2 * hostapd / RADIUS authentication server
3 * Copyright (c) 2005-2006, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
23 #include "radius_server.h"
25 #define RADIUS_SESSION_TIMEOUT 60
26 #define RADIUS_MAX_SESSION 100
27 #define RADIUS_MAX_MSG_LEN 3000
29 static struct eapol_callbacks radius_server_eapol_cb
;
32 struct radius_server_data
;
34 struct radius_server_counters
{
37 u32 dup_access_requests
;
40 u32 access_challenges
;
41 u32 malformed_access_requests
;
42 u32 bad_authenticators
;
47 struct radius_session
{
48 struct radius_session
*next
;
49 struct radius_client
*client
;
50 struct radius_server_data
*server
;
53 u8
*eapKeyData
, *eapReqData
;
54 size_t eapKeyDataLen
, eapReqDataLen
;
55 Boolean eapSuccess
, eapRestart
, eapFail
, eapResp
, eapReq
, eapNoReq
;
56 Boolean portEnabled
, eapTimeout
;
58 struct radius_msg
*last_msg
;
61 struct sockaddr_storage last_from
;
62 socklen_t last_fromlen
;
64 struct radius_msg
*last_reply
;
65 u8 last_authenticator
[16];
68 struct radius_client
{
69 struct radius_client
*next
;
73 struct in6_addr addr6
;
74 struct in6_addr mask6
;
75 #endif /* CONFIG_IPV6 */
77 int shared_secret_len
;
78 struct radius_session
*sessions
;
79 struct radius_server_counters counters
;
82 struct radius_server_data
{
84 struct radius_client
*clients
;
85 unsigned int next_sess_id
;
88 void *eap_sim_db_priv
;
91 struct os_time start_time
;
92 struct radius_server_counters counters
;
96 extern int wpa_debug_level
;
98 #define RADIUS_DEBUG(args...) \
99 wpa_printf(MSG_DEBUG, "RADIUS SRV: " args)
100 #define RADIUS_ERROR(args...) \
101 wpa_printf(MSG_ERROR, "RADIUS SRV: " args)
102 #define RADIUS_DUMP(args...) \
103 wpa_hexdump(MSG_MSGDUMP, "RADIUS SRV: " args)
104 #define RADIUS_DUMP_ASCII(args...) \
105 wpa_hexdump_ascii(MSG_MSGDUMP, "RADIUS SRV: " args)
108 static void radius_server_session_timeout(void *eloop_ctx
, void *timeout_ctx
);
112 static struct radius_client
*
113 radius_server_get_client(struct radius_server_data
*data
, struct in_addr
*addr
,
116 struct radius_client
*client
= data
->clients
;
121 struct in6_addr
*addr6
;
124 addr6
= (struct in6_addr
*) addr
;
125 for (i
= 0; i
< 16; i
++) {
126 if ((addr6
->s6_addr
[i
] &
127 client
->mask6
.s6_addr
[i
]) !=
128 (client
->addr6
.s6_addr
[i
] &
129 client
->mask6
.s6_addr
[i
])) {
138 #endif /* CONFIG_IPV6 */
139 if (!ipv6
&& (client
->addr
.s_addr
& client
->mask
.s_addr
) ==
140 (addr
->s_addr
& client
->mask
.s_addr
)) {
144 client
= client
->next
;
151 static struct radius_session
*
152 radius_server_get_session(struct radius_client
*client
, unsigned int sess_id
)
154 struct radius_session
*sess
= client
->sessions
;
157 if (sess
->sess_id
== sess_id
) {
167 static void radius_server_session_free(struct radius_server_data
*data
,
168 struct radius_session
*sess
)
170 eloop_cancel_timeout(radius_server_session_timeout
, data
, sess
);
171 free(sess
->eapKeyData
);
172 free(sess
->eapReqData
);
173 eap_sm_deinit(sess
->eap
);
174 if (sess
->last_msg
) {
175 radius_msg_free(sess
->last_msg
);
176 free(sess
->last_msg
);
178 free(sess
->last_from_addr
);
179 if (sess
->last_reply
) {
180 radius_msg_free(sess
->last_reply
);
181 free(sess
->last_reply
);
188 static void radius_server_session_remove_timeout(void *eloop_ctx
,
191 static void radius_server_session_remove(struct radius_server_data
*data
,
192 struct radius_session
*sess
)
194 struct radius_client
*client
= sess
->client
;
195 struct radius_session
*session
, *prev
;
197 eloop_cancel_timeout(radius_server_session_remove_timeout
, data
, sess
);
200 session
= client
->sessions
;
202 if (session
== sess
) {
204 client
->sessions
= sess
->next
;
206 prev
->next
= sess
->next
;
208 radius_server_session_free(data
, sess
);
212 session
= session
->next
;
217 static void radius_server_session_remove_timeout(void *eloop_ctx
,
220 struct radius_server_data
*data
= eloop_ctx
;
221 struct radius_session
*sess
= timeout_ctx
;
222 RADIUS_DEBUG("Removing completed session 0x%x", sess
->sess_id
);
223 radius_server_session_remove(data
, sess
);
227 static void radius_server_session_timeout(void *eloop_ctx
, void *timeout_ctx
)
229 struct radius_server_data
*data
= eloop_ctx
;
230 struct radius_session
*sess
= timeout_ctx
;
232 RADIUS_DEBUG("Timing out authentication session 0x%x", sess
->sess_id
);
233 radius_server_session_remove(data
, sess
);
237 static struct radius_session
*
238 radius_server_new_session(struct radius_server_data
*data
,
239 struct radius_client
*client
)
241 struct radius_session
*sess
;
243 if (data
->num_sess
>= RADIUS_MAX_SESSION
) {
244 RADIUS_DEBUG("Maximum number of existing session - no room "
245 "for a new session");
249 sess
= wpa_zalloc(sizeof(*sess
));
254 sess
->client
= client
;
255 sess
->sess_id
= data
->next_sess_id
++;
256 sess
->next
= client
->sessions
;
257 client
->sessions
= sess
;
258 eloop_register_timeout(RADIUS_SESSION_TIMEOUT
, 0,
259 radius_server_session_timeout
, data
, sess
);
265 static struct radius_session
*
266 radius_server_get_new_session(struct radius_server_data
*data
,
267 struct radius_client
*client
,
268 struct radius_msg
*msg
)
272 const struct hostapd_eap_user
*eap_user
;
274 struct radius_session
*sess
;
275 struct eap_config eap_conf
;
277 RADIUS_DEBUG("Creating a new session");
283 res
= radius_msg_get_attr(msg
, RADIUS_ATTR_USER_NAME
, user
, 256);
284 if (res
< 0 || res
> 256) {
285 RADIUS_DEBUG("Could not get User-Name");
290 RADIUS_DUMP_ASCII("User-Name", user
, user_len
);
292 eap_user
= hostapd_get_eap_user(data
->hostapd_conf
, user
, user_len
, 0);
296 RADIUS_DEBUG("Matching user entry found");
297 sess
= radius_server_new_session(data
, client
);
299 RADIUS_DEBUG("Failed to create a new session");
303 RADIUS_DEBUG("User-Name not found from user database");
307 memset(&eap_conf
, 0, sizeof(eap_conf
));
308 eap_conf
.ssl_ctx
= data
->ssl_ctx
;
309 eap_conf
.eap_sim_db_priv
= data
->eap_sim_db_priv
;
310 eap_conf
.backend_auth
= TRUE
;
311 sess
->eap
= eap_sm_init(sess
, &radius_server_eapol_cb
, &eap_conf
);
312 if (sess
->eap
== NULL
) {
313 RADIUS_DEBUG("Failed to initialize EAP state machine for the "
315 radius_server_session_free(data
, sess
);
318 sess
->eapRestart
= TRUE
;
319 sess
->portEnabled
= TRUE
;
321 RADIUS_DEBUG("New session 0x%x initialized", sess
->sess_id
);
327 static struct radius_msg
*
328 radius_server_encapsulate_eap(struct radius_server_data
*data
,
329 struct radius_client
*client
,
330 struct radius_session
*sess
,
331 struct radius_msg
*request
)
333 struct radius_msg
*msg
;
335 unsigned int sess_id
;
338 code
= RADIUS_CODE_ACCESS_REJECT
;
339 } else if (sess
->eapSuccess
) {
340 code
= RADIUS_CODE_ACCESS_ACCEPT
;
342 code
= RADIUS_CODE_ACCESS_CHALLENGE
;
345 msg
= radius_msg_new(code
, request
->hdr
->identifier
);
347 RADIUS_DEBUG("Failed to allocate reply message");
351 sess_id
= htonl(sess
->sess_id
);
352 if (code
== RADIUS_CODE_ACCESS_CHALLENGE
&&
353 !radius_msg_add_attr(msg
, RADIUS_ATTR_STATE
,
354 (u8
*) &sess_id
, sizeof(sess_id
))) {
355 RADIUS_DEBUG("Failed to add State attribute");
358 if (sess
->eapReqData
&&
359 !radius_msg_add_eap(msg
, sess
->eapReqData
, sess
->eapReqDataLen
)) {
360 RADIUS_DEBUG("Failed to add EAP-Message attribute");
363 if (code
== RADIUS_CODE_ACCESS_ACCEPT
&& sess
->eapKeyData
) {
365 if (sess
->eapKeyDataLen
> 64) {
368 len
= sess
->eapKeyDataLen
/ 2;
370 if (!radius_msg_add_mppe_keys(msg
, request
->hdr
->authenticator
,
371 (u8
*) client
->shared_secret
,
372 client
->shared_secret_len
,
373 sess
->eapKeyData
+ len
, len
,
374 sess
->eapKeyData
, len
)) {
375 RADIUS_DEBUG("Failed to add MPPE key attributes");
379 if (radius_msg_finish_srv(msg
, (u8
*) client
->shared_secret
,
380 client
->shared_secret_len
,
381 request
->hdr
->authenticator
) < 0) {
382 RADIUS_DEBUG("Failed to add Message-Authenticator attribute");
389 static int radius_server_reject(struct radius_server_data
*data
,
390 struct radius_client
*client
,
391 struct radius_msg
*request
,
392 struct sockaddr
*from
, socklen_t fromlen
,
393 const char *from_addr
, int from_port
)
395 struct radius_msg
*msg
;
397 struct eap_hdr eapfail
;
399 RADIUS_DEBUG("Reject invalid request from %s:%d",
400 from_addr
, from_port
);
402 msg
= radius_msg_new(RADIUS_CODE_ACCESS_REJECT
,
403 request
->hdr
->identifier
);
408 memset(&eapfail
, 0, sizeof(eapfail
));
409 eapfail
.code
= EAP_CODE_FAILURE
;
410 eapfail
.identifier
= 0;
411 eapfail
.length
= htons(sizeof(eapfail
));
413 if (!radius_msg_add_eap(msg
, (u8
*) &eapfail
, sizeof(eapfail
))) {
414 RADIUS_DEBUG("Failed to add EAP-Message attribute");
418 if (radius_msg_finish_srv(msg
, (u8
*) client
->shared_secret
,
419 client
->shared_secret_len
,
420 request
->hdr
->authenticator
) < 0) {
421 RADIUS_DEBUG("Failed to add Message-Authenticator attribute");
424 if (wpa_debug_level
<= MSG_MSGDUMP
) {
425 radius_msg_dump(msg
);
428 data
->counters
.access_rejects
++;
429 client
->counters
.access_rejects
++;
430 if (sendto(data
->auth_sock
, msg
->buf
, msg
->buf_used
, 0,
431 (struct sockaddr
*) from
, sizeof(*from
)) < 0) {
432 perror("sendto[RADIUS SRV]");
436 radius_msg_free(msg
);
443 static int radius_server_request(struct radius_server_data
*data
,
444 struct radius_msg
*msg
,
445 struct sockaddr
*from
, socklen_t fromlen
,
446 struct radius_client
*client
,
447 const char *from_addr
, int from_port
,
448 struct radius_session
*force_sess
)
452 int res
, state_included
= 0;
453 u8 statebuf
[4], resp_id
;
455 struct radius_session
*sess
;
456 struct radius_msg
*reply
;
462 res
= radius_msg_get_attr(msg
, RADIUS_ATTR_STATE
, statebuf
,
464 state_included
= res
>= 0;
465 if (res
== sizeof(statebuf
)) {
466 state
= (statebuf
[0] << 24) | (statebuf
[1] << 16) |
467 (statebuf
[2] << 8) | statebuf
[3];
468 sess
= radius_server_get_session(client
, state
);
475 RADIUS_DEBUG("Request for session 0x%x", sess
->sess_id
);
476 } else if (state_included
) {
477 RADIUS_DEBUG("State attribute included but no session found");
478 radius_server_reject(data
, client
, msg
, from
, fromlen
,
479 from_addr
, from_port
);
482 sess
= radius_server_get_new_session(data
, client
, msg
);
484 RADIUS_DEBUG("Could not create a new session");
485 radius_server_reject(data
, client
, msg
, from
, fromlen
,
486 from_addr
, from_port
);
491 if (sess
->last_from_port
== from_port
&&
492 sess
->last_identifier
== msg
->hdr
->identifier
&&
493 os_memcmp(sess
->last_authenticator
, msg
->hdr
->authenticator
, 16) ==
495 RADIUS_DEBUG("Duplicate message from %s", from_addr
);
496 data
->counters
.dup_access_requests
++;
497 client
->counters
.dup_access_requests
++;
499 if (sess
->last_reply
) {
500 res
= sendto(data
->auth_sock
, sess
->last_reply
->buf
,
501 sess
->last_reply
->buf_used
, 0,
502 (struct sockaddr
*) from
, fromlen
);
504 perror("sendto[RADIUS SRV]");
509 RADIUS_DEBUG("No previous reply available for duplicate "
514 eap
= radius_msg_get_eap(msg
, &eap_len
);
516 RADIUS_DEBUG("No EAP-Message in RADIUS packet from %s",
518 data
->counters
.packets_dropped
++;
519 client
->counters
.packets_dropped
++;
523 RADIUS_DUMP("Received EAP data", eap
, eap_len
);
524 if (eap_len
>= sizeof(*hdr
)) {
525 hdr
= (struct eap_hdr
*) eap
;
526 resp_id
= hdr
->identifier
;
531 /* FIX: if Code is Request, Success, or Failure, send Access-Reject;
532 * RFC3579 Sect. 2.6.2.
533 * Include EAP-Response/Nak with no preferred method if
535 * If code is not 1-4, discard the packet silently.
536 * Or is this already done by the EAP state machine? */
538 eap_set_eapRespData(sess
->eap
, eap
, eap_len
);
541 sess
->eapResp
= TRUE
;
542 eap_sm_step(sess
->eap
);
544 if (sess
->eapReqData
) {
545 RADIUS_DUMP("EAP data from the state machine",
546 sess
->eapReqData
, sess
->eapReqDataLen
);
547 } else if (sess
->eapFail
) {
548 RADIUS_DEBUG("No EAP data from the state machine, but eapFail "
549 "set - generate EAP-Failure");
550 hdr
= wpa_zalloc(sizeof(*hdr
));
552 hdr
->identifier
= resp_id
;
553 hdr
->length
= htons(sizeof(*hdr
));
554 sess
->eapReqData
= (u8
*) hdr
;
555 sess
->eapReqDataLen
= sizeof(*hdr
);
557 } else if (eap_sm_method_pending(sess
->eap
)) {
558 if (sess
->last_msg
) {
559 radius_msg_free(sess
->last_msg
);
560 free(sess
->last_msg
);
562 sess
->last_msg
= msg
;
563 sess
->last_from_port
= from_port
;
564 free(sess
->last_from_addr
);
565 sess
->last_from_addr
= strdup(from_addr
);
566 sess
->last_fromlen
= fromlen
;
567 memcpy(&sess
->last_from
, from
, fromlen
);
570 RADIUS_DEBUG("No EAP data from the state machine - ignore this"
571 " Access-Request silently (assuming it was a "
573 data
->counters
.packets_dropped
++;
574 client
->counters
.packets_dropped
++;
578 reply
= radius_server_encapsulate_eap(data
, client
, sess
, msg
);
580 free(sess
->eapReqData
);
581 sess
->eapReqData
= NULL
;
582 sess
->eapReqDataLen
= 0;
585 RADIUS_DEBUG("Reply to %s:%d", from_addr
, from_port
);
586 if (wpa_debug_level
<= MSG_MSGDUMP
) {
587 radius_msg_dump(reply
);
590 switch (reply
->hdr
->code
) {
591 case RADIUS_CODE_ACCESS_ACCEPT
:
592 data
->counters
.access_accepts
++;
593 client
->counters
.access_accepts
++;
595 case RADIUS_CODE_ACCESS_REJECT
:
596 data
->counters
.access_rejects
++;
597 client
->counters
.access_rejects
++;
599 case RADIUS_CODE_ACCESS_CHALLENGE
:
600 data
->counters
.access_challenges
++;
601 client
->counters
.access_challenges
++;
604 res
= sendto(data
->auth_sock
, reply
->buf
, reply
->buf_used
, 0,
605 (struct sockaddr
*) from
, fromlen
);
607 perror("sendto[RADIUS SRV]");
609 if (sess
->last_reply
) {
610 radius_msg_free(sess
->last_reply
);
611 free(sess
->last_reply
);
613 sess
->last_reply
= reply
;
614 sess
->last_from_port
= from_port
;
615 sess
->last_identifier
= msg
->hdr
->identifier
;
616 os_memcpy(sess
->last_authenticator
, msg
->hdr
->authenticator
,
619 data
->counters
.packets_dropped
++;
620 client
->counters
.packets_dropped
++;
623 if (sess
->eapSuccess
|| sess
->eapFail
) {
624 RADIUS_DEBUG("Removing completed session 0x%x after timeout",
626 eloop_cancel_timeout(radius_server_session_remove_timeout
,
628 eloop_register_timeout(10, 0,
629 radius_server_session_remove_timeout
,
637 static void radius_server_receive_auth(int sock
, void *eloop_ctx
,
640 struct radius_server_data
*data
= eloop_ctx
;
642 struct sockaddr_storage from
;
645 struct radius_client
*client
= NULL
;
646 struct radius_msg
*msg
= NULL
;
650 buf
= malloc(RADIUS_MAX_MSG_LEN
);
655 fromlen
= sizeof(from
);
656 len
= recvfrom(sock
, buf
, RADIUS_MAX_MSG_LEN
, 0,
657 (struct sockaddr
*) &from
, &fromlen
);
659 perror("recvfrom[radius_server]");
665 struct sockaddr_in6
*from6
= (struct sockaddr_in6
*) &from
;
666 if (inet_ntop(AF_INET6
, &from6
->sin6_addr
, abuf
, sizeof(abuf
))
669 from_port
= ntohs(from6
->sin6_port
);
670 RADIUS_DEBUG("Received %d bytes from %s:%d",
671 len
, abuf
, from_port
);
673 client
= radius_server_get_client(data
,
675 &from6
->sin6_addr
, 1);
677 #endif /* CONFIG_IPV6 */
680 struct sockaddr_in
*from4
= (struct sockaddr_in
*) &from
;
681 snprintf(abuf
, sizeof(abuf
), "%s", inet_ntoa(from4
->sin_addr
));
682 from_port
= ntohs(from4
->sin_port
);
683 RADIUS_DEBUG("Received %d bytes from %s:%d",
684 len
, abuf
, from_port
);
686 client
= radius_server_get_client(data
, &from4
->sin_addr
, 0);
689 RADIUS_DUMP("Received data", buf
, len
);
691 if (client
== NULL
) {
692 RADIUS_DEBUG("Unknown client %s - packet ignored", abuf
);
693 data
->counters
.invalid_requests
++;
697 msg
= radius_msg_parse(buf
, len
);
699 RADIUS_DEBUG("Parsing incoming RADIUS frame failed");
700 data
->counters
.malformed_access_requests
++;
701 client
->counters
.malformed_access_requests
++;
708 if (wpa_debug_level
<= MSG_MSGDUMP
) {
709 radius_msg_dump(msg
);
712 if (msg
->hdr
->code
!= RADIUS_CODE_ACCESS_REQUEST
) {
713 RADIUS_DEBUG("Unexpected RADIUS code %d", msg
->hdr
->code
);
714 data
->counters
.unknown_types
++;
715 client
->counters
.unknown_types
++;
719 data
->counters
.access_requests
++;
720 client
->counters
.access_requests
++;
722 if (radius_msg_verify_msg_auth(msg
, (u8
*) client
->shared_secret
,
723 client
->shared_secret_len
, NULL
)) {
724 RADIUS_DEBUG("Invalid Message-Authenticator from %s", abuf
);
725 data
->counters
.bad_authenticators
++;
726 client
->counters
.bad_authenticators
++;
730 if (radius_server_request(data
, msg
, (struct sockaddr
*) &from
,
731 fromlen
, client
, abuf
, from_port
, NULL
) ==
733 return; /* msg was stored with the session */
737 radius_msg_free(msg
);
744 static int radius_server_open_socket(int port
)
747 struct sockaddr_in addr
;
749 s
= socket(PF_INET
, SOCK_DGRAM
, 0);
755 memset(&addr
, 0, sizeof(addr
));
756 addr
.sin_family
= AF_INET
;
757 addr
.sin_port
= htons(port
);
758 if (bind(s
, (struct sockaddr
*) &addr
, sizeof(addr
)) < 0) {
769 static int radius_server_open_socket6(int port
)
772 struct sockaddr_in6 addr
;
774 s
= socket(PF_INET6
, SOCK_DGRAM
, 0);
776 perror("socket[IPv6]");
780 memset(&addr
, 0, sizeof(addr
));
781 addr
.sin6_family
= AF_INET6
;
782 memcpy(&addr
.sin6_addr
, &in6addr_any
, sizeof(in6addr_any
));
783 addr
.sin6_port
= htons(port
);
784 if (bind(s
, (struct sockaddr
*) &addr
, sizeof(addr
)) < 0) {
792 #endif /* CONFIG_IPV6 */
795 static void radius_server_free_sessions(struct radius_server_data
*data
,
796 struct radius_session
*sessions
)
798 struct radius_session
*session
, *prev
;
803 session
= session
->next
;
804 radius_server_session_free(data
, prev
);
809 static void radius_server_free_clients(struct radius_server_data
*data
,
810 struct radius_client
*clients
)
812 struct radius_client
*client
, *prev
;
817 client
= client
->next
;
819 radius_server_free_sessions(data
, prev
->sessions
);
820 free(prev
->shared_secret
);
826 static struct radius_client
*
827 radius_server_read_clients(const char *client_file
, int ipv6
)
830 const int buf_size
= 1024;
832 struct radius_client
*clients
, *tail
, *entry
;
833 int line
= 0, mask
, failed
= 0, i
;
836 struct in6_addr addr6
;
837 #endif /* CONFIG_IPV6 */
840 f
= fopen(client_file
, "r");
842 RADIUS_ERROR("Could not open client file '%s'", client_file
);
846 buf
= malloc(buf_size
);
852 clients
= tail
= NULL
;
853 while (fgets(buf
, buf_size
, f
)) {
854 /* Configuration file format:
855 * 192.168.1.0/24 secret
857 * fe80::211:22ff:fe33:4455/64 secretipv6
860 buf
[buf_size
- 1] = '\0';
862 while (*pos
!= '\0' && *pos
!= '\n')
866 if (*buf
== '\0' || *buf
== '#')
870 while ((*pos
>= '0' && *pos
<= '9') || *pos
== '.' ||
871 (*pos
>= 'a' && *pos
<= 'f') || *pos
== ':' ||
872 (*pos
>= 'A' && *pos
<= 'F')) {
884 mask
= strtol(pos
, &end
, 10);
886 (mask
< 0 || mask
> (ipv6
? 128 : 32))) {
892 mask
= ipv6
? 128 : 32;
896 if (!ipv6
&& inet_aton(buf
, &addr
) == 0) {
901 if (ipv6
&& inet_pton(AF_INET6
, buf
, &addr6
) <= 0) {
902 if (inet_pton(AF_INET
, buf
, &addr
) <= 0) {
906 /* Convert IPv4 address to IPv6 */
909 memset(addr6
.s6_addr
, 0, 10);
910 addr6
.s6_addr
[10] = 0xff;
911 addr6
.s6_addr
[11] = 0xff;
912 memcpy(addr6
.s6_addr
+ 12, (char *) &addr
.s_addr
, 4);
914 #endif /* CONFIG_IPV6 */
916 while (*pos
== ' ' || *pos
== '\t') {
925 entry
= wpa_zalloc(sizeof(*entry
));
930 entry
->shared_secret
= strdup(pos
);
931 if (entry
->shared_secret
== NULL
) {
936 entry
->shared_secret_len
= strlen(entry
->shared_secret
);
937 entry
->addr
.s_addr
= addr
.s_addr
;
940 for (i
= 0; i
< mask
; i
++)
941 val
|= 1 << (31 - i
);
942 entry
->mask
.s_addr
= htonl(val
);
946 int offset
= mask
/ 8;
948 memcpy(entry
->addr6
.s6_addr
, addr6
.s6_addr
, 16);
949 memset(entry
->mask6
.s6_addr
, 0xff, offset
);
951 for (i
= 0; i
< (mask
% 8); i
++)
954 entry
->mask6
.s6_addr
[offset
] = val
;
956 #endif /* CONFIG_IPV6 */
959 clients
= tail
= entry
;
967 RADIUS_ERROR("Invalid line %d in '%s'", line
, client_file
);
968 radius_server_free_clients(NULL
, clients
);
979 struct radius_server_data
*
980 radius_server_init(struct radius_server_conf
*conf
)
982 struct radius_server_data
*data
;
986 fprintf(stderr
, "RADIUS server compiled without IPv6 "
990 #endif /* CONFIG_IPV6 */
992 data
= wpa_zalloc(sizeof(*data
));
996 os_get_time(&data
->start_time
);
997 data
->hostapd_conf
= conf
->hostapd_conf
;
998 data
->eap_sim_db_priv
= conf
->eap_sim_db_priv
;
999 data
->ssl_ctx
= conf
->ssl_ctx
;
1000 data
->ipv6
= conf
->ipv6
;
1002 data
->clients
= radius_server_read_clients(conf
->client_file
,
1004 if (data
->clients
== NULL
) {
1005 printf("No RADIUS clients configured.\n");
1006 radius_server_deinit(data
);
1012 data
->auth_sock
= radius_server_open_socket6(conf
->auth_port
);
1014 #endif /* CONFIG_IPV6 */
1015 data
->auth_sock
= radius_server_open_socket(conf
->auth_port
);
1016 if (data
->auth_sock
< 0) {
1017 printf("Failed to open UDP socket for RADIUS authentication "
1019 radius_server_deinit(data
);
1022 if (eloop_register_read_sock(data
->auth_sock
,
1023 radius_server_receive_auth
,
1025 radius_server_deinit(data
);
1033 void radius_server_deinit(struct radius_server_data
*data
)
1038 if (data
->auth_sock
>= 0) {
1039 eloop_unregister_read_sock(data
->auth_sock
);
1040 close(data
->auth_sock
);
1043 radius_server_free_clients(data
, data
->clients
);
1049 int radius_server_get_mib(struct radius_server_data
*data
, char *buf
,
1056 struct radius_client
*cli
;
1058 /* RFC 2619 - RADIUS Authentication Server MIB */
1060 if (data
== NULL
|| buflen
== 0)
1067 uptime
= (now
.sec
- data
->start_time
.sec
) * 100 +
1068 ((now
.usec
- data
->start_time
.usec
) / 10000) % 100;
1069 ret
= snprintf(pos
, end
- pos
,
1070 "RADIUS-AUTH-SERVER-MIB\n"
1071 "radiusAuthServIdent=hostapd\n"
1072 "radiusAuthServUpTime=%d\n"
1073 "radiusAuthServResetTime=0\n"
1074 "radiusAuthServConfigReset=4\n",
1076 if (ret
< 0 || ret
>= end
- pos
) {
1082 ret
= snprintf(pos
, end
- pos
,
1083 "radiusAuthServTotalAccessRequests=%u\n"
1084 "radiusAuthServTotalInvalidRequests=%u\n"
1085 "radiusAuthServTotalDupAccessRequests=%u\n"
1086 "radiusAuthServTotalAccessAccepts=%u\n"
1087 "radiusAuthServTotalAccessRejects=%u\n"
1088 "radiusAuthServTotalAccessChallenges=%u\n"
1089 "radiusAuthServTotalMalformedAccessRequests=%u\n"
1090 "radiusAuthServTotalBadAuthenticators=%u\n"
1091 "radiusAuthServTotalPacketsDropped=%u\n"
1092 "radiusAuthServTotalUnknownTypes=%u\n",
1093 data
->counters
.access_requests
,
1094 data
->counters
.invalid_requests
,
1095 data
->counters
.dup_access_requests
,
1096 data
->counters
.access_accepts
,
1097 data
->counters
.access_rejects
,
1098 data
->counters
.access_challenges
,
1099 data
->counters
.malformed_access_requests
,
1100 data
->counters
.bad_authenticators
,
1101 data
->counters
.packets_dropped
,
1102 data
->counters
.unknown_types
);
1103 if (ret
< 0 || ret
>= end
- pos
) {
1109 for (cli
= data
->clients
, idx
= 0; cli
; cli
= cli
->next
, idx
++) {
1110 char abuf
[50], mbuf
[50];
1113 if (inet_ntop(AF_INET6
, &cli
->addr6
, abuf
,
1114 sizeof(abuf
)) == NULL
)
1116 if (inet_ntop(AF_INET6
, &cli
->mask6
, abuf
,
1117 sizeof(mbuf
)) == NULL
)
1120 #endif /* CONFIG_IPV6 */
1122 snprintf(abuf
, sizeof(abuf
), "%s",
1123 inet_ntoa(cli
->addr
));
1124 snprintf(mbuf
, sizeof(mbuf
), "%s",
1125 inet_ntoa(cli
->mask
));
1128 ret
= snprintf(pos
, end
- pos
,
1129 "radiusAuthClientIndex=%u\n"
1130 "radiusAuthClientAddress=%s/%s\n"
1131 "radiusAuthServAccessRequests=%u\n"
1132 "radiusAuthServDupAccessRequests=%u\n"
1133 "radiusAuthServAccessAccepts=%u\n"
1134 "radiusAuthServAccessRejects=%u\n"
1135 "radiusAuthServAccessChallenges=%u\n"
1136 "radiusAuthServMalformedAccessRequests=%u\n"
1137 "radiusAuthServBadAuthenticators=%u\n"
1138 "radiusAuthServPacketsDropped=%u\n"
1139 "radiusAuthServUnknownTypes=%u\n",
1142 cli
->counters
.access_requests
,
1143 cli
->counters
.dup_access_requests
,
1144 cli
->counters
.access_accepts
,
1145 cli
->counters
.access_rejects
,
1146 cli
->counters
.access_challenges
,
1147 cli
->counters
.malformed_access_requests
,
1148 cli
->counters
.bad_authenticators
,
1149 cli
->counters
.packets_dropped
,
1150 cli
->counters
.unknown_types
);
1151 if (ret
< 0 || ret
>= end
- pos
) {
1162 static Boolean
radius_server_get_bool(void *ctx
, enum eapol_bool_var variable
)
1164 struct radius_session
*sess
= ctx
;
1168 case EAPOL_eapSuccess
:
1169 return sess
->eapSuccess
;
1170 case EAPOL_eapRestart
:
1171 return sess
->eapRestart
;
1173 return sess
->eapFail
;
1175 return sess
->eapResp
;
1177 return sess
->eapReq
;
1178 case EAPOL_eapNoReq
:
1179 return sess
->eapNoReq
;
1180 case EAPOL_portEnabled
:
1181 return sess
->portEnabled
;
1182 case EAPOL_eapTimeout
:
1183 return sess
->eapTimeout
;
1189 static void radius_server_set_bool(void *ctx
, enum eapol_bool_var variable
,
1192 struct radius_session
*sess
= ctx
;
1196 case EAPOL_eapSuccess
:
1197 sess
->eapSuccess
= value
;
1199 case EAPOL_eapRestart
:
1200 sess
->eapRestart
= value
;
1203 sess
->eapFail
= value
;
1206 sess
->eapResp
= value
;
1209 sess
->eapReq
= value
;
1211 case EAPOL_eapNoReq
:
1212 sess
->eapNoReq
= value
;
1214 case EAPOL_portEnabled
:
1215 sess
->portEnabled
= value
;
1217 case EAPOL_eapTimeout
:
1218 sess
->eapTimeout
= value
;
1224 static void radius_server_set_eapReqData(void *ctx
, const u8
*eapReqData
,
1225 size_t eapReqDataLen
)
1227 struct radius_session
*sess
= ctx
;
1231 free(sess
->eapReqData
);
1232 sess
->eapReqData
= malloc(eapReqDataLen
);
1233 if (sess
->eapReqData
) {
1234 memcpy(sess
->eapReqData
, eapReqData
, eapReqDataLen
);
1235 sess
->eapReqDataLen
= eapReqDataLen
;
1237 sess
->eapReqDataLen
= 0;
1242 static void radius_server_set_eapKeyData(void *ctx
, const u8
*eapKeyData
,
1243 size_t eapKeyDataLen
)
1245 struct radius_session
*sess
= ctx
;
1250 free(sess
->eapKeyData
);
1252 sess
->eapKeyData
= malloc(eapKeyDataLen
);
1253 if (sess
->eapKeyData
) {
1254 memcpy(sess
->eapKeyData
, eapKeyData
, eapKeyDataLen
);
1255 sess
->eapKeyDataLen
= eapKeyDataLen
;
1257 sess
->eapKeyDataLen
= 0;
1260 sess
->eapKeyData
= NULL
;
1261 sess
->eapKeyDataLen
= 0;
1266 static int radius_server_get_eap_user(void *ctx
, const u8
*identity
,
1267 size_t identity_len
, int phase2
,
1268 struct eap_user
*user
)
1270 struct radius_session
*sess
= ctx
;
1271 const struct hostapd_eap_user
*eap_user
;
1274 eap_user
= hostapd_get_eap_user(sess
->server
->hostapd_conf
, identity
,
1275 identity_len
, phase2
);
1276 if (eap_user
== NULL
)
1279 memset(user
, 0, sizeof(*user
));
1280 count
= EAP_USER_MAX_METHODS
;
1281 if (count
> EAP_MAX_METHODS
)
1282 count
= EAP_MAX_METHODS
;
1283 for (i
= 0; i
< count
; i
++) {
1284 user
->methods
[i
].vendor
= eap_user
->methods
[i
].vendor
;
1285 user
->methods
[i
].method
= eap_user
->methods
[i
].method
;
1288 if (eap_user
->password
) {
1289 user
->password
= malloc(eap_user
->password_len
);
1290 if (user
->password
== NULL
)
1292 memcpy(user
->password
, eap_user
->password
,
1293 eap_user
->password_len
);
1294 user
->password_len
= eap_user
->password_len
;
1295 user
->password_hash
= eap_user
->password_hash
;
1297 user
->force_version
= eap_user
->force_version
;
1303 static struct eapol_callbacks radius_server_eapol_cb
=
1305 .get_bool
= radius_server_get_bool
,
1306 .set_bool
= radius_server_set_bool
,
1307 .set_eapReqData
= radius_server_set_eapReqData
,
1308 .set_eapKeyData
= radius_server_set_eapKeyData
,
1309 .get_eap_user
= radius_server_get_eap_user
,
1313 void radius_server_eap_pending_cb(struct radius_server_data
*data
, void *ctx
)
1315 struct radius_client
*cli
;
1316 struct radius_session
*s
, *sess
= NULL
;
1317 struct radius_msg
*msg
;
1322 for (cli
= data
->clients
; cli
; cli
= cli
->next
) {
1323 for (s
= cli
->sessions
; s
; s
= s
->next
) {
1324 if (s
->eap
== ctx
&& s
->last_msg
) {
1336 RADIUS_DEBUG("No session matched callback ctx");
1340 msg
= sess
->last_msg
;
1341 sess
->last_msg
= NULL
;
1342 eap_sm_pending_cb(sess
->eap
);
1343 if (radius_server_request(data
, msg
,
1344 (struct sockaddr
*) &sess
->last_from
,
1345 sess
->last_fromlen
, cli
,
1346 sess
->last_from_addr
,
1347 sess
->last_from_port
, sess
) == -2)
1348 return; /* msg was stored with the session */
1350 radius_msg_free(msg
);
