]> git.ipfire.org Git - thirdparty/hostap.git/blame - src/radius/radius_server.c
projects / thirdparty / hostap.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
tests: Hotspot 2.0 Terms and Conditions signaling - CoA
[thirdparty/hostap.git] / src / radius / radius_server.c
CommitLineData
6fc6879b 1/*
362bd35f 2 * RADIUS authentication server
a1dd890a 3 * Copyright (c) 2005-2009, 2011-2014, Jouni Malinen <j@w1.fi>
6fc6879b 4 *
0f3d578e
JM		 5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
6fc6879b
JM		 7 */
8
9#include "includes.h"
10#include <net/if.h>
8a57da7e
JM		 11#ifdef CONFIG_SQLITE
12#include <sqlite3.h>
13#endif /* CONFIG_SQLITE */
6fc6879b
JM		 14
15#include "common.h"
16#include "radius.h"
17#include "eloop.h"
6fc6879b 18#include "eap_server/eap.h"
d0ee16ed 19#include "ap/ap_config.h"
390b9291 20#include "crypto/tls.h"
6fc6879b
JM		 21#include "radius_server.h"
22
362bd35f
JM		 23/**
24 * RADIUS_SESSION_TIMEOUT - Session timeout in seconds
25 */
6fc6879b 26#define RADIUS_SESSION_TIMEOUT 60
362bd35f 27
35677305
JM		 28/**
29 * RADIUS_SESSION_MAINTAIN - Completed session expiration timeout in seconds
30 */
31#define RADIUS_SESSION_MAINTAIN 5
32
362bd35f
JM		 33/**
34 * RADIUS_MAX_SESSION - Maximum number of active sessions
35 */
35677305 36#define RADIUS_MAX_SESSION 1000
362bd35f
JM		 37
38/**
39 * RADIUS_MAX_MSG_LEN - Maximum message length for incoming RADIUS messages
40 */
6fc6879b
JM		 41#define RADIUS_MAX_MSG_LEN 3000
42
8b423edb 43static const struct eapol_callbacks radius_server_eapol_cb;
6fc6879b
JM		 44
45struct radius_client;
46struct radius_server_data;
47
362bd35f
JM		 48/**
49 * struct radius_server_counters - RADIUS server statistics counters
50 */
6fc6879b
JM		 51struct radius_server_counters {
52 u32 access_requests;
53 u32 invalid_requests;
54 u32 dup_access_requests;
55 u32 access_accepts;
56 u32 access_rejects;
57 u32 access_challenges;
58 u32 malformed_access_requests;
59 u32 bad_authenticators;
60 u32 packets_dropped;
61 u32 unknown_types;
a1dd890a
JM		 62
63 u32 acct_requests;
64 u32 invalid_acct_requests;
65 u32 acct_responses;
66 u32 malformed_acct_requests;
67 u32 acct_bad_authenticators;
68 u32 unknown_acct_types;
6fc6879b
JM		 69};
70
362bd35f
JM		 71/**
72 * struct radius_session - Internal RADIUS server data for a session
73 */
6fc6879b
JM		 74struct radius_session {
75 struct radius_session *next;
76 struct radius_client *client;
77 struct radius_server_data *server;
78 unsigned int sess_id;
79 struct eap_sm *eap;
80 struct eap_eapol_interface *eap_if;
8a57da7e
JM		 81 char *username; /* from User-Name attribute */
82 char *nas_ip;
6fc6879b
JM		 83
84 struct radius_msg *last_msg;
85 char *last_from_addr;
86 int last_from_port;
87 struct sockaddr_storage last_from;
88 socklen_t last_fromlen;
89 u8 last_identifier;
90 struct radius_msg *last_reply;
91 u8 last_authenticator[16];
8d2a9921
JM		 92
93 unsigned int remediation:1;
8943cc99 94 unsigned int macacl:1;
d0ee16ed
JM		 95
96 struct hostapd_radius_attr *accept_attr;
6fc6879b
JM		 97};
98
362bd35f
JM		 99/**
100 * struct radius_client - Internal RADIUS server data for a client
101 */
6fc6879b
JM		 102struct radius_client {
103 struct radius_client *next;
104 struct in_addr addr;
105 struct in_addr mask;
106#ifdef CONFIG_IPV6
107 struct in6_addr addr6;
108 struct in6_addr mask6;
109#endif /* CONFIG_IPV6 */
110 char *shared_secret;
111 int shared_secret_len;
112 struct radius_session *sessions;
113 struct radius_server_counters counters;
114};
115
362bd35f
JM		 116/**
117 * struct radius_server_data - Internal RADIUS server data
118 */
6fc6879b 119struct radius_server_data {
362bd35f
JM		 120 /**
121 * auth_sock - Socket for RADIUS authentication messages
122 */
6fc6879b 123 int auth_sock;
362bd35f 124
a1dd890a
JM		 125 /**
126 * acct_sock - Socket for RADIUS accounting messages
127 */
128 int acct_sock;
129
362bd35f
JM		 130 /**
131 * clients - List of authorized RADIUS clients
132 */
6fc6879b 133 struct radius_client *clients;
362bd35f
JM		 134
135 /**
136 * next_sess_id - Next session identifier
137 */
6fc6879b 138 unsigned int next_sess_id;
362bd35f
JM		 139
140 /**
141 * conf_ctx - Context pointer for callbacks
142 *
143 * This is used as the ctx argument in get_eap_user() calls.
144 */
6fc6879b 145 void *conf_ctx;
362bd35f
JM		 146
147 /**
148 * num_sess - Number of active sessions
149 */
6fc6879b 150 int num_sess;
362bd35f
JM		 151
152 /**
153 * eap_sim_db_priv - EAP-SIM/AKA database context
154 *
155 * This is passed to the EAP-SIM/AKA server implementation as a
156 * callback context.
157 */
6fc6879b 158 void *eap_sim_db_priv;
362bd35f
JM		 159
160 /**
161 * ssl_ctx - TLS context
162 *
163 * This is passed to the EAP server implementation as a callback
164 * context for TLS operations.
165 */
6fc6879b 166 void *ssl_ctx;
362bd35f
JM		 167
168 /**
169 * pac_opaque_encr_key - PAC-Opaque encryption key for EAP-FAST
170 *
171 * This parameter is used to set a key for EAP-FAST to encrypt the
172 * PAC-Opaque data. It can be set to %NULL if EAP-FAST is not used. If
173 * set, must point to a 16-octet key.
174 */
6fc6879b 175 u8 *pac_opaque_encr_key;
362bd35f
JM		 176
177 /**
178 * eap_fast_a_id - EAP-FAST authority identity (A-ID)
179 *
180 * If EAP-FAST is not used, this can be set to %NULL. In theory, this
181 * is a variable length field, but due to some existing implementations
182 * requiring A-ID to be 16 octets in length, it is recommended to use
183 * that length for the field to provide interoperability with deployed
184 * peer implementations.
185 */
2d867244 186 u8 *eap_fast_a_id;
362bd35f
JM		 187
188 /**
189 * eap_fast_a_id_len - Length of eap_fast_a_id buffer in octets
190 */
2d867244 191 size_t eap_fast_a_id_len;
362bd35f
JM		 192
193 /**
194 * eap_fast_a_id_info - EAP-FAST authority identifier information
195 *
196 * This A-ID-Info contains a user-friendly name for the A-ID. For
197 * example, this could be the enterprise and server names in
198 * human-readable format. This field is encoded as UTF-8. If EAP-FAST
199 * is not used, this can be set to %NULL.
200 */
2d867244 201 char *eap_fast_a_id_info;
362bd35f
JM		 202
203 /**
204 * eap_fast_prov - EAP-FAST provisioning modes
205 *
206 * 0 = provisioning disabled, 1 = only anonymous provisioning allowed,
207 * 2 = only authenticated provisioning allowed, 3 = both provisioning
208 * modes allowed.
209 */
378eae5e 210 int eap_fast_prov;
362bd35f
JM		 211
212 /**
213 * pac_key_lifetime - EAP-FAST PAC-Key lifetime in seconds
214 *
215 * This is the hard limit on how long a provisioned PAC-Key can be
216 * used.
217 */
a11c90a6 218 int pac_key_lifetime;
362bd35f
JM		 219
220 /**
221 * pac_key_refresh_time - EAP-FAST PAC-Key refresh time in seconds
222 *
223 * This is a soft limit on the PAC-Key. The server will automatically
224 * generate a new PAC-Key when this number of seconds (or fewer) of the
225 * lifetime remains.
226 */
a11c90a6 227 int pac_key_refresh_time;
362bd35f
JM		 228
229 /**
230 * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication
231 *
232 * This controls whether the protected success/failure indication
233 * (AT_RESULT_IND) is used with EAP-SIM and EAP-AKA.
234 */
6fc6879b 235 int eap_sim_aka_result_ind;
362bd35f
JM		 236
237 /**
238 * tnc - Trusted Network Connect (TNC)
239 *
240 * This controls whether TNC is enabled and will be required before the
241 * peer is allowed to connect. Note: This is only used with EAP-TTLS
242 * and EAP-FAST. If any other EAP method is enabled, the peer will be
243 * allowed to connect without TNC.
244 */
c3e258ae 245 int tnc;
362bd35f 246
df684d82
DH		 247 /**
248 * pwd_group - The D-H group assigned for EAP-pwd
249 *
250 * If EAP-pwd is not used it can be set to zero.
251 */
252 u16 pwd_group;
253
67fe933d
JM		 254 /**
255 * server_id - Server identity
256 */
257 const char *server_id;
258
d3bddd8b
JM		 259 /**
260 * erp - Whether EAP Re-authentication Protocol (ERP) is enabled
261 *
262 * This controls whether the authentication server derives ERP key
263 * hierarchy (rRK and rIK) from full EAP authentication and allows
264 * these keys to be used to perform ERP to derive rMSK instead of full
265 * EAP authentication to derive MSK.
266 */
267 int erp;
268
269 const char *erp_domain;
270
271 struct dl_list erp_keys; /* struct eap_server_erp_key */
272
681e199d
JM		 273 unsigned int tls_session_lifetime;
274
6418400d
JM		 275 unsigned int tls_flags;
276
362bd35f
JM		 277 /**
278 * wps - Wi-Fi Protected Setup context
279 *
280 * If WPS is used with an external RADIUS server (which is quite
281 * unlikely configuration), this is used to provide a pointer to WPS
282 * context data. Normally, this can be set to %NULL.
283 */
ad08c363 284 struct wps_context *wps;
362bd35f
JM		 285
286 /**
287 * ipv6 - Whether to enable IPv6 support in the RADIUS server
288 */
6fc6879b 289 int ipv6;
362bd35f
JM		 290
291 /**
292 * start_time - Timestamp of server start
293 */
58707176 294 struct os_reltime start_time;
362bd35f
JM		 295
296 /**
297 * counters - Statistics counters for server operations
298 *
299 * These counters are the sum over all clients.
300 */
6fc6879b 301 struct radius_server_counters counters;
362bd35f
JM		 302
303 /**
304 * get_eap_user - Callback for fetching EAP user information
305 * @ctx: Context data from conf_ctx
306 * @identity: User identity
307 * @identity_len: identity buffer length in octets
308 * @phase2: Whether this is for Phase 2 identity
309 * @user: Data structure for filling in the user information
310 * Returns: 0 on success, -1 on failure
311 *
312 * This is used to fetch information from user database. The callback
313 * will fill in information about allowed EAP methods and the user
314 * password. The password field will be an allocated copy of the
315 * password data and RADIUS server will free it after use.
316 */
6fc6879b
JM		 317 int (*get_eap_user)(void *ctx, const u8 *identity, size_t identity_len,
318 int phase2, struct eap_user *user);
362bd35f
JM		 319
320 /**
321 * eap_req_id_text - Optional data for EAP-Request/Identity
322 *
323 * This can be used to configure an optional, displayable message that
324 * will be sent in EAP-Request/Identity. This string can contain an
325 * ASCII-0 character (nul) to separate network infromation per RFC
326 * 4284. The actual string length is explicit provided in
327 * eap_req_id_text_len since nul character will not be used as a string
328 * terminator.
329 */
65d50f0a 330 char *eap_req_id_text;
362bd35f
JM		 331
332 /**
333 * eap_req_id_text_len - Length of eap_req_id_text buffer in octets
334 */
65d50f0a 335 size_t eap_req_id_text_len;
bb437f28
GD		 336
337 /*
338 * msg_ctx - Context data for wpa_msg() calls
339 */
340 void *msg_ctx;
505a3694
JM		 341
342#ifdef CONFIG_RADIUS_TEST
343 char *dump_msk_file;
344#endif /* CONFIG_RADIUS_TEST */
8d2a9921
JM		 345
346 char *subscr_remediation_url;
347 u8 subscr_remediation_method;
8a57da7e
JM		 348
349#ifdef CONFIG_SQLITE
350 sqlite3 *db;
351#endif /* CONFIG_SQLITE */
6fc6879b
JM		 352};
353
354
6fc6879b
JM		 355#define RADIUS_DEBUG(args...) \
356wpa_printf(MSG_DEBUG, "RADIUS SRV: " args)
357#define RADIUS_ERROR(args...) \
358wpa_printf(MSG_ERROR, "RADIUS SRV: " args)
359#define RADIUS_DUMP(args...) \
360wpa_hexdump(MSG_MSGDUMP, "RADIUS SRV: " args)
361#define RADIUS_DUMP_ASCII(args...) \
362wpa_hexdump_ascii(MSG_MSGDUMP, "RADIUS SRV: " args)
363
364
365static void radius_server_session_timeout(void *eloop_ctx, void *timeout_ctx);
f481459f
JM		 366static void radius_server_session_remove_timeout(void *eloop_ctx,
367 void *timeout_ctx);
6fc6879b 368
8a57da7e
JM		 369void srv_log(struct radius_session *sess, const char *fmt, ...)
370PRINTF_FORMAT(2, 3);
371
372void srv_log(struct radius_session *sess, const char *fmt, ...)
373{
374 va_list ap;
375 char *buf;
376 int buflen;
377
378 va_start(ap, fmt);
379 buflen = vsnprintf(NULL, 0, fmt, ap) + 1;
380 va_end(ap);
381
382 buf = os_malloc(buflen);
383 if (buf == NULL)
384 return;
385 va_start(ap, fmt);
386 vsnprintf(buf, buflen, fmt, ap);
387 va_end(ap);
388
389 RADIUS_DEBUG("[0x%x %s] %s", sess->sess_id, sess->nas_ip, buf);
390
391#ifdef CONFIG_SQLITE
392 if (sess->server->db) {
393 char *sql;
394 sql = sqlite3_mprintf("INSERT INTO authlog"
395 "(timestamp,session,nas_ip,username,note)"
396 " VALUES ("
397 "strftime('%%Y-%%m-%%d %%H:%%M:%%f',"
398 "'now'),%u,%Q,%Q,%Q)",
399 sess->sess_id, sess->nas_ip,
400 sess->username, buf);
401 if (sql) {
402 if (sqlite3_exec(sess->server->db, sql, NULL, NULL,
403 NULL) != SQLITE_OK) {
404 RADIUS_ERROR("Failed to add authlog entry into sqlite database: %s",
405 sqlite3_errmsg(sess->server->db));
406 }
407 sqlite3_free(sql);
408 }
409 }
410#endif /* CONFIG_SQLITE */
411
412 os_free(buf);
413}
414
6fc6879b
JM		 415
416static struct radius_client *
417radius_server_get_client(struct radius_server_data *data, struct in_addr *addr,
418 int ipv6)
419{
420 struct radius_client *client = data->clients;
421
422 while (client) {
423#ifdef CONFIG_IPV6
424 if (ipv6) {
425 struct in6_addr *addr6;
426 int i;
427
428 addr6 = (struct in6_addr *) addr;
429 for (i = 0; i < 16; i++) {
430 if ((addr6->s6_addr[i] &
431 client->mask6.s6_addr[i]) !=
432 (client->addr6.s6_addr[i] &
433 client->mask6.s6_addr[i])) {
434 i = 17;
435 break;
436 }
437 }
438 if (i == 16) {
439 break;
440 }
441 }
442#endif /* CONFIG_IPV6 */
443 if (!ipv6 && (client->addr.s_addr & client->mask.s_addr) ==
444 (addr->s_addr & client->mask.s_addr)) {
445 break;
446 }
447
448 client = client->next;
449 }
450
451 return client;
452}
453
454
455static struct radius_session *
456radius_server_get_session(struct radius_client *client, unsigned int sess_id)
457{
458 struct radius_session *sess = client->sessions;
459
460 while (sess) {
461 if (sess->sess_id == sess_id) {
462 break;
463 }
464 sess = sess->next;
465 }
466
467 return sess;
468}
469
470
471static void radius_server_session_free(struct radius_server_data *data,
472 struct radius_session *sess)
473{
474 eloop_cancel_timeout(radius_server_session_timeout, data, sess);
f481459f 475 eloop_cancel_timeout(radius_server_session_remove_timeout, data, sess);
6fc6879b 476 eap_server_sm_deinit(sess->eap);
9e7245bd 477 radius_msg_free(sess->last_msg);
6fc6879b 478 os_free(sess->last_from_addr);
9e7245bd 479 radius_msg_free(sess->last_reply);
8a57da7e
JM		 480 os_free(sess->username);
481 os_free(sess->nas_ip);
6fc6879b
JM		 482 os_free(sess);
483 data->num_sess--;
484}
485
486
6fc6879b
JM		 487static void radius_server_session_remove(struct radius_server_data *data,
488 struct radius_session *sess)
489{
490 struct radius_client *client = sess->client;
491 struct radius_session *session, *prev;
492
493 eloop_cancel_timeout(radius_server_session_remove_timeout, data, sess);
494
495 prev = NULL;
496 session = client->sessions;
497 while (session) {
498 if (session == sess) {
499 if (prev == NULL) {
500 client->sessions = sess->next;
501 } else {
502 prev->next = sess->next;
503 }
504 radius_server_session_free(data, sess);
505 break;
506 }
507 prev = session;
508 session = session->next;
509 }
510}
511
512
513static void radius_server_session_remove_timeout(void *eloop_ctx,
514 void *timeout_ctx)
515{
516 struct radius_server_data *data = eloop_ctx;
517 struct radius_session *sess = timeout_ctx;
518 RADIUS_DEBUG("Removing completed session 0x%x", sess->sess_id);
519 radius_server_session_remove(data, sess);
520}
521
522
523static void radius_server_session_timeout(void *eloop_ctx, void *timeout_ctx)
524{
525 struct radius_server_data *data = eloop_ctx;
526 struct radius_session *sess = timeout_ctx;
527
528 RADIUS_DEBUG("Timing out authentication session 0x%x", sess->sess_id);
529 radius_server_session_remove(data, sess);
530}
531
532
533static struct radius_session *
534radius_server_new_session(struct radius_server_data *data,
535 struct radius_client *client)
536{
537 struct radius_session *sess;
538
539 if (data->num_sess >= RADIUS_MAX_SESSION) {
540 RADIUS_DEBUG("Maximum number of existing session - no room "
541 "for a new session");
542 return NULL;
543 }
544
545 sess = os_zalloc(sizeof(*sess));
546 if (sess == NULL)
547 return NULL;
548
549 sess->server = data;
550 sess->client = client;
551 sess->sess_id = data->next_sess_id++;
552 sess->next = client->sessions;
553 client->sessions = sess;
554 eloop_register_timeout(RADIUS_SESSION_TIMEOUT, 0,
555 radius_server_session_timeout, data, sess);
556 data->num_sess++;
557 return sess;
558}
559
560
390b9291
JM		 561#ifdef CONFIG_TESTING_OPTIONS
562static void radius_server_testing_options_tls(struct radius_session *sess,
563 const char *tls,
564 struct eap_config *eap_conf)
565{
566 int test = atoi(tls);
567
568 switch (test) {
569 case 1:
570 srv_log(sess, "TLS test - break VerifyData");
571 eap_conf->tls_test_flags = TLS_BREAK_VERIFY_DATA;
572 break;
573 case 2:
574 srv_log(sess, "TLS test - break ServerKeyExchange ServerParams hash");
575 eap_conf->tls_test_flags = TLS_BREAK_SRV_KEY_X_HASH;
576 break;
577 case 3:
578 srv_log(sess, "TLS test - break ServerKeyExchange ServerParams Signature");
579 eap_conf->tls_test_flags = TLS_BREAK_SRV_KEY_X_SIGNATURE;
580 break;
47bd94a0
JM		 581 case 4:
582 srv_log(sess, "TLS test - RSA-DHE using a short 511-bit prime");
583 eap_conf->tls_test_flags = TLS_DHE_PRIME_511B;
584 break;
585 case 5:
586 srv_log(sess, "TLS test - RSA-DHE using a short 767-bit prime");
587 eap_conf->tls_test_flags = TLS_DHE_PRIME_767B;
588 break;
589 case 6:
590 srv_log(sess, "TLS test - RSA-DHE using a bogus 15 \"prime\"");
591 eap_conf->tls_test_flags = TLS_DHE_PRIME_15;
592 break;
593 case 7:
594 srv_log(sess, "TLS test - RSA-DHE using a short 58-bit prime in long container");
595 eap_conf->tls_test_flags = TLS_DHE_PRIME_58B;
596 break;
597 case 8:
598 srv_log(sess, "TLS test - RSA-DHE using a non-prime");
599 eap_conf->tls_test_flags = TLS_DHE_NON_PRIME;
600 break;
390b9291
JM		 601 default:
602 srv_log(sess, "Unrecognized TLS test");
603 break;
604 }
605}
606#endif /* CONFIG_TESTING_OPTIONS */
607
608static void radius_server_testing_options(struct radius_session *sess,
609 struct eap_config *eap_conf)
610{
611#ifdef CONFIG_TESTING_OPTIONS
612 const char *pos;
613
614 pos = os_strstr(sess->username, "@test-");
615 if (pos == NULL)
616 return;
617 pos += 6;
618 if (os_strncmp(pos, "tls-", 4) == 0)
619 radius_server_testing_options_tls(sess, pos + 4, eap_conf);
620 else
621 srv_log(sess, "Unrecognized test: %s", pos);
622#endif /* CONFIG_TESTING_OPTIONS */
623}
624
625
6fc6879b
JM		 626static struct radius_session *
627radius_server_get_new_session(struct radius_server_data *data,
628 struct radius_client *client,
8a57da7e 629 struct radius_msg *msg, const char *from_addr)
6fc6879b
JM		 630{
631 u8 *user;
632 size_t user_len;
633 int res;
634 struct radius_session *sess;
635 struct eap_config eap_conf;
d0ee16ed 636 struct eap_user tmp;
6fc6879b
JM		 637
638 RADIUS_DEBUG("Creating a new session");
639
8a57da7e
JM		 640 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &user,
641 &user_len, NULL) < 0) {
6fc6879b 642 RADIUS_DEBUG("Could not get User-Name");
6fc6879b
JM		 643 return NULL;
644 }
6fc6879b
JM		 645 RADIUS_DUMP_ASCII("User-Name", user, user_len);
646
d0ee16ed
JM		 647 os_memset(&tmp, 0, sizeof(tmp));
648 res = data->get_eap_user(data->conf_ctx, user, user_len, 0, &tmp);
b7175b4d 649 bin_clear_free(tmp.password, tmp.password_len);
6fc6879b 650
8a57da7e 651 if (res != 0) {
6fc6879b
JM		 652 RADIUS_DEBUG("User-Name not found from user database");
653 return NULL;
654 }
655
8a57da7e
JM		 656 RADIUS_DEBUG("Matching user entry found");
657 sess = radius_server_new_session(data, client);
658 if (sess == NULL) {
659 RADIUS_DEBUG("Failed to create a new session");
660 return NULL;
661 }
662 sess->accept_attr = tmp.accept_attr;
8943cc99 663 sess->macacl = tmp.macacl;
8a57da7e 664
95f6f6a4 665 sess->username = os_malloc(user_len * 4 + 1);
8a57da7e 666 if (sess->username == NULL) {
de01f254 667 radius_server_session_remove(data, sess);
8a57da7e
JM		 668 return NULL;
669 }
95f6f6a4 670 printf_encode(sess->username, user_len * 4 + 1, user, user_len);
8a57da7e
JM		 671
672 sess->nas_ip = os_strdup(from_addr);
673 if (sess->nas_ip == NULL) {
de01f254 674 radius_server_session_remove(data, sess);
8a57da7e
JM		 675 return NULL;
676 }
677
678 srv_log(sess, "New session created");
679
6fc6879b
JM		 680 os_memset(&eap_conf, 0, sizeof(eap_conf));
681 eap_conf.ssl_ctx = data->ssl_ctx;
bb437f28 682 eap_conf.msg_ctx = data->msg_ctx;
6fc6879b
JM		 683 eap_conf.eap_sim_db_priv = data->eap_sim_db_priv;
684 eap_conf.backend_auth = TRUE;
685 eap_conf.eap_server = 1;
686 eap_conf.pac_opaque_encr_key = data->pac_opaque_encr_key;
687 eap_conf.eap_fast_a_id = data->eap_fast_a_id;
2d867244
JM		 688 eap_conf.eap_fast_a_id_len = data->eap_fast_a_id_len;
689 eap_conf.eap_fast_a_id_info = data->eap_fast_a_id_info;
378eae5e 690 eap_conf.eap_fast_prov = data->eap_fast_prov;
a11c90a6
JM		 691 eap_conf.pac_key_lifetime = data->pac_key_lifetime;
692 eap_conf.pac_key_refresh_time = data->pac_key_refresh_time;
6fc6879b 693 eap_conf.eap_sim_aka_result_ind = data->eap_sim_aka_result_ind;
c3e258ae 694 eap_conf.tnc = data->tnc;
ad08c363 695 eap_conf.wps = data->wps;
df684d82 696 eap_conf.pwd_group = data->pwd_group;
67fe933d
JM		 697 eap_conf.server_id = (const u8 *) data->server_id;
698 eap_conf.server_id_len = os_strlen(data->server_id);
d3bddd8b 699 eap_conf.erp = data->erp;
681e199d 700 eap_conf.tls_session_lifetime = data->tls_session_lifetime;
6418400d 701 eap_conf.tls_flags = data->tls_flags;
390b9291 702 radius_server_testing_options(sess, &eap_conf);
6fc6879b
JM		 703 sess->eap = eap_server_sm_init(sess, &radius_server_eapol_cb,
704 &eap_conf);
705 if (sess->eap == NULL) {
706 RADIUS_DEBUG("Failed to initialize EAP state machine for the "
707 "new session");
de01f254 708 radius_server_session_remove(data, sess);
6fc6879b
JM		 709 return NULL;
710 }
711 sess->eap_if = eap_get_interface(sess->eap);
712 sess->eap_if->eapRestart = TRUE;
713 sess->eap_if->portEnabled = TRUE;
714
715 RADIUS_DEBUG("New session 0x%x initialized", sess->sess_id);
716
717 return sess;
718}
719
720
721static struct radius_msg *
722radius_server_encapsulate_eap(struct radius_server_data *data,
723 struct radius_client *client,
724 struct radius_session *sess,
725 struct radius_msg *request)
726{
727 struct radius_msg *msg;
728 int code;
729 unsigned int sess_id;
1489e11a 730 struct radius_hdr *hdr = radius_msg_get_hdr(request);
f75ed556 731 u16 reason = WLAN_REASON_IEEE_802_1X_AUTH_FAILED;
6fc6879b
JM		 732
733 if (sess->eap_if->eapFail) {
734 sess->eap_if->eapFail = FALSE;
735 code = RADIUS_CODE_ACCESS_REJECT;
736 } else if (sess->eap_if->eapSuccess) {
737 sess->eap_if->eapSuccess = FALSE;
738 code = RADIUS_CODE_ACCESS_ACCEPT;
739 } else {
740 sess->eap_if->eapReq = FALSE;
741 code = RADIUS_CODE_ACCESS_CHALLENGE;
742 }
743
1489e11a 744 msg = radius_msg_new(code, hdr->identifier);
6fc6879b
JM		 745 if (msg == NULL) {
746 RADIUS_DEBUG("Failed to allocate reply message");
747 return NULL;
748 }
749
750 sess_id = htonl(sess->sess_id);
751 if (code == RADIUS_CODE_ACCESS_CHALLENGE &&
752 !radius_msg_add_attr(msg, RADIUS_ATTR_STATE,
753 (u8 *) &sess_id, sizeof(sess_id))) {
754 RADIUS_DEBUG("Failed to add State attribute");
755 }
756
757 if (sess->eap_if->eapReqData &&
758 !radius_msg_add_eap(msg, wpabuf_head(sess->eap_if->eapReqData),
759 wpabuf_len(sess->eap_if->eapReqData))) {
760 RADIUS_DEBUG("Failed to add EAP-Message attribute");
761 }
762
763 if (code == RADIUS_CODE_ACCESS_ACCEPT && sess->eap_if->eapKeyData) {
764 int len;
505a3694
JM		 765#ifdef CONFIG_RADIUS_TEST
766 if (data->dump_msk_file) {
767 FILE *f;
768 char buf[2 * 64 + 1];
769 f = fopen(data->dump_msk_file, "a");
770 if (f) {
771 len = sess->eap_if->eapKeyDataLen;
772 if (len > 64)
773 len = 64;
774 len = wpa_snprintf_hex(
775 buf, sizeof(buf),
776 sess->eap_if->eapKeyData, len);
777 buf[len] = '\0';
778 fprintf(f, "%s\n", buf);
779 fclose(f);
780 }
781 }
782#endif /* CONFIG_RADIUS_TEST */
6fc6879b
JM		 783 if (sess->eap_if->eapKeyDataLen > 64) {
784 len = 32;
785 } else {
786 len = sess->eap_if->eapKeyDataLen / 2;
787 }
1489e11a 788 if (!radius_msg_add_mppe_keys(msg, hdr->authenticator,
6fc6879b
JM		 789 (u8 *) client->shared_secret,
790 client->shared_secret_len,
791 sess->eap_if->eapKeyData + len,
792 len, sess->eap_if->eapKeyData,
793 len)) {
794 RADIUS_DEBUG("Failed to add MPPE key attributes");
795 }
796 }
797
8d2a9921
JM		 798#ifdef CONFIG_HS20
799 if (code == RADIUS_CODE_ACCESS_ACCEPT && sess->remediation &&
800 data->subscr_remediation_url) {
801 u8 *buf;
802 size_t url_len = os_strlen(data->subscr_remediation_url);
803 buf = os_malloc(1 + url_len);
804 if (buf == NULL) {
805 radius_msg_free(msg);
806 return NULL;
807 }
808 buf[0] = data->subscr_remediation_method;
809 os_memcpy(&buf[1], data->subscr_remediation_url, url_len);
810 if (!radius_msg_add_wfa(
811 msg, RADIUS_VENDOR_ATTR_WFA_HS20_SUBSCR_REMEDIATION,
812 buf, 1 + url_len)) {
813 RADIUS_DEBUG("Failed to add WFA-HS20-SubscrRem");
814 }
815 os_free(buf);
816 } else if (code == RADIUS_CODE_ACCESS_ACCEPT && sess->remediation) {
817 u8 buf[1];
818 if (!radius_msg_add_wfa(
819 msg, RADIUS_VENDOR_ATTR_WFA_HS20_SUBSCR_REMEDIATION,
820 buf, 0)) {
821 RADIUS_DEBUG("Failed to add WFA-HS20-SubscrRem");
822 }
823 }
824#endif /* CONFIG_HS20 */
825
6fc6879b
JM		 826 if (radius_msg_copy_attr(msg, request, RADIUS_ATTR_PROXY_STATE) < 0) {
827 RADIUS_DEBUG("Failed to copy Proxy-State attribute(s)");
828 radius_msg_free(msg);
6fc6879b
JM		 829 return NULL;
830 }
831
d0ee16ed
JM		 832 if (code == RADIUS_CODE_ACCESS_ACCEPT) {
833 struct hostapd_radius_attr *attr;
834 for (attr = sess->accept_attr; attr; attr = attr->next) {
835 if (!radius_msg_add_attr(msg, attr->type,
836 wpabuf_head(attr->val),
837 wpabuf_len(attr->val))) {
838 wpa_printf(MSG_ERROR, "Could not add RADIUS attribute");
839 radius_msg_free(msg);
840 return NULL;
841 }
842 }
843 }
844
f75ed556
JM		 845 if (code == RADIUS_CODE_ACCESS_REJECT) {
846 if (radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_REASON_CODE,
847 reason) < 0) {
848 RADIUS_DEBUG("Failed to add WLAN-Reason-Code attribute");
849 radius_msg_free(msg);
850 return NULL;
851 }
852 }
853
6fc6879b
JM		 854 if (radius_msg_finish_srv(msg, (u8 *) client->shared_secret,
855 client->shared_secret_len,
1489e11a 856 hdr->authenticator) < 0) {
6fc6879b
JM		 857 RADIUS_DEBUG("Failed to add Message-Authenticator attribute");
858 }
859
860 return msg;
861}
862
863
8943cc99
JM		 864static struct radius_msg *
865radius_server_macacl(struct radius_server_data *data,
866 struct radius_client *client,
867 struct radius_session *sess,
868 struct radius_msg *request)
869{
870 struct radius_msg *msg;
871 int code;
872 struct radius_hdr *hdr = radius_msg_get_hdr(request);
873 u8 *pw;
874 size_t pw_len;
875
876 code = RADIUS_CODE_ACCESS_ACCEPT;
877
878 if (radius_msg_get_attr_ptr(request, RADIUS_ATTR_USER_PASSWORD, &pw,
879 &pw_len, NULL) < 0) {
880 RADIUS_DEBUG("Could not get User-Password");
881 code = RADIUS_CODE_ACCESS_REJECT;
882 } else {
883 int res;
884 struct eap_user tmp;
885
886 os_memset(&tmp, 0, sizeof(tmp));
887 res = data->get_eap_user(data->conf_ctx, (u8 *) sess->username,
888 os_strlen(sess->username), 0, &tmp);
889 if (res || !tmp.macacl || tmp.password == NULL) {
890 RADIUS_DEBUG("No MAC ACL user entry");
b7175b4d 891 bin_clear_free(tmp.password, tmp.password_len);
8943cc99
JM		 892 code = RADIUS_CODE_ACCESS_REJECT;
893 } else {
894 u8 buf[128];
895 res = radius_user_password_hide(
896 request, tmp.password, tmp.password_len,
897 (u8 *) client->shared_secret,
898 client->shared_secret_len,
899 buf, sizeof(buf));
b7175b4d 900 bin_clear_free(tmp.password, tmp.password_len);
8943cc99
JM		 901
902 if (res < 0 || pw_len != (size_t) res ||
c2371953 903 os_memcmp_const(pw, buf, res) != 0) {
8943cc99
JM		 904 RADIUS_DEBUG("Incorrect User-Password");
905 code = RADIUS_CODE_ACCESS_REJECT;
906 }
907 }
908 }
909
910 msg = radius_msg_new(code, hdr->identifier);
911 if (msg == NULL) {
912 RADIUS_DEBUG("Failed to allocate reply message");
913 return NULL;
914 }
915
916 if (radius_msg_copy_attr(msg, request, RADIUS_ATTR_PROXY_STATE) < 0) {
917 RADIUS_DEBUG("Failed to copy Proxy-State attribute(s)");
918 radius_msg_free(msg);
919 return NULL;
920 }
921
922 if (code == RADIUS_CODE_ACCESS_ACCEPT) {
923 struct hostapd_radius_attr *attr;
924 for (attr = sess->accept_attr; attr; attr = attr->next) {
925 if (!radius_msg_add_attr(msg, attr->type,
926 wpabuf_head(attr->val),
927 wpabuf_len(attr->val))) {
928 wpa_printf(MSG_ERROR, "Could not add RADIUS attribute");
929 radius_msg_free(msg);
930 return NULL;
931 }
932 }
933 }
934
935 if (radius_msg_finish_srv(msg, (u8 *) client->shared_secret,
936 client->shared_secret_len,
937 hdr->authenticator) < 0) {
938 RADIUS_DEBUG("Failed to add Message-Authenticator attribute");
939 }
940
941 return msg;
942}
943
944
6fc6879b
JM		 945static int radius_server_reject(struct radius_server_data *data,
946 struct radius_client *client,
947 struct radius_msg *request,
948 struct sockaddr *from, socklen_t fromlen,
949 const char *from_addr, int from_port)
950{
951 struct radius_msg *msg;
952 int ret = 0;
953 struct eap_hdr eapfail;
1489e11a
JM		 954 struct wpabuf *buf;
955 struct radius_hdr *hdr = radius_msg_get_hdr(request);
6fc6879b
JM		 956
957 RADIUS_DEBUG("Reject invalid request from %s:%d",
958 from_addr, from_port);
959
1489e11a 960 msg = radius_msg_new(RADIUS_CODE_ACCESS_REJECT, hdr->identifier);
6fc6879b
JM		 961 if (msg == NULL) {
962 return -1;
963 }
964
965 os_memset(&eapfail, 0, sizeof(eapfail));
966 eapfail.code = EAP_CODE_FAILURE;
967 eapfail.identifier = 0;
968 eapfail.length = host_to_be16(sizeof(eapfail));
969
970 if (!radius_msg_add_eap(msg, (u8 *) &eapfail, sizeof(eapfail))) {
971 RADIUS_DEBUG("Failed to add EAP-Message attribute");
972 }
973
974 if (radius_msg_copy_attr(msg, request, RADIUS_ATTR_PROXY_STATE) < 0) {
975 RADIUS_DEBUG("Failed to copy Proxy-State attribute(s)");
976 radius_msg_free(msg);
6fc6879b
JM		 977 return -1;
978 }
979
980 if (radius_msg_finish_srv(msg, (u8 *) client->shared_secret,
981 client->shared_secret_len,
1489e11a
JM		 982 hdr->authenticator) <
983 0) {
6fc6879b
JM		 984 RADIUS_DEBUG("Failed to add Message-Authenticator attribute");
985 }
986
987 if (wpa_debug_level <= MSG_MSGDUMP) {
988 radius_msg_dump(msg);
989 }
990
991 data->counters.access_rejects++;
992 client->counters.access_rejects++;
1489e11a
JM		 993 buf = radius_msg_get_buf(msg);
994 if (sendto(data->auth_sock, wpabuf_head(buf), wpabuf_len(buf), 0,
6fc6879b 995 (struct sockaddr *) from, sizeof(*from)) < 0) {
61323e70 996 wpa_printf(MSG_INFO, "sendto[RADIUS SRV]: %s", strerror(errno));
6fc6879b
JM		 997 ret = -1;
998 }
999
1000 radius_msg_free(msg);
6fc6879b
JM		 1001
1002 return ret;
1003}
1004
1005
1006static int radius_server_request(struct radius_server_data *data,
1007 struct radius_msg *msg,
1008 struct sockaddr *from, socklen_t fromlen,
1009 struct radius_client *client,
1010 const char *from_addr, int from_port,
1011 struct radius_session *force_sess)
1012{
e100828b 1013 struct wpabuf *eap = NULL;
6fc6879b
JM		 1014 int res, state_included = 0;
1015 u8 statebuf[4];
1016 unsigned int state;
1017 struct radius_session *sess;
1018 struct radius_msg *reply;
7598210b 1019 int is_complete = 0;
6fc6879b
JM		 1020
1021 if (force_sess)
1022 sess = force_sess;
1023 else {
1024 res = radius_msg_get_attr(msg, RADIUS_ATTR_STATE, statebuf,
1025 sizeof(statebuf));
1026 state_included = res >= 0;
1027 if (res == sizeof(statebuf)) {
1028 state = WPA_GET_BE32(statebuf);
1029 sess = radius_server_get_session(client, state);
1030 } else {
1031 sess = NULL;
1032 }
1033 }
1034
1035 if (sess) {
1036 RADIUS_DEBUG("Request for session 0x%x", sess->sess_id);
1037 } else if (state_included) {
1038 RADIUS_DEBUG("State attribute included but no session found");
1039 radius_server_reject(data, client, msg, from, fromlen,
1040 from_addr, from_port);
1041 return -1;
1042 } else {
8a57da7e
JM		 1043 sess = radius_server_get_new_session(data, client, msg,
1044 from_addr);
6fc6879b
JM		 1045 if (sess == NULL) {
1046 RADIUS_DEBUG("Could not create a new session");
1047 radius_server_reject(data, client, msg, from, fromlen,
1048 from_addr, from_port);
1049 return -1;
1050 }
1051 }
1052
1053 if (sess->last_from_port == from_port &&
1489e11a
JM		 1054 sess->last_identifier == radius_msg_get_hdr(msg)->identifier &&
1055 os_memcmp(sess->last_authenticator,
1056 radius_msg_get_hdr(msg)->authenticator, 16) == 0) {
6fc6879b
JM		 1057 RADIUS_DEBUG("Duplicate message from %s", from_addr);
1058 data->counters.dup_access_requests++;
1059 client->counters.dup_access_requests++;
1060
1061 if (sess->last_reply) {
1489e11a
JM		 1062 struct wpabuf *buf;
1063 buf = radius_msg_get_buf(sess->last_reply);
1064 res = sendto(data->auth_sock, wpabuf_head(buf),
1065 wpabuf_len(buf), 0,
6fc6879b
JM		 1066 (struct sockaddr *) from, fromlen);
1067 if (res < 0) {
61323e70
JM		 1068 wpa_printf(MSG_INFO, "sendto[RADIUS SRV]: %s",
1069 strerror(errno));
6fc6879b
JM		 1070 }
1071 return 0;
1072 }
1073
1074 RADIUS_DEBUG("No previous reply available for duplicate "
1075 "message");
1076 return -1;
1077 }
95de34a1 1078
e100828b 1079 eap = radius_msg_get_eap(msg);
8943cc99
JM		 1080 if (eap == NULL && sess->macacl) {
1081 reply = radius_server_macacl(data, client, sess, msg);
1082 if (reply == NULL)
1083 return -1;
1084 goto send_reply;
1085 }
6fc6879b
JM		 1086 if (eap == NULL) {
1087 RADIUS_DEBUG("No EAP-Message in RADIUS packet from %s",
1088 from_addr);
1089 data->counters.packets_dropped++;
1090 client->counters.packets_dropped++;
1091 return -1;
1092 }
1093
e100828b 1094 RADIUS_DUMP("Received EAP data", wpabuf_head(eap), wpabuf_len(eap));
6fc6879b
JM		 1095
1096 /* FIX: if Code is Request, Success, or Failure, send Access-Reject;
1097 * RFC3579 Sect. 2.6.2.
1098 * Include EAP-Response/Nak with no preferred method if
1099 * code == request.
1100 * If code is not 1-4, discard the packet silently.
1101 * Or is this already done by the EAP state machine? */
1102
1103 wpabuf_free(sess->eap_if->eapRespData);
e100828b 1104 sess->eap_if->eapRespData = eap;
6fc6879b
JM		 1105 sess->eap_if->eapResp = TRUE;
1106 eap_server_sm_step(sess->eap);
1107
1108 if ((sess->eap_if->eapReq || sess->eap_if->eapSuccess ||
1109 sess->eap_if->eapFail) && sess->eap_if->eapReqData) {
1110 RADIUS_DUMP("EAP data from the state machine",
1111 wpabuf_head(sess->eap_if->eapReqData),
1112 wpabuf_len(sess->eap_if->eapReqData));
1113 } else if (sess->eap_if->eapFail) {
1114 RADIUS_DEBUG("No EAP data from the state machine, but eapFail "
1115 "set");
1116 } else if (eap_sm_method_pending(sess->eap)) {
9e7245bd 1117 radius_msg_free(sess->last_msg);
6fc6879b
JM		 1118 sess->last_msg = msg;
1119 sess->last_from_port = from_port;
1120 os_free(sess->last_from_addr);
1121 sess->last_from_addr = os_strdup(from_addr);
1122 sess->last_fromlen = fromlen;
1123 os_memcpy(&sess->last_from, from, fromlen);
1124 return -2;
1125 } else {
1126 RADIUS_DEBUG("No EAP data from the state machine - ignore this"
1127 " Access-Request silently (assuming it was a "
1128 "duplicate)");
1129 data->counters.packets_dropped++;
1130 client->counters.packets_dropped++;
1131 return -1;
1132 }
1133
7598210b
AB		 1134 if (sess->eap_if->eapSuccess || sess->eap_if->eapFail)
1135 is_complete = 1;
8a57da7e
JM		 1136 if (sess->eap_if->eapFail)
1137 srv_log(sess, "EAP authentication failed");
1138 else if (sess->eap_if->eapSuccess)
1139 srv_log(sess, "EAP authentication succeeded");
7598210b 1140
6fc6879b
JM		 1141 reply = radius_server_encapsulate_eap(data, client, sess, msg);
1142
8943cc99 1143send_reply:
6fc6879b 1144 if (reply) {
1489e11a
JM		 1145 struct wpabuf *buf;
1146 struct radius_hdr *hdr;
1147
6fc6879b
JM		 1148 RADIUS_DEBUG("Reply to %s:%d", from_addr, from_port);
1149 if (wpa_debug_level <= MSG_MSGDUMP) {
1150 radius_msg_dump(reply);
1151 }
1152
1489e11a 1153 switch (radius_msg_get_hdr(reply)->code) {
6fc6879b 1154 case RADIUS_CODE_ACCESS_ACCEPT:
8a57da7e 1155 srv_log(sess, "Sending Access-Accept");
6fc6879b
JM		 1156 data->counters.access_accepts++;
1157 client->counters.access_accepts++;
1158 break;
1159 case RADIUS_CODE_ACCESS_REJECT:
8a57da7e 1160 srv_log(sess, "Sending Access-Reject");
6fc6879b
JM		 1161 data->counters.access_rejects++;
1162 client->counters.access_rejects++;
1163 break;
1164 case RADIUS_CODE_ACCESS_CHALLENGE:
1165 data->counters.access_challenges++;
1166 client->counters.access_challenges++;
1167 break;
1168 }
1489e11a
JM		 1169 buf = radius_msg_get_buf(reply);
1170 res = sendto(data->auth_sock, wpabuf_head(buf),
1171 wpabuf_len(buf), 0,
6fc6879b
JM		 1172 (struct sockaddr *) from, fromlen);
1173 if (res < 0) {
61323e70
JM		 1174 wpa_printf(MSG_INFO, "sendto[RADIUS SRV]: %s",
1175 strerror(errno));
6fc6879b 1176 }
9e7245bd 1177 radius_msg_free(sess->last_reply);
6fc6879b
JM		 1178 sess->last_reply = reply;
1179 sess->last_from_port = from_port;
1489e11a
JM		 1180 hdr = radius_msg_get_hdr(msg);
1181 sess->last_identifier = hdr->identifier;
1182 os_memcpy(sess->last_authenticator, hdr->authenticator, 16);
6fc6879b
JM		 1183 } else {
1184 data->counters.packets_dropped++;
1185 client->counters.packets_dropped++;
1186 }
1187
7598210b 1188 if (is_complete) {
6fc6879b
JM		 1189 RADIUS_DEBUG("Removing completed session 0x%x after timeout",
1190 sess->sess_id);
1191 eloop_cancel_timeout(radius_server_session_remove_timeout,
1192 data, sess);
35677305 1193 eloop_register_timeout(RADIUS_SESSION_MAINTAIN, 0,
6fc6879b
JM		 1194 radius_server_session_remove_timeout,
1195 data, sess);
1196 }
1197
1198 return 0;
1199}
1200
1201
1202static void radius_server_receive_auth(int sock, void *eloop_ctx,
1203 void *sock_ctx)
1204{
1205 struct radius_server_data *data = eloop_ctx;
1206 u8 *buf = NULL;
5a641ae0
JM		 1207 union {
1208 struct sockaddr_storage ss;
1209 struct sockaddr_in sin;
1210#ifdef CONFIG_IPV6
1211 struct sockaddr_in6 sin6;
1212#endif /* CONFIG_IPV6 */
1213 } from;
6fc6879b
JM		 1214 socklen_t fromlen;
1215 int len;
1216 struct radius_client *client = NULL;
1217 struct radius_msg *msg = NULL;
1218 char abuf[50];
1219 int from_port = 0;
1220
1221 buf = os_malloc(RADIUS_MAX_MSG_LEN);
1222 if (buf == NULL) {
1223 goto fail;
1224 }
1225
1226 fromlen = sizeof(from);
1227 len = recvfrom(sock, buf, RADIUS_MAX_MSG_LEN, 0,
5a641ae0 1228 (struct sockaddr *) &from.ss, &fromlen);
6fc6879b 1229 if (len < 0) {
61323e70
JM		 1230 wpa_printf(MSG_INFO, "recvfrom[radius_server]: %s",
1231 strerror(errno));
6fc6879b
JM		 1232 goto fail;
1233 }
1234
1235#ifdef CONFIG_IPV6
1236 if (data->ipv6) {
5a641ae0
JM		 1237 if (inet_ntop(AF_INET6, &from.sin6.sin6_addr, abuf,
1238 sizeof(abuf)) == NULL)
6fc6879b 1239 abuf[0] = '\0';
5a641ae0 1240 from_port = ntohs(from.sin6.sin6_port);
6fc6879b
JM		 1241 RADIUS_DEBUG("Received %d bytes from %s:%d",
1242 len, abuf, from_port);
1243
1244 client = radius_server_get_client(data,
1245 (struct in_addr *)
5a641ae0 1246 &from.sin6.sin6_addr, 1);
6fc6879b
JM		 1247 }
1248#endif /* CONFIG_IPV6 */
1249
1250 if (!data->ipv6) {
5a641ae0
JM		 1251 os_strlcpy(abuf, inet_ntoa(from.sin.sin_addr), sizeof(abuf));
1252 from_port = ntohs(from.sin.sin_port);
6fc6879b
JM		 1253 RADIUS_DEBUG("Received %d bytes from %s:%d",
1254 len, abuf, from_port);
1255
5a641ae0 1256 client = radius_server_get_client(data, &from.sin.sin_addr, 0);
6fc6879b
JM		 1257 }
1258
1259 RADIUS_DUMP("Received data", buf, len);
1260
1261 if (client == NULL) {
1262 RADIUS_DEBUG("Unknown client %s - packet ignored", abuf);
1263 data->counters.invalid_requests++;
1264 goto fail;
1265 }
1266
1267 msg = radius_msg_parse(buf, len);
1268 if (msg == NULL) {
1269 RADIUS_DEBUG("Parsing incoming RADIUS frame failed");
1270 data->counters.malformed_access_requests++;
1271 client->counters.malformed_access_requests++;
1272 goto fail;
1273 }
1274
1275 os_free(buf);
1276 buf = NULL;
1277
1278 if (wpa_debug_level <= MSG_MSGDUMP) {
1279 radius_msg_dump(msg);
1280 }
1281
1489e11a
JM		 1282 if (radius_msg_get_hdr(msg)->code != RADIUS_CODE_ACCESS_REQUEST) {
1283 RADIUS_DEBUG("Unexpected RADIUS code %d",
1284 radius_msg_get_hdr(msg)->code);
6fc6879b
JM		 1285 data->counters.unknown_types++;
1286 client->counters.unknown_types++;
1287 goto fail;
1288 }
1289
1290 data->counters.access_requests++;
1291 client->counters.access_requests++;
1292
1293 if (radius_msg_verify_msg_auth(msg, (u8 *) client->shared_secret,
1294 client->shared_secret_len, NULL)) {
1295 RADIUS_DEBUG("Invalid Message-Authenticator from %s", abuf);
1296 data->counters.bad_authenticators++;
1297 client->counters.bad_authenticators++;
1298 goto fail;
1299 }
1300
1301 if (radius_server_request(data, msg, (struct sockaddr *) &from,
1302 fromlen, client, abuf, from_port, NULL) ==
1303 -2)
1304 return; /* msg was stored with the session */
1305
1306fail:
9e7245bd 1307 radius_msg_free(msg);
6fc6879b
JM		 1308 os_free(buf);
1309}
1310
1311
a1dd890a
JM		 1312static void radius_server_receive_acct(int sock, void *eloop_ctx,
1313 void *sock_ctx)
1314{
1315 struct radius_server_data *data = eloop_ctx;
1316 u8 *buf = NULL;
1317 union {
1318 struct sockaddr_storage ss;
1319 struct sockaddr_in sin;
1320#ifdef CONFIG_IPV6
1321 struct sockaddr_in6 sin6;
1322#endif /* CONFIG_IPV6 */
1323 } from;
1324 socklen_t fromlen;
1325 int len, res;
1326 struct radius_client *client = NULL;
1327 struct radius_msg *msg = NULL, *resp = NULL;
1328 char abuf[50];
1329 int from_port = 0;
1330 struct radius_hdr *hdr;
1331 struct wpabuf *rbuf;
1332
1333 buf = os_malloc(RADIUS_MAX_MSG_LEN);
1334 if (buf == NULL) {
1335 goto fail;
1336 }
1337
1338 fromlen = sizeof(from);
1339 len = recvfrom(sock, buf, RADIUS_MAX_MSG_LEN, 0,
1340 (struct sockaddr *) &from.ss, &fromlen);
1341 if (len < 0) {
1342 wpa_printf(MSG_INFO, "recvfrom[radius_server]: %s",
1343 strerror(errno));
1344 goto fail;
1345 }
1346
1347#ifdef CONFIG_IPV6
1348 if (data->ipv6) {
1349 if (inet_ntop(AF_INET6, &from.sin6.sin6_addr, abuf,
1350 sizeof(abuf)) == NULL)
1351 abuf[0] = '\0';
1352 from_port = ntohs(from.sin6.sin6_port);
1353 RADIUS_DEBUG("Received %d bytes from %s:%d",
1354 len, abuf, from_port);
1355
1356 client = radius_server_get_client(data,
1357 (struct in_addr *)
1358 &from.sin6.sin6_addr, 1);
1359 }
1360#endif /* CONFIG_IPV6 */
1361
1362 if (!data->ipv6) {
1363 os_strlcpy(abuf, inet_ntoa(from.sin.sin_addr), sizeof(abuf));
1364 from_port = ntohs(from.sin.sin_port);
1365 RADIUS_DEBUG("Received %d bytes from %s:%d",
1366 len, abuf, from_port);
1367
1368 client = radius_server_get_client(data, &from.sin.sin_addr, 0);
1369 }
1370
1371 RADIUS_DUMP("Received data", buf, len);
1372
1373 if (client == NULL) {
1374 RADIUS_DEBUG("Unknown client %s - packet ignored", abuf);
1375 data->counters.invalid_acct_requests++;
1376 goto fail;
1377 }
1378
1379 msg = radius_msg_parse(buf, len);
1380 if (msg == NULL) {
1381 RADIUS_DEBUG("Parsing incoming RADIUS frame failed");
1382 data->counters.malformed_acct_requests++;
1383 client->counters.malformed_acct_requests++;
1384 goto fail;
1385 }
1386
1387 os_free(buf);
1388 buf = NULL;
1389
1390 if (wpa_debug_level <= MSG_MSGDUMP) {
1391 radius_msg_dump(msg);
1392 }
1393
1394 if (radius_msg_get_hdr(msg)->code != RADIUS_CODE_ACCOUNTING_REQUEST) {
1395 RADIUS_DEBUG("Unexpected RADIUS code %d",
1396 radius_msg_get_hdr(msg)->code);
1397 data->counters.unknown_acct_types++;
1398 client->counters.unknown_acct_types++;
1399 goto fail;
1400 }
1401
1402 data->counters.acct_requests++;
1403 client->counters.acct_requests++;
1404
1405 if (radius_msg_verify_acct_req(msg, (u8 *) client->shared_secret,
1406 client->shared_secret_len)) {
1407 RADIUS_DEBUG("Invalid Authenticator from %s", abuf);
1408 data->counters.acct_bad_authenticators++;
1409 client->counters.acct_bad_authenticators++;
1410 goto fail;
1411 }
1412
1413 /* TODO: Write accounting information to a file or database */
1414
1415 hdr = radius_msg_get_hdr(msg);
1416
1417 resp = radius_msg_new(RADIUS_CODE_ACCOUNTING_RESPONSE, hdr->identifier);
1418 if (resp == NULL)
1419 goto fail;
1420
1421 radius_msg_finish_acct_resp(resp, (u8 *) client->shared_secret,
1422 client->shared_secret_len,
1423 hdr->authenticator);
1424
1425 RADIUS_DEBUG("Reply to %s:%d", abuf, from_port);
1426 if (wpa_debug_level <= MSG_MSGDUMP) {
1427 radius_msg_dump(resp);
1428 }
1429 rbuf = radius_msg_get_buf(resp);
1430 data->counters.acct_responses++;
1431 client->counters.acct_responses++;
1432 res = sendto(data->acct_sock, wpabuf_head(rbuf), wpabuf_len(rbuf), 0,
1433 (struct sockaddr *) &from.ss, fromlen);
1434 if (res < 0) {
1435 wpa_printf(MSG_INFO, "sendto[RADIUS SRV]: %s",
1436 strerror(errno));
1437 }
1438
1439fail:
1440 radius_msg_free(resp);
1441 radius_msg_free(msg);
1442 os_free(buf);
1443}
1444
1445
5cd89c26
JM		 1446static int radius_server_disable_pmtu_discovery(int s)
1447{
1448 int r = -1;
1449#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
1450 /* Turn off Path MTU discovery on IPv4/UDP sockets. */
1451 int action = IP_PMTUDISC_DONT;
1452 r = setsockopt(s, IPPROTO_IP, IP_MTU_DISCOVER, &action,
1453 sizeof(action));
1454 if (r == -1)
1455 wpa_printf(MSG_ERROR, "Failed to set IP_MTU_DISCOVER: "
1456 "%s", strerror(errno));
1457#endif
1458 return r;
1459}
1460
1461
6fc6879b
JM		 1462static int radius_server_open_socket(int port)
1463{
1464 int s;
1465 struct sockaddr_in addr;
1466
1467 s = socket(PF_INET, SOCK_DGRAM, 0);
1468 if (s < 0) {
61323e70 1469 wpa_printf(MSG_INFO, "RADIUS: socket: %s", strerror(errno));
6fc6879b
JM		 1470 return -1;
1471 }
1472
5cd89c26
JM		 1473 radius_server_disable_pmtu_discovery(s);
1474
6fc6879b
JM		 1475 os_memset(&addr, 0, sizeof(addr));
1476 addr.sin_family = AF_INET;
1477 addr.sin_port = htons(port);
1478 if (bind(s, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
61323e70 1479 wpa_printf(MSG_INFO, "RADIUS: bind: %s", strerror(errno));
6fc6879b
JM		 1480 close(s);
1481 return -1;
1482 }
1483
1484 return s;
1485}
1486
1487
1488#ifdef CONFIG_IPV6
1489static int radius_server_open_socket6(int port)
1490{
1491 int s;
1492 struct sockaddr_in6 addr;
1493
1494 s = socket(PF_INET6, SOCK_DGRAM, 0);
1495 if (s < 0) {
61323e70
JM		 1496 wpa_printf(MSG_INFO, "RADIUS: socket[IPv6]: %s",
1497 strerror(errno));
6fc6879b
JM		 1498 return -1;
1499 }
1500
1501 os_memset(&addr, 0, sizeof(addr));
1502 addr.sin6_family = AF_INET6;
1503 os_memcpy(&addr.sin6_addr, &in6addr_any, sizeof(in6addr_any));
1504 addr.sin6_port = htons(port);
1505 if (bind(s, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
61323e70 1506 wpa_printf(MSG_INFO, "RADIUS: bind: %s", strerror(errno));
6fc6879b
JM		 1507 close(s);
1508 return -1;
1509 }
1510
1511 return s;
1512}
1513#endif /* CONFIG_IPV6 */
1514
1515
1516static void radius_server_free_sessions(struct radius_server_data *data,
1517 struct radius_session *sessions)
1518{
1519 struct radius_session *session, *prev;
1520
1521 session = sessions;
1522 while (session) {
1523 prev = session;
1524 session = session->next;
1525 radius_server_session_free(data, prev);
1526 }
1527}
1528
1529
1530static void radius_server_free_clients(struct radius_server_data *data,
1531 struct radius_client *clients)
1532{
1533 struct radius_client *client, *prev;
1534
1535 client = clients;
1536 while (client) {
1537 prev = client;
1538 client = client->next;
1539
1540 radius_server_free_sessions(data, prev->sessions);
1541 os_free(prev->shared_secret);
1542 os_free(prev);
1543 }
1544}
1545
1546
1547static struct radius_client *
1548radius_server_read_clients(const char *client_file, int ipv6)
1549{
1550 FILE *f;
1551 const int buf_size = 1024;
1552 char *buf, *pos;
1553 struct radius_client *clients, *tail, *entry;
1554 int line = 0, mask, failed = 0, i;
1555 struct in_addr addr;
1556#ifdef CONFIG_IPV6
1557 struct in6_addr addr6;
1558#endif /* CONFIG_IPV6 */
1559 unsigned int val;
1560
1561 f = fopen(client_file, "r");
1562 if (f == NULL) {
1563 RADIUS_ERROR("Could not open client file '%s'", client_file);
1564 return NULL;
1565 }
1566
1567 buf = os_malloc(buf_size);
1568 if (buf == NULL) {
1569 fclose(f);
1570 return NULL;
1571 }
1572
1573 clients = tail = NULL;
1574 while (fgets(buf, buf_size, f)) {
1575 /* Configuration file format:
1576 * 192.168.1.0/24 secret
1577 * 192.168.1.2 secret
1578 * fe80::211:22ff:fe33:4455/64 secretipv6
1579 */
1580 line++;
1581 buf[buf_size - 1] = '\0';
1582 pos = buf;
1583 while (*pos != '\0' && *pos != '\n')
1584 pos++;
1585 if (*pos == '\n')
1586 *pos = '\0';
1587 if (*buf == '\0' || *buf == '#')
1588 continue;
1589
1590 pos = buf;
1591 while ((*pos >= '0' && *pos <= '9') || *pos == '.' ||
1592 (*pos >= 'a' && *pos <= 'f') || *pos == ':' ||
1593 (*pos >= 'A' && *pos <= 'F')) {
1594 pos++;
1595 }
1596
1597 if (*pos == '\0') {
1598 failed = 1;
1599 break;
1600 }
1601
1602 if (*pos == '/') {
1603 char *end;
1604 *pos++ = '\0';
1605 mask = strtol(pos, &end, 10);
1606 if ((pos == end) ||
1607 (mask < 0 || mask > (ipv6 ? 128 : 32))) {
1608 failed = 1;
1609 break;
1610 }
1611 pos = end;
1612 } else {
1613 mask = ipv6 ? 128 : 32;
1614 *pos++ = '\0';
1615 }
1616
1617 if (!ipv6 && inet_aton(buf, &addr) == 0) {
1618 failed = 1;
1619 break;
1620 }
1621#ifdef CONFIG_IPV6
1622 if (ipv6 && inet_pton(AF_INET6, buf, &addr6) <= 0) {
1623 if (inet_pton(AF_INET, buf, &addr) <= 0) {
1624 failed = 1;
1625 break;
1626 }
1627 /* Convert IPv4 address to IPv6 */
1628 if (mask <= 32)
1629 mask += (128 - 32);
1630 os_memset(addr6.s6_addr, 0, 10);
1631 addr6.s6_addr[10] = 0xff;
1632 addr6.s6_addr[11] = 0xff;
1633 os_memcpy(addr6.s6_addr + 12, (char *) &addr.s_addr,
1634 4);
1635 }
1636#endif /* CONFIG_IPV6 */
1637
1638 while (*pos == ' ' || *pos == '\t') {
1639 pos++;
1640 }
1641
1642 if (*pos == '\0') {
1643 failed = 1;
1644 break;
1645 }
1646
1647 entry = os_zalloc(sizeof(*entry));
1648 if (entry == NULL) {
1649 failed = 1;
1650 break;
1651 }
1652 entry->shared_secret = os_strdup(pos);
1653 if (entry->shared_secret == NULL) {
1654 failed = 1;
1655 os_free(entry);
1656 break;
1657 }
1658 entry->shared_secret_len = os_strlen(entry->shared_secret);
6fc6879b 1659 if (!ipv6) {
77381639 1660 entry->addr.s_addr = addr.s_addr;
6fc6879b
JM		 1661 val = 0;
1662 for (i = 0; i < mask; i++)
1663 val |= 1 << (31 - i);
1664 entry->mask.s_addr = htonl(val);
1665 }
1666#ifdef CONFIG_IPV6
1667 if (ipv6) {
1668 int offset = mask / 8;
1669
1670 os_memcpy(entry->addr6.s6_addr, addr6.s6_addr, 16);
1671 os_memset(entry->mask6.s6_addr, 0xff, offset);
1672 val = 0;
1673 for (i = 0; i < (mask % 8); i++)
1674 val |= 1 << (7 - i);
1675 if (offset < 16)
1676 entry->mask6.s6_addr[offset] = val;
1677 }
1678#endif /* CONFIG_IPV6 */
1679
1680 if (tail == NULL) {
1681 clients = tail = entry;
1682 } else {
1683 tail->next = entry;
1684 tail = entry;
1685 }
1686 }
1687
1688 if (failed) {
1689 RADIUS_ERROR("Invalid line %d in '%s'", line, client_file);
1690 radius_server_free_clients(NULL, clients);
1691 clients = NULL;
1692 }
1693
1694 os_free(buf);
1695 fclose(f);
1696
1697 return clients;
1698}
1699
1700
362bd35f
JM		 1701/**
1702 * radius_server_init - Initialize RADIUS server
1703 * @conf: Configuration for the RADIUS server
1704 * Returns: Pointer to private RADIUS server context or %NULL on failure
1705 *
1706 * This initializes a RADIUS server instance and returns a context pointer that
1707 * will be used in other calls to the RADIUS server module. The server can be
1708 * deinitialize by calling radius_server_deinit().
1709 */
6fc6879b
JM		 1710struct radius_server_data *
1711radius_server_init(struct radius_server_conf *conf)
1712{
1713 struct radius_server_data *data;
1714
1715#ifndef CONFIG_IPV6
1716 if (conf->ipv6) {
61323e70 1717 wpa_printf(MSG_ERROR, "RADIUS server compiled without IPv6 support");
6fc6879b
JM		 1718 return NULL;
1719 }
1720#endif /* CONFIG_IPV6 */
1721
1722 data = os_zalloc(sizeof(*data));
1723 if (data == NULL)
1724 return NULL;
1725
d3bddd8b 1726 dl_list_init(&data->erp_keys);
58707176 1727 os_get_reltime(&data->start_time);
6fc6879b
JM		 1728 data->conf_ctx = conf->conf_ctx;
1729 data->eap_sim_db_priv = conf->eap_sim_db_priv;
1730 data->ssl_ctx = conf->ssl_ctx;
bb437f28 1731 data->msg_ctx = conf->msg_ctx;
6fc6879b
JM		 1732 data->ipv6 = conf->ipv6;
1733 if (conf->pac_opaque_encr_key) {
1734 data->pac_opaque_encr_key = os_malloc(16);
4457f41b
MJ		 1735 if (data->pac_opaque_encr_key) {
1736 os_memcpy(data->pac_opaque_encr_key,
1737 conf->pac_opaque_encr_key, 16);
1738 }
6fc6879b 1739 }
2d867244
JM		 1740 if (conf->eap_fast_a_id) {
1741 data->eap_fast_a_id = os_malloc(conf->eap_fast_a_id_len);
1742 if (data->eap_fast_a_id) {
1743 os_memcpy(data->eap_fast_a_id, conf->eap_fast_a_id,
1744 conf->eap_fast_a_id_len);
1745 data->eap_fast_a_id_len = conf->eap_fast_a_id_len;
1746 }
1747 }
1748 if (conf->eap_fast_a_id_info)
1749 data->eap_fast_a_id_info = os_strdup(conf->eap_fast_a_id_info);
378eae5e 1750 data->eap_fast_prov = conf->eap_fast_prov;
a11c90a6
JM		 1751 data->pac_key_lifetime = conf->pac_key_lifetime;
1752 data->pac_key_refresh_time = conf->pac_key_refresh_time;
6fc6879b
JM		 1753 data->get_eap_user = conf->get_eap_user;
1754 data->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
c3e258ae 1755 data->tnc = conf->tnc;
ad08c363 1756 data->wps = conf->wps;
df684d82 1757 data->pwd_group = conf->pwd_group;
67fe933d 1758 data->server_id = conf->server_id;
65d50f0a
JM		 1759 if (conf->eap_req_id_text) {
1760 data->eap_req_id_text = os_malloc(conf->eap_req_id_text_len);
1761 if (data->eap_req_id_text) {
1762 os_memcpy(data->eap_req_id_text, conf->eap_req_id_text,
1763 conf->eap_req_id_text_len);
1764 data->eap_req_id_text_len = conf->eap_req_id_text_len;
1765 }
1766 }
d3bddd8b
JM		 1767 data->erp = conf->erp;
1768 data->erp_domain = conf->erp_domain;
681e199d 1769 data->tls_session_lifetime = conf->tls_session_lifetime;
6418400d 1770 data->tls_flags = conf->tls_flags;
6fc6879b 1771
8d2a9921
JM		 1772 if (conf->subscr_remediation_url) {
1773 data->subscr_remediation_url =
1774 os_strdup(conf->subscr_remediation_url);
1775 }
f6fb1926 1776 data->subscr_remediation_method = conf->subscr_remediation_method;
8d2a9921 1777
8a57da7e
JM		 1778#ifdef CONFIG_SQLITE
1779 if (conf->sqlite_file) {
1780 if (sqlite3_open(conf->sqlite_file, &data->db)) {
1781 RADIUS_ERROR("Could not open SQLite file '%s'",
1782 conf->sqlite_file);
1783 radius_server_deinit(data);
1784 return NULL;
1785 }
1786 }
1787#endif /* CONFIG_SQLITE */
1788
505a3694
JM		 1789#ifdef CONFIG_RADIUS_TEST
1790 if (conf->dump_msk_file)
1791 data->dump_msk_file = os_strdup(conf->dump_msk_file);
1792#endif /* CONFIG_RADIUS_TEST */
1793
6fc6879b
JM		 1794 data->clients = radius_server_read_clients(conf->client_file,
1795 conf->ipv6);
1796 if (data->clients == NULL) {
61323e70 1797 wpa_printf(MSG_ERROR, "No RADIUS clients configured");
6fc6879b
JM		 1798 radius_server_deinit(data);
1799 return NULL;
1800 }
1801
1802#ifdef CONFIG_IPV6
1803 if (conf->ipv6)
1804 data->auth_sock = radius_server_open_socket6(conf->auth_port);
1805 else
1806#endif /* CONFIG_IPV6 */
1807 data->auth_sock = radius_server_open_socket(conf->auth_port);
1808 if (data->auth_sock < 0) {
61323e70 1809 wpa_printf(MSG_ERROR, "Failed to open UDP socket for RADIUS authentication server");
6fc6879b
JM		 1810 radius_server_deinit(data);
1811 return NULL;
1812 }
1813 if (eloop_register_read_sock(data->auth_sock,
1814 radius_server_receive_auth,
1815 data, NULL)) {
1816 radius_server_deinit(data);
1817 return NULL;
1818 }
1819
a1dd890a
JM		 1820 if (conf->acct_port) {
1821#ifdef CONFIG_IPV6
1822 if (conf->ipv6)
1823 data->acct_sock = radius_server_open_socket6(
1824 conf->acct_port);
1825 else
1826#endif /* CONFIG_IPV6 */
1827 data->acct_sock = radius_server_open_socket(conf->acct_port);
1828 if (data->acct_sock < 0) {
1829 wpa_printf(MSG_ERROR, "Failed to open UDP socket for RADIUS accounting server");
1830 radius_server_deinit(data);
1831 return NULL;
1832 }
1833 if (eloop_register_read_sock(data->acct_sock,
1834 radius_server_receive_acct,
1835 data, NULL)) {
1836 radius_server_deinit(data);
1837 return NULL;
1838 }
1839 } else {
1840 data->acct_sock = -1;
1841 }
1842
6fc6879b
JM		 1843 return data;
1844}
1845
1846
362bd35f 1847/**
2c6411ed 1848 * radius_server_erp_flush - Flush all ERP keys
362bd35f
JM		 1849 * @data: RADIUS server context from radius_server_init()
1850 */
2c6411ed 1851void radius_server_erp_flush(struct radius_server_data *data)
6fc6879b 1852{
d3bddd8b
JM		 1853 struct eap_server_erp_key *erp;
1854
2c6411ed
JM		 1855 if (data == NULL)
1856 return;
1857 while ((erp = dl_list_first(&data->erp_keys, struct eap_server_erp_key,
1858 list)) != NULL) {
1859 dl_list_del(&erp->list);
1860 bin_clear_free(erp, sizeof(*erp));
1861 }
1862}
1863
1864
1865/**
1866 * radius_server_deinit - Deinitialize RADIUS server
1867 * @data: RADIUS server context from radius_server_init()
1868 */
1869void radius_server_deinit(struct radius_server_data *data)
1870{
6fc6879b
JM		 1871 if (data == NULL)
1872 return;
1873
1874 if (data->auth_sock >= 0) {
1875 eloop_unregister_read_sock(data->auth_sock);
1876 close(data->auth_sock);
1877 }
1878
a1dd890a
JM		 1879 if (data->acct_sock >= 0) {
1880 eloop_unregister_read_sock(data->acct_sock);
1881 close(data->acct_sock);
1882 }
1883
6fc6879b
JM		 1884 radius_server_free_clients(data, data->clients);
1885
1886 os_free(data->pac_opaque_encr_key);
1887 os_free(data->eap_fast_a_id);
2d867244 1888 os_free(data->eap_fast_a_id_info);
65d50f0a 1889 os_free(data->eap_req_id_text);
505a3694
JM		 1890#ifdef CONFIG_RADIUS_TEST
1891 os_free(data->dump_msk_file);
1892#endif /* CONFIG_RADIUS_TEST */
8d2a9921 1893 os_free(data->subscr_remediation_url);
8a57da7e
JM		 1894
1895#ifdef CONFIG_SQLITE
1896 if (data->db)
1897 sqlite3_close(data->db);
1898#endif /* CONFIG_SQLITE */
1899
2c6411ed 1900 radius_server_erp_flush(data);
d3bddd8b 1901
6fc6879b
JM		 1902 os_free(data);
1903}
1904
1905
362bd35f
JM		 1906/**
1907 * radius_server_get_mib - Get RADIUS server MIB information
1908 * @data: RADIUS server context from radius_server_init()
1909 * @buf: Buffer for returning the MIB data in text format
1910 * @buflen: buf length in octets
1911 * Returns: Number of octets written into buf
1912 */
6fc6879b
JM		 1913int radius_server_get_mib(struct radius_server_data *data, char *buf,
1914 size_t buflen)
1915{
1916 int ret, uptime;
1917 unsigned int idx;
1918 char *end, *pos;
58707176 1919 struct os_reltime now;
6fc6879b
JM		 1920 struct radius_client *cli;
1921
1922 /* RFC 2619 - RADIUS Authentication Server MIB */
1923
1924 if (data == NULL || buflen == 0)
1925 return 0;
1926
1927 pos = buf;
1928 end = buf + buflen;
1929
58707176 1930 os_get_reltime(&now);
6fc6879b
JM		 1931 uptime = (now.sec - data->start_time.sec) * 100 +
1932 ((now.usec - data->start_time.usec) / 10000) % 100;
1933 ret = os_snprintf(pos, end - pos,
1934 "RADIUS-AUTH-SERVER-MIB\n"
1935 "radiusAuthServIdent=hostapd\n"
1936 "radiusAuthServUpTime=%d\n"
1937 "radiusAuthServResetTime=0\n"
1938 "radiusAuthServConfigReset=4\n",
1939 uptime);
d85e1fc8 1940 if (os_snprintf_error(end - pos, ret)) {
6fc6879b
JM		 1941 *pos = '\0';
1942 return pos - buf;
1943 }
1944 pos += ret;
1945
1946 ret = os_snprintf(pos, end - pos,
1947 "radiusAuthServTotalAccessRequests=%u\n"
1948 "radiusAuthServTotalInvalidRequests=%u\n"
1949 "radiusAuthServTotalDupAccessRequests=%u\n"
1950 "radiusAuthServTotalAccessAccepts=%u\n"
1951 "radiusAuthServTotalAccessRejects=%u\n"
1952 "radiusAuthServTotalAccessChallenges=%u\n"
1953 "radiusAuthServTotalMalformedAccessRequests=%u\n"
1954 "radiusAuthServTotalBadAuthenticators=%u\n"
1955 "radiusAuthServTotalPacketsDropped=%u\n"
a1dd890a
JM		 1956 "radiusAuthServTotalUnknownTypes=%u\n"
1957 "radiusAccServTotalRequests=%u\n"
1958 "radiusAccServTotalInvalidRequests=%u\n"
1959 "radiusAccServTotalResponses=%u\n"
1960 "radiusAccServTotalMalformedRequests=%u\n"
1961 "radiusAccServTotalBadAuthenticators=%u\n"
1962 "radiusAccServTotalUnknownTypes=%u\n",
6fc6879b
JM		 1963 data->counters.access_requests,
1964 data->counters.invalid_requests,
1965 data->counters.dup_access_requests,
1966 data->counters.access_accepts,
1967 data->counters.access_rejects,
1968 data->counters.access_challenges,
1969 data->counters.malformed_access_requests,
1970 data->counters.bad_authenticators,
1971 data->counters.packets_dropped,
a1dd890a
JM		 1972 data->counters.unknown_types,
1973 data->counters.acct_requests,
1974 data->counters.invalid_acct_requests,
1975 data->counters.acct_responses,
1976 data->counters.malformed_acct_requests,
1977 data->counters.acct_bad_authenticators,
1978 data->counters.unknown_acct_types);
d85e1fc8 1979 if (os_snprintf_error(end - pos, ret)) {
6fc6879b
JM		 1980 *pos = '\0';
1981 return pos - buf;
1982 }
1983 pos += ret;
1984
1985 for (cli = data->clients, idx = 0; cli; cli = cli->next, idx++) {
1986 char abuf[50], mbuf[50];
1987#ifdef CONFIG_IPV6
1988 if (data->ipv6) {
1989 if (inet_ntop(AF_INET6, &cli->addr6, abuf,
1990 sizeof(abuf)) == NULL)
1991 abuf[0] = '\0';
c9cd78e5 1992 if (inet_ntop(AF_INET6, &cli->mask6, mbuf,
6fc6879b
JM		 1993 sizeof(mbuf)) == NULL)
1994 mbuf[0] = '\0';
1995 }
1996#endif /* CONFIG_IPV6 */
1997 if (!data->ipv6) {
1998 os_strlcpy(abuf, inet_ntoa(cli->addr), sizeof(abuf));
1999 os_strlcpy(mbuf, inet_ntoa(cli->mask), sizeof(mbuf));
2000 }
2001
2002 ret = os_snprintf(pos, end - pos,
2003 "radiusAuthClientIndex=%u\n"
2004 "radiusAuthClientAddress=%s/%s\n"
2005 "radiusAuthServAccessRequests=%u\n"
2006 "radiusAuthServDupAccessRequests=%u\n"
2007 "radiusAuthServAccessAccepts=%u\n"
2008 "radiusAuthServAccessRejects=%u\n"
2009 "radiusAuthServAccessChallenges=%u\n"
2010 "radiusAuthServMalformedAccessRequests=%u\n"
2011 "radiusAuthServBadAuthenticators=%u\n"
2012 "radiusAuthServPacketsDropped=%u\n"
a1dd890a
JM		 2013 "radiusAuthServUnknownTypes=%u\n"
2014 "radiusAccServTotalRequests=%u\n"
2015 "radiusAccServTotalInvalidRequests=%u\n"
2016 "radiusAccServTotalResponses=%u\n"
2017 "radiusAccServTotalMalformedRequests=%u\n"
2018 "radiusAccServTotalBadAuthenticators=%u\n"
2019 "radiusAccServTotalUnknownTypes=%u\n",
6fc6879b
JM		 2020 idx,
2021 abuf, mbuf,
2022 cli->counters.access_requests,
2023 cli->counters.dup_access_requests,
2024 cli->counters.access_accepts,
2025 cli->counters.access_rejects,
2026 cli->counters.access_challenges,
2027 cli->counters.malformed_access_requests,
2028 cli->counters.bad_authenticators,
2029 cli->counters.packets_dropped,
a1dd890a
JM		 2030 cli->counters.unknown_types,
2031 cli->counters.acct_requests,
2032 cli->counters.invalid_acct_requests,
2033 cli->counters.acct_responses,
2034 cli->counters.malformed_acct_requests,
2035 cli->counters.acct_bad_authenticators,
2036 cli->counters.unknown_acct_types);
d85e1fc8 2037 if (os_snprintf_error(end - pos, ret)) {
6fc6879b
JM		 2038 *pos = '\0';
2039 return pos - buf;
2040 }
2041 pos += ret;
2042 }
2043
2044 return pos - buf;
2045}
2046
2047
2048static int radius_server_get_eap_user(void *ctx, const u8 *identity,
2049 size_t identity_len, int phase2,
2050 struct eap_user *user)
2051{
2052 struct radius_session *sess = ctx;
2053 struct radius_server_data *data = sess->server;
8d2a9921 2054 int ret;
6fc6879b 2055
8d2a9921
JM		 2056 ret = data->get_eap_user(data->conf_ctx, identity, identity_len,
2057 phase2, user);
d0ee16ed
JM		 2058 if (ret == 0 && user) {
2059 sess->accept_attr = user->accept_attr;
8d2a9921 2060 sess->remediation = user->remediation;
8943cc99 2061 sess->macacl = user->macacl;
d0ee16ed 2062 }
fc48d33b
BG		 2063
2064 if (ret) {
2065 RADIUS_DEBUG("%s: User-Name not found from user database",
2066 __func__);
2067 }
2068
8d2a9921 2069 return ret;
6fc6879b
JM		 2070}
2071
2072
65d50f0a
JM		 2073static const char * radius_server_get_eap_req_id_text(void *ctx, size_t *len)
2074{
2075 struct radius_session *sess = ctx;
2076 struct radius_server_data *data = sess->server;
2077 *len = data->eap_req_id_text_len;
2078 return data->eap_req_id_text;
2079}
2080
2081
01f7fe10
JM		 2082static void radius_server_log_msg(void *ctx, const char *msg)
2083{
2084 struct radius_session *sess = ctx;
2085 srv_log(sess, "EAP: %s", msg);
2086}
2087
2088
d3bddd8b
JM		 2089#ifdef CONFIG_ERP
2090
2091static const char * radius_server_get_erp_domain(void *ctx)
2092{
2093 struct radius_session *sess = ctx;
2094 struct radius_server_data *data = sess->server;
2095
2096 return data->erp_domain;
2097}
2098
2099
2100static struct eap_server_erp_key *
2101radius_server_erp_get_key(void *ctx, const char *keyname)
2102{
2103 struct radius_session *sess = ctx;
2104 struct radius_server_data *data = sess->server;
2105 struct eap_server_erp_key *erp;
2106
2107 dl_list_for_each(erp, &data->erp_keys, struct eap_server_erp_key,
2108 list) {
2109 if (os_strcmp(erp->keyname_nai, keyname) == 0)
2110 return erp;
2111 }
2112
2113 return NULL;
2114}
2115
2116
2117static int radius_server_erp_add_key(void *ctx, struct eap_server_erp_key *erp)
2118{
2119 struct radius_session *sess = ctx;
2120 struct radius_server_data *data = sess->server;
2121
2122 dl_list_add(&data->erp_keys, &erp->list);
2123 return 0;
2124}
2125
2126#endif /* CONFIG_ERP */
2127
2128
8b423edb 2129static const struct eapol_callbacks radius_server_eapol_cb =
6fc6879b
JM		 2130{
2131 .get_eap_user = radius_server_get_eap_user,
65d50f0a 2132 .get_eap_req_id_text = radius_server_get_eap_req_id_text,
01f7fe10 2133 .log_msg = radius_server_log_msg,
d3bddd8b
JM		 2134#ifdef CONFIG_ERP
2135 .get_erp_send_reauth_start = NULL,
2136 .get_erp_domain = radius_server_get_erp_domain,
2137 .erp_get_key = radius_server_erp_get_key,
2138 .erp_add_key = radius_server_erp_add_key,
2139#endif /* CONFIG_ERP */
6fc6879b
JM		 2140};
2141
2142
362bd35f
JM		 2143/**
2144 * radius_server_eap_pending_cb - Pending EAP data notification
2145 * @data: RADIUS server context from radius_server_init()
2146 * @ctx: Pending EAP context pointer
2147 *
2148 * This function is used to notify EAP server module that a pending operation
2149 * has been completed and processing of the EAP session can proceed.
2150 */
6fc6879b
JM		 2151void radius_server_eap_pending_cb(struct radius_server_data *data, void *ctx)
2152{
2153 struct radius_client *cli;
2154 struct radius_session *s, *sess = NULL;
2155 struct radius_msg *msg;
2156
2157 if (data == NULL)
2158 return;
2159
2160 for (cli = data->clients; cli; cli = cli->next) {
2161 for (s = cli->sessions; s; s = s->next) {
2162 if (s->eap == ctx && s->last_msg) {
2163 sess = s;
2164 break;
2165 }
6fc6879b
JM		 2166 }
2167 if (sess)
2168 break;
2169 }
2170
2171 if (sess == NULL) {
2172 RADIUS_DEBUG("No session matched callback ctx");
2173 return;
2174 }
2175
2176 msg = sess->last_msg;
2177 sess->last_msg = NULL;
2178 eap_sm_pending_cb(sess->eap);
2179 if (radius_server_request(data, msg,
2180 (struct sockaddr *) &sess->last_from,
2181 sess->last_fromlen, cli,
2182 sess->last_from_addr,
2183 sess->last_from_port, sess) == -2)
2184 return; /* msg was stored with the session */
2185
2186 radius_msg_free(msg);
6fc6879b 2187}
Unnamed repository; edit this file 'description' to name the repository.