]>
Commit | Line | Data |
---|---|---|
6fc6879b | 1 | /* |
362bd35f | 2 | * RADIUS authentication server |
505a3694 | 3 | * Copyright (c) 2005-2009, 2011, Jouni Malinen <j@w1.fi> |
6fc6879b | 4 | * |
0f3d578e JM |
5 | * This software may be distributed under the terms of the BSD license. |
6 | * See README for more details. | |
6fc6879b JM |
7 | */ |
8 | ||
9 | #include "includes.h" | |
10 | #include <net/if.h> | |
11 | ||
12 | #include "common.h" | |
13 | #include "radius.h" | |
14 | #include "eloop.h" | |
6fc6879b JM |
15 | #include "eap_server/eap.h" |
16 | #include "radius_server.h" | |
17 | ||
362bd35f JM |
18 | /** |
19 | * RADIUS_SESSION_TIMEOUT - Session timeout in seconds | |
20 | */ | |
6fc6879b | 21 | #define RADIUS_SESSION_TIMEOUT 60 |
362bd35f JM |
22 | |
23 | /** | |
24 | * RADIUS_MAX_SESSION - Maximum number of active sessions | |
25 | */ | |
6fc6879b | 26 | #define RADIUS_MAX_SESSION 100 |
362bd35f JM |
27 | |
28 | /** | |
29 | * RADIUS_MAX_MSG_LEN - Maximum message length for incoming RADIUS messages | |
30 | */ | |
6fc6879b JM |
31 | #define RADIUS_MAX_MSG_LEN 3000 |
32 | ||
33 | static struct eapol_callbacks radius_server_eapol_cb; | |
34 | ||
35 | struct radius_client; | |
36 | struct radius_server_data; | |
37 | ||
362bd35f JM |
38 | /** |
39 | * struct radius_server_counters - RADIUS server statistics counters | |
40 | */ | |
6fc6879b JM |
41 | struct radius_server_counters { |
42 | u32 access_requests; | |
43 | u32 invalid_requests; | |
44 | u32 dup_access_requests; | |
45 | u32 access_accepts; | |
46 | u32 access_rejects; | |
47 | u32 access_challenges; | |
48 | u32 malformed_access_requests; | |
49 | u32 bad_authenticators; | |
50 | u32 packets_dropped; | |
51 | u32 unknown_types; | |
52 | }; | |
53 | ||
362bd35f JM |
54 | /** |
55 | * struct radius_session - Internal RADIUS server data for a session | |
56 | */ | |
6fc6879b JM |
57 | struct radius_session { |
58 | struct radius_session *next; | |
59 | struct radius_client *client; | |
60 | struct radius_server_data *server; | |
61 | unsigned int sess_id; | |
62 | struct eap_sm *eap; | |
63 | struct eap_eapol_interface *eap_if; | |
64 | ||
65 | struct radius_msg *last_msg; | |
66 | char *last_from_addr; | |
67 | int last_from_port; | |
68 | struct sockaddr_storage last_from; | |
69 | socklen_t last_fromlen; | |
70 | u8 last_identifier; | |
71 | struct radius_msg *last_reply; | |
72 | u8 last_authenticator[16]; | |
73 | }; | |
74 | ||
362bd35f JM |
75 | /** |
76 | * struct radius_client - Internal RADIUS server data for a client | |
77 | */ | |
6fc6879b JM |
78 | struct radius_client { |
79 | struct radius_client *next; | |
80 | struct in_addr addr; | |
81 | struct in_addr mask; | |
82 | #ifdef CONFIG_IPV6 | |
83 | struct in6_addr addr6; | |
84 | struct in6_addr mask6; | |
85 | #endif /* CONFIG_IPV6 */ | |
86 | char *shared_secret; | |
87 | int shared_secret_len; | |
88 | struct radius_session *sessions; | |
89 | struct radius_server_counters counters; | |
90 | }; | |
91 | ||
362bd35f JM |
92 | /** |
93 | * struct radius_server_data - Internal RADIUS server data | |
94 | */ | |
6fc6879b | 95 | struct radius_server_data { |
362bd35f JM |
96 | /** |
97 | * auth_sock - Socket for RADIUS authentication messages | |
98 | */ | |
6fc6879b | 99 | int auth_sock; |
362bd35f JM |
100 | |
101 | /** | |
102 | * clients - List of authorized RADIUS clients | |
103 | */ | |
6fc6879b | 104 | struct radius_client *clients; |
362bd35f JM |
105 | |
106 | /** | |
107 | * next_sess_id - Next session identifier | |
108 | */ | |
6fc6879b | 109 | unsigned int next_sess_id; |
362bd35f JM |
110 | |
111 | /** | |
112 | * conf_ctx - Context pointer for callbacks | |
113 | * | |
114 | * This is used as the ctx argument in get_eap_user() calls. | |
115 | */ | |
6fc6879b | 116 | void *conf_ctx; |
362bd35f JM |
117 | |
118 | /** | |
119 | * num_sess - Number of active sessions | |
120 | */ | |
6fc6879b | 121 | int num_sess; |
362bd35f JM |
122 | |
123 | /** | |
124 | * eap_sim_db_priv - EAP-SIM/AKA database context | |
125 | * | |
126 | * This is passed to the EAP-SIM/AKA server implementation as a | |
127 | * callback context. | |
128 | */ | |
6fc6879b | 129 | void *eap_sim_db_priv; |
362bd35f JM |
130 | |
131 | /** | |
132 | * ssl_ctx - TLS context | |
133 | * | |
134 | * This is passed to the EAP server implementation as a callback | |
135 | * context for TLS operations. | |
136 | */ | |
6fc6879b | 137 | void *ssl_ctx; |
362bd35f JM |
138 | |
139 | /** | |
140 | * pac_opaque_encr_key - PAC-Opaque encryption key for EAP-FAST | |
141 | * | |
142 | * This parameter is used to set a key for EAP-FAST to encrypt the | |
143 | * PAC-Opaque data. It can be set to %NULL if EAP-FAST is not used. If | |
144 | * set, must point to a 16-octet key. | |
145 | */ | |
6fc6879b | 146 | u8 *pac_opaque_encr_key; |
362bd35f JM |
147 | |
148 | /** | |
149 | * eap_fast_a_id - EAP-FAST authority identity (A-ID) | |
150 | * | |
151 | * If EAP-FAST is not used, this can be set to %NULL. In theory, this | |
152 | * is a variable length field, but due to some existing implementations | |
153 | * requiring A-ID to be 16 octets in length, it is recommended to use | |
154 | * that length for the field to provide interoperability with deployed | |
155 | * peer implementations. | |
156 | */ | |
2d867244 | 157 | u8 *eap_fast_a_id; |
362bd35f JM |
158 | |
159 | /** | |
160 | * eap_fast_a_id_len - Length of eap_fast_a_id buffer in octets | |
161 | */ | |
2d867244 | 162 | size_t eap_fast_a_id_len; |
362bd35f JM |
163 | |
164 | /** | |
165 | * eap_fast_a_id_info - EAP-FAST authority identifier information | |
166 | * | |
167 | * This A-ID-Info contains a user-friendly name for the A-ID. For | |
168 | * example, this could be the enterprise and server names in | |
169 | * human-readable format. This field is encoded as UTF-8. If EAP-FAST | |
170 | * is not used, this can be set to %NULL. | |
171 | */ | |
2d867244 | 172 | char *eap_fast_a_id_info; |
362bd35f JM |
173 | |
174 | /** | |
175 | * eap_fast_prov - EAP-FAST provisioning modes | |
176 | * | |
177 | * 0 = provisioning disabled, 1 = only anonymous provisioning allowed, | |
178 | * 2 = only authenticated provisioning allowed, 3 = both provisioning | |
179 | * modes allowed. | |
180 | */ | |
378eae5e | 181 | int eap_fast_prov; |
362bd35f JM |
182 | |
183 | /** | |
184 | * pac_key_lifetime - EAP-FAST PAC-Key lifetime in seconds | |
185 | * | |
186 | * This is the hard limit on how long a provisioned PAC-Key can be | |
187 | * used. | |
188 | */ | |
a11c90a6 | 189 | int pac_key_lifetime; |
362bd35f JM |
190 | |
191 | /** | |
192 | * pac_key_refresh_time - EAP-FAST PAC-Key refresh time in seconds | |
193 | * | |
194 | * This is a soft limit on the PAC-Key. The server will automatically | |
195 | * generate a new PAC-Key when this number of seconds (or fewer) of the | |
196 | * lifetime remains. | |
197 | */ | |
a11c90a6 | 198 | int pac_key_refresh_time; |
362bd35f JM |
199 | |
200 | /** | |
201 | * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication | |
202 | * | |
203 | * This controls whether the protected success/failure indication | |
204 | * (AT_RESULT_IND) is used with EAP-SIM and EAP-AKA. | |
205 | */ | |
6fc6879b | 206 | int eap_sim_aka_result_ind; |
362bd35f JM |
207 | |
208 | /** | |
209 | * tnc - Trusted Network Connect (TNC) | |
210 | * | |
211 | * This controls whether TNC is enabled and will be required before the | |
212 | * peer is allowed to connect. Note: This is only used with EAP-TTLS | |
213 | * and EAP-FAST. If any other EAP method is enabled, the peer will be | |
214 | * allowed to connect without TNC. | |
215 | */ | |
c3e258ae | 216 | int tnc; |
362bd35f | 217 | |
df684d82 DH |
218 | /** |
219 | * pwd_group - The D-H group assigned for EAP-pwd | |
220 | * | |
221 | * If EAP-pwd is not used it can be set to zero. | |
222 | */ | |
223 | u16 pwd_group; | |
224 | ||
67fe933d JM |
225 | /** |
226 | * server_id - Server identity | |
227 | */ | |
228 | const char *server_id; | |
229 | ||
362bd35f JM |
230 | /** |
231 | * wps - Wi-Fi Protected Setup context | |
232 | * | |
233 | * If WPS is used with an external RADIUS server (which is quite | |
234 | * unlikely configuration), this is used to provide a pointer to WPS | |
235 | * context data. Normally, this can be set to %NULL. | |
236 | */ | |
ad08c363 | 237 | struct wps_context *wps; |
362bd35f JM |
238 | |
239 | /** | |
240 | * ipv6 - Whether to enable IPv6 support in the RADIUS server | |
241 | */ | |
6fc6879b | 242 | int ipv6; |
362bd35f JM |
243 | |
244 | /** | |
245 | * start_time - Timestamp of server start | |
246 | */ | |
6fc6879b | 247 | struct os_time start_time; |
362bd35f JM |
248 | |
249 | /** | |
250 | * counters - Statistics counters for server operations | |
251 | * | |
252 | * These counters are the sum over all clients. | |
253 | */ | |
6fc6879b | 254 | struct radius_server_counters counters; |
362bd35f JM |
255 | |
256 | /** | |
257 | * get_eap_user - Callback for fetching EAP user information | |
258 | * @ctx: Context data from conf_ctx | |
259 | * @identity: User identity | |
260 | * @identity_len: identity buffer length in octets | |
261 | * @phase2: Whether this is for Phase 2 identity | |
262 | * @user: Data structure for filling in the user information | |
263 | * Returns: 0 on success, -1 on failure | |
264 | * | |
265 | * This is used to fetch information from user database. The callback | |
266 | * will fill in information about allowed EAP methods and the user | |
267 | * password. The password field will be an allocated copy of the | |
268 | * password data and RADIUS server will free it after use. | |
269 | */ | |
6fc6879b JM |
270 | int (*get_eap_user)(void *ctx, const u8 *identity, size_t identity_len, |
271 | int phase2, struct eap_user *user); | |
362bd35f JM |
272 | |
273 | /** | |
274 | * eap_req_id_text - Optional data for EAP-Request/Identity | |
275 | * | |
276 | * This can be used to configure an optional, displayable message that | |
277 | * will be sent in EAP-Request/Identity. This string can contain an | |
278 | * ASCII-0 character (nul) to separate network infromation per RFC | |
279 | * 4284. The actual string length is explicit provided in | |
280 | * eap_req_id_text_len since nul character will not be used as a string | |
281 | * terminator. | |
282 | */ | |
65d50f0a | 283 | char *eap_req_id_text; |
362bd35f JM |
284 | |
285 | /** | |
286 | * eap_req_id_text_len - Length of eap_req_id_text buffer in octets | |
287 | */ | |
65d50f0a | 288 | size_t eap_req_id_text_len; |
bb437f28 GD |
289 | |
290 | /* | |
291 | * msg_ctx - Context data for wpa_msg() calls | |
292 | */ | |
293 | void *msg_ctx; | |
505a3694 JM |
294 | |
295 | #ifdef CONFIG_RADIUS_TEST | |
296 | char *dump_msk_file; | |
297 | #endif /* CONFIG_RADIUS_TEST */ | |
6fc6879b JM |
298 | }; |
299 | ||
300 | ||
301 | extern int wpa_debug_level; | |
302 | ||
303 | #define RADIUS_DEBUG(args...) \ | |
304 | wpa_printf(MSG_DEBUG, "RADIUS SRV: " args) | |
305 | #define RADIUS_ERROR(args...) \ | |
306 | wpa_printf(MSG_ERROR, "RADIUS SRV: " args) | |
307 | #define RADIUS_DUMP(args...) \ | |
308 | wpa_hexdump(MSG_MSGDUMP, "RADIUS SRV: " args) | |
309 | #define RADIUS_DUMP_ASCII(args...) \ | |
310 | wpa_hexdump_ascii(MSG_MSGDUMP, "RADIUS SRV: " args) | |
311 | ||
312 | ||
313 | static void radius_server_session_timeout(void *eloop_ctx, void *timeout_ctx); | |
f481459f JM |
314 | static void radius_server_session_remove_timeout(void *eloop_ctx, |
315 | void *timeout_ctx); | |
6fc6879b JM |
316 | |
317 | ||
318 | static struct radius_client * | |
319 | radius_server_get_client(struct radius_server_data *data, struct in_addr *addr, | |
320 | int ipv6) | |
321 | { | |
322 | struct radius_client *client = data->clients; | |
323 | ||
324 | while (client) { | |
325 | #ifdef CONFIG_IPV6 | |
326 | if (ipv6) { | |
327 | struct in6_addr *addr6; | |
328 | int i; | |
329 | ||
330 | addr6 = (struct in6_addr *) addr; | |
331 | for (i = 0; i < 16; i++) { | |
332 | if ((addr6->s6_addr[i] & | |
333 | client->mask6.s6_addr[i]) != | |
334 | (client->addr6.s6_addr[i] & | |
335 | client->mask6.s6_addr[i])) { | |
336 | i = 17; | |
337 | break; | |
338 | } | |
339 | } | |
340 | if (i == 16) { | |
341 | break; | |
342 | } | |
343 | } | |
344 | #endif /* CONFIG_IPV6 */ | |
345 | if (!ipv6 && (client->addr.s_addr & client->mask.s_addr) == | |
346 | (addr->s_addr & client->mask.s_addr)) { | |
347 | break; | |
348 | } | |
349 | ||
350 | client = client->next; | |
351 | } | |
352 | ||
353 | return client; | |
354 | } | |
355 | ||
356 | ||
357 | static struct radius_session * | |
358 | radius_server_get_session(struct radius_client *client, unsigned int sess_id) | |
359 | { | |
360 | struct radius_session *sess = client->sessions; | |
361 | ||
362 | while (sess) { | |
363 | if (sess->sess_id == sess_id) { | |
364 | break; | |
365 | } | |
366 | sess = sess->next; | |
367 | } | |
368 | ||
369 | return sess; | |
370 | } | |
371 | ||
372 | ||
373 | static void radius_server_session_free(struct radius_server_data *data, | |
374 | struct radius_session *sess) | |
375 | { | |
376 | eloop_cancel_timeout(radius_server_session_timeout, data, sess); | |
f481459f | 377 | eloop_cancel_timeout(radius_server_session_remove_timeout, data, sess); |
6fc6879b | 378 | eap_server_sm_deinit(sess->eap); |
9e7245bd | 379 | radius_msg_free(sess->last_msg); |
6fc6879b | 380 | os_free(sess->last_from_addr); |
9e7245bd | 381 | radius_msg_free(sess->last_reply); |
6fc6879b JM |
382 | os_free(sess); |
383 | data->num_sess--; | |
384 | } | |
385 | ||
386 | ||
6fc6879b JM |
387 | static void radius_server_session_remove(struct radius_server_data *data, |
388 | struct radius_session *sess) | |
389 | { | |
390 | struct radius_client *client = sess->client; | |
391 | struct radius_session *session, *prev; | |
392 | ||
393 | eloop_cancel_timeout(radius_server_session_remove_timeout, data, sess); | |
394 | ||
395 | prev = NULL; | |
396 | session = client->sessions; | |
397 | while (session) { | |
398 | if (session == sess) { | |
399 | if (prev == NULL) { | |
400 | client->sessions = sess->next; | |
401 | } else { | |
402 | prev->next = sess->next; | |
403 | } | |
404 | radius_server_session_free(data, sess); | |
405 | break; | |
406 | } | |
407 | prev = session; | |
408 | session = session->next; | |
409 | } | |
410 | } | |
411 | ||
412 | ||
413 | static void radius_server_session_remove_timeout(void *eloop_ctx, | |
414 | void *timeout_ctx) | |
415 | { | |
416 | struct radius_server_data *data = eloop_ctx; | |
417 | struct radius_session *sess = timeout_ctx; | |
418 | RADIUS_DEBUG("Removing completed session 0x%x", sess->sess_id); | |
419 | radius_server_session_remove(data, sess); | |
420 | } | |
421 | ||
422 | ||
423 | static void radius_server_session_timeout(void *eloop_ctx, void *timeout_ctx) | |
424 | { | |
425 | struct radius_server_data *data = eloop_ctx; | |
426 | struct radius_session *sess = timeout_ctx; | |
427 | ||
428 | RADIUS_DEBUG("Timing out authentication session 0x%x", sess->sess_id); | |
429 | radius_server_session_remove(data, sess); | |
430 | } | |
431 | ||
432 | ||
433 | static struct radius_session * | |
434 | radius_server_new_session(struct radius_server_data *data, | |
435 | struct radius_client *client) | |
436 | { | |
437 | struct radius_session *sess; | |
438 | ||
439 | if (data->num_sess >= RADIUS_MAX_SESSION) { | |
440 | RADIUS_DEBUG("Maximum number of existing session - no room " | |
441 | "for a new session"); | |
442 | return NULL; | |
443 | } | |
444 | ||
445 | sess = os_zalloc(sizeof(*sess)); | |
446 | if (sess == NULL) | |
447 | return NULL; | |
448 | ||
449 | sess->server = data; | |
450 | sess->client = client; | |
451 | sess->sess_id = data->next_sess_id++; | |
452 | sess->next = client->sessions; | |
453 | client->sessions = sess; | |
454 | eloop_register_timeout(RADIUS_SESSION_TIMEOUT, 0, | |
455 | radius_server_session_timeout, data, sess); | |
456 | data->num_sess++; | |
457 | return sess; | |
458 | } | |
459 | ||
460 | ||
461 | static struct radius_session * | |
462 | radius_server_get_new_session(struct radius_server_data *data, | |
463 | struct radius_client *client, | |
464 | struct radius_msg *msg) | |
465 | { | |
466 | u8 *user; | |
467 | size_t user_len; | |
468 | int res; | |
469 | struct radius_session *sess; | |
470 | struct eap_config eap_conf; | |
471 | ||
472 | RADIUS_DEBUG("Creating a new session"); | |
473 | ||
474 | user = os_malloc(256); | |
475 | if (user == NULL) { | |
476 | return NULL; | |
477 | } | |
478 | res = radius_msg_get_attr(msg, RADIUS_ATTR_USER_NAME, user, 256); | |
479 | if (res < 0 || res > 256) { | |
480 | RADIUS_DEBUG("Could not get User-Name"); | |
481 | os_free(user); | |
482 | return NULL; | |
483 | } | |
484 | user_len = res; | |
485 | RADIUS_DUMP_ASCII("User-Name", user, user_len); | |
486 | ||
487 | res = data->get_eap_user(data->conf_ctx, user, user_len, 0, NULL); | |
488 | os_free(user); | |
489 | ||
490 | if (res == 0) { | |
491 | RADIUS_DEBUG("Matching user entry found"); | |
492 | sess = radius_server_new_session(data, client); | |
493 | if (sess == NULL) { | |
494 | RADIUS_DEBUG("Failed to create a new session"); | |
495 | return NULL; | |
496 | } | |
497 | } else { | |
498 | RADIUS_DEBUG("User-Name not found from user database"); | |
499 | return NULL; | |
500 | } | |
501 | ||
502 | os_memset(&eap_conf, 0, sizeof(eap_conf)); | |
503 | eap_conf.ssl_ctx = data->ssl_ctx; | |
bb437f28 | 504 | eap_conf.msg_ctx = data->msg_ctx; |
6fc6879b JM |
505 | eap_conf.eap_sim_db_priv = data->eap_sim_db_priv; |
506 | eap_conf.backend_auth = TRUE; | |
507 | eap_conf.eap_server = 1; | |
508 | eap_conf.pac_opaque_encr_key = data->pac_opaque_encr_key; | |
509 | eap_conf.eap_fast_a_id = data->eap_fast_a_id; | |
2d867244 JM |
510 | eap_conf.eap_fast_a_id_len = data->eap_fast_a_id_len; |
511 | eap_conf.eap_fast_a_id_info = data->eap_fast_a_id_info; | |
378eae5e | 512 | eap_conf.eap_fast_prov = data->eap_fast_prov; |
a11c90a6 JM |
513 | eap_conf.pac_key_lifetime = data->pac_key_lifetime; |
514 | eap_conf.pac_key_refresh_time = data->pac_key_refresh_time; | |
6fc6879b | 515 | eap_conf.eap_sim_aka_result_ind = data->eap_sim_aka_result_ind; |
c3e258ae | 516 | eap_conf.tnc = data->tnc; |
ad08c363 | 517 | eap_conf.wps = data->wps; |
df684d82 | 518 | eap_conf.pwd_group = data->pwd_group; |
67fe933d JM |
519 | eap_conf.server_id = (const u8 *) data->server_id; |
520 | eap_conf.server_id_len = os_strlen(data->server_id); | |
6fc6879b JM |
521 | sess->eap = eap_server_sm_init(sess, &radius_server_eapol_cb, |
522 | &eap_conf); | |
523 | if (sess->eap == NULL) { | |
524 | RADIUS_DEBUG("Failed to initialize EAP state machine for the " | |
525 | "new session"); | |
526 | radius_server_session_free(data, sess); | |
527 | return NULL; | |
528 | } | |
529 | sess->eap_if = eap_get_interface(sess->eap); | |
530 | sess->eap_if->eapRestart = TRUE; | |
531 | sess->eap_if->portEnabled = TRUE; | |
532 | ||
533 | RADIUS_DEBUG("New session 0x%x initialized", sess->sess_id); | |
534 | ||
535 | return sess; | |
536 | } | |
537 | ||
538 | ||
539 | static struct radius_msg * | |
540 | radius_server_encapsulate_eap(struct radius_server_data *data, | |
541 | struct radius_client *client, | |
542 | struct radius_session *sess, | |
543 | struct radius_msg *request) | |
544 | { | |
545 | struct radius_msg *msg; | |
546 | int code; | |
547 | unsigned int sess_id; | |
1489e11a | 548 | struct radius_hdr *hdr = radius_msg_get_hdr(request); |
6fc6879b JM |
549 | |
550 | if (sess->eap_if->eapFail) { | |
551 | sess->eap_if->eapFail = FALSE; | |
552 | code = RADIUS_CODE_ACCESS_REJECT; | |
553 | } else if (sess->eap_if->eapSuccess) { | |
554 | sess->eap_if->eapSuccess = FALSE; | |
555 | code = RADIUS_CODE_ACCESS_ACCEPT; | |
556 | } else { | |
557 | sess->eap_if->eapReq = FALSE; | |
558 | code = RADIUS_CODE_ACCESS_CHALLENGE; | |
559 | } | |
560 | ||
1489e11a | 561 | msg = radius_msg_new(code, hdr->identifier); |
6fc6879b JM |
562 | if (msg == NULL) { |
563 | RADIUS_DEBUG("Failed to allocate reply message"); | |
564 | return NULL; | |
565 | } | |
566 | ||
567 | sess_id = htonl(sess->sess_id); | |
568 | if (code == RADIUS_CODE_ACCESS_CHALLENGE && | |
569 | !radius_msg_add_attr(msg, RADIUS_ATTR_STATE, | |
570 | (u8 *) &sess_id, sizeof(sess_id))) { | |
571 | RADIUS_DEBUG("Failed to add State attribute"); | |
572 | } | |
573 | ||
574 | if (sess->eap_if->eapReqData && | |
575 | !radius_msg_add_eap(msg, wpabuf_head(sess->eap_if->eapReqData), | |
576 | wpabuf_len(sess->eap_if->eapReqData))) { | |
577 | RADIUS_DEBUG("Failed to add EAP-Message attribute"); | |
578 | } | |
579 | ||
580 | if (code == RADIUS_CODE_ACCESS_ACCEPT && sess->eap_if->eapKeyData) { | |
581 | int len; | |
505a3694 JM |
582 | #ifdef CONFIG_RADIUS_TEST |
583 | if (data->dump_msk_file) { | |
584 | FILE *f; | |
585 | char buf[2 * 64 + 1]; | |
586 | f = fopen(data->dump_msk_file, "a"); | |
587 | if (f) { | |
588 | len = sess->eap_if->eapKeyDataLen; | |
589 | if (len > 64) | |
590 | len = 64; | |
591 | len = wpa_snprintf_hex( | |
592 | buf, sizeof(buf), | |
593 | sess->eap_if->eapKeyData, len); | |
594 | buf[len] = '\0'; | |
595 | fprintf(f, "%s\n", buf); | |
596 | fclose(f); | |
597 | } | |
598 | } | |
599 | #endif /* CONFIG_RADIUS_TEST */ | |
6fc6879b JM |
600 | if (sess->eap_if->eapKeyDataLen > 64) { |
601 | len = 32; | |
602 | } else { | |
603 | len = sess->eap_if->eapKeyDataLen / 2; | |
604 | } | |
1489e11a | 605 | if (!radius_msg_add_mppe_keys(msg, hdr->authenticator, |
6fc6879b JM |
606 | (u8 *) client->shared_secret, |
607 | client->shared_secret_len, | |
608 | sess->eap_if->eapKeyData + len, | |
609 | len, sess->eap_if->eapKeyData, | |
610 | len)) { | |
611 | RADIUS_DEBUG("Failed to add MPPE key attributes"); | |
612 | } | |
613 | } | |
614 | ||
615 | if (radius_msg_copy_attr(msg, request, RADIUS_ATTR_PROXY_STATE) < 0) { | |
616 | RADIUS_DEBUG("Failed to copy Proxy-State attribute(s)"); | |
617 | radius_msg_free(msg); | |
6fc6879b JM |
618 | return NULL; |
619 | } | |
620 | ||
621 | if (radius_msg_finish_srv(msg, (u8 *) client->shared_secret, | |
622 | client->shared_secret_len, | |
1489e11a | 623 | hdr->authenticator) < 0) { |
6fc6879b JM |
624 | RADIUS_DEBUG("Failed to add Message-Authenticator attribute"); |
625 | } | |
626 | ||
627 | return msg; | |
628 | } | |
629 | ||
630 | ||
631 | static int radius_server_reject(struct radius_server_data *data, | |
632 | struct radius_client *client, | |
633 | struct radius_msg *request, | |
634 | struct sockaddr *from, socklen_t fromlen, | |
635 | const char *from_addr, int from_port) | |
636 | { | |
637 | struct radius_msg *msg; | |
638 | int ret = 0; | |
639 | struct eap_hdr eapfail; | |
1489e11a JM |
640 | struct wpabuf *buf; |
641 | struct radius_hdr *hdr = radius_msg_get_hdr(request); | |
6fc6879b JM |
642 | |
643 | RADIUS_DEBUG("Reject invalid request from %s:%d", | |
644 | from_addr, from_port); | |
645 | ||
1489e11a | 646 | msg = radius_msg_new(RADIUS_CODE_ACCESS_REJECT, hdr->identifier); |
6fc6879b JM |
647 | if (msg == NULL) { |
648 | return -1; | |
649 | } | |
650 | ||
651 | os_memset(&eapfail, 0, sizeof(eapfail)); | |
652 | eapfail.code = EAP_CODE_FAILURE; | |
653 | eapfail.identifier = 0; | |
654 | eapfail.length = host_to_be16(sizeof(eapfail)); | |
655 | ||
656 | if (!radius_msg_add_eap(msg, (u8 *) &eapfail, sizeof(eapfail))) { | |
657 | RADIUS_DEBUG("Failed to add EAP-Message attribute"); | |
658 | } | |
659 | ||
660 | if (radius_msg_copy_attr(msg, request, RADIUS_ATTR_PROXY_STATE) < 0) { | |
661 | RADIUS_DEBUG("Failed to copy Proxy-State attribute(s)"); | |
662 | radius_msg_free(msg); | |
6fc6879b JM |
663 | return -1; |
664 | } | |
665 | ||
666 | if (radius_msg_finish_srv(msg, (u8 *) client->shared_secret, | |
667 | client->shared_secret_len, | |
1489e11a JM |
668 | hdr->authenticator) < |
669 | 0) { | |
6fc6879b JM |
670 | RADIUS_DEBUG("Failed to add Message-Authenticator attribute"); |
671 | } | |
672 | ||
673 | if (wpa_debug_level <= MSG_MSGDUMP) { | |
674 | radius_msg_dump(msg); | |
675 | } | |
676 | ||
677 | data->counters.access_rejects++; | |
678 | client->counters.access_rejects++; | |
1489e11a JM |
679 | buf = radius_msg_get_buf(msg); |
680 | if (sendto(data->auth_sock, wpabuf_head(buf), wpabuf_len(buf), 0, | |
6fc6879b JM |
681 | (struct sockaddr *) from, sizeof(*from)) < 0) { |
682 | perror("sendto[RADIUS SRV]"); | |
683 | ret = -1; | |
684 | } | |
685 | ||
686 | radius_msg_free(msg); | |
6fc6879b JM |
687 | |
688 | return ret; | |
689 | } | |
690 | ||
691 | ||
692 | static int radius_server_request(struct radius_server_data *data, | |
693 | struct radius_msg *msg, | |
694 | struct sockaddr *from, socklen_t fromlen, | |
695 | struct radius_client *client, | |
696 | const char *from_addr, int from_port, | |
697 | struct radius_session *force_sess) | |
698 | { | |
e100828b | 699 | struct wpabuf *eap = NULL; |
6fc6879b JM |
700 | int res, state_included = 0; |
701 | u8 statebuf[4]; | |
702 | unsigned int state; | |
703 | struct radius_session *sess; | |
704 | struct radius_msg *reply; | |
7598210b | 705 | int is_complete = 0; |
6fc6879b JM |
706 | |
707 | if (force_sess) | |
708 | sess = force_sess; | |
709 | else { | |
710 | res = radius_msg_get_attr(msg, RADIUS_ATTR_STATE, statebuf, | |
711 | sizeof(statebuf)); | |
712 | state_included = res >= 0; | |
713 | if (res == sizeof(statebuf)) { | |
714 | state = WPA_GET_BE32(statebuf); | |
715 | sess = radius_server_get_session(client, state); | |
716 | } else { | |
717 | sess = NULL; | |
718 | } | |
719 | } | |
720 | ||
721 | if (sess) { | |
722 | RADIUS_DEBUG("Request for session 0x%x", sess->sess_id); | |
723 | } else if (state_included) { | |
724 | RADIUS_DEBUG("State attribute included but no session found"); | |
725 | radius_server_reject(data, client, msg, from, fromlen, | |
726 | from_addr, from_port); | |
727 | return -1; | |
728 | } else { | |
729 | sess = radius_server_get_new_session(data, client, msg); | |
730 | if (sess == NULL) { | |
731 | RADIUS_DEBUG("Could not create a new session"); | |
732 | radius_server_reject(data, client, msg, from, fromlen, | |
733 | from_addr, from_port); | |
734 | return -1; | |
735 | } | |
736 | } | |
737 | ||
738 | if (sess->last_from_port == from_port && | |
1489e11a JM |
739 | sess->last_identifier == radius_msg_get_hdr(msg)->identifier && |
740 | os_memcmp(sess->last_authenticator, | |
741 | radius_msg_get_hdr(msg)->authenticator, 16) == 0) { | |
6fc6879b JM |
742 | RADIUS_DEBUG("Duplicate message from %s", from_addr); |
743 | data->counters.dup_access_requests++; | |
744 | client->counters.dup_access_requests++; | |
745 | ||
746 | if (sess->last_reply) { | |
1489e11a JM |
747 | struct wpabuf *buf; |
748 | buf = radius_msg_get_buf(sess->last_reply); | |
749 | res = sendto(data->auth_sock, wpabuf_head(buf), | |
750 | wpabuf_len(buf), 0, | |
6fc6879b JM |
751 | (struct sockaddr *) from, fromlen); |
752 | if (res < 0) { | |
753 | perror("sendto[RADIUS SRV]"); | |
754 | } | |
755 | return 0; | |
756 | } | |
757 | ||
758 | RADIUS_DEBUG("No previous reply available for duplicate " | |
759 | "message"); | |
760 | return -1; | |
761 | } | |
762 | ||
e100828b | 763 | eap = radius_msg_get_eap(msg); |
6fc6879b JM |
764 | if (eap == NULL) { |
765 | RADIUS_DEBUG("No EAP-Message in RADIUS packet from %s", | |
766 | from_addr); | |
767 | data->counters.packets_dropped++; | |
768 | client->counters.packets_dropped++; | |
769 | return -1; | |
770 | } | |
771 | ||
e100828b | 772 | RADIUS_DUMP("Received EAP data", wpabuf_head(eap), wpabuf_len(eap)); |
6fc6879b JM |
773 | |
774 | /* FIX: if Code is Request, Success, or Failure, send Access-Reject; | |
775 | * RFC3579 Sect. 2.6.2. | |
776 | * Include EAP-Response/Nak with no preferred method if | |
777 | * code == request. | |
778 | * If code is not 1-4, discard the packet silently. | |
779 | * Or is this already done by the EAP state machine? */ | |
780 | ||
781 | wpabuf_free(sess->eap_if->eapRespData); | |
e100828b | 782 | sess->eap_if->eapRespData = eap; |
6fc6879b JM |
783 | sess->eap_if->eapResp = TRUE; |
784 | eap_server_sm_step(sess->eap); | |
785 | ||
786 | if ((sess->eap_if->eapReq || sess->eap_if->eapSuccess || | |
787 | sess->eap_if->eapFail) && sess->eap_if->eapReqData) { | |
788 | RADIUS_DUMP("EAP data from the state machine", | |
789 | wpabuf_head(sess->eap_if->eapReqData), | |
790 | wpabuf_len(sess->eap_if->eapReqData)); | |
791 | } else if (sess->eap_if->eapFail) { | |
792 | RADIUS_DEBUG("No EAP data from the state machine, but eapFail " | |
793 | "set"); | |
794 | } else if (eap_sm_method_pending(sess->eap)) { | |
9e7245bd | 795 | radius_msg_free(sess->last_msg); |
6fc6879b JM |
796 | sess->last_msg = msg; |
797 | sess->last_from_port = from_port; | |
798 | os_free(sess->last_from_addr); | |
799 | sess->last_from_addr = os_strdup(from_addr); | |
800 | sess->last_fromlen = fromlen; | |
801 | os_memcpy(&sess->last_from, from, fromlen); | |
802 | return -2; | |
803 | } else { | |
804 | RADIUS_DEBUG("No EAP data from the state machine - ignore this" | |
805 | " Access-Request silently (assuming it was a " | |
806 | "duplicate)"); | |
807 | data->counters.packets_dropped++; | |
808 | client->counters.packets_dropped++; | |
809 | return -1; | |
810 | } | |
811 | ||
7598210b AB |
812 | if (sess->eap_if->eapSuccess || sess->eap_if->eapFail) |
813 | is_complete = 1; | |
814 | ||
6fc6879b JM |
815 | reply = radius_server_encapsulate_eap(data, client, sess, msg); |
816 | ||
817 | if (reply) { | |
1489e11a JM |
818 | struct wpabuf *buf; |
819 | struct radius_hdr *hdr; | |
820 | ||
6fc6879b JM |
821 | RADIUS_DEBUG("Reply to %s:%d", from_addr, from_port); |
822 | if (wpa_debug_level <= MSG_MSGDUMP) { | |
823 | radius_msg_dump(reply); | |
824 | } | |
825 | ||
1489e11a | 826 | switch (radius_msg_get_hdr(reply)->code) { |
6fc6879b JM |
827 | case RADIUS_CODE_ACCESS_ACCEPT: |
828 | data->counters.access_accepts++; | |
829 | client->counters.access_accepts++; | |
830 | break; | |
831 | case RADIUS_CODE_ACCESS_REJECT: | |
832 | data->counters.access_rejects++; | |
833 | client->counters.access_rejects++; | |
834 | break; | |
835 | case RADIUS_CODE_ACCESS_CHALLENGE: | |
836 | data->counters.access_challenges++; | |
837 | client->counters.access_challenges++; | |
838 | break; | |
839 | } | |
1489e11a JM |
840 | buf = radius_msg_get_buf(reply); |
841 | res = sendto(data->auth_sock, wpabuf_head(buf), | |
842 | wpabuf_len(buf), 0, | |
6fc6879b JM |
843 | (struct sockaddr *) from, fromlen); |
844 | if (res < 0) { | |
845 | perror("sendto[RADIUS SRV]"); | |
846 | } | |
9e7245bd | 847 | radius_msg_free(sess->last_reply); |
6fc6879b JM |
848 | sess->last_reply = reply; |
849 | sess->last_from_port = from_port; | |
1489e11a JM |
850 | hdr = radius_msg_get_hdr(msg); |
851 | sess->last_identifier = hdr->identifier; | |
852 | os_memcpy(sess->last_authenticator, hdr->authenticator, 16); | |
6fc6879b JM |
853 | } else { |
854 | data->counters.packets_dropped++; | |
855 | client->counters.packets_dropped++; | |
856 | } | |
857 | ||
7598210b | 858 | if (is_complete) { |
6fc6879b JM |
859 | RADIUS_DEBUG("Removing completed session 0x%x after timeout", |
860 | sess->sess_id); | |
861 | eloop_cancel_timeout(radius_server_session_remove_timeout, | |
862 | data, sess); | |
863 | eloop_register_timeout(10, 0, | |
864 | radius_server_session_remove_timeout, | |
865 | data, sess); | |
866 | } | |
867 | ||
868 | return 0; | |
869 | } | |
870 | ||
871 | ||
872 | static void radius_server_receive_auth(int sock, void *eloop_ctx, | |
873 | void *sock_ctx) | |
874 | { | |
875 | struct radius_server_data *data = eloop_ctx; | |
876 | u8 *buf = NULL; | |
5a641ae0 JM |
877 | union { |
878 | struct sockaddr_storage ss; | |
879 | struct sockaddr_in sin; | |
880 | #ifdef CONFIG_IPV6 | |
881 | struct sockaddr_in6 sin6; | |
882 | #endif /* CONFIG_IPV6 */ | |
883 | } from; | |
6fc6879b JM |
884 | socklen_t fromlen; |
885 | int len; | |
886 | struct radius_client *client = NULL; | |
887 | struct radius_msg *msg = NULL; | |
888 | char abuf[50]; | |
889 | int from_port = 0; | |
890 | ||
891 | buf = os_malloc(RADIUS_MAX_MSG_LEN); | |
892 | if (buf == NULL) { | |
893 | goto fail; | |
894 | } | |
895 | ||
896 | fromlen = sizeof(from); | |
897 | len = recvfrom(sock, buf, RADIUS_MAX_MSG_LEN, 0, | |
5a641ae0 | 898 | (struct sockaddr *) &from.ss, &fromlen); |
6fc6879b JM |
899 | if (len < 0) { |
900 | perror("recvfrom[radius_server]"); | |
901 | goto fail; | |
902 | } | |
903 | ||
904 | #ifdef CONFIG_IPV6 | |
905 | if (data->ipv6) { | |
5a641ae0 JM |
906 | if (inet_ntop(AF_INET6, &from.sin6.sin6_addr, abuf, |
907 | sizeof(abuf)) == NULL) | |
6fc6879b | 908 | abuf[0] = '\0'; |
5a641ae0 | 909 | from_port = ntohs(from.sin6.sin6_port); |
6fc6879b JM |
910 | RADIUS_DEBUG("Received %d bytes from %s:%d", |
911 | len, abuf, from_port); | |
912 | ||
913 | client = radius_server_get_client(data, | |
914 | (struct in_addr *) | |
5a641ae0 | 915 | &from.sin6.sin6_addr, 1); |
6fc6879b JM |
916 | } |
917 | #endif /* CONFIG_IPV6 */ | |
918 | ||
919 | if (!data->ipv6) { | |
5a641ae0 JM |
920 | os_strlcpy(abuf, inet_ntoa(from.sin.sin_addr), sizeof(abuf)); |
921 | from_port = ntohs(from.sin.sin_port); | |
6fc6879b JM |
922 | RADIUS_DEBUG("Received %d bytes from %s:%d", |
923 | len, abuf, from_port); | |
924 | ||
5a641ae0 | 925 | client = radius_server_get_client(data, &from.sin.sin_addr, 0); |
6fc6879b JM |
926 | } |
927 | ||
928 | RADIUS_DUMP("Received data", buf, len); | |
929 | ||
930 | if (client == NULL) { | |
931 | RADIUS_DEBUG("Unknown client %s - packet ignored", abuf); | |
932 | data->counters.invalid_requests++; | |
933 | goto fail; | |
934 | } | |
935 | ||
936 | msg = radius_msg_parse(buf, len); | |
937 | if (msg == NULL) { | |
938 | RADIUS_DEBUG("Parsing incoming RADIUS frame failed"); | |
939 | data->counters.malformed_access_requests++; | |
940 | client->counters.malformed_access_requests++; | |
941 | goto fail; | |
942 | } | |
943 | ||
944 | os_free(buf); | |
945 | buf = NULL; | |
946 | ||
947 | if (wpa_debug_level <= MSG_MSGDUMP) { | |
948 | radius_msg_dump(msg); | |
949 | } | |
950 | ||
1489e11a JM |
951 | if (radius_msg_get_hdr(msg)->code != RADIUS_CODE_ACCESS_REQUEST) { |
952 | RADIUS_DEBUG("Unexpected RADIUS code %d", | |
953 | radius_msg_get_hdr(msg)->code); | |
6fc6879b JM |
954 | data->counters.unknown_types++; |
955 | client->counters.unknown_types++; | |
956 | goto fail; | |
957 | } | |
958 | ||
959 | data->counters.access_requests++; | |
960 | client->counters.access_requests++; | |
961 | ||
962 | if (radius_msg_verify_msg_auth(msg, (u8 *) client->shared_secret, | |
963 | client->shared_secret_len, NULL)) { | |
964 | RADIUS_DEBUG("Invalid Message-Authenticator from %s", abuf); | |
965 | data->counters.bad_authenticators++; | |
966 | client->counters.bad_authenticators++; | |
967 | goto fail; | |
968 | } | |
969 | ||
970 | if (radius_server_request(data, msg, (struct sockaddr *) &from, | |
971 | fromlen, client, abuf, from_port, NULL) == | |
972 | -2) | |
973 | return; /* msg was stored with the session */ | |
974 | ||
975 | fail: | |
9e7245bd | 976 | radius_msg_free(msg); |
6fc6879b JM |
977 | os_free(buf); |
978 | } | |
979 | ||
980 | ||
5cd89c26 JM |
981 | static int radius_server_disable_pmtu_discovery(int s) |
982 | { | |
983 | int r = -1; | |
984 | #if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT) | |
985 | /* Turn off Path MTU discovery on IPv4/UDP sockets. */ | |
986 | int action = IP_PMTUDISC_DONT; | |
987 | r = setsockopt(s, IPPROTO_IP, IP_MTU_DISCOVER, &action, | |
988 | sizeof(action)); | |
989 | if (r == -1) | |
990 | wpa_printf(MSG_ERROR, "Failed to set IP_MTU_DISCOVER: " | |
991 | "%s", strerror(errno)); | |
992 | #endif | |
993 | return r; | |
994 | } | |
995 | ||
996 | ||
6fc6879b JM |
997 | static int radius_server_open_socket(int port) |
998 | { | |
999 | int s; | |
1000 | struct sockaddr_in addr; | |
1001 | ||
1002 | s = socket(PF_INET, SOCK_DGRAM, 0); | |
1003 | if (s < 0) { | |
1004 | perror("socket"); | |
1005 | return -1; | |
1006 | } | |
1007 | ||
5cd89c26 JM |
1008 | radius_server_disable_pmtu_discovery(s); |
1009 | ||
6fc6879b JM |
1010 | os_memset(&addr, 0, sizeof(addr)); |
1011 | addr.sin_family = AF_INET; | |
1012 | addr.sin_port = htons(port); | |
1013 | if (bind(s, (struct sockaddr *) &addr, sizeof(addr)) < 0) { | |
1014 | perror("bind"); | |
1015 | close(s); | |
1016 | return -1; | |
1017 | } | |
1018 | ||
1019 | return s; | |
1020 | } | |
1021 | ||
1022 | ||
1023 | #ifdef CONFIG_IPV6 | |
1024 | static int radius_server_open_socket6(int port) | |
1025 | { | |
1026 | int s; | |
1027 | struct sockaddr_in6 addr; | |
1028 | ||
1029 | s = socket(PF_INET6, SOCK_DGRAM, 0); | |
1030 | if (s < 0) { | |
1031 | perror("socket[IPv6]"); | |
1032 | return -1; | |
1033 | } | |
1034 | ||
1035 | os_memset(&addr, 0, sizeof(addr)); | |
1036 | addr.sin6_family = AF_INET6; | |
1037 | os_memcpy(&addr.sin6_addr, &in6addr_any, sizeof(in6addr_any)); | |
1038 | addr.sin6_port = htons(port); | |
1039 | if (bind(s, (struct sockaddr *) &addr, sizeof(addr)) < 0) { | |
1040 | perror("bind"); | |
1041 | close(s); | |
1042 | return -1; | |
1043 | } | |
1044 | ||
1045 | return s; | |
1046 | } | |
1047 | #endif /* CONFIG_IPV6 */ | |
1048 | ||
1049 | ||
1050 | static void radius_server_free_sessions(struct radius_server_data *data, | |
1051 | struct radius_session *sessions) | |
1052 | { | |
1053 | struct radius_session *session, *prev; | |
1054 | ||
1055 | session = sessions; | |
1056 | while (session) { | |
1057 | prev = session; | |
1058 | session = session->next; | |
1059 | radius_server_session_free(data, prev); | |
1060 | } | |
1061 | } | |
1062 | ||
1063 | ||
1064 | static void radius_server_free_clients(struct radius_server_data *data, | |
1065 | struct radius_client *clients) | |
1066 | { | |
1067 | struct radius_client *client, *prev; | |
1068 | ||
1069 | client = clients; | |
1070 | while (client) { | |
1071 | prev = client; | |
1072 | client = client->next; | |
1073 | ||
1074 | radius_server_free_sessions(data, prev->sessions); | |
1075 | os_free(prev->shared_secret); | |
1076 | os_free(prev); | |
1077 | } | |
1078 | } | |
1079 | ||
1080 | ||
1081 | static struct radius_client * | |
1082 | radius_server_read_clients(const char *client_file, int ipv6) | |
1083 | { | |
1084 | FILE *f; | |
1085 | const int buf_size = 1024; | |
1086 | char *buf, *pos; | |
1087 | struct radius_client *clients, *tail, *entry; | |
1088 | int line = 0, mask, failed = 0, i; | |
1089 | struct in_addr addr; | |
1090 | #ifdef CONFIG_IPV6 | |
1091 | struct in6_addr addr6; | |
1092 | #endif /* CONFIG_IPV6 */ | |
1093 | unsigned int val; | |
1094 | ||
1095 | f = fopen(client_file, "r"); | |
1096 | if (f == NULL) { | |
1097 | RADIUS_ERROR("Could not open client file '%s'", client_file); | |
1098 | return NULL; | |
1099 | } | |
1100 | ||
1101 | buf = os_malloc(buf_size); | |
1102 | if (buf == NULL) { | |
1103 | fclose(f); | |
1104 | return NULL; | |
1105 | } | |
1106 | ||
1107 | clients = tail = NULL; | |
1108 | while (fgets(buf, buf_size, f)) { | |
1109 | /* Configuration file format: | |
1110 | * 192.168.1.0/24 secret | |
1111 | * 192.168.1.2 secret | |
1112 | * fe80::211:22ff:fe33:4455/64 secretipv6 | |
1113 | */ | |
1114 | line++; | |
1115 | buf[buf_size - 1] = '\0'; | |
1116 | pos = buf; | |
1117 | while (*pos != '\0' && *pos != '\n') | |
1118 | pos++; | |
1119 | if (*pos == '\n') | |
1120 | *pos = '\0'; | |
1121 | if (*buf == '\0' || *buf == '#') | |
1122 | continue; | |
1123 | ||
1124 | pos = buf; | |
1125 | while ((*pos >= '0' && *pos <= '9') || *pos == '.' || | |
1126 | (*pos >= 'a' && *pos <= 'f') || *pos == ':' || | |
1127 | (*pos >= 'A' && *pos <= 'F')) { | |
1128 | pos++; | |
1129 | } | |
1130 | ||
1131 | if (*pos == '\0') { | |
1132 | failed = 1; | |
1133 | break; | |
1134 | } | |
1135 | ||
1136 | if (*pos == '/') { | |
1137 | char *end; | |
1138 | *pos++ = '\0'; | |
1139 | mask = strtol(pos, &end, 10); | |
1140 | if ((pos == end) || | |
1141 | (mask < 0 || mask > (ipv6 ? 128 : 32))) { | |
1142 | failed = 1; | |
1143 | break; | |
1144 | } | |
1145 | pos = end; | |
1146 | } else { | |
1147 | mask = ipv6 ? 128 : 32; | |
1148 | *pos++ = '\0'; | |
1149 | } | |
1150 | ||
1151 | if (!ipv6 && inet_aton(buf, &addr) == 0) { | |
1152 | failed = 1; | |
1153 | break; | |
1154 | } | |
1155 | #ifdef CONFIG_IPV6 | |
1156 | if (ipv6 && inet_pton(AF_INET6, buf, &addr6) <= 0) { | |
1157 | if (inet_pton(AF_INET, buf, &addr) <= 0) { | |
1158 | failed = 1; | |
1159 | break; | |
1160 | } | |
1161 | /* Convert IPv4 address to IPv6 */ | |
1162 | if (mask <= 32) | |
1163 | mask += (128 - 32); | |
1164 | os_memset(addr6.s6_addr, 0, 10); | |
1165 | addr6.s6_addr[10] = 0xff; | |
1166 | addr6.s6_addr[11] = 0xff; | |
1167 | os_memcpy(addr6.s6_addr + 12, (char *) &addr.s_addr, | |
1168 | 4); | |
1169 | } | |
1170 | #endif /* CONFIG_IPV6 */ | |
1171 | ||
1172 | while (*pos == ' ' || *pos == '\t') { | |
1173 | pos++; | |
1174 | } | |
1175 | ||
1176 | if (*pos == '\0') { | |
1177 | failed = 1; | |
1178 | break; | |
1179 | } | |
1180 | ||
1181 | entry = os_zalloc(sizeof(*entry)); | |
1182 | if (entry == NULL) { | |
1183 | failed = 1; | |
1184 | break; | |
1185 | } | |
1186 | entry->shared_secret = os_strdup(pos); | |
1187 | if (entry->shared_secret == NULL) { | |
1188 | failed = 1; | |
1189 | os_free(entry); | |
1190 | break; | |
1191 | } | |
1192 | entry->shared_secret_len = os_strlen(entry->shared_secret); | |
1193 | entry->addr.s_addr = addr.s_addr; | |
1194 | if (!ipv6) { | |
1195 | val = 0; | |
1196 | for (i = 0; i < mask; i++) | |
1197 | val |= 1 << (31 - i); | |
1198 | entry->mask.s_addr = htonl(val); | |
1199 | } | |
1200 | #ifdef CONFIG_IPV6 | |
1201 | if (ipv6) { | |
1202 | int offset = mask / 8; | |
1203 | ||
1204 | os_memcpy(entry->addr6.s6_addr, addr6.s6_addr, 16); | |
1205 | os_memset(entry->mask6.s6_addr, 0xff, offset); | |
1206 | val = 0; | |
1207 | for (i = 0; i < (mask % 8); i++) | |
1208 | val |= 1 << (7 - i); | |
1209 | if (offset < 16) | |
1210 | entry->mask6.s6_addr[offset] = val; | |
1211 | } | |
1212 | #endif /* CONFIG_IPV6 */ | |
1213 | ||
1214 | if (tail == NULL) { | |
1215 | clients = tail = entry; | |
1216 | } else { | |
1217 | tail->next = entry; | |
1218 | tail = entry; | |
1219 | } | |
1220 | } | |
1221 | ||
1222 | if (failed) { | |
1223 | RADIUS_ERROR("Invalid line %d in '%s'", line, client_file); | |
1224 | radius_server_free_clients(NULL, clients); | |
1225 | clients = NULL; | |
1226 | } | |
1227 | ||
1228 | os_free(buf); | |
1229 | fclose(f); | |
1230 | ||
1231 | return clients; | |
1232 | } | |
1233 | ||
1234 | ||
362bd35f JM |
1235 | /** |
1236 | * radius_server_init - Initialize RADIUS server | |
1237 | * @conf: Configuration for the RADIUS server | |
1238 | * Returns: Pointer to private RADIUS server context or %NULL on failure | |
1239 | * | |
1240 | * This initializes a RADIUS server instance and returns a context pointer that | |
1241 | * will be used in other calls to the RADIUS server module. The server can be | |
1242 | * deinitialize by calling radius_server_deinit(). | |
1243 | */ | |
6fc6879b JM |
1244 | struct radius_server_data * |
1245 | radius_server_init(struct radius_server_conf *conf) | |
1246 | { | |
1247 | struct radius_server_data *data; | |
1248 | ||
1249 | #ifndef CONFIG_IPV6 | |
1250 | if (conf->ipv6) { | |
1251 | fprintf(stderr, "RADIUS server compiled without IPv6 " | |
1252 | "support.\n"); | |
1253 | return NULL; | |
1254 | } | |
1255 | #endif /* CONFIG_IPV6 */ | |
1256 | ||
1257 | data = os_zalloc(sizeof(*data)); | |
1258 | if (data == NULL) | |
1259 | return NULL; | |
1260 | ||
1261 | os_get_time(&data->start_time); | |
1262 | data->conf_ctx = conf->conf_ctx; | |
1263 | data->eap_sim_db_priv = conf->eap_sim_db_priv; | |
1264 | data->ssl_ctx = conf->ssl_ctx; | |
bb437f28 | 1265 | data->msg_ctx = conf->msg_ctx; |
6fc6879b JM |
1266 | data->ipv6 = conf->ipv6; |
1267 | if (conf->pac_opaque_encr_key) { | |
1268 | data->pac_opaque_encr_key = os_malloc(16); | |
1269 | os_memcpy(data->pac_opaque_encr_key, conf->pac_opaque_encr_key, | |
1270 | 16); | |
1271 | } | |
2d867244 JM |
1272 | if (conf->eap_fast_a_id) { |
1273 | data->eap_fast_a_id = os_malloc(conf->eap_fast_a_id_len); | |
1274 | if (data->eap_fast_a_id) { | |
1275 | os_memcpy(data->eap_fast_a_id, conf->eap_fast_a_id, | |
1276 | conf->eap_fast_a_id_len); | |
1277 | data->eap_fast_a_id_len = conf->eap_fast_a_id_len; | |
1278 | } | |
1279 | } | |
1280 | if (conf->eap_fast_a_id_info) | |
1281 | data->eap_fast_a_id_info = os_strdup(conf->eap_fast_a_id_info); | |
378eae5e | 1282 | data->eap_fast_prov = conf->eap_fast_prov; |
a11c90a6 JM |
1283 | data->pac_key_lifetime = conf->pac_key_lifetime; |
1284 | data->pac_key_refresh_time = conf->pac_key_refresh_time; | |
6fc6879b JM |
1285 | data->get_eap_user = conf->get_eap_user; |
1286 | data->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind; | |
c3e258ae | 1287 | data->tnc = conf->tnc; |
ad08c363 | 1288 | data->wps = conf->wps; |
df684d82 | 1289 | data->pwd_group = conf->pwd_group; |
67fe933d | 1290 | data->server_id = conf->server_id; |
65d50f0a JM |
1291 | if (conf->eap_req_id_text) { |
1292 | data->eap_req_id_text = os_malloc(conf->eap_req_id_text_len); | |
1293 | if (data->eap_req_id_text) { | |
1294 | os_memcpy(data->eap_req_id_text, conf->eap_req_id_text, | |
1295 | conf->eap_req_id_text_len); | |
1296 | data->eap_req_id_text_len = conf->eap_req_id_text_len; | |
1297 | } | |
1298 | } | |
6fc6879b | 1299 | |
505a3694 JM |
1300 | #ifdef CONFIG_RADIUS_TEST |
1301 | if (conf->dump_msk_file) | |
1302 | data->dump_msk_file = os_strdup(conf->dump_msk_file); | |
1303 | #endif /* CONFIG_RADIUS_TEST */ | |
1304 | ||
6fc6879b JM |
1305 | data->clients = radius_server_read_clients(conf->client_file, |
1306 | conf->ipv6); | |
1307 | if (data->clients == NULL) { | |
1308 | printf("No RADIUS clients configured.\n"); | |
1309 | radius_server_deinit(data); | |
1310 | return NULL; | |
1311 | } | |
1312 | ||
1313 | #ifdef CONFIG_IPV6 | |
1314 | if (conf->ipv6) | |
1315 | data->auth_sock = radius_server_open_socket6(conf->auth_port); | |
1316 | else | |
1317 | #endif /* CONFIG_IPV6 */ | |
1318 | data->auth_sock = radius_server_open_socket(conf->auth_port); | |
1319 | if (data->auth_sock < 0) { | |
1320 | printf("Failed to open UDP socket for RADIUS authentication " | |
1321 | "server\n"); | |
1322 | radius_server_deinit(data); | |
1323 | return NULL; | |
1324 | } | |
1325 | if (eloop_register_read_sock(data->auth_sock, | |
1326 | radius_server_receive_auth, | |
1327 | data, NULL)) { | |
1328 | radius_server_deinit(data); | |
1329 | return NULL; | |
1330 | } | |
1331 | ||
1332 | return data; | |
1333 | } | |
1334 | ||
1335 | ||
362bd35f JM |
1336 | /** |
1337 | * radius_server_deinit - Deinitialize RADIUS server | |
1338 | * @data: RADIUS server context from radius_server_init() | |
1339 | */ | |
6fc6879b JM |
1340 | void radius_server_deinit(struct radius_server_data *data) |
1341 | { | |
1342 | if (data == NULL) | |
1343 | return; | |
1344 | ||
1345 | if (data->auth_sock >= 0) { | |
1346 | eloop_unregister_read_sock(data->auth_sock); | |
1347 | close(data->auth_sock); | |
1348 | } | |
1349 | ||
1350 | radius_server_free_clients(data, data->clients); | |
1351 | ||
1352 | os_free(data->pac_opaque_encr_key); | |
1353 | os_free(data->eap_fast_a_id); | |
2d867244 | 1354 | os_free(data->eap_fast_a_id_info); |
65d50f0a | 1355 | os_free(data->eap_req_id_text); |
505a3694 JM |
1356 | #ifdef CONFIG_RADIUS_TEST |
1357 | os_free(data->dump_msk_file); | |
1358 | #endif /* CONFIG_RADIUS_TEST */ | |
6fc6879b JM |
1359 | os_free(data); |
1360 | } | |
1361 | ||
1362 | ||
362bd35f JM |
1363 | /** |
1364 | * radius_server_get_mib - Get RADIUS server MIB information | |
1365 | * @data: RADIUS server context from radius_server_init() | |
1366 | * @buf: Buffer for returning the MIB data in text format | |
1367 | * @buflen: buf length in octets | |
1368 | * Returns: Number of octets written into buf | |
1369 | */ | |
6fc6879b JM |
1370 | int radius_server_get_mib(struct radius_server_data *data, char *buf, |
1371 | size_t buflen) | |
1372 | { | |
1373 | int ret, uptime; | |
1374 | unsigned int idx; | |
1375 | char *end, *pos; | |
1376 | struct os_time now; | |
1377 | struct radius_client *cli; | |
1378 | ||
1379 | /* RFC 2619 - RADIUS Authentication Server MIB */ | |
1380 | ||
1381 | if (data == NULL || buflen == 0) | |
1382 | return 0; | |
1383 | ||
1384 | pos = buf; | |
1385 | end = buf + buflen; | |
1386 | ||
1387 | os_get_time(&now); | |
1388 | uptime = (now.sec - data->start_time.sec) * 100 + | |
1389 | ((now.usec - data->start_time.usec) / 10000) % 100; | |
1390 | ret = os_snprintf(pos, end - pos, | |
1391 | "RADIUS-AUTH-SERVER-MIB\n" | |
1392 | "radiusAuthServIdent=hostapd\n" | |
1393 | "radiusAuthServUpTime=%d\n" | |
1394 | "radiusAuthServResetTime=0\n" | |
1395 | "radiusAuthServConfigReset=4\n", | |
1396 | uptime); | |
1397 | if (ret < 0 || ret >= end - pos) { | |
1398 | *pos = '\0'; | |
1399 | return pos - buf; | |
1400 | } | |
1401 | pos += ret; | |
1402 | ||
1403 | ret = os_snprintf(pos, end - pos, | |
1404 | "radiusAuthServTotalAccessRequests=%u\n" | |
1405 | "radiusAuthServTotalInvalidRequests=%u\n" | |
1406 | "radiusAuthServTotalDupAccessRequests=%u\n" | |
1407 | "radiusAuthServTotalAccessAccepts=%u\n" | |
1408 | "radiusAuthServTotalAccessRejects=%u\n" | |
1409 | "radiusAuthServTotalAccessChallenges=%u\n" | |
1410 | "radiusAuthServTotalMalformedAccessRequests=%u\n" | |
1411 | "radiusAuthServTotalBadAuthenticators=%u\n" | |
1412 | "radiusAuthServTotalPacketsDropped=%u\n" | |
1413 | "radiusAuthServTotalUnknownTypes=%u\n", | |
1414 | data->counters.access_requests, | |
1415 | data->counters.invalid_requests, | |
1416 | data->counters.dup_access_requests, | |
1417 | data->counters.access_accepts, | |
1418 | data->counters.access_rejects, | |
1419 | data->counters.access_challenges, | |
1420 | data->counters.malformed_access_requests, | |
1421 | data->counters.bad_authenticators, | |
1422 | data->counters.packets_dropped, | |
1423 | data->counters.unknown_types); | |
1424 | if (ret < 0 || ret >= end - pos) { | |
1425 | *pos = '\0'; | |
1426 | return pos - buf; | |
1427 | } | |
1428 | pos += ret; | |
1429 | ||
1430 | for (cli = data->clients, idx = 0; cli; cli = cli->next, idx++) { | |
1431 | char abuf[50], mbuf[50]; | |
1432 | #ifdef CONFIG_IPV6 | |
1433 | if (data->ipv6) { | |
1434 | if (inet_ntop(AF_INET6, &cli->addr6, abuf, | |
1435 | sizeof(abuf)) == NULL) | |
1436 | abuf[0] = '\0'; | |
1437 | if (inet_ntop(AF_INET6, &cli->mask6, abuf, | |
1438 | sizeof(mbuf)) == NULL) | |
1439 | mbuf[0] = '\0'; | |
1440 | } | |
1441 | #endif /* CONFIG_IPV6 */ | |
1442 | if (!data->ipv6) { | |
1443 | os_strlcpy(abuf, inet_ntoa(cli->addr), sizeof(abuf)); | |
1444 | os_strlcpy(mbuf, inet_ntoa(cli->mask), sizeof(mbuf)); | |
1445 | } | |
1446 | ||
1447 | ret = os_snprintf(pos, end - pos, | |
1448 | "radiusAuthClientIndex=%u\n" | |
1449 | "radiusAuthClientAddress=%s/%s\n" | |
1450 | "radiusAuthServAccessRequests=%u\n" | |
1451 | "radiusAuthServDupAccessRequests=%u\n" | |
1452 | "radiusAuthServAccessAccepts=%u\n" | |
1453 | "radiusAuthServAccessRejects=%u\n" | |
1454 | "radiusAuthServAccessChallenges=%u\n" | |
1455 | "radiusAuthServMalformedAccessRequests=%u\n" | |
1456 | "radiusAuthServBadAuthenticators=%u\n" | |
1457 | "radiusAuthServPacketsDropped=%u\n" | |
1458 | "radiusAuthServUnknownTypes=%u\n", | |
1459 | idx, | |
1460 | abuf, mbuf, | |
1461 | cli->counters.access_requests, | |
1462 | cli->counters.dup_access_requests, | |
1463 | cli->counters.access_accepts, | |
1464 | cli->counters.access_rejects, | |
1465 | cli->counters.access_challenges, | |
1466 | cli->counters.malformed_access_requests, | |
1467 | cli->counters.bad_authenticators, | |
1468 | cli->counters.packets_dropped, | |
1469 | cli->counters.unknown_types); | |
1470 | if (ret < 0 || ret >= end - pos) { | |
1471 | *pos = '\0'; | |
1472 | return pos - buf; | |
1473 | } | |
1474 | pos += ret; | |
1475 | } | |
1476 | ||
1477 | return pos - buf; | |
1478 | } | |
1479 | ||
1480 | ||
1481 | static int radius_server_get_eap_user(void *ctx, const u8 *identity, | |
1482 | size_t identity_len, int phase2, | |
1483 | struct eap_user *user) | |
1484 | { | |
1485 | struct radius_session *sess = ctx; | |
1486 | struct radius_server_data *data = sess->server; | |
1487 | ||
1488 | return data->get_eap_user(data->conf_ctx, identity, identity_len, | |
1489 | phase2, user); | |
1490 | } | |
1491 | ||
1492 | ||
65d50f0a JM |
1493 | static const char * radius_server_get_eap_req_id_text(void *ctx, size_t *len) |
1494 | { | |
1495 | struct radius_session *sess = ctx; | |
1496 | struct radius_server_data *data = sess->server; | |
1497 | *len = data->eap_req_id_text_len; | |
1498 | return data->eap_req_id_text; | |
1499 | } | |
1500 | ||
1501 | ||
6fc6879b JM |
1502 | static struct eapol_callbacks radius_server_eapol_cb = |
1503 | { | |
1504 | .get_eap_user = radius_server_get_eap_user, | |
65d50f0a | 1505 | .get_eap_req_id_text = radius_server_get_eap_req_id_text, |
6fc6879b JM |
1506 | }; |
1507 | ||
1508 | ||
362bd35f JM |
1509 | /** |
1510 | * radius_server_eap_pending_cb - Pending EAP data notification | |
1511 | * @data: RADIUS server context from radius_server_init() | |
1512 | * @ctx: Pending EAP context pointer | |
1513 | * | |
1514 | * This function is used to notify EAP server module that a pending operation | |
1515 | * has been completed and processing of the EAP session can proceed. | |
1516 | */ | |
6fc6879b JM |
1517 | void radius_server_eap_pending_cb(struct radius_server_data *data, void *ctx) |
1518 | { | |
1519 | struct radius_client *cli; | |
1520 | struct radius_session *s, *sess = NULL; | |
1521 | struct radius_msg *msg; | |
1522 | ||
1523 | if (data == NULL) | |
1524 | return; | |
1525 | ||
1526 | for (cli = data->clients; cli; cli = cli->next) { | |
1527 | for (s = cli->sessions; s; s = s->next) { | |
1528 | if (s->eap == ctx && s->last_msg) { | |
1529 | sess = s; | |
1530 | break; | |
1531 | } | |
1532 | if (sess) | |
1533 | break; | |
1534 | } | |
1535 | if (sess) | |
1536 | break; | |
1537 | } | |
1538 | ||
1539 | if (sess == NULL) { | |
1540 | RADIUS_DEBUG("No session matched callback ctx"); | |
1541 | return; | |
1542 | } | |
1543 | ||
1544 | msg = sess->last_msg; | |
1545 | sess->last_msg = NULL; | |
1546 | eap_sm_pending_cb(sess->eap); | |
1547 | if (radius_server_request(data, msg, | |
1548 | (struct sockaddr *) &sess->last_from, | |
1549 | sess->last_fromlen, cli, | |
1550 | sess->last_from_addr, | |
1551 | sess->last_from_port, sess) == -2) | |
1552 | return; /* msg was stored with the session */ | |
1553 | ||
1554 | radius_msg_free(msg); | |
6fc6879b | 1555 | } |