/src/hostap/src/radius/radius_das.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * RADIUS Dynamic Authorization Server (DAS) (RFC 5176) |
3 | | * Copyright (c) 2012-2013, Jouni Malinen <j@w1.fi> |
4 | | * |
5 | | * This software may be distributed under the terms of the BSD license. |
6 | | * See README for more details. |
7 | | */ |
8 | | |
9 | | #include "includes.h" |
10 | | #include <net/if.h> |
11 | | |
12 | | #include "utils/common.h" |
13 | | #include "utils/eloop.h" |
14 | | #include "utils/ip_addr.h" |
15 | | #include "radius.h" |
16 | | #include "radius_das.h" |
17 | | |
18 | | |
19 | | struct radius_das_data { |
20 | | int sock; |
21 | | u8 *shared_secret; |
22 | | size_t shared_secret_len; |
23 | | struct hostapd_ip_addr client_addr; |
24 | | unsigned int time_window; |
25 | | int require_event_timestamp; |
26 | | int require_message_authenticator; |
27 | | void *ctx; |
28 | | enum radius_das_res (*disconnect)(void *ctx, |
29 | | struct radius_das_attrs *attr); |
30 | | enum radius_das_res (*coa)(void *ctx, struct radius_das_attrs *attr); |
31 | | }; |
32 | | |
33 | | |
34 | | static struct radius_msg * radius_das_disconnect(struct radius_das_data *das, |
35 | | struct radius_msg *msg, |
36 | | const char *abuf, |
37 | | int from_port) |
38 | 0 | { |
39 | 0 | struct radius_hdr *hdr; |
40 | 0 | struct radius_msg *reply; |
41 | 0 | u8 allowed[] = { |
42 | 0 | RADIUS_ATTR_USER_NAME, |
43 | 0 | RADIUS_ATTR_NAS_IP_ADDRESS, |
44 | 0 | RADIUS_ATTR_CALLING_STATION_ID, |
45 | 0 | RADIUS_ATTR_NAS_IDENTIFIER, |
46 | 0 | RADIUS_ATTR_ACCT_SESSION_ID, |
47 | 0 | RADIUS_ATTR_ACCT_MULTI_SESSION_ID, |
48 | 0 | RADIUS_ATTR_EVENT_TIMESTAMP, |
49 | 0 | RADIUS_ATTR_MESSAGE_AUTHENTICATOR, |
50 | 0 | RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, |
51 | 0 | #ifdef CONFIG_IPV6 |
52 | 0 | RADIUS_ATTR_NAS_IPV6_ADDRESS, |
53 | 0 | #endif /* CONFIG_IPV6 */ |
54 | 0 | 0 |
55 | 0 | }; |
56 | 0 | int error = 405; |
57 | 0 | u8 attr; |
58 | 0 | enum radius_das_res res; |
59 | 0 | struct radius_das_attrs attrs; |
60 | 0 | u8 *buf; |
61 | 0 | size_t len; |
62 | 0 | char tmp[100]; |
63 | 0 | u8 sta_addr[ETH_ALEN]; |
64 | |
|
65 | 0 | hdr = radius_msg_get_hdr(msg); |
66 | |
|
67 | 0 | attr = radius_msg_find_unlisted_attr(msg, allowed); |
68 | 0 | if (attr) { |
69 | 0 | wpa_printf(MSG_INFO, "DAS: Unsupported attribute %u in " |
70 | 0 | "Disconnect-Request from %s:%d", attr, |
71 | 0 | abuf, from_port); |
72 | 0 | error = 401; |
73 | 0 | goto fail; |
74 | 0 | } |
75 | | |
76 | 0 | os_memset(&attrs, 0, sizeof(attrs)); |
77 | |
|
78 | 0 | if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, |
79 | 0 | &buf, &len, NULL) == 0) { |
80 | 0 | if (len != 4) { |
81 | 0 | wpa_printf(MSG_INFO, "DAS: Invalid NAS-IP-Address from %s:%d", |
82 | 0 | abuf, from_port); |
83 | 0 | error = 407; |
84 | 0 | goto fail; |
85 | 0 | } |
86 | 0 | attrs.nas_ip_addr = buf; |
87 | 0 | } |
88 | | |
89 | 0 | #ifdef CONFIG_IPV6 |
90 | 0 | if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, |
91 | 0 | &buf, &len, NULL) == 0) { |
92 | 0 | if (len != 16) { |
93 | 0 | wpa_printf(MSG_INFO, "DAS: Invalid NAS-IPv6-Address from %s:%d", |
94 | 0 | abuf, from_port); |
95 | 0 | error = 407; |
96 | 0 | goto fail; |
97 | 0 | } |
98 | 0 | attrs.nas_ipv6_addr = buf; |
99 | 0 | } |
100 | 0 | #endif /* CONFIG_IPV6 */ |
101 | | |
102 | 0 | if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IDENTIFIER, |
103 | 0 | &buf, &len, NULL) == 0) { |
104 | 0 | attrs.nas_identifier = buf; |
105 | 0 | attrs.nas_identifier_len = len; |
106 | 0 | } |
107 | |
|
108 | 0 | if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CALLING_STATION_ID, |
109 | 0 | &buf, &len, NULL) == 0) { |
110 | 0 | if (len >= sizeof(tmp)) |
111 | 0 | len = sizeof(tmp) - 1; |
112 | 0 | os_memcpy(tmp, buf, len); |
113 | 0 | tmp[len] = '\0'; |
114 | 0 | if (hwaddr_aton2(tmp, sta_addr) < 0) { |
115 | 0 | wpa_printf(MSG_INFO, "DAS: Invalid Calling-Station-Id " |
116 | 0 | "'%s' from %s:%d", tmp, abuf, from_port); |
117 | 0 | error = 407; |
118 | 0 | goto fail; |
119 | 0 | } |
120 | 0 | attrs.sta_addr = sta_addr; |
121 | 0 | } |
122 | | |
123 | 0 | if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, |
124 | 0 | &buf, &len, NULL) == 0) { |
125 | 0 | attrs.user_name = buf; |
126 | 0 | attrs.user_name_len = len; |
127 | 0 | } |
128 | |
|
129 | 0 | if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_ACCT_SESSION_ID, |
130 | 0 | &buf, &len, NULL) == 0) { |
131 | 0 | attrs.acct_session_id = buf; |
132 | 0 | attrs.acct_session_id_len = len; |
133 | 0 | } |
134 | |
|
135 | 0 | if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_ACCT_MULTI_SESSION_ID, |
136 | 0 | &buf, &len, NULL) == 0) { |
137 | 0 | attrs.acct_multi_session_id = buf; |
138 | 0 | attrs.acct_multi_session_id_len = len; |
139 | 0 | } |
140 | |
|
141 | 0 | if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, |
142 | 0 | &buf, &len, NULL) == 0) { |
143 | 0 | attrs.cui = buf; |
144 | 0 | attrs.cui_len = len; |
145 | 0 | } |
146 | |
|
147 | 0 | res = das->disconnect(das->ctx, &attrs); |
148 | 0 | switch (res) { |
149 | 0 | case RADIUS_DAS_NAS_MISMATCH: |
150 | 0 | wpa_printf(MSG_INFO, "DAS: NAS mismatch from %s:%d", |
151 | 0 | abuf, from_port); |
152 | 0 | error = 403; |
153 | 0 | break; |
154 | 0 | case RADIUS_DAS_SESSION_NOT_FOUND: |
155 | 0 | wpa_printf(MSG_INFO, "DAS: Session not found for request from " |
156 | 0 | "%s:%d", abuf, from_port); |
157 | 0 | error = 503; |
158 | 0 | break; |
159 | 0 | case RADIUS_DAS_MULTI_SESSION_MATCH: |
160 | 0 | wpa_printf(MSG_INFO, |
161 | 0 | "DAS: Multiple sessions match for request from %s:%d", |
162 | 0 | abuf, from_port); |
163 | 0 | error = 508; |
164 | 0 | break; |
165 | 0 | case RADIUS_DAS_COA_FAILED: |
166 | | /* not used with Disconnect-Request */ |
167 | 0 | error = 405; |
168 | 0 | break; |
169 | 0 | case RADIUS_DAS_SUCCESS: |
170 | 0 | error = 0; |
171 | 0 | break; |
172 | 0 | } |
173 | | |
174 | 0 | fail: |
175 | 0 | reply = radius_msg_new(error ? RADIUS_CODE_DISCONNECT_NAK : |
176 | 0 | RADIUS_CODE_DISCONNECT_ACK, hdr->identifier); |
177 | 0 | if (reply == NULL) |
178 | 0 | return NULL; |
179 | | |
180 | 0 | if (!radius_msg_add_msg_auth(reply)) { |
181 | 0 | radius_msg_free(reply); |
182 | 0 | return NULL; |
183 | 0 | } |
184 | | |
185 | 0 | if (error) { |
186 | 0 | if (!radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE, |
187 | 0 | error)) { |
188 | 0 | radius_msg_free(reply); |
189 | 0 | return NULL; |
190 | 0 | } |
191 | 0 | } |
192 | | |
193 | 0 | return reply; |
194 | 0 | } |
195 | | |
196 | | |
197 | | static struct radius_msg * radius_das_coa(struct radius_das_data *das, |
198 | | struct radius_msg *msg, |
199 | | const char *abuf, int from_port) |
200 | 0 | { |
201 | 0 | struct radius_hdr *hdr; |
202 | 0 | struct radius_msg *reply; |
203 | 0 | u8 allowed[] = { |
204 | 0 | RADIUS_ATTR_USER_NAME, |
205 | 0 | RADIUS_ATTR_NAS_IP_ADDRESS, |
206 | 0 | RADIUS_ATTR_CALLING_STATION_ID, |
207 | 0 | RADIUS_ATTR_NAS_IDENTIFIER, |
208 | 0 | RADIUS_ATTR_ACCT_SESSION_ID, |
209 | 0 | RADIUS_ATTR_ACCT_MULTI_SESSION_ID, |
210 | 0 | RADIUS_ATTR_EVENT_TIMESTAMP, |
211 | 0 | RADIUS_ATTR_MESSAGE_AUTHENTICATOR, |
212 | 0 | RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, |
213 | 0 | #ifdef CONFIG_HS20 |
214 | 0 | RADIUS_ATTR_VENDOR_SPECIFIC, |
215 | 0 | #endif /* CONFIG_HS20 */ |
216 | 0 | #ifdef CONFIG_IPV6 |
217 | 0 | RADIUS_ATTR_NAS_IPV6_ADDRESS, |
218 | 0 | #endif /* CONFIG_IPV6 */ |
219 | 0 | 0 |
220 | 0 | }; |
221 | 0 | int error = 405; |
222 | 0 | u8 attr; |
223 | 0 | enum radius_das_res res; |
224 | 0 | struct radius_das_attrs attrs; |
225 | 0 | u8 *buf; |
226 | 0 | size_t len; |
227 | 0 | char tmp[100]; |
228 | 0 | u8 sta_addr[ETH_ALEN]; |
229 | |
|
230 | 0 | hdr = radius_msg_get_hdr(msg); |
231 | |
|
232 | 0 | if (!das->coa) { |
233 | 0 | wpa_printf(MSG_INFO, "DAS: CoA not supported"); |
234 | 0 | goto fail; |
235 | 0 | } |
236 | | |
237 | 0 | attr = radius_msg_find_unlisted_attr(msg, allowed); |
238 | 0 | if (attr) { |
239 | 0 | wpa_printf(MSG_INFO, |
240 | 0 | "DAS: Unsupported attribute %u in CoA-Request from %s:%d", |
241 | 0 | attr, abuf, from_port); |
242 | 0 | error = 401; |
243 | 0 | goto fail; |
244 | 0 | } |
245 | | |
246 | 0 | os_memset(&attrs, 0, sizeof(attrs)); |
247 | |
|
248 | 0 | if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, |
249 | 0 | &buf, &len, NULL) == 0) { |
250 | 0 | if (len != 4) { |
251 | 0 | wpa_printf(MSG_INFO, "DAS: Invalid NAS-IP-Address from %s:%d", |
252 | 0 | abuf, from_port); |
253 | 0 | error = 407; |
254 | 0 | goto fail; |
255 | 0 | } |
256 | 0 | attrs.nas_ip_addr = buf; |
257 | 0 | } |
258 | | |
259 | 0 | #ifdef CONFIG_IPV6 |
260 | 0 | if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, |
261 | 0 | &buf, &len, NULL) == 0) { |
262 | 0 | if (len != 16) { |
263 | 0 | wpa_printf(MSG_INFO, "DAS: Invalid NAS-IPv6-Address from %s:%d", |
264 | 0 | abuf, from_port); |
265 | 0 | error = 407; |
266 | 0 | goto fail; |
267 | 0 | } |
268 | 0 | attrs.nas_ipv6_addr = buf; |
269 | 0 | } |
270 | 0 | #endif /* CONFIG_IPV6 */ |
271 | | |
272 | 0 | if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IDENTIFIER, |
273 | 0 | &buf, &len, NULL) == 0) { |
274 | 0 | attrs.nas_identifier = buf; |
275 | 0 | attrs.nas_identifier_len = len; |
276 | 0 | } |
277 | |
|
278 | 0 | if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CALLING_STATION_ID, |
279 | 0 | &buf, &len, NULL) == 0) { |
280 | 0 | if (len >= sizeof(tmp)) |
281 | 0 | len = sizeof(tmp) - 1; |
282 | 0 | os_memcpy(tmp, buf, len); |
283 | 0 | tmp[len] = '\0'; |
284 | 0 | if (hwaddr_aton2(tmp, sta_addr) < 0) { |
285 | 0 | wpa_printf(MSG_INFO, "DAS: Invalid Calling-Station-Id " |
286 | 0 | "'%s' from %s:%d", tmp, abuf, from_port); |
287 | 0 | error = 407; |
288 | 0 | goto fail; |
289 | 0 | } |
290 | 0 | attrs.sta_addr = sta_addr; |
291 | 0 | } |
292 | | |
293 | 0 | if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, |
294 | 0 | &buf, &len, NULL) == 0) { |
295 | 0 | attrs.user_name = buf; |
296 | 0 | attrs.user_name_len = len; |
297 | 0 | } |
298 | |
|
299 | 0 | if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_ACCT_SESSION_ID, |
300 | 0 | &buf, &len, NULL) == 0) { |
301 | 0 | attrs.acct_session_id = buf; |
302 | 0 | attrs.acct_session_id_len = len; |
303 | 0 | } |
304 | |
|
305 | 0 | if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_ACCT_MULTI_SESSION_ID, |
306 | 0 | &buf, &len, NULL) == 0) { |
307 | 0 | attrs.acct_multi_session_id = buf; |
308 | 0 | attrs.acct_multi_session_id_len = len; |
309 | 0 | } |
310 | |
|
311 | 0 | if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, |
312 | 0 | &buf, &len, NULL) == 0) { |
313 | 0 | attrs.cui = buf; |
314 | 0 | attrs.cui_len = len; |
315 | 0 | } |
316 | |
|
317 | 0 | #ifdef CONFIG_HS20 |
318 | 0 | if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_VENDOR_SPECIFIC, |
319 | 0 | &buf, &len, NULL) == 0) { |
320 | 0 | if (len < 10 || WPA_GET_BE32(buf) != RADIUS_VENDOR_ID_WFA || |
321 | 0 | buf[4] != RADIUS_VENDOR_ATTR_WFA_HS20_T_C_FILTERING || |
322 | 0 | buf[5] < 6) { |
323 | 0 | wpa_printf(MSG_INFO, |
324 | 0 | "DAS: Unsupported attribute %u in CoA-Request from %s:%d", |
325 | 0 | attr, abuf, from_port); |
326 | 0 | error = 401; |
327 | 0 | goto fail; |
328 | 0 | } |
329 | 0 | attrs.hs20_t_c_filtering = &buf[6]; |
330 | 0 | } |
331 | | |
332 | 0 | if (!attrs.hs20_t_c_filtering) { |
333 | 0 | wpa_printf(MSG_INFO, |
334 | 0 | "DAS: No supported authorization change attribute in CoA-Request from %s:%d", |
335 | 0 | abuf, from_port); |
336 | 0 | error = 402; |
337 | 0 | goto fail; |
338 | 0 | } |
339 | 0 | #endif /* CONFIG_HS20 */ |
340 | | |
341 | 0 | res = das->coa(das->ctx, &attrs); |
342 | 0 | switch (res) { |
343 | 0 | case RADIUS_DAS_NAS_MISMATCH: |
344 | 0 | wpa_printf(MSG_INFO, "DAS: NAS mismatch from %s:%d", |
345 | 0 | abuf, from_port); |
346 | 0 | error = 403; |
347 | 0 | break; |
348 | 0 | case RADIUS_DAS_SESSION_NOT_FOUND: |
349 | 0 | wpa_printf(MSG_INFO, |
350 | 0 | "DAS: Session not found for request from %s:%d", |
351 | 0 | abuf, from_port); |
352 | 0 | error = 503; |
353 | 0 | break; |
354 | 0 | case RADIUS_DAS_MULTI_SESSION_MATCH: |
355 | 0 | wpa_printf(MSG_INFO, |
356 | 0 | "DAS: Multiple sessions match for request from %s:%d", |
357 | 0 | abuf, from_port); |
358 | 0 | error = 508; |
359 | 0 | break; |
360 | 0 | case RADIUS_DAS_COA_FAILED: |
361 | 0 | wpa_printf(MSG_INFO, "DAS: CoA failed for request from %s:%d", |
362 | 0 | abuf, from_port); |
363 | 0 | error = 407; |
364 | 0 | break; |
365 | 0 | case RADIUS_DAS_SUCCESS: |
366 | 0 | error = 0; |
367 | 0 | break; |
368 | 0 | } |
369 | | |
370 | 0 | fail: |
371 | 0 | reply = radius_msg_new(error ? RADIUS_CODE_COA_NAK : |
372 | 0 | RADIUS_CODE_COA_ACK, hdr->identifier); |
373 | 0 | if (!reply) |
374 | 0 | return NULL; |
375 | | |
376 | 0 | if (!radius_msg_add_msg_auth(reply)) { |
377 | 0 | radius_msg_free(reply); |
378 | 0 | return NULL; |
379 | 0 | } |
380 | | |
381 | 0 | if (error && |
382 | 0 | !radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE, error)) { |
383 | 0 | radius_msg_free(reply); |
384 | 0 | return NULL; |
385 | 0 | } |
386 | | |
387 | 0 | return reply; |
388 | 0 | } |
389 | | |
390 | | |
391 | | static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx) |
392 | 0 | { |
393 | 0 | struct radius_das_data *das = eloop_ctx; |
394 | 0 | u8 buf[1500]; |
395 | 0 | union { |
396 | 0 | struct sockaddr_storage ss; |
397 | 0 | struct sockaddr_in sin; |
398 | 0 | #ifdef CONFIG_IPV6 |
399 | 0 | struct sockaddr_in6 sin6; |
400 | 0 | #endif /* CONFIG_IPV6 */ |
401 | 0 | } from; |
402 | 0 | char abuf[50]; |
403 | 0 | int from_port = 0; |
404 | 0 | socklen_t fromlen; |
405 | 0 | int len; |
406 | 0 | struct radius_msg *msg, *reply = NULL; |
407 | 0 | struct radius_hdr *hdr; |
408 | 0 | struct wpabuf *rbuf; |
409 | 0 | u32 val; |
410 | 0 | int res; |
411 | 0 | struct os_time now; |
412 | |
|
413 | 0 | fromlen = sizeof(from); |
414 | 0 | len = recvfrom(sock, buf, sizeof(buf), 0, |
415 | 0 | (struct sockaddr *) &from.ss, &fromlen); |
416 | 0 | if (len < 0) { |
417 | 0 | wpa_printf(MSG_ERROR, "DAS: recvfrom: %s", strerror(errno)); |
418 | 0 | return; |
419 | 0 | } |
420 | | |
421 | 0 | os_strlcpy(abuf, inet_ntoa(from.sin.sin_addr), sizeof(abuf)); |
422 | 0 | from_port = ntohs(from.sin.sin_port); |
423 | |
|
424 | 0 | wpa_printf(MSG_DEBUG, "DAS: Received %d bytes from %s:%d", |
425 | 0 | len, abuf, from_port); |
426 | 0 | if (das->client_addr.u.v4.s_addr && |
427 | 0 | das->client_addr.u.v4.s_addr != from.sin.sin_addr.s_addr) { |
428 | 0 | wpa_printf(MSG_DEBUG, "DAS: Drop message from unknown client"); |
429 | 0 | return; |
430 | 0 | } |
431 | | |
432 | 0 | msg = radius_msg_parse(buf, len); |
433 | 0 | if (msg == NULL) { |
434 | 0 | wpa_printf(MSG_DEBUG, "DAS: Parsing incoming RADIUS packet " |
435 | 0 | "from %s:%d failed", abuf, from_port); |
436 | 0 | return; |
437 | 0 | } |
438 | | |
439 | 0 | if (wpa_debug_level <= MSG_MSGDUMP) |
440 | 0 | radius_msg_dump(msg); |
441 | |
|
442 | 0 | if (radius_msg_verify_das_req(msg, das->shared_secret, |
443 | 0 | das->shared_secret_len, |
444 | 0 | das->require_message_authenticator)) { |
445 | 0 | wpa_printf(MSG_DEBUG, |
446 | 0 | "DAS: Invalid authenticator or Message-Authenticator in packet from %s:%d - drop", |
447 | 0 | abuf, from_port); |
448 | 0 | goto fail; |
449 | 0 | } |
450 | | |
451 | 0 | os_get_time(&now); |
452 | 0 | res = radius_msg_get_attr(msg, RADIUS_ATTR_EVENT_TIMESTAMP, |
453 | 0 | (u8 *) &val, 4); |
454 | 0 | if (res == 4) { |
455 | 0 | u32 timestamp = ntohl(val); |
456 | 0 | if ((unsigned int) abs((int) (now.sec - timestamp)) > |
457 | 0 | das->time_window) { |
458 | 0 | wpa_printf(MSG_DEBUG, "DAS: Unacceptable " |
459 | 0 | "Event-Timestamp (%u; local time %u) in " |
460 | 0 | "packet from %s:%d - drop", |
461 | 0 | timestamp, (unsigned int) now.sec, |
462 | 0 | abuf, from_port); |
463 | 0 | goto fail; |
464 | 0 | } |
465 | 0 | } else if (das->require_event_timestamp) { |
466 | 0 | wpa_printf(MSG_DEBUG, "DAS: Missing Event-Timestamp in packet " |
467 | 0 | "from %s:%d - drop", abuf, from_port); |
468 | 0 | goto fail; |
469 | 0 | } |
470 | | |
471 | 0 | hdr = radius_msg_get_hdr(msg); |
472 | |
|
473 | 0 | switch (hdr->code) { |
474 | 0 | case RADIUS_CODE_DISCONNECT_REQUEST: |
475 | 0 | reply = radius_das_disconnect(das, msg, abuf, from_port); |
476 | 0 | break; |
477 | 0 | case RADIUS_CODE_COA_REQUEST: |
478 | 0 | reply = radius_das_coa(das, msg, abuf, from_port); |
479 | 0 | break; |
480 | 0 | default: |
481 | 0 | wpa_printf(MSG_DEBUG, "DAS: Unexpected RADIUS code %u in " |
482 | 0 | "packet from %s:%d", |
483 | 0 | hdr->code, abuf, from_port); |
484 | 0 | } |
485 | | |
486 | 0 | if (reply) { |
487 | 0 | wpa_printf(MSG_DEBUG, "DAS: Reply to %s:%d", abuf, from_port); |
488 | |
|
489 | 0 | if (!radius_msg_add_attr_int32(reply, |
490 | 0 | RADIUS_ATTR_EVENT_TIMESTAMP, |
491 | 0 | now.sec)) { |
492 | 0 | wpa_printf(MSG_DEBUG, "DAS: Failed to add " |
493 | 0 | "Event-Timestamp attribute"); |
494 | 0 | } |
495 | |
|
496 | 0 | if (radius_msg_finish_das_resp(reply, das->shared_secret, |
497 | 0 | das->shared_secret_len, hdr) < |
498 | 0 | 0) { |
499 | 0 | wpa_printf(MSG_DEBUG, "DAS: Failed to add " |
500 | 0 | "Message-Authenticator attribute"); |
501 | 0 | } |
502 | |
|
503 | 0 | if (wpa_debug_level <= MSG_MSGDUMP) |
504 | 0 | radius_msg_dump(reply); |
505 | |
|
506 | 0 | rbuf = radius_msg_get_buf(reply); |
507 | 0 | res = sendto(das->sock, wpabuf_head(rbuf), |
508 | 0 | wpabuf_len(rbuf), 0, |
509 | 0 | (struct sockaddr *) &from.ss, fromlen); |
510 | 0 | if (res < 0) { |
511 | 0 | wpa_printf(MSG_ERROR, "DAS: sendto(to %s:%d): %s", |
512 | 0 | abuf, from_port, strerror(errno)); |
513 | 0 | } |
514 | 0 | } |
515 | |
|
516 | 0 | fail: |
517 | 0 | radius_msg_free(msg); |
518 | 0 | radius_msg_free(reply); |
519 | 0 | } |
520 | | |
521 | | |
522 | | static int radius_das_open_socket(int port) |
523 | 0 | { |
524 | 0 | int s; |
525 | 0 | struct sockaddr_in addr; |
526 | |
|
527 | 0 | s = socket(PF_INET, SOCK_DGRAM, 0); |
528 | 0 | if (s < 0) { |
529 | 0 | wpa_printf(MSG_INFO, "RADIUS DAS: socket: %s", strerror(errno)); |
530 | 0 | return -1; |
531 | 0 | } |
532 | | |
533 | 0 | os_memset(&addr, 0, sizeof(addr)); |
534 | 0 | addr.sin_family = AF_INET; |
535 | 0 | addr.sin_port = htons(port); |
536 | 0 | if (bind(s, (struct sockaddr *) &addr, sizeof(addr)) < 0) { |
537 | 0 | wpa_printf(MSG_INFO, "RADIUS DAS: bind: %s", strerror(errno)); |
538 | 0 | close(s); |
539 | 0 | return -1; |
540 | 0 | } |
541 | | |
542 | 0 | return s; |
543 | 0 | } |
544 | | |
545 | | |
546 | | struct radius_das_data * |
547 | | radius_das_init(struct radius_das_conf *conf) |
548 | 0 | { |
549 | 0 | struct radius_das_data *das; |
550 | |
|
551 | 0 | if (conf->port == 0 || conf->shared_secret == NULL || |
552 | 0 | conf->client_addr == NULL) |
553 | 0 | return NULL; |
554 | | |
555 | 0 | das = os_zalloc(sizeof(*das)); |
556 | 0 | if (das == NULL) |
557 | 0 | return NULL; |
558 | | |
559 | 0 | das->time_window = conf->time_window; |
560 | 0 | das->require_event_timestamp = conf->require_event_timestamp; |
561 | 0 | das->require_message_authenticator = |
562 | 0 | conf->require_message_authenticator; |
563 | 0 | das->ctx = conf->ctx; |
564 | 0 | das->disconnect = conf->disconnect; |
565 | 0 | das->coa = conf->coa; |
566 | |
|
567 | 0 | os_memcpy(&das->client_addr, conf->client_addr, |
568 | 0 | sizeof(das->client_addr)); |
569 | |
|
570 | 0 | das->shared_secret = os_memdup(conf->shared_secret, |
571 | 0 | conf->shared_secret_len); |
572 | 0 | if (das->shared_secret == NULL) { |
573 | 0 | radius_das_deinit(das); |
574 | 0 | return NULL; |
575 | 0 | } |
576 | 0 | das->shared_secret_len = conf->shared_secret_len; |
577 | |
|
578 | 0 | das->sock = radius_das_open_socket(conf->port); |
579 | 0 | if (das->sock < 0) { |
580 | 0 | wpa_printf(MSG_ERROR, "Failed to open UDP socket for RADIUS " |
581 | 0 | "DAS"); |
582 | 0 | radius_das_deinit(das); |
583 | 0 | return NULL; |
584 | 0 | } |
585 | | |
586 | 0 | if (eloop_register_read_sock(das->sock, radius_das_receive, das, NULL)) |
587 | 0 | { |
588 | 0 | radius_das_deinit(das); |
589 | 0 | return NULL; |
590 | 0 | } |
591 | | |
592 | 0 | return das; |
593 | 0 | } |
594 | | |
595 | | |
596 | | void radius_das_deinit(struct radius_das_data *das) |
597 | 0 | { |
598 | 0 | if (das == NULL) |
599 | 0 | return; |
600 | | |
601 | 0 | if (das->sock >= 0) { |
602 | 0 | eloop_unregister_read_sock(das->sock); |
603 | 0 | close(das->sock); |
604 | 0 | } |
605 | |
|
606 | 0 | os_free(das->shared_secret); |
607 | 0 | os_free(das); |
608 | 0 | } |