diff options
Diffstat (limited to 'contrib/wpa_supplicant/radius_client.c')
-rw-r--r-- | contrib/wpa_supplicant/radius_client.c | 845 |
1 files changed, 643 insertions, 202 deletions
diff --git a/contrib/wpa_supplicant/radius_client.c b/contrib/wpa_supplicant/radius_client.c index 91ab3c7..abc28bd 100644 --- a/contrib/wpa_supplicant/radius_client.c +++ b/contrib/wpa_supplicant/radius_client.c @@ -1,41 +1,39 @@ /* * Host AP (software wireless LAN access point) user space daemon for - * Host AP kernel driver / RADIUS client / modified for eapol_test - * Copyright (c) 2002-2004, Jouni Malinen <jkmaline@cc.hut.fi> + * Host AP kernel driver / RADIUS client + * Copyright (c) 2002-2005, Jouni Malinen <jkmaline@cc.hut.fi> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as - * published by the Free Software Foundation. See README and COPYING for - * more details. + * published by the Free Software Foundation. + * + * Alternatively, this software may be distributed under the terms of BSD + * license. + * + * See README and COPYING for more details. */ #include <stdlib.h> #include <stdio.h> #include <unistd.h> -#include <netinet/in.h> #include <string.h> #include <time.h> #include <sys/types.h> +#include <sys/time.h> +#include <errno.h> +#ifndef CONFIG_NATIVE_WINDOWS +#include <netinet/in.h> #include <sys/socket.h> #include <arpa/inet.h> +#endif /* CONFIG_NATIVE_WINDOWS */ -#include "common.h" -#include "wpa.h" -#include "config_ssid.h" -#include "wpa_supplicant.h" -#include "wpa_supplicant_i.h" +#include "hostapd.h" #include "radius.h" #include "radius_client.h" #include "eloop.h" -#include "l2_packet.h" - -#include "wpa_supplicant.h" -#define hostapd_logger(h, a, m, l, t...) wpa_printf(MSG_DEBUG, t) -#define HOSTAPD_DEBUG(l, a...) wpa_printf(MSG_DEBUG, a) -#define HOSTAPD_DEBUG_COND(l) 1 /* Defaults for RADIUS retransmit values (exponential backoff) */ -#define RADIUS_CLIENT_FIRST_WAIT 1 /* seconds */ +#define RADIUS_CLIENT_FIRST_WAIT 3 /* seconds */ #define RADIUS_CLIENT_MAX_WAIT 120 /* seconds */ #define RADIUS_CLIENT_MAX_RETRIES 10 /* maximum number of retransmit attempts * before entry is removed from retransmit @@ -47,11 +45,66 @@ * many failed retry attempts */ +struct radius_rx_handler { + RadiusRxResult (*handler)(struct radius_msg *msg, + struct radius_msg *req, + u8 *shared_secret, size_t shared_secret_len, + void *data); + void *data; +}; + + +/* RADIUS message retransmit list */ +struct radius_msg_list { + u8 addr[ETH_ALEN]; /* STA/client address; used to find RADIUS messages + * for the same STA. */ + struct radius_msg *msg; + RadiusType msg_type; + time_t first_try; + time_t next_try; + int attempts; + int next_wait; + struct timeval last_attempt; + + u8 *shared_secret; + size_t shared_secret_len; + + /* TODO: server config with failover to backup server(s) */ + + struct radius_msg_list *next; +}; + + +struct radius_client_data { + void *ctx; + struct hostapd_radius_servers *conf; + + int auth_serv_sock; /* socket for authentication RADIUS messages */ + int acct_serv_sock; /* socket for accounting RADIUS messages */ + int auth_serv_sock6; + int acct_serv_sock6; + int auth_sock; /* currently used socket */ + int acct_sock; /* currently used socket */ + + struct radius_rx_handler *auth_handlers; + size_t num_auth_handlers; + struct radius_rx_handler *acct_handlers; + size_t num_acct_handlers; + + struct radius_msg_list *msgs; + size_t num_msgs; + + u8 next_radius_identifier; +}; + static int -radius_change_server(struct wpa_supplicant *wpa_s, struct hostapd_radius_server *nserv, +radius_change_server(struct radius_client_data *radius, + struct hostapd_radius_server *nserv, struct hostapd_radius_server *oserv, - int sock, int auth); + int sock, int sock6, int auth); +static int radius_client_init_acct(struct radius_client_data *radius); +static int radius_client_init_auth(struct radius_client_data *radius); static void radius_client_msg_free(struct radius_msg_list *req) @@ -62,9 +115,9 @@ static void radius_client_msg_free(struct radius_msg_list *req) } -int radius_client_register(struct wpa_supplicant *wpa_s, RadiusType msg_type, - RadiusRxResult (*handler)(struct wpa_supplicant *wpa_s, - struct radius_msg *msg, +int radius_client_register(struct radius_client_data *radius, + RadiusType msg_type, + RadiusRxResult (*handler)(struct radius_msg *msg, struct radius_msg *req, u8 *shared_secret, size_t shared_secret_len, @@ -75,11 +128,11 @@ int radius_client_register(struct wpa_supplicant *wpa_s, RadiusType msg_type, size_t *num; if (msg_type == RADIUS_ACCT) { - handlers = &wpa_s->radius->acct_handlers; - num = &wpa_s->radius->num_acct_handlers; + handlers = &radius->acct_handlers; + num = &radius->num_acct_handlers; } else { - handlers = &wpa_s->radius->auth_handlers; - num = &wpa_s->radius->num_auth_handlers; + handlers = &radius->auth_handlers; + num = &radius->num_auth_handlers; } newh = (struct radius_rx_handler *) @@ -97,24 +150,62 @@ int radius_client_register(struct wpa_supplicant *wpa_s, RadiusType msg_type, } -static int radius_client_retransmit(struct wpa_supplicant *wpa_s, +static void radius_client_handle_send_error(struct radius_client_data *radius, + int s, RadiusType msg_type) +{ +#ifndef CONFIG_NATIVE_WINDOWS + int _errno = errno; + perror("send[RADIUS]"); + if (_errno == ENOTCONN || _errno == EDESTADDRREQ || _errno == EINVAL) { + hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS, + HOSTAPD_LEVEL_INFO, + "Send failed - maybe interface status changed -" + " try to connect again"); + eloop_unregister_read_sock(s); + close(s); + if (msg_type == RADIUS_ACCT || msg_type == RADIUS_ACCT_INTERIM) + radius_client_init_acct(radius); + else + radius_client_init_auth(radius); + } +#endif /* CONFIG_NATIVE_WINDOWS */ +} + + +static int radius_client_retransmit(struct radius_client_data *radius, struct radius_msg_list *entry, time_t now) { + struct hostapd_radius_servers *conf = radius->conf; int s; if (entry->msg_type == RADIUS_ACCT || - entry->msg_type == RADIUS_ACCT_INTERIM) - s = wpa_s->radius->acct_serv_sock; - else - s = wpa_s->radius->auth_serv_sock; + entry->msg_type == RADIUS_ACCT_INTERIM) { + s = radius->acct_sock; + if (entry->attempts == 0) + conf->acct_server->requests++; + else { + conf->acct_server->timeouts++; + conf->acct_server->retransmissions++; + } + } else { + s = radius->auth_sock; + if (entry->attempts == 0) + conf->auth_server->requests++; + else { + conf->auth_server->timeouts++; + conf->auth_server->retransmissions++; + } + } /* retransmit; remove entry if too many attempts */ entry->attempts++; - HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL, "Resending RADIUS message (id=%d)" - "\n", entry->msg->hdr->identifier); + hostapd_logger(radius->ctx, entry->addr, HOSTAPD_MODULE_RADIUS, + HOSTAPD_LEVEL_DEBUG, "Resending RADIUS message (id=%d)", + entry->msg->hdr->identifier); + gettimeofday(&entry->last_attempt, NULL); if (send(s, entry->msg->buf, entry->msg->buf_used, 0) < 0) - perror("send[RADIUS]"); + radius_client_handle_send_error(radius, s, entry->msg_type); entry->next_try = now + entry->next_wait; entry->next_wait *= 2; @@ -132,12 +223,14 @@ static int radius_client_retransmit(struct wpa_supplicant *wpa_s, static void radius_client_timer(void *eloop_ctx, void *timeout_ctx) { - struct wpa_supplicant *wpa_s = eloop_ctx; + struct radius_client_data *radius = eloop_ctx; + struct hostapd_radius_servers *conf = radius->conf; time_t now, first; struct radius_msg_list *entry, *prev, *tmp; int auth_failover = 0, acct_failover = 0; + char abuf[50]; - entry = wpa_s->radius->msgs; + entry = radius->msgs; if (!entry) return; @@ -147,16 +240,16 @@ static void radius_client_timer(void *eloop_ctx, void *timeout_ctx) prev = NULL; while (entry) { if (now >= entry->next_try && - radius_client_retransmit(wpa_s, entry, now)) { + radius_client_retransmit(radius, entry, now)) { if (prev) prev->next = entry->next; else - wpa_s->radius->msgs = entry->next; + radius->msgs = entry->next; tmp = entry; entry = entry->next; radius_client_msg_free(tmp); - wpa_s->radius->num_msgs--; + radius->num_msgs--; continue; } @@ -175,51 +268,98 @@ static void radius_client_timer(void *eloop_ctx, void *timeout_ctx) entry = entry->next; } - if (wpa_s->radius->msgs) { + if (radius->msgs) { if (first < now) first = now; eloop_register_timeout(first - now, 0, - radius_client_timer, wpa_s, NULL); + radius_client_timer, radius, NULL); + hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS, + HOSTAPD_LEVEL_DEBUG, "Next RADIUS client " + "retransmit in %ld seconds", + (long int) (first - now)); } - if (auth_failover && wpa_s->num_auth_servers > 1) { + if (auth_failover && conf->num_auth_servers > 1) { struct hostapd_radius_server *next, *old; - old = wpa_s->auth_server; - hostapd_logger(wpa_s, NULL, HOSTAPD_MODULE_RADIUS, + old = conf->auth_server; + hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS, HOSTAPD_LEVEL_NOTICE, "No response from Authentication server " "%s:%d - failover", - inet_ntoa(old->addr), old->port); + hostapd_ip_txt(&old->addr, abuf, sizeof(abuf)), + old->port); + + for (entry = radius->msgs; entry; entry = entry->next) { + if (entry->msg_type == RADIUS_AUTH) + old->timeouts++; + } next = old + 1; - if (next > &(wpa_s->auth_servers - [wpa_s->num_auth_servers - 1])) - next = wpa_s->auth_servers; - wpa_s->auth_server = next; - radius_change_server(wpa_s, next, old, - wpa_s->radius->auth_serv_sock, 1); + if (next > &(conf->auth_servers[conf->num_auth_servers - 1])) + next = conf->auth_servers; + conf->auth_server = next; + radius_change_server(radius, next, old, + radius->auth_serv_sock, + radius->auth_serv_sock6, 1); } - if (acct_failover && wpa_s->num_acct_servers > 1) { + if (acct_failover && conf->num_acct_servers > 1) { struct hostapd_radius_server *next, *old; - old = wpa_s->acct_server; - hostapd_logger(wpa_s, NULL, HOSTAPD_MODULE_RADIUS, + old = conf->acct_server; + hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS, HOSTAPD_LEVEL_NOTICE, "No response from Accounting server " "%s:%d - failover", - inet_ntoa(old->addr), old->port); + hostapd_ip_txt(&old->addr, abuf, sizeof(abuf)), + old->port); + + for (entry = radius->msgs; entry; entry = entry->next) { + if (entry->msg_type == RADIUS_ACCT || + entry->msg_type == RADIUS_ACCT_INTERIM) + old->timeouts++; + } + next = old + 1; - if (next > &wpa_s->acct_servers - [wpa_s->num_acct_servers - 1]) - next = wpa_s->acct_servers; - wpa_s->acct_server = next; - radius_change_server(wpa_s, next, old, - wpa_s->radius->acct_serv_sock, 0); + if (next > &conf->acct_servers[conf->num_acct_servers - 1]) + next = conf->acct_servers; + conf->acct_server = next; + radius_change_server(radius, next, old, + radius->acct_serv_sock, + radius->acct_serv_sock6, 0); } } -static void radius_client_list_add(struct wpa_supplicant *wpa_s, struct radius_msg *msg, +static void radius_client_update_timeout(struct radius_client_data *radius) +{ + time_t now, first; + struct radius_msg_list *entry; + + eloop_cancel_timeout(radius_client_timer, radius, NULL); + + if (radius->msgs == NULL) { + return; + } + + first = 0; + for (entry = radius->msgs; entry; entry = entry->next) { + if (first == 0 || entry->next_try < first) + first = entry->next_try; + } + + time(&now); + if (first < now) + first = now; + eloop_register_timeout(first - now, 0, radius_client_timer, radius, + NULL); + hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS, + HOSTAPD_LEVEL_DEBUG, "Next RADIUS client retransmit in" + " %ld seconds\n", (long int) (first - now)); +} + + +static void radius_client_list_add(struct radius_client_data *radius, + struct radius_msg *msg, RadiusType msg_type, u8 *shared_secret, size_t shared_secret_len, u8 *addr) { @@ -251,16 +391,13 @@ static void radius_client_list_add(struct wpa_supplicant *wpa_s, struct radius_m time(&entry->first_try); entry->next_try = entry->first_try + RADIUS_CLIENT_FIRST_WAIT; entry->attempts = 1; + gettimeofday(&entry->last_attempt, NULL); entry->next_wait = RADIUS_CLIENT_FIRST_WAIT * 2; + entry->next = radius->msgs; + radius->msgs = entry; + radius_client_update_timeout(radius); - if (!wpa_s->radius->msgs) - eloop_register_timeout(RADIUS_CLIENT_FIRST_WAIT, 0, - radius_client_timer, wpa_s, NULL); - - entry->next = wpa_s->radius->msgs; - wpa_s->radius->msgs = entry; - - if (wpa_s->radius->num_msgs >= RADIUS_CLIENT_MAX_ENTRIES) { + if (radius->num_msgs >= RADIUS_CLIENT_MAX_ENTRIES) { printf("Removing the oldest un-ACKed RADIUS packet due to " "retransmit list limits.\n"); prev = NULL; @@ -273,11 +410,11 @@ static void radius_client_list_add(struct wpa_supplicant *wpa_s, struct radius_m radius_client_msg_free(entry); } } else - wpa_s->radius->num_msgs++; + radius->num_msgs++; } -static void radius_client_list_del(struct wpa_supplicant *wpa_s, +static void radius_client_list_del(struct radius_client_data *radius, RadiusType msg_type, u8 *addr) { struct radius_msg_list *entry, *prev, *tmp; @@ -285,7 +422,7 @@ static void radius_client_list_del(struct wpa_supplicant *wpa_s, if (addr == NULL) return; - entry = wpa_s->radius->msgs; + entry = radius->msgs; prev = NULL; while (entry) { if (entry->msg_type == msg_type && @@ -293,14 +430,15 @@ static void radius_client_list_del(struct wpa_supplicant *wpa_s, if (prev) prev->next = entry->next; else - wpa_s->radius->msgs = entry->next; + radius->msgs = entry->next; tmp = entry; entry = entry->next; - HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL, - "Removing matching RADIUS message for " - MACSTR "\n", MAC2STR(addr)); + hostapd_logger(radius->ctx, addr, + HOSTAPD_MODULE_RADIUS, + HOSTAPD_LEVEL_DEBUG, + "Removing matching RADIUS message"); radius_client_msg_free(tmp); - wpa_s->radius->num_msgs--; + radius->num_msgs--; continue; } prev = entry; @@ -309,9 +447,10 @@ static void radius_client_list_del(struct wpa_supplicant *wpa_s, } -int radius_client_send(struct wpa_supplicant *wpa_s, struct radius_msg *msg, - RadiusType msg_type, u8 *addr) +int radius_client_send(struct radius_client_data *radius, + struct radius_msg *msg, RadiusType msg_type, u8 *addr) { + struct hostapd_radius_servers *conf = radius->conf; u8 *shared_secret; size_t shared_secret_len; char *name; @@ -319,33 +458,36 @@ int radius_client_send(struct wpa_supplicant *wpa_s, struct radius_msg *msg, if (msg_type == RADIUS_ACCT_INTERIM) { /* Remove any pending interim acct update for the same STA. */ - radius_client_list_del(wpa_s, msg_type, addr); + radius_client_list_del(radius, msg_type, addr); } if (msg_type == RADIUS_ACCT || msg_type == RADIUS_ACCT_INTERIM) { - shared_secret = wpa_s->acct_server->shared_secret; - shared_secret_len = wpa_s->acct_server->shared_secret_len; + shared_secret = conf->acct_server->shared_secret; + shared_secret_len = conf->acct_server->shared_secret_len; radius_msg_finish_acct(msg, shared_secret, shared_secret_len); name = "accounting"; - s = wpa_s->radius->acct_serv_sock; + s = radius->acct_sock; + conf->acct_server->requests++; } else { - shared_secret = wpa_s->auth_server->shared_secret; - shared_secret_len = wpa_s->auth_server->shared_secret_len; + shared_secret = conf->auth_server->shared_secret; + shared_secret_len = conf->auth_server->shared_secret_len; radius_msg_finish(msg, shared_secret, shared_secret_len); name = "authentication"; - s = wpa_s->radius->auth_serv_sock; + s = radius->auth_sock; + conf->auth_server->requests++; } - HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL, - "Sending RADIUS message to %s server\n", name); - if (HOSTAPD_DEBUG_COND(HOSTAPD_DEBUG_MSGDUMPS)) + hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS, + HOSTAPD_LEVEL_DEBUG, "Sending RADIUS message to %s " + "server", name); + if (conf->msg_dumps) radius_msg_dump(msg); res = send(s, msg->buf, msg->buf_used, 0); if (res < 0) - perror("send[RADIUS]"); + radius_client_handle_send_error(radius, s, msg_type); - radius_client_list_add(wpa_s, msg, msg_type, shared_secret, + radius_client_list_add(radius, msg, msg_type, shared_secret, shared_secret_len, addr); return res; @@ -354,22 +496,37 @@ int radius_client_send(struct wpa_supplicant *wpa_s, struct radius_msg *msg, static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx) { - struct wpa_supplicant *wpa_s = (struct wpa_supplicant *) eloop_ctx; + struct radius_client_data *radius = eloop_ctx; + struct hostapd_radius_servers *conf = radius->conf; RadiusType msg_type = (RadiusType) sock_ctx; - int len, i; + int len, i, roundtrip; unsigned char buf[3000]; struct radius_msg *msg; struct radius_rx_handler *handlers; size_t num_handlers; struct radius_msg_list *req, *prev_req; + struct timeval tv; + struct hostapd_radius_server *rconf; + int invalid_authenticator = 0; - len = recv(sock, buf, sizeof(buf), 0); + if (msg_type == RADIUS_ACCT) { + handlers = radius->acct_handlers; + num_handlers = radius->num_acct_handlers; + rconf = conf->acct_server; + } else { + handlers = radius->auth_handlers; + num_handlers = radius->num_auth_handlers; + rconf = conf->auth_server; + } + + len = recv(sock, buf, sizeof(buf), MSG_DONTWAIT); if (len < 0) { perror("recv[RADIUS]"); return; } - HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL, - "Received %d bytes from RADIUS server\n", len); + hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS, + HOSTAPD_LEVEL_DEBUG, "Received %d bytes from RADIUS " + "server", len); if (len == sizeof(buf)) { printf("Possibly too long UDP frame for our buffer - " "dropping it\n"); @@ -379,24 +536,32 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx) msg = radius_msg_parse(buf, len); if (msg == NULL) { printf("Parsing incoming RADIUS frame failed\n"); + rconf->malformed_responses++; return; } - HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL, - "Received RADIUS message\n"); - if (HOSTAPD_DEBUG_COND(HOSTAPD_DEBUG_MSGDUMPS)) + hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS, + HOSTAPD_LEVEL_DEBUG, "Received RADIUS message"); + if (conf->msg_dumps) radius_msg_dump(msg); - if (msg_type == RADIUS_ACCT) { - handlers = wpa_s->radius->acct_handlers; - num_handlers = wpa_s->radius->num_acct_handlers; - } else { - handlers = wpa_s->radius->auth_handlers; - num_handlers = wpa_s->radius->num_auth_handlers; + switch (msg->hdr->code) { + case RADIUS_CODE_ACCESS_ACCEPT: + rconf->access_accepts++; + break; + case RADIUS_CODE_ACCESS_REJECT: + rconf->access_rejects++; + break; + case RADIUS_CODE_ACCESS_CHALLENGE: + rconf->access_challenges++; + break; + case RADIUS_CODE_ACCOUNTING_RESPONSE: + rconf->responses++; + break; } prev_req = NULL; - req = wpa_s->radius->msgs; + req = radius->msgs; while (req) { /* TODO: also match by src addr:port of the packet when using * alternative RADIUS servers (?) */ @@ -411,24 +576,34 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx) } if (req == NULL) { - HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL, - "No matching RADIUS request found (type=%d " - "id=%d) - dropping packet\n", - msg_type, msg->hdr->identifier); + hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS, + HOSTAPD_LEVEL_DEBUG, + "No matching RADIUS request found (type=%d " + "id=%d) - dropping packet", + msg_type, msg->hdr->identifier); goto fail; } + gettimeofday(&tv, NULL); + roundtrip = (tv.tv_sec - req->last_attempt.tv_sec) * 100 + + (tv.tv_usec - req->last_attempt.tv_usec) / 10000; + hostapd_logger(radius->ctx, req->addr, HOSTAPD_MODULE_RADIUS, + HOSTAPD_LEVEL_DEBUG, + "Received RADIUS packet matched with a pending " + "request, round trip time %d.%02d sec", + roundtrip / 100, roundtrip % 100); + rconf->round_trip_time = roundtrip; + /* Remove ACKed RADIUS packet from retransmit list */ if (prev_req) prev_req->next = req->next; else - wpa_s->radius->msgs = req->next; - wpa_s->radius->num_msgs--; + radius->msgs = req->next; + radius->num_msgs--; for (i = 0; i < num_handlers; i++) { RadiusRxResult res; - res = handlers[i].handler(wpa_s, msg, req->msg, - req->shared_secret, + res = handlers[i].handler(msg, req->msg, req->shared_secret, req->shared_secret_len, handlers[i].data); switch (res) { @@ -439,14 +614,25 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx) case RADIUS_RX_QUEUED: radius_client_msg_free(req); return; + case RADIUS_RX_INVALID_AUTHENTICATOR: + invalid_authenticator++; + /* continue */ case RADIUS_RX_UNKNOWN: /* continue with next handler */ break; } } - printf("No RADIUS RX handler found (type=%d code=%d id=%d) - dropping " - "packet\n", msg_type, msg->hdr->code, msg->hdr->identifier); + if (invalid_authenticator) + rconf->bad_authenticators++; + else + rconf->unknown_types++; + hostapd_logger(radius->ctx, req->addr, HOSTAPD_MODULE_RADIUS, + HOSTAPD_LEVEL_DEBUG, "No RADIUS RX handler found " + "(type=%d code=%d id=%d)%s - dropping packet", + msg_type, msg->hdr->code, msg->hdr->identifier, + invalid_authenticator ? " [INVALID AUTHENTICATOR]" : + ""); radius_client_msg_free(req); fail: @@ -455,24 +641,26 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx) } -u8 radius_client_get_id(struct wpa_supplicant *wpa_s) +u8 radius_client_get_id(struct radius_client_data *radius) { struct radius_msg_list *entry, *prev, *remove; - u8 id = wpa_s->radius->next_radius_identifier++; + u8 id = radius->next_radius_identifier++; /* remove entries with matching id from retransmit list to avoid * using new reply from the RADIUS server with an old request */ - entry = wpa_s->radius->msgs; + entry = radius->msgs; prev = NULL; while (entry) { if (entry->msg->hdr->identifier == id) { - HOSTAPD_DEBUG(HOSTAPD_DEBUG_MINIMAL, - "Removing pending RADIUS message, since " - "its id (%d) is reused\n", id); + hostapd_logger(radius->ctx, entry->addr, + HOSTAPD_MODULE_RADIUS, + HOSTAPD_LEVEL_DEBUG, + "Removing pending RADIUS message, " + "since its id (%d) is reused", id); if (prev) prev->next = entry->next; else - wpa_s->radius->msgs = entry->next; + radius->msgs = entry->next; remove = entry; } else remove = NULL; @@ -487,18 +675,18 @@ u8 radius_client_get_id(struct wpa_supplicant *wpa_s) } -void radius_client_flush(struct wpa_supplicant *wpa_s) +void radius_client_flush(struct radius_client_data *radius) { struct radius_msg_list *entry, *prev; - if (!wpa_s->radius) + if (!radius) return; - eloop_cancel_timeout(radius_client_timer, wpa_s, NULL); + eloop_cancel_timeout(radius_client_timer, radius, NULL); - entry = wpa_s->radius->msgs; - wpa_s->radius->msgs = NULL; - wpa_s->radius->num_msgs = 0; + entry = radius->msgs; + radius->msgs = NULL; + radius->num_msgs = 0; while (entry) { prev = entry; entry = entry->next; @@ -508,16 +696,26 @@ void radius_client_flush(struct wpa_supplicant *wpa_s) static int -radius_change_server(struct wpa_supplicant *wpa_s, struct hostapd_radius_server *nserv, +radius_change_server(struct radius_client_data *radius, + struct hostapd_radius_server *nserv, struct hostapd_radius_server *oserv, - int sock, int auth) + int sock, int sock6, int auth) { struct sockaddr_in serv; - - hostapd_logger(wpa_s, NULL, HOSTAPD_MODULE_RADIUS, HOSTAPD_LEVEL_INFO, +#ifdef CONFIG_IPV6 + struct sockaddr_in6 serv6; +#endif /* CONFIG_IPV6 */ + struct sockaddr *addr; + socklen_t addrlen; + char abuf[50]; + int sel_sock; + + hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS, + HOSTAPD_LEVEL_INFO, "%s server %s:%d", auth ? "Authentication" : "Accounting", - inet_ntoa(nserv->addr), nserv->port); + hostapd_ip_txt(&nserv->addr, abuf, sizeof(abuf)), + nserv->port); if (!oserv || nserv->shared_secret_len != oserv->shared_secret_len || memcmp(nserv->shared_secret, oserv->shared_secret, @@ -527,11 +725,11 @@ radius_change_server(struct wpa_supplicant *wpa_s, struct hostapd_radius_server * update all message authenticators and * User-Passwords, etc. and retry with new server. For * now, just drop all pending packets. */ - radius_client_flush(wpa_s); + radius_client_flush(radius); } else { /* Reset retry counters for the new server */ struct radius_msg_list *entry; - entry = wpa_s->radius->msgs; + entry = radius->msgs; while (entry) { entry->next_try = entry->first_try + RADIUS_CLIENT_FIRST_WAIT; @@ -539,136 +737,379 @@ radius_change_server(struct wpa_supplicant *wpa_s, struct hostapd_radius_server entry->next_wait = RADIUS_CLIENT_FIRST_WAIT * 2; entry = entry->next; } - if (wpa_s->radius->msgs) { - eloop_cancel_timeout(radius_client_timer, wpa_s, NULL); + if (radius->msgs) { + eloop_cancel_timeout(radius_client_timer, radius, + NULL); eloop_register_timeout(RADIUS_CLIENT_FIRST_WAIT, 0, - radius_client_timer, wpa_s, + radius_client_timer, radius, NULL); } } - memset(&serv, 0, sizeof(serv)); - serv.sin_family = AF_INET; - serv.sin_addr.s_addr = nserv->addr.s_addr; - serv.sin_port = htons(nserv->port); + switch (nserv->addr.af) { + case AF_INET: + memset(&serv, 0, sizeof(serv)); + serv.sin_family = AF_INET; + serv.sin_addr.s_addr = nserv->addr.u.v4.s_addr; + serv.sin_port = htons(nserv->port); + addr = (struct sockaddr *) &serv; + addrlen = sizeof(serv); + sel_sock = sock; + break; +#ifdef CONFIG_IPV6 + case AF_INET6: + memset(&serv6, 0, sizeof(serv6)); + serv6.sin6_family = AF_INET6; + memcpy(&serv6.sin6_addr, &nserv->addr.u.v6, + sizeof(struct in6_addr)); + serv6.sin6_port = htons(nserv->port); + addr = (struct sockaddr *) &serv6; + addrlen = sizeof(serv6); + sel_sock = sock6; + break; +#endif /* CONFIG_IPV6 */ + default: + return -1; + } - if (connect(sock, (struct sockaddr *) &serv, sizeof(serv)) < 0) { + if (connect(sel_sock, addr, addrlen) < 0) { perror("connect[radius]"); return -1; } + if (auth) + radius->auth_sock = sel_sock; + else + radius->acct_sock = sel_sock; + return 0; } static void radius_retry_primary_timer(void *eloop_ctx, void *timeout_ctx) { - struct wpa_supplicant *wpa_s = eloop_ctx; + struct radius_client_data *radius = eloop_ctx; + struct hostapd_radius_servers *conf = radius->conf; struct hostapd_radius_server *oserv; - if (wpa_s->radius->auth_serv_sock >= 0 && wpa_s->auth_servers && - wpa_s->auth_server != wpa_s->auth_servers) { - oserv = wpa_s->auth_server; - wpa_s->auth_server = wpa_s->auth_servers; - radius_change_server(wpa_s, wpa_s->auth_server, oserv, - wpa_s->radius->auth_serv_sock, 1); + if (radius->auth_sock >= 0 && conf->auth_servers && + conf->auth_server != conf->auth_servers) { + oserv = conf->auth_server; + conf->auth_server = conf->auth_servers; + radius_change_server(radius, conf->auth_server, oserv, + radius->auth_serv_sock, + radius->auth_serv_sock6, 1); } - if (wpa_s->radius->acct_serv_sock >= 0 && wpa_s->acct_servers && - wpa_s->acct_server != wpa_s->acct_servers) { - oserv = wpa_s->acct_server; - wpa_s->acct_server = wpa_s->acct_servers; - radius_change_server(wpa_s, wpa_s->acct_server, oserv, - wpa_s->radius->acct_serv_sock, 0); + if (radius->acct_sock >= 0 && conf->acct_servers && + conf->acct_server != conf->acct_servers) { + oserv = conf->acct_server; + conf->acct_server = conf->acct_servers; + radius_change_server(radius, conf->acct_server, oserv, + radius->acct_serv_sock, + radius->acct_serv_sock6, 0); } - if (wpa_s->radius_retry_primary_interval) - eloop_register_timeout(wpa_s-> - radius_retry_primary_interval, 0, - radius_retry_primary_timer, wpa_s, NULL); + if (conf->retry_primary_interval) + eloop_register_timeout(conf->retry_primary_interval, 0, + radius_retry_primary_timer, radius, + NULL); } -static int radius_client_init_auth(struct wpa_supplicant *wpa_s) +static int radius_client_init_auth(struct radius_client_data *radius) { - wpa_s->radius->auth_serv_sock = socket(PF_INET, SOCK_DGRAM, 0); - if (wpa_s->radius->auth_serv_sock < 0) { + struct hostapd_radius_servers *conf = radius->conf; + int ok = 0; + + radius->auth_serv_sock = socket(PF_INET, SOCK_DGRAM, 0); + if (radius->auth_serv_sock < 0) perror("socket[PF_INET,SOCK_DGRAM]"); + else + ok++; + +#ifdef CONFIG_IPV6 + radius->auth_serv_sock6 = socket(PF_INET6, SOCK_DGRAM, 0); + if (radius->auth_serv_sock6 < 0) + perror("socket[PF_INET6,SOCK_DGRAM]"); + else + ok++; +#endif /* CONFIG_IPV6 */ + + if (ok == 0) return -1; - } - radius_change_server(wpa_s, wpa_s->auth_server, NULL, - wpa_s->radius->auth_serv_sock, 1); + radius_change_server(radius, conf->auth_server, NULL, + radius->auth_serv_sock, radius->auth_serv_sock6, + 1); + + if (radius->auth_serv_sock >= 0 && + eloop_register_read_sock(radius->auth_serv_sock, + radius_client_receive, radius, + (void *) RADIUS_AUTH)) { + printf("Could not register read socket for authentication " + "server\n"); + return -1; + } - if (eloop_register_read_sock(wpa_s->radius->auth_serv_sock, - radius_client_receive, wpa_s, +#ifdef CONFIG_IPV6 + if (radius->auth_serv_sock6 >= 0 && + eloop_register_read_sock(radius->auth_serv_sock6, + radius_client_receive, radius, (void *) RADIUS_AUTH)) { printf("Could not register read socket for authentication " "server\n"); return -1; } +#endif /* CONFIG_IPV6 */ return 0; } -static int radius_client_init_acct(struct wpa_supplicant *wpa_s) +static int radius_client_init_acct(struct radius_client_data *radius) { - wpa_s->radius->acct_serv_sock = socket(PF_INET, SOCK_DGRAM, 0); - if (wpa_s->radius->acct_serv_sock < 0) { + struct hostapd_radius_servers *conf = radius->conf; + int ok = 0; + + radius->acct_serv_sock = socket(PF_INET, SOCK_DGRAM, 0); + if (radius->acct_serv_sock < 0) perror("socket[PF_INET,SOCK_DGRAM]"); + else + ok++; + + radius_change_server(radius, conf->acct_server, NULL, + radius->acct_serv_sock, radius->acct_serv_sock6, + 0); + + if (radius->acct_serv_sock >= 0 && + eloop_register_read_sock(radius->acct_serv_sock, + radius_client_receive, radius, + (void *) RADIUS_ACCT)) { + printf("Could not register read socket for accounting " + "server\n"); return -1; } - radius_change_server(wpa_s, wpa_s->acct_server, NULL, - wpa_s->radius->acct_serv_sock, 0); - - if (eloop_register_read_sock(wpa_s->radius->acct_serv_sock, - radius_client_receive, wpa_s, +#ifdef CONFIG_IPV6 + if (radius->acct_serv_sock6 >= 0 && + eloop_register_read_sock(radius->acct_serv_sock6, + radius_client_receive, radius, (void *) RADIUS_ACCT)) { printf("Could not register read socket for accounting " "server\n"); return -1; } +#endif /* CONFIG_IPV6 */ return 0; } -int radius_client_init(struct wpa_supplicant *wpa_s) +struct radius_client_data * +radius_client_init(void *ctx, struct hostapd_radius_servers *conf) { - wpa_s->radius = malloc(sizeof(struct radius_client_data)); - if (wpa_s->radius == NULL) - return -1; - - memset(wpa_s->radius, 0, sizeof(struct radius_client_data)); - wpa_s->radius->auth_serv_sock = wpa_s->radius->acct_serv_sock = -1; - - if (wpa_s->auth_server && radius_client_init_auth(wpa_s)) - return -1; + struct radius_client_data *radius; + + radius = malloc(sizeof(struct radius_client_data)); + if (radius == NULL) + return NULL; + + memset(radius, 0, sizeof(struct radius_client_data)); + radius->ctx = ctx; + radius->conf = conf; + radius->auth_serv_sock = radius->acct_serv_sock = + radius->auth_serv_sock6 = radius->acct_serv_sock6 = + radius->auth_sock = radius->acct_sock = -1; + + if (conf->auth_server && radius_client_init_auth(radius)) { + radius_client_deinit(radius); + return NULL; + } - if (wpa_s->acct_server && radius_client_init_acct(wpa_s)) - return -1; + if (conf->acct_server && radius_client_init_acct(radius)) { + radius_client_deinit(radius); + return NULL; + } - if (wpa_s->radius_retry_primary_interval) - eloop_register_timeout(wpa_s->radius_retry_primary_interval, 0, - radius_retry_primary_timer, wpa_s, + if (conf->retry_primary_interval) + eloop_register_timeout(conf->retry_primary_interval, 0, + radius_retry_primary_timer, radius, NULL); - return 0; + return radius; } -void radius_client_deinit(struct wpa_supplicant *wpa_s) +void radius_client_deinit(struct radius_client_data *radius) { - if (!wpa_s->radius) + if (!radius) return; - eloop_cancel_timeout(radius_retry_primary_timer, wpa_s, NULL); + eloop_cancel_timeout(radius_retry_primary_timer, radius, NULL); + + radius_client_flush(radius); + free(radius->auth_handlers); + free(radius->acct_handlers); + free(radius); +} + + +void radius_client_flush_auth(struct radius_client_data *radius, u8 *addr) +{ + struct radius_msg_list *entry, *prev, *tmp; + + prev = NULL; + entry = radius->msgs; + while (entry) { + if (entry->msg_type == RADIUS_AUTH && + memcmp(entry->addr, addr, ETH_ALEN) == 0) { + hostapd_logger(radius->ctx, addr, + HOSTAPD_MODULE_RADIUS, + HOSTAPD_LEVEL_DEBUG, + "Removing pending RADIUS authentication" + " message for removed client"); + + if (prev) + prev->next = entry->next; + else + radius->msgs = entry->next; + + tmp = entry; + entry = entry->next; + radius_client_msg_free(tmp); + radius->num_msgs--; + continue; + } + + prev = entry; + entry = entry->next; + } +} + + +static int radius_client_dump_auth_server(char *buf, size_t buflen, + struct hostapd_radius_server *serv, + struct radius_client_data *cli) +{ + int pending = 0; + struct radius_msg_list *msg; + char abuf[50]; + + if (cli) { + for (msg = cli->msgs; msg; msg = msg->next) { + if (msg->msg_type == RADIUS_AUTH) + pending++; + } + } + + return snprintf(buf, buflen, + "radiusAuthServerIndex=%d\n" + "radiusAuthServerAddress=%s\n" + "radiusAuthClientServerPortNumber=%d\n" + "radiusAuthClientRoundTripTime=%d\n" + "radiusAuthClientAccessRequests=%u\n" + "radiusAuthClientAccessRetransmissions=%u\n" + "radiusAuthClientAccessAccepts=%u\n" + "radiusAuthClientAccessRejects=%u\n" + "radiusAuthClientAccessChallenges=%u\n" + "radiusAuthClientMalformedAccessResponses=%u\n" + "radiusAuthClientBadAuthenticators=%u\n" + "radiusAuthClientPendingRequests=%u\n" + "radiusAuthClientTimeouts=%u\n" + "radiusAuthClientUnknownTypes=%u\n" + "radiusAuthClientPacketsDropped=%u\n", + serv->index, + hostapd_ip_txt(&serv->addr, abuf, sizeof(abuf)), + serv->port, + serv->round_trip_time, + serv->requests, + serv->retransmissions, + serv->access_accepts, + serv->access_rejects, + serv->access_challenges, + serv->malformed_responses, + serv->bad_authenticators, + pending, + serv->timeouts, + serv->unknown_types, + serv->packets_dropped); +} + + +static int radius_client_dump_acct_server(char *buf, size_t buflen, + struct hostapd_radius_server *serv, + struct radius_client_data *cli) +{ + int pending = 0; + struct radius_msg_list *msg; + char abuf[50]; + + if (cli) { + for (msg = cli->msgs; msg; msg = msg->next) { + if (msg->msg_type == RADIUS_ACCT || + msg->msg_type == RADIUS_ACCT_INTERIM) + pending++; + } + } + + return snprintf(buf, buflen, + "radiusAccServerIndex=%d\n" + "radiusAccServerAddress=%s\n" + "radiusAccClientServerPortNumber=%d\n" + "radiusAccClientRoundTripTime=%d\n" + "radiusAccClientRequests=%u\n" + "radiusAccClientRetransmissions=%u\n" + "radiusAccClientResponses=%u\n" + "radiusAccClientMalformedResponses=%u\n" + "radiusAccClientBadAuthenticators=%u\n" + "radiusAccClientPendingRequests=%u\n" + "radiusAccClientTimeouts=%u\n" + "radiusAccClientUnknownTypes=%u\n" + "radiusAccClientPacketsDropped=%u\n", + serv->index, + hostapd_ip_txt(&serv->addr, abuf, sizeof(abuf)), + serv->port, + serv->round_trip_time, + serv->requests, + serv->retransmissions, + serv->responses, + serv->malformed_responses, + serv->bad_authenticators, + pending, + serv->timeouts, + serv->unknown_types, + serv->packets_dropped); +} + + +int radius_client_get_mib(struct radius_client_data *radius, char *buf, + size_t buflen) +{ + struct hostapd_radius_servers *conf = radius->conf; + int i; + struct hostapd_radius_server *serv; + int count = 0; + + if (conf->auth_servers) { + for (i = 0; i < conf->num_auth_servers; i++) { + serv = &conf->auth_servers[i]; + count += radius_client_dump_auth_server( + buf + count, buflen - count, serv, + serv == conf->auth_server ? + radius : NULL); + } + } + + if (conf->acct_servers) { + for (i = 0; i < conf->num_acct_servers; i++) { + serv = &conf->acct_servers[i]; + count += radius_client_dump_acct_server( + buf + count, buflen - count, serv, + serv == conf->acct_server ? + radius : NULL); + } + } - radius_client_flush(wpa_s); - free(wpa_s->radius->auth_handlers); - free(wpa_s->radius->acct_handlers); - free(wpa_s->radius); - wpa_s->radius = NULL; + return count; } |