1 /* 2 * RADIUS Dynamic Authorization Server (DAS) (RFC 5176) 3 * Copyright (c) 2012-2013, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 #include <net/if.h> 11 12 #include "utils/common.h" 13 #include "utils/eloop.h" 14 #include "utils/ip_addr.h" 15 #include "radius.h" 16 #include "radius_das.h" 17 18 19 struct radius_das_data { 20 int sock; 21 u8 *shared_secret; 22 size_t shared_secret_len; 23 struct hostapd_ip_addr client_addr; 24 unsigned int time_window; 25 int require_event_timestamp; 26 void *ctx; 27 enum radius_das_res (*disconnect)(void *ctx, 28 struct radius_das_attrs *attr); 29 }; 30 31 32 static struct radius_msg * radius_das_disconnect(struct radius_das_data *das, 33 struct radius_msg *msg, 34 const char *abuf, 35 int from_port) 36 { 37 struct radius_hdr *hdr; 38 struct radius_msg *reply; 39 u8 allowed[] = { 40 RADIUS_ATTR_USER_NAME, 41 RADIUS_ATTR_NAS_IP_ADDRESS, 42 RADIUS_ATTR_CALLING_STATION_ID, 43 RADIUS_ATTR_NAS_IDENTIFIER, 44 RADIUS_ATTR_ACCT_SESSION_ID, 45 RADIUS_ATTR_ACCT_MULTI_SESSION_ID, 46 RADIUS_ATTR_EVENT_TIMESTAMP, 47 RADIUS_ATTR_MESSAGE_AUTHENTICATOR, 48 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 49 #ifdef CONFIG_IPV6 50 RADIUS_ATTR_NAS_IPV6_ADDRESS, 51 #endif /* CONFIG_IPV6 */ 52 0 53 }; 54 int error = 405; 55 u8 attr; 56 enum radius_das_res res; 57 struct radius_das_attrs attrs; 58 u8 *buf; 59 size_t len; 60 char tmp[100]; 61 u8 sta_addr[ETH_ALEN]; 62 63 hdr = radius_msg_get_hdr(msg); 64 65 attr = radius_msg_find_unlisted_attr(msg, allowed); 66 if (attr) { 67 wpa_printf(MSG_INFO, "DAS: Unsupported attribute %u in " 68 "Disconnect-Request from %s:%d", attr, 69 abuf, from_port); 70 error = 401; 71 goto fail; 72 } 73 74 os_memset(&attrs, 0, sizeof(attrs)); 75 76 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, 77 &buf, &len, NULL) == 0) { 78 if (len != 4) { 79 wpa_printf(MSG_INFO, "DAS: Invalid NAS-IP-Address from %s:%d", 80 abuf, from_port); 81 error = 407; 82 goto fail; 83 } 84 attrs.nas_ip_addr = buf; 85 } 86 87 #ifdef CONFIG_IPV6 88 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, 89 &buf, &len, NULL) == 0) { 90 if (len != 16) { 91 wpa_printf(MSG_INFO, "DAS: Invalid NAS-IPv6-Address from %s:%d", 92 abuf, from_port); 93 error = 407; 94 goto fail; 95 } 96 attrs.nas_ipv6_addr = buf; 97 } 98 #endif /* CONFIG_IPV6 */ 99 100 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IDENTIFIER, 101 &buf, &len, NULL) == 0) { 102 attrs.nas_identifier = buf; 103 attrs.nas_identifier_len = len; 104 } 105 106 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CALLING_STATION_ID, 107 &buf, &len, NULL) == 0) { 108 if (len >= sizeof(tmp)) 109 len = sizeof(tmp) - 1; 110 os_memcpy(tmp, buf, len); 111 tmp[len] = '\0'; 112 if (hwaddr_aton2(tmp, sta_addr) < 0) { 113 wpa_printf(MSG_INFO, "DAS: Invalid Calling-Station-Id " 114 "'%s' from %s:%d", tmp, abuf, from_port); 115 error = 407; 116 goto fail; 117 } 118 attrs.sta_addr = sta_addr; 119 } 120 121 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, 122 &buf, &len, NULL) == 0) { 123 attrs.user_name = buf; 124 attrs.user_name_len = len; 125 } 126 127 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_ACCT_SESSION_ID, 128 &buf, &len, NULL) == 0) { 129 attrs.acct_session_id = buf; 130 attrs.acct_session_id_len = len; 131 } 132 133 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_ACCT_MULTI_SESSION_ID, 134 &buf, &len, NULL) == 0) { 135 attrs.acct_multi_session_id = buf; 136 attrs.acct_multi_session_id_len = len; 137 } 138 139 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 140 &buf, &len, NULL) == 0) { 141 attrs.cui = buf; 142 attrs.cui_len = len; 143 } 144 145 res = das->disconnect(das->ctx, &attrs); 146 switch (res) { 147 case RADIUS_DAS_NAS_MISMATCH: 148 wpa_printf(MSG_INFO, "DAS: NAS mismatch from %s:%d", 149 abuf, from_port); 150 error = 403; 151 break; 152 case RADIUS_DAS_SESSION_NOT_FOUND: 153 wpa_printf(MSG_INFO, "DAS: Session not found for request from " 154 "%s:%d", abuf, from_port); 155 error = 503; 156 break; 157 case RADIUS_DAS_MULTI_SESSION_MATCH: 158 wpa_printf(MSG_INFO, 159 "DAS: Multiple sessions match for request from %s:%d", 160 abuf, from_port); 161 error = 508; 162 break; 163 case RADIUS_DAS_SUCCESS: 164 error = 0; 165 break; 166 } 167 168 fail: 169 reply = radius_msg_new(error ? RADIUS_CODE_DISCONNECT_NAK : 170 RADIUS_CODE_DISCONNECT_ACK, hdr->identifier); 171 if (reply == NULL) 172 return NULL; 173 174 if (error) { 175 if (!radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE, 176 error)) { 177 radius_msg_free(reply); 178 return NULL; 179 } 180 } 181 182 return reply; 183 } 184 185 186 static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx) 187 { 188 struct radius_das_data *das = eloop_ctx; 189 u8 buf[1500]; 190 union { 191 struct sockaddr_storage ss; 192 struct sockaddr_in sin; 193 #ifdef CONFIG_IPV6 194 struct sockaddr_in6 sin6; 195 #endif /* CONFIG_IPV6 */ 196 } from; 197 char abuf[50]; 198 int from_port = 0; 199 socklen_t fromlen; 200 int len; 201 struct radius_msg *msg, *reply = NULL; 202 struct radius_hdr *hdr; 203 struct wpabuf *rbuf; 204 u32 val; 205 int res; 206 struct os_time now; 207 208 fromlen = sizeof(from); 209 len = recvfrom(sock, buf, sizeof(buf), 0, 210 (struct sockaddr *) &from.ss, &fromlen); 211 if (len < 0) { 212 wpa_printf(MSG_ERROR, "DAS: recvfrom: %s", strerror(errno)); 213 return; 214 } 215 216 os_strlcpy(abuf, inet_ntoa(from.sin.sin_addr), sizeof(abuf)); 217 from_port = ntohs(from.sin.sin_port); 218 219 wpa_printf(MSG_DEBUG, "DAS: Received %d bytes from %s:%d", 220 len, abuf, from_port); 221 if (das->client_addr.u.v4.s_addr != from.sin.sin_addr.s_addr) { 222 wpa_printf(MSG_DEBUG, "DAS: Drop message from unknown client"); 223 return; 224 } 225 226 msg = radius_msg_parse(buf, len); 227 if (msg == NULL) { 228 wpa_printf(MSG_DEBUG, "DAS: Parsing incoming RADIUS packet " 229 "from %s:%d failed", abuf, from_port); 230 return; 231 } 232 233 if (wpa_debug_level <= MSG_MSGDUMP) 234 radius_msg_dump(msg); 235 236 if (radius_msg_verify_das_req(msg, das->shared_secret, 237 das->shared_secret_len)) { 238 wpa_printf(MSG_DEBUG, "DAS: Invalid authenticator in packet " 239 "from %s:%d - drop", abuf, from_port); 240 goto fail; 241 } 242 243 os_get_time(&now); 244 res = radius_msg_get_attr(msg, RADIUS_ATTR_EVENT_TIMESTAMP, 245 (u8 *) &val, 4); 246 if (res == 4) { 247 u32 timestamp = ntohl(val); 248 if ((unsigned int) abs(now.sec - timestamp) > 249 das->time_window) { 250 wpa_printf(MSG_DEBUG, "DAS: Unacceptable " 251 "Event-Timestamp (%u; local time %u) in " 252 "packet from %s:%d - drop", 253 timestamp, (unsigned int) now.sec, 254 abuf, from_port); 255 goto fail; 256 } 257 } else if (das->require_event_timestamp) { 258 wpa_printf(MSG_DEBUG, "DAS: Missing Event-Timestamp in packet " 259 "from %s:%d - drop", abuf, from_port); 260 goto fail; 261 } 262 263 hdr = radius_msg_get_hdr(msg); 264 265 switch (hdr->code) { 266 case RADIUS_CODE_DISCONNECT_REQUEST: 267 reply = radius_das_disconnect(das, msg, abuf, from_port); 268 break; 269 case RADIUS_CODE_COA_REQUEST: 270 /* TODO */ 271 reply = radius_msg_new(RADIUS_CODE_COA_NAK, 272 hdr->identifier); 273 if (reply == NULL) 274 break; 275 276 /* Unsupported Service */ 277 if (!radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE, 278 405)) { 279 radius_msg_free(reply); 280 reply = NULL; 281 break; 282 } 283 break; 284 default: 285 wpa_printf(MSG_DEBUG, "DAS: Unexpected RADIUS code %u in " 286 "packet from %s:%d", 287 hdr->code, abuf, from_port); 288 } 289 290 if (reply) { 291 wpa_printf(MSG_DEBUG, "DAS: Reply to %s:%d", abuf, from_port); 292 293 if (!radius_msg_add_attr_int32(reply, 294 RADIUS_ATTR_EVENT_TIMESTAMP, 295 now.sec)) { 296 wpa_printf(MSG_DEBUG, "DAS: Failed to add " 297 "Event-Timestamp attribute"); 298 } 299 300 if (radius_msg_finish_das_resp(reply, das->shared_secret, 301 das->shared_secret_len, hdr) < 302 0) { 303 wpa_printf(MSG_DEBUG, "DAS: Failed to add " 304 "Message-Authenticator attribute"); 305 } 306 307 if (wpa_debug_level <= MSG_MSGDUMP) 308 radius_msg_dump(reply); 309 310 rbuf = radius_msg_get_buf(reply); 311 res = sendto(das->sock, wpabuf_head(rbuf), 312 wpabuf_len(rbuf), 0, 313 (struct sockaddr *) &from.ss, fromlen); 314 if (res < 0) { 315 wpa_printf(MSG_ERROR, "DAS: sendto(to %s:%d): %s", 316 abuf, from_port, strerror(errno)); 317 } 318 } 319 320 fail: 321 radius_msg_free(msg); 322 radius_msg_free(reply); 323 } 324 325 326 static int radius_das_open_socket(int port) 327 { 328 int s; 329 struct sockaddr_in addr; 330 331 s = socket(PF_INET, SOCK_DGRAM, 0); 332 if (s < 0) { 333 wpa_printf(MSG_INFO, "RADIUS DAS: socket: %s", strerror(errno)); 334 return -1; 335 } 336 337 os_memset(&addr, 0, sizeof(addr)); 338 addr.sin_family = AF_INET; 339 addr.sin_port = htons(port); 340 if (bind(s, (struct sockaddr *) &addr, sizeof(addr)) < 0) { 341 wpa_printf(MSG_INFO, "RADIUS DAS: bind: %s", strerror(errno)); 342 close(s); 343 return -1; 344 } 345 346 return s; 347 } 348 349 350 struct radius_das_data * 351 radius_das_init(struct radius_das_conf *conf) 352 { 353 struct radius_das_data *das; 354 355 if (conf->port == 0 || conf->shared_secret == NULL || 356 conf->client_addr == NULL) 357 return NULL; 358 359 das = os_zalloc(sizeof(*das)); 360 if (das == NULL) 361 return NULL; 362 363 das->time_window = conf->time_window; 364 das->require_event_timestamp = conf->require_event_timestamp; 365 das->ctx = conf->ctx; 366 das->disconnect = conf->disconnect; 367 368 os_memcpy(&das->client_addr, conf->client_addr, 369 sizeof(das->client_addr)); 370 371 das->shared_secret = os_malloc(conf->shared_secret_len); 372 if (das->shared_secret == NULL) { 373 radius_das_deinit(das); 374 return NULL; 375 } 376 os_memcpy(das->shared_secret, conf->shared_secret, 377 conf->shared_secret_len); 378 das->shared_secret_len = conf->shared_secret_len; 379 380 das->sock = radius_das_open_socket(conf->port); 381 if (das->sock < 0) { 382 wpa_printf(MSG_ERROR, "Failed to open UDP socket for RADIUS " 383 "DAS"); 384 radius_das_deinit(das); 385 return NULL; 386 } 387 388 if (eloop_register_read_sock(das->sock, radius_das_receive, das, NULL)) 389 { 390 radius_das_deinit(das); 391 return NULL; 392 } 393 394 return das; 395 } 396 397 398 void radius_das_deinit(struct radius_das_data *das) 399 { 400 if (das == NULL) 401 return; 402 403 if (das->sock >= 0) { 404 eloop_unregister_read_sock(das->sock); 405 close(das->sock); 406 } 407 408 os_free(das->shared_secret); 409 os_free(das); 410 } 411
