1 /*
2 * RADIUS Dynamic Authorization Server (DAS) (RFC 5176)
3 * Copyright (c) 2012-2013, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10 #include <net/if.h>
11
12 #include "utils/common.h"
13 #include "utils/eloop.h"
14 #include "utils/ip_addr.h"
15 #include "radius.h"
16 #include "radius_das.h"
17
18
19 struct radius_das_data {
20 int sock;
21 u8 *shared_secret;
22 size_t shared_secret_len;
23 struct hostapd_ip_addr client_addr;
24 unsigned int time_window;
25 int require_event_timestamp;
26 void *ctx;
27 enum radius_das_res (*disconnect)(void *ctx,
28 struct radius_das_attrs *attr);
29 };
30
31
radius_das_disconnect(struct radius_das_data * das,struct radius_msg * msg,const char * abuf,int from_port)32 static struct radius_msg * radius_das_disconnect(struct radius_das_data *das,
33 struct radius_msg *msg,
34 const char *abuf,
35 int from_port)
36 {
37 struct radius_hdr *hdr;
38 struct radius_msg *reply;
39 u8 allowed[] = {
40 RADIUS_ATTR_USER_NAME,
41 RADIUS_ATTR_NAS_IP_ADDRESS,
42 RADIUS_ATTR_CALLING_STATION_ID,
43 RADIUS_ATTR_NAS_IDENTIFIER,
44 RADIUS_ATTR_ACCT_SESSION_ID,
45 RADIUS_ATTR_ACCT_MULTI_SESSION_ID,
46 RADIUS_ATTR_EVENT_TIMESTAMP,
47 RADIUS_ATTR_MESSAGE_AUTHENTICATOR,
48 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
49 #ifdef CONFIG_IPV6
50 RADIUS_ATTR_NAS_IPV6_ADDRESS,
51 #endif /* CONFIG_IPV6 */
52 0
53 };
54 int error = 405;
55 u8 attr;
56 enum radius_das_res res;
57 struct radius_das_attrs attrs;
58 u8 *buf;
59 size_t len;
60 char tmp[100];
61 u8 sta_addr[ETH_ALEN];
62
63 hdr = radius_msg_get_hdr(msg);
64
65 attr = radius_msg_find_unlisted_attr(msg, allowed);
66 if (attr) {
67 wpa_printf(MSG_INFO, "DAS: Unsupported attribute %u in "
68 "Disconnect-Request from %s:%d", attr,
69 abuf, from_port);
70 error = 401;
71 goto fail;
72 }
73
74 os_memset(&attrs, 0, sizeof(attrs));
75
76 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IP_ADDRESS,
77 &buf, &len, NULL) == 0) {
78 if (len != 4) {
79 wpa_printf(MSG_INFO, "DAS: Invalid NAS-IP-Address from %s:%d",
80 abuf, from_port);
81 error = 407;
82 goto fail;
83 }
84 attrs.nas_ip_addr = buf;
85 }
86
87 #ifdef CONFIG_IPV6
88 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS,
89 &buf, &len, NULL) == 0) {
90 if (len != 16) {
91 wpa_printf(MSG_INFO, "DAS: Invalid NAS-IPv6-Address from %s:%d",
92 abuf, from_port);
93 error = 407;
94 goto fail;
95 }
96 attrs.nas_ipv6_addr = buf;
97 }
98 #endif /* CONFIG_IPV6 */
99
100 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IDENTIFIER,
101 &buf, &len, NULL) == 0) {
102 attrs.nas_identifier = buf;
103 attrs.nas_identifier_len = len;
104 }
105
106 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CALLING_STATION_ID,
107 &buf, &len, NULL) == 0) {
108 if (len >= sizeof(tmp))
109 len = sizeof(tmp) - 1;
110 os_memcpy(tmp, buf, len);
111 tmp[len] = '\0';
112 if (hwaddr_aton2(tmp, sta_addr) < 0) {
113 wpa_printf(MSG_INFO, "DAS: Invalid Calling-Station-Id "
114 "'%s' from %s:%d", tmp, abuf, from_port);
115 error = 407;
116 goto fail;
117 }
118 attrs.sta_addr = sta_addr;
119 }
120
121 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME,
122 &buf, &len, NULL) == 0) {
123 attrs.user_name = buf;
124 attrs.user_name_len = len;
125 }
126
127 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_ACCT_SESSION_ID,
128 &buf, &len, NULL) == 0) {
129 attrs.acct_session_id = buf;
130 attrs.acct_session_id_len = len;
131 }
132
133 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_ACCT_MULTI_SESSION_ID,
134 &buf, &len, NULL) == 0) {
135 attrs.acct_multi_session_id = buf;
136 attrs.acct_multi_session_id_len = len;
137 }
138
139 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
140 &buf, &len, NULL) == 0) {
141 attrs.cui = buf;
142 attrs.cui_len = len;
143 }
144
145 res = das->disconnect(das->ctx, &attrs);
146 switch (res) {
147 case RADIUS_DAS_NAS_MISMATCH:
148 wpa_printf(MSG_INFO, "DAS: NAS mismatch from %s:%d",
149 abuf, from_port);
150 error = 403;
151 break;
152 case RADIUS_DAS_SESSION_NOT_FOUND:
153 wpa_printf(MSG_INFO, "DAS: Session not found for request from "
154 "%s:%d", abuf, from_port);
155 error = 503;
156 break;
157 case RADIUS_DAS_MULTI_SESSION_MATCH:
158 wpa_printf(MSG_INFO,
159 "DAS: Multiple sessions match for request from %s:%d",
160 abuf, from_port);
161 error = 508;
162 break;
163 case RADIUS_DAS_SUCCESS:
164 error = 0;
165 break;
166 }
167
168 fail:
169 reply = radius_msg_new(error ? RADIUS_CODE_DISCONNECT_NAK :
170 RADIUS_CODE_DISCONNECT_ACK, hdr->identifier);
171 if (reply == NULL)
172 return NULL;
173
174 if (error) {
175 if (!radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE,
176 error)) {
177 radius_msg_free(reply);
178 return NULL;
179 }
180 }
181
182 return reply;
183 }
184
185
radius_das_receive(int sock,void * eloop_ctx,void * sock_ctx)186 static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx)
187 {
188 struct radius_das_data *das = eloop_ctx;
189 u8 buf[1500];
190 union {
191 struct sockaddr_storage ss;
192 struct sockaddr_in sin;
193 #ifdef CONFIG_IPV6
194 struct sockaddr_in6 sin6;
195 #endif /* CONFIG_IPV6 */
196 } from;
197 char abuf[50];
198 int from_port = 0;
199 socklen_t fromlen;
200 int len;
201 struct radius_msg *msg, *reply = NULL;
202 struct radius_hdr *hdr;
203 struct wpabuf *rbuf;
204 u32 val;
205 int res;
206 struct os_time now;
207
208 fromlen = sizeof(from);
209 len = recvfrom(sock, buf, sizeof(buf), 0,
210 (struct sockaddr *) &from.ss, &fromlen);
211 if (len < 0) {
212 wpa_printf(MSG_ERROR, "DAS: recvfrom: %s", strerror(errno));
213 return;
214 }
215
216 os_strlcpy(abuf, inet_ntoa(from.sin.sin_addr), sizeof(abuf));
217 from_port = ntohs(from.sin.sin_port);
218
219 wpa_printf(MSG_DEBUG, "DAS: Received %d bytes from %s:%d",
220 len, abuf, from_port);
221 if (das->client_addr.u.v4.s_addr != from.sin.sin_addr.s_addr) {
222 wpa_printf(MSG_DEBUG, "DAS: Drop message from unknown client");
223 return;
224 }
225
226 msg = radius_msg_parse(buf, len);
227 if (msg == NULL) {
228 wpa_printf(MSG_DEBUG, "DAS: Parsing incoming RADIUS packet "
229 "from %s:%d failed", abuf, from_port);
230 return;
231 }
232
233 if (wpa_debug_level <= MSG_MSGDUMP)
234 radius_msg_dump(msg);
235
236 if (radius_msg_verify_das_req(msg, das->shared_secret,
237 das->shared_secret_len)) {
238 wpa_printf(MSG_DEBUG, "DAS: Invalid authenticator in packet "
239 "from %s:%d - drop", abuf, from_port);
240 goto fail;
241 }
242
243 os_get_time(&now);
244 res = radius_msg_get_attr(msg, RADIUS_ATTR_EVENT_TIMESTAMP,
245 (u8 *) &val, 4);
246 if (res == 4) {
247 u32 timestamp = ntohl(val);
248 if ((unsigned int) abs(now.sec - timestamp) >
249 das->time_window) {
250 wpa_printf(MSG_DEBUG, "DAS: Unacceptable "
251 "Event-Timestamp (%u; local time %u) in "
252 "packet from %s:%d - drop",
253 timestamp, (unsigned int) now.sec,
254 abuf, from_port);
255 goto fail;
256 }
257 } else if (das->require_event_timestamp) {
258 wpa_printf(MSG_DEBUG, "DAS: Missing Event-Timestamp in packet "
259 "from %s:%d - drop", abuf, from_port);
260 goto fail;
261 }
262
263 hdr = radius_msg_get_hdr(msg);
264
265 switch (hdr->code) {
266 case RADIUS_CODE_DISCONNECT_REQUEST:
267 reply = radius_das_disconnect(das, msg, abuf, from_port);
268 break;
269 case RADIUS_CODE_COA_REQUEST:
270 /* TODO */
271 reply = radius_msg_new(RADIUS_CODE_COA_NAK,
272 hdr->identifier);
273 if (reply == NULL)
274 break;
275
276 /* Unsupported Service */
277 if (!radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE,
278 405)) {
279 radius_msg_free(reply);
280 reply = NULL;
281 break;
282 }
283 break;
284 default:
285 wpa_printf(MSG_DEBUG, "DAS: Unexpected RADIUS code %u in "
286 "packet from %s:%d",
287 hdr->code, abuf, from_port);
288 }
289
290 if (reply) {
291 wpa_printf(MSG_DEBUG, "DAS: Reply to %s:%d", abuf, from_port);
292
293 if (!radius_msg_add_attr_int32(reply,
294 RADIUS_ATTR_EVENT_TIMESTAMP,
295 now.sec)) {
296 wpa_printf(MSG_DEBUG, "DAS: Failed to add "
297 "Event-Timestamp attribute");
298 }
299
300 if (radius_msg_finish_das_resp(reply, das->shared_secret,
301 das->shared_secret_len, hdr) <
302 0) {
303 wpa_printf(MSG_DEBUG, "DAS: Failed to add "
304 "Message-Authenticator attribute");
305 }
306
307 if (wpa_debug_level <= MSG_MSGDUMP)
308 radius_msg_dump(reply);
309
310 rbuf = radius_msg_get_buf(reply);
311 res = sendto(das->sock, wpabuf_head(rbuf),
312 wpabuf_len(rbuf), 0,
313 (struct sockaddr *) &from.ss, fromlen);
314 if (res < 0) {
315 wpa_printf(MSG_ERROR, "DAS: sendto(to %s:%d): %s",
316 abuf, from_port, strerror(errno));
317 }
318 }
319
320 fail:
321 radius_msg_free(msg);
322 radius_msg_free(reply);
323 }
324
325
radius_das_open_socket(int port)326 static int radius_das_open_socket(int port)
327 {
328 int s;
329 struct sockaddr_in addr;
330
331 s = socket(PF_INET, SOCK_DGRAM, 0);
332 if (s < 0) {
333 wpa_printf(MSG_INFO, "RADIUS DAS: socket: %s", strerror(errno));
334 return -1;
335 }
336
337 os_memset(&addr, 0, sizeof(addr));
338 addr.sin_family = AF_INET;
339 addr.sin_port = htons(port);
340 if (bind(s, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
341 wpa_printf(MSG_INFO, "RADIUS DAS: bind: %s", strerror(errno));
342 close(s);
343 return -1;
344 }
345
346 return s;
347 }
348
349
350 struct radius_das_data *
radius_das_init(struct radius_das_conf * conf)351 radius_das_init(struct radius_das_conf *conf)
352 {
353 struct radius_das_data *das;
354
355 if (conf->port == 0 || conf->shared_secret == NULL ||
356 conf->client_addr == NULL)
357 return NULL;
358
359 das = os_zalloc(sizeof(*das));
360 if (das == NULL)
361 return NULL;
362
363 das->time_window = conf->time_window;
364 das->require_event_timestamp = conf->require_event_timestamp;
365 das->ctx = conf->ctx;
366 das->disconnect = conf->disconnect;
367
368 os_memcpy(&das->client_addr, conf->client_addr,
369 sizeof(das->client_addr));
370
371 das->shared_secret = os_malloc(conf->shared_secret_len);
372 if (das->shared_secret == NULL) {
373 radius_das_deinit(das);
374 return NULL;
375 }
376 os_memcpy(das->shared_secret, conf->shared_secret,
377 conf->shared_secret_len);
378 das->shared_secret_len = conf->shared_secret_len;
379
380 das->sock = radius_das_open_socket(conf->port);
381 if (das->sock < 0) {
382 wpa_printf(MSG_ERROR, "Failed to open UDP socket for RADIUS "
383 "DAS");
384 radius_das_deinit(das);
385 return NULL;
386 }
387
388 if (eloop_register_read_sock(das->sock, radius_das_receive, das, NULL))
389 {
390 radius_das_deinit(das);
391 return NULL;
392 }
393
394 return das;
395 }
396
397
radius_das_deinit(struct radius_das_data * das)398 void radius_das_deinit(struct radius_das_data *das)
399 {
400 if (das == NULL)
401 return;
402
403 if (das->sock >= 0) {
404 eloop_unregister_read_sock(das->sock);
405 close(das->sock);
406 }
407
408 os_free(das->shared_secret);
409 os_free(das);
410 }
411