2 * RADIUS Dynamic Authorization Server (DAS) (RFC 5176)
3 * Copyright (c) 2012-2013, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "utils/common.h"
13 #include "utils/eloop.h"
14 #include "utils/ip_addr.h"
16 #include "radius_das.h"
19 struct radius_das_data {
22 size_t shared_secret_len;
23 struct hostapd_ip_addr client_addr;
24 unsigned int time_window;
25 int require_event_timestamp;
27 enum radius_das_res (*disconnect)(void *ctx,
28 struct radius_das_attrs *attr);
32 static struct radius_msg * radius_das_disconnect(struct radius_das_data *das,
33 struct radius_msg *msg,
37 struct radius_hdr *hdr;
38 struct radius_msg *reply;
40 RADIUS_ATTR_USER_NAME,
41 RADIUS_ATTR_NAS_IP_ADDRESS,
42 RADIUS_ATTR_CALLING_STATION_ID,
43 RADIUS_ATTR_NAS_IDENTIFIER,
44 RADIUS_ATTR_ACCT_SESSION_ID,
45 RADIUS_ATTR_ACCT_MULTI_SESSION_ID,
46 RADIUS_ATTR_EVENT_TIMESTAMP,
47 RADIUS_ATTR_MESSAGE_AUTHENTICATOR,
48 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
50 RADIUS_ATTR_NAS_IPV6_ADDRESS,
51 #endif /* CONFIG_IPV6 */
56 enum radius_das_res res;
57 struct radius_das_attrs attrs;
61 u8 sta_addr[ETH_ALEN];
63 hdr = radius_msg_get_hdr(msg);
65 attr = radius_msg_find_unlisted_attr(msg, allowed);
67 wpa_printf(MSG_INFO, "DAS: Unsupported attribute %u in "
68 "Disconnect-Request from %s:%d", attr,
74 os_memset(&attrs, 0, sizeof(attrs));
76 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IP_ADDRESS,
77 &buf, &len, NULL) == 0) {
79 wpa_printf(MSG_INFO, "DAS: Invalid NAS-IP-Address from %s:%d",
84 attrs.nas_ip_addr = buf;
88 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS,
89 &buf, &len, NULL) == 0) {
91 wpa_printf(MSG_INFO, "DAS: Invalid NAS-IPv6-Address from %s:%d",
96 attrs.nas_ipv6_addr = buf;
98 #endif /* CONFIG_IPV6 */
100 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IDENTIFIER,
101 &buf, &len, NULL) == 0) {
102 attrs.nas_identifier = buf;
103 attrs.nas_identifier_len = len;
106 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CALLING_STATION_ID,
107 &buf, &len, NULL) == 0) {
108 if (len >= sizeof(tmp))
109 len = sizeof(tmp) - 1;
110 os_memcpy(tmp, buf, len);
112 if (hwaddr_aton2(tmp, sta_addr) < 0) {
113 wpa_printf(MSG_INFO, "DAS: Invalid Calling-Station-Id "
114 "'%s' from %s:%d", tmp, abuf, from_port);
118 attrs.sta_addr = sta_addr;
121 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME,
122 &buf, &len, NULL) == 0) {
123 attrs.user_name = buf;
124 attrs.user_name_len = len;
127 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_ACCT_SESSION_ID,
128 &buf, &len, NULL) == 0) {
129 attrs.acct_session_id = buf;
130 attrs.acct_session_id_len = len;
133 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_ACCT_MULTI_SESSION_ID,
134 &buf, &len, NULL) == 0) {
135 attrs.acct_multi_session_id = buf;
136 attrs.acct_multi_session_id_len = len;
139 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
140 &buf, &len, NULL) == 0) {
145 res = das->disconnect(das->ctx, &attrs);
147 case RADIUS_DAS_NAS_MISMATCH:
148 wpa_printf(MSG_INFO, "DAS: NAS mismatch from %s:%d",
152 case RADIUS_DAS_SESSION_NOT_FOUND:
153 wpa_printf(MSG_INFO, "DAS: Session not found for request from "
154 "%s:%d", abuf, from_port);
157 case RADIUS_DAS_MULTI_SESSION_MATCH:
159 "DAS: Multiple sessions match for request from %s:%d",
163 case RADIUS_DAS_SUCCESS:
169 reply = radius_msg_new(error ? RADIUS_CODE_DISCONNECT_NAK :
170 RADIUS_CODE_DISCONNECT_ACK, hdr->identifier);
175 if (!radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE,
177 radius_msg_free(reply);
186 static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx)
188 struct radius_das_data *das = eloop_ctx;
191 struct sockaddr_storage ss;
192 struct sockaddr_in sin;
194 struct sockaddr_in6 sin6;
195 #endif /* CONFIG_IPV6 */
201 struct radius_msg *msg, *reply = NULL;
202 struct radius_hdr *hdr;
208 fromlen = sizeof(from);
209 len = recvfrom(sock, buf, sizeof(buf), 0,
210 (struct sockaddr *) &from.ss, &fromlen);
212 wpa_printf(MSG_ERROR, "DAS: recvfrom: %s", strerror(errno));
216 os_strlcpy(abuf, inet_ntoa(from.sin.sin_addr), sizeof(abuf));
217 from_port = ntohs(from.sin.sin_port);
219 wpa_printf(MSG_DEBUG, "DAS: Received %d bytes from %s:%d",
220 len, abuf, from_port);
221 if (das->client_addr.u.v4.s_addr != from.sin.sin_addr.s_addr) {
222 wpa_printf(MSG_DEBUG, "DAS: Drop message from unknown client");
226 msg = radius_msg_parse(buf, len);
228 wpa_printf(MSG_DEBUG, "DAS: Parsing incoming RADIUS packet "
229 "from %s:%d failed", abuf, from_port);
233 if (wpa_debug_level <= MSG_MSGDUMP)
234 radius_msg_dump(msg);
236 if (radius_msg_verify_das_req(msg, das->shared_secret,
237 das->shared_secret_len)) {
238 wpa_printf(MSG_DEBUG, "DAS: Invalid authenticator in packet "
239 "from %s:%d - drop", abuf, from_port);
244 res = radius_msg_get_attr(msg, RADIUS_ATTR_EVENT_TIMESTAMP,
247 u32 timestamp = ntohl(val);
248 if ((unsigned int) abs((int) (now.sec - timestamp)) >
250 wpa_printf(MSG_DEBUG, "DAS: Unacceptable "
251 "Event-Timestamp (%u; local time %u) in "
252 "packet from %s:%d - drop",
253 timestamp, (unsigned int) now.sec,
257 } else if (das->require_event_timestamp) {
258 wpa_printf(MSG_DEBUG, "DAS: Missing Event-Timestamp in packet "
259 "from %s:%d - drop", abuf, from_port);
263 hdr = radius_msg_get_hdr(msg);
266 case RADIUS_CODE_DISCONNECT_REQUEST:
267 reply = radius_das_disconnect(das, msg, abuf, from_port);
269 case RADIUS_CODE_COA_REQUEST:
271 reply = radius_msg_new(RADIUS_CODE_COA_NAK,
276 /* Unsupported Service */
277 if (!radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE,
279 radius_msg_free(reply);
285 wpa_printf(MSG_DEBUG, "DAS: Unexpected RADIUS code %u in "
287 hdr->code, abuf, from_port);
291 wpa_printf(MSG_DEBUG, "DAS: Reply to %s:%d", abuf, from_port);
293 if (!radius_msg_add_attr_int32(reply,
294 RADIUS_ATTR_EVENT_TIMESTAMP,
296 wpa_printf(MSG_DEBUG, "DAS: Failed to add "
297 "Event-Timestamp attribute");
300 if (radius_msg_finish_das_resp(reply, das->shared_secret,
301 das->shared_secret_len, hdr) <
303 wpa_printf(MSG_DEBUG, "DAS: Failed to add "
304 "Message-Authenticator attribute");
307 if (wpa_debug_level <= MSG_MSGDUMP)
308 radius_msg_dump(reply);
310 rbuf = radius_msg_get_buf(reply);
311 res = sendto(das->sock, wpabuf_head(rbuf),
313 (struct sockaddr *) &from.ss, fromlen);
315 wpa_printf(MSG_ERROR, "DAS: sendto(to %s:%d): %s",
316 abuf, from_port, strerror(errno));
321 radius_msg_free(msg);
322 radius_msg_free(reply);
326 static int radius_das_open_socket(int port)
329 struct sockaddr_in addr;
331 s = socket(PF_INET, SOCK_DGRAM, 0);
333 wpa_printf(MSG_INFO, "RADIUS DAS: socket: %s", strerror(errno));
337 os_memset(&addr, 0, sizeof(addr));
338 addr.sin_family = AF_INET;
339 addr.sin_port = htons(port);
340 if (bind(s, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
341 wpa_printf(MSG_INFO, "RADIUS DAS: bind: %s", strerror(errno));
350 struct radius_das_data *
351 radius_das_init(struct radius_das_conf *conf)
353 struct radius_das_data *das;
355 if (conf->port == 0 || conf->shared_secret == NULL ||
356 conf->client_addr == NULL)
359 das = os_zalloc(sizeof(*das));
363 das->time_window = conf->time_window;
364 das->require_event_timestamp = conf->require_event_timestamp;
365 das->ctx = conf->ctx;
366 das->disconnect = conf->disconnect;
368 os_memcpy(&das->client_addr, conf->client_addr,
369 sizeof(das->client_addr));
371 das->shared_secret = os_malloc(conf->shared_secret_len);
372 if (das->shared_secret == NULL) {
373 radius_das_deinit(das);
376 os_memcpy(das->shared_secret, conf->shared_secret,
377 conf->shared_secret_len);
378 das->shared_secret_len = conf->shared_secret_len;
380 das->sock = radius_das_open_socket(conf->port);
382 wpa_printf(MSG_ERROR, "Failed to open UDP socket for RADIUS "
384 radius_das_deinit(das);
388 if (eloop_register_read_sock(das->sock, radius_das_receive, das, NULL))
390 radius_das_deinit(das);
398 void radius_das_deinit(struct radius_das_data *das)
403 if (das->sock >= 0) {
404 eloop_unregister_read_sock(das->sock);
408 os_free(das->shared_secret);