1 /*
2 * RADIUS Dynamic Authorization Server (DAS) (RFC 5176)
3 * Copyright (c) 2012-2013, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10 #include <net/if.h>
11
12 #include "utils/common.h"
13 #include "utils/eloop.h"
14 #include "utils/ip_addr.h"
15 #include "radius.h"
16 #include "radius_das.h"
17
18
19 struct radius_das_data {
20 int sock;
21 u8 *shared_secret;
22 size_t shared_secret_len;
23 struct hostapd_ip_addr client_addr;
24 unsigned int time_window;
25 int require_event_timestamp;
26 int require_message_authenticator;
27 void *ctx;
28 enum radius_das_res (*disconnect)(void *ctx,
29 struct radius_das_attrs *attr);
30 };
31
32
radius_das_disconnect(struct radius_das_data * das,struct radius_msg * msg,const char * abuf,int from_port)33 static struct radius_msg * radius_das_disconnect(struct radius_das_data *das,
34 struct radius_msg *msg,
35 const char *abuf,
36 int from_port)
37 {
38 struct radius_hdr *hdr;
39 struct radius_msg *reply;
40 u8 allowed[] = {
41 RADIUS_ATTR_USER_NAME,
42 RADIUS_ATTR_NAS_IP_ADDRESS,
43 RADIUS_ATTR_CALLING_STATION_ID,
44 RADIUS_ATTR_NAS_IDENTIFIER,
45 RADIUS_ATTR_ACCT_SESSION_ID,
46 RADIUS_ATTR_ACCT_MULTI_SESSION_ID,
47 RADIUS_ATTR_EVENT_TIMESTAMP,
48 RADIUS_ATTR_MESSAGE_AUTHENTICATOR,
49 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
50 #ifdef CONFIG_IPV6
51 RADIUS_ATTR_NAS_IPV6_ADDRESS,
52 #endif /* CONFIG_IPV6 */
53 0
54 };
55 int error = 405;
56 u8 attr;
57 enum radius_das_res res;
58 struct radius_das_attrs attrs;
59 u8 *buf;
60 size_t len;
61 char tmp[100];
62 u8 sta_addr[ETH_ALEN];
63
64 hdr = radius_msg_get_hdr(msg);
65
66 attr = radius_msg_find_unlisted_attr(msg, allowed);
67 if (attr) {
68 wpa_printf(MSG_INFO, "DAS: Unsupported attribute %u in "
69 "Disconnect-Request from %s:%d", attr,
70 abuf, from_port);
71 error = 401;
72 goto fail;
73 }
74
75 os_memset(&attrs, 0, sizeof(attrs));
76
77 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IP_ADDRESS,
78 &buf, &len, NULL) == 0) {
79 if (len != 4) {
80 wpa_printf(MSG_INFO, "DAS: Invalid NAS-IP-Address from %s:%d",
81 abuf, from_port);
82 error = 407;
83 goto fail;
84 }
85 attrs.nas_ip_addr = buf;
86 }
87
88 #ifdef CONFIG_IPV6
89 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS,
90 &buf, &len, NULL) == 0) {
91 if (len != 16) {
92 wpa_printf(MSG_INFO, "DAS: Invalid NAS-IPv6-Address from %s:%d",
93 abuf, from_port);
94 error = 407;
95 goto fail;
96 }
97 attrs.nas_ipv6_addr = buf;
98 }
99 #endif /* CONFIG_IPV6 */
100
101 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IDENTIFIER,
102 &buf, &len, NULL) == 0) {
103 attrs.nas_identifier = buf;
104 attrs.nas_identifier_len = len;
105 }
106
107 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CALLING_STATION_ID,
108 &buf, &len, NULL) == 0) {
109 if (len >= sizeof(tmp))
110 len = sizeof(tmp) - 1;
111 os_memcpy(tmp, buf, len);
112 tmp[len] = '\0';
113 if (hwaddr_aton2(tmp, sta_addr) < 0) {
114 wpa_printf(MSG_INFO, "DAS: Invalid Calling-Station-Id "
115 "'%s' from %s:%d", tmp, abuf, from_port);
116 error = 407;
117 goto fail;
118 }
119 attrs.sta_addr = sta_addr;
120 }
121
122 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME,
123 &buf, &len, NULL) == 0) {
124 attrs.user_name = buf;
125 attrs.user_name_len = len;
126 }
127
128 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_ACCT_SESSION_ID,
129 &buf, &len, NULL) == 0) {
130 attrs.acct_session_id = buf;
131 attrs.acct_session_id_len = len;
132 }
133
134 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_ACCT_MULTI_SESSION_ID,
135 &buf, &len, NULL) == 0) {
136 attrs.acct_multi_session_id = buf;
137 attrs.acct_multi_session_id_len = len;
138 }
139
140 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
141 &buf, &len, NULL) == 0) {
142 attrs.cui = buf;
143 attrs.cui_len = len;
144 }
145
146 res = das->disconnect(das->ctx, &attrs);
147 switch (res) {
148 case RADIUS_DAS_NAS_MISMATCH:
149 wpa_printf(MSG_INFO, "DAS: NAS mismatch from %s:%d",
150 abuf, from_port);
151 error = 403;
152 break;
153 case RADIUS_DAS_SESSION_NOT_FOUND:
154 wpa_printf(MSG_INFO, "DAS: Session not found for request from "
155 "%s:%d", abuf, from_port);
156 error = 503;
157 break;
158 case RADIUS_DAS_MULTI_SESSION_MATCH:
159 wpa_printf(MSG_INFO,
160 "DAS: Multiple sessions match for request from %s:%d",
161 abuf, from_port);
162 error = 508;
163 break;
164 case RADIUS_DAS_SUCCESS:
165 error = 0;
166 break;
167 }
168
169 fail:
170 reply = radius_msg_new(error ? RADIUS_CODE_DISCONNECT_NAK :
171 RADIUS_CODE_DISCONNECT_ACK, hdr->identifier);
172 if (reply == NULL)
173 return NULL;
174
175 if (error) {
176 if (!radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE,
177 error)) {
178 radius_msg_free(reply);
179 return NULL;
180 }
181 }
182
183 return reply;
184 }
185
186
radius_das_receive(int sock,void * eloop_ctx,void * sock_ctx)187 static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx)
188 {
189 struct radius_das_data *das = eloop_ctx;
190 u8 buf[1500];
191 union {
192 struct sockaddr_storage ss;
193 struct sockaddr_in sin;
194 #ifdef CONFIG_IPV6
195 struct sockaddr_in6 sin6;
196 #endif /* CONFIG_IPV6 */
197 } from;
198 char abuf[50];
199 int from_port = 0;
200 socklen_t fromlen;
201 int len;
202 struct radius_msg *msg, *reply = NULL;
203 struct radius_hdr *hdr;
204 struct wpabuf *rbuf;
205 u32 val;
206 int res;
207 struct os_time now;
208
209 fromlen = sizeof(from);
210 len = recvfrom(sock, buf, sizeof(buf), 0,
211 (struct sockaddr *) &from.ss, &fromlen);
212 if (len < 0) {
213 wpa_printf(MSG_ERROR, "DAS: recvfrom: %s", strerror(errno));
214 return;
215 }
216
217 os_strlcpy(abuf, inet_ntoa(from.sin.sin_addr), sizeof(abuf));
218 from_port = ntohs(from.sin.sin_port);
219
220 wpa_printf(MSG_DEBUG, "DAS: Received %d bytes from %s:%d",
221 len, abuf, from_port);
222 if (das->client_addr.u.v4.s_addr != from.sin.sin_addr.s_addr) {
223 wpa_printf(MSG_DEBUG, "DAS: Drop message from unknown client");
224 return;
225 }
226
227 msg = radius_msg_parse(buf, len);
228 if (msg == NULL) {
229 wpa_printf(MSG_DEBUG, "DAS: Parsing incoming RADIUS packet "
230 "from %s:%d failed", abuf, from_port);
231 return;
232 }
233
234 if (wpa_debug_level <= MSG_MSGDUMP)
235 radius_msg_dump(msg);
236
237 if (radius_msg_verify_das_req(msg, das->shared_secret,
238 das->shared_secret_len,
239 das->require_message_authenticator)) {
240 wpa_printf(MSG_DEBUG,
241 "DAS: Invalid authenticator or Message-Authenticator in packet from %s:%d - drop",
242 abuf, from_port);
243 goto fail;
244 }
245
246 os_get_time(&now);
247 res = radius_msg_get_attr(msg, RADIUS_ATTR_EVENT_TIMESTAMP,
248 (u8 *) &val, 4);
249 if (res == 4) {
250 u32 timestamp = ntohl(val);
251 if ((unsigned int) abs((int) (now.sec - timestamp)) >
252 das->time_window) {
253 wpa_printf(MSG_DEBUG, "DAS: Unacceptable "
254 "Event-Timestamp (%u; local time %u) in "
255 "packet from %s:%d - drop",
256 timestamp, (unsigned int) now.sec,
257 abuf, from_port);
258 goto fail;
259 }
260 } else if (das->require_event_timestamp) {
261 wpa_printf(MSG_DEBUG, "DAS: Missing Event-Timestamp in packet "
262 "from %s:%d - drop", abuf, from_port);
263 goto fail;
264 }
265
266 hdr = radius_msg_get_hdr(msg);
267
268 switch (hdr->code) {
269 case RADIUS_CODE_DISCONNECT_REQUEST:
270 reply = radius_das_disconnect(das, msg, abuf, from_port);
271 break;
272 case RADIUS_CODE_COA_REQUEST:
273 /* TODO */
274 reply = radius_msg_new(RADIUS_CODE_COA_NAK,
275 hdr->identifier);
276 if (reply == NULL)
277 break;
278
279 /* Unsupported Service */
280 if (!radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE,
281 405)) {
282 radius_msg_free(reply);
283 reply = NULL;
284 break;
285 }
286 break;
287 default:
288 wpa_printf(MSG_DEBUG, "DAS: Unexpected RADIUS code %u in "
289 "packet from %s:%d",
290 hdr->code, abuf, from_port);
291 }
292
293 if (reply) {
294 wpa_printf(MSG_DEBUG, "DAS: Reply to %s:%d", abuf, from_port);
295
296 if (!radius_msg_add_attr_int32(reply,
297 RADIUS_ATTR_EVENT_TIMESTAMP,
298 now.sec)) {
299 wpa_printf(MSG_DEBUG, "DAS: Failed to add "
300 "Event-Timestamp attribute");
301 }
302
303 if (radius_msg_finish_das_resp(reply, das->shared_secret,
304 das->shared_secret_len, hdr) <
305 0) {
306 wpa_printf(MSG_DEBUG, "DAS: Failed to add "
307 "Message-Authenticator attribute");
308 }
309
310 if (wpa_debug_level <= MSG_MSGDUMP)
311 radius_msg_dump(reply);
312
313 rbuf = radius_msg_get_buf(reply);
314 res = sendto(das->sock, wpabuf_head(rbuf),
315 wpabuf_len(rbuf), 0,
316 (struct sockaddr *) &from.ss, fromlen);
317 if (res < 0) {
318 wpa_printf(MSG_ERROR, "DAS: sendto(to %s:%d): %s",
319 abuf, from_port, strerror(errno));
320 }
321 }
322
323 fail:
324 radius_msg_free(msg);
325 radius_msg_free(reply);
326 }
327
328
radius_das_open_socket(int port)329 static int radius_das_open_socket(int port)
330 {
331 int s;
332 struct sockaddr_in addr;
333
334 s = socket(PF_INET, SOCK_DGRAM, 0);
335 if (s < 0) {
336 wpa_printf(MSG_INFO, "RADIUS DAS: socket: %s", strerror(errno));
337 return -1;
338 }
339
340 os_memset(&addr, 0, sizeof(addr));
341 addr.sin_family = AF_INET;
342 addr.sin_port = htons(port);
343 if (bind(s, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
344 wpa_printf(MSG_INFO, "RADIUS DAS: bind: %s", strerror(errno));
345 close(s);
346 return -1;
347 }
348
349 return s;
350 }
351
352
353 struct radius_das_data *
radius_das_init(struct radius_das_conf * conf)354 radius_das_init(struct radius_das_conf *conf)
355 {
356 struct radius_das_data *das;
357
358 if (conf->port == 0 || conf->shared_secret == NULL ||
359 conf->client_addr == NULL)
360 return NULL;
361
362 das = os_zalloc(sizeof(*das));
363 if (das == NULL)
364 return NULL;
365
366 das->time_window = conf->time_window;
367 das->require_event_timestamp = conf->require_event_timestamp;
368 das->require_message_authenticator =
369 conf->require_message_authenticator;
370 das->ctx = conf->ctx;
371 das->disconnect = conf->disconnect;
372
373 os_memcpy(&das->client_addr, conf->client_addr,
374 sizeof(das->client_addr));
375
376 das->shared_secret = os_malloc(conf->shared_secret_len);
377 if (das->shared_secret == NULL) {
378 radius_das_deinit(das);
379 return NULL;
380 }
381 os_memcpy(das->shared_secret, conf->shared_secret,
382 conf->shared_secret_len);
383 das->shared_secret_len = conf->shared_secret_len;
384
385 das->sock = radius_das_open_socket(conf->port);
386 if (das->sock < 0) {
387 wpa_printf(MSG_ERROR, "Failed to open UDP socket for RADIUS "
388 "DAS");
389 radius_das_deinit(das);
390 return NULL;
391 }
392
393 if (eloop_register_read_sock(das->sock, radius_das_receive, das, NULL))
394 {
395 radius_das_deinit(das);
396 return NULL;
397 }
398
399 return das;
400 }
401
402
radius_das_deinit(struct radius_das_data * das)403 void radius_das_deinit(struct radius_das_data *das)
404 {
405 if (das == NULL)
406 return;
407
408 if (das->sock >= 0) {
409 eloop_unregister_read_sock(das->sock);
410 close(das->sock);
411 }
412
413 os_free(das->shared_secret);
414 os_free(das);
415 }
416