2 * RADIUS Dynamic Authorization Server (DAS) (RFC 5176)
3 * Copyright (c) 2012-2013, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "utils/common.h"
13 #include "utils/eloop.h"
14 #include "utils/ip_addr.h"
16 #include "radius_das.h"
19 struct radius_das_data {
22 size_t shared_secret_len;
23 struct hostapd_ip_addr client_addr;
24 unsigned int time_window;
25 int require_event_timestamp;
26 int require_message_authenticator;
28 enum radius_das_res (*disconnect)(void *ctx,
29 struct radius_das_attrs *attr);
30 enum radius_das_res (*coa)(void *ctx, struct radius_das_attrs *attr);
34 static struct radius_msg * radius_das_disconnect(struct radius_das_data *das,
35 struct radius_msg *msg,
39 struct radius_hdr *hdr;
40 struct radius_msg *reply;
42 RADIUS_ATTR_USER_NAME,
43 RADIUS_ATTR_NAS_IP_ADDRESS,
44 RADIUS_ATTR_CALLING_STATION_ID,
45 RADIUS_ATTR_NAS_IDENTIFIER,
46 RADIUS_ATTR_ACCT_SESSION_ID,
47 RADIUS_ATTR_ACCT_MULTI_SESSION_ID,
48 RADIUS_ATTR_EVENT_TIMESTAMP,
49 RADIUS_ATTR_MESSAGE_AUTHENTICATOR,
50 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
52 RADIUS_ATTR_NAS_IPV6_ADDRESS,
53 #endif /* CONFIG_IPV6 */
58 enum radius_das_res res;
59 struct radius_das_attrs attrs;
63 u8 sta_addr[ETH_ALEN];
65 hdr = radius_msg_get_hdr(msg);
67 attr = radius_msg_find_unlisted_attr(msg, allowed);
69 wpa_printf(MSG_INFO, "DAS: Unsupported attribute %u in "
70 "Disconnect-Request from %s:%d", attr,
76 os_memset(&attrs, 0, sizeof(attrs));
78 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IP_ADDRESS,
79 &buf, &len, NULL) == 0) {
81 wpa_printf(MSG_INFO, "DAS: Invalid NAS-IP-Address from %s:%d",
86 attrs.nas_ip_addr = buf;
90 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS,
91 &buf, &len, NULL) == 0) {
93 wpa_printf(MSG_INFO, "DAS: Invalid NAS-IPv6-Address from %s:%d",
98 attrs.nas_ipv6_addr = buf;
100 #endif /* CONFIG_IPV6 */
102 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IDENTIFIER,
103 &buf, &len, NULL) == 0) {
104 attrs.nas_identifier = buf;
105 attrs.nas_identifier_len = len;
108 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CALLING_STATION_ID,
109 &buf, &len, NULL) == 0) {
110 if (len >= sizeof(tmp))
111 len = sizeof(tmp) - 1;
112 os_memcpy(tmp, buf, len);
114 if (hwaddr_aton2(tmp, sta_addr) < 0) {
115 wpa_printf(MSG_INFO, "DAS: Invalid Calling-Station-Id "
116 "'%s' from %s:%d", tmp, abuf, from_port);
120 attrs.sta_addr = sta_addr;
123 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME,
124 &buf, &len, NULL) == 0) {
125 attrs.user_name = buf;
126 attrs.user_name_len = len;
129 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_ACCT_SESSION_ID,
130 &buf, &len, NULL) == 0) {
131 attrs.acct_session_id = buf;
132 attrs.acct_session_id_len = len;
135 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_ACCT_MULTI_SESSION_ID,
136 &buf, &len, NULL) == 0) {
137 attrs.acct_multi_session_id = buf;
138 attrs.acct_multi_session_id_len = len;
141 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
142 &buf, &len, NULL) == 0) {
147 res = das->disconnect(das->ctx, &attrs);
149 case RADIUS_DAS_NAS_MISMATCH:
150 wpa_printf(MSG_INFO, "DAS: NAS mismatch from %s:%d",
154 case RADIUS_DAS_SESSION_NOT_FOUND:
155 wpa_printf(MSG_INFO, "DAS: Session not found for request from "
156 "%s:%d", abuf, from_port);
159 case RADIUS_DAS_MULTI_SESSION_MATCH:
161 "DAS: Multiple sessions match for request from %s:%d",
165 case RADIUS_DAS_COA_FAILED:
166 /* not used with Disconnect-Request */
169 case RADIUS_DAS_SUCCESS:
175 reply = radius_msg_new(error ? RADIUS_CODE_DISCONNECT_NAK :
176 RADIUS_CODE_DISCONNECT_ACK, hdr->identifier);
181 if (!radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE,
183 radius_msg_free(reply);
192 static struct radius_msg * radius_das_coa(struct radius_das_data *das,
193 struct radius_msg *msg,
194 const char *abuf, int from_port)
196 struct radius_hdr *hdr;
197 struct radius_msg *reply;
199 RADIUS_ATTR_USER_NAME,
200 RADIUS_ATTR_NAS_IP_ADDRESS,
201 RADIUS_ATTR_CALLING_STATION_ID,
202 RADIUS_ATTR_NAS_IDENTIFIER,
203 RADIUS_ATTR_ACCT_SESSION_ID,
204 RADIUS_ATTR_ACCT_MULTI_SESSION_ID,
205 RADIUS_ATTR_EVENT_TIMESTAMP,
206 RADIUS_ATTR_MESSAGE_AUTHENTICATOR,
207 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
209 RADIUS_ATTR_VENDOR_SPECIFIC,
210 #endif /* CONFIG_HS20 */
212 RADIUS_ATTR_NAS_IPV6_ADDRESS,
213 #endif /* CONFIG_IPV6 */
218 enum radius_das_res res;
219 struct radius_das_attrs attrs;
223 u8 sta_addr[ETH_ALEN];
225 hdr = radius_msg_get_hdr(msg);
228 wpa_printf(MSG_INFO, "DAS: CoA not supported");
232 attr = radius_msg_find_unlisted_attr(msg, allowed);
235 "DAS: Unsupported attribute %u in CoA-Request from %s:%d",
236 attr, abuf, from_port);
241 os_memset(&attrs, 0, sizeof(attrs));
243 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IP_ADDRESS,
244 &buf, &len, NULL) == 0) {
246 wpa_printf(MSG_INFO, "DAS: Invalid NAS-IP-Address from %s:%d",
251 attrs.nas_ip_addr = buf;
255 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS,
256 &buf, &len, NULL) == 0) {
258 wpa_printf(MSG_INFO, "DAS: Invalid NAS-IPv6-Address from %s:%d",
263 attrs.nas_ipv6_addr = buf;
265 #endif /* CONFIG_IPV6 */
267 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IDENTIFIER,
268 &buf, &len, NULL) == 0) {
269 attrs.nas_identifier = buf;
270 attrs.nas_identifier_len = len;
273 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CALLING_STATION_ID,
274 &buf, &len, NULL) == 0) {
275 if (len >= sizeof(tmp))
276 len = sizeof(tmp) - 1;
277 os_memcpy(tmp, buf, len);
279 if (hwaddr_aton2(tmp, sta_addr) < 0) {
280 wpa_printf(MSG_INFO, "DAS: Invalid Calling-Station-Id "
281 "'%s' from %s:%d", tmp, abuf, from_port);
285 attrs.sta_addr = sta_addr;
288 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME,
289 &buf, &len, NULL) == 0) {
290 attrs.user_name = buf;
291 attrs.user_name_len = len;
294 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_ACCT_SESSION_ID,
295 &buf, &len, NULL) == 0) {
296 attrs.acct_session_id = buf;
297 attrs.acct_session_id_len = len;
300 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_ACCT_MULTI_SESSION_ID,
301 &buf, &len, NULL) == 0) {
302 attrs.acct_multi_session_id = buf;
303 attrs.acct_multi_session_id_len = len;
306 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
307 &buf, &len, NULL) == 0) {
313 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_VENDOR_SPECIFIC,
314 &buf, &len, NULL) == 0) {
315 if (len < 10 || WPA_GET_BE32(buf) != RADIUS_VENDOR_ID_WFA ||
316 buf[4] != RADIUS_VENDOR_ATTR_WFA_HS20_T_C_FILTERING ||
319 "DAS: Unsupported attribute %u in CoA-Request from %s:%d",
320 attr, abuf, from_port);
324 attrs.hs20_t_c_filtering = &buf[6];
327 if (!attrs.hs20_t_c_filtering) {
329 "DAS: No supported authorization change attribute in CoA-Request from %s:%d",
334 #endif /* CONFIG_HS20 */
336 res = das->coa(das->ctx, &attrs);
338 case RADIUS_DAS_NAS_MISMATCH:
339 wpa_printf(MSG_INFO, "DAS: NAS mismatch from %s:%d",
343 case RADIUS_DAS_SESSION_NOT_FOUND:
345 "DAS: Session not found for request from %s:%d",
349 case RADIUS_DAS_MULTI_SESSION_MATCH:
351 "DAS: Multiple sessions match for request from %s:%d",
355 case RADIUS_DAS_COA_FAILED:
356 wpa_printf(MSG_INFO, "DAS: CoA failed for request from %s:%d",
360 case RADIUS_DAS_SUCCESS:
366 reply = radius_msg_new(error ? RADIUS_CODE_COA_NAK :
367 RADIUS_CODE_COA_ACK, hdr->identifier);
372 !radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE, error)) {
373 radius_msg_free(reply);
381 static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx)
383 struct radius_das_data *das = eloop_ctx;
386 struct sockaddr_storage ss;
387 struct sockaddr_in sin;
389 struct sockaddr_in6 sin6;
390 #endif /* CONFIG_IPV6 */
396 struct radius_msg *msg, *reply = NULL;
397 struct radius_hdr *hdr;
403 fromlen = sizeof(from);
404 len = recvfrom(sock, buf, sizeof(buf), 0,
405 (struct sockaddr *) &from.ss, &fromlen);
407 wpa_printf(MSG_ERROR, "DAS: recvfrom: %s", strerror(errno));
411 os_strlcpy(abuf, inet_ntoa(from.sin.sin_addr), sizeof(abuf));
412 from_port = ntohs(from.sin.sin_port);
414 wpa_printf(MSG_DEBUG, "DAS: Received %d bytes from %s:%d",
415 len, abuf, from_port);
416 if (das->client_addr.u.v4.s_addr &&
417 das->client_addr.u.v4.s_addr != from.sin.sin_addr.s_addr) {
418 wpa_printf(MSG_DEBUG, "DAS: Drop message from unknown client");
422 msg = radius_msg_parse(buf, len);
424 wpa_printf(MSG_DEBUG, "DAS: Parsing incoming RADIUS packet "
425 "from %s:%d failed", abuf, from_port);
429 if (wpa_debug_level <= MSG_MSGDUMP)
430 radius_msg_dump(msg);
432 if (radius_msg_verify_das_req(msg, das->shared_secret,
433 das->shared_secret_len,
434 das->require_message_authenticator)) {
435 wpa_printf(MSG_DEBUG,
436 "DAS: Invalid authenticator or Message-Authenticator in packet from %s:%d - drop",
442 res = radius_msg_get_attr(msg, RADIUS_ATTR_EVENT_TIMESTAMP,
445 u32 timestamp = ntohl(val);
446 if ((unsigned int) abs((int) (now.sec - timestamp)) >
448 wpa_printf(MSG_DEBUG, "DAS: Unacceptable "
449 "Event-Timestamp (%u; local time %u) in "
450 "packet from %s:%d - drop",
451 timestamp, (unsigned int) now.sec,
455 } else if (das->require_event_timestamp) {
456 wpa_printf(MSG_DEBUG, "DAS: Missing Event-Timestamp in packet "
457 "from %s:%d - drop", abuf, from_port);
461 hdr = radius_msg_get_hdr(msg);
464 case RADIUS_CODE_DISCONNECT_REQUEST:
465 reply = radius_das_disconnect(das, msg, abuf, from_port);
467 case RADIUS_CODE_COA_REQUEST:
468 reply = radius_das_coa(das, msg, abuf, from_port);
471 wpa_printf(MSG_DEBUG, "DAS: Unexpected RADIUS code %u in "
473 hdr->code, abuf, from_port);
477 wpa_printf(MSG_DEBUG, "DAS: Reply to %s:%d", abuf, from_port);
479 if (!radius_msg_add_attr_int32(reply,
480 RADIUS_ATTR_EVENT_TIMESTAMP,
482 wpa_printf(MSG_DEBUG, "DAS: Failed to add "
483 "Event-Timestamp attribute");
486 if (radius_msg_finish_das_resp(reply, das->shared_secret,
487 das->shared_secret_len, hdr) <
489 wpa_printf(MSG_DEBUG, "DAS: Failed to add "
490 "Message-Authenticator attribute");
493 if (wpa_debug_level <= MSG_MSGDUMP)
494 radius_msg_dump(reply);
496 rbuf = radius_msg_get_buf(reply);
497 res = sendto(das->sock, wpabuf_head(rbuf),
499 (struct sockaddr *) &from.ss, fromlen);
501 wpa_printf(MSG_ERROR, "DAS: sendto(to %s:%d): %s",
502 abuf, from_port, strerror(errno));
507 radius_msg_free(msg);
508 radius_msg_free(reply);
512 static int radius_das_open_socket(int port)
515 struct sockaddr_in addr;
517 s = socket(PF_INET, SOCK_DGRAM, 0);
519 wpa_printf(MSG_INFO, "RADIUS DAS: socket: %s", strerror(errno));
523 os_memset(&addr, 0, sizeof(addr));
524 addr.sin_family = AF_INET;
525 addr.sin_port = htons(port);
526 if (bind(s, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
527 wpa_printf(MSG_INFO, "RADIUS DAS: bind: %s", strerror(errno));
536 struct radius_das_data *
537 radius_das_init(struct radius_das_conf *conf)
539 struct radius_das_data *das;
541 if (conf->port == 0 || conf->shared_secret == NULL ||
542 conf->client_addr == NULL)
545 das = os_zalloc(sizeof(*das));
549 das->time_window = conf->time_window;
550 das->require_event_timestamp = conf->require_event_timestamp;
551 das->require_message_authenticator =
552 conf->require_message_authenticator;
553 das->ctx = conf->ctx;
554 das->disconnect = conf->disconnect;
555 das->coa = conf->coa;
557 os_memcpy(&das->client_addr, conf->client_addr,
558 sizeof(das->client_addr));
560 das->shared_secret = os_memdup(conf->shared_secret,
561 conf->shared_secret_len);
562 if (das->shared_secret == NULL) {
563 radius_das_deinit(das);
566 das->shared_secret_len = conf->shared_secret_len;
568 das->sock = radius_das_open_socket(conf->port);
570 wpa_printf(MSG_ERROR, "Failed to open UDP socket for RADIUS "
572 radius_das_deinit(das);
576 if (eloop_register_read_sock(das->sock, radius_das_receive, das, NULL))
578 radius_das_deinit(das);
586 void radius_das_deinit(struct radius_das_data *das)
591 if (das->sock >= 0) {
592 eloop_unregister_read_sock(das->sock);
596 os_free(das->shared_secret);