Home | History | Annotate | Download | only in radius
      1 /*
      2  * RADIUS Dynamic Authorization Server (DAS) (RFC 5176)
      3  * Copyright (c) 2012, Jouni Malinen <j (at) w1.fi>
      4  *
      5  * This software may be distributed under the terms of the BSD license.
      6  * See README for more details.
      7  */
      8 
      9 #include "includes.h"
     10 #include <net/if.h>
     11 
     12 #include "utils/common.h"
     13 #include "utils/eloop.h"
     14 #include "utils/ip_addr.h"
     15 #include "radius.h"
     16 #include "radius_das.h"
     17 
     18 
     19 extern int wpa_debug_level;
     20 
     21 
     22 struct radius_das_data {
     23 	int sock;
     24 	u8 *shared_secret;
     25 	size_t shared_secret_len;
     26 	struct hostapd_ip_addr client_addr;
     27 	unsigned int time_window;
     28 	int require_event_timestamp;
     29 	void *ctx;
     30 	enum radius_das_res (*disconnect)(void *ctx,
     31 					  struct radius_das_attrs *attr);
     32 };
     33 
     34 
     35 static struct radius_msg * radius_das_disconnect(struct radius_das_data *das,
     36 						 struct radius_msg *msg,
     37 						 const char *abuf,
     38 						 int from_port)
     39 {
     40 	struct radius_hdr *hdr;
     41 	struct radius_msg *reply;
     42 	u8 allowed[] = {
     43 		RADIUS_ATTR_USER_NAME,
     44 		RADIUS_ATTR_CALLING_STATION_ID,
     45 		RADIUS_ATTR_ACCT_SESSION_ID,
     46 		RADIUS_ATTR_EVENT_TIMESTAMP,
     47 		RADIUS_ATTR_MESSAGE_AUTHENTICATOR,
     48 		RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
     49 		0
     50 	};
     51 	int error = 405;
     52 	u8 attr;
     53 	enum radius_das_res res;
     54 	struct radius_das_attrs attrs;
     55 	u8 *buf;
     56 	size_t len;
     57 	char tmp[100];
     58 	u8 sta_addr[ETH_ALEN];
     59 
     60 	hdr = radius_msg_get_hdr(msg);
     61 
     62 	attr = radius_msg_find_unlisted_attr(msg, allowed);
     63 	if (attr) {
     64 		wpa_printf(MSG_INFO, "DAS: Unsupported attribute %u in "
     65 			   "Disconnect-Request from %s:%d", attr,
     66 			   abuf, from_port);
     67 		error = 401;
     68 		goto fail;
     69 	}
     70 
     71 	os_memset(&attrs, 0, sizeof(attrs));
     72 
     73 	if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CALLING_STATION_ID,
     74 				    &buf, &len, NULL) == 0) {
     75 		if (len >= sizeof(tmp))
     76 			len = sizeof(tmp) - 1;
     77 		os_memcpy(tmp, buf, len);
     78 		tmp[len] = '\0';
     79 		if (hwaddr_aton2(tmp, sta_addr) < 0) {
     80 			wpa_printf(MSG_INFO, "DAS: Invalid Calling-Station-Id "
     81 				   "'%s' from %s:%d", tmp, abuf, from_port);
     82 			error = 407;
     83 			goto fail;
     84 		}
     85 		attrs.sta_addr = sta_addr;
     86 	}
     87 
     88 	if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME,
     89 				    &buf, &len, NULL) == 0) {
     90 		attrs.user_name = buf;
     91 		attrs.user_name_len = len;
     92 	}
     93 
     94 	if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_ACCT_SESSION_ID,
     95 				    &buf, &len, NULL) == 0) {
     96 		attrs.acct_session_id = buf;
     97 		attrs.acct_session_id_len = len;
     98 	}
     99 
    100 	if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
    101 				    &buf, &len, NULL) == 0) {
    102 		attrs.cui = buf;
    103 		attrs.cui_len = len;
    104 	}
    105 
    106 	res = das->disconnect(das->ctx, &attrs);
    107 	switch (res) {
    108 	case RADIUS_DAS_NAS_MISMATCH:
    109 		wpa_printf(MSG_INFO, "DAS: NAS mismatch from %s:%d",
    110 			   abuf, from_port);
    111 		error = 403;
    112 		break;
    113 	case RADIUS_DAS_SESSION_NOT_FOUND:
    114 		wpa_printf(MSG_INFO, "DAS: Session not found for request from "
    115 			   "%s:%d", abuf, from_port);
    116 		error = 503;
    117 		break;
    118 	case RADIUS_DAS_SUCCESS:
    119 		error = 0;
    120 		break;
    121 	}
    122 
    123 fail:
    124 	reply = radius_msg_new(error ? RADIUS_CODE_DISCONNECT_NAK :
    125 			       RADIUS_CODE_DISCONNECT_ACK, hdr->identifier);
    126 	if (reply == NULL)
    127 		return NULL;
    128 
    129 	if (error) {
    130 		if (!radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE,
    131 					       error)) {
    132 			radius_msg_free(reply);
    133 			return NULL;
    134 		}
    135 	}
    136 
    137 	return reply;
    138 }
    139 
    140 
    141 static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx)
    142 {
    143 	struct radius_das_data *das = eloop_ctx;
    144 	u8 buf[1500];
    145 	union {
    146 		struct sockaddr_storage ss;
    147 		struct sockaddr_in sin;
    148 #ifdef CONFIG_IPV6
    149 		struct sockaddr_in6 sin6;
    150 #endif /* CONFIG_IPV6 */
    151 	} from;
    152 	char abuf[50];
    153 	int from_port = 0;
    154 	socklen_t fromlen;
    155 	int len;
    156 	struct radius_msg *msg, *reply = NULL;
    157 	struct radius_hdr *hdr;
    158 	struct wpabuf *rbuf;
    159 	u32 val;
    160 	int res;
    161 	struct os_time now;
    162 
    163 	fromlen = sizeof(from);
    164 	len = recvfrom(sock, buf, sizeof(buf), 0,
    165 		       (struct sockaddr *) &from.ss, &fromlen);
    166 	if (len < 0) {
    167 		wpa_printf(MSG_ERROR, "DAS: recvfrom: %s", strerror(errno));
    168 		return;
    169 	}
    170 
    171 	os_strlcpy(abuf, inet_ntoa(from.sin.sin_addr), sizeof(abuf));
    172 	from_port = ntohs(from.sin.sin_port);
    173 
    174 	wpa_printf(MSG_DEBUG, "DAS: Received %d bytes from %s:%d",
    175 		   len, abuf, from_port);
    176 	if (das->client_addr.u.v4.s_addr != from.sin.sin_addr.s_addr) {
    177 		wpa_printf(MSG_DEBUG, "DAS: Drop message from unknown client");
    178 		return;
    179 	}
    180 
    181 	msg = radius_msg_parse(buf, len);
    182 	if (msg == NULL) {
    183 		wpa_printf(MSG_DEBUG, "DAS: Parsing incoming RADIUS packet "
    184 			   "from %s:%d failed", abuf, from_port);
    185 		return;
    186 	}
    187 
    188 	if (wpa_debug_level <= MSG_MSGDUMP)
    189 		radius_msg_dump(msg);
    190 
    191 	if (radius_msg_verify_das_req(msg, das->shared_secret,
    192 				       das->shared_secret_len)) {
    193 		wpa_printf(MSG_DEBUG, "DAS: Invalid authenticator in packet "
    194 			   "from %s:%d - drop", abuf, from_port);
    195 		goto fail;
    196 	}
    197 
    198 	os_get_time(&now);
    199 	res = radius_msg_get_attr(msg, RADIUS_ATTR_EVENT_TIMESTAMP,
    200 				  (u8 *) &val, 4);
    201 	if (res == 4) {
    202 		u32 timestamp = ntohl(val);
    203 		if (abs(now.sec - timestamp) > das->time_window) {
    204 			wpa_printf(MSG_DEBUG, "DAS: Unacceptable "
    205 				   "Event-Timestamp (%u; local time %u) in "
    206 				   "packet from %s:%d - drop",
    207 				   timestamp, (unsigned int) now.sec,
    208 				   abuf, from_port);
    209 			goto fail;
    210 		}
    211 	} else if (das->require_event_timestamp) {
    212 		wpa_printf(MSG_DEBUG, "DAS: Missing Event-Timestamp in packet "
    213 			   "from %s:%d - drop", abuf, from_port);
    214 		goto fail;
    215 	}
    216 
    217 	hdr = radius_msg_get_hdr(msg);
    218 
    219 	switch (hdr->code) {
    220 	case RADIUS_CODE_DISCONNECT_REQUEST:
    221 		reply = radius_das_disconnect(das, msg, abuf, from_port);
    222 		break;
    223 	case RADIUS_CODE_COA_REQUEST:
    224 		/* TODO */
    225 		reply = radius_msg_new(RADIUS_CODE_COA_NAK,
    226 				       hdr->identifier);
    227 		if (reply == NULL)
    228 			break;
    229 
    230 		/* Unsupported Service */
    231 		if (!radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE,
    232 					       405)) {
    233 			radius_msg_free(reply);
    234 			reply = NULL;
    235 			break;
    236 		}
    237 		break;
    238 	default:
    239 		wpa_printf(MSG_DEBUG, "DAS: Unexpected RADIUS code %u in "
    240 			   "packet from %s:%d",
    241 			   hdr->code, abuf, from_port);
    242 	}
    243 
    244 	if (reply) {
    245 		wpa_printf(MSG_DEBUG, "DAS: Reply to %s:%d", abuf, from_port);
    246 
    247 		if (!radius_msg_add_attr_int32(reply,
    248 					       RADIUS_ATTR_EVENT_TIMESTAMP,
    249 					       now.sec)) {
    250 			wpa_printf(MSG_DEBUG, "DAS: Failed to add "
    251 				   "Event-Timestamp attribute");
    252 		}
    253 
    254 		if (radius_msg_finish_das_resp(reply, das->shared_secret,
    255 					       das->shared_secret_len, hdr) <
    256 		    0) {
    257 			wpa_printf(MSG_DEBUG, "DAS: Failed to add "
    258 				   "Message-Authenticator attribute");
    259 		}
    260 
    261 		if (wpa_debug_level <= MSG_MSGDUMP)
    262 			radius_msg_dump(reply);
    263 
    264 		rbuf = radius_msg_get_buf(reply);
    265 		res = sendto(das->sock, wpabuf_head(rbuf),
    266 			     wpabuf_len(rbuf), 0,
    267 			     (struct sockaddr *) &from.ss, fromlen);
    268 		if (res < 0) {
    269 			wpa_printf(MSG_ERROR, "DAS: sendto(to %s:%d): %s",
    270 				   abuf, from_port, strerror(errno));
    271 		}
    272 	}
    273 
    274 fail:
    275 	radius_msg_free(msg);
    276 	radius_msg_free(reply);
    277 }
    278 
    279 
    280 static int radius_das_open_socket(int port)
    281 {
    282 	int s;
    283 	struct sockaddr_in addr;
    284 
    285 	s = socket(PF_INET, SOCK_DGRAM, 0);
    286 	if (s < 0) {
    287 		perror("socket");
    288 		return -1;
    289 	}
    290 
    291 	os_memset(&addr, 0, sizeof(addr));
    292 	addr.sin_family = AF_INET;
    293 	addr.sin_port = htons(port);
    294 	if (bind(s, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
    295 		perror("bind");
    296 		close(s);
    297 		return -1;
    298 	}
    299 
    300 	return s;
    301 }
    302 
    303 
    304 struct radius_das_data *
    305 radius_das_init(struct radius_das_conf *conf)
    306 {
    307 	struct radius_das_data *das;
    308 
    309 	if (conf->port == 0 || conf->shared_secret == NULL ||
    310 	    conf->client_addr == NULL)
    311 		return NULL;
    312 
    313 	das = os_zalloc(sizeof(*das));
    314 	if (das == NULL)
    315 		return NULL;
    316 
    317 	das->time_window = conf->time_window;
    318 	das->require_event_timestamp = conf->require_event_timestamp;
    319 	das->ctx = conf->ctx;
    320 	das->disconnect = conf->disconnect;
    321 
    322 	os_memcpy(&das->client_addr, conf->client_addr,
    323 		  sizeof(das->client_addr));
    324 
    325 	das->shared_secret = os_malloc(conf->shared_secret_len);
    326 	if (das->shared_secret == NULL) {
    327 		radius_das_deinit(das);
    328 		return NULL;
    329 	}
    330 	os_memcpy(das->shared_secret, conf->shared_secret,
    331 		  conf->shared_secret_len);
    332 	das->shared_secret_len = conf->shared_secret_len;
    333 
    334 	das->sock = radius_das_open_socket(conf->port);
    335 	if (das->sock < 0) {
    336 		wpa_printf(MSG_ERROR, "Failed to open UDP socket for RADIUS "
    337 			   "DAS");
    338 		radius_das_deinit(das);
    339 		return NULL;
    340 	}
    341 
    342 	if (eloop_register_read_sock(das->sock, radius_das_receive, das, NULL))
    343 	{
    344 		radius_das_deinit(das);
    345 		return NULL;
    346 	}
    347 
    348 	return das;
    349 }
    350 
    351 
    352 void radius_das_deinit(struct radius_das_data *das)
    353 {
    354 	if (das == NULL)
    355 		return;
    356 
    357 	if (das->sock >= 0) {
    358 		eloop_unregister_read_sock(das->sock);
    359 		close(das->sock);
    360 	}
    361 
    362 	os_free(das->shared_secret);
    363 	os_free(das);
    364 }
    365