src/radius/radius_client.c

39beb93cSSam Leffler/*
e28a4053SRui Paulo * RADIUS client
*a90b9d01SCy Schubert * Copyright (c) 2002-2024, Jouni Malinen <j@w1.fi>
39beb93cSSam Leffler *
f05cddf9SRui Paulo * This software may be distributed under the terms of the BSD license.
f05cddf9SRui Paulo * See README for more details.
39beb93cSSam Leffler */
39beb93cSSam Leffler
39beb93cSSam Leffler#include "includes.h"
*a90b9d01SCy Schubert#include <fcntl.h>
c1d255d3SCy Schubert#include <net/if.h>
39beb93cSSam Leffler
39beb93cSSam Leffler#include "common.h"
*a90b9d01SCy Schubert#include "eloop.h"
*a90b9d01SCy Schubert#include "crypto/tls.h"
39beb93cSSam Leffler#include "radius.h"
39beb93cSSam Leffler#include "radius_client.h"
39beb93cSSam Leffler
39beb93cSSam Leffler/* Defaults for RADIUS retransmit values (exponential backoff) */
e28a4053SRui Paulo
e28a4053SRui Paulo/**
e28a4053SRui Paulo * RADIUS_CLIENT_FIRST_WAIT - RADIUS client timeout for first retry in seconds
e28a4053SRui Paulo */
e28a4053SRui Paulo#define RADIUS_CLIENT_FIRST_WAIT 3
e28a4053SRui Paulo
e28a4053SRui Paulo/**
e28a4053SRui Paulo * RADIUS_CLIENT_MAX_WAIT - RADIUS client maximum retry timeout in seconds
e28a4053SRui Paulo */
e28a4053SRui Paulo#define RADIUS_CLIENT_MAX_WAIT 120
e28a4053SRui Paulo
e28a4053SRui Paulo/**
4bc52338SCy Schubert * RADIUS_CLIENT_MAX_FAILOVER - RADIUS client maximum retries
e28a4053SRui Paulo *
4bc52338SCy Schubert * Maximum number of server failovers before the entry is removed from
e28a4053SRui Paulo * retransmit list.
e28a4053SRui Paulo */
4bc52338SCy Schubert#define RADIUS_CLIENT_MAX_FAILOVER 3
e28a4053SRui Paulo
e28a4053SRui Paulo/**
e28a4053SRui Paulo * RADIUS_CLIENT_MAX_ENTRIES - RADIUS client maximum pending messages
e28a4053SRui Paulo *
e28a4053SRui Paulo * Maximum number of entries in retransmit list (oldest entries will be
e28a4053SRui Paulo * removed, if this limit is exceeded).
e28a4053SRui Paulo */
e28a4053SRui Paulo#define RADIUS_CLIENT_MAX_ENTRIES 30
e28a4053SRui Paulo
e28a4053SRui Paulo/**
e28a4053SRui Paulo * RADIUS_CLIENT_NUM_FAILOVER - RADIUS client failover point
e28a4053SRui Paulo *
e28a4053SRui Paulo * The number of failed retry attempts after which the RADIUS server will be
e28a4053SRui Paulo * changed (if one of more backup servers are configured).
e28a4053SRui Paulo */
e28a4053SRui Paulo#define RADIUS_CLIENT_NUM_FAILOVER 4
39beb93cSSam Leffler
39beb93cSSam Leffler
e28a4053SRui Paulo/**
e28a4053SRui Paulo * struct radius_rx_handler - RADIUS client RX handler
e28a4053SRui Paulo *
e28a4053SRui Paulo * This data structure is used internally inside the RADIUS client module to
e28a4053SRui Paulo * store registered RX handlers. These handlers are registered by calls to
e28a4053SRui Paulo * radius_client_register() and unregistered when the RADIUS client is
e28a4053SRui Paulo * deinitialized with a call to radius_client_deinit().
e28a4053SRui Paulo */
39beb93cSSam Lefflerstruct radius_rx_handler {
e28a4053SRui Paulo	/**
e28a4053SRui Paulo	 * handler - Received RADIUS message handler
e28a4053SRui Paulo	 */
39beb93cSSam Leffler	RadiusRxResult (*handler)(struct radius_msg *msg,
39beb93cSSam Leffler				  struct radius_msg *req,
39beb93cSSam Leffler				  const u8 *shared_secret,
39beb93cSSam Leffler				  size_t shared_secret_len,
39beb93cSSam Leffler				  void *data);
e28a4053SRui Paulo
e28a4053SRui Paulo	/**
e28a4053SRui Paulo	 * data - Context data for the handler
e28a4053SRui Paulo	 */
39beb93cSSam Leffler	void *data;
39beb93cSSam Leffler};
39beb93cSSam Leffler
39beb93cSSam Leffler
e28a4053SRui Paulo/**
e28a4053SRui Paulo * struct radius_msg_list - RADIUS client message retransmit list
e28a4053SRui Paulo *
e28a4053SRui Paulo * This data structure is used internally inside the RADIUS client module to
e28a4053SRui Paulo * store pending RADIUS requests that may still need to be retransmitted.
e28a4053SRui Paulo */
39beb93cSSam Lefflerstruct radius_msg_list {
e28a4053SRui Paulo	/**
e28a4053SRui Paulo	 * addr - STA/client address
e28a4053SRui Paulo	 *
e28a4053SRui Paulo	 * This is used to find RADIUS messages for the same STA.
e28a4053SRui Paulo	 */
e28a4053SRui Paulo	u8 addr[ETH_ALEN];
e28a4053SRui Paulo
e28a4053SRui Paulo	/**
e28a4053SRui Paulo	 * msg - RADIUS message
e28a4053SRui Paulo	 */
39beb93cSSam Leffler	struct radius_msg *msg;
e28a4053SRui Paulo
e28a4053SRui Paulo	/**
e28a4053SRui Paulo	 * msg_type - Message type
e28a4053SRui Paulo	 */
39beb93cSSam Leffler	RadiusType msg_type;
e28a4053SRui Paulo
e28a4053SRui Paulo	/**
e28a4053SRui Paulo	 * first_try - Time of the first transmission attempt
e28a4053SRui Paulo	 */
39beb93cSSam Leffler	os_time_t first_try;
e28a4053SRui Paulo
e28a4053SRui Paulo	/**
e28a4053SRui Paulo	 * next_try - Time for the next transmission attempt
e28a4053SRui Paulo	 */
39beb93cSSam Leffler	os_time_t next_try;
e28a4053SRui Paulo
e28a4053SRui Paulo	/**
4bc52338SCy Schubert	 * attempts - Number of transmission attempts for one server
e28a4053SRui Paulo	 */
39beb93cSSam Leffler	int attempts;
e28a4053SRui Paulo
e28a4053SRui Paulo	/**
4bc52338SCy Schubert	 * accu_attempts - Number of accumulated attempts
4bc52338SCy Schubert	 */
4bc52338SCy Schubert	int accu_attempts;
4bc52338SCy Schubert
4bc52338SCy Schubert	/**
e28a4053SRui Paulo	 * next_wait - Next retransmission wait time in seconds
e28a4053SRui Paulo	 */
39beb93cSSam Leffler	int next_wait;
e28a4053SRui Paulo
e28a4053SRui Paulo	/**
e28a4053SRui Paulo	 * last_attempt - Time of the last transmission attempt
e28a4053SRui Paulo	 */
5b9c547cSRui Paulo	struct os_reltime last_attempt;
39beb93cSSam Leffler
e28a4053SRui Paulo	/**
e28a4053SRui Paulo	 * shared_secret - Shared secret with the target RADIUS server
e28a4053SRui Paulo	 */
e28a4053SRui Paulo	const u8 *shared_secret;
e28a4053SRui Paulo
e28a4053SRui Paulo	/**
e28a4053SRui Paulo	 * shared_secret_len - shared_secret length in octets
e28a4053SRui Paulo	 */
39beb93cSSam Leffler	size_t shared_secret_len;
39beb93cSSam Leffler
39beb93cSSam Leffler	/* TODO: server config with failover to backup server(s) */
39beb93cSSam Leffler
e28a4053SRui Paulo	/**
e28a4053SRui Paulo	 * next - Next message in the list
e28a4053SRui Paulo	 */
39beb93cSSam Leffler	struct radius_msg_list *next;
39beb93cSSam Leffler};
39beb93cSSam Leffler
39beb93cSSam Leffler
e28a4053SRui Paulo/**
e28a4053SRui Paulo * struct radius_client_data - Internal RADIUS client data
e28a4053SRui Paulo *
e28a4053SRui Paulo * This data structure is used internally inside the RADIUS client module.
e28a4053SRui Paulo * External users allocate this by calling radius_client_init() and free it by
e28a4053SRui Paulo * calling radius_client_deinit(). The pointer to this opaque data is used in
e28a4053SRui Paulo * calls to other functions as an identifier for the RADIUS client instance.
e28a4053SRui Paulo */
39beb93cSSam Lefflerstruct radius_client_data {
e28a4053SRui Paulo	/**
e28a4053SRui Paulo	 * ctx - Context pointer for hostapd_logger() callbacks
e28a4053SRui Paulo	 */
39beb93cSSam Leffler	void *ctx;
e28a4053SRui Paulo
e28a4053SRui Paulo	/**
e28a4053SRui Paulo	 * conf - RADIUS client configuration (list of RADIUS servers to use)
e28a4053SRui Paulo	 */
39beb93cSSam Leffler	struct hostapd_radius_servers *conf;
39beb93cSSam Leffler
e28a4053SRui Paulo	/**
e28a4053SRui Paulo	 * auth_sock - Currently used socket for RADIUS authentication server
e28a4053SRui Paulo	 */
e28a4053SRui Paulo	int auth_sock;
e28a4053SRui Paulo
e28a4053SRui Paulo	/**
*a90b9d01SCy Schubert	 * auth_tls - Whether current authentication connection uses TLS
*a90b9d01SCy Schubert	 */
*a90b9d01SCy Schubert	bool auth_tls;
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	/**
*a90b9d01SCy Schubert	 * auth_tls_ready - Whether authentication TLS is ready
*a90b9d01SCy Schubert	 */
*a90b9d01SCy Schubert	bool auth_tls_ready;
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	/**
e28a4053SRui Paulo	 * acct_sock - Currently used socket for RADIUS accounting server
e28a4053SRui Paulo	 */
e28a4053SRui Paulo	int acct_sock;
e28a4053SRui Paulo
e28a4053SRui Paulo	/**
*a90b9d01SCy Schubert	 * acct_tls - Whether current accounting connection uses TLS
*a90b9d01SCy Schubert	 */
*a90b9d01SCy Schubert	bool acct_tls;
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	/**
*a90b9d01SCy Schubert	 * acct_tls_ready - Whether accounting TLS is ready
*a90b9d01SCy Schubert	 */
*a90b9d01SCy Schubert	bool acct_tls_ready;
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	/**
e28a4053SRui Paulo	 * auth_handlers - Authentication message handlers
e28a4053SRui Paulo	 */
39beb93cSSam Leffler	struct radius_rx_handler *auth_handlers;
e28a4053SRui Paulo
e28a4053SRui Paulo	/**
e28a4053SRui Paulo	 * num_auth_handlers - Number of handlers in auth_handlers
e28a4053SRui Paulo	 */
39beb93cSSam Leffler	size_t num_auth_handlers;
e28a4053SRui Paulo
e28a4053SRui Paulo	/**
e28a4053SRui Paulo	 * acct_handlers - Accounting message handlers
e28a4053SRui Paulo	 */
39beb93cSSam Leffler	struct radius_rx_handler *acct_handlers;
e28a4053SRui Paulo
e28a4053SRui Paulo	/**
e28a4053SRui Paulo	 * num_acct_handlers - Number of handlers in acct_handlers
e28a4053SRui Paulo	 */
39beb93cSSam Leffler	size_t num_acct_handlers;
39beb93cSSam Leffler
e28a4053SRui Paulo	/**
e28a4053SRui Paulo	 * msgs - Pending outgoing RADIUS messages
e28a4053SRui Paulo	 */
39beb93cSSam Leffler	struct radius_msg_list *msgs;
e28a4053SRui Paulo
e28a4053SRui Paulo	/**
e28a4053SRui Paulo	 * num_msgs - Number of pending messages in the msgs list
e28a4053SRui Paulo	 */
39beb93cSSam Leffler	size_t num_msgs;
39beb93cSSam Leffler
e28a4053SRui Paulo	/**
e28a4053SRui Paulo	 * next_radius_identifier - Next RADIUS message identifier to use
e28a4053SRui Paulo	 */
39beb93cSSam Leffler	u8 next_radius_identifier;
780fb4a2SCy Schubert
780fb4a2SCy Schubert	/**
780fb4a2SCy Schubert	 * interim_error_cb - Interim accounting error callback
780fb4a2SCy Schubert	 */
780fb4a2SCy Schubert	void (*interim_error_cb)(const u8 *addr, void *ctx);
780fb4a2SCy Schubert
780fb4a2SCy Schubert	/**
780fb4a2SCy Schubert	 * interim_error_cb_ctx - interim_error_cb() context data
780fb4a2SCy Schubert	 */
780fb4a2SCy Schubert	void *interim_error_cb_ctx;
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubert	void *tls_ctx;
*a90b9d01SCy Schubert	struct tls_connection *auth_tls_conn;
*a90b9d01SCy Schubert	struct tls_connection *acct_tls_conn;
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
39beb93cSSam Leffler};
39beb93cSSam Leffler
39beb93cSSam Leffler
39beb93cSSam Lefflerstatic int
39beb93cSSam Lefflerradius_change_server(struct radius_client_data *radius,
39beb93cSSam Leffler		     struct hostapd_radius_server *nserv,
39beb93cSSam Leffler		     struct hostapd_radius_server *oserv,
*a90b9d01SCy Schubert		     int auth);
39beb93cSSam Lefflerstatic int radius_client_init_acct(struct radius_client_data *radius);
39beb93cSSam Lefflerstatic int radius_client_init_auth(struct radius_client_data *radius);
5b9c547cSRui Paulostatic void radius_client_auth_failover(struct radius_client_data *radius);
5b9c547cSRui Paulostatic void radius_client_acct_failover(struct radius_client_data *radius);
39beb93cSSam Leffler
39beb93cSSam Leffler
39beb93cSSam Lefflerstatic void radius_client_msg_free(struct radius_msg_list *req)
39beb93cSSam Leffler{
39beb93cSSam Leffler	radius_msg_free(req->msg);
39beb93cSSam Leffler	os_free(req);
39beb93cSSam Leffler}
39beb93cSSam Leffler
39beb93cSSam Leffler
e28a4053SRui Paulo/**
e28a4053SRui Paulo * radius_client_register - Register a RADIUS client RX handler
e28a4053SRui Paulo * @radius: RADIUS client context from radius_client_init()
e28a4053SRui Paulo * @msg_type: RADIUS client type (RADIUS_AUTH or RADIUS_ACCT)
e28a4053SRui Paulo * @handler: Handler for received RADIUS messages
e28a4053SRui Paulo * @data: Context pointer for handler callbacks
e28a4053SRui Paulo * Returns: 0 on success, -1 on failure
e28a4053SRui Paulo *
e28a4053SRui Paulo * This function is used to register a handler for processing received RADIUS
e28a4053SRui Paulo * authentication and accounting messages. The handler() callback function will
e28a4053SRui Paulo * be called whenever a RADIUS message is received from the active server.
e28a4053SRui Paulo *
e28a4053SRui Paulo * There can be multiple registered RADIUS message handlers. The handlers will
e28a4053SRui Paulo * be called in order until one of them indicates that it has processed or
e28a4053SRui Paulo * queued the message.
e28a4053SRui Paulo */
39beb93cSSam Lefflerint radius_client_register(struct radius_client_data *radius,
39beb93cSSam Leffler			   RadiusType msg_type,
39beb93cSSam Leffler			   RadiusRxResult (*handler)(struct radius_msg *msg,
39beb93cSSam Leffler						     struct radius_msg *req,
39beb93cSSam Leffler						     const u8 *shared_secret,
39beb93cSSam Leffler						     size_t shared_secret_len,
39beb93cSSam Leffler						     void *data),
39beb93cSSam Leffler			   void *data)
39beb93cSSam Leffler{
39beb93cSSam Leffler	struct radius_rx_handler **handlers, *newh;
39beb93cSSam Leffler	size_t *num;
39beb93cSSam Leffler
39beb93cSSam Leffler	if (msg_type == RADIUS_ACCT) {
39beb93cSSam Leffler		handlers = &radius->acct_handlers;
39beb93cSSam Leffler		num = &radius->num_acct_handlers;
39beb93cSSam Leffler	} else {
39beb93cSSam Leffler		handlers = &radius->auth_handlers;
39beb93cSSam Leffler		num = &radius->num_auth_handlers;
39beb93cSSam Leffler	}
39beb93cSSam Leffler
f05cddf9SRui Paulo	newh = os_realloc_array(*handlers, *num + 1,
f05cddf9SRui Paulo				sizeof(struct radius_rx_handler));
39beb93cSSam Leffler	if (newh == NULL)
39beb93cSSam Leffler		return -1;
39beb93cSSam Leffler
39beb93cSSam Leffler	newh[*num].handler = handler;
39beb93cSSam Leffler	newh[*num].data = data;
39beb93cSSam Leffler	(*num)++;
39beb93cSSam Leffler	*handlers = newh;
39beb93cSSam Leffler
39beb93cSSam Leffler	return 0;
39beb93cSSam Leffler}
39beb93cSSam Leffler
39beb93cSSam Leffler
780fb4a2SCy Schubert/**
780fb4a2SCy Schubert * radius_client_set_interim_erro_cb - Register an interim acct error callback
780fb4a2SCy Schubert * @radius: RADIUS client context from radius_client_init()
780fb4a2SCy Schubert * @addr: Station address from the failed message
780fb4a2SCy Schubert * @cb: Handler for interim accounting errors
780fb4a2SCy Schubert * @ctx: Context pointer for handler callbacks
780fb4a2SCy Schubert *
780fb4a2SCy Schubert * This function is used to register a handler for processing failed
780fb4a2SCy Schubert * transmission attempts of interim accounting update messages.
780fb4a2SCy Schubert */
780fb4a2SCy Schubertvoid radius_client_set_interim_error_cb(struct radius_client_data *radius,
780fb4a2SCy Schubert					void (*cb)(const u8 *addr, void *ctx),
780fb4a2SCy Schubert					void *ctx)
780fb4a2SCy Schubert{
780fb4a2SCy Schubert	radius->interim_error_cb = cb;
780fb4a2SCy Schubert	radius->interim_error_cb_ctx = ctx;
780fb4a2SCy Schubert}
780fb4a2SCy Schubert
780fb4a2SCy Schubert
5b9c547cSRui Paulo/*
5b9c547cSRui Paulo * Returns >0 if message queue was flushed (i.e., the message that triggered
5b9c547cSRui Paulo * the error is not available anymore)
5b9c547cSRui Paulo */
5b9c547cSRui Paulostatic int radius_client_handle_send_error(struct radius_client_data *radius,
39beb93cSSam Leffler					   int s, RadiusType msg_type)
39beb93cSSam Leffler{
39beb93cSSam Leffler#ifndef CONFIG_NATIVE_WINDOWS
39beb93cSSam Leffler	int _errno = errno;
5b9c547cSRui Paulo	wpa_printf(MSG_INFO, "send[RADIUS,s=%d]: %s", s, strerror(errno));
39beb93cSSam Leffler	if (_errno == ENOTCONN || _errno == EDESTADDRREQ || _errno == EINVAL ||
780fb4a2SCy Schubert	    _errno == EBADF || _errno == ENETUNREACH || _errno == EACCES) {
39beb93cSSam Leffler		hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
39beb93cSSam Leffler			       HOSTAPD_LEVEL_INFO,
39beb93cSSam Leffler			       "Send failed - maybe interface status changed -"
39beb93cSSam Leffler			       " try to connect again");
5b9c547cSRui Paulo		if (msg_type == RADIUS_ACCT ||
5b9c547cSRui Paulo		    msg_type == RADIUS_ACCT_INTERIM) {
39beb93cSSam Leffler			radius_client_init_acct(radius);
5b9c547cSRui Paulo			return 0;
5b9c547cSRui Paulo		} else {
39beb93cSSam Leffler			radius_client_init_auth(radius);
5b9c547cSRui Paulo			return 1;
5b9c547cSRui Paulo		}
39beb93cSSam Leffler	}
39beb93cSSam Leffler#endif /* CONFIG_NATIVE_WINDOWS */
5b9c547cSRui Paulo
5b9c547cSRui Paulo	return 0;
39beb93cSSam Leffler}
39beb93cSSam Leffler
39beb93cSSam Leffler
39beb93cSSam Lefflerstatic int radius_client_retransmit(struct radius_client_data *radius,
39beb93cSSam Leffler				    struct radius_msg_list *entry,
39beb93cSSam Leffler				    os_time_t now)
39beb93cSSam Leffler{
39beb93cSSam Leffler	struct hostapd_radius_servers *conf = radius->conf;
39beb93cSSam Leffler	int s;
e28a4053SRui Paulo	struct wpabuf *buf;
5b9c547cSRui Paulo	size_t prev_num_msgs;
780fb4a2SCy Schubert	u8 *acct_delay_time;
780fb4a2SCy Schubert	size_t acct_delay_time_len;
4bc52338SCy Schubert	int num_servers;
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubert	struct wpabuf *out = NULL;
*a90b9d01SCy Schubert	struct tls_connection *conn = NULL;
*a90b9d01SCy Schubert	bool acct = false;
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
39beb93cSSam Leffler
39beb93cSSam Leffler	if (entry->msg_type == RADIUS_ACCT ||
39beb93cSSam Leffler	    entry->msg_type == RADIUS_ACCT_INTERIM) {
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubert		acct = true;
*a90b9d01SCy Schubert		if (radius->acct_tls)
*a90b9d01SCy Schubert			conn = radius->acct_tls_conn;
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
4bc52338SCy Schubert		num_servers = conf->num_acct_servers;
5b9c547cSRui Paulo		if (radius->acct_sock < 0)
5b9c547cSRui Paulo			radius_client_init_acct(radius);
5b9c547cSRui Paulo		if (radius->acct_sock < 0 && conf->num_acct_servers > 1) {
5b9c547cSRui Paulo			prev_num_msgs = radius->num_msgs;
5b9c547cSRui Paulo			radius_client_acct_failover(radius);
5b9c547cSRui Paulo			if (prev_num_msgs != radius->num_msgs)
5b9c547cSRui Paulo				return 0;
5b9c547cSRui Paulo		}
39beb93cSSam Leffler		s = radius->acct_sock;
39beb93cSSam Leffler		if (entry->attempts == 0)
39beb93cSSam Leffler			conf->acct_server->requests++;
39beb93cSSam Leffler		else {
39beb93cSSam Leffler			conf->acct_server->timeouts++;
39beb93cSSam Leffler			conf->acct_server->retransmissions++;
39beb93cSSam Leffler		}
39beb93cSSam Leffler	} else {
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubert		if (radius->auth_tls)
*a90b9d01SCy Schubert			conn = radius->auth_tls_conn;
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
4bc52338SCy Schubert		num_servers = conf->num_auth_servers;
5b9c547cSRui Paulo		if (radius->auth_sock < 0)
5b9c547cSRui Paulo			radius_client_init_auth(radius);
5b9c547cSRui Paulo		if (radius->auth_sock < 0 && conf->num_auth_servers > 1) {
5b9c547cSRui Paulo			prev_num_msgs = radius->num_msgs;
5b9c547cSRui Paulo			radius_client_auth_failover(radius);
5b9c547cSRui Paulo			if (prev_num_msgs != radius->num_msgs)
5b9c547cSRui Paulo				return 0;
5b9c547cSRui Paulo		}
39beb93cSSam Leffler		s = radius->auth_sock;
39beb93cSSam Leffler		if (entry->attempts == 0)
39beb93cSSam Leffler			conf->auth_server->requests++;
39beb93cSSam Leffler		else {
39beb93cSSam Leffler			conf->auth_server->timeouts++;
39beb93cSSam Leffler			conf->auth_server->retransmissions++;
39beb93cSSam Leffler		}
39beb93cSSam Leffler	}
780fb4a2SCy Schubert
780fb4a2SCy Schubert	if (entry->msg_type == RADIUS_ACCT_INTERIM) {
780fb4a2SCy Schubert		wpa_printf(MSG_DEBUG,
780fb4a2SCy Schubert			   "RADIUS: Failed to transmit interim accounting update to "
780fb4a2SCy Schubert			   MACSTR " - drop message and request a new update",
780fb4a2SCy Schubert			   MAC2STR(entry->addr));
780fb4a2SCy Schubert		if (radius->interim_error_cb)
780fb4a2SCy Schubert			radius->interim_error_cb(entry->addr,
780fb4a2SCy Schubert						 radius->interim_error_cb_ctx);
780fb4a2SCy Schubert		return 1;
780fb4a2SCy Schubert	}
780fb4a2SCy Schubert
5b9c547cSRui Paulo	if (s < 0) {
5b9c547cSRui Paulo		wpa_printf(MSG_INFO,
5b9c547cSRui Paulo			   "RADIUS: No valid socket for retransmission");
5b9c547cSRui Paulo		return 1;
5b9c547cSRui Paulo	}
39beb93cSSam Leffler
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubert	if ((acct && radius->acct_tls && !radius->acct_tls_ready) ||
*a90b9d01SCy Schubert	    (!acct && radius->auth_tls && !radius->auth_tls_ready)) {
*a90b9d01SCy Schubert		wpa_printf(MSG_DEBUG,
*a90b9d01SCy Schubert			   "RADIUS: TLS connection not yet ready for TX");
*a90b9d01SCy Schubert		goto not_ready;
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
*a90b9d01SCy Schubert
780fb4a2SCy Schubert	if (entry->msg_type == RADIUS_ACCT &&
780fb4a2SCy Schubert	    radius_msg_get_attr_ptr(entry->msg, RADIUS_ATTR_ACCT_DELAY_TIME,
780fb4a2SCy Schubert				    &acct_delay_time, &acct_delay_time_len,
780fb4a2SCy Schubert				    NULL) == 0 &&
780fb4a2SCy Schubert	    acct_delay_time_len == 4) {
780fb4a2SCy Schubert		struct radius_hdr *hdr;
780fb4a2SCy Schubert		u32 delay_time;
780fb4a2SCy Schubert
780fb4a2SCy Schubert		/*
780fb4a2SCy Schubert		 * Need to assign a new identifier since attribute contents
780fb4a2SCy Schubert		 * changes.
780fb4a2SCy Schubert		 */
780fb4a2SCy Schubert		hdr = radius_msg_get_hdr(entry->msg);
780fb4a2SCy Schubert		hdr->identifier = radius_client_get_id(radius);
780fb4a2SCy Schubert
780fb4a2SCy Schubert		/* Update Acct-Delay-Time to show wait time in queue */
780fb4a2SCy Schubert		delay_time = now - entry->first_try;
780fb4a2SCy Schubert		WPA_PUT_BE32(acct_delay_time, delay_time);
780fb4a2SCy Schubert
780fb4a2SCy Schubert		wpa_printf(MSG_DEBUG,
780fb4a2SCy Schubert			   "RADIUS: Updated Acct-Delay-Time to %u for retransmission",
780fb4a2SCy Schubert			   delay_time);
780fb4a2SCy Schubert		radius_msg_finish_acct(entry->msg, entry->shared_secret,
780fb4a2SCy Schubert				       entry->shared_secret_len);
780fb4a2SCy Schubert		if (radius->conf->msg_dumps)
780fb4a2SCy Schubert			radius_msg_dump(entry->msg);
780fb4a2SCy Schubert	}
780fb4a2SCy Schubert
39beb93cSSam Leffler	/* retransmit; remove entry if too many attempts */
c1d255d3SCy Schubert	if (entry->accu_attempts >= RADIUS_CLIENT_MAX_FAILOVER *
4bc52338SCy Schubert	    RADIUS_CLIENT_NUM_FAILOVER * num_servers) {
4bc52338SCy Schubert		wpa_printf(MSG_INFO,
4bc52338SCy Schubert			   "RADIUS: Removing un-ACKed message due to too many failed retransmit attempts");
4bc52338SCy Schubert		return 1;
4bc52338SCy Schubert	}
4bc52338SCy Schubert
39beb93cSSam Leffler	entry->attempts++;
4bc52338SCy Schubert	entry->accu_attempts++;
39beb93cSSam Leffler	hostapd_logger(radius->ctx, entry->addr, HOSTAPD_MODULE_RADIUS,
39beb93cSSam Leffler		       HOSTAPD_LEVEL_DEBUG, "Resending RADIUS message (id=%d)",
e28a4053SRui Paulo		       radius_msg_get_hdr(entry->msg)->identifier);
39beb93cSSam Leffler
5b9c547cSRui Paulo	os_get_reltime(&entry->last_attempt);
e28a4053SRui Paulo	buf = radius_msg_get_buf(entry->msg);
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubert	if (conn) {
*a90b9d01SCy Schubert		out = tls_connection_encrypt(radius->tls_ctx, conn, buf);
*a90b9d01SCy Schubert		if (!out) {
*a90b9d01SCy Schubert			wpa_printf(MSG_INFO,
*a90b9d01SCy Schubert				   "RADIUS: Failed to encrypt RADIUS message (TLS)");
*a90b9d01SCy Schubert			return -1;
*a90b9d01SCy Schubert		}
*a90b9d01SCy Schubert		wpa_printf(MSG_DEBUG,
*a90b9d01SCy Schubert			   "RADIUS: TLS encryption of %zu bytes of plaintext to %zu bytes of ciphertext",
*a90b9d01SCy Schubert			   wpabuf_len(buf), wpabuf_len(out));
*a90b9d01SCy Schubert		buf = out;
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	wpa_printf(MSG_DEBUG, "RADIUS: Send %zu bytes to the server",
*a90b9d01SCy Schubert		   wpabuf_len(buf));
5b9c547cSRui Paulo	if (send(s, wpabuf_head(buf), wpabuf_len(buf), 0) < 0) {
5b9c547cSRui Paulo		if (radius_client_handle_send_error(radius, s, entry->msg_type)
*a90b9d01SCy Schubert		    > 0) {
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubert			wpabuf_free(out);
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
5b9c547cSRui Paulo			return 0;
5b9c547cSRui Paulo		}
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubert	wpabuf_free(out);
*a90b9d01SCy Schubert
*a90b9d01SCy Schubertnot_ready:
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
39beb93cSSam Leffler
39beb93cSSam Leffler	entry->next_try = now + entry->next_wait;
39beb93cSSam Leffler	entry->next_wait *= 2;
39beb93cSSam Leffler	if (entry->next_wait > RADIUS_CLIENT_MAX_WAIT)
39beb93cSSam Leffler		entry->next_wait = RADIUS_CLIENT_MAX_WAIT;
39beb93cSSam Leffler
39beb93cSSam Leffler	return 0;
39beb93cSSam Leffler}
39beb93cSSam Leffler
39beb93cSSam Leffler
39beb93cSSam Lefflerstatic void radius_client_timer(void *eloop_ctx, void *timeout_ctx)
39beb93cSSam Leffler{
39beb93cSSam Leffler	struct radius_client_data *radius = eloop_ctx;
5b9c547cSRui Paulo	struct os_reltime now;
39beb93cSSam Leffler	os_time_t first;
39beb93cSSam Leffler	struct radius_msg_list *entry, *prev, *tmp;
39beb93cSSam Leffler	int auth_failover = 0, acct_failover = 0;
5b9c547cSRui Paulo	size_t prev_num_msgs;
5b9c547cSRui Paulo	int s;
39beb93cSSam Leffler
39beb93cSSam Leffler	entry = radius->msgs;
39beb93cSSam Leffler	if (!entry)
39beb93cSSam Leffler		return;
39beb93cSSam Leffler
5b9c547cSRui Paulo	os_get_reltime(&now);
4bc52338SCy Schubert
4bc52338SCy Schubert	while (entry) {
4bc52338SCy Schubert		if (now.sec >= entry->next_try) {
4bc52338SCy Schubert			s = entry->msg_type == RADIUS_AUTH ? radius->auth_sock :
4bc52338SCy Schubert				radius->acct_sock;
c1d255d3SCy Schubert			if (entry->attempts >= RADIUS_CLIENT_NUM_FAILOVER ||
4bc52338SCy Schubert			    (s < 0 && entry->attempts > 0)) {
4bc52338SCy Schubert				if (entry->msg_type == RADIUS_ACCT ||
4bc52338SCy Schubert				    entry->msg_type == RADIUS_ACCT_INTERIM)
4bc52338SCy Schubert					acct_failover++;
4bc52338SCy Schubert				else
4bc52338SCy Schubert					auth_failover++;
4bc52338SCy Schubert			}
4bc52338SCy Schubert		}
4bc52338SCy Schubert		entry = entry->next;
4bc52338SCy Schubert	}
4bc52338SCy Schubert
4bc52338SCy Schubert	if (auth_failover)
4bc52338SCy Schubert		radius_client_auth_failover(radius);
4bc52338SCy Schubert
4bc52338SCy Schubert	if (acct_failover)
4bc52338SCy Schubert		radius_client_acct_failover(radius);
4bc52338SCy Schubert
4bc52338SCy Schubert	entry = radius->msgs;
39beb93cSSam Leffler	first = 0;
39beb93cSSam Leffler
39beb93cSSam Leffler	prev = NULL;
39beb93cSSam Leffler	while (entry) {
5b9c547cSRui Paulo		prev_num_msgs = radius->num_msgs;
39beb93cSSam Leffler		if (now.sec >= entry->next_try &&
39beb93cSSam Leffler		    radius_client_retransmit(radius, entry, now.sec)) {
39beb93cSSam Leffler			if (prev)
39beb93cSSam Leffler				prev->next = entry->next;
39beb93cSSam Leffler			else
39beb93cSSam Leffler				radius->msgs = entry->next;
39beb93cSSam Leffler
39beb93cSSam Leffler			tmp = entry;
39beb93cSSam Leffler			entry = entry->next;
39beb93cSSam Leffler			radius_client_msg_free(tmp);
39beb93cSSam Leffler			radius->num_msgs--;
39beb93cSSam Leffler			continue;
39beb93cSSam Leffler		}
39beb93cSSam Leffler
5b9c547cSRui Paulo		if (prev_num_msgs != radius->num_msgs) {
5b9c547cSRui Paulo			wpa_printf(MSG_DEBUG,
5b9c547cSRui Paulo				   "RADIUS: Message removed from queue - restart from beginning");
5b9c547cSRui Paulo			entry = radius->msgs;
5b9c547cSRui Paulo			prev = NULL;
5b9c547cSRui Paulo			continue;
5b9c547cSRui Paulo		}
5b9c547cSRui Paulo
39beb93cSSam Leffler		if (first == 0 || entry->next_try < first)
39beb93cSSam Leffler			first = entry->next_try;
39beb93cSSam Leffler
39beb93cSSam Leffler		prev = entry;
39beb93cSSam Leffler		entry = entry->next;
39beb93cSSam Leffler	}
39beb93cSSam Leffler
39beb93cSSam Leffler	if (radius->msgs) {
39beb93cSSam Leffler		if (first < now.sec)
39beb93cSSam Leffler			first = now.sec;
4bc52338SCy Schubert		eloop_cancel_timeout(radius_client_timer, radius, NULL);
39beb93cSSam Leffler		eloop_register_timeout(first - now.sec, 0,
39beb93cSSam Leffler				       radius_client_timer, radius, NULL);
39beb93cSSam Leffler		hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
39beb93cSSam Leffler			       HOSTAPD_LEVEL_DEBUG, "Next RADIUS client "
39beb93cSSam Leffler			       "retransmit in %ld seconds",
39beb93cSSam Leffler			       (long int) (first - now.sec));
39beb93cSSam Leffler	}
5b9c547cSRui Paulo}
5b9c547cSRui Paulo
5b9c547cSRui Paulo
5b9c547cSRui Paulostatic void radius_client_auth_failover(struct radius_client_data *radius)
5b9c547cSRui Paulo{
5b9c547cSRui Paulo	struct hostapd_radius_servers *conf = radius->conf;
39beb93cSSam Leffler	struct hostapd_radius_server *next, *old;
5b9c547cSRui Paulo	struct radius_msg_list *entry;
5b9c547cSRui Paulo	char abuf[50];
5b9c547cSRui Paulo
39beb93cSSam Leffler	old = conf->auth_server;
39beb93cSSam Leffler	hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
39beb93cSSam Leffler		       HOSTAPD_LEVEL_NOTICE,
5b9c547cSRui Paulo		       "No response from Authentication server %s:%d - failover",
39beb93cSSam Leffler		       hostapd_ip_txt(&old->addr, abuf, sizeof(abuf)),
39beb93cSSam Leffler		       old->port);
39beb93cSSam Leffler
39beb93cSSam Leffler	for (entry = radius->msgs; entry; entry = entry->next) {
39beb93cSSam Leffler		if (entry->msg_type == RADIUS_AUTH)
39beb93cSSam Leffler			old->timeouts++;
39beb93cSSam Leffler	}
39beb93cSSam Leffler
39beb93cSSam Leffler	next = old + 1;
39beb93cSSam Leffler	if (next > &(conf->auth_servers[conf->num_auth_servers - 1]))
39beb93cSSam Leffler		next = conf->auth_servers;
39beb93cSSam Leffler	conf->auth_server = next;
*a90b9d01SCy Schubert	radius_change_server(radius, next, old, 1);
39beb93cSSam Leffler}
39beb93cSSam Leffler
5b9c547cSRui Paulo
5b9c547cSRui Paulostatic void radius_client_acct_failover(struct radius_client_data *radius)
5b9c547cSRui Paulo{
5b9c547cSRui Paulo	struct hostapd_radius_servers *conf = radius->conf;
39beb93cSSam Leffler	struct hostapd_radius_server *next, *old;
5b9c547cSRui Paulo	struct radius_msg_list *entry;
5b9c547cSRui Paulo	char abuf[50];
5b9c547cSRui Paulo
39beb93cSSam Leffler	old = conf->acct_server;
39beb93cSSam Leffler	hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
39beb93cSSam Leffler		       HOSTAPD_LEVEL_NOTICE,
5b9c547cSRui Paulo		       "No response from Accounting server %s:%d - failover",
39beb93cSSam Leffler		       hostapd_ip_txt(&old->addr, abuf, sizeof(abuf)),
39beb93cSSam Leffler		       old->port);
39beb93cSSam Leffler
39beb93cSSam Leffler	for (entry = radius->msgs; entry; entry = entry->next) {
39beb93cSSam Leffler		if (entry->msg_type == RADIUS_ACCT ||
39beb93cSSam Leffler		    entry->msg_type == RADIUS_ACCT_INTERIM)
39beb93cSSam Leffler			old->timeouts++;
39beb93cSSam Leffler	}
39beb93cSSam Leffler
39beb93cSSam Leffler	next = old + 1;
39beb93cSSam Leffler	if (next > &conf->acct_servers[conf->num_acct_servers - 1])
39beb93cSSam Leffler		next = conf->acct_servers;
39beb93cSSam Leffler	conf->acct_server = next;
*a90b9d01SCy Schubert	radius_change_server(radius, next, old, 0);
39beb93cSSam Leffler}
39beb93cSSam Leffler
39beb93cSSam Leffler
39beb93cSSam Lefflerstatic void radius_client_update_timeout(struct radius_client_data *radius)
39beb93cSSam Leffler{
5b9c547cSRui Paulo	struct os_reltime now;
39beb93cSSam Leffler	os_time_t first;
39beb93cSSam Leffler	struct radius_msg_list *entry;
39beb93cSSam Leffler
39beb93cSSam Leffler	eloop_cancel_timeout(radius_client_timer, radius, NULL);
39beb93cSSam Leffler
39beb93cSSam Leffler	if (radius->msgs == NULL) {
39beb93cSSam Leffler		return;
39beb93cSSam Leffler	}
39beb93cSSam Leffler
39beb93cSSam Leffler	first = 0;
39beb93cSSam Leffler	for (entry = radius->msgs; entry; entry = entry->next) {
39beb93cSSam Leffler		if (first == 0 || entry->next_try < first)
39beb93cSSam Leffler			first = entry->next_try;
39beb93cSSam Leffler	}
39beb93cSSam Leffler
5b9c547cSRui Paulo	os_get_reltime(&now);
39beb93cSSam Leffler	if (first < now.sec)
39beb93cSSam Leffler		first = now.sec;
39beb93cSSam Leffler	eloop_register_timeout(first - now.sec, 0, radius_client_timer, radius,
39beb93cSSam Leffler			       NULL);
39beb93cSSam Leffler	hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
39beb93cSSam Leffler		       HOSTAPD_LEVEL_DEBUG, "Next RADIUS client retransmit in"
f05cddf9SRui Paulo		       " %ld seconds", (long int) (first - now.sec));
39beb93cSSam Leffler}
39beb93cSSam Leffler
39beb93cSSam Leffler
39beb93cSSam Lefflerstatic void radius_client_list_add(struct radius_client_data *radius,
39beb93cSSam Leffler				   struct radius_msg *msg,
e28a4053SRui Paulo				   RadiusType msg_type,
e28a4053SRui Paulo				   const u8 *shared_secret,
39beb93cSSam Leffler				   size_t shared_secret_len, const u8 *addr)
39beb93cSSam Leffler{
39beb93cSSam Leffler	struct radius_msg_list *entry, *prev;
39beb93cSSam Leffler
39beb93cSSam Leffler	if (eloop_terminated()) {
39beb93cSSam Leffler		/* No point in adding entries to retransmit queue since event
39beb93cSSam Leffler		 * loop has already been terminated. */
39beb93cSSam Leffler		radius_msg_free(msg);
39beb93cSSam Leffler		return;
39beb93cSSam Leffler	}
39beb93cSSam Leffler
39beb93cSSam Leffler	entry = os_zalloc(sizeof(*entry));
39beb93cSSam Leffler	if (entry == NULL) {
5b9c547cSRui Paulo		wpa_printf(MSG_INFO, "RADIUS: Failed to add packet into retransmit list");
39beb93cSSam Leffler		radius_msg_free(msg);
39beb93cSSam Leffler		return;
39beb93cSSam Leffler	}
39beb93cSSam Leffler
39beb93cSSam Leffler	if (addr)
39beb93cSSam Leffler		os_memcpy(entry->addr, addr, ETH_ALEN);
39beb93cSSam Leffler	entry->msg = msg;
39beb93cSSam Leffler	entry->msg_type = msg_type;
39beb93cSSam Leffler	entry->shared_secret = shared_secret;
39beb93cSSam Leffler	entry->shared_secret_len = shared_secret_len;
5b9c547cSRui Paulo	os_get_reltime(&entry->last_attempt);
39beb93cSSam Leffler	entry->first_try = entry->last_attempt.sec;
39beb93cSSam Leffler	entry->next_try = entry->first_try + RADIUS_CLIENT_FIRST_WAIT;
39beb93cSSam Leffler	entry->attempts = 1;
4bc52338SCy Schubert	entry->accu_attempts = 1;
39beb93cSSam Leffler	entry->next_wait = RADIUS_CLIENT_FIRST_WAIT * 2;
4bc52338SCy Schubert	if (entry->next_wait > RADIUS_CLIENT_MAX_WAIT)
4bc52338SCy Schubert		entry->next_wait = RADIUS_CLIENT_MAX_WAIT;
39beb93cSSam Leffler	entry->next = radius->msgs;
39beb93cSSam Leffler	radius->msgs = entry;
39beb93cSSam Leffler	radius_client_update_timeout(radius);
39beb93cSSam Leffler
39beb93cSSam Leffler	if (radius->num_msgs >= RADIUS_CLIENT_MAX_ENTRIES) {
5b9c547cSRui Paulo		wpa_printf(MSG_INFO, "RADIUS: Removing the oldest un-ACKed packet due to retransmit list limits");
39beb93cSSam Leffler		prev = NULL;
39beb93cSSam Leffler		while (entry->next) {
39beb93cSSam Leffler			prev = entry;
39beb93cSSam Leffler			entry = entry->next;
39beb93cSSam Leffler		}
39beb93cSSam Leffler		if (prev) {
39beb93cSSam Leffler			prev->next = NULL;
39beb93cSSam Leffler			radius_client_msg_free(entry);
39beb93cSSam Leffler		}
39beb93cSSam Leffler	} else
39beb93cSSam Leffler		radius->num_msgs++;
39beb93cSSam Leffler}
39beb93cSSam Leffler
39beb93cSSam Leffler
*a90b9d01SCy Schubertstatic int radius_client_disable_pmtu_discovery(int s)
*a90b9d01SCy Schubert{
*a90b9d01SCy Schubert	int r = -1;
*a90b9d01SCy Schubert#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
*a90b9d01SCy Schubert	/* Turn off Path MTU discovery on IPv4/UDP sockets. */
*a90b9d01SCy Schubert	int action = IP_PMTUDISC_DONT;
*a90b9d01SCy Schubert	r = setsockopt(s, IPPROTO_IP, IP_MTU_DISCOVER, &action,
*a90b9d01SCy Schubert		       sizeof(action));
*a90b9d01SCy Schubert	if (r == -1)
*a90b9d01SCy Schubert		wpa_printf(MSG_ERROR, "RADIUS: Failed to set IP_MTU_DISCOVER: %s",
*a90b9d01SCy Schubert			   strerror(errno));
*a90b9d01SCy Schubert#endif
*a90b9d01SCy Schubert	return r;
*a90b9d01SCy Schubert}
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert
*a90b9d01SCy Schubertstatic void radius_close_auth_socket(struct radius_client_data *radius)
*a90b9d01SCy Schubert{
*a90b9d01SCy Schubert	if (radius->auth_sock >= 0) {
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubert		if (radius->conf->auth_server->tls)
*a90b9d01SCy Schubert			eloop_unregister_sock(radius->auth_sock,
*a90b9d01SCy Schubert					      EVENT_TYPE_WRITE);
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
*a90b9d01SCy Schubert		eloop_unregister_read_sock(radius->auth_sock);
*a90b9d01SCy Schubert		close(radius->auth_sock);
*a90b9d01SCy Schubert		radius->auth_sock = -1;
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert}
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert
*a90b9d01SCy Schubertstatic void radius_close_acct_socket(struct radius_client_data *radius)
*a90b9d01SCy Schubert{
*a90b9d01SCy Schubert	if (radius->acct_sock >= 0) {
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubert		if (radius->conf->acct_server->tls)
*a90b9d01SCy Schubert			eloop_unregister_sock(radius->acct_sock,
*a90b9d01SCy Schubert					      EVENT_TYPE_WRITE);
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
*a90b9d01SCy Schubert		eloop_unregister_read_sock(radius->acct_sock);
*a90b9d01SCy Schubert		close(radius->acct_sock);
*a90b9d01SCy Schubert		radius->acct_sock = -1;
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert}
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert
e28a4053SRui Paulo/**
e28a4053SRui Paulo * radius_client_send - Send a RADIUS request
e28a4053SRui Paulo * @radius: RADIUS client context from radius_client_init()
e28a4053SRui Paulo * @msg: RADIUS message to be sent
e28a4053SRui Paulo * @msg_type: Message type (RADIUS_AUTH, RADIUS_ACCT, RADIUS_ACCT_INTERIM)
e28a4053SRui Paulo * @addr: MAC address of the device related to this message or %NULL
e28a4053SRui Paulo * Returns: 0 on success, -1 on failure
e28a4053SRui Paulo *
e28a4053SRui Paulo * This function is used to transmit a RADIUS authentication (RADIUS_AUTH) or
e28a4053SRui Paulo * accounting request (RADIUS_ACCT or RADIUS_ACCT_INTERIM). The only difference
e28a4053SRui Paulo * between accounting and interim accounting messages is that the interim
780fb4a2SCy Schubert * message will not be retransmitted. Instead, a callback is used to indicate
780fb4a2SCy Schubert * that the transmission failed for the specific station @addr so that a new
780fb4a2SCy Schubert * interim accounting update message can be generated with up-to-date session
780fb4a2SCy Schubert * data instead of trying to resend old information.
e28a4053SRui Paulo *
e28a4053SRui Paulo * The message is added on the retransmission queue and will be retransmitted
e28a4053SRui Paulo * automatically until a response is received or maximum number of retries
4bc52338SCy Schubert * (RADIUS_CLIENT_MAX_FAILOVER * RADIUS_CLIENT_NUM_FAILOVER) is reached. No
4bc52338SCy Schubert * such retries are used with RADIUS_ACCT_INTERIM, i.e., such a pending message
4bc52338SCy Schubert * is removed from the queue automatically on transmission failure.
e28a4053SRui Paulo *
e28a4053SRui Paulo * The related device MAC address can be used to identify pending messages that
780fb4a2SCy Schubert * can be removed with radius_client_flush_auth().
e28a4053SRui Paulo */
39beb93cSSam Lefflerint radius_client_send(struct radius_client_data *radius,
39beb93cSSam Leffler		       struct radius_msg *msg, RadiusType msg_type,
39beb93cSSam Leffler		       const u8 *addr)
39beb93cSSam Leffler{
39beb93cSSam Leffler	struct hostapd_radius_servers *conf = radius->conf;
e28a4053SRui Paulo	const u8 *shared_secret;
39beb93cSSam Leffler	size_t shared_secret_len;
39beb93cSSam Leffler	char *name;
39beb93cSSam Leffler	int s, res;
e28a4053SRui Paulo	struct wpabuf *buf;
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubert	struct wpabuf *out = NULL;
*a90b9d01SCy Schubert	struct tls_connection *conn = NULL;
*a90b9d01SCy Schubert	bool acct = false;
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
39beb93cSSam Leffler
39beb93cSSam Leffler	if (msg_type == RADIUS_ACCT || msg_type == RADIUS_ACCT_INTERIM) {
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubert		acct = true;
*a90b9d01SCy Schubert		if (radius->acct_tls)
*a90b9d01SCy Schubert			conn = radius->acct_tls_conn;
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
5b9c547cSRui Paulo		if (conf->acct_server && radius->acct_sock < 0)
5b9c547cSRui Paulo			radius_client_init_acct(radius);
5b9c547cSRui Paulo
5b9c547cSRui Paulo		if (conf->acct_server == NULL || radius->acct_sock < 0 ||
5b9c547cSRui Paulo		    conf->acct_server->shared_secret == NULL) {
39beb93cSSam Leffler			hostapd_logger(radius->ctx, NULL,
39beb93cSSam Leffler				       HOSTAPD_MODULE_RADIUS,
39beb93cSSam Leffler				       HOSTAPD_LEVEL_INFO,
39beb93cSSam Leffler				       "No accounting server configured");
39beb93cSSam Leffler			return -1;
39beb93cSSam Leffler		}
39beb93cSSam Leffler		shared_secret = conf->acct_server->shared_secret;
39beb93cSSam Leffler		shared_secret_len = conf->acct_server->shared_secret_len;
39beb93cSSam Leffler		radius_msg_finish_acct(msg, shared_secret, shared_secret_len);
39beb93cSSam Leffler		name = "accounting";
39beb93cSSam Leffler		s = radius->acct_sock;
39beb93cSSam Leffler		conf->acct_server->requests++;
39beb93cSSam Leffler	} else {
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubert		if (radius->auth_tls)
*a90b9d01SCy Schubert			conn = radius->auth_tls_conn;
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
5b9c547cSRui Paulo		if (conf->auth_server && radius->auth_sock < 0)
5b9c547cSRui Paulo			radius_client_init_auth(radius);
5b9c547cSRui Paulo
5b9c547cSRui Paulo		if (conf->auth_server == NULL || radius->auth_sock < 0 ||
5b9c547cSRui Paulo		    conf->auth_server->shared_secret == NULL) {
39beb93cSSam Leffler			hostapd_logger(radius->ctx, NULL,
39beb93cSSam Leffler				       HOSTAPD_MODULE_RADIUS,
39beb93cSSam Leffler				       HOSTAPD_LEVEL_INFO,
39beb93cSSam Leffler				       "No authentication server configured");
39beb93cSSam Leffler			return -1;
39beb93cSSam Leffler		}
39beb93cSSam Leffler		shared_secret = conf->auth_server->shared_secret;
39beb93cSSam Leffler		shared_secret_len = conf->auth_server->shared_secret_len;
39beb93cSSam Leffler		radius_msg_finish(msg, shared_secret, shared_secret_len);
39beb93cSSam Leffler		name = "authentication";
39beb93cSSam Leffler		s = radius->auth_sock;
39beb93cSSam Leffler		conf->auth_server->requests++;
39beb93cSSam Leffler	}
39beb93cSSam Leffler
39beb93cSSam Leffler	hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
39beb93cSSam Leffler		       HOSTAPD_LEVEL_DEBUG, "Sending RADIUS message to %s "
39beb93cSSam Leffler		       "server", name);
39beb93cSSam Leffler	if (conf->msg_dumps)
39beb93cSSam Leffler		radius_msg_dump(msg);
39beb93cSSam Leffler
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubert	if ((acct && radius->acct_tls && !radius->acct_tls_ready) ||
*a90b9d01SCy Schubert	    (!acct && radius->auth_tls && !radius->auth_tls_ready)) {
*a90b9d01SCy Schubert		wpa_printf(MSG_DEBUG,
*a90b9d01SCy Schubert			   "RADIUS: TLS connection not yet ready for TX");
*a90b9d01SCy Schubert		goto skip_send;
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
*a90b9d01SCy Schubert
e28a4053SRui Paulo	buf = radius_msg_get_buf(msg);
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubert	if (conn) {
*a90b9d01SCy Schubert		out = tls_connection_encrypt(radius->tls_ctx, conn, buf);
*a90b9d01SCy Schubert		if (!out) {
*a90b9d01SCy Schubert			wpa_printf(MSG_INFO,
*a90b9d01SCy Schubert				   "RADIUS: Failed to encrypt RADIUS message (TLS)");
*a90b9d01SCy Schubert			return -1;
*a90b9d01SCy Schubert		}
*a90b9d01SCy Schubert		wpa_printf(MSG_DEBUG,
*a90b9d01SCy Schubert			   "RADIUS: TLS encryption of %zu bytes of plaintext to %zu bytes of ciphertext",
*a90b9d01SCy Schubert			   wpabuf_len(buf), wpabuf_len(out));
*a90b9d01SCy Schubert		buf = out;
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
*a90b9d01SCy Schubert	wpa_printf(MSG_DEBUG, "RADIUS: Send %zu bytes to the server",
*a90b9d01SCy Schubert		   wpabuf_len(buf));
e28a4053SRui Paulo	res = send(s, wpabuf_head(buf), wpabuf_len(buf), 0);
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubert	wpabuf_free(out);
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
39beb93cSSam Leffler	if (res < 0)
39beb93cSSam Leffler		radius_client_handle_send_error(radius, s, msg_type);
39beb93cSSam Leffler
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubertskip_send:
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
39beb93cSSam Leffler	radius_client_list_add(radius, msg, msg_type, shared_secret,
39beb93cSSam Leffler			       shared_secret_len, addr);
39beb93cSSam Leffler
f05cddf9SRui Paulo	return 0;
39beb93cSSam Leffler}
39beb93cSSam Leffler
39beb93cSSam Leffler
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubert
*a90b9d01SCy Schubertstatic void radius_client_close_tcp(struct radius_client_data *radius,
*a90b9d01SCy Schubert				    int sock, RadiusType msg_type)
*a90b9d01SCy Schubert{
*a90b9d01SCy Schubert	wpa_printf(MSG_DEBUG, "RADIUS: Closing TCP connection (sock %d)",
*a90b9d01SCy Schubert		   sock);
*a90b9d01SCy Schubert	if (msg_type == RADIUS_ACCT) {
*a90b9d01SCy Schubert		radius->acct_tls_ready = false;
*a90b9d01SCy Schubert		radius_close_acct_socket(radius);
*a90b9d01SCy Schubert	} else {
*a90b9d01SCy Schubert		radius->auth_tls_ready = false;
*a90b9d01SCy Schubert		radius_close_auth_socket(radius);
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert}
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert
*a90b9d01SCy Schubertstatic void
*a90b9d01SCy Schubertradius_client_process_tls_handshake(struct radius_client_data *radius,
*a90b9d01SCy Schubert				    int sock, RadiusType msg_type,
*a90b9d01SCy Schubert				    u8 *buf, size_t len)
*a90b9d01SCy Schubert{
*a90b9d01SCy Schubert	struct wpabuf *in, *out = NULL, *appl;
*a90b9d01SCy Schubert	struct tls_connection *conn;
*a90b9d01SCy Schubert	int res;
*a90b9d01SCy Schubert	bool ready = false;
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	wpa_printf(MSG_DEBUG,
*a90b9d01SCy Schubert		   "RADIUS: Process %zu bytes of received TLS handshake message",
*a90b9d01SCy Schubert		   len);
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	if (msg_type == RADIUS_ACCT)
*a90b9d01SCy Schubert		conn = radius->acct_tls_conn;
*a90b9d01SCy Schubert	else
*a90b9d01SCy Schubert		conn = radius->auth_tls_conn;
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	in = wpabuf_alloc_copy(buf, len);
*a90b9d01SCy Schubert	if (!in)
*a90b9d01SCy Schubert		return;
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	appl = NULL;
*a90b9d01SCy Schubert	out = tls_connection_handshake(radius->tls_ctx, conn, in, &appl);
*a90b9d01SCy Schubert	wpabuf_free(in);
*a90b9d01SCy Schubert	if (!out) {
*a90b9d01SCy Schubert		wpa_printf(MSG_DEBUG,
*a90b9d01SCy Schubert			   "RADIUS: Could not generate TLS handshake data");
*a90b9d01SCy Schubert		goto fail;
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	if (tls_connection_get_failed(radius->tls_ctx, conn)) {
*a90b9d01SCy Schubert		wpa_printf(MSG_INFO, "RADIUS: TLS handshake failed");
*a90b9d01SCy Schubert		goto fail;
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	if (tls_connection_established(radius->tls_ctx, conn)) {
*a90b9d01SCy Schubert		wpa_printf(MSG_DEBUG,
*a90b9d01SCy Schubert			   "RADIUS: TLS connection established (sock=%d)",
*a90b9d01SCy Schubert			   sock);
*a90b9d01SCy Schubert		if (msg_type == RADIUS_ACCT)
*a90b9d01SCy Schubert			radius->acct_tls_ready = true;
*a90b9d01SCy Schubert		else
*a90b9d01SCy Schubert			radius->auth_tls_ready = true;
*a90b9d01SCy Schubert		ready = true;
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	wpa_printf(MSG_DEBUG, "RADIUS: Sending %zu bytes of TLS handshake",
*a90b9d01SCy Schubert		   wpabuf_len(out));
*a90b9d01SCy Schubert	res = send(sock, wpabuf_head(out), wpabuf_len(out), 0);
*a90b9d01SCy Schubert	if (res < 0) {
*a90b9d01SCy Schubert		wpa_printf(MSG_INFO, "RADIUS: send: %s", strerror(errno));
*a90b9d01SCy Schubert		goto fail;
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert	if ((size_t) res != wpabuf_len(out)) {
*a90b9d01SCy Schubert		wpa_printf(MSG_INFO,
*a90b9d01SCy Schubert			   "RADIUS: Could not send all data for TLS handshake: only %d bytes sent",
*a90b9d01SCy Schubert			   res);
*a90b9d01SCy Schubert		goto fail;
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert	wpabuf_free(out);
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	if (ready) {
*a90b9d01SCy Schubert		struct radius_msg_list *entry, *prev, *tmp;
*a90b9d01SCy Schubert		struct os_reltime now;
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert		/* Send all pending message of matching type since the TLS
*a90b9d01SCy Schubert		 * tunnel has now been established. */
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert		os_get_reltime(&now);
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert		entry = radius->msgs;
*a90b9d01SCy Schubert		prev = NULL;
*a90b9d01SCy Schubert		while (entry) {
*a90b9d01SCy Schubert			if (entry->msg_type != msg_type) {
*a90b9d01SCy Schubert				prev = entry;
*a90b9d01SCy Schubert				entry = entry->next;
*a90b9d01SCy Schubert				continue;
*a90b9d01SCy Schubert			}
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert			if (radius_client_retransmit(radius, entry, now.sec)) {
*a90b9d01SCy Schubert				if (prev)
*a90b9d01SCy Schubert					prev->next = entry->next;
*a90b9d01SCy Schubert				else
*a90b9d01SCy Schubert					radius->msgs = entry->next;
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert				tmp = entry;
*a90b9d01SCy Schubert				entry = entry->next;
*a90b9d01SCy Schubert				radius_client_msg_free(tmp);
*a90b9d01SCy Schubert				radius->num_msgs--;
*a90b9d01SCy Schubert				continue;
*a90b9d01SCy Schubert			}
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert			prev = entry;
*a90b9d01SCy Schubert			entry = entry->next;
*a90b9d01SCy Schubert		}
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	return;
*a90b9d01SCy Schubert
*a90b9d01SCy Schubertfail:
*a90b9d01SCy Schubert	wpabuf_free(out);
*a90b9d01SCy Schubert	tls_connection_deinit(radius->tls_ctx, conn);
*a90b9d01SCy Schubert	if (msg_type == RADIUS_ACCT)
*a90b9d01SCy Schubert		radius->acct_tls_conn = NULL;
*a90b9d01SCy Schubert	else
*a90b9d01SCy Schubert		radius->auth_tls_conn = NULL;
*a90b9d01SCy Schubert	radius_client_close_tcp(radius, sock, msg_type);
*a90b9d01SCy Schubert}
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert
39beb93cSSam Lefflerstatic void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
39beb93cSSam Leffler{
39beb93cSSam Leffler	struct radius_client_data *radius = eloop_ctx;
39beb93cSSam Leffler	struct hostapd_radius_servers *conf = radius->conf;
4b72b91aSCy Schubert	RadiusType msg_type = (uintptr_t) sock_ctx;
39beb93cSSam Leffler	int len, roundtrip;
c1d255d3SCy Schubert	unsigned char buf[RADIUS_MAX_MSG_LEN];
c1d255d3SCy Schubert	struct msghdr msghdr = {0};
c1d255d3SCy Schubert	struct iovec iov;
39beb93cSSam Leffler	struct radius_msg *msg;
e28a4053SRui Paulo	struct radius_hdr *hdr;
39beb93cSSam Leffler	struct radius_rx_handler *handlers;
39beb93cSSam Leffler	size_t num_handlers, i;
39beb93cSSam Leffler	struct radius_msg_list *req, *prev_req;
5b9c547cSRui Paulo	struct os_reltime now;
39beb93cSSam Leffler	struct hostapd_radius_server *rconf;
39beb93cSSam Leffler	int invalid_authenticator = 0;
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubert	struct tls_connection *conn = NULL;
*a90b9d01SCy Schubert	bool tls, tls_ready;
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
39beb93cSSam Leffler
39beb93cSSam Leffler	if (msg_type == RADIUS_ACCT) {
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubert		if (radius->acct_tls)
*a90b9d01SCy Schubert			conn = radius->acct_tls_conn;
*a90b9d01SCy Schubert		tls = radius->acct_tls;
*a90b9d01SCy Schubert		tls_ready = radius->acct_tls_ready;
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
39beb93cSSam Leffler		handlers = radius->acct_handlers;
39beb93cSSam Leffler		num_handlers = radius->num_acct_handlers;
39beb93cSSam Leffler		rconf = conf->acct_server;
39beb93cSSam Leffler	} else {
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubert		if (radius->auth_tls)
*a90b9d01SCy Schubert			conn = radius->auth_tls_conn;
*a90b9d01SCy Schubert		tls = radius->auth_tls;
*a90b9d01SCy Schubert		tls_ready = radius->auth_tls_ready;
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
39beb93cSSam Leffler		handlers = radius->auth_handlers;
39beb93cSSam Leffler		num_handlers = radius->num_auth_handlers;
39beb93cSSam Leffler		rconf = conf->auth_server;
39beb93cSSam Leffler	}
39beb93cSSam Leffler
c1d255d3SCy Schubert	iov.iov_base = buf;
c1d255d3SCy Schubert	iov.iov_len = RADIUS_MAX_MSG_LEN;
c1d255d3SCy Schubert	msghdr.msg_iov = &iov;
c1d255d3SCy Schubert	msghdr.msg_iovlen = 1;
c1d255d3SCy Schubert	msghdr.msg_flags = 0;
c1d255d3SCy Schubert	len = recvmsg(sock, &msghdr, MSG_DONTWAIT);
39beb93cSSam Leffler	if (len < 0) {
c1d255d3SCy Schubert		wpa_printf(MSG_INFO, "recvmsg[RADIUS]: %s", strerror(errno));
39beb93cSSam Leffler		return;
39beb93cSSam Leffler	}
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubert	if (tls && len == 0) {
*a90b9d01SCy Schubert		wpa_printf(MSG_DEBUG, "RADIUS: No TCP data available");
*a90b9d01SCy Schubert		goto close_tcp;
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	if (tls && !tls_ready) {
*a90b9d01SCy Schubert		radius_client_process_tls_handshake(radius, sock, msg_type,
*a90b9d01SCy Schubert						    buf, len);
*a90b9d01SCy Schubert		return;
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	if (conn) {
*a90b9d01SCy Schubert		struct wpabuf *out, *in;
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert		in = wpabuf_alloc_copy(buf, len);
*a90b9d01SCy Schubert		if (!in)
*a90b9d01SCy Schubert			return;
*a90b9d01SCy Schubert		wpa_printf(MSG_DEBUG,
*a90b9d01SCy Schubert			   "RADIUS: Process %d bytes of encrypted TLS data",
*a90b9d01SCy Schubert			   len);
*a90b9d01SCy Schubert		out = tls_connection_decrypt(radius->tls_ctx, conn, in);
*a90b9d01SCy Schubert		wpabuf_free(in);
*a90b9d01SCy Schubert		if (!out) {
*a90b9d01SCy Schubert			wpa_printf(MSG_INFO,
*a90b9d01SCy Schubert				   "RADIUS: Failed to decrypt TLS data");
*a90b9d01SCy Schubert			goto close_tcp;
*a90b9d01SCy Schubert		}
*a90b9d01SCy Schubert		if (wpabuf_len(out) == 0) {
*a90b9d01SCy Schubert			wpa_printf(MSG_DEBUG,
*a90b9d01SCy Schubert				   "RADIUS: Full message not yet received - continue waiting for additional TLS data");
*a90b9d01SCy Schubert			wpabuf_free(out);
*a90b9d01SCy Schubert			return;
*a90b9d01SCy Schubert		}
*a90b9d01SCy Schubert		if (wpabuf_len(out) > RADIUS_MAX_MSG_LEN) {
*a90b9d01SCy Schubert			wpa_printf(MSG_INFO,
*a90b9d01SCy Schubert				   "RADIUS: Too long RADIUS message from TLS: %zu",
*a90b9d01SCy Schubert				   wpabuf_len(out));
*a90b9d01SCy Schubert			wpabuf_free(out);
*a90b9d01SCy Schubert			goto close_tcp;
*a90b9d01SCy Schubert		}
*a90b9d01SCy Schubert		os_memcpy(buf, wpabuf_head(out), wpabuf_len(out));
*a90b9d01SCy Schubert		len = wpabuf_len(out);
*a90b9d01SCy Schubert		wpabuf_free(out);
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
c1d255d3SCy Schubert
39beb93cSSam Leffler	hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
39beb93cSSam Leffler		       HOSTAPD_LEVEL_DEBUG, "Received %d bytes from RADIUS "
39beb93cSSam Leffler		       "server", len);
c1d255d3SCy Schubert
c1d255d3SCy Schubert	if (msghdr.msg_flags & MSG_TRUNC) {
5b9c547cSRui Paulo		wpa_printf(MSG_INFO, "RADIUS: Possibly too long UDP frame for our buffer - dropping it");
39beb93cSSam Leffler		return;
39beb93cSSam Leffler	}
39beb93cSSam Leffler
39beb93cSSam Leffler	msg = radius_msg_parse(buf, len);
39beb93cSSam Leffler	if (msg == NULL) {
5b9c547cSRui Paulo		wpa_printf(MSG_INFO, "RADIUS: Parsing incoming frame failed");
39beb93cSSam Leffler		rconf->malformed_responses++;
39beb93cSSam Leffler		return;
39beb93cSSam Leffler	}
e28a4053SRui Paulo	hdr = radius_msg_get_hdr(msg);
39beb93cSSam Leffler
39beb93cSSam Leffler	hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
39beb93cSSam Leffler		       HOSTAPD_LEVEL_DEBUG, "Received RADIUS message");
39beb93cSSam Leffler	if (conf->msg_dumps)
39beb93cSSam Leffler		radius_msg_dump(msg);
39beb93cSSam Leffler
e28a4053SRui Paulo	switch (hdr->code) {
39beb93cSSam Leffler	case RADIUS_CODE_ACCESS_ACCEPT:
39beb93cSSam Leffler		rconf->access_accepts++;
39beb93cSSam Leffler		break;
39beb93cSSam Leffler	case RADIUS_CODE_ACCESS_REJECT:
39beb93cSSam Leffler		rconf->access_rejects++;
39beb93cSSam Leffler		break;
39beb93cSSam Leffler	case RADIUS_CODE_ACCESS_CHALLENGE:
39beb93cSSam Leffler		rconf->access_challenges++;
39beb93cSSam Leffler		break;
39beb93cSSam Leffler	case RADIUS_CODE_ACCOUNTING_RESPONSE:
39beb93cSSam Leffler		rconf->responses++;
39beb93cSSam Leffler		break;
39beb93cSSam Leffler	}
39beb93cSSam Leffler
39beb93cSSam Leffler	prev_req = NULL;
39beb93cSSam Leffler	req = radius->msgs;
39beb93cSSam Leffler	while (req) {
39beb93cSSam Leffler		/* TODO: also match by src addr:port of the packet when using
39beb93cSSam Leffler		 * alternative RADIUS servers (?) */
39beb93cSSam Leffler		if ((req->msg_type == msg_type ||
39beb93cSSam Leffler		     (req->msg_type == RADIUS_ACCT_INTERIM &&
39beb93cSSam Leffler		      msg_type == RADIUS_ACCT)) &&
e28a4053SRui Paulo		    radius_msg_get_hdr(req->msg)->identifier ==
e28a4053SRui Paulo		    hdr->identifier)
39beb93cSSam Leffler			break;
39beb93cSSam Leffler
39beb93cSSam Leffler		prev_req = req;
39beb93cSSam Leffler		req = req->next;
39beb93cSSam Leffler	}
39beb93cSSam Leffler
39beb93cSSam Leffler	if (req == NULL) {
39beb93cSSam Leffler		hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
39beb93cSSam Leffler			       HOSTAPD_LEVEL_DEBUG,
39beb93cSSam Leffler			       "No matching RADIUS request found (type=%d "
39beb93cSSam Leffler			       "id=%d) - dropping packet",
e28a4053SRui Paulo			       msg_type, hdr->identifier);
39beb93cSSam Leffler		goto fail;
39beb93cSSam Leffler	}
39beb93cSSam Leffler
5b9c547cSRui Paulo	os_get_reltime(&now);
39beb93cSSam Leffler	roundtrip = (now.sec - req->last_attempt.sec) * 100 +
39beb93cSSam Leffler		(now.usec - req->last_attempt.usec) / 10000;
39beb93cSSam Leffler	hostapd_logger(radius->ctx, req->addr, HOSTAPD_MODULE_RADIUS,
39beb93cSSam Leffler		       HOSTAPD_LEVEL_DEBUG,
39beb93cSSam Leffler		       "Received RADIUS packet matched with a pending "
39beb93cSSam Leffler		       "request, round trip time %d.%02d sec",
39beb93cSSam Leffler		       roundtrip / 100, roundtrip % 100);
39beb93cSSam Leffler	rconf->round_trip_time = roundtrip;
39beb93cSSam Leffler
39beb93cSSam Leffler	/* Remove ACKed RADIUS packet from retransmit list */
39beb93cSSam Leffler	if (prev_req)
39beb93cSSam Leffler		prev_req->next = req->next;
39beb93cSSam Leffler	else
39beb93cSSam Leffler		radius->msgs = req->next;
39beb93cSSam Leffler	radius->num_msgs--;
39beb93cSSam Leffler
39beb93cSSam Leffler	for (i = 0; i < num_handlers; i++) {
39beb93cSSam Leffler		RadiusRxResult res;
39beb93cSSam Leffler		res = handlers[i].handler(msg, req->msg, req->shared_secret,
39beb93cSSam Leffler					  req->shared_secret_len,
39beb93cSSam Leffler					  handlers[i].data);
39beb93cSSam Leffler		switch (res) {
39beb93cSSam Leffler		case RADIUS_RX_PROCESSED:
39beb93cSSam Leffler			radius_msg_free(msg);
85732ac8SCy Schubert			/* fall through */
39beb93cSSam Leffler		case RADIUS_RX_QUEUED:
39beb93cSSam Leffler			radius_client_msg_free(req);
39beb93cSSam Leffler			return;
39beb93cSSam Leffler		case RADIUS_RX_INVALID_AUTHENTICATOR:
39beb93cSSam Leffler			invalid_authenticator++;
85732ac8SCy Schubert			/* fall through */
39beb93cSSam Leffler		case RADIUS_RX_UNKNOWN:
39beb93cSSam Leffler			/* continue with next handler */
39beb93cSSam Leffler			break;
39beb93cSSam Leffler		}
39beb93cSSam Leffler	}
39beb93cSSam Leffler
39beb93cSSam Leffler	if (invalid_authenticator)
39beb93cSSam Leffler		rconf->bad_authenticators++;
39beb93cSSam Leffler	else
39beb93cSSam Leffler		rconf->unknown_types++;
39beb93cSSam Leffler	hostapd_logger(radius->ctx, req->addr, HOSTAPD_MODULE_RADIUS,
39beb93cSSam Leffler		       HOSTAPD_LEVEL_DEBUG, "No RADIUS RX handler found "
39beb93cSSam Leffler		       "(type=%d code=%d id=%d)%s - dropping packet",
e28a4053SRui Paulo		       msg_type, hdr->code, hdr->identifier,
39beb93cSSam Leffler		       invalid_authenticator ? " [INVALID AUTHENTICATOR]" :
39beb93cSSam Leffler		       "");
39beb93cSSam Leffler	radius_client_msg_free(req);
39beb93cSSam Leffler
39beb93cSSam Leffler fail:
39beb93cSSam Leffler	radius_msg_free(msg);
*a90b9d01SCy Schubert	return;
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubertclose_tcp:
*a90b9d01SCy Schubert	radius_client_close_tcp(radius, sock, msg_type);
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
39beb93cSSam Leffler}
39beb93cSSam Leffler
39beb93cSSam Leffler
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubertstatic void radius_client_write_ready(int sock, void *eloop_ctx, void *sock_ctx)
*a90b9d01SCy Schubert{
*a90b9d01SCy Schubert	struct radius_client_data *radius = eloop_ctx;
*a90b9d01SCy Schubert	RadiusType msg_type = (uintptr_t) sock_ctx;
*a90b9d01SCy Schubert	struct tls_connection *conn = NULL;
*a90b9d01SCy Schubert	struct wpabuf *in, *out = NULL, *appl;
*a90b9d01SCy Schubert	int res = -1;
*a90b9d01SCy Schubert	struct tls_connection_params params;
*a90b9d01SCy Schubert	struct hostapd_radius_server *server;
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	wpa_printf(MSG_DEBUG, "RADIUS: TCP connection established - start TLS handshake (sock=%d)",
*a90b9d01SCy Schubert		   sock);
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	if (msg_type == RADIUS_ACCT) {
*a90b9d01SCy Schubert		eloop_unregister_sock(sock, EVENT_TYPE_WRITE);
*a90b9d01SCy Schubert		eloop_register_read_sock(sock, radius_client_receive, radius,
*a90b9d01SCy Schubert					 (void *) RADIUS_ACCT);
*a90b9d01SCy Schubert		if (radius->acct_tls_conn) {
*a90b9d01SCy Schubert			wpa_printf(MSG_DEBUG,
*a90b9d01SCy Schubert				   "RADIUS: Deinit previously used TLS connection");
*a90b9d01SCy Schubert			tls_connection_deinit(radius->tls_ctx,
*a90b9d01SCy Schubert					      radius->acct_tls_conn);
*a90b9d01SCy Schubert			radius->acct_tls_conn = NULL;
*a90b9d01SCy Schubert		}
*a90b9d01SCy Schubert		server = radius->conf->acct_server;
*a90b9d01SCy Schubert	} else {
*a90b9d01SCy Schubert		eloop_unregister_sock(sock, EVENT_TYPE_WRITE);
*a90b9d01SCy Schubert		eloop_register_read_sock(sock, radius_client_receive, radius,
*a90b9d01SCy Schubert					 (void *) RADIUS_AUTH);
*a90b9d01SCy Schubert		if (radius->auth_tls_conn) {
*a90b9d01SCy Schubert			wpa_printf(MSG_DEBUG,
*a90b9d01SCy Schubert				   "RADIUS: Deinit previously used TLS connection");
*a90b9d01SCy Schubert			tls_connection_deinit(radius->tls_ctx,
*a90b9d01SCy Schubert					      radius->auth_tls_conn);
*a90b9d01SCy Schubert			radius->auth_tls_conn = NULL;
*a90b9d01SCy Schubert		}
*a90b9d01SCy Schubert		server = radius->conf->auth_server;
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	if (!server)
*a90b9d01SCy Schubert		goto fail;
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	conn = tls_connection_init(radius->tls_ctx);
*a90b9d01SCy Schubert	if (!conn) {
*a90b9d01SCy Schubert		wpa_printf(MSG_INFO,
*a90b9d01SCy Schubert			   "RADIUS: Failed to initiate TLS connection");
*a90b9d01SCy Schubert		goto fail;
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	os_memset(&params, 0, sizeof(params));
*a90b9d01SCy Schubert	params.ca_cert = server->ca_cert;
*a90b9d01SCy Schubert	params.client_cert = server->client_cert;
*a90b9d01SCy Schubert	params.private_key = server->private_key;
*a90b9d01SCy Schubert	params.private_key_passwd = server->private_key_passwd;
*a90b9d01SCy Schubert	params.flags = TLS_CONN_DISABLE_TLSv1_0 | TLS_CONN_DISABLE_TLSv1_1;
*a90b9d01SCy Schubert	if (tls_connection_set_params(radius->tls_ctx, conn, &params)) {
*a90b9d01SCy Schubert		wpa_printf(MSG_INFO,
*a90b9d01SCy Schubert			   "RADIUS: Failed to set TLS connection parameters");
*a90b9d01SCy Schubert		goto fail;
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	in = NULL;
*a90b9d01SCy Schubert	appl = NULL;
*a90b9d01SCy Schubert	out = tls_connection_handshake(radius->tls_ctx, conn, in, &appl);
*a90b9d01SCy Schubert	if (!out) {
*a90b9d01SCy Schubert		wpa_printf(MSG_DEBUG,
*a90b9d01SCy Schubert			   "RADIUS: Could not generate TLS handshake data");
*a90b9d01SCy Schubert		goto fail;
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	if (tls_connection_get_failed(radius->tls_ctx, conn)) {
*a90b9d01SCy Schubert		wpa_printf(MSG_INFO, "RADIUS: TLS handshake failed");
*a90b9d01SCy Schubert		goto fail;
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	wpa_printf(MSG_DEBUG, "RADIUS: Sending %zu bytes of TLS handshake",
*a90b9d01SCy Schubert		   wpabuf_len(out));
*a90b9d01SCy Schubert	res = send(sock, wpabuf_head(out), wpabuf_len(out), 0);
*a90b9d01SCy Schubert	if (res < 0) {
*a90b9d01SCy Schubert		wpa_printf(MSG_INFO, "RADIUS: send: %s", strerror(errno));
*a90b9d01SCy Schubert		goto fail;
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert	if ((size_t) res != wpabuf_len(out)) {
*a90b9d01SCy Schubert		wpa_printf(MSG_INFO,
*a90b9d01SCy Schubert			   "RADIUS: Could not send all data for TLS handshake: only %d bytes sent",
*a90b9d01SCy Schubert			   res);
*a90b9d01SCy Schubert		goto fail;
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert	wpabuf_free(out);
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	if (msg_type == RADIUS_ACCT)
*a90b9d01SCy Schubert		radius->acct_tls_conn = conn;
*a90b9d01SCy Schubert	else
*a90b9d01SCy Schubert		radius->auth_tls_conn = conn;
*a90b9d01SCy Schubert	return;
*a90b9d01SCy Schubert
*a90b9d01SCy Schubertfail:
*a90b9d01SCy Schubert	wpa_printf(MSG_INFO, "RADIUS: Failed to perform TLS handshake");
*a90b9d01SCy Schubert	tls_connection_deinit(radius->tls_ctx, conn);
*a90b9d01SCy Schubert	wpabuf_free(out);
*a90b9d01SCy Schubert	radius_client_close_tcp(radius, sock, msg_type);
*a90b9d01SCy Schubert}
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert
e28a4053SRui Paulo/**
e28a4053SRui Paulo * radius_client_get_id - Get an identifier for a new RADIUS message
e28a4053SRui Paulo * @radius: RADIUS client context from radius_client_init()
e28a4053SRui Paulo * Returns: Allocated identifier
e28a4053SRui Paulo *
e28a4053SRui Paulo * This function is used to fetch a unique (among pending requests) identifier
e28a4053SRui Paulo * for a new RADIUS message.
e28a4053SRui Paulo */
39beb93cSSam Leffleru8 radius_client_get_id(struct radius_client_data *radius)
39beb93cSSam Leffler{
39beb93cSSam Leffler	struct radius_msg_list *entry, *prev, *_remove;
39beb93cSSam Leffler	u8 id = radius->next_radius_identifier++;
39beb93cSSam Leffler
39beb93cSSam Leffler	/* remove entries with matching id from retransmit list to avoid
39beb93cSSam Leffler	 * using new reply from the RADIUS server with an old request */
39beb93cSSam Leffler	entry = radius->msgs;
39beb93cSSam Leffler	prev = NULL;
39beb93cSSam Leffler	while (entry) {
e28a4053SRui Paulo		if (radius_msg_get_hdr(entry->msg)->identifier == id) {
39beb93cSSam Leffler			hostapd_logger(radius->ctx, entry->addr,
39beb93cSSam Leffler				       HOSTAPD_MODULE_RADIUS,
39beb93cSSam Leffler				       HOSTAPD_LEVEL_DEBUG,
39beb93cSSam Leffler				       "Removing pending RADIUS message, "
39beb93cSSam Leffler				       "since its id (%d) is reused", id);
39beb93cSSam Leffler			if (prev)
39beb93cSSam Leffler				prev->next = entry->next;
39beb93cSSam Leffler			else
39beb93cSSam Leffler				radius->msgs = entry->next;
39beb93cSSam Leffler			_remove = entry;
39beb93cSSam Leffler		} else {
39beb93cSSam Leffler			_remove = NULL;
39beb93cSSam Leffler			prev = entry;
39beb93cSSam Leffler		}
39beb93cSSam Leffler		entry = entry->next;
39beb93cSSam Leffler
39beb93cSSam Leffler		if (_remove)
39beb93cSSam Leffler			radius_client_msg_free(_remove);
39beb93cSSam Leffler	}
39beb93cSSam Leffler
39beb93cSSam Leffler	return id;
39beb93cSSam Leffler}
39beb93cSSam Leffler
39beb93cSSam Leffler
e28a4053SRui Paulo/**
e28a4053SRui Paulo * radius_client_flush - Flush all pending RADIUS client messages
e28a4053SRui Paulo * @radius: RADIUS client context from radius_client_init()
e28a4053SRui Paulo * @only_auth: Whether only authentication messages are removed
e28a4053SRui Paulo */
39beb93cSSam Lefflervoid radius_client_flush(struct radius_client_data *radius, int only_auth)
39beb93cSSam Leffler{
39beb93cSSam Leffler	struct radius_msg_list *entry, *prev, *tmp;
39beb93cSSam Leffler
39beb93cSSam Leffler	if (!radius)
39beb93cSSam Leffler		return;
39beb93cSSam Leffler
39beb93cSSam Leffler	prev = NULL;
39beb93cSSam Leffler	entry = radius->msgs;
39beb93cSSam Leffler
39beb93cSSam Leffler	while (entry) {
39beb93cSSam Leffler		if (!only_auth || entry->msg_type == RADIUS_AUTH) {
39beb93cSSam Leffler			if (prev)
39beb93cSSam Leffler				prev->next = entry->next;
39beb93cSSam Leffler			else
39beb93cSSam Leffler				radius->msgs = entry->next;
39beb93cSSam Leffler
39beb93cSSam Leffler			tmp = entry;
39beb93cSSam Leffler			entry = entry->next;
39beb93cSSam Leffler			radius_client_msg_free(tmp);
39beb93cSSam Leffler			radius->num_msgs--;
39beb93cSSam Leffler		} else {
39beb93cSSam Leffler			prev = entry;
39beb93cSSam Leffler			entry = entry->next;
39beb93cSSam Leffler		}
39beb93cSSam Leffler	}
39beb93cSSam Leffler
39beb93cSSam Leffler	if (radius->msgs == NULL)
39beb93cSSam Leffler		eloop_cancel_timeout(radius_client_timer, radius, NULL);
39beb93cSSam Leffler}
39beb93cSSam Leffler
39beb93cSSam Leffler
39beb93cSSam Lefflerstatic void radius_client_update_acct_msgs(struct radius_client_data *radius,
e28a4053SRui Paulo					   const u8 *shared_secret,
39beb93cSSam Leffler					   size_t shared_secret_len)
39beb93cSSam Leffler{
39beb93cSSam Leffler	struct radius_msg_list *entry;
39beb93cSSam Leffler
39beb93cSSam Leffler	if (!radius)
39beb93cSSam Leffler		return;
39beb93cSSam Leffler
39beb93cSSam Leffler	for (entry = radius->msgs; entry; entry = entry->next) {
39beb93cSSam Leffler		if (entry->msg_type == RADIUS_ACCT) {
39beb93cSSam Leffler			entry->shared_secret = shared_secret;
39beb93cSSam Leffler			entry->shared_secret_len = shared_secret_len;
39beb93cSSam Leffler			radius_msg_finish_acct(entry->msg, shared_secret,
39beb93cSSam Leffler					       shared_secret_len);
39beb93cSSam Leffler		}
39beb93cSSam Leffler	}
39beb93cSSam Leffler}
39beb93cSSam Leffler
39beb93cSSam Leffler
39beb93cSSam Lefflerstatic int
39beb93cSSam Lefflerradius_change_server(struct radius_client_data *radius,
39beb93cSSam Leffler		     struct hostapd_radius_server *nserv,
39beb93cSSam Leffler		     struct hostapd_radius_server *oserv,
*a90b9d01SCy Schubert		     int auth)
39beb93cSSam Leffler{
39beb93cSSam Leffler	struct sockaddr_in serv, claddr;
39beb93cSSam Leffler#ifdef CONFIG_IPV6
39beb93cSSam Leffler	struct sockaddr_in6 serv6, claddr6;
39beb93cSSam Leffler#endif /* CONFIG_IPV6 */
39beb93cSSam Leffler	struct sockaddr *addr, *cl_addr;
39beb93cSSam Leffler	socklen_t addrlen, claddrlen;
39beb93cSSam Leffler	char abuf[50];
39beb93cSSam Leffler	int sel_sock;
39beb93cSSam Leffler	struct radius_msg_list *entry;
39beb93cSSam Leffler	struct hostapd_radius_servers *conf = radius->conf;
*a90b9d01SCy Schubert	int type = SOCK_DGRAM;
*a90b9d01SCy Schubert	bool tls = nserv->tls;
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	if (tls) {
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubert		type = SOCK_STREAM;
*a90b9d01SCy Schubert#else /* CONFIG_RADIUS_TLS */
*a90b9d01SCy Schubert		wpa_printf(MSG_ERROR, "RADIUS: TLS not supported");
*a90b9d01SCy Schubert		return -1;
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
*a90b9d01SCy Schubert	}
39beb93cSSam Leffler
39beb93cSSam Leffler	hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS,
39beb93cSSam Leffler		       HOSTAPD_LEVEL_INFO,
39beb93cSSam Leffler		       "%s server %s:%d",
39beb93cSSam Leffler		       auth ? "Authentication" : "Accounting",
39beb93cSSam Leffler		       hostapd_ip_txt(&nserv->addr, abuf, sizeof(abuf)),
39beb93cSSam Leffler		       nserv->port);
39beb93cSSam Leffler
780fb4a2SCy Schubert	if (oserv && oserv == nserv) {
780fb4a2SCy Schubert		/* Reconnect to same server, flush */
780fb4a2SCy Schubert		if (auth)
780fb4a2SCy Schubert			radius_client_flush(radius, 1);
780fb4a2SCy Schubert	}
780fb4a2SCy Schubert
5b9c547cSRui Paulo	if (oserv && oserv != nserv &&
5b9c547cSRui Paulo	    (nserv->shared_secret_len != oserv->shared_secret_len ||
39beb93cSSam Leffler	     os_memcmp(nserv->shared_secret, oserv->shared_secret,
5b9c547cSRui Paulo		       nserv->shared_secret_len) != 0)) {
39beb93cSSam Leffler		/* Pending RADIUS packets used different shared secret, so
39beb93cSSam Leffler		 * they need to be modified. Update accounting message
39beb93cSSam Leffler		 * authenticators here. Authentication messages are removed
39beb93cSSam Leffler		 * since they would require more changes and the new RADIUS
39beb93cSSam Leffler		 * server may not be prepared to receive them anyway due to
39beb93cSSam Leffler		 * missing state information. Client will likely retry
39beb93cSSam Leffler		 * authentication, so this should not be an issue. */
39beb93cSSam Leffler		if (auth)
39beb93cSSam Leffler			radius_client_flush(radius, 1);
39beb93cSSam Leffler		else {
39beb93cSSam Leffler			radius_client_update_acct_msgs(
39beb93cSSam Leffler				radius, nserv->shared_secret,
39beb93cSSam Leffler				nserv->shared_secret_len);
39beb93cSSam Leffler		}
39beb93cSSam Leffler	}
39beb93cSSam Leffler
4bc52338SCy Schubert	/* Reset retry counters */
4bc52338SCy Schubert	for (entry = radius->msgs; oserv && entry; entry = entry->next) {
39beb93cSSam Leffler		if ((auth && entry->msg_type != RADIUS_AUTH) ||
39beb93cSSam Leffler		    (!auth && entry->msg_type != RADIUS_ACCT))
39beb93cSSam Leffler			continue;
39beb93cSSam Leffler		entry->next_try = entry->first_try + RADIUS_CLIENT_FIRST_WAIT;
c1d255d3SCy Schubert		entry->attempts = 0;
39beb93cSSam Leffler		entry->next_wait = RADIUS_CLIENT_FIRST_WAIT * 2;
39beb93cSSam Leffler	}
39beb93cSSam Leffler
39beb93cSSam Leffler	if (radius->msgs) {
39beb93cSSam Leffler		eloop_cancel_timeout(radius_client_timer, radius, NULL);
39beb93cSSam Leffler		eloop_register_timeout(RADIUS_CLIENT_FIRST_WAIT, 0,
39beb93cSSam Leffler				       radius_client_timer, radius, NULL);
39beb93cSSam Leffler	}
39beb93cSSam Leffler
39beb93cSSam Leffler	switch (nserv->addr.af) {
39beb93cSSam Leffler	case AF_INET:
39beb93cSSam Leffler		os_memset(&serv, 0, sizeof(serv));
39beb93cSSam Leffler		serv.sin_family = AF_INET;
39beb93cSSam Leffler		serv.sin_addr.s_addr = nserv->addr.u.v4.s_addr;
39beb93cSSam Leffler		serv.sin_port = htons(nserv->port);
39beb93cSSam Leffler		addr = (struct sockaddr *) &serv;
39beb93cSSam Leffler		addrlen = sizeof(serv);
*a90b9d01SCy Schubert		sel_sock = socket(PF_INET, type, 0);
*a90b9d01SCy Schubert		if (sel_sock >= 0)
*a90b9d01SCy Schubert			radius_client_disable_pmtu_discovery(sel_sock);
39beb93cSSam Leffler		break;
39beb93cSSam Leffler#ifdef CONFIG_IPV6
39beb93cSSam Leffler	case AF_INET6:
39beb93cSSam Leffler		os_memset(&serv6, 0, sizeof(serv6));
39beb93cSSam Leffler		serv6.sin6_family = AF_INET6;
39beb93cSSam Leffler		os_memcpy(&serv6.sin6_addr, &nserv->addr.u.v6,
39beb93cSSam Leffler			  sizeof(struct in6_addr));
39beb93cSSam Leffler		serv6.sin6_port = htons(nserv->port);
39beb93cSSam Leffler		addr = (struct sockaddr *) &serv6;
39beb93cSSam Leffler		addrlen = sizeof(serv6);
*a90b9d01SCy Schubert		sel_sock = socket(PF_INET6, type, 0);
39beb93cSSam Leffler		break;
39beb93cSSam Leffler#endif /* CONFIG_IPV6 */
39beb93cSSam Leffler	default:
39beb93cSSam Leffler		return -1;
39beb93cSSam Leffler	}
39beb93cSSam Leffler
5b9c547cSRui Paulo	if (sel_sock < 0) {
5b9c547cSRui Paulo		wpa_printf(MSG_INFO,
*a90b9d01SCy Schubert			   "RADIUS: Failed to open server socket (af=%d auth=%d)",
*a90b9d01SCy Schubert			   nserv->addr.af, auth);
5b9c547cSRui Paulo		return -1;
5b9c547cSRui Paulo	}
5b9c547cSRui Paulo
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubert	if (tls && fcntl(sel_sock, F_SETFL, O_NONBLOCK) != 0) {
*a90b9d01SCy Schubert		wpa_printf(MSG_DEBUG, "RADIUS: fnctl(O_NONBLOCK) failed: %s",
*a90b9d01SCy Schubert			   strerror(errno));
*a90b9d01SCy Schubert		close(sel_sock);
*a90b9d01SCy Schubert		return -1;
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
c1d255d3SCy Schubert
c1d255d3SCy Schubert#ifdef __linux__
c1d255d3SCy Schubert	if (conf->force_client_dev && conf->force_client_dev[0]) {
c1d255d3SCy Schubert		if (setsockopt(sel_sock, SOL_SOCKET, SO_BINDTODEVICE,
c1d255d3SCy Schubert			       conf->force_client_dev,
c1d255d3SCy Schubert			       os_strlen(conf->force_client_dev)) < 0) {
c1d255d3SCy Schubert			wpa_printf(MSG_ERROR,
c1d255d3SCy Schubert				   "RADIUS: setsockopt[SO_BINDTODEVICE]: %s",
c1d255d3SCy Schubert				   strerror(errno));
c1d255d3SCy Schubert			/* Probably not a critical error; continue on and hope
c1d255d3SCy Schubert			 * for the best. */
c1d255d3SCy Schubert		} else {
c1d255d3SCy Schubert			wpa_printf(MSG_DEBUG,
c1d255d3SCy Schubert				   "RADIUS: Bound client socket to device: %s",
c1d255d3SCy Schubert				   conf->force_client_dev);
c1d255d3SCy Schubert		}
c1d255d3SCy Schubert	}
c1d255d3SCy Schubert#endif /* __linux__ */
c1d255d3SCy Schubert
39beb93cSSam Leffler	if (conf->force_client_addr) {
39beb93cSSam Leffler		switch (conf->client_addr.af) {
39beb93cSSam Leffler		case AF_INET:
39beb93cSSam Leffler			os_memset(&claddr, 0, sizeof(claddr));
39beb93cSSam Leffler			claddr.sin_family = AF_INET;
39beb93cSSam Leffler			claddr.sin_addr.s_addr = conf->client_addr.u.v4.s_addr;
39beb93cSSam Leffler			claddr.sin_port = htons(0);
39beb93cSSam Leffler			cl_addr = (struct sockaddr *) &claddr;
39beb93cSSam Leffler			claddrlen = sizeof(claddr);
39beb93cSSam Leffler			break;
39beb93cSSam Leffler#ifdef CONFIG_IPV6
39beb93cSSam Leffler		case AF_INET6:
39beb93cSSam Leffler			os_memset(&claddr6, 0, sizeof(claddr6));
39beb93cSSam Leffler			claddr6.sin6_family = AF_INET6;
39beb93cSSam Leffler			os_memcpy(&claddr6.sin6_addr, &conf->client_addr.u.v6,
39beb93cSSam Leffler				  sizeof(struct in6_addr));
39beb93cSSam Leffler			claddr6.sin6_port = htons(0);
39beb93cSSam Leffler			cl_addr = (struct sockaddr *) &claddr6;
39beb93cSSam Leffler			claddrlen = sizeof(claddr6);
39beb93cSSam Leffler			break;
39beb93cSSam Leffler#endif /* CONFIG_IPV6 */
39beb93cSSam Leffler		default:
*a90b9d01SCy Schubert			close(sel_sock);
39beb93cSSam Leffler			return -1;
39beb93cSSam Leffler		}
39beb93cSSam Leffler
39beb93cSSam Leffler		if (bind(sel_sock, cl_addr, claddrlen) < 0) {
5b9c547cSRui Paulo			wpa_printf(MSG_INFO, "bind[radius]: %s",
5b9c547cSRui Paulo				   strerror(errno));
*a90b9d01SCy Schubert			close(sel_sock);
*a90b9d01SCy Schubert			return -2;
39beb93cSSam Leffler		}
39beb93cSSam Leffler	}
39beb93cSSam Leffler
39beb93cSSam Leffler	if (connect(sel_sock, addr, addrlen) < 0) {
*a90b9d01SCy Schubert		if (nserv->tls && errno == EINPROGRESS) {
*a90b9d01SCy Schubert			wpa_printf(MSG_DEBUG,
*a90b9d01SCy Schubert				   "RADIUS: TCP connection establishment in progress (sock %d)",
*a90b9d01SCy Schubert				   sel_sock);
*a90b9d01SCy Schubert		} else {
*a90b9d01SCy Schubert			wpa_printf(MSG_INFO, "connect[radius]: %s",
*a90b9d01SCy Schubert				   strerror(errno));
*a90b9d01SCy Schubert			close(sel_sock);
*a90b9d01SCy Schubert			return -2;
*a90b9d01SCy Schubert		}
39beb93cSSam Leffler	}
39beb93cSSam Leffler
39beb93cSSam Leffler#ifndef CONFIG_NATIVE_WINDOWS
39beb93cSSam Leffler	switch (nserv->addr.af) {
39beb93cSSam Leffler	case AF_INET:
39beb93cSSam Leffler		claddrlen = sizeof(claddr);
5b9c547cSRui Paulo		if (getsockname(sel_sock, (struct sockaddr *) &claddr,
5b9c547cSRui Paulo				&claddrlen) == 0) {
39beb93cSSam Leffler			wpa_printf(MSG_DEBUG, "RADIUS local address: %s:%u",
5b9c547cSRui Paulo				   inet_ntoa(claddr.sin_addr),
5b9c547cSRui Paulo				   ntohs(claddr.sin_port));
5b9c547cSRui Paulo		}
39beb93cSSam Leffler		break;
39beb93cSSam Leffler#ifdef CONFIG_IPV6
39beb93cSSam Leffler	case AF_INET6: {
39beb93cSSam Leffler		claddrlen = sizeof(claddr6);
5b9c547cSRui Paulo		if (getsockname(sel_sock, (struct sockaddr *) &claddr6,
5b9c547cSRui Paulo				&claddrlen) == 0) {
39beb93cSSam Leffler			wpa_printf(MSG_DEBUG, "RADIUS local address: %s:%u",
39beb93cSSam Leffler				   inet_ntop(AF_INET6, &claddr6.sin6_addr,
39beb93cSSam Leffler					     abuf, sizeof(abuf)),
39beb93cSSam Leffler				   ntohs(claddr6.sin6_port));
5b9c547cSRui Paulo		}
39beb93cSSam Leffler		break;
39beb93cSSam Leffler	}
39beb93cSSam Leffler#endif /* CONFIG_IPV6 */
39beb93cSSam Leffler	}
39beb93cSSam Leffler#endif /* CONFIG_NATIVE_WINDOWS */
39beb93cSSam Leffler
*a90b9d01SCy Schubert	if (auth) {
*a90b9d01SCy Schubert		radius_close_auth_socket(radius);
39beb93cSSam Leffler		radius->auth_sock = sel_sock;
*a90b9d01SCy Schubert	} else {
*a90b9d01SCy Schubert		radius_close_acct_socket(radius);
39beb93cSSam Leffler		radius->acct_sock = sel_sock;
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	if (!tls)
*a90b9d01SCy Schubert		eloop_register_read_sock(sel_sock, radius_client_receive,
*a90b9d01SCy Schubert					 radius,
*a90b9d01SCy Schubert					 auth ? (void *) RADIUS_AUTH :
*a90b9d01SCy Schubert					 (void *) RADIUS_ACCT);
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubert	if (tls)
*a90b9d01SCy Schubert		eloop_register_sock(sel_sock, EVENT_TYPE_WRITE,
*a90b9d01SCy Schubert				    radius_client_write_ready, radius,
*a90b9d01SCy Schubert				    auth ? (void *) RADIUS_AUTH :
*a90b9d01SCy Schubert				    (void *) RADIUS_ACCT);
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert	if (auth) {
*a90b9d01SCy Schubert		radius->auth_tls = nserv->tls;
*a90b9d01SCy Schubert		radius->auth_tls_ready = false;
*a90b9d01SCy Schubert	} else {
*a90b9d01SCy Schubert		radius->acct_tls = nserv->tls;
*a90b9d01SCy Schubert		radius->acct_tls_ready = false;
*a90b9d01SCy Schubert	}
39beb93cSSam Leffler
39beb93cSSam Leffler	return 0;
39beb93cSSam Leffler}
39beb93cSSam Leffler
39beb93cSSam Leffler
39beb93cSSam Lefflerstatic void radius_retry_primary_timer(void *eloop_ctx, void *timeout_ctx)
39beb93cSSam Leffler{
39beb93cSSam Leffler	struct radius_client_data *radius = eloop_ctx;
39beb93cSSam Leffler	struct hostapd_radius_servers *conf = radius->conf;
39beb93cSSam Leffler	struct hostapd_radius_server *oserv;
39beb93cSSam Leffler
39beb93cSSam Leffler	if (radius->auth_sock >= 0 && conf->auth_servers &&
39beb93cSSam Leffler	    conf->auth_server != conf->auth_servers) {
39beb93cSSam Leffler		oserv = conf->auth_server;
39beb93cSSam Leffler		conf->auth_server = conf->auth_servers;
5b9c547cSRui Paulo		if (radius_change_server(radius, conf->auth_server, oserv,
*a90b9d01SCy Schubert					 1) < 0) {
5b9c547cSRui Paulo			conf->auth_server = oserv;
5b9c547cSRui Paulo			radius_change_server(radius, oserv, conf->auth_server,
*a90b9d01SCy Schubert					     1);
39beb93cSSam Leffler		}
5b9c547cSRui Paulo	}
39beb93cSSam Leffler
39beb93cSSam Leffler	if (radius->acct_sock >= 0 && conf->acct_servers &&
39beb93cSSam Leffler	    conf->acct_server != conf->acct_servers) {
39beb93cSSam Leffler		oserv = conf->acct_server;
39beb93cSSam Leffler		conf->acct_server = conf->acct_servers;
5b9c547cSRui Paulo		if (radius_change_server(radius, conf->acct_server, oserv,
*a90b9d01SCy Schubert					 0) < 0) {
5b9c547cSRui Paulo			conf->acct_server = oserv;
5b9c547cSRui Paulo			radius_change_server(radius, oserv, conf->acct_server,
*a90b9d01SCy Schubert					     0);
39beb93cSSam Leffler		}
5b9c547cSRui Paulo	}
39beb93cSSam Leffler
39beb93cSSam Leffler	if (conf->retry_primary_interval)
39beb93cSSam Leffler		eloop_register_timeout(conf->retry_primary_interval, 0,
39beb93cSSam Leffler				       radius_retry_primary_timer, radius,
39beb93cSSam Leffler				       NULL);
39beb93cSSam Leffler}
39beb93cSSam Leffler
39beb93cSSam Leffler
39beb93cSSam Lefflerstatic int radius_client_init_auth(struct radius_client_data *radius)
39beb93cSSam Leffler{
*a90b9d01SCy Schubert	radius_close_auth_socket(radius);
*a90b9d01SCy Schubert	return radius_change_server(radius, radius->conf->auth_server, NULL, 1);
39beb93cSSam Leffler}
39beb93cSSam Leffler
39beb93cSSam Leffler
39beb93cSSam Lefflerstatic int radius_client_init_acct(struct radius_client_data *radius)
39beb93cSSam Leffler{
*a90b9d01SCy Schubert	radius_close_acct_socket(radius);
*a90b9d01SCy Schubert	return radius_change_server(radius, radius->conf->acct_server, NULL, 0);
3157ba21SRui Paulo}
39beb93cSSam Leffler
39beb93cSSam Leffler
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubertstatic void radius_tls_event_cb(void *ctx, enum tls_event ev,
*a90b9d01SCy Schubert				union tls_event_data *data)
*a90b9d01SCy Schubert{
*a90b9d01SCy Schubert	wpa_printf(MSG_DEBUG, "RADIUS: TLS event %d", ev);
39beb93cSSam Leffler}
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
39beb93cSSam Leffler
39beb93cSSam Leffler
e28a4053SRui Paulo/**
e28a4053SRui Paulo * radius_client_init - Initialize RADIUS client
e28a4053SRui Paulo * @ctx: Callback context to be used in hostapd_logger() calls
e28a4053SRui Paulo * @conf: RADIUS client configuration (RADIUS servers)
e28a4053SRui Paulo * Returns: Pointer to private RADIUS client context or %NULL on failure
e28a4053SRui Paulo *
e28a4053SRui Paulo * The caller is responsible for keeping the configuration data available for
e28a4053SRui Paulo * the lifetime of the RADIUS client, i.e., until radius_client_deinit() is
e28a4053SRui Paulo * called for the returned context pointer.
e28a4053SRui Paulo */
39beb93cSSam Lefflerstruct radius_client_data *
39beb93cSSam Lefflerradius_client_init(void *ctx, struct hostapd_radius_servers *conf)
39beb93cSSam Leffler{
39beb93cSSam Leffler	struct radius_client_data *radius;
39beb93cSSam Leffler
39beb93cSSam Leffler	radius = os_zalloc(sizeof(struct radius_client_data));
39beb93cSSam Leffler	if (radius == NULL)
39beb93cSSam Leffler		return NULL;
39beb93cSSam Leffler
39beb93cSSam Leffler	radius->ctx = ctx;
39beb93cSSam Leffler	radius->conf = conf;
39beb93cSSam Leffler	radius->auth_sock = radius->acct_sock = -1;
39beb93cSSam Leffler
*a90b9d01SCy Schubert	if (conf->auth_server && radius_client_init_auth(radius) == -1) {
39beb93cSSam Leffler		radius_client_deinit(radius);
39beb93cSSam Leffler		return NULL;
39beb93cSSam Leffler	}
39beb93cSSam Leffler
*a90b9d01SCy Schubert	if (conf->acct_server && radius_client_init_acct(radius) == -1) {
39beb93cSSam Leffler		radius_client_deinit(radius);
39beb93cSSam Leffler		return NULL;
39beb93cSSam Leffler	}
39beb93cSSam Leffler
39beb93cSSam Leffler	if (conf->retry_primary_interval)
39beb93cSSam Leffler		eloop_register_timeout(conf->retry_primary_interval, 0,
39beb93cSSam Leffler				       radius_retry_primary_timer, radius,
39beb93cSSam Leffler				       NULL);
39beb93cSSam Leffler
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubert	if ((conf->auth_server && conf->auth_server->tls) ||
*a90b9d01SCy Schubert	    (conf->acct_server && conf->acct_server->tls)) {
*a90b9d01SCy Schubert		struct tls_config tls_conf;
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert		os_memset(&tls_conf, 0, sizeof(tls_conf));
*a90b9d01SCy Schubert		tls_conf.event_cb = radius_tls_event_cb;
*a90b9d01SCy Schubert		radius->tls_ctx = tls_init(&tls_conf);
*a90b9d01SCy Schubert		if (!radius->tls_ctx) {
*a90b9d01SCy Schubert			radius_client_deinit(radius);
*a90b9d01SCy Schubert			return NULL;
*a90b9d01SCy Schubert		}
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
*a90b9d01SCy Schubert
*a90b9d01SCy Schubert
39beb93cSSam Leffler	return radius;
39beb93cSSam Leffler}
39beb93cSSam Leffler
39beb93cSSam Leffler
e28a4053SRui Paulo/**
e28a4053SRui Paulo * radius_client_deinit - Deinitialize RADIUS client
e28a4053SRui Paulo * @radius: RADIUS client context from radius_client_init()
e28a4053SRui Paulo */
39beb93cSSam Lefflervoid radius_client_deinit(struct radius_client_data *radius)
39beb93cSSam Leffler{
39beb93cSSam Leffler	if (!radius)
39beb93cSSam Leffler		return;
39beb93cSSam Leffler
*a90b9d01SCy Schubert	radius_close_auth_socket(radius);
*a90b9d01SCy Schubert	radius_close_acct_socket(radius);
39beb93cSSam Leffler
39beb93cSSam Leffler	eloop_cancel_timeout(radius_retry_primary_timer, radius, NULL);
39beb93cSSam Leffler
39beb93cSSam Leffler	radius_client_flush(radius, 0);
39beb93cSSam Leffler	os_free(radius->auth_handlers);
39beb93cSSam Leffler	os_free(radius->acct_handlers);
*a90b9d01SCy Schubert#ifdef CONFIG_RADIUS_TLS
*a90b9d01SCy Schubert	if (radius->tls_ctx) {
*a90b9d01SCy Schubert		tls_connection_deinit(radius->tls_ctx, radius->auth_tls_conn);
*a90b9d01SCy Schubert		tls_connection_deinit(radius->tls_ctx, radius->acct_tls_conn);
*a90b9d01SCy Schubert		tls_deinit(radius->tls_ctx);
*a90b9d01SCy Schubert	}
*a90b9d01SCy Schubert#endif /* CONFIG_RADIUS_TLS */
39beb93cSSam Leffler	os_free(radius);
39beb93cSSam Leffler}
39beb93cSSam Leffler
39beb93cSSam Leffler
e28a4053SRui Paulo/**
e28a4053SRui Paulo * radius_client_flush_auth - Flush pending RADIUS messages for an address
e28a4053SRui Paulo * @radius: RADIUS client context from radius_client_init()
e28a4053SRui Paulo * @addr: MAC address of the related device
e28a4053SRui Paulo *
e28a4053SRui Paulo * This function can be used to remove pending RADIUS authentication messages
e28a4053SRui Paulo * that are related to a specific device. The addr parameter is matched with
e28a4053SRui Paulo * the one used in radius_client_send() call that was used to transmit the
e28a4053SRui Paulo * authentication request.
e28a4053SRui Paulo */
e28a4053SRui Paulovoid radius_client_flush_auth(struct radius_client_data *radius,
e28a4053SRui Paulo			      const u8 *addr)
39beb93cSSam Leffler{
39beb93cSSam Leffler	struct radius_msg_list *entry, *prev, *tmp;
39beb93cSSam Leffler
39beb93cSSam Leffler	prev = NULL;
39beb93cSSam Leffler	entry = radius->msgs;
39beb93cSSam Leffler	while (entry) {
39beb93cSSam Leffler		if (entry->msg_type == RADIUS_AUTH &&
*a90b9d01SCy Schubert		    ether_addr_equal(entry->addr, addr)) {
39beb93cSSam Leffler			hostapd_logger(radius->ctx, addr,
39beb93cSSam Leffler				       HOSTAPD_MODULE_RADIUS,
39beb93cSSam Leffler				       HOSTAPD_LEVEL_DEBUG,
39beb93cSSam Leffler				       "Removing pending RADIUS authentication"
39beb93cSSam Leffler				       " message for removed client");
39beb93cSSam Leffler
39beb93cSSam Leffler			if (prev)
39beb93cSSam Leffler				prev->next = entry->next;
39beb93cSSam Leffler			else
39beb93cSSam Leffler				radius->msgs = entry->next;
39beb93cSSam Leffler
39beb93cSSam Leffler			tmp = entry;
39beb93cSSam Leffler			entry = entry->next;
39beb93cSSam Leffler			radius_client_msg_free(tmp);
39beb93cSSam Leffler			radius->num_msgs--;
39beb93cSSam Leffler			continue;
39beb93cSSam Leffler		}
39beb93cSSam Leffler
39beb93cSSam Leffler		prev = entry;
39beb93cSSam Leffler		entry = entry->next;
39beb93cSSam Leffler	}
39beb93cSSam Leffler}
39beb93cSSam Leffler
39beb93cSSam Leffler
39beb93cSSam Lefflerstatic int radius_client_dump_auth_server(char *buf, size_t buflen,
39beb93cSSam Leffler					  struct hostapd_radius_server *serv,
39beb93cSSam Leffler					  struct radius_client_data *cli)
39beb93cSSam Leffler{
39beb93cSSam Leffler	int pending = 0;
39beb93cSSam Leffler	struct radius_msg_list *msg;
39beb93cSSam Leffler	char abuf[50];
39beb93cSSam Leffler
39beb93cSSam Leffler	if (cli) {
39beb93cSSam Leffler		for (msg = cli->msgs; msg; msg = msg->next) {
39beb93cSSam Leffler			if (msg->msg_type == RADIUS_AUTH)
39beb93cSSam Leffler				pending++;
39beb93cSSam Leffler		}
39beb93cSSam Leffler	}
39beb93cSSam Leffler
39beb93cSSam Leffler	return os_snprintf(buf, buflen,
39beb93cSSam Leffler			   "radiusAuthServerIndex=%d\n"
39beb93cSSam Leffler			   "radiusAuthServerAddress=%s\n"
39beb93cSSam Leffler			   "radiusAuthClientServerPortNumber=%d\n"
39beb93cSSam Leffler			   "radiusAuthClientRoundTripTime=%d\n"
39beb93cSSam Leffler			   "radiusAuthClientAccessRequests=%u\n"
39beb93cSSam Leffler			   "radiusAuthClientAccessRetransmissions=%u\n"
39beb93cSSam Leffler			   "radiusAuthClientAccessAccepts=%u\n"
39beb93cSSam Leffler			   "radiusAuthClientAccessRejects=%u\n"
39beb93cSSam Leffler			   "radiusAuthClientAccessChallenges=%u\n"
39beb93cSSam Leffler			   "radiusAuthClientMalformedAccessResponses=%u\n"
39beb93cSSam Leffler			   "radiusAuthClientBadAuthenticators=%u\n"
39beb93cSSam Leffler			   "radiusAuthClientPendingRequests=%u\n"
39beb93cSSam Leffler			   "radiusAuthClientTimeouts=%u\n"
39beb93cSSam Leffler			   "radiusAuthClientUnknownTypes=%u\n"
39beb93cSSam Leffler			   "radiusAuthClientPacketsDropped=%u\n",
39beb93cSSam Leffler			   serv->index,
39beb93cSSam Leffler			   hostapd_ip_txt(&serv->addr, abuf, sizeof(abuf)),
39beb93cSSam Leffler			   serv->port,
39beb93cSSam Leffler			   serv->round_trip_time,
39beb93cSSam Leffler			   serv->requests,
39beb93cSSam Leffler			   serv->retransmissions,
39beb93cSSam Leffler			   serv->access_accepts,
39beb93cSSam Leffler			   serv->access_rejects,
39beb93cSSam Leffler			   serv->access_challenges,
39beb93cSSam Leffler			   serv->malformed_responses,
39beb93cSSam Leffler			   serv->bad_authenticators,
39beb93cSSam Leffler			   pending,
39beb93cSSam Leffler			   serv->timeouts,
39beb93cSSam Leffler			   serv->unknown_types,
39beb93cSSam Leffler			   serv->packets_dropped);
39beb93cSSam Leffler}
39beb93cSSam Leffler
39beb93cSSam Leffler
39beb93cSSam Lefflerstatic int radius_client_dump_acct_server(char *buf, size_t buflen,
39beb93cSSam Leffler					  struct hostapd_radius_server *serv,
39beb93cSSam Leffler					  struct radius_client_data *cli)
39beb93cSSam Leffler{
39beb93cSSam Leffler	int pending = 0;
39beb93cSSam Leffler	struct radius_msg_list *msg;
39beb93cSSam Leffler	char abuf[50];
39beb93cSSam Leffler
39beb93cSSam Leffler	if (cli) {
39beb93cSSam Leffler		for (msg = cli->msgs; msg; msg = msg->next) {
39beb93cSSam Leffler			if (msg->msg_type == RADIUS_ACCT ||
39beb93cSSam Leffler			    msg->msg_type == RADIUS_ACCT_INTERIM)
39beb93cSSam Leffler				pending++;
39beb93cSSam Leffler		}
39beb93cSSam Leffler	}
39beb93cSSam Leffler
39beb93cSSam Leffler	return os_snprintf(buf, buflen,
39beb93cSSam Leffler			   "radiusAccServerIndex=%d\n"
39beb93cSSam Leffler			   "radiusAccServerAddress=%s\n"
39beb93cSSam Leffler			   "radiusAccClientServerPortNumber=%d\n"
39beb93cSSam Leffler			   "radiusAccClientRoundTripTime=%d\n"
39beb93cSSam Leffler			   "radiusAccClientRequests=%u\n"
39beb93cSSam Leffler			   "radiusAccClientRetransmissions=%u\n"
39beb93cSSam Leffler			   "radiusAccClientResponses=%u\n"
39beb93cSSam Leffler			   "radiusAccClientMalformedResponses=%u\n"
39beb93cSSam Leffler			   "radiusAccClientBadAuthenticators=%u\n"
39beb93cSSam Leffler			   "radiusAccClientPendingRequests=%u\n"
39beb93cSSam Leffler			   "radiusAccClientTimeouts=%u\n"
39beb93cSSam Leffler			   "radiusAccClientUnknownTypes=%u\n"
39beb93cSSam Leffler			   "radiusAccClientPacketsDropped=%u\n",
39beb93cSSam Leffler			   serv->index,
39beb93cSSam Leffler			   hostapd_ip_txt(&serv->addr, abuf, sizeof(abuf)),
39beb93cSSam Leffler			   serv->port,
39beb93cSSam Leffler			   serv->round_trip_time,
39beb93cSSam Leffler			   serv->requests,
39beb93cSSam Leffler			   serv->retransmissions,
39beb93cSSam Leffler			   serv->responses,
39beb93cSSam Leffler			   serv->malformed_responses,
39beb93cSSam Leffler			   serv->bad_authenticators,
39beb93cSSam Leffler			   pending,
39beb93cSSam Leffler			   serv->timeouts,
39beb93cSSam Leffler			   serv->unknown_types,
39beb93cSSam Leffler			   serv->packets_dropped);
39beb93cSSam Leffler}
39beb93cSSam Leffler
39beb93cSSam Leffler
e28a4053SRui Paulo/**
e28a4053SRui Paulo * radius_client_get_mib - Get RADIUS client MIB information
e28a4053SRui Paulo * @radius: RADIUS client context from radius_client_init()
e28a4053SRui Paulo * @buf: Buffer for returning MIB data in text format
e28a4053SRui Paulo * @buflen: Maximum buf length in octets
e28a4053SRui Paulo * Returns: Number of octets written into the buffer
e28a4053SRui Paulo */
39beb93cSSam Lefflerint radius_client_get_mib(struct radius_client_data *radius, char *buf,
39beb93cSSam Leffler			  size_t buflen)
39beb93cSSam Leffler{
780fb4a2SCy Schubert	struct hostapd_radius_servers *conf;
39beb93cSSam Leffler	int i;
39beb93cSSam Leffler	struct hostapd_radius_server *serv;
39beb93cSSam Leffler	int count = 0;
39beb93cSSam Leffler
780fb4a2SCy Schubert	if (!radius)
780fb4a2SCy Schubert		return 0;
780fb4a2SCy Schubert
780fb4a2SCy Schubert	conf = radius->conf;
780fb4a2SCy Schubert
39beb93cSSam Leffler	if (conf->auth_servers) {
39beb93cSSam Leffler		for (i = 0; i < conf->num_auth_servers; i++) {
39beb93cSSam Leffler			serv = &conf->auth_servers[i];
39beb93cSSam Leffler			count += radius_client_dump_auth_server(
39beb93cSSam Leffler				buf + count, buflen - count, serv,
39beb93cSSam Leffler				serv == conf->auth_server ?
39beb93cSSam Leffler				radius : NULL);
39beb93cSSam Leffler		}
39beb93cSSam Leffler	}
39beb93cSSam Leffler
39beb93cSSam Leffler	if (conf->acct_servers) {
39beb93cSSam Leffler		for (i = 0; i < conf->num_acct_servers; i++) {
39beb93cSSam Leffler			serv = &conf->acct_servers[i];
39beb93cSSam Leffler			count += radius_client_dump_acct_server(
39beb93cSSam Leffler				buf + count, buflen - count, serv,
39beb93cSSam Leffler				serv == conf->acct_server ?
39beb93cSSam Leffler				radius : NULL);
39beb93cSSam Leffler		}
39beb93cSSam Leffler	}
39beb93cSSam Leffler
39beb93cSSam Leffler	return count;
39beb93cSSam Leffler}
f05cddf9SRui Paulo
f05cddf9SRui Paulo
f05cddf9SRui Paulovoid radius_client_reconfig(struct radius_client_data *radius,
f05cddf9SRui Paulo			    struct hostapd_radius_servers *conf)
f05cddf9SRui Paulo{
f05cddf9SRui Paulo	if (radius)
f05cddf9SRui Paulo		radius->conf = conf;
f05cddf9SRui Paulo}