2 * RADIUS Dynamic Authorization Server (DAS) (RFC 5176)
3 * Copyright (c) 2012, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "utils/common.h"
13 #include "utils/eloop.h"
14 #include "utils/ip_addr.h"
16 #include "radius_das.h"
19 extern int wpa_debug_level;
22 struct radius_das_data {
25 size_t shared_secret_len;
26 struct hostapd_ip_addr client_addr;
27 unsigned int time_window;
28 int require_event_timestamp;
30 enum radius_das_res (*disconnect)(void *ctx,
31 struct radius_das_attrs *attr);
35 static struct radius_msg * radius_das_disconnect(struct radius_das_data *das,
36 struct radius_msg *msg,
40 struct radius_hdr *hdr;
41 struct radius_msg *reply;
43 RADIUS_ATTR_USER_NAME,
44 RADIUS_ATTR_CALLING_STATION_ID,
45 RADIUS_ATTR_ACCT_SESSION_ID,
46 RADIUS_ATTR_EVENT_TIMESTAMP,
47 RADIUS_ATTR_MESSAGE_AUTHENTICATOR,
48 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
53 enum radius_das_res res;
54 struct radius_das_attrs attrs;
58 u8 sta_addr[ETH_ALEN];
60 hdr = radius_msg_get_hdr(msg);
62 attr = radius_msg_find_unlisted_attr(msg, allowed);
64 wpa_printf(MSG_INFO, "DAS: Unsupported attribute %u in "
65 "Disconnect-Request from %s:%d", attr,
71 os_memset(&attrs, 0, sizeof(attrs));
73 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CALLING_STATION_ID,
74 &buf, &len, NULL) == 0) {
75 if (len >= sizeof(tmp))
76 len = sizeof(tmp) - 1;
77 os_memcpy(tmp, buf, len);
79 if (hwaddr_aton2(tmp, sta_addr) < 0) {
80 wpa_printf(MSG_INFO, "DAS: Invalid Calling-Station-Id "
81 "'%s' from %s:%d", tmp, abuf, from_port);
85 attrs.sta_addr = sta_addr;
88 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME,
89 &buf, &len, NULL) == 0) {
90 attrs.user_name = buf;
91 attrs.user_name_len = len;
94 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_ACCT_SESSION_ID,
95 &buf, &len, NULL) == 0) {
96 attrs.acct_session_id = buf;
97 attrs.acct_session_id_len = len;
100 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
101 &buf, &len, NULL) == 0) {
106 res = das->disconnect(das->ctx, &attrs);
108 case RADIUS_DAS_NAS_MISMATCH:
109 wpa_printf(MSG_INFO, "DAS: NAS mismatch from %s:%d",
113 case RADIUS_DAS_SESSION_NOT_FOUND:
114 wpa_printf(MSG_INFO, "DAS: Session not found for request from "
115 "%s:%d", abuf, from_port);
118 case RADIUS_DAS_SUCCESS:
124 reply = radius_msg_new(error ? RADIUS_CODE_DISCONNECT_NAK :
125 RADIUS_CODE_DISCONNECT_ACK, hdr->identifier);
130 if (!radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE,
132 radius_msg_free(reply);
141 static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx)
143 struct radius_das_data *das = eloop_ctx;
146 struct sockaddr_storage ss;
147 struct sockaddr_in sin;
149 struct sockaddr_in6 sin6;
150 #endif /* CONFIG_IPV6 */
156 struct radius_msg *msg, *reply = NULL;
157 struct radius_hdr *hdr;
163 fromlen = sizeof(from);
164 len = recvfrom(sock, buf, sizeof(buf), 0,
165 (struct sockaddr *) &from.ss, &fromlen);
167 wpa_printf(MSG_ERROR, "DAS: recvfrom: %s", strerror(errno));
171 os_strlcpy(abuf, inet_ntoa(from.sin.sin_addr), sizeof(abuf));
172 from_port = ntohs(from.sin.sin_port);
174 wpa_printf(MSG_DEBUG, "DAS: Received %d bytes from %s:%d",
175 len, abuf, from_port);
176 if (das->client_addr.u.v4.s_addr != from.sin.sin_addr.s_addr) {
177 wpa_printf(MSG_DEBUG, "DAS: Drop message from unknown client");
181 msg = radius_msg_parse(buf, len);
183 wpa_printf(MSG_DEBUG, "DAS: Parsing incoming RADIUS packet "
184 "from %s:%d failed", abuf, from_port);
188 if (wpa_debug_level <= MSG_MSGDUMP)
189 radius_msg_dump(msg);
191 if (radius_msg_verify_das_req(msg, das->shared_secret,
192 das->shared_secret_len)) {
193 wpa_printf(MSG_DEBUG, "DAS: Invalid authenticator in packet "
194 "from %s:%d - drop", abuf, from_port);
199 res = radius_msg_get_attr(msg, RADIUS_ATTR_EVENT_TIMESTAMP,
202 u32 timestamp = ntohl(val);
203 if (abs(now.sec - timestamp) > das->time_window) {
204 wpa_printf(MSG_DEBUG, "DAS: Unacceptable "
205 "Event-Timestamp (%u; local time %u) in "
206 "packet from %s:%d - drop",
207 timestamp, (unsigned int) now.sec,
211 } else if (das->require_event_timestamp) {
212 wpa_printf(MSG_DEBUG, "DAS: Missing Event-Timestamp in packet "
213 "from %s:%d - drop", abuf, from_port);
217 hdr = radius_msg_get_hdr(msg);
220 case RADIUS_CODE_DISCONNECT_REQUEST:
221 reply = radius_das_disconnect(das, msg, abuf, from_port);
223 case RADIUS_CODE_COA_REQUEST:
225 reply = radius_msg_new(RADIUS_CODE_COA_NAK,
230 /* Unsupported Service */
231 if (!radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE,
233 radius_msg_free(reply);
239 wpa_printf(MSG_DEBUG, "DAS: Unexpected RADIUS code %u in "
241 hdr->code, abuf, from_port);
245 wpa_printf(MSG_DEBUG, "DAS: Reply to %s:%d", abuf, from_port);
247 if (!radius_msg_add_attr_int32(reply,
248 RADIUS_ATTR_EVENT_TIMESTAMP,
250 wpa_printf(MSG_DEBUG, "DAS: Failed to add "
251 "Event-Timestamp attribute");
254 if (radius_msg_finish_das_resp(reply, das->shared_secret,
255 das->shared_secret_len, hdr) <
257 wpa_printf(MSG_DEBUG, "DAS: Failed to add "
258 "Message-Authenticator attribute");
261 if (wpa_debug_level <= MSG_MSGDUMP)
262 radius_msg_dump(reply);
264 rbuf = radius_msg_get_buf(reply);
265 res = sendto(das->sock, wpabuf_head(rbuf),
267 (struct sockaddr *) &from.ss, fromlen);
269 wpa_printf(MSG_ERROR, "DAS: sendto(to %s:%d): %s",
270 abuf, from_port, strerror(errno));
275 radius_msg_free(msg);
276 radius_msg_free(reply);
280 static int radius_das_open_socket(int port)
283 struct sockaddr_in addr;
285 s = socket(PF_INET, SOCK_DGRAM, 0);
291 os_memset(&addr, 0, sizeof(addr));
292 addr.sin_family = AF_INET;
293 addr.sin_port = htons(port);
294 if (bind(s, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
304 struct radius_das_data *
305 radius_das_init(struct radius_das_conf *conf)
307 struct radius_das_data *das;
309 if (conf->port == 0 || conf->shared_secret == NULL ||
310 conf->client_addr == NULL)
313 das = os_zalloc(sizeof(*das));
317 das->time_window = conf->time_window;
318 das->require_event_timestamp = conf->require_event_timestamp;
319 das->ctx = conf->ctx;
320 das->disconnect = conf->disconnect;
322 os_memcpy(&das->client_addr, conf->client_addr,
323 sizeof(das->client_addr));
325 das->shared_secret = os_malloc(conf->shared_secret_len);
326 if (das->shared_secret == NULL) {
327 radius_das_deinit(das);
330 os_memcpy(das->shared_secret, conf->shared_secret,
331 conf->shared_secret_len);
332 das->shared_secret_len = conf->shared_secret_len;
334 das->sock = radius_das_open_socket(conf->port);
336 wpa_printf(MSG_ERROR, "Failed to open UDP socket for RADIUS "
338 radius_das_deinit(das);
342 if (eloop_register_read_sock(das->sock, radius_das_receive, das, NULL))
344 radius_das_deinit(das);
352 void radius_das_deinit(struct radius_das_data *das)
357 if (das->sock >= 0) {
358 eloop_unregister_read_sock(das->sock);
362 os_free(das->shared_secret);