Stripped down import of hostapd v0.3.7

1 files changed, 1016 insertions, 0 deletions

diff --git a/contrib/hostapd/radius_client.c b/contrib/hostapd/radius_client.c
new file mode 100644
index 0000000..e173775
--- /dev/null
+++ b/contrib/hostapd/radius_client.c
@@ -0,0 +1,1016 @@
+/*
+ * Host AP (software wireless LAN access point) user space daemon for
+ * Host AP kernel driver / RADIUS client
+ * Copyright (c) 2002-2005, Jouni Malinen <jkmaline@cc.hut.fi>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * Alternatively, this software may be distributed under the terms of BSD
+ * license.
+ *
+ * See README and COPYING for more details.
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <netinet/in.h>
+#include <string.h>
+#include <time.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <errno.h>
+
+#include "hostapd.h"
+#include "radius.h"
+#include "radius_client.h"
+#include "eloop.h"
+
+/* Defaults for RADIUS retransmit values (exponential backoff) */
+#define RADIUS_CLIENT_FIRST_WAIT 3 /* seconds */
+#define RADIUS_CLIENT_MAX_WAIT 120 /* seconds */
+#define RADIUS_CLIENT_MAX_RETRIES 10 /* maximum number of retransmit attempts
+				      * before entry is removed from retransmit
+				      * list */
+#define RADIUS_CLIENT_MAX_ENTRIES 30 /* maximum number of entries in retransmit
+				      * list (oldest will be removed, if this
+				      * limit is exceeded) */
+#define RADIUS_CLIENT_NUM_FAILOVER 4 /* try to change RADIUS server after this
+				      * many failed retry attempts */
+
+
+struct radius_rx_handler {
+	RadiusRxResult (*handler)(struct radius_msg *msg,
+				  struct radius_msg *req,
+				  u8 *shared_secret, size_t shared_secret_len,
+				  void *data);
+	void *data;
+};
+
+
+/* RADIUS message retransmit list */
+struct radius_msg_list {
+	u8 addr[ETH_ALEN]; /* STA/client address; used to find RADIUS messages
+			    * for the same STA. */
+	struct radius_msg *msg;
+	RadiusType msg_type;
+	time_t first_try;
+	time_t next_try;
+	int attempts;
+	int next_wait;
+	struct timeval last_attempt;
+
+	u8 *shared_secret;
+	size_t shared_secret_len;
+
+	/* TODO: server config with failover to backup server(s) */
+
+	struct radius_msg_list *next;
+};
+
+
+struct radius_client_data {
+	struct hostapd_data *hapd;
+
+	int auth_serv_sock; /* socket for authentication RADIUS messages */
+	int acct_serv_sock; /* socket for accounting RADIUS messages */
+
+	struct radius_rx_handler *auth_handlers;
+	size_t num_auth_handlers;
+	struct radius_rx_handler *acct_handlers;
+	size_t num_acct_handlers;
+
+	struct radius_msg_list *msgs;
+	size_t num_msgs;
+
+	u8 next_radius_identifier;
+};
+
+
+static int
+radius_change_server(struct radius_client_data *radius,
+		     struct hostapd_radius_server *nserv,
+		     struct hostapd_radius_server *oserv,
+		     int sock, int auth);
+static int radius_client_init_acct(struct radius_client_data *radius);
+static int radius_client_init_auth(struct radius_client_data *radius);
+
+
+static void radius_client_msg_free(struct radius_msg_list *req)
+{
+	radius_msg_free(req->msg);
+	free(req->msg);
+	free(req);
+}
+
+
+int radius_client_register(struct radius_client_data *radius,
+			   RadiusType msg_type,
+			   RadiusRxResult (*handler)(struct radius_msg *msg,
+						     struct radius_msg *req,
+						     u8 *shared_secret,
+						     size_t shared_secret_len,
+						     void *data),
+			   void *data)
+{
+	struct radius_rx_handler **handlers, *newh;
+	size_t *num;
+
+	if (msg_type == RADIUS_ACCT) {
+		handlers = &radius->acct_handlers;
+		num = &radius->num_acct_handlers;
+	} else {
+		handlers = &radius->auth_handlers;
+		num = &radius->num_auth_handlers;
+	}
+
+	newh = (struct radius_rx_handler *)
+		realloc(*handlers,
+			(*num + 1) * sizeof(struct radius_rx_handler));
+	if (newh == NULL)
+		return -1;
+
+	newh[*num].handler = handler;
+	newh[*num].data = data;
+	(*num)++;
+	*handlers = newh;
+
+	return 0;
+}
+
+
+static void radius_client_handle_send_error(struct radius_client_data *radius,
+					    int s, RadiusType msg_type)
+{
+	struct hostapd_data *hapd = radius->hapd;
+	int _errno = errno;
+	perror("send[RADIUS]");
+	if (_errno == ENOTCONN || _errno == EDESTADDRREQ || _errno == EINVAL) {
+		hostapd_logger(hapd, NULL, HOSTAPD_MODULE_RADIUS,
+			       HOSTAPD_LEVEL_INFO,
+			       "Send failed - maybe interface status changed -"
+			       " try to connect again");
+		eloop_unregister_read_sock(s);
+		close(s);
+		if (msg_type == RADIUS_ACCT || msg_type == RADIUS_ACCT_INTERIM)
+			radius_client_init_acct(radius);
+		else
+			radius_client_init_auth(radius);
+	}
+}
+
+
+static int radius_client_retransmit(struct radius_client_data *radius,
+				    struct radius_msg_list *entry, time_t now)
+{
+	struct hostapd_data *hapd = radius->hapd;
+	int s;
+
+	if (entry->msg_type == RADIUS_ACCT ||
+	    entry->msg_type == RADIUS_ACCT_INTERIM) {
+		s = radius->acct_serv_sock;
+		if (entry->attempts == 0)
+			hapd->conf->acct_server->requests++;
+		else {
+			hapd->conf->acct_server->timeouts++;
+			hapd->conf->acct_server->retransmissions++;
+		}
+	} else {
+		s = radius->auth_serv_sock;
+		if (entry->attempts == 0)
+			hapd->conf->auth_server->requests++;
+		else {
+			hapd->conf->auth_server->timeouts++;
+			hapd->conf->auth_server->retransmissions++;
+		}
+	}
+
+	/* retransmit; remove entry if too many attempts */
+	entry->attempts++;
+	HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL, "Resending RADIUS message (id=%d)"
+		      "\n", entry->msg->hdr->identifier);
+
+	gettimeofday(&entry->last_attempt, NULL);
+	if (send(s, entry->msg->buf, entry->msg->buf_used, 0) < 0)
+		radius_client_handle_send_error(radius, s, entry->msg_type);
+
+	entry->next_try = now + entry->next_wait;
+	entry->next_wait *= 2;
+	if (entry->next_wait > RADIUS_CLIENT_MAX_WAIT)
+		entry->next_wait = RADIUS_CLIENT_MAX_WAIT;
+	if (entry->attempts >= RADIUS_CLIENT_MAX_RETRIES) {
+		printf("Removing un-ACKed RADIUS message due to too many "
+		       "failed retransmit attempts\n");
+		return 1;
+	}
+
+	return 0;
+}
+
+
+static void radius_client_timer(void *eloop_ctx, void *timeout_ctx)
+{
+	struct radius_client_data *radius = eloop_ctx;
+	struct hostapd_data *hapd = radius->hapd;
+	time_t now, first;
+	struct radius_msg_list *entry, *prev, *tmp;
+	int auth_failover = 0, acct_failover = 0;
+
+	entry = radius->msgs;
+	if (!entry)
+		return;
+
+	time(&now);
+	first = 0;
+
+	prev = NULL;
+	while (entry) {
+		if (now >= entry->next_try &&
+		    radius_client_retransmit(radius, entry, now)) {
+			if (prev)
+				prev->next = entry->next;
+			else
+				radius->msgs = entry->next;
+
+			tmp = entry;
+			entry = entry->next;
+			radius_client_msg_free(tmp);
+			radius->num_msgs--;
+			continue;
+		}
+
+		if (entry->attempts > RADIUS_CLIENT_NUM_FAILOVER) {
+			if (entry->msg_type == RADIUS_ACCT ||
+			    entry->msg_type == RADIUS_ACCT_INTERIM)
+				acct_failover++;
+			else
+				auth_failover++;
+		}
+
+		if (first == 0 || entry->next_try < first)
+			first = entry->next_try;
+
+		prev = entry;
+		entry = entry->next;
+	}
+
+	if (radius->msgs) {
+		if (first < now)
+			first = now;
+		eloop_register_timeout(first - now, 0,
+				       radius_client_timer, radius, NULL);
+		HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL, "Next RADIUS client "
+			      "retransmit in %ld seconds\n",
+			      (long int) (first - now));
+
+	}
+
+	if (auth_failover && hapd->conf->num_auth_servers > 1) {
+		struct hostapd_radius_server *next, *old;
+		old = hapd->conf->auth_server;
+		hostapd_logger(hapd, NULL, HOSTAPD_MODULE_RADIUS,
+			       HOSTAPD_LEVEL_NOTICE,
+			       "No response from Authentication server "
+			       "%s:%d - failover",
+			       inet_ntoa(old->addr), old->port);
+
+		for (entry = radius->msgs; entry; entry = entry->next) {
+			if (entry->msg_type == RADIUS_AUTH)
+				old->timeouts++;
+		}
+
+		next = old + 1;
+		if (next > &(hapd->conf->auth_servers
+			     [hapd->conf->num_auth_servers - 1]))
+			next = hapd->conf->auth_servers;
+		hapd->conf->auth_server = next;
+		radius_change_server(radius, next, old,
+				     radius->auth_serv_sock, 1);
+	}
+
+	if (acct_failover && hapd->conf->num_acct_servers > 1) {
+		struct hostapd_radius_server *next, *old;
+		old = hapd->conf->acct_server;
+		hostapd_logger(hapd, NULL, HOSTAPD_MODULE_RADIUS,
+			       HOSTAPD_LEVEL_NOTICE,
+			       "No response from Accounting server "
+			       "%s:%d - failover",
+			       inet_ntoa(old->addr), old->port);
+
+		for (entry = radius->msgs; entry; entry = entry->next) {
+			if (entry->msg_type == RADIUS_ACCT ||
+			    entry->msg_type == RADIUS_ACCT_INTERIM)
+				old->timeouts++;
+		}
+
+		next = old + 1;
+		if (next > &hapd->conf->acct_servers
+		    [hapd->conf->num_acct_servers - 1])
+			next = hapd->conf->acct_servers;
+		hapd->conf->acct_server = next;
+		radius_change_server(radius, next, old,
+				     radius->acct_serv_sock, 0);
+	}
+}
+
+
+static void radius_client_update_timeout(struct radius_client_data *radius)
+{
+	struct hostapd_data *hapd = radius->hapd;
+	time_t now, first;
+	struct radius_msg_list *entry;
+
+	eloop_cancel_timeout(radius_client_timer, radius, NULL);
+
+	if (radius->msgs == NULL) {
+		return;
+	}
+
+	first = 0;
+	for (entry = radius->msgs; entry; entry = entry->next) {
+		if (first == 0 || entry->next_try < first)
+			first = entry->next_try;
+	}
+
+	time(&now);
+	if (first < now)
+		first = now;
+	eloop_register_timeout(first - now, 0, radius_client_timer, radius,
+			       NULL);
+	HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL, "Next RADIUS client retransmit in"
+		      " %ld seconds\n", (long int) (first - now));
+}
+
+
+static void radius_client_list_add(struct radius_client_data *radius,
+				   struct radius_msg *msg,
+				   RadiusType msg_type, u8 *shared_secret,
+				   size_t shared_secret_len, u8 *addr)
+{
+	struct radius_msg_list *entry, *prev;
+
+	if (eloop_terminated()) {
+		/* No point in adding entries to retransmit queue since event
+		 * loop has already been terminated. */
+		radius_msg_free(msg);
+		free(msg);
+		return;
+	}
+
+	entry = malloc(sizeof(*entry));
+	if (entry == NULL) {
+		printf("Failed to add RADIUS packet into retransmit list\n");
+		radius_msg_free(msg);
+		free(msg);
+		return;
+	}
+
+	memset(entry, 0, sizeof(*entry));
+	if (addr)
+		memcpy(entry->addr, addr, ETH_ALEN);
+	entry->msg = msg;
+	entry->msg_type = msg_type;
+	entry->shared_secret = shared_secret;
+	entry->shared_secret_len = shared_secret_len;
+	time(&entry->first_try);
+	entry->next_try = entry->first_try + RADIUS_CLIENT_FIRST_WAIT;
+	entry->attempts = 1;
+	gettimeofday(&entry->last_attempt, NULL);
+	entry->next_wait = RADIUS_CLIENT_FIRST_WAIT * 2;
+	entry->next = radius->msgs;
+	radius->msgs = entry;
+	radius_client_update_timeout(radius);
+
+	if (radius->num_msgs >= RADIUS_CLIENT_MAX_ENTRIES) {
+		printf("Removing the oldest un-ACKed RADIUS packet due to "
+		       "retransmit list limits.\n");
+		prev = NULL;
+		while (entry->next) {
+			prev = entry;
+			entry = entry->next;
+		}
+		if (prev) {
+			prev->next = NULL;
+			radius_client_msg_free(entry);
+		}
+	} else
+		radius->num_msgs++;
+}
+
+
+static void radius_client_list_del(struct radius_client_data *radius,
+				   RadiusType msg_type, u8 *addr)
+{
+	struct hostapd_data *hapd = radius->hapd;
+	struct radius_msg_list *entry, *prev, *tmp;
+
+	if (addr == NULL)
+		return;
+
+	entry = radius->msgs;
+	prev = NULL;
+	while (entry) {
+		if (entry->msg_type == msg_type &&
+		    memcmp(entry->addr, addr, ETH_ALEN) == 0) {
+			if (prev)
+				prev->next = entry->next;
+			else
+				radius->msgs = entry->next;
+			tmp = entry;
+			entry = entry->next;
+			HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL,
+				      "Removing matching RADIUS message for "
+				      MACSTR "\n", MAC2STR(addr));
+			radius_client_msg_free(tmp);
+			radius->num_msgs--;
+			continue;
+		}
+		prev = entry;
+		entry = entry->next;
+	}
+}
+
+
+int radius_client_send(struct radius_client_data *radius,
+		       struct radius_msg *msg, RadiusType msg_type, u8 *addr)
+{
+	struct hostapd_data *hapd = radius->hapd;
+	u8 *shared_secret;
+	size_t shared_secret_len;
+	char *name;
+	int s, res;
+
+	if (msg_type == RADIUS_ACCT_INTERIM) {
+		/* Remove any pending interim acct update for the same STA. */
+		radius_client_list_del(radius, msg_type, addr);
+	}
+
+	if (msg_type == RADIUS_ACCT || msg_type == RADIUS_ACCT_INTERIM) {
+		shared_secret = hapd->conf->acct_server->shared_secret;
+		shared_secret_len = hapd->conf->acct_server->shared_secret_len;
+		radius_msg_finish_acct(msg, shared_secret, shared_secret_len);
+		name = "accounting";
+		s = radius->acct_serv_sock;
+		hapd->conf->acct_server->requests++;
+	} else {
+		shared_secret = hapd->conf->auth_server->shared_secret;
+		shared_secret_len = hapd->conf->auth_server->shared_secret_len;
+		radius_msg_finish(msg, shared_secret, shared_secret_len);
+		name = "authentication";
+		s = radius->auth_serv_sock;
+		hapd->conf->auth_server->requests++;
+	}
+
+	HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL,
+		      "Sending RADIUS message to %s server\n", name);
+	if (HOSTAPD_DEBUG_COND(HOSTAPD_DEBUG_MSGDUMPS))
+		radius_msg_dump(msg);
+
+	res = send(s, msg->buf, msg->buf_used, 0);
+	if (res < 0)
+		radius_client_handle_send_error(radius, s, msg_type);
+
+	radius_client_list_add(radius, msg, msg_type, shared_secret,
+			       shared_secret_len, addr);
+
+	return res;
+}
+
+
+static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+{
+	struct radius_client_data *radius = eloop_ctx;
+	struct hostapd_data *hapd = radius->hapd;
+	RadiusType msg_type = (RadiusType) sock_ctx;
+	int len, i, roundtrip;
+	unsigned char buf[3000];
+	struct radius_msg *msg;
+	struct radius_rx_handler *handlers;
+	size_t num_handlers;
+	struct radius_msg_list *req, *prev_req;
+	struct timeval tv;
+	struct hostapd_radius_server *rconf;
+	int invalid_authenticator = 0;
+
+	if (msg_type == RADIUS_ACCT) {
+		handlers = radius->acct_handlers;
+		num_handlers = radius->num_acct_handlers;
+		rconf = hapd->conf->acct_server;
+	} else {
+		handlers = radius->auth_handlers;
+		num_handlers = radius->num_auth_handlers;
+		rconf = hapd->conf->auth_server;
+	}
+
+	len = recv(sock, buf, sizeof(buf), 0);
+	if (len < 0) {
+		perror("recv[RADIUS]");
+		return;
+	}
+	HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL,
+		      "Received %d bytes from RADIUS server\n", len);
+	if (len == sizeof(buf)) {
+		printf("Possibly too long UDP frame for our buffer - "
+		       "dropping it\n");
+		return;
+	}
+
+	msg = radius_msg_parse(buf, len);
+	if (msg == NULL) {
+		printf("Parsing incoming RADIUS frame failed\n");
+		rconf->malformed_responses++;
+		return;
+	}
+
+	HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL,
+		      "Received RADIUS message\n");
+	if (HOSTAPD_DEBUG_COND(HOSTAPD_DEBUG_MSGDUMPS))
+		radius_msg_dump(msg);
+
+	switch (msg->hdr->code) {
+	case RADIUS_CODE_ACCESS_ACCEPT:
+		rconf->access_accepts++;
+		break;
+	case RADIUS_CODE_ACCESS_REJECT:
+		rconf->access_rejects++;
+		break;
+	case RADIUS_CODE_ACCESS_CHALLENGE:
+		rconf->access_challenges++;
+		break;
+	case RADIUS_CODE_ACCOUNTING_RESPONSE:
+		rconf->responses++;
+		break;
+	}
+
+	prev_req = NULL;
+	req = radius->msgs;
+	while (req) {
+		/* TODO: also match by src addr:port of the packet when using
+		 * alternative RADIUS servers (?) */
+		if ((req->msg_type == msg_type ||
+		     (req->msg_type == RADIUS_ACCT_INTERIM &&
+		      msg_type == RADIUS_ACCT)) &&
+		    req->msg->hdr->identifier == msg->hdr->identifier)
+			break;
+
+		prev_req = req;
+		req = req->next;
+	}
+
+	if (req == NULL) {
+		HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL,
+			      "No matching RADIUS request found (type=%d "
+			      "id=%d) - dropping packet\n",
+			      msg_type, msg->hdr->identifier);
+		goto fail;
+	}
+
+	gettimeofday(&tv, NULL);
+	roundtrip = (tv.tv_sec - req->last_attempt.tv_sec) * 100 +
+		(tv.tv_usec - req->last_attempt.tv_usec) / 10000;
+	HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL, "Received RADIUS packet matched "
+		      "with a pending request, round trip time %d.%02d sec\n",
+		      roundtrip / 100, roundtrip % 100);
+	rconf->round_trip_time = roundtrip;
+
+	/* Remove ACKed RADIUS packet from retransmit list */
+	if (prev_req)
+		prev_req->next = req->next;
+	else
+		radius->msgs = req->next;
+	radius->num_msgs--;
+
+	for (i = 0; i < num_handlers; i++) {
+		RadiusRxResult res;
+		res = handlers[i].handler(msg, req->msg, req->shared_secret,
+					  req->shared_secret_len,
+					  handlers[i].data);
+		switch (res) {
+		case RADIUS_RX_PROCESSED:
+			radius_msg_free(msg);
+			free(msg);
+			/* continue */
+		case RADIUS_RX_QUEUED:
+			radius_client_msg_free(req);
+			return;
+		case RADIUS_RX_INVALID_AUTHENTICATOR:
+			invalid_authenticator++;
+			/* continue */
+		case RADIUS_RX_UNKNOWN:
+			/* continue with next handler */
+			break;
+		}
+	}
+
+	if (invalid_authenticator)
+		rconf->bad_authenticators++;
+	else
+		rconf->unknown_types++;
+	hostapd_logger(hapd, req->addr, HOSTAPD_MODULE_RADIUS,
+		       HOSTAPD_LEVEL_DEBUG, "No RADIUS RX handler found "
+		       "(type=%d code=%d id=%d)%s - dropping packet",
+		       msg_type, msg->hdr->code, msg->hdr->identifier,
+		       invalid_authenticator ? " [INVALID AUTHENTICATOR]" :
+		       "");
+	radius_client_msg_free(req);
+
+ fail:
+	radius_msg_free(msg);
+	free(msg);
+}
+
+
+u8 radius_client_get_id(struct radius_client_data *radius)
+{
+	struct hostapd_data *hapd = radius->hapd;
+	struct radius_msg_list *entry, *prev, *remove;
+	u8 id = radius->next_radius_identifier++;
+
+	/* remove entries with matching id from retransmit list to avoid
+	 * using new reply from the RADIUS server with an old request */
+	entry = radius->msgs;
+	prev = NULL;
+	while (entry) {
+		if (entry->msg->hdr->identifier == id) {
+			HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL,
+				      "Removing pending RADIUS message, since "
+				      "its id (%d) is reused\n", id);
+			if (prev)
+				prev->next = entry->next;
+			else
+				radius->msgs = entry->next;
+			remove = entry;
+		} else
+			remove = NULL;
+		prev = entry;
+		entry = entry->next;
+
+		if (remove)
+			radius_client_msg_free(remove);
+	}
+
+	return id;
+}
+
+
+void radius_client_flush(struct radius_client_data *radius)
+{
+	struct radius_msg_list *entry, *prev;
+
+	if (!radius)
+		return;
+
+	eloop_cancel_timeout(radius_client_timer, radius, NULL);
+
+	entry = radius->msgs;
+	radius->msgs = NULL;
+	radius->num_msgs = 0;
+	while (entry) {
+		prev = entry;
+		entry = entry->next;
+		radius_client_msg_free(prev);
+	}
+}
+
+
+static int
+radius_change_server(struct radius_client_data *radius,
+		     struct hostapd_radius_server *nserv,
+		     struct hostapd_radius_server *oserv,
+		     int sock, int auth)
+{
+	struct hostapd_data *hapd = radius->hapd;
+	struct sockaddr_in serv;
+
+	hostapd_logger(hapd, NULL, HOSTAPD_MODULE_RADIUS, HOSTAPD_LEVEL_INFO,
+		       "%s server %s:%d",
+		       auth ? "Authentication" : "Accounting",
+		       inet_ntoa(nserv->addr), nserv->port);
+
+	if (!oserv || nserv->shared_secret_len != oserv->shared_secret_len ||
+	    memcmp(nserv->shared_secret, oserv->shared_secret,
+		   nserv->shared_secret_len) != 0) {
+		/* Pending RADIUS packets used different shared
+		 * secret, so they would need to be modified. Could
+		 * update all message authenticators and
+		 * User-Passwords, etc. and retry with new server. For
+		 * now, just drop all pending packets. */
+		radius_client_flush(radius);
+	} else {
+		/* Reset retry counters for the new server */
+		struct radius_msg_list *entry;
+		entry = radius->msgs;
+		while (entry) {
+			entry->next_try = entry->first_try +
+				RADIUS_CLIENT_FIRST_WAIT;
+			entry->attempts = 0;
+			entry->next_wait = RADIUS_CLIENT_FIRST_WAIT * 2;
+			entry = entry->next;
+		}
+		if (radius->msgs) {
+			eloop_cancel_timeout(radius_client_timer, radius,
+					     NULL);
+			eloop_register_timeout(RADIUS_CLIENT_FIRST_WAIT, 0,
+					       radius_client_timer, radius,
+					       NULL);
+		}
+	}
+
+	memset(&serv, 0, sizeof(serv));
+	serv.sin_family = AF_INET;
+	serv.sin_addr.s_addr = nserv->addr.s_addr;
+	serv.sin_port = htons(nserv->port);
+
+	if (connect(sock, (struct sockaddr *) &serv, sizeof(serv)) < 0) {
+		perror("connect[radius]");
+		return -1;
+	}
+
+	return 0;
+}
+
+
+static void radius_retry_primary_timer(void *eloop_ctx, void *timeout_ctx)
+{
+	struct radius_client_data *radius = eloop_ctx;
+	struct hostapd_data *hapd = radius->hapd;
+	struct hostapd_radius_server *oserv;
+
+	if (radius->auth_serv_sock >= 0 && hapd->conf->auth_servers &&
+	    hapd->conf->auth_server != hapd->conf->auth_servers) {
+		oserv = hapd->conf->auth_server;
+		hapd->conf->auth_server = hapd->conf->auth_servers;
+		radius_change_server(radius, hapd->conf->auth_server, oserv,
+				     radius->auth_serv_sock, 1);
+	}
+
+	if (radius->acct_serv_sock >= 0 && hapd->conf->acct_servers &&
+	    hapd->conf->acct_server != hapd->conf->acct_servers) {
+		oserv = hapd->conf->acct_server;
+		hapd->conf->acct_server = hapd->conf->acct_servers;
+		radius_change_server(radius, hapd->conf->acct_server, oserv,
+				     radius->acct_serv_sock, 0);
+	}
+
+	if (hapd->conf->radius_retry_primary_interval)
+		eloop_register_timeout(hapd->conf->
+				       radius_retry_primary_interval, 0,
+				       radius_retry_primary_timer, radius,
+				       NULL);
+}
+
+
+static int radius_client_init_auth(struct radius_client_data *radius)
+{
+	struct hostapd_data *hapd = radius->hapd;
+	radius->auth_serv_sock = socket(PF_INET, SOCK_DGRAM, 0);
+	if (radius->auth_serv_sock < 0) {
+		perror("socket[PF_INET,SOCK_DGRAM]");
+		return -1;
+	}
+
+	radius_change_server(radius, hapd->conf->auth_server, NULL,
+			     radius->auth_serv_sock, 1);
+
+	if (eloop_register_read_sock(radius->auth_serv_sock,
+				     radius_client_receive, radius,
+				     (void *) RADIUS_AUTH)) {
+		printf("Could not register read socket for authentication "
+		       "server\n");
+		return -1;
+	}
+
+	return 0;
+}
+
+
+static int radius_client_init_acct(struct radius_client_data *radius)
+{
+	struct hostapd_data *hapd = radius->hapd;
+	radius->acct_serv_sock = socket(PF_INET, SOCK_DGRAM, 0);
+	if (radius->acct_serv_sock < 0) {
+		perror("socket[PF_INET,SOCK_DGRAM]");
+		return -1;
+	}
+
+	radius_change_server(radius, hapd->conf->acct_server, NULL,
+			     radius->acct_serv_sock, 0);
+
+	if (eloop_register_read_sock(radius->acct_serv_sock,
+				     radius_client_receive, radius,
+				     (void *) RADIUS_ACCT)) {
+		printf("Could not register read socket for accounting "
+		       "server\n");
+		return -1;
+	}
+
+	return 0;
+}
+
+
+struct radius_client_data * radius_client_init(struct hostapd_data *hapd)
+{
+	struct radius_client_data *radius;
+
+	radius = malloc(sizeof(struct radius_client_data));
+	if (radius == NULL)
+		return NULL;
+
+	memset(radius, 0, sizeof(struct radius_client_data));
+	radius->hapd = hapd;
+	radius->auth_serv_sock = radius->acct_serv_sock = -1;
+
+	if (hapd->conf->auth_server && radius_client_init_auth(radius)) {
+		radius_client_deinit(radius);
+		return NULL;
+	}
+
+	if (hapd->conf->acct_server && radius_client_init_acct(radius)) {
+		radius_client_deinit(radius);
+		return NULL;
+	}
+
+	if (hapd->conf->radius_retry_primary_interval)
+		eloop_register_timeout(hapd->conf->
+				       radius_retry_primary_interval, 0,
+				       radius_retry_primary_timer, radius,
+				       NULL);
+
+	return radius;
+}
+
+
+void radius_client_deinit(struct radius_client_data *radius)
+{
+	if (!radius)
+		return;
+
+	eloop_cancel_timeout(radius_retry_primary_timer, radius, NULL);
+
+	radius_client_flush(radius);
+	free(radius->auth_handlers);
+	free(radius->acct_handlers);
+	free(radius);
+}
+
+
+void radius_client_flush_auth(struct radius_client_data *radius, u8 *addr)
+{
+	struct hostapd_data *hapd = radius->hapd;
+	struct radius_msg_list *entry, *prev, *tmp;
+
+	prev = NULL;
+	entry = radius->msgs;
+	while (entry) {
+		if (entry->msg_type == RADIUS_AUTH &&
+		    memcmp(entry->addr, addr, ETH_ALEN) == 0) {
+			hostapd_logger(hapd, addr, HOSTAPD_MODULE_RADIUS,
+				       HOSTAPD_LEVEL_DEBUG,
+				       "Removing pending RADIUS authentication"
+				       " message for removed client");
+
+			if (prev)
+				prev->next = entry->next;
+			else
+				radius->msgs = entry->next;
+
+			tmp = entry;
+			entry = entry->next;
+			radius_client_msg_free(tmp);
+			radius->num_msgs--;
+			continue;
+		}
+
+		prev = entry;
+		entry = entry->next;
+	}
+}
+
+
+static int radius_client_dump_auth_server(char *buf, size_t buflen,
+					  struct hostapd_radius_server *serv,
+					  struct radius_client_data *cli)
+{
+	int pending = 0;
+	struct radius_msg_list *msg;
+
+	if (cli) {
+		for (msg = cli->msgs; msg; msg = msg->next) {
+			if (msg->msg_type == RADIUS_AUTH)
+				pending++;
+		}
+	}
+
+	return snprintf(buf, buflen,
+			"radiusAuthServerIndex=%d\n"
+			"radiusAuthServerAddress=%s\n"
+			"radiusAuthClientServerPortNumber=%d\n"
+			"radiusAuthClientRoundTripTime=%d\n"
+			"radiusAuthClientAccessRequests=%u\n"
+			"radiusAuthClientAccessRetransmissions=%u\n"
+			"radiusAuthClientAccessAccepts=%u\n"
+			"radiusAuthClientAccessRejects=%u\n"
+			"radiusAuthClientAccessChallenges=%u\n"
+			"radiusAuthClientMalformedAccessResponses=%u\n"
+			"radiusAuthClientBadAuthenticators=%u\n"
+			"radiusAuthClientPendingRequests=%u\n"
+			"radiusAuthClientTimeouts=%u\n"
+			"radiusAuthClientUnknownTypes=%u\n"
+			"radiusAuthClientPacketsDropped=%u\n",
+			serv->index,
+			inet_ntoa(serv->addr),
+			serv->port,
+			serv->round_trip_time,
+			serv->requests,
+			serv->retransmissions,
+			serv->access_accepts,
+			serv->access_rejects,
+			serv->access_challenges,
+			serv->malformed_responses,
+			serv->bad_authenticators,
+			pending,
+			serv->timeouts,
+			serv->unknown_types,
+			serv->packets_dropped);
+}
+
+
+static int radius_client_dump_acct_server(char *buf, size_t buflen,
+					  struct hostapd_radius_server *serv,
+					  struct radius_client_data *cli)
+{
+	int pending = 0;
+	struct radius_msg_list *msg;
+
+	if (cli) {
+		for (msg = cli->msgs; msg; msg = msg->next) {
+			if (msg->msg_type == RADIUS_ACCT ||
+			    msg->msg_type == RADIUS_ACCT_INTERIM)
+				pending++;
+		}
+	}
+
+	return snprintf(buf, buflen,
+			"radiusAccServerIndex=%d\n"
+			"radiusAccServerAddress=%s\n"
+			"radiusAccClientServerPortNumber=%d\n"
+			"radiusAccClientRoundTripTime=%d\n"
+			"radiusAccClientRequests=%u\n"
+			"radiusAccClientRetransmissions=%u\n"
+			"radiusAccClientResponses=%u\n"
+			"radiusAccClientMalformedResponses=%u\n"
+			"radiusAccClientBadAuthenticators=%u\n"
+			"radiusAccClientPendingRequests=%u\n"
+			"radiusAccClientTimeouts=%u\n"
+			"radiusAccClientUnknownTypes=%u\n"
+			"radiusAccClientPacketsDropped=%u\n",
+			serv->index,
+			inet_ntoa(serv->addr),
+			serv->port,
+			serv->round_trip_time,
+			serv->requests,
+			serv->retransmissions,
+			serv->responses,
+			serv->malformed_responses,
+			serv->bad_authenticators,
+			pending,
+			serv->timeouts,
+			serv->unknown_types,
+			serv->packets_dropped);
+}
+
+
+int radius_client_get_mib(struct radius_client_data *radius, char *buf,
+			  size_t buflen)
+{
+	struct hostapd_data *hapd = radius->hapd;
+	int i;
+	struct hostapd_radius_server *serv;
+	int count = 0;
+
+	if (hapd->conf->auth_servers) {
+		for (i = 0; i < hapd->conf->num_auth_servers; i++) {
+			serv = &hapd->conf->auth_servers[i];
+			count += radius_client_dump_auth_server(
+				buf + count, buflen - count, serv,
+				serv == hapd->conf->auth_server ?
+				radius : NULL);
+		}
+	}
+
+	if (hapd->conf->acct_servers) {
+		for (i = 0; i < hapd->conf->num_acct_servers; i++) {
+			serv = &hapd->conf->acct_servers[i];
+			count += radius_client_dump_acct_server(
+				buf + count, buflen - count, serv,
+				serv == hapd->conf->acct_server ?
+				radius : NULL);
+		}
+	}
+
+	return count;
+}