2 * hostapd / RADIUS client
3 * Copyright (c) 2002-2005, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
19 #include "radius_client.h"
22 /* Defaults for RADIUS retransmit values (exponential backoff) */
23 #define RADIUS_CLIENT_FIRST_WAIT 3 /* seconds */
24 #define RADIUS_CLIENT_MAX_WAIT 120 /* seconds */
25 #define RADIUS_CLIENT_MAX_RETRIES 10 /* maximum number of retransmit attempts
26 * before entry is removed from retransmit
28 #define RADIUS_CLIENT_MAX_ENTRIES 30 /* maximum number of entries in retransmit
29 * list (oldest will be removed, if this
30 * limit is exceeded) */
31 #define RADIUS_CLIENT_NUM_FAILOVER 4 /* try to change RADIUS server after this
32 * many failed retry attempts */
35 struct radius_rx_handler {
36 RadiusRxResult (*handler)(struct radius_msg *msg,
37 struct radius_msg *req,
38 u8 *shared_secret, size_t shared_secret_len,
44 /* RADIUS message retransmit list */
45 struct radius_msg_list {
46 u8 addr[ETH_ALEN]; /* STA/client address; used to find RADIUS messages
47 * for the same STA. */
48 struct radius_msg *msg;
54 struct os_time last_attempt;
57 size_t shared_secret_len;
59 /* TODO: server config with failover to backup server(s) */
61 struct radius_msg_list *next;
65 struct radius_client_data {
67 struct hostapd_radius_servers *conf;
69 int auth_serv_sock; /* socket for authentication RADIUS messages */
70 int acct_serv_sock; /* socket for accounting RADIUS messages */
73 int auth_sock; /* currently used socket */
74 int acct_sock; /* currently used socket */
76 struct radius_rx_handler *auth_handlers;
77 size_t num_auth_handlers;
78 struct radius_rx_handler *acct_handlers;
79 size_t num_acct_handlers;
81 struct radius_msg_list *msgs;
84 u8 next_radius_identifier;
89 radius_change_server(struct radius_client_data *radius,
90 struct hostapd_radius_server *nserv,
91 struct hostapd_radius_server *oserv,
92 int sock, int sock6, int auth);
93 static int radius_client_init_acct(struct radius_client_data *radius);
94 static int radius_client_init_auth(struct radius_client_data *radius);
97 static void radius_client_msg_free(struct radius_msg_list *req)
99 radius_msg_free(req->msg);
105 int radius_client_register(struct radius_client_data *radius,
107 RadiusRxResult (*handler)(struct radius_msg *msg,
108 struct radius_msg *req,
110 size_t shared_secret_len,
114 struct radius_rx_handler **handlers, *newh;
117 if (msg_type == RADIUS_ACCT) {
118 handlers = &radius->acct_handlers;
119 num = &radius->num_acct_handlers;
121 handlers = &radius->auth_handlers;
122 num = &radius->num_auth_handlers;
125 newh = os_realloc(*handlers,
126 (*num + 1) * sizeof(struct radius_rx_handler));
130 newh[*num].handler = handler;
131 newh[*num].data = data;
139 static void radius_client_handle_send_error(struct radius_client_data *radius,
140 int s, RadiusType msg_type)
142 #ifndef CONFIG_NATIVE_WINDOWS
144 perror("send[RADIUS]");
145 if (_errno == ENOTCONN || _errno == EDESTADDRREQ || _errno == EINVAL ||
147 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
149 "Send failed - maybe interface status changed -"
150 " try to connect again");
151 eloop_unregister_read_sock(s);
153 if (msg_type == RADIUS_ACCT || msg_type == RADIUS_ACCT_INTERIM)
154 radius_client_init_acct(radius);
156 radius_client_init_auth(radius);
158 #endif /* CONFIG_NATIVE_WINDOWS */
162 static int radius_client_retransmit(struct radius_client_data *radius,
163 struct radius_msg_list *entry,
166 struct hostapd_radius_servers *conf = radius->conf;
169 if (entry->msg_type == RADIUS_ACCT ||
170 entry->msg_type == RADIUS_ACCT_INTERIM) {
171 s = radius->acct_sock;
172 if (entry->attempts == 0)
173 conf->acct_server->requests++;
175 conf->acct_server->timeouts++;
176 conf->acct_server->retransmissions++;
179 s = radius->auth_sock;
180 if (entry->attempts == 0)
181 conf->auth_server->requests++;
183 conf->auth_server->timeouts++;
184 conf->auth_server->retransmissions++;
188 /* retransmit; remove entry if too many attempts */
190 hostapd_logger(radius->ctx, entry->addr, HOSTAPD_MODULE_RADIUS,
191 HOSTAPD_LEVEL_DEBUG, "Resending RADIUS message (id=%d)",
192 entry->msg->hdr->identifier);
194 os_get_time(&entry->last_attempt);
195 if (send(s, entry->msg->buf, entry->msg->buf_used, 0) < 0)
196 radius_client_handle_send_error(radius, s, entry->msg_type);
198 entry->next_try = now + entry->next_wait;
199 entry->next_wait *= 2;
200 if (entry->next_wait > RADIUS_CLIENT_MAX_WAIT)
201 entry->next_wait = RADIUS_CLIENT_MAX_WAIT;
202 if (entry->attempts >= RADIUS_CLIENT_MAX_RETRIES) {
203 printf("Removing un-ACKed RADIUS message due to too many "
204 "failed retransmit attempts\n");
212 static void radius_client_timer(void *eloop_ctx, void *timeout_ctx)
214 struct radius_client_data *radius = eloop_ctx;
215 struct hostapd_radius_servers *conf = radius->conf;
218 struct radius_msg_list *entry, *prev, *tmp;
219 int auth_failover = 0, acct_failover = 0;
222 entry = radius->msgs;
231 if (now.sec >= entry->next_try &&
232 radius_client_retransmit(radius, entry, now.sec)) {
234 prev->next = entry->next;
236 radius->msgs = entry->next;
240 radius_client_msg_free(tmp);
245 if (entry->attempts > RADIUS_CLIENT_NUM_FAILOVER) {
246 if (entry->msg_type == RADIUS_ACCT ||
247 entry->msg_type == RADIUS_ACCT_INTERIM)
253 if (first == 0 || entry->next_try < first)
254 first = entry->next_try;
263 eloop_register_timeout(first - now.sec, 0,
264 radius_client_timer, radius, NULL);
265 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
266 HOSTAPD_LEVEL_DEBUG, "Next RADIUS client "
267 "retransmit in %ld seconds",
268 (long int) (first - now.sec));
271 if (auth_failover && conf->num_auth_servers > 1) {
272 struct hostapd_radius_server *next, *old;
273 old = conf->auth_server;
274 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
275 HOSTAPD_LEVEL_NOTICE,
276 "No response from Authentication server "
278 hostapd_ip_txt(&old->addr, abuf, sizeof(abuf)),
281 for (entry = radius->msgs; entry; entry = entry->next) {
282 if (entry->msg_type == RADIUS_AUTH)
287 if (next > &(conf->auth_servers[conf->num_auth_servers - 1]))
288 next = conf->auth_servers;
289 conf->auth_server = next;
290 radius_change_server(radius, next, old,
291 radius->auth_serv_sock,
292 radius->auth_serv_sock6, 1);
295 if (acct_failover && conf->num_acct_servers > 1) {
296 struct hostapd_radius_server *next, *old;
297 old = conf->acct_server;
298 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
299 HOSTAPD_LEVEL_NOTICE,
300 "No response from Accounting server "
302 hostapd_ip_txt(&old->addr, abuf, sizeof(abuf)),
305 for (entry = radius->msgs; entry; entry = entry->next) {
306 if (entry->msg_type == RADIUS_ACCT ||
307 entry->msg_type == RADIUS_ACCT_INTERIM)
312 if (next > &conf->acct_servers[conf->num_acct_servers - 1])
313 next = conf->acct_servers;
314 conf->acct_server = next;
315 radius_change_server(radius, next, old,
316 radius->acct_serv_sock,
317 radius->acct_serv_sock6, 0);
322 static void radius_client_update_timeout(struct radius_client_data *radius)
326 struct radius_msg_list *entry;
328 eloop_cancel_timeout(radius_client_timer, radius, NULL);
330 if (radius->msgs == NULL) {
335 for (entry = radius->msgs; entry; entry = entry->next) {
336 if (first == 0 || entry->next_try < first)
337 first = entry->next_try;
343 eloop_register_timeout(first - now.sec, 0, radius_client_timer, radius,
345 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
346 HOSTAPD_LEVEL_DEBUG, "Next RADIUS client retransmit in"
347 " %ld seconds\n", (long int) (first - now.sec));
351 static void radius_client_list_add(struct radius_client_data *radius,
352 struct radius_msg *msg,
353 RadiusType msg_type, u8 *shared_secret,
354 size_t shared_secret_len, const u8 *addr)
356 struct radius_msg_list *entry, *prev;
358 if (eloop_terminated()) {
359 /* No point in adding entries to retransmit queue since event
360 * loop has already been terminated. */
361 radius_msg_free(msg);
366 entry = wpa_zalloc(sizeof(*entry));
368 printf("Failed to add RADIUS packet into retransmit list\n");
369 radius_msg_free(msg);
375 os_memcpy(entry->addr, addr, ETH_ALEN);
377 entry->msg_type = msg_type;
378 entry->shared_secret = shared_secret;
379 entry->shared_secret_len = shared_secret_len;
380 os_get_time(&entry->last_attempt);
381 entry->first_try = entry->last_attempt.sec;
382 entry->next_try = entry->first_try + RADIUS_CLIENT_FIRST_WAIT;
384 entry->next_wait = RADIUS_CLIENT_FIRST_WAIT * 2;
385 entry->next = radius->msgs;
386 radius->msgs = entry;
387 radius_client_update_timeout(radius);
389 if (radius->num_msgs >= RADIUS_CLIENT_MAX_ENTRIES) {
390 printf("Removing the oldest un-ACKed RADIUS packet due to "
391 "retransmit list limits.\n");
393 while (entry->next) {
399 radius_client_msg_free(entry);
406 static void radius_client_list_del(struct radius_client_data *radius,
407 RadiusType msg_type, const u8 *addr)
409 struct radius_msg_list *entry, *prev, *tmp;
414 entry = radius->msgs;
417 if (entry->msg_type == msg_type &&
418 os_memcmp(entry->addr, addr, ETH_ALEN) == 0) {
420 prev->next = entry->next;
422 radius->msgs = entry->next;
425 hostapd_logger(radius->ctx, addr,
426 HOSTAPD_MODULE_RADIUS,
428 "Removing matching RADIUS message");
429 radius_client_msg_free(tmp);
439 int radius_client_send(struct radius_client_data *radius,
440 struct radius_msg *msg, RadiusType msg_type,
443 struct hostapd_radius_servers *conf = radius->conf;
445 size_t shared_secret_len;
449 if (msg_type == RADIUS_ACCT_INTERIM) {
450 /* Remove any pending interim acct update for the same STA. */
451 radius_client_list_del(radius, msg_type, addr);
454 if (msg_type == RADIUS_ACCT || msg_type == RADIUS_ACCT_INTERIM) {
455 if (conf->acct_server == NULL) {
456 hostapd_logger(radius->ctx, NULL,
457 HOSTAPD_MODULE_RADIUS,
459 "No accounting server configured");
462 shared_secret = conf->acct_server->shared_secret;
463 shared_secret_len = conf->acct_server->shared_secret_len;
464 radius_msg_finish_acct(msg, shared_secret, shared_secret_len);
466 s = radius->acct_sock;
467 conf->acct_server->requests++;
469 if (conf->auth_server == NULL) {
470 hostapd_logger(radius->ctx, NULL,
471 HOSTAPD_MODULE_RADIUS,
473 "No authentication server configured");
476 shared_secret = conf->auth_server->shared_secret;
477 shared_secret_len = conf->auth_server->shared_secret_len;
478 radius_msg_finish(msg, shared_secret, shared_secret_len);
479 name = "authentication";
480 s = radius->auth_sock;
481 conf->auth_server->requests++;
484 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
485 HOSTAPD_LEVEL_DEBUG, "Sending RADIUS message to %s "
488 radius_msg_dump(msg);
490 res = send(s, msg->buf, msg->buf_used, 0);
492 radius_client_handle_send_error(radius, s, msg_type);
494 radius_client_list_add(radius, msg, msg_type, shared_secret,
495 shared_secret_len, addr);
501 static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
503 struct radius_client_data *radius = eloop_ctx;
504 struct hostapd_radius_servers *conf = radius->conf;
505 RadiusType msg_type = (RadiusType) sock_ctx;
507 unsigned char buf[3000];
508 struct radius_msg *msg;
509 struct radius_rx_handler *handlers;
510 size_t num_handlers, i;
511 struct radius_msg_list *req, *prev_req;
513 struct hostapd_radius_server *rconf;
514 int invalid_authenticator = 0;
516 if (msg_type == RADIUS_ACCT) {
517 handlers = radius->acct_handlers;
518 num_handlers = radius->num_acct_handlers;
519 rconf = conf->acct_server;
521 handlers = radius->auth_handlers;
522 num_handlers = radius->num_auth_handlers;
523 rconf = conf->auth_server;
526 len = recv(sock, buf, sizeof(buf), MSG_DONTWAIT);
528 perror("recv[RADIUS]");
531 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
532 HOSTAPD_LEVEL_DEBUG, "Received %d bytes from RADIUS "
534 if (len == sizeof(buf)) {
535 printf("Possibly too long UDP frame for our buffer - "
540 msg = radius_msg_parse(buf, len);
542 printf("Parsing incoming RADIUS frame failed\n");
543 rconf->malformed_responses++;
547 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
548 HOSTAPD_LEVEL_DEBUG, "Received RADIUS message");
550 radius_msg_dump(msg);
552 switch (msg->hdr->code) {
553 case RADIUS_CODE_ACCESS_ACCEPT:
554 rconf->access_accepts++;
556 case RADIUS_CODE_ACCESS_REJECT:
557 rconf->access_rejects++;
559 case RADIUS_CODE_ACCESS_CHALLENGE:
560 rconf->access_challenges++;
562 case RADIUS_CODE_ACCOUNTING_RESPONSE:
570 /* TODO: also match by src addr:port of the packet when using
571 * alternative RADIUS servers (?) */
572 if ((req->msg_type == msg_type ||
573 (req->msg_type == RADIUS_ACCT_INTERIM &&
574 msg_type == RADIUS_ACCT)) &&
575 req->msg->hdr->identifier == msg->hdr->identifier)
583 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
585 "No matching RADIUS request found (type=%d "
586 "id=%d) - dropping packet",
587 msg_type, msg->hdr->identifier);
592 roundtrip = (now.sec - req->last_attempt.sec) * 100 +
593 (now.usec - req->last_attempt.usec) / 10000;
594 hostapd_logger(radius->ctx, req->addr, HOSTAPD_MODULE_RADIUS,
596 "Received RADIUS packet matched with a pending "
597 "request, round trip time %d.%02d sec",
598 roundtrip / 100, roundtrip % 100);
599 rconf->round_trip_time = roundtrip;
601 /* Remove ACKed RADIUS packet from retransmit list */
603 prev_req->next = req->next;
605 radius->msgs = req->next;
608 for (i = 0; i < num_handlers; i++) {
610 res = handlers[i].handler(msg, req->msg, req->shared_secret,
611 req->shared_secret_len,
614 case RADIUS_RX_PROCESSED:
615 radius_msg_free(msg);
618 case RADIUS_RX_QUEUED:
619 radius_client_msg_free(req);
621 case RADIUS_RX_INVALID_AUTHENTICATOR:
622 invalid_authenticator++;
624 case RADIUS_RX_UNKNOWN:
625 /* continue with next handler */
630 if (invalid_authenticator)
631 rconf->bad_authenticators++;
633 rconf->unknown_types++;
634 hostapd_logger(radius->ctx, req->addr, HOSTAPD_MODULE_RADIUS,
635 HOSTAPD_LEVEL_DEBUG, "No RADIUS RX handler found "
636 "(type=%d code=%d id=%d)%s - dropping packet",
637 msg_type, msg->hdr->code, msg->hdr->identifier,
638 invalid_authenticator ? " [INVALID AUTHENTICATOR]" :
640 radius_client_msg_free(req);
643 radius_msg_free(msg);
648 u8 radius_client_get_id(struct radius_client_data *radius)
650 struct radius_msg_list *entry, *prev, *_remove;
651 u8 id = radius->next_radius_identifier++;
653 /* remove entries with matching id from retransmit list to avoid
654 * using new reply from the RADIUS server with an old request */
655 entry = radius->msgs;
658 if (entry->msg->hdr->identifier == id) {
659 hostapd_logger(radius->ctx, entry->addr,
660 HOSTAPD_MODULE_RADIUS,
662 "Removing pending RADIUS message, "
663 "since its id (%d) is reused", id);
665 prev->next = entry->next;
667 radius->msgs = entry->next;
676 radius_client_msg_free(_remove);
683 void radius_client_flush(struct radius_client_data *radius, int only_auth)
685 struct radius_msg_list *entry, *prev, *tmp;
691 entry = radius->msgs;
694 if (!only_auth || entry->msg_type == RADIUS_AUTH) {
696 prev->next = entry->next;
698 radius->msgs = entry->next;
702 radius_client_msg_free(tmp);
710 if (radius->msgs == NULL)
711 eloop_cancel_timeout(radius_client_timer, radius, NULL);
715 void radius_client_update_acct_msgs(struct radius_client_data *radius,
717 size_t shared_secret_len)
719 struct radius_msg_list *entry;
724 for (entry = radius->msgs; entry; entry = entry->next) {
725 if (entry->msg_type == RADIUS_ACCT) {
726 entry->shared_secret = shared_secret;
727 entry->shared_secret_len = shared_secret_len;
728 radius_msg_finish_acct(entry->msg, shared_secret,
736 radius_change_server(struct radius_client_data *radius,
737 struct hostapd_radius_server *nserv,
738 struct hostapd_radius_server *oserv,
739 int sock, int sock6, int auth)
741 struct sockaddr_in serv;
743 struct sockaddr_in6 serv6;
744 #endif /* CONFIG_IPV6 */
745 struct sockaddr *addr;
749 struct radius_msg_list *entry;
751 hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
754 auth ? "Authentication" : "Accounting",
755 hostapd_ip_txt(&nserv->addr, abuf, sizeof(abuf)),
758 if (!oserv || nserv->shared_secret_len != oserv->shared_secret_len ||
759 os_memcmp(nserv->shared_secret, oserv->shared_secret,
760 nserv->shared_secret_len) != 0) {
761 /* Pending RADIUS packets used different shared secret, so
762 * they need to be modified. Update accounting message
763 * authenticators here. Authentication messages are removed
764 * since they would require more changes and the new RADIUS
765 * server may not be prepared to receive them anyway due to
766 * missing state information. Client will likely retry
767 * authentication, so this should not be an issue. */
769 radius_client_flush(radius, 1);
771 radius_client_update_acct_msgs(
772 radius, nserv->shared_secret,
773 nserv->shared_secret_len);
777 /* Reset retry counters for the new server */
778 for (entry = radius->msgs; entry; entry = entry->next) {
779 if ((auth && entry->msg_type != RADIUS_AUTH) ||
780 (!auth && entry->msg_type != RADIUS_ACCT))
782 entry->next_try = entry->first_try + RADIUS_CLIENT_FIRST_WAIT;
784 entry->next_wait = RADIUS_CLIENT_FIRST_WAIT * 2;
788 eloop_cancel_timeout(radius_client_timer, radius, NULL);
789 eloop_register_timeout(RADIUS_CLIENT_FIRST_WAIT, 0,
790 radius_client_timer, radius, NULL);
793 switch (nserv->addr.af) {
795 os_memset(&serv, 0, sizeof(serv));
796 serv.sin_family = AF_INET;
797 serv.sin_addr.s_addr = nserv->addr.u.v4.s_addr;
798 serv.sin_port = htons(nserv->port);
799 addr = (struct sockaddr *) &serv;
800 addrlen = sizeof(serv);
805 os_memset(&serv6, 0, sizeof(serv6));
806 serv6.sin6_family = AF_INET6;
807 os_memcpy(&serv6.sin6_addr, &nserv->addr.u.v6,
808 sizeof(struct in6_addr));
809 serv6.sin6_port = htons(nserv->port);
810 addr = (struct sockaddr *) &serv6;
811 addrlen = sizeof(serv6);
814 #endif /* CONFIG_IPV6 */
819 if (connect(sel_sock, addr, addrlen) < 0) {
820 perror("connect[radius]");
825 radius->auth_sock = sel_sock;
827 radius->acct_sock = sel_sock;
833 static void radius_retry_primary_timer(void *eloop_ctx, void *timeout_ctx)
835 struct radius_client_data *radius = eloop_ctx;
836 struct hostapd_radius_servers *conf = radius->conf;
837 struct hostapd_radius_server *oserv;
839 if (radius->auth_sock >= 0 && conf->auth_servers &&
840 conf->auth_server != conf->auth_servers) {
841 oserv = conf->auth_server;
842 conf->auth_server = conf->auth_servers;
843 radius_change_server(radius, conf->auth_server, oserv,
844 radius->auth_serv_sock,
845 radius->auth_serv_sock6, 1);
848 if (radius->acct_sock >= 0 && conf->acct_servers &&
849 conf->acct_server != conf->acct_servers) {
850 oserv = conf->acct_server;
851 conf->acct_server = conf->acct_servers;
852 radius_change_server(radius, conf->acct_server, oserv,
853 radius->acct_serv_sock,
854 radius->acct_serv_sock6, 0);
857 if (conf->retry_primary_interval)
858 eloop_register_timeout(conf->retry_primary_interval, 0,
859 radius_retry_primary_timer, radius,
864 static int radius_client_init_auth(struct radius_client_data *radius)
866 struct hostapd_radius_servers *conf = radius->conf;
869 radius->auth_serv_sock = socket(PF_INET, SOCK_DGRAM, 0);
870 if (radius->auth_serv_sock < 0)
871 perror("socket[PF_INET,SOCK_DGRAM]");
876 radius->auth_serv_sock6 = socket(PF_INET6, SOCK_DGRAM, 0);
877 if (radius->auth_serv_sock6 < 0)
878 perror("socket[PF_INET6,SOCK_DGRAM]");
881 #endif /* CONFIG_IPV6 */
886 radius_change_server(radius, conf->auth_server, NULL,
887 radius->auth_serv_sock, radius->auth_serv_sock6,
890 if (radius->auth_serv_sock >= 0 &&
891 eloop_register_read_sock(radius->auth_serv_sock,
892 radius_client_receive, radius,
893 (void *) RADIUS_AUTH)) {
894 printf("Could not register read socket for authentication "
900 if (radius->auth_serv_sock6 >= 0 &&
901 eloop_register_read_sock(radius->auth_serv_sock6,
902 radius_client_receive, radius,
903 (void *) RADIUS_AUTH)) {
904 printf("Could not register read socket for authentication "
908 #endif /* CONFIG_IPV6 */
914 static int radius_client_init_acct(struct radius_client_data *radius)
916 struct hostapd_radius_servers *conf = radius->conf;
919 radius->acct_serv_sock = socket(PF_INET, SOCK_DGRAM, 0);
920 if (radius->acct_serv_sock < 0)
921 perror("socket[PF_INET,SOCK_DGRAM]");
926 radius->acct_serv_sock6 = socket(PF_INET6, SOCK_DGRAM, 0);
927 if (radius->acct_serv_sock6 < 0)
928 perror("socket[PF_INET6,SOCK_DGRAM]");
931 #endif /* CONFIG_IPV6 */
936 radius_change_server(radius, conf->acct_server, NULL,
937 radius->acct_serv_sock, radius->acct_serv_sock6,
940 if (radius->acct_serv_sock >= 0 &&
941 eloop_register_read_sock(radius->acct_serv_sock,
942 radius_client_receive, radius,
943 (void *) RADIUS_ACCT)) {
944 printf("Could not register read socket for accounting "
950 if (radius->acct_serv_sock6 >= 0 &&
951 eloop_register_read_sock(radius->acct_serv_sock6,
952 radius_client_receive, radius,
953 (void *) RADIUS_ACCT)) {
954 printf("Could not register read socket for accounting "
958 #endif /* CONFIG_IPV6 */
964 struct radius_client_data *
965 radius_client_init(void *ctx, struct hostapd_radius_servers *conf)
967 struct radius_client_data *radius;
969 radius = wpa_zalloc(sizeof(struct radius_client_data));
975 radius->auth_serv_sock = radius->acct_serv_sock =
976 radius->auth_serv_sock6 = radius->acct_serv_sock6 =
977 radius->auth_sock = radius->acct_sock = -1;
979 if (conf->auth_server && radius_client_init_auth(radius)) {
980 radius_client_deinit(radius);
984 if (conf->acct_server && radius_client_init_acct(radius)) {
985 radius_client_deinit(radius);
989 if (conf->retry_primary_interval)
990 eloop_register_timeout(conf->retry_primary_interval, 0,
991 radius_retry_primary_timer, radius,
998 void radius_client_deinit(struct radius_client_data *radius)
1003 if (radius->auth_serv_sock >= 0)
1004 eloop_unregister_read_sock(radius->auth_serv_sock);
1005 if (radius->acct_serv_sock >= 0)
1006 eloop_unregister_read_sock(radius->acct_serv_sock);
1008 eloop_cancel_timeout(radius_retry_primary_timer, radius, NULL);
1010 radius_client_flush(radius, 0);
1011 os_free(radius->auth_handlers);
1012 os_free(radius->acct_handlers);
1017 void radius_client_flush_auth(struct radius_client_data *radius, u8 *addr)
1019 struct radius_msg_list *entry, *prev, *tmp;
1022 entry = radius->msgs;
1024 if (entry->msg_type == RADIUS_AUTH &&
1025 os_memcmp(entry->addr, addr, ETH_ALEN) == 0) {
1026 hostapd_logger(radius->ctx, addr,
1027 HOSTAPD_MODULE_RADIUS,
1028 HOSTAPD_LEVEL_DEBUG,
1029 "Removing pending RADIUS authentication"
1030 " message for removed client");
1033 prev->next = entry->next;
1035 radius->msgs = entry->next;
1038 entry = entry->next;
1039 radius_client_msg_free(tmp);
1045 entry = entry->next;
1050 static int radius_client_dump_auth_server(char *buf, size_t buflen,
1051 struct hostapd_radius_server *serv,
1052 struct radius_client_data *cli)
1055 struct radius_msg_list *msg;
1059 for (msg = cli->msgs; msg; msg = msg->next) {
1060 if (msg->msg_type == RADIUS_AUTH)
1065 return os_snprintf(buf, buflen,
1066 "radiusAuthServerIndex=%d\n"
1067 "radiusAuthServerAddress=%s\n"
1068 "radiusAuthClientServerPortNumber=%d\n"
1069 "radiusAuthClientRoundTripTime=%d\n"
1070 "radiusAuthClientAccessRequests=%u\n"
1071 "radiusAuthClientAccessRetransmissions=%u\n"
1072 "radiusAuthClientAccessAccepts=%u\n"
1073 "radiusAuthClientAccessRejects=%u\n"
1074 "radiusAuthClientAccessChallenges=%u\n"
1075 "radiusAuthClientMalformedAccessResponses=%u\n"
1076 "radiusAuthClientBadAuthenticators=%u\n"
1077 "radiusAuthClientPendingRequests=%u\n"
1078 "radiusAuthClientTimeouts=%u\n"
1079 "radiusAuthClientUnknownTypes=%u\n"
1080 "radiusAuthClientPacketsDropped=%u\n",
1082 hostapd_ip_txt(&serv->addr, abuf, sizeof(abuf)),
1084 serv->round_trip_time,
1086 serv->retransmissions,
1087 serv->access_accepts,
1088 serv->access_rejects,
1089 serv->access_challenges,
1090 serv->malformed_responses,
1091 serv->bad_authenticators,
1094 serv->unknown_types,
1095 serv->packets_dropped);
1099 static int radius_client_dump_acct_server(char *buf, size_t buflen,
1100 struct hostapd_radius_server *serv,
1101 struct radius_client_data *cli)
1104 struct radius_msg_list *msg;
1108 for (msg = cli->msgs; msg; msg = msg->next) {
1109 if (msg->msg_type == RADIUS_ACCT ||
1110 msg->msg_type == RADIUS_ACCT_INTERIM)
1115 return os_snprintf(buf, buflen,
1116 "radiusAccServerIndex=%d\n"
1117 "radiusAccServerAddress=%s\n"
1118 "radiusAccClientServerPortNumber=%d\n"
1119 "radiusAccClientRoundTripTime=%d\n"
1120 "radiusAccClientRequests=%u\n"
1121 "radiusAccClientRetransmissions=%u\n"
1122 "radiusAccClientResponses=%u\n"
1123 "radiusAccClientMalformedResponses=%u\n"
1124 "radiusAccClientBadAuthenticators=%u\n"
1125 "radiusAccClientPendingRequests=%u\n"
1126 "radiusAccClientTimeouts=%u\n"
1127 "radiusAccClientUnknownTypes=%u\n"
1128 "radiusAccClientPacketsDropped=%u\n",
1130 hostapd_ip_txt(&serv->addr, abuf, sizeof(abuf)),
1132 serv->round_trip_time,
1134 serv->retransmissions,
1136 serv->malformed_responses,
1137 serv->bad_authenticators,
1140 serv->unknown_types,
1141 serv->packets_dropped);
1145 int radius_client_get_mib(struct radius_client_data *radius, char *buf,
1148 struct hostapd_radius_servers *conf = radius->conf;
1150 struct hostapd_radius_server *serv;
1153 if (conf->auth_servers) {
1154 for (i = 0; i < conf->num_auth_servers; i++) {
1155 serv = &conf->auth_servers[i];
1156 count += radius_client_dump_auth_server(
1157 buf + count, buflen - count, serv,
1158 serv == conf->auth_server ?
1163 if (conf->acct_servers) {
1164 for (i = 0; i < conf->num_acct_servers; i++) {
1165 serv = &conf->acct_servers[i];
1166 count += radius_client_dump_acct_server(
1167 buf + count, buflen - count, serv,
1168 serv == conf->acct_server ?
1177 static int radius_servers_diff(struct hostapd_radius_server *nserv,
1178 struct hostapd_radius_server *oserv,
1183 for (i = 0; i < num; i++) {
1184 if (hostapd_ip_diff(&nserv[i].addr, &oserv[i].addr) ||
1185 nserv[i].port != oserv[i].port ||
1186 nserv[i].shared_secret_len != oserv[i].shared_secret_len ||
1187 memcmp(nserv[i].shared_secret, oserv[i].shared_secret,
1188 nserv[i].shared_secret_len) != 0)
1196 struct radius_client_data *
1197 radius_client_reconfig(struct radius_client_data *old, void *ctx,
1198 struct hostapd_radius_servers *oldconf,
1199 struct hostapd_radius_servers *newconf)
1201 radius_client_flush(old, 0);
1203 if (newconf->retry_primary_interval !=
1204 oldconf->retry_primary_interval ||
1205 newconf->num_auth_servers != oldconf->num_auth_servers ||
1206 newconf->num_acct_servers != oldconf->num_acct_servers ||
1207 radius_servers_diff(newconf->auth_servers, oldconf->auth_servers,
1208 newconf->num_auth_servers) ||
1209 radius_servers_diff(newconf->acct_servers, oldconf->acct_servers,
1210 newconf->num_acct_servers)) {
1211 hostapd_logger(ctx, NULL, HOSTAPD_MODULE_RADIUS,
1212 HOSTAPD_LEVEL_DEBUG,
1213 "Reconfiguring RADIUS client");
1214 radius_client_deinit(old);
1215 return radius_client_init(ctx, newconf);