const u8 *shared_secret, size_t shared_secret_len,
void *data)
{
- if (msg->hdr->code != RADIUS_CODE_ACCOUNTING_RESPONSE) {
+ if (radius_msg_get_hdr(msg)->code != RADIUS_CODE_ACCOUNTING_RESPONSE) {
printf("Unknown RADIUS message code\n");
return RADIUS_RX_UNKNOWN;
}
struct hostapd_data *hapd = data;
struct hostapd_acl_query_data *query, *prev;
struct hostapd_cached_radius_acl *cache;
+ struct radius_hdr *hdr = radius_msg_get_hdr(msg);
query = hapd->acl_queries;
prev = NULL;
while (query) {
- if (query->radius_id == msg->hdr->identifier)
+ if (query->radius_id == hdr->identifier)
break;
prev = query;
query = query->next;
return RADIUS_RX_INVALID_AUTHENTICATOR;
}
- if (msg->hdr->code != RADIUS_CODE_ACCESS_ACCEPT &&
- msg->hdr->code != RADIUS_CODE_ACCESS_REJECT) {
+ if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT &&
+ hdr->code != RADIUS_CODE_ACCESS_REJECT) {
wpa_printf(MSG_DEBUG, "Unknown RADIUS message code %d to ACL "
- "query", msg->hdr->code);
+ "query", hdr->code);
return RADIUS_RX_UNKNOWN;
}
}
time(&cache->timestamp);
os_memcpy(cache->addr, query->addr, sizeof(cache->addr));
- if (msg->hdr->code == RADIUS_CODE_ACCESS_ACCEPT) {
+ if (hdr->code == RADIUS_CODE_ACCESS_ACCEPT) {
if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT,
&cache->session_timeout) == 0)
cache->accepted = HOSTAPD_ACL_ACCEPT_TIMEOUT;
/* State attribute must be copied if and only if this packet is
* Access-Request reply to the previous Access-Challenge */
- if (sm->last_recv_radius && sm->last_recv_radius->hdr->code ==
+ if (sm->last_recv_radius &&
+ radius_msg_get_hdr(sm->last_recv_radius)->code ==
RADIUS_CODE_ACCESS_CHALLENGE) {
int res = radius_msg_copy_attr(msg, sm->last_recv_radius,
RADIUS_ATTR_STATE);
int session_timeout_set, old_vlanid = 0;
struct eapol_state_machine *sm;
int override_eapReq = 0;
+ struct radius_hdr *hdr = radius_msg_get_hdr(msg);
- sm = ieee802_1x_search_radius_identifier(hapd, msg->hdr->identifier);
+ sm = ieee802_1x_search_radius_identifier(hapd, hdr->identifier);
if (sm == NULL) {
wpa_printf(MSG_DEBUG, "IEEE 802.1X: Could not find matching "
"station for this RADIUS message");
/* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be
* present when packet contains an EAP-Message attribute */
- if (msg->hdr->code == RADIUS_CODE_ACCESS_REJECT &&
+ if (hdr->code == RADIUS_CODE_ACCESS_REJECT &&
radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL,
0) < 0 &&
radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) {
return RADIUS_RX_INVALID_AUTHENTICATOR;
}
- if (msg->hdr->code != RADIUS_CODE_ACCESS_ACCEPT &&
- msg->hdr->code != RADIUS_CODE_ACCESS_REJECT &&
- msg->hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) {
+ if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT &&
+ hdr->code != RADIUS_CODE_ACCESS_REJECT &&
+ hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) {
printf("Unknown RADIUS message code\n");
return RADIUS_RX_UNKNOWN;
}
termination_action = RADIUS_TERMINATION_ACTION_DEFAULT;
if (hapd->conf->acct_interim_interval == 0 &&
- msg->hdr->code == RADIUS_CODE_ACCESS_ACCEPT &&
+ hdr->code == RADIUS_CODE_ACCESS_ACCEPT &&
radius_msg_get_attr_int32(msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL,
&acct_interim_interval) == 0) {
if (acct_interim_interval < 60) {
}
- switch (msg->hdr->code) {
+ switch (hdr->code) {
case RADIUS_CODE_ACCESS_ACCEPT:
if (sta->ssid->dynamic_vlan == DYNAMIC_VLAN_DISABLED)
sta->vlan_id = 0;
#include "radius.h"
+/**
+ * struct radius_msg - RADIUS message structure for new and parsed messages
+ */
+struct radius_msg {
+ /**
+ * buf - Allocated buffer for RADIUS message
+ */
+ struct wpabuf *buf;
+
+ /**
+ * hdr - Pointer to the RADIUS header in buf
+ */
+ struct radius_hdr *hdr;
+
+ /**
+ * attr_pos - Array of indexes to attributes
+ *
+ * The values are number of bytes from buf to the beginning of
+ * struct radius_attr_hdr.
+ */
+ size_t *attr_pos;
+
+ /**
+ * attr_size - Total size of the attribute pointer array
+ */
+ size_t attr_size;
+
+ /**
+ * attr_used - Total number of attributes in the array
+ */
+ size_t attr_used;
+};
+
+
+struct radius_hdr * radius_msg_get_hdr(struct radius_msg *msg)
+{
+ return msg->hdr;
+}
+
+
+struct wpabuf * radius_msg_get_buf(struct radius_msg *msg)
+{
+ return msg->buf;
+}
+
+
static struct radius_attr_hdr *
radius_get_attr_hdr(struct radius_msg *msg, int idx)
{
};
-/**
- * struct radius_msg - RADIUS message structure for new and parsed messages
- */
-struct radius_msg {
- /**
- * buf - Allocated buffer for RADIUS message
- */
- struct wpabuf *buf;
-
- /**
- * hdr - Pointer to the RADIUS header in buf
- */
- struct radius_hdr *hdr;
-
- /**
- * attr_pos - Array of indexes to attributes
- *
- * The values are number of bytes from buf to the beginning of
- * struct radius_attr_hdr.
- */
- size_t *attr_pos;
-
- /**
- * attr_size - Total size of the attribute pointer array
- */
- size_t attr_size;
-
- /**
- * attr_used - Total number of attributes in the array
- */
- size_t attr_used;
-};
-
+struct radius_msg;
/* Default size to be allocated for new RADIUS messages */
#define RADIUS_DEFAULT_MSG_SIZE 1024
/* MAC address ASCII format for non-802.1X use */
#define RADIUS_ADDR_FORMAT "%02x%02x%02x%02x%02x%02x"
+struct radius_hdr * radius_msg_get_hdr(struct radius_msg *msg);
+struct wpabuf * radius_msg_get_buf(struct radius_msg *msg);
struct radius_msg * radius_msg_new(u8 code, u8 identifier);
void radius_msg_free(struct radius_msg *msg);
void radius_msg_dump(struct radius_msg *msg);
{
struct hostapd_radius_servers *conf = radius->conf;
int s;
+ struct wpabuf *buf;
if (entry->msg_type == RADIUS_ACCT ||
entry->msg_type == RADIUS_ACCT_INTERIM) {
entry->attempts++;
hostapd_logger(radius->ctx, entry->addr, HOSTAPD_MODULE_RADIUS,
HOSTAPD_LEVEL_DEBUG, "Resending RADIUS message (id=%d)",
- entry->msg->hdr->identifier);
+ radius_msg_get_hdr(entry->msg)->identifier);
os_get_time(&entry->last_attempt);
- if (send(s, wpabuf_head(entry->msg->buf), wpabuf_len(entry->msg->buf),
- 0) < 0)
+ buf = radius_msg_get_buf(entry->msg);
+ if (send(s, wpabuf_head(buf), wpabuf_len(buf), 0) < 0)
radius_client_handle_send_error(radius, s, entry->msg_type);
entry->next_try = now + entry->next_wait;
size_t shared_secret_len;
char *name;
int s, res;
+ struct wpabuf *buf;
if (msg_type == RADIUS_ACCT_INTERIM) {
/* Remove any pending interim acct update for the same STA. */
if (conf->msg_dumps)
radius_msg_dump(msg);
- res = send(s, wpabuf_head(msg->buf), wpabuf_len(msg->buf), 0);
+ buf = radius_msg_get_buf(msg);
+ res = send(s, wpabuf_head(buf), wpabuf_len(buf), 0);
if (res < 0)
radius_client_handle_send_error(radius, s, msg_type);
int len, roundtrip;
unsigned char buf[3000];
struct radius_msg *msg;
+ struct radius_hdr *hdr;
struct radius_rx_handler *handlers;
size_t num_handlers, i;
struct radius_msg_list *req, *prev_req;
rconf->malformed_responses++;
return;
}
+ hdr = radius_msg_get_hdr(msg);
hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
HOSTAPD_LEVEL_DEBUG, "Received RADIUS message");
if (conf->msg_dumps)
radius_msg_dump(msg);
- switch (msg->hdr->code) {
+ switch (hdr->code) {
case RADIUS_CODE_ACCESS_ACCEPT:
rconf->access_accepts++;
break;
if ((req->msg_type == msg_type ||
(req->msg_type == RADIUS_ACCT_INTERIM &&
msg_type == RADIUS_ACCT)) &&
- req->msg->hdr->identifier == msg->hdr->identifier)
+ radius_msg_get_hdr(req->msg)->identifier ==
+ hdr->identifier)
break;
prev_req = req;
HOSTAPD_LEVEL_DEBUG,
"No matching RADIUS request found (type=%d "
"id=%d) - dropping packet",
- msg_type, msg->hdr->identifier);
+ msg_type, hdr->identifier);
goto fail;
}
hostapd_logger(radius->ctx, req->addr, HOSTAPD_MODULE_RADIUS,
HOSTAPD_LEVEL_DEBUG, "No RADIUS RX handler found "
"(type=%d code=%d id=%d)%s - dropping packet",
- msg_type, msg->hdr->code, msg->hdr->identifier,
+ msg_type, hdr->code, hdr->identifier,
invalid_authenticator ? " [INVALID AUTHENTICATOR]" :
"");
radius_client_msg_free(req);
entry = radius->msgs;
prev = NULL;
while (entry) {
- if (entry->msg->hdr->identifier == id) {
+ if (radius_msg_get_hdr(entry->msg)->identifier == id) {
hostapd_logger(radius->ctx, entry->addr,
HOSTAPD_MODULE_RADIUS,
HOSTAPD_LEVEL_DEBUG,
struct radius_msg *msg;
int code;
unsigned int sess_id;
+ struct radius_hdr *hdr = radius_msg_get_hdr(request);
if (sess->eap_if->eapFail) {
sess->eap_if->eapFail = FALSE;
code = RADIUS_CODE_ACCESS_CHALLENGE;
}
- msg = radius_msg_new(code, request->hdr->identifier);
+ msg = radius_msg_new(code, hdr->identifier);
if (msg == NULL) {
RADIUS_DEBUG("Failed to allocate reply message");
return NULL;
} else {
len = sess->eap_if->eapKeyDataLen / 2;
}
- if (!radius_msg_add_mppe_keys(msg, request->hdr->authenticator,
+ if (!radius_msg_add_mppe_keys(msg, hdr->authenticator,
(u8 *) client->shared_secret,
client->shared_secret_len,
sess->eap_if->eapKeyData + len,
if (radius_msg_finish_srv(msg, (u8 *) client->shared_secret,
client->shared_secret_len,
- request->hdr->authenticator) < 0) {
+ hdr->authenticator) < 0) {
RADIUS_DEBUG("Failed to add Message-Authenticator attribute");
}
struct radius_msg *msg;
int ret = 0;
struct eap_hdr eapfail;
+ struct wpabuf *buf;
+ struct radius_hdr *hdr = radius_msg_get_hdr(request);
RADIUS_DEBUG("Reject invalid request from %s:%d",
from_addr, from_port);
- msg = radius_msg_new(RADIUS_CODE_ACCESS_REJECT,
- request->hdr->identifier);
+ msg = radius_msg_new(RADIUS_CODE_ACCESS_REJECT, hdr->identifier);
if (msg == NULL) {
return -1;
}
if (radius_msg_finish_srv(msg, (u8 *) client->shared_secret,
client->shared_secret_len,
- request->hdr->authenticator) < 0) {
+ hdr->authenticator) <
+ 0) {
RADIUS_DEBUG("Failed to add Message-Authenticator attribute");
}
data->counters.access_rejects++;
client->counters.access_rejects++;
- if (sendto(data->auth_sock, wpabuf_head(msg->buf),
- wpabuf_len(msg->buf), 0,
+ buf = radius_msg_get_buf(msg);
+ if (sendto(data->auth_sock, wpabuf_head(buf), wpabuf_len(buf), 0,
(struct sockaddr *) from, sizeof(*from)) < 0) {
perror("sendto[RADIUS SRV]");
ret = -1;
}
if (sess->last_from_port == from_port &&
- sess->last_identifier == msg->hdr->identifier &&
- os_memcmp(sess->last_authenticator, msg->hdr->authenticator, 16) ==
- 0) {
+ sess->last_identifier == radius_msg_get_hdr(msg)->identifier &&
+ os_memcmp(sess->last_authenticator,
+ radius_msg_get_hdr(msg)->authenticator, 16) == 0) {
RADIUS_DEBUG("Duplicate message from %s", from_addr);
data->counters.dup_access_requests++;
client->counters.dup_access_requests++;
if (sess->last_reply) {
- res = sendto(data->auth_sock,
- wpabuf_head(sess->last_reply->buf),
- wpabuf_len(sess->last_reply->buf), 0,
+ struct wpabuf *buf;
+ buf = radius_msg_get_buf(sess->last_reply);
+ res = sendto(data->auth_sock, wpabuf_head(buf),
+ wpabuf_len(buf), 0,
(struct sockaddr *) from, fromlen);
if (res < 0) {
perror("sendto[RADIUS SRV]");
reply = radius_server_encapsulate_eap(data, client, sess, msg);
if (reply) {
+ struct wpabuf *buf;
+ struct radius_hdr *hdr;
+
RADIUS_DEBUG("Reply to %s:%d", from_addr, from_port);
if (wpa_debug_level <= MSG_MSGDUMP) {
radius_msg_dump(reply);
}
- switch (reply->hdr->code) {
+ switch (radius_msg_get_hdr(reply)->code) {
case RADIUS_CODE_ACCESS_ACCEPT:
data->counters.access_accepts++;
client->counters.access_accepts++;
client->counters.access_challenges++;
break;
}
- res = sendto(data->auth_sock, wpabuf_head(reply->buf),
- wpabuf_len(reply->buf), 0,
+ buf = radius_msg_get_buf(reply);
+ res = sendto(data->auth_sock, wpabuf_head(buf),
+ wpabuf_len(buf), 0,
(struct sockaddr *) from, fromlen);
if (res < 0) {
perror("sendto[RADIUS SRV]");
radius_msg_free(sess->last_reply);
sess->last_reply = reply;
sess->last_from_port = from_port;
- sess->last_identifier = msg->hdr->identifier;
- os_memcpy(sess->last_authenticator, msg->hdr->authenticator,
- 16);
+ hdr = radius_msg_get_hdr(msg);
+ sess->last_identifier = hdr->identifier;
+ os_memcpy(sess->last_authenticator, hdr->authenticator, 16);
} else {
data->counters.packets_dropped++;
client->counters.packets_dropped++;
radius_msg_dump(msg);
}
- if (msg->hdr->code != RADIUS_CODE_ACCESS_REQUEST) {
- RADIUS_DEBUG("Unexpected RADIUS code %d", msg->hdr->code);
+ if (radius_msg_get_hdr(msg)->code != RADIUS_CODE_ACCESS_REQUEST) {
+ RADIUS_DEBUG("Unexpected RADIUS code %d",
+ radius_msg_get_hdr(msg)->code);
data->counters.unknown_types++;
client->counters.unknown_types++;
goto fail;