]>
Commit | Line | Data |
---|---|---|
6fc6879b | 1 | /* |
362bd35f | 2 | * RADIUS authentication server |
a1dd890a | 3 | * Copyright (c) 2005-2009, 2011-2014, Jouni Malinen <j@w1.fi> |
6fc6879b | 4 | * |
0f3d578e JM |
5 | * This software may be distributed under the terms of the BSD license. |
6 | * See README for more details. | |
6fc6879b JM |
7 | */ |
8 | ||
9 | #include "includes.h" | |
10 | #include <net/if.h> | |
8a57da7e JM |
11 | #ifdef CONFIG_SQLITE |
12 | #include <sqlite3.h> | |
13 | #endif /* CONFIG_SQLITE */ | |
6fc6879b JM |
14 | |
15 | #include "common.h" | |
16 | #include "radius.h" | |
17 | #include "eloop.h" | |
6fc6879b | 18 | #include "eap_server/eap.h" |
d0ee16ed | 19 | #include "ap/ap_config.h" |
390b9291 | 20 | #include "crypto/tls.h" |
6fc6879b JM |
21 | #include "radius_server.h" |
22 | ||
362bd35f JM |
23 | /** |
24 | * RADIUS_SESSION_TIMEOUT - Session timeout in seconds | |
25 | */ | |
6fc6879b | 26 | #define RADIUS_SESSION_TIMEOUT 60 |
362bd35f | 27 | |
35677305 JM |
28 | /** |
29 | * RADIUS_SESSION_MAINTAIN - Completed session expiration timeout in seconds | |
30 | */ | |
31 | #define RADIUS_SESSION_MAINTAIN 5 | |
32 | ||
362bd35f JM |
33 | /** |
34 | * RADIUS_MAX_SESSION - Maximum number of active sessions | |
35 | */ | |
35677305 | 36 | #define RADIUS_MAX_SESSION 1000 |
362bd35f JM |
37 | |
38 | /** | |
39 | * RADIUS_MAX_MSG_LEN - Maximum message length for incoming RADIUS messages | |
40 | */ | |
6fc6879b JM |
41 | #define RADIUS_MAX_MSG_LEN 3000 |
42 | ||
8b423edb | 43 | static const struct eapol_callbacks radius_server_eapol_cb; |
6fc6879b JM |
44 | |
45 | struct radius_client; | |
46 | struct radius_server_data; | |
47 | ||
362bd35f JM |
48 | /** |
49 | * struct radius_server_counters - RADIUS server statistics counters | |
50 | */ | |
6fc6879b JM |
51 | struct radius_server_counters { |
52 | u32 access_requests; | |
53 | u32 invalid_requests; | |
54 | u32 dup_access_requests; | |
55 | u32 access_accepts; | |
56 | u32 access_rejects; | |
57 | u32 access_challenges; | |
58 | u32 malformed_access_requests; | |
59 | u32 bad_authenticators; | |
60 | u32 packets_dropped; | |
61 | u32 unknown_types; | |
a1dd890a JM |
62 | |
63 | u32 acct_requests; | |
64 | u32 invalid_acct_requests; | |
65 | u32 acct_responses; | |
66 | u32 malformed_acct_requests; | |
67 | u32 acct_bad_authenticators; | |
68 | u32 unknown_acct_types; | |
6fc6879b JM |
69 | }; |
70 | ||
362bd35f JM |
71 | /** |
72 | * struct radius_session - Internal RADIUS server data for a session | |
73 | */ | |
6fc6879b JM |
74 | struct radius_session { |
75 | struct radius_session *next; | |
76 | struct radius_client *client; | |
77 | struct radius_server_data *server; | |
78 | unsigned int sess_id; | |
79 | struct eap_sm *eap; | |
80 | struct eap_eapol_interface *eap_if; | |
8a57da7e JM |
81 | char *username; /* from User-Name attribute */ |
82 | char *nas_ip; | |
6fc6879b JM |
83 | |
84 | struct radius_msg *last_msg; | |
85 | char *last_from_addr; | |
86 | int last_from_port; | |
87 | struct sockaddr_storage last_from; | |
88 | socklen_t last_fromlen; | |
89 | u8 last_identifier; | |
90 | struct radius_msg *last_reply; | |
91 | u8 last_authenticator[16]; | |
8d2a9921 JM |
92 | |
93 | unsigned int remediation:1; | |
8943cc99 | 94 | unsigned int macacl:1; |
d0ee16ed JM |
95 | |
96 | struct hostapd_radius_attr *accept_attr; | |
6fc6879b JM |
97 | }; |
98 | ||
362bd35f JM |
99 | /** |
100 | * struct radius_client - Internal RADIUS server data for a client | |
101 | */ | |
6fc6879b JM |
102 | struct radius_client { |
103 | struct radius_client *next; | |
104 | struct in_addr addr; | |
105 | struct in_addr mask; | |
106 | #ifdef CONFIG_IPV6 | |
107 | struct in6_addr addr6; | |
108 | struct in6_addr mask6; | |
109 | #endif /* CONFIG_IPV6 */ | |
110 | char *shared_secret; | |
111 | int shared_secret_len; | |
112 | struct radius_session *sessions; | |
113 | struct radius_server_counters counters; | |
114 | }; | |
115 | ||
362bd35f JM |
116 | /** |
117 | * struct radius_server_data - Internal RADIUS server data | |
118 | */ | |
6fc6879b | 119 | struct radius_server_data { |
362bd35f JM |
120 | /** |
121 | * auth_sock - Socket for RADIUS authentication messages | |
122 | */ | |
6fc6879b | 123 | int auth_sock; |
362bd35f | 124 | |
a1dd890a JM |
125 | /** |
126 | * acct_sock - Socket for RADIUS accounting messages | |
127 | */ | |
128 | int acct_sock; | |
129 | ||
362bd35f JM |
130 | /** |
131 | * clients - List of authorized RADIUS clients | |
132 | */ | |
6fc6879b | 133 | struct radius_client *clients; |
362bd35f JM |
134 | |
135 | /** | |
136 | * next_sess_id - Next session identifier | |
137 | */ | |
6fc6879b | 138 | unsigned int next_sess_id; |
362bd35f JM |
139 | |
140 | /** | |
141 | * conf_ctx - Context pointer for callbacks | |
142 | * | |
143 | * This is used as the ctx argument in get_eap_user() calls. | |
144 | */ | |
6fc6879b | 145 | void *conf_ctx; |
362bd35f JM |
146 | |
147 | /** | |
148 | * num_sess - Number of active sessions | |
149 | */ | |
6fc6879b | 150 | int num_sess; |
362bd35f JM |
151 | |
152 | /** | |
153 | * eap_sim_db_priv - EAP-SIM/AKA database context | |
154 | * | |
155 | * This is passed to the EAP-SIM/AKA server implementation as a | |
156 | * callback context. | |
157 | */ | |
6fc6879b | 158 | void *eap_sim_db_priv; |
362bd35f JM |
159 | |
160 | /** | |
161 | * ssl_ctx - TLS context | |
162 | * | |
163 | * This is passed to the EAP server implementation as a callback | |
164 | * context for TLS operations. | |
165 | */ | |
6fc6879b | 166 | void *ssl_ctx; |
362bd35f JM |
167 | |
168 | /** | |
169 | * pac_opaque_encr_key - PAC-Opaque encryption key for EAP-FAST | |
170 | * | |
171 | * This parameter is used to set a key for EAP-FAST to encrypt the | |
172 | * PAC-Opaque data. It can be set to %NULL if EAP-FAST is not used. If | |
173 | * set, must point to a 16-octet key. | |
174 | */ | |
6fc6879b | 175 | u8 *pac_opaque_encr_key; |
362bd35f JM |
176 | |
177 | /** | |
178 | * eap_fast_a_id - EAP-FAST authority identity (A-ID) | |
179 | * | |
180 | * If EAP-FAST is not used, this can be set to %NULL. In theory, this | |
181 | * is a variable length field, but due to some existing implementations | |
182 | * requiring A-ID to be 16 octets in length, it is recommended to use | |
183 | * that length for the field to provide interoperability with deployed | |
184 | * peer implementations. | |
185 | */ | |
2d867244 | 186 | u8 *eap_fast_a_id; |
362bd35f JM |
187 | |
188 | /** | |
189 | * eap_fast_a_id_len - Length of eap_fast_a_id buffer in octets | |
190 | */ | |
2d867244 | 191 | size_t eap_fast_a_id_len; |
362bd35f JM |
192 | |
193 | /** | |
194 | * eap_fast_a_id_info - EAP-FAST authority identifier information | |
195 | * | |
196 | * This A-ID-Info contains a user-friendly name for the A-ID. For | |
197 | * example, this could be the enterprise and server names in | |
198 | * human-readable format. This field is encoded as UTF-8. If EAP-FAST | |
199 | * is not used, this can be set to %NULL. | |
200 | */ | |
2d867244 | 201 | char *eap_fast_a_id_info; |
362bd35f JM |
202 | |
203 | /** | |
204 | * eap_fast_prov - EAP-FAST provisioning modes | |
205 | * | |
206 | * 0 = provisioning disabled, 1 = only anonymous provisioning allowed, | |
207 | * 2 = only authenticated provisioning allowed, 3 = both provisioning | |
208 | * modes allowed. | |
209 | */ | |
378eae5e | 210 | int eap_fast_prov; |
362bd35f JM |
211 | |
212 | /** | |
213 | * pac_key_lifetime - EAP-FAST PAC-Key lifetime in seconds | |
214 | * | |
215 | * This is the hard limit on how long a provisioned PAC-Key can be | |
216 | * used. | |
217 | */ | |
a11c90a6 | 218 | int pac_key_lifetime; |
362bd35f JM |
219 | |
220 | /** | |
221 | * pac_key_refresh_time - EAP-FAST PAC-Key refresh time in seconds | |
222 | * | |
223 | * This is a soft limit on the PAC-Key. The server will automatically | |
224 | * generate a new PAC-Key when this number of seconds (or fewer) of the | |
225 | * lifetime remains. | |
226 | */ | |
a11c90a6 | 227 | int pac_key_refresh_time; |
362bd35f JM |
228 | |
229 | /** | |
230 | * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication | |
231 | * | |
232 | * This controls whether the protected success/failure indication | |
233 | * (AT_RESULT_IND) is used with EAP-SIM and EAP-AKA. | |
234 | */ | |
6fc6879b | 235 | int eap_sim_aka_result_ind; |
362bd35f JM |
236 | |
237 | /** | |
238 | * tnc - Trusted Network Connect (TNC) | |
239 | * | |
240 | * This controls whether TNC is enabled and will be required before the | |
241 | * peer is allowed to connect. Note: This is only used with EAP-TTLS | |
242 | * and EAP-FAST. If any other EAP method is enabled, the peer will be | |
243 | * allowed to connect without TNC. | |
244 | */ | |
c3e258ae | 245 | int tnc; |
362bd35f | 246 | |
df684d82 DH |
247 | /** |
248 | * pwd_group - The D-H group assigned for EAP-pwd | |
249 | * | |
250 | * If EAP-pwd is not used it can be set to zero. | |
251 | */ | |
252 | u16 pwd_group; | |
253 | ||
67fe933d JM |
254 | /** |
255 | * server_id - Server identity | |
256 | */ | |
257 | const char *server_id; | |
258 | ||
d3bddd8b JM |
259 | /** |
260 | * erp - Whether EAP Re-authentication Protocol (ERP) is enabled | |
261 | * | |
262 | * This controls whether the authentication server derives ERP key | |
263 | * hierarchy (rRK and rIK) from full EAP authentication and allows | |
264 | * these keys to be used to perform ERP to derive rMSK instead of full | |
265 | * EAP authentication to derive MSK. | |
266 | */ | |
267 | int erp; | |
268 | ||
269 | const char *erp_domain; | |
270 | ||
271 | struct dl_list erp_keys; /* struct eap_server_erp_key */ | |
272 | ||
681e199d JM |
273 | unsigned int tls_session_lifetime; |
274 | ||
6418400d JM |
275 | unsigned int tls_flags; |
276 | ||
362bd35f JM |
277 | /** |
278 | * wps - Wi-Fi Protected Setup context | |
279 | * | |
280 | * If WPS is used with an external RADIUS server (which is quite | |
281 | * unlikely configuration), this is used to provide a pointer to WPS | |
282 | * context data. Normally, this can be set to %NULL. | |
283 | */ | |
ad08c363 | 284 | struct wps_context *wps; |
362bd35f JM |
285 | |
286 | /** | |
287 | * ipv6 - Whether to enable IPv6 support in the RADIUS server | |
288 | */ | |
6fc6879b | 289 | int ipv6; |
362bd35f JM |
290 | |
291 | /** | |
292 | * start_time - Timestamp of server start | |
293 | */ | |
58707176 | 294 | struct os_reltime start_time; |
362bd35f JM |
295 | |
296 | /** | |
297 | * counters - Statistics counters for server operations | |
298 | * | |
299 | * These counters are the sum over all clients. | |
300 | */ | |
6fc6879b | 301 | struct radius_server_counters counters; |
362bd35f JM |
302 | |
303 | /** | |
304 | * get_eap_user - Callback for fetching EAP user information | |
305 | * @ctx: Context data from conf_ctx | |
306 | * @identity: User identity | |
307 | * @identity_len: identity buffer length in octets | |
308 | * @phase2: Whether this is for Phase 2 identity | |
309 | * @user: Data structure for filling in the user information | |
310 | * Returns: 0 on success, -1 on failure | |
311 | * | |
312 | * This is used to fetch information from user database. The callback | |
313 | * will fill in information about allowed EAP methods and the user | |
314 | * password. The password field will be an allocated copy of the | |
315 | * password data and RADIUS server will free it after use. | |
316 | */ | |
6fc6879b JM |
317 | int (*get_eap_user)(void *ctx, const u8 *identity, size_t identity_len, |
318 | int phase2, struct eap_user *user); | |
362bd35f JM |
319 | |
320 | /** | |
321 | * eap_req_id_text - Optional data for EAP-Request/Identity | |
322 | * | |
323 | * This can be used to configure an optional, displayable message that | |
324 | * will be sent in EAP-Request/Identity. This string can contain an | |
325 | * ASCII-0 character (nul) to separate network infromation per RFC | |
326 | * 4284. The actual string length is explicit provided in | |
327 | * eap_req_id_text_len since nul character will not be used as a string | |
328 | * terminator. | |
329 | */ | |
65d50f0a | 330 | char *eap_req_id_text; |
362bd35f JM |
331 | |
332 | /** | |
333 | * eap_req_id_text_len - Length of eap_req_id_text buffer in octets | |
334 | */ | |
65d50f0a | 335 | size_t eap_req_id_text_len; |
bb437f28 GD |
336 | |
337 | /* | |
338 | * msg_ctx - Context data for wpa_msg() calls | |
339 | */ | |
340 | void *msg_ctx; | |
505a3694 JM |
341 | |
342 | #ifdef CONFIG_RADIUS_TEST | |
343 | char *dump_msk_file; | |
344 | #endif /* CONFIG_RADIUS_TEST */ | |
8d2a9921 JM |
345 | |
346 | char *subscr_remediation_url; | |
347 | u8 subscr_remediation_method; | |
8a57da7e JM |
348 | |
349 | #ifdef CONFIG_SQLITE | |
350 | sqlite3 *db; | |
351 | #endif /* CONFIG_SQLITE */ | |
6fc6879b JM |
352 | }; |
353 | ||
354 | ||
6fc6879b JM |
355 | #define RADIUS_DEBUG(args...) \ |
356 | wpa_printf(MSG_DEBUG, "RADIUS SRV: " args) | |
357 | #define RADIUS_ERROR(args...) \ | |
358 | wpa_printf(MSG_ERROR, "RADIUS SRV: " args) | |
359 | #define RADIUS_DUMP(args...) \ | |
360 | wpa_hexdump(MSG_MSGDUMP, "RADIUS SRV: " args) | |
361 | #define RADIUS_DUMP_ASCII(args...) \ | |
362 | wpa_hexdump_ascii(MSG_MSGDUMP, "RADIUS SRV: " args) | |
363 | ||
364 | ||
365 | static void radius_server_session_timeout(void *eloop_ctx, void *timeout_ctx); | |
f481459f JM |
366 | static void radius_server_session_remove_timeout(void *eloop_ctx, |
367 | void *timeout_ctx); | |
6fc6879b | 368 | |
8a57da7e JM |
369 | void srv_log(struct radius_session *sess, const char *fmt, ...) |
370 | PRINTF_FORMAT(2, 3); | |
371 | ||
372 | void srv_log(struct radius_session *sess, const char *fmt, ...) | |
373 | { | |
374 | va_list ap; | |
375 | char *buf; | |
376 | int buflen; | |
377 | ||
378 | va_start(ap, fmt); | |
379 | buflen = vsnprintf(NULL, 0, fmt, ap) + 1; | |
380 | va_end(ap); | |
381 | ||
382 | buf = os_malloc(buflen); | |
383 | if (buf == NULL) | |
384 | return; | |
385 | va_start(ap, fmt); | |
386 | vsnprintf(buf, buflen, fmt, ap); | |
387 | va_end(ap); | |
388 | ||
389 | RADIUS_DEBUG("[0x%x %s] %s", sess->sess_id, sess->nas_ip, buf); | |
390 | ||
391 | #ifdef CONFIG_SQLITE | |
392 | if (sess->server->db) { | |
393 | char *sql; | |
394 | sql = sqlite3_mprintf("INSERT INTO authlog" | |
395 | "(timestamp,session,nas_ip,username,note)" | |
396 | " VALUES (" | |
397 | "strftime('%%Y-%%m-%%d %%H:%%M:%%f'," | |
398 | "'now'),%u,%Q,%Q,%Q)", | |
399 | sess->sess_id, sess->nas_ip, | |
400 | sess->username, buf); | |
401 | if (sql) { | |
402 | if (sqlite3_exec(sess->server->db, sql, NULL, NULL, | |
403 | NULL) != SQLITE_OK) { | |
404 | RADIUS_ERROR("Failed to add authlog entry into sqlite database: %s", | |
405 | sqlite3_errmsg(sess->server->db)); | |
406 | } | |
407 | sqlite3_free(sql); | |
408 | } | |
409 | } | |
410 | #endif /* CONFIG_SQLITE */ | |
411 | ||
412 | os_free(buf); | |
413 | } | |
414 | ||
6fc6879b JM |
415 | |
416 | static struct radius_client * | |
417 | radius_server_get_client(struct radius_server_data *data, struct in_addr *addr, | |
418 | int ipv6) | |
419 | { | |
420 | struct radius_client *client = data->clients; | |
421 | ||
422 | while (client) { | |
423 | #ifdef CONFIG_IPV6 | |
424 | if (ipv6) { | |
425 | struct in6_addr *addr6; | |
426 | int i; | |
427 | ||
428 | addr6 = (struct in6_addr *) addr; | |
429 | for (i = 0; i < 16; i++) { | |
430 | if ((addr6->s6_addr[i] & | |
431 | client->mask6.s6_addr[i]) != | |
432 | (client->addr6.s6_addr[i] & | |
433 | client->mask6.s6_addr[i])) { | |
434 | i = 17; | |
435 | break; | |
436 | } | |
437 | } | |
438 | if (i == 16) { | |
439 | break; | |
440 | } | |
441 | } | |
442 | #endif /* CONFIG_IPV6 */ | |
443 | if (!ipv6 && (client->addr.s_addr & client->mask.s_addr) == | |
444 | (addr->s_addr & client->mask.s_addr)) { | |
445 | break; | |
446 | } | |
447 | ||
448 | client = client->next; | |
449 | } | |
450 | ||
451 | return client; | |
452 | } | |
453 | ||
454 | ||
455 | static struct radius_session * | |
456 | radius_server_get_session(struct radius_client *client, unsigned int sess_id) | |
457 | { | |
458 | struct radius_session *sess = client->sessions; | |
459 | ||
460 | while (sess) { | |
461 | if (sess->sess_id == sess_id) { | |
462 | break; | |
463 | } | |
464 | sess = sess->next; | |
465 | } | |
466 | ||
467 | return sess; | |
468 | } | |
469 | ||
470 | ||
471 | static void radius_server_session_free(struct radius_server_data *data, | |
472 | struct radius_session *sess) | |
473 | { | |
474 | eloop_cancel_timeout(radius_server_session_timeout, data, sess); | |
f481459f | 475 | eloop_cancel_timeout(radius_server_session_remove_timeout, data, sess); |
6fc6879b | 476 | eap_server_sm_deinit(sess->eap); |
9e7245bd | 477 | radius_msg_free(sess->last_msg); |
6fc6879b | 478 | os_free(sess->last_from_addr); |
9e7245bd | 479 | radius_msg_free(sess->last_reply); |
8a57da7e JM |
480 | os_free(sess->username); |
481 | os_free(sess->nas_ip); | |
6fc6879b JM |
482 | os_free(sess); |
483 | data->num_sess--; | |
484 | } | |
485 | ||
486 | ||
6fc6879b JM |
487 | static void radius_server_session_remove(struct radius_server_data *data, |
488 | struct radius_session *sess) | |
489 | { | |
490 | struct radius_client *client = sess->client; | |
491 | struct radius_session *session, *prev; | |
492 | ||
493 | eloop_cancel_timeout(radius_server_session_remove_timeout, data, sess); | |
494 | ||
495 | prev = NULL; | |
496 | session = client->sessions; | |
497 | while (session) { | |
498 | if (session == sess) { | |
499 | if (prev == NULL) { | |
500 | client->sessions = sess->next; | |
501 | } else { | |
502 | prev->next = sess->next; | |
503 | } | |
504 | radius_server_session_free(data, sess); | |
505 | break; | |
506 | } | |
507 | prev = session; | |
508 | session = session->next; | |
509 | } | |
510 | } | |
511 | ||
512 | ||
513 | static void radius_server_session_remove_timeout(void *eloop_ctx, | |
514 | void *timeout_ctx) | |
515 | { | |
516 | struct radius_server_data *data = eloop_ctx; | |
517 | struct radius_session *sess = timeout_ctx; | |
518 | RADIUS_DEBUG("Removing completed session 0x%x", sess->sess_id); | |
519 | radius_server_session_remove(data, sess); | |
520 | } | |
521 | ||
522 | ||
523 | static void radius_server_session_timeout(void *eloop_ctx, void *timeout_ctx) | |
524 | { | |
525 | struct radius_server_data *data = eloop_ctx; | |
526 | struct radius_session *sess = timeout_ctx; | |
527 | ||
528 | RADIUS_DEBUG("Timing out authentication session 0x%x", sess->sess_id); | |
529 | radius_server_session_remove(data, sess); | |
530 | } | |
531 | ||
532 | ||
533 | static struct radius_session * | |
534 | radius_server_new_session(struct radius_server_data *data, | |
535 | struct radius_client *client) | |
536 | { | |
537 | struct radius_session *sess; | |
538 | ||
539 | if (data->num_sess >= RADIUS_MAX_SESSION) { | |
540 | RADIUS_DEBUG("Maximum number of existing session - no room " | |
541 | "for a new session"); | |
542 | return NULL; | |
543 | } | |
544 | ||
545 | sess = os_zalloc(sizeof(*sess)); | |
546 | if (sess == NULL) | |
547 | return NULL; | |
548 | ||
549 | sess->server = data; | |
550 | sess->client = client; | |
551 | sess->sess_id = data->next_sess_id++; | |
552 | sess->next = client->sessions; | |
553 | client->sessions = sess; | |
554 | eloop_register_timeout(RADIUS_SESSION_TIMEOUT, 0, | |
555 | radius_server_session_timeout, data, sess); | |
556 | data->num_sess++; | |
557 | return sess; | |
558 | } | |
559 | ||
560 | ||
390b9291 JM |
561 | #ifdef CONFIG_TESTING_OPTIONS |
562 | static void radius_server_testing_options_tls(struct radius_session *sess, | |
563 | const char *tls, | |
564 | struct eap_config *eap_conf) | |
565 | { | |
566 | int test = atoi(tls); | |
567 | ||
568 | switch (test) { | |
569 | case 1: | |
570 | srv_log(sess, "TLS test - break VerifyData"); | |
571 | eap_conf->tls_test_flags = TLS_BREAK_VERIFY_DATA; | |
572 | break; | |
573 | case 2: | |
574 | srv_log(sess, "TLS test - break ServerKeyExchange ServerParams hash"); | |
575 | eap_conf->tls_test_flags = TLS_BREAK_SRV_KEY_X_HASH; | |
576 | break; | |
577 | case 3: | |
578 | srv_log(sess, "TLS test - break ServerKeyExchange ServerParams Signature"); | |
579 | eap_conf->tls_test_flags = TLS_BREAK_SRV_KEY_X_SIGNATURE; | |
580 | break; | |
47bd94a0 JM |
581 | case 4: |
582 | srv_log(sess, "TLS test - RSA-DHE using a short 511-bit prime"); | |
583 | eap_conf->tls_test_flags = TLS_DHE_PRIME_511B; | |
584 | break; | |
585 | case 5: | |
586 | srv_log(sess, "TLS test - RSA-DHE using a short 767-bit prime"); | |
587 | eap_conf->tls_test_flags = TLS_DHE_PRIME_767B; | |
588 | break; | |
589 | case 6: | |
590 | srv_log(sess, "TLS test - RSA-DHE using a bogus 15 \"prime\""); | |
591 | eap_conf->tls_test_flags = TLS_DHE_PRIME_15; | |
592 | break; | |
593 | case 7: | |
594 | srv_log(sess, "TLS test - RSA-DHE using a short 58-bit prime in long container"); | |
595 | eap_conf->tls_test_flags = TLS_DHE_PRIME_58B; | |
596 | break; | |
597 | case 8: | |
598 | srv_log(sess, "TLS test - RSA-DHE using a non-prime"); | |
599 | eap_conf->tls_test_flags = TLS_DHE_NON_PRIME; | |
600 | break; | |
390b9291 JM |
601 | default: |
602 | srv_log(sess, "Unrecognized TLS test"); | |
603 | break; | |
604 | } | |
605 | } | |
606 | #endif /* CONFIG_TESTING_OPTIONS */ | |
607 | ||
608 | static void radius_server_testing_options(struct radius_session *sess, | |
609 | struct eap_config *eap_conf) | |
610 | { | |
611 | #ifdef CONFIG_TESTING_OPTIONS | |
612 | const char *pos; | |
613 | ||
614 | pos = os_strstr(sess->username, "@test-"); | |
615 | if (pos == NULL) | |
616 | return; | |
617 | pos += 6; | |
618 | if (os_strncmp(pos, "tls-", 4) == 0) | |
619 | radius_server_testing_options_tls(sess, pos + 4, eap_conf); | |
620 | else | |
621 | srv_log(sess, "Unrecognized test: %s", pos); | |
622 | #endif /* CONFIG_TESTING_OPTIONS */ | |
623 | } | |
624 | ||
625 | ||
6fc6879b JM |
626 | static struct radius_session * |
627 | radius_server_get_new_session(struct radius_server_data *data, | |
628 | struct radius_client *client, | |
8a57da7e | 629 | struct radius_msg *msg, const char *from_addr) |
6fc6879b JM |
630 | { |
631 | u8 *user; | |
632 | size_t user_len; | |
633 | int res; | |
634 | struct radius_session *sess; | |
635 | struct eap_config eap_conf; | |
d0ee16ed | 636 | struct eap_user tmp; |
6fc6879b JM |
637 | |
638 | RADIUS_DEBUG("Creating a new session"); | |
639 | ||
8a57da7e JM |
640 | if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &user, |
641 | &user_len, NULL) < 0) { | |
6fc6879b | 642 | RADIUS_DEBUG("Could not get User-Name"); |
6fc6879b JM |
643 | return NULL; |
644 | } | |
6fc6879b JM |
645 | RADIUS_DUMP_ASCII("User-Name", user, user_len); |
646 | ||
d0ee16ed JM |
647 | os_memset(&tmp, 0, sizeof(tmp)); |
648 | res = data->get_eap_user(data->conf_ctx, user, user_len, 0, &tmp); | |
b7175b4d | 649 | bin_clear_free(tmp.password, tmp.password_len); |
6fc6879b | 650 | |
8a57da7e | 651 | if (res != 0) { |
6fc6879b JM |
652 | RADIUS_DEBUG("User-Name not found from user database"); |
653 | return NULL; | |
654 | } | |
655 | ||
8a57da7e JM |
656 | RADIUS_DEBUG("Matching user entry found"); |
657 | sess = radius_server_new_session(data, client); | |
658 | if (sess == NULL) { | |
659 | RADIUS_DEBUG("Failed to create a new session"); | |
660 | return NULL; | |
661 | } | |
662 | sess->accept_attr = tmp.accept_attr; | |
8943cc99 | 663 | sess->macacl = tmp.macacl; |
8a57da7e | 664 | |
95f6f6a4 | 665 | sess->username = os_malloc(user_len * 4 + 1); |
8a57da7e | 666 | if (sess->username == NULL) { |
de01f254 | 667 | radius_server_session_remove(data, sess); |
8a57da7e JM |
668 | return NULL; |
669 | } | |
95f6f6a4 | 670 | printf_encode(sess->username, user_len * 4 + 1, user, user_len); |
8a57da7e JM |
671 | |
672 | sess->nas_ip = os_strdup(from_addr); | |
673 | if (sess->nas_ip == NULL) { | |
de01f254 | 674 | radius_server_session_remove(data, sess); |
8a57da7e JM |
675 | return NULL; |
676 | } | |
677 | ||
678 | srv_log(sess, "New session created"); | |
679 | ||
6fc6879b JM |
680 | os_memset(&eap_conf, 0, sizeof(eap_conf)); |
681 | eap_conf.ssl_ctx = data->ssl_ctx; | |
bb437f28 | 682 | eap_conf.msg_ctx = data->msg_ctx; |
6fc6879b JM |
683 | eap_conf.eap_sim_db_priv = data->eap_sim_db_priv; |
684 | eap_conf.backend_auth = TRUE; | |
685 | eap_conf.eap_server = 1; | |
686 | eap_conf.pac_opaque_encr_key = data->pac_opaque_encr_key; | |
687 | eap_conf.eap_fast_a_id = data->eap_fast_a_id; | |
2d867244 JM |
688 | eap_conf.eap_fast_a_id_len = data->eap_fast_a_id_len; |
689 | eap_conf.eap_fast_a_id_info = data->eap_fast_a_id_info; | |
378eae5e | 690 | eap_conf.eap_fast_prov = data->eap_fast_prov; |
a11c90a6 JM |
691 | eap_conf.pac_key_lifetime = data->pac_key_lifetime; |
692 | eap_conf.pac_key_refresh_time = data->pac_key_refresh_time; | |
6fc6879b | 693 | eap_conf.eap_sim_aka_result_ind = data->eap_sim_aka_result_ind; |
c3e258ae | 694 | eap_conf.tnc = data->tnc; |
ad08c363 | 695 | eap_conf.wps = data->wps; |
df684d82 | 696 | eap_conf.pwd_group = data->pwd_group; |
67fe933d JM |
697 | eap_conf.server_id = (const u8 *) data->server_id; |
698 | eap_conf.server_id_len = os_strlen(data->server_id); | |
d3bddd8b | 699 | eap_conf.erp = data->erp; |
681e199d | 700 | eap_conf.tls_session_lifetime = data->tls_session_lifetime; |
6418400d | 701 | eap_conf.tls_flags = data->tls_flags; |
390b9291 | 702 | radius_server_testing_options(sess, &eap_conf); |
6fc6879b JM |
703 | sess->eap = eap_server_sm_init(sess, &radius_server_eapol_cb, |
704 | &eap_conf); | |
705 | if (sess->eap == NULL) { | |
706 | RADIUS_DEBUG("Failed to initialize EAP state machine for the " | |
707 | "new session"); | |
de01f254 | 708 | radius_server_session_remove(data, sess); |
6fc6879b JM |
709 | return NULL; |
710 | } | |
711 | sess->eap_if = eap_get_interface(sess->eap); | |
712 | sess->eap_if->eapRestart = TRUE; | |
713 | sess->eap_if->portEnabled = TRUE; | |
714 | ||
715 | RADIUS_DEBUG("New session 0x%x initialized", sess->sess_id); | |
716 | ||
717 | return sess; | |
718 | } | |
719 | ||
720 | ||
721 | static struct radius_msg * | |
722 | radius_server_encapsulate_eap(struct radius_server_data *data, | |
723 | struct radius_client *client, | |
724 | struct radius_session *sess, | |
725 | struct radius_msg *request) | |
726 | { | |
727 | struct radius_msg *msg; | |
728 | int code; | |
729 | unsigned int sess_id; | |
1489e11a | 730 | struct radius_hdr *hdr = radius_msg_get_hdr(request); |
f75ed556 | 731 | u16 reason = WLAN_REASON_IEEE_802_1X_AUTH_FAILED; |
6fc6879b JM |
732 | |
733 | if (sess->eap_if->eapFail) { | |
734 | sess->eap_if->eapFail = FALSE; | |
735 | code = RADIUS_CODE_ACCESS_REJECT; | |
736 | } else if (sess->eap_if->eapSuccess) { | |
737 | sess->eap_if->eapSuccess = FALSE; | |
738 | code = RADIUS_CODE_ACCESS_ACCEPT; | |
739 | } else { | |
740 | sess->eap_if->eapReq = FALSE; | |
741 | code = RADIUS_CODE_ACCESS_CHALLENGE; | |
742 | } | |
743 | ||
1489e11a | 744 | msg = radius_msg_new(code, hdr->identifier); |
6fc6879b JM |
745 | if (msg == NULL) { |
746 | RADIUS_DEBUG("Failed to allocate reply message"); | |
747 | return NULL; | |
748 | } | |
749 | ||
750 | sess_id = htonl(sess->sess_id); | |
751 | if (code == RADIUS_CODE_ACCESS_CHALLENGE && | |
752 | !radius_msg_add_attr(msg, RADIUS_ATTR_STATE, | |
753 | (u8 *) &sess_id, sizeof(sess_id))) { | |
754 | RADIUS_DEBUG("Failed to add State attribute"); | |
755 | } | |
756 | ||
757 | if (sess->eap_if->eapReqData && | |
758 | !radius_msg_add_eap(msg, wpabuf_head(sess->eap_if->eapReqData), | |
759 | wpabuf_len(sess->eap_if->eapReqData))) { | |
760 | RADIUS_DEBUG("Failed to add EAP-Message attribute"); | |
761 | } | |
762 | ||
763 | if (code == RADIUS_CODE_ACCESS_ACCEPT && sess->eap_if->eapKeyData) { | |
764 | int len; | |
505a3694 JM |
765 | #ifdef CONFIG_RADIUS_TEST |
766 | if (data->dump_msk_file) { | |
767 | FILE *f; | |
768 | char buf[2 * 64 + 1]; | |
769 | f = fopen(data->dump_msk_file, "a"); | |
770 | if (f) { | |
771 | len = sess->eap_if->eapKeyDataLen; | |
772 | if (len > 64) | |
773 | len = 64; | |
774 | len = wpa_snprintf_hex( | |
775 | buf, sizeof(buf), | |
776 | sess->eap_if->eapKeyData, len); | |
777 | buf[len] = '\0'; | |
778 | fprintf(f, "%s\n", buf); | |
779 | fclose(f); | |
780 | } | |
781 | } | |
782 | #endif /* CONFIG_RADIUS_TEST */ | |
6fc6879b JM |
783 | if (sess->eap_if->eapKeyDataLen > 64) { |
784 | len = 32; | |
785 | } else { | |
786 | len = sess->eap_if->eapKeyDataLen / 2; | |
787 | } | |
1489e11a | 788 | if (!radius_msg_add_mppe_keys(msg, hdr->authenticator, |
6fc6879b JM |
789 | (u8 *) client->shared_secret, |
790 | client->shared_secret_len, | |
791 | sess->eap_if->eapKeyData + len, | |
792 | len, sess->eap_if->eapKeyData, | |
793 | len)) { | |
794 | RADIUS_DEBUG("Failed to add MPPE key attributes"); | |
795 | } | |
796 | } | |
797 | ||
8d2a9921 JM |
798 | #ifdef CONFIG_HS20 |
799 | if (code == RADIUS_CODE_ACCESS_ACCEPT && sess->remediation && | |
800 | data->subscr_remediation_url) { | |
801 | u8 *buf; | |
802 | size_t url_len = os_strlen(data->subscr_remediation_url); | |
803 | buf = os_malloc(1 + url_len); | |
804 | if (buf == NULL) { | |
805 | radius_msg_free(msg); | |
806 | return NULL; | |
807 | } | |
808 | buf[0] = data->subscr_remediation_method; | |
809 | os_memcpy(&buf[1], data->subscr_remediation_url, url_len); | |
810 | if (!radius_msg_add_wfa( | |
811 | msg, RADIUS_VENDOR_ATTR_WFA_HS20_SUBSCR_REMEDIATION, | |
812 | buf, 1 + url_len)) { | |
813 | RADIUS_DEBUG("Failed to add WFA-HS20-SubscrRem"); | |
814 | } | |
815 | os_free(buf); | |
816 | } else if (code == RADIUS_CODE_ACCESS_ACCEPT && sess->remediation) { | |
817 | u8 buf[1]; | |
818 | if (!radius_msg_add_wfa( | |
819 | msg, RADIUS_VENDOR_ATTR_WFA_HS20_SUBSCR_REMEDIATION, | |
820 | buf, 0)) { | |
821 | RADIUS_DEBUG("Failed to add WFA-HS20-SubscrRem"); | |
822 | } | |
823 | } | |
824 | #endif /* CONFIG_HS20 */ | |
825 | ||
6fc6879b JM |
826 | if (radius_msg_copy_attr(msg, request, RADIUS_ATTR_PROXY_STATE) < 0) { |
827 | RADIUS_DEBUG("Failed to copy Proxy-State attribute(s)"); | |
828 | radius_msg_free(msg); | |
6fc6879b JM |
829 | return NULL; |
830 | } | |
831 | ||
d0ee16ed JM |
832 | if (code == RADIUS_CODE_ACCESS_ACCEPT) { |
833 | struct hostapd_radius_attr *attr; | |
834 | for (attr = sess->accept_attr; attr; attr = attr->next) { | |
835 | if (!radius_msg_add_attr(msg, attr->type, | |
836 | wpabuf_head(attr->val), | |
837 | wpabuf_len(attr->val))) { | |
838 | wpa_printf(MSG_ERROR, "Could not add RADIUS attribute"); | |
839 | radius_msg_free(msg); | |
840 | return NULL; | |
841 | } | |
842 | } | |
843 | } | |
844 | ||
f75ed556 JM |
845 | if (code == RADIUS_CODE_ACCESS_REJECT) { |
846 | if (radius_msg_add_attr_int32(msg, RADIUS_ATTR_WLAN_REASON_CODE, | |
847 | reason) < 0) { | |
848 | RADIUS_DEBUG("Failed to add WLAN-Reason-Code attribute"); | |
849 | radius_msg_free(msg); | |
850 | return NULL; | |
851 | } | |
852 | } | |
853 | ||
6fc6879b JM |
854 | if (radius_msg_finish_srv(msg, (u8 *) client->shared_secret, |
855 | client->shared_secret_len, | |
1489e11a | 856 | hdr->authenticator) < 0) { |
6fc6879b JM |
857 | RADIUS_DEBUG("Failed to add Message-Authenticator attribute"); |
858 | } | |
859 | ||
860 | return msg; | |
861 | } | |
862 | ||
863 | ||
8943cc99 JM |
864 | static struct radius_msg * |
865 | radius_server_macacl(struct radius_server_data *data, | |
866 | struct radius_client *client, | |
867 | struct radius_session *sess, | |
868 | struct radius_msg *request) | |
869 | { | |
870 | struct radius_msg *msg; | |
871 | int code; | |
872 | struct radius_hdr *hdr = radius_msg_get_hdr(request); | |
873 | u8 *pw; | |
874 | size_t pw_len; | |
875 | ||
876 | code = RADIUS_CODE_ACCESS_ACCEPT; | |
877 | ||
878 | if (radius_msg_get_attr_ptr(request, RADIUS_ATTR_USER_PASSWORD, &pw, | |
879 | &pw_len, NULL) < 0) { | |
880 | RADIUS_DEBUG("Could not get User-Password"); | |
881 | code = RADIUS_CODE_ACCESS_REJECT; | |
882 | } else { | |
883 | int res; | |
884 | struct eap_user tmp; | |
885 | ||
886 | os_memset(&tmp, 0, sizeof(tmp)); | |
887 | res = data->get_eap_user(data->conf_ctx, (u8 *) sess->username, | |
888 | os_strlen(sess->username), 0, &tmp); | |
889 | if (res || !tmp.macacl || tmp.password == NULL) { | |
890 | RADIUS_DEBUG("No MAC ACL user entry"); | |
b7175b4d | 891 | bin_clear_free(tmp.password, tmp.password_len); |
8943cc99 JM |
892 | code = RADIUS_CODE_ACCESS_REJECT; |
893 | } else { | |
894 | u8 buf[128]; | |
895 | res = radius_user_password_hide( | |
896 | request, tmp.password, tmp.password_len, | |
897 | (u8 *) client->shared_secret, | |
898 | client->shared_secret_len, | |
899 | buf, sizeof(buf)); | |
b7175b4d | 900 | bin_clear_free(tmp.password, tmp.password_len); |
8943cc99 JM |
901 | |
902 | if (res < 0 || pw_len != (size_t) res || | |
c2371953 | 903 | os_memcmp_const(pw, buf, res) != 0) { |
8943cc99 JM |
904 | RADIUS_DEBUG("Incorrect User-Password"); |
905 | code = RADIUS_CODE_ACCESS_REJECT; | |
906 | } | |
907 | } | |
908 | } | |
909 | ||
910 | msg = radius_msg_new(code, hdr->identifier); | |
911 | if (msg == NULL) { | |
912 | RADIUS_DEBUG("Failed to allocate reply message"); | |
913 | return NULL; | |
914 | } | |
915 | ||
916 | if (radius_msg_copy_attr(msg, request, RADIUS_ATTR_PROXY_STATE) < 0) { | |
917 | RADIUS_DEBUG("Failed to copy Proxy-State attribute(s)"); | |
918 | radius_msg_free(msg); | |
919 | return NULL; | |
920 | } | |
921 | ||
922 | if (code == RADIUS_CODE_ACCESS_ACCEPT) { | |
923 | struct hostapd_radius_attr *attr; | |
924 | for (attr = sess->accept_attr; attr; attr = attr->next) { | |
925 | if (!radius_msg_add_attr(msg, attr->type, | |
926 | wpabuf_head(attr->val), | |
927 | wpabuf_len(attr->val))) { | |
928 | wpa_printf(MSG_ERROR, "Could not add RADIUS attribute"); | |
929 | radius_msg_free(msg); | |
930 | return NULL; | |
931 | } | |
932 | } | |
933 | } | |
934 | ||
935 | if (radius_msg_finish_srv(msg, (u8 *) client->shared_secret, | |
936 | client->shared_secret_len, | |
937 | hdr->authenticator) < 0) { | |
938 | RADIUS_DEBUG("Failed to add Message-Authenticator attribute"); | |
939 | } | |
940 | ||
941 | return msg; | |
942 | } | |
943 | ||
944 | ||
6fc6879b JM |
945 | static int radius_server_reject(struct radius_server_data *data, |
946 | struct radius_client *client, | |
947 | struct radius_msg *request, | |
948 | struct sockaddr *from, socklen_t fromlen, | |
949 | const char *from_addr, int from_port) | |
950 | { | |
951 | struct radius_msg *msg; | |
952 | int ret = 0; | |
953 | struct eap_hdr eapfail; | |
1489e11a JM |
954 | struct wpabuf *buf; |
955 | struct radius_hdr *hdr = radius_msg_get_hdr(request); | |
6fc6879b JM |
956 | |
957 | RADIUS_DEBUG("Reject invalid request from %s:%d", | |
958 | from_addr, from_port); | |
959 | ||
1489e11a | 960 | msg = radius_msg_new(RADIUS_CODE_ACCESS_REJECT, hdr->identifier); |
6fc6879b JM |
961 | if (msg == NULL) { |
962 | return -1; | |
963 | } | |
964 | ||
965 | os_memset(&eapfail, 0, sizeof(eapfail)); | |
966 | eapfail.code = EAP_CODE_FAILURE; | |
967 | eapfail.identifier = 0; | |
968 | eapfail.length = host_to_be16(sizeof(eapfail)); | |
969 | ||
970 | if (!radius_msg_add_eap(msg, (u8 *) &eapfail, sizeof(eapfail))) { | |
971 | RADIUS_DEBUG("Failed to add EAP-Message attribute"); | |
972 | } | |
973 | ||
974 | if (radius_msg_copy_attr(msg, request, RADIUS_ATTR_PROXY_STATE) < 0) { | |
975 | RADIUS_DEBUG("Failed to copy Proxy-State attribute(s)"); | |
976 | radius_msg_free(msg); | |
6fc6879b JM |
977 | return -1; |
978 | } | |
979 | ||
980 | if (radius_msg_finish_srv(msg, (u8 *) client->shared_secret, | |
981 | client->shared_secret_len, | |
1489e11a JM |
982 | hdr->authenticator) < |
983 | 0) { | |
6fc6879b JM |
984 | RADIUS_DEBUG("Failed to add Message-Authenticator attribute"); |
985 | } | |
986 | ||
987 | if (wpa_debug_level <= MSG_MSGDUMP) { | |
988 | radius_msg_dump(msg); | |
989 | } | |
990 | ||
991 | data->counters.access_rejects++; | |
992 | client->counters.access_rejects++; | |
1489e11a JM |
993 | buf = radius_msg_get_buf(msg); |
994 | if (sendto(data->auth_sock, wpabuf_head(buf), wpabuf_len(buf), 0, | |
6fc6879b | 995 | (struct sockaddr *) from, sizeof(*from)) < 0) { |
61323e70 | 996 | wpa_printf(MSG_INFO, "sendto[RADIUS SRV]: %s", strerror(errno)); |
6fc6879b JM |
997 | ret = -1; |
998 | } | |
999 | ||
1000 | radius_msg_free(msg); | |
6fc6879b JM |
1001 | |
1002 | return ret; | |
1003 | } | |
1004 | ||
1005 | ||
1006 | static int radius_server_request(struct radius_server_data *data, | |
1007 | struct radius_msg *msg, | |
1008 | struct sockaddr *from, socklen_t fromlen, | |
1009 | struct radius_client *client, | |
1010 | const char *from_addr, int from_port, | |
1011 | struct radius_session *force_sess) | |
1012 | { | |
e100828b | 1013 | struct wpabuf *eap = NULL; |
6fc6879b JM |
1014 | int res, state_included = 0; |
1015 | u8 statebuf[4]; | |
1016 | unsigned int state; | |
1017 | struct radius_session *sess; | |
1018 | struct radius_msg *reply; | |
7598210b | 1019 | int is_complete = 0; |
6fc6879b JM |
1020 | |
1021 | if (force_sess) | |
1022 | sess = force_sess; | |
1023 | else { | |
1024 | res = radius_msg_get_attr(msg, RADIUS_ATTR_STATE, statebuf, | |
1025 | sizeof(statebuf)); | |
1026 | state_included = res >= 0; | |
1027 | if (res == sizeof(statebuf)) { | |
1028 | state = WPA_GET_BE32(statebuf); | |
1029 | sess = radius_server_get_session(client, state); | |
1030 | } else { | |
1031 | sess = NULL; | |
1032 | } | |
1033 | } | |
1034 | ||
1035 | if (sess) { | |
1036 | RADIUS_DEBUG("Request for session 0x%x", sess->sess_id); | |
1037 | } else if (state_included) { | |
1038 | RADIUS_DEBUG("State attribute included but no session found"); | |
1039 | radius_server_reject(data, client, msg, from, fromlen, | |
1040 | from_addr, from_port); | |
1041 | return -1; | |
1042 | } else { | |
8a57da7e JM |
1043 | sess = radius_server_get_new_session(data, client, msg, |
1044 | from_addr); | |
6fc6879b JM |
1045 | if (sess == NULL) { |
1046 | RADIUS_DEBUG("Could not create a new session"); | |
1047 | radius_server_reject(data, client, msg, from, fromlen, | |
1048 | from_addr, from_port); | |
1049 | return -1; | |
1050 | } | |
1051 | } | |
1052 | ||
1053 | if (sess->last_from_port == from_port && | |
1489e11a JM |
1054 | sess->last_identifier == radius_msg_get_hdr(msg)->identifier && |
1055 | os_memcmp(sess->last_authenticator, | |
1056 | radius_msg_get_hdr(msg)->authenticator, 16) == 0) { | |
6fc6879b JM |
1057 | RADIUS_DEBUG("Duplicate message from %s", from_addr); |
1058 | data->counters.dup_access_requests++; | |
1059 | client->counters.dup_access_requests++; | |
1060 | ||
1061 | if (sess->last_reply) { | |
1489e11a JM |
1062 | struct wpabuf *buf; |
1063 | buf = radius_msg_get_buf(sess->last_reply); | |
1064 | res = sendto(data->auth_sock, wpabuf_head(buf), | |
1065 | wpabuf_len(buf), 0, | |
6fc6879b JM |
1066 | (struct sockaddr *) from, fromlen); |
1067 | if (res < 0) { | |
61323e70 JM |
1068 | wpa_printf(MSG_INFO, "sendto[RADIUS SRV]: %s", |
1069 | strerror(errno)); | |
6fc6879b JM |
1070 | } |
1071 | return 0; | |
1072 | } | |
1073 | ||
1074 | RADIUS_DEBUG("No previous reply available for duplicate " | |
1075 | "message"); | |
1076 | return -1; | |
1077 | } | |
95de34a1 | 1078 | |
e100828b | 1079 | eap = radius_msg_get_eap(msg); |
8943cc99 JM |
1080 | if (eap == NULL && sess->macacl) { |
1081 | reply = radius_server_macacl(data, client, sess, msg); | |
1082 | if (reply == NULL) | |
1083 | return -1; | |
1084 | goto send_reply; | |
1085 | } | |
6fc6879b JM |
1086 | if (eap == NULL) { |
1087 | RADIUS_DEBUG("No EAP-Message in RADIUS packet from %s", | |
1088 | from_addr); | |
1089 | data->counters.packets_dropped++; | |
1090 | client->counters.packets_dropped++; | |
1091 | return -1; | |
1092 | } | |
1093 | ||
e100828b | 1094 | RADIUS_DUMP("Received EAP data", wpabuf_head(eap), wpabuf_len(eap)); |
6fc6879b JM |
1095 | |
1096 | /* FIX: if Code is Request, Success, or Failure, send Access-Reject; | |
1097 | * RFC3579 Sect. 2.6.2. | |
1098 | * Include EAP-Response/Nak with no preferred method if | |
1099 | * code == request. | |
1100 | * If code is not 1-4, discard the packet silently. | |
1101 | * Or is this already done by the EAP state machine? */ | |
1102 | ||
1103 | wpabuf_free(sess->eap_if->eapRespData); | |
e100828b | 1104 | sess->eap_if->eapRespData = eap; |
6fc6879b JM |
1105 | sess->eap_if->eapResp = TRUE; |
1106 | eap_server_sm_step(sess->eap); | |
1107 | ||
1108 | if ((sess->eap_if->eapReq || sess->eap_if->eapSuccess || | |
1109 | sess->eap_if->eapFail) && sess->eap_if->eapReqData) { | |
1110 | RADIUS_DUMP("EAP data from the state machine", | |
1111 | wpabuf_head(sess->eap_if->eapReqData), | |
1112 | wpabuf_len(sess->eap_if->eapReqData)); | |
1113 | } else if (sess->eap_if->eapFail) { | |
1114 | RADIUS_DEBUG("No EAP data from the state machine, but eapFail " | |
1115 | "set"); | |
1116 | } else if (eap_sm_method_pending(sess->eap)) { | |
9e7245bd | 1117 | radius_msg_free(sess->last_msg); |
6fc6879b JM |
1118 | sess->last_msg = msg; |
1119 | sess->last_from_port = from_port; | |
1120 | os_free(sess->last_from_addr); | |
1121 | sess->last_from_addr = os_strdup(from_addr); | |
1122 | sess->last_fromlen = fromlen; | |
1123 | os_memcpy(&sess->last_from, from, fromlen); | |
1124 | return -2; | |
1125 | } else { | |
1126 | RADIUS_DEBUG("No EAP data from the state machine - ignore this" | |
1127 | " Access-Request silently (assuming it was a " | |
1128 | "duplicate)"); | |
1129 | data->counters.packets_dropped++; | |
1130 | client->counters.packets_dropped++; | |
1131 | return -1; | |
1132 | } | |
1133 | ||
7598210b AB |
1134 | if (sess->eap_if->eapSuccess || sess->eap_if->eapFail) |
1135 | is_complete = 1; | |
8a57da7e JM |
1136 | if (sess->eap_if->eapFail) |
1137 | srv_log(sess, "EAP authentication failed"); | |
1138 | else if (sess->eap_if->eapSuccess) | |
1139 | srv_log(sess, "EAP authentication succeeded"); | |
7598210b | 1140 | |
6fc6879b JM |
1141 | reply = radius_server_encapsulate_eap(data, client, sess, msg); |
1142 | ||
8943cc99 | 1143 | send_reply: |
6fc6879b | 1144 | if (reply) { |
1489e11a JM |
1145 | struct wpabuf *buf; |
1146 | struct radius_hdr *hdr; | |
1147 | ||
6fc6879b JM |
1148 | RADIUS_DEBUG("Reply to %s:%d", from_addr, from_port); |
1149 | if (wpa_debug_level <= MSG_MSGDUMP) { | |
1150 | radius_msg_dump(reply); | |
1151 | } | |
1152 | ||
1489e11a | 1153 | switch (radius_msg_get_hdr(reply)->code) { |
6fc6879b | 1154 | case RADIUS_CODE_ACCESS_ACCEPT: |
8a57da7e | 1155 | srv_log(sess, "Sending Access-Accept"); |
6fc6879b JM |
1156 | data->counters.access_accepts++; |
1157 | client->counters.access_accepts++; | |
1158 | break; | |
1159 | case RADIUS_CODE_ACCESS_REJECT: | |
8a57da7e | 1160 | srv_log(sess, "Sending Access-Reject"); |
6fc6879b JM |
1161 | data->counters.access_rejects++; |
1162 | client->counters.access_rejects++; | |
1163 | break; | |
1164 | case RADIUS_CODE_ACCESS_CHALLENGE: | |
1165 | data->counters.access_challenges++; | |
1166 | client->counters.access_challenges++; | |
1167 | break; | |
1168 | } | |
1489e11a JM |
1169 | buf = radius_msg_get_buf(reply); |
1170 | res = sendto(data->auth_sock, wpabuf_head(buf), | |
1171 | wpabuf_len(buf), 0, | |
6fc6879b JM |
1172 | (struct sockaddr *) from, fromlen); |
1173 | if (res < 0) { | |
61323e70 JM |
1174 | wpa_printf(MSG_INFO, "sendto[RADIUS SRV]: %s", |
1175 | strerror(errno)); | |
6fc6879b | 1176 | } |
9e7245bd | 1177 | radius_msg_free(sess->last_reply); |
6fc6879b JM |
1178 | sess->last_reply = reply; |
1179 | sess->last_from_port = from_port; | |
1489e11a JM |
1180 | hdr = radius_msg_get_hdr(msg); |
1181 | sess->last_identifier = hdr->identifier; | |
1182 | os_memcpy(sess->last_authenticator, hdr->authenticator, 16); | |
6fc6879b JM |
1183 | } else { |
1184 | data->counters.packets_dropped++; | |
1185 | client->counters.packets_dropped++; | |
1186 | } | |
1187 | ||
7598210b | 1188 | if (is_complete) { |
6fc6879b JM |
1189 | RADIUS_DEBUG("Removing completed session 0x%x after timeout", |
1190 | sess->sess_id); | |
1191 | eloop_cancel_timeout(radius_server_session_remove_timeout, | |
1192 | data, sess); | |
35677305 | 1193 | eloop_register_timeout(RADIUS_SESSION_MAINTAIN, 0, |
6fc6879b JM |
1194 | radius_server_session_remove_timeout, |
1195 | data, sess); | |
1196 | } | |
1197 | ||
1198 | return 0; | |
1199 | } | |
1200 | ||
1201 | ||
1202 | static void radius_server_receive_auth(int sock, void *eloop_ctx, | |
1203 | void *sock_ctx) | |
1204 | { | |
1205 | struct radius_server_data *data = eloop_ctx; | |
1206 | u8 *buf = NULL; | |
5a641ae0 JM |
1207 | union { |
1208 | struct sockaddr_storage ss; | |
1209 | struct sockaddr_in sin; | |
1210 | #ifdef CONFIG_IPV6 | |
1211 | struct sockaddr_in6 sin6; | |
1212 | #endif /* CONFIG_IPV6 */ | |
1213 | } from; | |
6fc6879b JM |
1214 | socklen_t fromlen; |
1215 | int len; | |
1216 | struct radius_client *client = NULL; | |
1217 | struct radius_msg *msg = NULL; | |
1218 | char abuf[50]; | |
1219 | int from_port = 0; | |
1220 | ||
1221 | buf = os_malloc(RADIUS_MAX_MSG_LEN); | |
1222 | if (buf == NULL) { | |
1223 | goto fail; | |
1224 | } | |
1225 | ||
1226 | fromlen = sizeof(from); | |
1227 | len = recvfrom(sock, buf, RADIUS_MAX_MSG_LEN, 0, | |
5a641ae0 | 1228 | (struct sockaddr *) &from.ss, &fromlen); |
6fc6879b | 1229 | if (len < 0) { |
61323e70 JM |
1230 | wpa_printf(MSG_INFO, "recvfrom[radius_server]: %s", |
1231 | strerror(errno)); | |
6fc6879b JM |
1232 | goto fail; |
1233 | } | |
1234 | ||
1235 | #ifdef CONFIG_IPV6 | |
1236 | if (data->ipv6) { | |
5a641ae0 JM |
1237 | if (inet_ntop(AF_INET6, &from.sin6.sin6_addr, abuf, |
1238 | sizeof(abuf)) == NULL) | |
6fc6879b | 1239 | abuf[0] = '\0'; |
5a641ae0 | 1240 | from_port = ntohs(from.sin6.sin6_port); |
6fc6879b JM |
1241 | RADIUS_DEBUG("Received %d bytes from %s:%d", |
1242 | len, abuf, from_port); | |
1243 | ||
1244 | client = radius_server_get_client(data, | |
1245 | (struct in_addr *) | |
5a641ae0 | 1246 | &from.sin6.sin6_addr, 1); |
6fc6879b JM |
1247 | } |
1248 | #endif /* CONFIG_IPV6 */ | |
1249 | ||
1250 | if (!data->ipv6) { | |
5a641ae0 JM |
1251 | os_strlcpy(abuf, inet_ntoa(from.sin.sin_addr), sizeof(abuf)); |
1252 | from_port = ntohs(from.sin.sin_port); | |
6fc6879b JM |
1253 | RADIUS_DEBUG("Received %d bytes from %s:%d", |
1254 | len, abuf, from_port); | |
1255 | ||
5a641ae0 | 1256 | client = radius_server_get_client(data, &from.sin.sin_addr, 0); |
6fc6879b JM |
1257 | } |
1258 | ||
1259 | RADIUS_DUMP("Received data", buf, len); | |
1260 | ||
1261 | if (client == NULL) { | |
1262 | RADIUS_DEBUG("Unknown client %s - packet ignored", abuf); | |
1263 | data->counters.invalid_requests++; | |
1264 | goto fail; | |
1265 | } | |
1266 | ||
1267 | msg = radius_msg_parse(buf, len); | |
1268 | if (msg == NULL) { | |
1269 | RADIUS_DEBUG("Parsing incoming RADIUS frame failed"); | |
1270 | data->counters.malformed_access_requests++; | |
1271 | client->counters.malformed_access_requests++; | |
1272 | goto fail; | |
1273 | } | |
1274 | ||
1275 | os_free(buf); | |
1276 | buf = NULL; | |
1277 | ||
1278 | if (wpa_debug_level <= MSG_MSGDUMP) { | |
1279 | radius_msg_dump(msg); | |
1280 | } | |
1281 | ||
1489e11a JM |
1282 | if (radius_msg_get_hdr(msg)->code != RADIUS_CODE_ACCESS_REQUEST) { |
1283 | RADIUS_DEBUG("Unexpected RADIUS code %d", | |
1284 | radius_msg_get_hdr(msg)->code); | |
6fc6879b JM |
1285 | data->counters.unknown_types++; |
1286 | client->counters.unknown_types++; | |
1287 | goto fail; | |
1288 | } | |
1289 | ||
1290 | data->counters.access_requests++; | |
1291 | client->counters.access_requests++; | |
1292 | ||
1293 | if (radius_msg_verify_msg_auth(msg, (u8 *) client->shared_secret, | |
1294 | client->shared_secret_len, NULL)) { | |
1295 | RADIUS_DEBUG("Invalid Message-Authenticator from %s", abuf); | |
1296 | data->counters.bad_authenticators++; | |
1297 | client->counters.bad_authenticators++; | |
1298 | goto fail; | |
1299 | } | |
1300 | ||
1301 | if (radius_server_request(data, msg, (struct sockaddr *) &from, | |
1302 | fromlen, client, abuf, from_port, NULL) == | |
1303 | -2) | |
1304 | return; /* msg was stored with the session */ | |
1305 | ||
1306 | fail: | |
9e7245bd | 1307 | radius_msg_free(msg); |
6fc6879b JM |
1308 | os_free(buf); |
1309 | } | |
1310 | ||
1311 | ||
a1dd890a JM |
1312 | static void radius_server_receive_acct(int sock, void *eloop_ctx, |
1313 | void *sock_ctx) | |
1314 | { | |
1315 | struct radius_server_data *data = eloop_ctx; | |
1316 | u8 *buf = NULL; | |
1317 | union { | |
1318 | struct sockaddr_storage ss; | |
1319 | struct sockaddr_in sin; | |
1320 | #ifdef CONFIG_IPV6 | |
1321 | struct sockaddr_in6 sin6; | |
1322 | #endif /* CONFIG_IPV6 */ | |
1323 | } from; | |
1324 | socklen_t fromlen; | |
1325 | int len, res; | |
1326 | struct radius_client *client = NULL; | |
1327 | struct radius_msg *msg = NULL, *resp = NULL; | |
1328 | char abuf[50]; | |
1329 | int from_port = 0; | |
1330 | struct radius_hdr *hdr; | |
1331 | struct wpabuf *rbuf; | |
1332 | ||
1333 | buf = os_malloc(RADIUS_MAX_MSG_LEN); | |
1334 | if (buf == NULL) { | |
1335 | goto fail; | |
1336 | } | |
1337 | ||
1338 | fromlen = sizeof(from); | |
1339 | len = recvfrom(sock, buf, RADIUS_MAX_MSG_LEN, 0, | |
1340 | (struct sockaddr *) &from.ss, &fromlen); | |
1341 | if (len < 0) { | |
1342 | wpa_printf(MSG_INFO, "recvfrom[radius_server]: %s", | |
1343 | strerror(errno)); | |
1344 | goto fail; | |
1345 | } | |
1346 | ||
1347 | #ifdef CONFIG_IPV6 | |
1348 | if (data->ipv6) { | |
1349 | if (inet_ntop(AF_INET6, &from.sin6.sin6_addr, abuf, | |
1350 | sizeof(abuf)) == NULL) | |
1351 | abuf[0] = '\0'; | |
1352 | from_port = ntohs(from.sin6.sin6_port); | |
1353 | RADIUS_DEBUG("Received %d bytes from %s:%d", | |
1354 | len, abuf, from_port); | |
1355 | ||
1356 | client = radius_server_get_client(data, | |
1357 | (struct in_addr *) | |
1358 | &from.sin6.sin6_addr, 1); | |
1359 | } | |
1360 | #endif /* CONFIG_IPV6 */ | |
1361 | ||
1362 | if (!data->ipv6) { | |
1363 | os_strlcpy(abuf, inet_ntoa(from.sin.sin_addr), sizeof(abuf)); | |
1364 | from_port = ntohs(from.sin.sin_port); | |
1365 | RADIUS_DEBUG("Received %d bytes from %s:%d", | |
1366 | len, abuf, from_port); | |
1367 | ||
1368 | client = radius_server_get_client(data, &from.sin.sin_addr, 0); | |
1369 | } | |
1370 | ||
1371 | RADIUS_DUMP("Received data", buf, len); | |
1372 | ||
1373 | if (client == NULL) { | |
1374 | RADIUS_DEBUG("Unknown client %s - packet ignored", abuf); | |
1375 | data->counters.invalid_acct_requests++; | |
1376 | goto fail; | |
1377 | } | |
1378 | ||
1379 | msg = radius_msg_parse(buf, len); | |
1380 | if (msg == NULL) { | |
1381 | RADIUS_DEBUG("Parsing incoming RADIUS frame failed"); | |
1382 | data->counters.malformed_acct_requests++; | |
1383 | client->counters.malformed_acct_requests++; | |
1384 | goto fail; | |
1385 | } | |
1386 | ||
1387 | os_free(buf); | |
1388 | buf = NULL; | |
1389 | ||
1390 | if (wpa_debug_level <= MSG_MSGDUMP) { | |
1391 | radius_msg_dump(msg); | |
1392 | } | |
1393 | ||
1394 | if (radius_msg_get_hdr(msg)->code != RADIUS_CODE_ACCOUNTING_REQUEST) { | |
1395 | RADIUS_DEBUG("Unexpected RADIUS code %d", | |
1396 | radius_msg_get_hdr(msg)->code); | |
1397 | data->counters.unknown_acct_types++; | |
1398 | client->counters.unknown_acct_types++; | |
1399 | goto fail; | |
1400 | } | |
1401 | ||
1402 | data->counters.acct_requests++; | |
1403 | client->counters.acct_requests++; | |
1404 | ||
1405 | if (radius_msg_verify_acct_req(msg, (u8 *) client->shared_secret, | |
1406 | client->shared_secret_len)) { | |
1407 | RADIUS_DEBUG("Invalid Authenticator from %s", abuf); | |
1408 | data->counters.acct_bad_authenticators++; | |
1409 | client->counters.acct_bad_authenticators++; | |
1410 | goto fail; | |
1411 | } | |
1412 | ||
1413 | /* TODO: Write accounting information to a file or database */ | |
1414 | ||
1415 | hdr = radius_msg_get_hdr(msg); | |
1416 | ||
1417 | resp = radius_msg_new(RADIUS_CODE_ACCOUNTING_RESPONSE, hdr->identifier); | |
1418 | if (resp == NULL) | |
1419 | goto fail; | |
1420 | ||
1421 | radius_msg_finish_acct_resp(resp, (u8 *) client->shared_secret, | |
1422 | client->shared_secret_len, | |
1423 | hdr->authenticator); | |
1424 | ||
1425 | RADIUS_DEBUG("Reply to %s:%d", abuf, from_port); | |
1426 | if (wpa_debug_level <= MSG_MSGDUMP) { | |
1427 | radius_msg_dump(resp); | |
1428 | } | |
1429 | rbuf = radius_msg_get_buf(resp); | |
1430 | data->counters.acct_responses++; | |
1431 | client->counters.acct_responses++; | |
1432 | res = sendto(data->acct_sock, wpabuf_head(rbuf), wpabuf_len(rbuf), 0, | |
1433 | (struct sockaddr *) &from.ss, fromlen); | |
1434 | if (res < 0) { | |
1435 | wpa_printf(MSG_INFO, "sendto[RADIUS SRV]: %s", | |
1436 | strerror(errno)); | |
1437 | } | |
1438 | ||
1439 | fail: | |
1440 | radius_msg_free(resp); | |
1441 | radius_msg_free(msg); | |
1442 | os_free(buf); | |
1443 | } | |
1444 | ||
1445 | ||
5cd89c26 JM |
1446 | static int radius_server_disable_pmtu_discovery(int s) |
1447 | { | |
1448 | int r = -1; | |
1449 | #if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT) | |
1450 | /* Turn off Path MTU discovery on IPv4/UDP sockets. */ | |
1451 | int action = IP_PMTUDISC_DONT; | |
1452 | r = setsockopt(s, IPPROTO_IP, IP_MTU_DISCOVER, &action, | |
1453 | sizeof(action)); | |
1454 | if (r == -1) | |
1455 | wpa_printf(MSG_ERROR, "Failed to set IP_MTU_DISCOVER: " | |
1456 | "%s", strerror(errno)); | |
1457 | #endif | |
1458 | return r; | |
1459 | } | |
1460 | ||
1461 | ||
6fc6879b JM |
1462 | static int radius_server_open_socket(int port) |
1463 | { | |
1464 | int s; | |
1465 | struct sockaddr_in addr; | |
1466 | ||
1467 | s = socket(PF_INET, SOCK_DGRAM, 0); | |
1468 | if (s < 0) { | |
61323e70 | 1469 | wpa_printf(MSG_INFO, "RADIUS: socket: %s", strerror(errno)); |
6fc6879b JM |
1470 | return -1; |
1471 | } | |
1472 | ||
5cd89c26 JM |
1473 | radius_server_disable_pmtu_discovery(s); |
1474 | ||
6fc6879b JM |
1475 | os_memset(&addr, 0, sizeof(addr)); |
1476 | addr.sin_family = AF_INET; | |
1477 | addr.sin_port = htons(port); | |
1478 | if (bind(s, (struct sockaddr *) &addr, sizeof(addr)) < 0) { | |
61323e70 | 1479 | wpa_printf(MSG_INFO, "RADIUS: bind: %s", strerror(errno)); |
6fc6879b JM |
1480 | close(s); |
1481 | return -1; | |
1482 | } | |
1483 | ||
1484 | return s; | |
1485 | } | |
1486 | ||
1487 | ||
1488 | #ifdef CONFIG_IPV6 | |
1489 | static int radius_server_open_socket6(int port) | |
1490 | { | |
1491 | int s; | |
1492 | struct sockaddr_in6 addr; | |
1493 | ||
1494 | s = socket(PF_INET6, SOCK_DGRAM, 0); | |
1495 | if (s < 0) { | |
61323e70 JM |
1496 | wpa_printf(MSG_INFO, "RADIUS: socket[IPv6]: %s", |
1497 | strerror(errno)); | |
6fc6879b JM |
1498 | return -1; |
1499 | } | |
1500 | ||
1501 | os_memset(&addr, 0, sizeof(addr)); | |
1502 | addr.sin6_family = AF_INET6; | |
1503 | os_memcpy(&addr.sin6_addr, &in6addr_any, sizeof(in6addr_any)); | |
1504 | addr.sin6_port = htons(port); | |
1505 | if (bind(s, (struct sockaddr *) &addr, sizeof(addr)) < 0) { | |
61323e70 | 1506 | wpa_printf(MSG_INFO, "RADIUS: bind: %s", strerror(errno)); |
6fc6879b JM |
1507 | close(s); |
1508 | return -1; | |
1509 | } | |
1510 | ||
1511 | return s; | |
1512 | } | |
1513 | #endif /* CONFIG_IPV6 */ | |
1514 | ||
1515 | ||
1516 | static void radius_server_free_sessions(struct radius_server_data *data, | |
1517 | struct radius_session *sessions) | |
1518 | { | |
1519 | struct radius_session *session, *prev; | |
1520 | ||
1521 | session = sessions; | |
1522 | while (session) { | |
1523 | prev = session; | |
1524 | session = session->next; | |
1525 | radius_server_session_free(data, prev); | |
1526 | } | |
1527 | } | |
1528 | ||
1529 | ||
1530 | static void radius_server_free_clients(struct radius_server_data *data, | |
1531 | struct radius_client *clients) | |
1532 | { | |
1533 | struct radius_client *client, *prev; | |
1534 | ||
1535 | client = clients; | |
1536 | while (client) { | |
1537 | prev = client; | |
1538 | client = client->next; | |
1539 | ||
1540 | radius_server_free_sessions(data, prev->sessions); | |
1541 | os_free(prev->shared_secret); | |
1542 | os_free(prev); | |
1543 | } | |
1544 | } | |
1545 | ||
1546 | ||
1547 | static struct radius_client * | |
1548 | radius_server_read_clients(const char *client_file, int ipv6) | |
1549 | { | |
1550 | FILE *f; | |
1551 | const int buf_size = 1024; | |
1552 | char *buf, *pos; | |
1553 | struct radius_client *clients, *tail, *entry; | |
1554 | int line = 0, mask, failed = 0, i; | |
1555 | struct in_addr addr; | |
1556 | #ifdef CONFIG_IPV6 | |
1557 | struct in6_addr addr6; | |
1558 | #endif /* CONFIG_IPV6 */ | |
1559 | unsigned int val; | |
1560 | ||
1561 | f = fopen(client_file, "r"); | |
1562 | if (f == NULL) { | |
1563 | RADIUS_ERROR("Could not open client file '%s'", client_file); | |
1564 | return NULL; | |
1565 | } | |
1566 | ||
1567 | buf = os_malloc(buf_size); | |
1568 | if (buf == NULL) { | |
1569 | fclose(f); | |
1570 | return NULL; | |
1571 | } | |
1572 | ||
1573 | clients = tail = NULL; | |
1574 | while (fgets(buf, buf_size, f)) { | |
1575 | /* Configuration file format: | |
1576 | * 192.168.1.0/24 secret | |
1577 | * 192.168.1.2 secret | |
1578 | * fe80::211:22ff:fe33:4455/64 secretipv6 | |
1579 | */ | |
1580 | line++; | |
1581 | buf[buf_size - 1] = '\0'; | |
1582 | pos = buf; | |
1583 | while (*pos != '\0' && *pos != '\n') | |
1584 | pos++; | |
1585 | if (*pos == '\n') | |
1586 | *pos = '\0'; | |
1587 | if (*buf == '\0' || *buf == '#') | |
1588 | continue; | |
1589 | ||
1590 | pos = buf; | |
1591 | while ((*pos >= '0' && *pos <= '9') || *pos == '.' || | |
1592 | (*pos >= 'a' && *pos <= 'f') || *pos == ':' || | |
1593 | (*pos >= 'A' && *pos <= 'F')) { | |
1594 | pos++; | |
1595 | } | |
1596 | ||
1597 | if (*pos == '\0') { | |
1598 | failed = 1; | |
1599 | break; | |
1600 | } | |
1601 | ||
1602 | if (*pos == '/') { | |
1603 | char *end; | |
1604 | *pos++ = '\0'; | |
1605 | mask = strtol(pos, &end, 10); | |
1606 | if ((pos == end) || | |
1607 | (mask < 0 || mask > (ipv6 ? 128 : 32))) { | |
1608 | failed = 1; | |
1609 | break; | |
1610 | } | |
1611 | pos = end; | |
1612 | } else { | |
1613 | mask = ipv6 ? 128 : 32; | |
1614 | *pos++ = '\0'; | |
1615 | } | |
1616 | ||
1617 | if (!ipv6 && inet_aton(buf, &addr) == 0) { | |
1618 | failed = 1; | |
1619 | break; | |
1620 | } | |
1621 | #ifdef CONFIG_IPV6 | |
1622 | if (ipv6 && inet_pton(AF_INET6, buf, &addr6) <= 0) { | |
1623 | if (inet_pton(AF_INET, buf, &addr) <= 0) { | |
1624 | failed = 1; | |
1625 | break; | |
1626 | } | |
1627 | /* Convert IPv4 address to IPv6 */ | |
1628 | if (mask <= 32) | |
1629 | mask += (128 - 32); | |
1630 | os_memset(addr6.s6_addr, 0, 10); | |
1631 | addr6.s6_addr[10] = 0xff; | |
1632 | addr6.s6_addr[11] = 0xff; | |
1633 | os_memcpy(addr6.s6_addr + 12, (char *) &addr.s_addr, | |
1634 | 4); | |
1635 | } | |
1636 | #endif /* CONFIG_IPV6 */ | |
1637 | ||
1638 | while (*pos == ' ' || *pos == '\t') { | |
1639 | pos++; | |
1640 | } | |
1641 | ||
1642 | if (*pos == '\0') { | |
1643 | failed = 1; | |
1644 | break; | |
1645 | } | |
1646 | ||
1647 | entry = os_zalloc(sizeof(*entry)); | |
1648 | if (entry == NULL) { | |
1649 | failed = 1; | |
1650 | break; | |
1651 | } | |
1652 | entry->shared_secret = os_strdup(pos); | |
1653 | if (entry->shared_secret == NULL) { | |
1654 | failed = 1; | |
1655 | os_free(entry); | |
1656 | break; | |
1657 | } | |
1658 | entry->shared_secret_len = os_strlen(entry->shared_secret); | |
6fc6879b | 1659 | if (!ipv6) { |
77381639 | 1660 | entry->addr.s_addr = addr.s_addr; |
6fc6879b JM |
1661 | val = 0; |
1662 | for (i = 0; i < mask; i++) | |
1663 | val |= 1 << (31 - i); | |
1664 | entry->mask.s_addr = htonl(val); | |
1665 | } | |
1666 | #ifdef CONFIG_IPV6 | |
1667 | if (ipv6) { | |
1668 | int offset = mask / 8; | |
1669 | ||
1670 | os_memcpy(entry->addr6.s6_addr, addr6.s6_addr, 16); | |
1671 | os_memset(entry->mask6.s6_addr, 0xff, offset); | |
1672 | val = 0; | |
1673 | for (i = 0; i < (mask % 8); i++) | |
1674 | val |= 1 << (7 - i); | |
1675 | if (offset < 16) | |
1676 | entry->mask6.s6_addr[offset] = val; | |
1677 | } | |
1678 | #endif /* CONFIG_IPV6 */ | |
1679 | ||
1680 | if (tail == NULL) { | |
1681 | clients = tail = entry; | |
1682 | } else { | |
1683 | tail->next = entry; | |
1684 | tail = entry; | |
1685 | } | |
1686 | } | |
1687 | ||
1688 | if (failed) { | |
1689 | RADIUS_ERROR("Invalid line %d in '%s'", line, client_file); | |
1690 | radius_server_free_clients(NULL, clients); | |
1691 | clients = NULL; | |
1692 | } | |
1693 | ||
1694 | os_free(buf); | |
1695 | fclose(f); | |
1696 | ||
1697 | return clients; | |
1698 | } | |
1699 | ||
1700 | ||
362bd35f JM |
1701 | /** |
1702 | * radius_server_init - Initialize RADIUS server | |
1703 | * @conf: Configuration for the RADIUS server | |
1704 | * Returns: Pointer to private RADIUS server context or %NULL on failure | |
1705 | * | |
1706 | * This initializes a RADIUS server instance and returns a context pointer that | |
1707 | * will be used in other calls to the RADIUS server module. The server can be | |
1708 | * deinitialize by calling radius_server_deinit(). | |
1709 | */ | |
6fc6879b JM |
1710 | struct radius_server_data * |
1711 | radius_server_init(struct radius_server_conf *conf) | |
1712 | { | |
1713 | struct radius_server_data *data; | |
1714 | ||
1715 | #ifndef CONFIG_IPV6 | |
1716 | if (conf->ipv6) { | |
61323e70 | 1717 | wpa_printf(MSG_ERROR, "RADIUS server compiled without IPv6 support"); |
6fc6879b JM |
1718 | return NULL; |
1719 | } | |
1720 | #endif /* CONFIG_IPV6 */ | |
1721 | ||
1722 | data = os_zalloc(sizeof(*data)); | |
1723 | if (data == NULL) | |
1724 | return NULL; | |
1725 | ||
d3bddd8b | 1726 | dl_list_init(&data->erp_keys); |
58707176 | 1727 | os_get_reltime(&data->start_time); |
6fc6879b JM |
1728 | data->conf_ctx = conf->conf_ctx; |
1729 | data->eap_sim_db_priv = conf->eap_sim_db_priv; | |
1730 | data->ssl_ctx = conf->ssl_ctx; | |
bb437f28 | 1731 | data->msg_ctx = conf->msg_ctx; |
6fc6879b JM |
1732 | data->ipv6 = conf->ipv6; |
1733 | if (conf->pac_opaque_encr_key) { | |
1734 | data->pac_opaque_encr_key = os_malloc(16); | |
4457f41b MJ |
1735 | if (data->pac_opaque_encr_key) { |
1736 | os_memcpy(data->pac_opaque_encr_key, | |
1737 | conf->pac_opaque_encr_key, 16); | |
1738 | } | |
6fc6879b | 1739 | } |
2d867244 JM |
1740 | if (conf->eap_fast_a_id) { |
1741 | data->eap_fast_a_id = os_malloc(conf->eap_fast_a_id_len); | |
1742 | if (data->eap_fast_a_id) { | |
1743 | os_memcpy(data->eap_fast_a_id, conf->eap_fast_a_id, | |
1744 | conf->eap_fast_a_id_len); | |
1745 | data->eap_fast_a_id_len = conf->eap_fast_a_id_len; | |
1746 | } | |
1747 | } | |
1748 | if (conf->eap_fast_a_id_info) | |
1749 | data->eap_fast_a_id_info = os_strdup(conf->eap_fast_a_id_info); | |
378eae5e | 1750 | data->eap_fast_prov = conf->eap_fast_prov; |
a11c90a6 JM |
1751 | data->pac_key_lifetime = conf->pac_key_lifetime; |
1752 | data->pac_key_refresh_time = conf->pac_key_refresh_time; | |
6fc6879b JM |
1753 | data->get_eap_user = conf->get_eap_user; |
1754 | data->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind; | |
c3e258ae | 1755 | data->tnc = conf->tnc; |
ad08c363 | 1756 | data->wps = conf->wps; |
df684d82 | 1757 | data->pwd_group = conf->pwd_group; |
67fe933d | 1758 | data->server_id = conf->server_id; |
65d50f0a JM |
1759 | if (conf->eap_req_id_text) { |
1760 | data->eap_req_id_text = os_malloc(conf->eap_req_id_text_len); | |
1761 | if (data->eap_req_id_text) { | |
1762 | os_memcpy(data->eap_req_id_text, conf->eap_req_id_text, | |
1763 | conf->eap_req_id_text_len); | |
1764 | data->eap_req_id_text_len = conf->eap_req_id_text_len; | |
1765 | } | |
1766 | } | |
d3bddd8b JM |
1767 | data->erp = conf->erp; |
1768 | data->erp_domain = conf->erp_domain; | |
681e199d | 1769 | data->tls_session_lifetime = conf->tls_session_lifetime; |
6418400d | 1770 | data->tls_flags = conf->tls_flags; |
6fc6879b | 1771 | |
8d2a9921 JM |
1772 | if (conf->subscr_remediation_url) { |
1773 | data->subscr_remediation_url = | |
1774 | os_strdup(conf->subscr_remediation_url); | |
1775 | } | |
f6fb1926 | 1776 | data->subscr_remediation_method = conf->subscr_remediation_method; |
8d2a9921 | 1777 | |
8a57da7e JM |
1778 | #ifdef CONFIG_SQLITE |
1779 | if (conf->sqlite_file) { | |
1780 | if (sqlite3_open(conf->sqlite_file, &data->db)) { | |
1781 | RADIUS_ERROR("Could not open SQLite file '%s'", | |
1782 | conf->sqlite_file); | |
1783 | radius_server_deinit(data); | |
1784 | return NULL; | |
1785 | } | |
1786 | } | |
1787 | #endif /* CONFIG_SQLITE */ | |
1788 | ||
505a3694 JM |
1789 | #ifdef CONFIG_RADIUS_TEST |
1790 | if (conf->dump_msk_file) | |
1791 | data->dump_msk_file = os_strdup(conf->dump_msk_file); | |
1792 | #endif /* CONFIG_RADIUS_TEST */ | |
1793 | ||
6fc6879b JM |
1794 | data->clients = radius_server_read_clients(conf->client_file, |
1795 | conf->ipv6); | |
1796 | if (data->clients == NULL) { | |
61323e70 | 1797 | wpa_printf(MSG_ERROR, "No RADIUS clients configured"); |
6fc6879b JM |
1798 | radius_server_deinit(data); |
1799 | return NULL; | |
1800 | } | |
1801 | ||
1802 | #ifdef CONFIG_IPV6 | |
1803 | if (conf->ipv6) | |
1804 | data->auth_sock = radius_server_open_socket6(conf->auth_port); | |
1805 | else | |
1806 | #endif /* CONFIG_IPV6 */ | |
1807 | data->auth_sock = radius_server_open_socket(conf->auth_port); | |
1808 | if (data->auth_sock < 0) { | |
61323e70 | 1809 | wpa_printf(MSG_ERROR, "Failed to open UDP socket for RADIUS authentication server"); |
6fc6879b JM |
1810 | radius_server_deinit(data); |
1811 | return NULL; | |
1812 | } | |
1813 | if (eloop_register_read_sock(data->auth_sock, | |
1814 | radius_server_receive_auth, | |
1815 | data, NULL)) { | |
1816 | radius_server_deinit(data); | |
1817 | return NULL; | |
1818 | } | |
1819 | ||
a1dd890a JM |
1820 | if (conf->acct_port) { |
1821 | #ifdef CONFIG_IPV6 | |
1822 | if (conf->ipv6) | |
1823 | data->acct_sock = radius_server_open_socket6( | |
1824 | conf->acct_port); | |
1825 | else | |
1826 | #endif /* CONFIG_IPV6 */ | |
1827 | data->acct_sock = radius_server_open_socket(conf->acct_port); | |
1828 | if (data->acct_sock < 0) { | |
1829 | wpa_printf(MSG_ERROR, "Failed to open UDP socket for RADIUS accounting server"); | |
1830 | radius_server_deinit(data); | |
1831 | return NULL; | |
1832 | } | |
1833 | if (eloop_register_read_sock(data->acct_sock, | |
1834 | radius_server_receive_acct, | |
1835 | data, NULL)) { | |
1836 | radius_server_deinit(data); | |
1837 | return NULL; | |
1838 | } | |
1839 | } else { | |
1840 | data->acct_sock = -1; | |
1841 | } | |
1842 | ||
6fc6879b JM |
1843 | return data; |
1844 | } | |
1845 | ||
1846 | ||
362bd35f | 1847 | /** |
2c6411ed | 1848 | * radius_server_erp_flush - Flush all ERP keys |
362bd35f JM |
1849 | * @data: RADIUS server context from radius_server_init() |
1850 | */ | |
2c6411ed | 1851 | void radius_server_erp_flush(struct radius_server_data *data) |
6fc6879b | 1852 | { |
d3bddd8b JM |
1853 | struct eap_server_erp_key *erp; |
1854 | ||
2c6411ed JM |
1855 | if (data == NULL) |
1856 | return; | |
1857 | while ((erp = dl_list_first(&data->erp_keys, struct eap_server_erp_key, | |
1858 | list)) != NULL) { | |
1859 | dl_list_del(&erp->list); | |
1860 | bin_clear_free(erp, sizeof(*erp)); | |
1861 | } | |
1862 | } | |
1863 | ||
1864 | ||
1865 | /** | |
1866 | * radius_server_deinit - Deinitialize RADIUS server | |
1867 | * @data: RADIUS server context from radius_server_init() | |
1868 | */ | |
1869 | void radius_server_deinit(struct radius_server_data *data) | |
1870 | { | |
6fc6879b JM |
1871 | if (data == NULL) |
1872 | return; | |
1873 | ||
1874 | if (data->auth_sock >= 0) { | |
1875 | eloop_unregister_read_sock(data->auth_sock); | |
1876 | close(data->auth_sock); | |
1877 | } | |
1878 | ||
a1dd890a JM |
1879 | if (data->acct_sock >= 0) { |
1880 | eloop_unregister_read_sock(data->acct_sock); | |
1881 | close(data->acct_sock); | |
1882 | } | |
1883 | ||
6fc6879b JM |
1884 | radius_server_free_clients(data, data->clients); |
1885 | ||
1886 | os_free(data->pac_opaque_encr_key); | |
1887 | os_free(data->eap_fast_a_id); | |
2d867244 | 1888 | os_free(data->eap_fast_a_id_info); |
65d50f0a | 1889 | os_free(data->eap_req_id_text); |
505a3694 JM |
1890 | #ifdef CONFIG_RADIUS_TEST |
1891 | os_free(data->dump_msk_file); | |
1892 | #endif /* CONFIG_RADIUS_TEST */ | |
8d2a9921 | 1893 | os_free(data->subscr_remediation_url); |
8a57da7e JM |
1894 | |
1895 | #ifdef CONFIG_SQLITE | |
1896 | if (data->db) | |
1897 | sqlite3_close(data->db); | |
1898 | #endif /* CONFIG_SQLITE */ | |
1899 | ||
2c6411ed | 1900 | radius_server_erp_flush(data); |
d3bddd8b | 1901 | |
6fc6879b JM |
1902 | os_free(data); |
1903 | } | |
1904 | ||
1905 | ||
362bd35f JM |
1906 | /** |
1907 | * radius_server_get_mib - Get RADIUS server MIB information | |
1908 | * @data: RADIUS server context from radius_server_init() | |
1909 | * @buf: Buffer for returning the MIB data in text format | |
1910 | * @buflen: buf length in octets | |
1911 | * Returns: Number of octets written into buf | |
1912 | */ | |
6fc6879b JM |
1913 | int radius_server_get_mib(struct radius_server_data *data, char *buf, |
1914 | size_t buflen) | |
1915 | { | |
1916 | int ret, uptime; | |
1917 | unsigned int idx; | |
1918 | char *end, *pos; | |
58707176 | 1919 | struct os_reltime now; |
6fc6879b JM |
1920 | struct radius_client *cli; |
1921 | ||
1922 | /* RFC 2619 - RADIUS Authentication Server MIB */ | |
1923 | ||
1924 | if (data == NULL || buflen == 0) | |
1925 | return 0; | |
1926 | ||
1927 | pos = buf; | |
1928 | end = buf + buflen; | |
1929 | ||
58707176 | 1930 | os_get_reltime(&now); |
6fc6879b JM |
1931 | uptime = (now.sec - data->start_time.sec) * 100 + |
1932 | ((now.usec - data->start_time.usec) / 10000) % 100; | |
1933 | ret = os_snprintf(pos, end - pos, | |
1934 | "RADIUS-AUTH-SERVER-MIB\n" | |
1935 | "radiusAuthServIdent=hostapd\n" | |
1936 | "radiusAuthServUpTime=%d\n" | |
1937 | "radiusAuthServResetTime=0\n" | |
1938 | "radiusAuthServConfigReset=4\n", | |
1939 | uptime); | |
d85e1fc8 | 1940 | if (os_snprintf_error(end - pos, ret)) { |
6fc6879b JM |
1941 | *pos = '\0'; |
1942 | return pos - buf; | |
1943 | } | |
1944 | pos += ret; | |
1945 | ||
1946 | ret = os_snprintf(pos, end - pos, | |
1947 | "radiusAuthServTotalAccessRequests=%u\n" | |
1948 | "radiusAuthServTotalInvalidRequests=%u\n" | |
1949 | "radiusAuthServTotalDupAccessRequests=%u\n" | |
1950 | "radiusAuthServTotalAccessAccepts=%u\n" | |
1951 | "radiusAuthServTotalAccessRejects=%u\n" | |
1952 | "radiusAuthServTotalAccessChallenges=%u\n" | |
1953 | "radiusAuthServTotalMalformedAccessRequests=%u\n" | |
1954 | "radiusAuthServTotalBadAuthenticators=%u\n" | |
1955 | "radiusAuthServTotalPacketsDropped=%u\n" | |
a1dd890a JM |
1956 | "radiusAuthServTotalUnknownTypes=%u\n" |
1957 | "radiusAccServTotalRequests=%u\n" | |
1958 | "radiusAccServTotalInvalidRequests=%u\n" | |
1959 | "radiusAccServTotalResponses=%u\n" | |
1960 | "radiusAccServTotalMalformedRequests=%u\n" | |
1961 | "radiusAccServTotalBadAuthenticators=%u\n" | |
1962 | "radiusAccServTotalUnknownTypes=%u\n", | |
6fc6879b JM |
1963 | data->counters.access_requests, |
1964 | data->counters.invalid_requests, | |
1965 | data->counters.dup_access_requests, | |
1966 | data->counters.access_accepts, | |
1967 | data->counters.access_rejects, | |
1968 | data->counters.access_challenges, | |
1969 | data->counters.malformed_access_requests, | |
1970 | data->counters.bad_authenticators, | |
1971 | data->counters.packets_dropped, | |
a1dd890a JM |
1972 | data->counters.unknown_types, |
1973 | data->counters.acct_requests, | |
1974 | data->counters.invalid_acct_requests, | |
1975 | data->counters.acct_responses, | |
1976 | data->counters.malformed_acct_requests, | |
1977 | data->counters.acct_bad_authenticators, | |
1978 | data->counters.unknown_acct_types); | |
d85e1fc8 | 1979 | if (os_snprintf_error(end - pos, ret)) { |
6fc6879b JM |
1980 | *pos = '\0'; |
1981 | return pos - buf; | |
1982 | } | |
1983 | pos += ret; | |
1984 | ||
1985 | for (cli = data->clients, idx = 0; cli; cli = cli->next, idx++) { | |
1986 | char abuf[50], mbuf[50]; | |
1987 | #ifdef CONFIG_IPV6 | |
1988 | if (data->ipv6) { | |
1989 | if (inet_ntop(AF_INET6, &cli->addr6, abuf, | |
1990 | sizeof(abuf)) == NULL) | |
1991 | abuf[0] = '\0'; | |
c9cd78e5 | 1992 | if (inet_ntop(AF_INET6, &cli->mask6, mbuf, |
6fc6879b JM |
1993 | sizeof(mbuf)) == NULL) |
1994 | mbuf[0] = '\0'; | |
1995 | } | |
1996 | #endif /* CONFIG_IPV6 */ | |
1997 | if (!data->ipv6) { | |
1998 | os_strlcpy(abuf, inet_ntoa(cli->addr), sizeof(abuf)); | |
1999 | os_strlcpy(mbuf, inet_ntoa(cli->mask), sizeof(mbuf)); | |
2000 | } | |
2001 | ||
2002 | ret = os_snprintf(pos, end - pos, | |
2003 | "radiusAuthClientIndex=%u\n" | |
2004 | "radiusAuthClientAddress=%s/%s\n" | |
2005 | "radiusAuthServAccessRequests=%u\n" | |
2006 | "radiusAuthServDupAccessRequests=%u\n" | |
2007 | "radiusAuthServAccessAccepts=%u\n" | |
2008 | "radiusAuthServAccessRejects=%u\n" | |
2009 | "radiusAuthServAccessChallenges=%u\n" | |
2010 | "radiusAuthServMalformedAccessRequests=%u\n" | |
2011 | "radiusAuthServBadAuthenticators=%u\n" | |
2012 | "radiusAuthServPacketsDropped=%u\n" | |
a1dd890a JM |
2013 | "radiusAuthServUnknownTypes=%u\n" |
2014 | "radiusAccServTotalRequests=%u\n" | |
2015 | "radiusAccServTotalInvalidRequests=%u\n" | |
2016 | "radiusAccServTotalResponses=%u\n" | |
2017 | "radiusAccServTotalMalformedRequests=%u\n" | |
2018 | "radiusAccServTotalBadAuthenticators=%u\n" | |
2019 | "radiusAccServTotalUnknownTypes=%u\n", | |
6fc6879b JM |
2020 | idx, |
2021 | abuf, mbuf, | |
2022 | cli->counters.access_requests, | |
2023 | cli->counters.dup_access_requests, | |
2024 | cli->counters.access_accepts, | |
2025 | cli->counters.access_rejects, | |
2026 | cli->counters.access_challenges, | |
2027 | cli->counters.malformed_access_requests, | |
2028 | cli->counters.bad_authenticators, | |
2029 | cli->counters.packets_dropped, | |
a1dd890a JM |
2030 | cli->counters.unknown_types, |
2031 | cli->counters.acct_requests, | |
2032 | cli->counters.invalid_acct_requests, | |
2033 | cli->counters.acct_responses, | |
2034 | cli->counters.malformed_acct_requests, | |
2035 | cli->counters.acct_bad_authenticators, | |
2036 | cli->counters.unknown_acct_types); | |
d85e1fc8 | 2037 | if (os_snprintf_error(end - pos, ret)) { |
6fc6879b JM |
2038 | *pos = '\0'; |
2039 | return pos - buf; | |
2040 | } | |
2041 | pos += ret; | |
2042 | } | |
2043 | ||
2044 | return pos - buf; | |
2045 | } | |
2046 | ||
2047 | ||
2048 | static int radius_server_get_eap_user(void *ctx, const u8 *identity, | |
2049 | size_t identity_len, int phase2, | |
2050 | struct eap_user *user) | |
2051 | { | |
2052 | struct radius_session *sess = ctx; | |
2053 | struct radius_server_data *data = sess->server; | |
8d2a9921 | 2054 | int ret; |
6fc6879b | 2055 | |
8d2a9921 JM |
2056 | ret = data->get_eap_user(data->conf_ctx, identity, identity_len, |
2057 | phase2, user); | |
d0ee16ed JM |
2058 | if (ret == 0 && user) { |
2059 | sess->accept_attr = user->accept_attr; | |
8d2a9921 | 2060 | sess->remediation = user->remediation; |
8943cc99 | 2061 | sess->macacl = user->macacl; |
d0ee16ed | 2062 | } |
fc48d33b BG |
2063 | |
2064 | if (ret) { | |
2065 | RADIUS_DEBUG("%s: User-Name not found from user database", | |
2066 | __func__); | |
2067 | } | |
2068 | ||
8d2a9921 | 2069 | return ret; |
6fc6879b JM |
2070 | } |
2071 | ||
2072 | ||
65d50f0a JM |
2073 | static const char * radius_server_get_eap_req_id_text(void *ctx, size_t *len) |
2074 | { | |
2075 | struct radius_session *sess = ctx; | |
2076 | struct radius_server_data *data = sess->server; | |
2077 | *len = data->eap_req_id_text_len; | |
2078 | return data->eap_req_id_text; | |
2079 | } | |
2080 | ||
2081 | ||
01f7fe10 JM |
2082 | static void radius_server_log_msg(void *ctx, const char *msg) |
2083 | { | |
2084 | struct radius_session *sess = ctx; | |
2085 | srv_log(sess, "EAP: %s", msg); | |
2086 | } | |
2087 | ||
2088 | ||
d3bddd8b JM |
2089 | #ifdef CONFIG_ERP |
2090 | ||
2091 | static const char * radius_server_get_erp_domain(void *ctx) | |
2092 | { | |
2093 | struct radius_session *sess = ctx; | |
2094 | struct radius_server_data *data = sess->server; | |
2095 | ||
2096 | return data->erp_domain; | |
2097 | } | |
2098 | ||
2099 | ||
2100 | static struct eap_server_erp_key * | |
2101 | radius_server_erp_get_key(void *ctx, const char *keyname) | |
2102 | { | |
2103 | struct radius_session *sess = ctx; | |
2104 | struct radius_server_data *data = sess->server; | |
2105 | struct eap_server_erp_key *erp; | |
2106 | ||
2107 | dl_list_for_each(erp, &data->erp_keys, struct eap_server_erp_key, | |
2108 | list) { | |
2109 | if (os_strcmp(erp->keyname_nai, keyname) == 0) | |
2110 | return erp; | |
2111 | } | |
2112 | ||
2113 | return NULL; | |
2114 | } | |
2115 | ||
2116 | ||
2117 | static int radius_server_erp_add_key(void *ctx, struct eap_server_erp_key *erp) | |
2118 | { | |
2119 | struct radius_session *sess = ctx; | |
2120 | struct radius_server_data *data = sess->server; | |
2121 | ||
2122 | dl_list_add(&data->erp_keys, &erp->list); | |
2123 | return 0; | |
2124 | } | |
2125 | ||
2126 | #endif /* CONFIG_ERP */ | |
2127 | ||
2128 | ||
8b423edb | 2129 | static const struct eapol_callbacks radius_server_eapol_cb = |
6fc6879b JM |
2130 | { |
2131 | .get_eap_user = radius_server_get_eap_user, | |
65d50f0a | 2132 | .get_eap_req_id_text = radius_server_get_eap_req_id_text, |
01f7fe10 | 2133 | .log_msg = radius_server_log_msg, |
d3bddd8b JM |
2134 | #ifdef CONFIG_ERP |
2135 | .get_erp_send_reauth_start = NULL, | |
2136 | .get_erp_domain = radius_server_get_erp_domain, | |
2137 | .erp_get_key = radius_server_erp_get_key, | |
2138 | .erp_add_key = radius_server_erp_add_key, | |
2139 | #endif /* CONFIG_ERP */ | |
6fc6879b JM |
2140 | }; |
2141 | ||
2142 | ||
362bd35f JM |
2143 | /** |
2144 | * radius_server_eap_pending_cb - Pending EAP data notification | |
2145 | * @data: RADIUS server context from radius_server_init() | |
2146 | * @ctx: Pending EAP context pointer | |
2147 | * | |
2148 | * This function is used to notify EAP server module that a pending operation | |
2149 | * has been completed and processing of the EAP session can proceed. | |
2150 | */ | |
6fc6879b JM |
2151 | void radius_server_eap_pending_cb(struct radius_server_data *data, void *ctx) |
2152 | { | |
2153 | struct radius_client *cli; | |
2154 | struct radius_session *s, *sess = NULL; | |
2155 | struct radius_msg *msg; | |
2156 | ||
2157 | if (data == NULL) | |
2158 | return; | |
2159 | ||
2160 | for (cli = data->clients; cli; cli = cli->next) { | |
2161 | for (s = cli->sessions; s; s = s->next) { | |
2162 | if (s->eap == ctx && s->last_msg) { | |
2163 | sess = s; | |
2164 | break; | |
2165 | } | |
6fc6879b JM |
2166 | } |
2167 | if (sess) | |
2168 | break; | |
2169 | } | |
2170 | ||
2171 | if (sess == NULL) { | |
2172 | RADIUS_DEBUG("No session matched callback ctx"); | |
2173 | return; | |
2174 | } | |
2175 | ||
2176 | msg = sess->last_msg; | |
2177 | sess->last_msg = NULL; | |
2178 | eap_sm_pending_cb(sess->eap); | |
2179 | if (radius_server_request(data, msg, | |
2180 | (struct sockaddr *) &sess->last_from, | |
2181 | sess->last_fromlen, cli, | |
2182 | sess->last_from_addr, | |
2183 | sess->last_from_port, sess) == -2) | |
2184 | return; /* msg was stored with the session */ | |
2185 | ||
2186 | radius_msg_free(msg); | |
6fc6879b | 2187 | } |