1 /* 2 * RADIUS Dynamic Authorization Server (DAS) (RFC 5176) 3 * Copyright (c) 2012-2013, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 #include <net/if.h> 11 12 #include "utils/common.h" 13 #include "utils/eloop.h" 14 #include "utils/ip_addr.h" 15 #include "radius.h" 16 #include "radius_das.h" 17 18 19 struct radius_das_data { 20 int sock; 21 u8 *shared_secret; 22 size_t shared_secret_len; 23 struct hostapd_ip_addr client_addr; 24 unsigned int time_window; 25 int require_event_timestamp; 26 int require_message_authenticator; 27 void *ctx; 28 enum radius_das_res (*disconnect)(void *ctx, 29 struct radius_das_attrs *attr); 30 }; 31 32 33 static struct radius_msg * radius_das_disconnect(struct radius_das_data *das, 34 struct radius_msg *msg, 35 const char *abuf, 36 int from_port) 37 { 38 struct radius_hdr *hdr; 39 struct radius_msg *reply; 40 u8 allowed[] = { 41 RADIUS_ATTR_USER_NAME, 42 RADIUS_ATTR_NAS_IP_ADDRESS, 43 RADIUS_ATTR_CALLING_STATION_ID, 44 RADIUS_ATTR_NAS_IDENTIFIER, 45 RADIUS_ATTR_ACCT_SESSION_ID, 46 RADIUS_ATTR_ACCT_MULTI_SESSION_ID, 47 RADIUS_ATTR_EVENT_TIMESTAMP, 48 RADIUS_ATTR_MESSAGE_AUTHENTICATOR, 49 RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 50 #ifdef CONFIG_IPV6 51 RADIUS_ATTR_NAS_IPV6_ADDRESS, 52 #endif /* CONFIG_IPV6 */ 53 0 54 }; 55 int error = 405; 56 u8 attr; 57 enum radius_das_res res; 58 struct radius_das_attrs attrs; 59 u8 *buf; 60 size_t len; 61 char tmp[100]; 62 u8 sta_addr[ETH_ALEN]; 63 64 hdr = radius_msg_get_hdr(msg); 65 66 attr = radius_msg_find_unlisted_attr(msg, allowed); 67 if (attr) { 68 wpa_printf(MSG_INFO, "DAS: Unsupported attribute %u in " 69 "Disconnect-Request from %s:%d", attr, 70 abuf, from_port); 71 error = 401; 72 goto fail; 73 } 74 75 os_memset(&attrs, 0, sizeof(attrs)); 76 77 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, 78 &buf, &len, NULL) == 0) { 79 if (len != 4) { 80 wpa_printf(MSG_INFO, "DAS: Invalid NAS-IP-Address from %s:%d", 81 abuf, from_port); 82 error = 407; 83 goto fail; 84 } 85 attrs.nas_ip_addr = buf; 86 } 87 88 #ifdef CONFIG_IPV6 89 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, 90 &buf, &len, NULL) == 0) { 91 if (len != 16) { 92 wpa_printf(MSG_INFO, "DAS: Invalid NAS-IPv6-Address from %s:%d", 93 abuf, from_port); 94 error = 407; 95 goto fail; 96 } 97 attrs.nas_ipv6_addr = buf; 98 } 99 #endif /* CONFIG_IPV6 */ 100 101 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IDENTIFIER, 102 &buf, &len, NULL) == 0) { 103 attrs.nas_identifier = buf; 104 attrs.nas_identifier_len = len; 105 } 106 107 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CALLING_STATION_ID, 108 &buf, &len, NULL) == 0) { 109 if (len >= sizeof(tmp)) 110 len = sizeof(tmp) - 1; 111 os_memcpy(tmp, buf, len); 112 tmp[len] = '\0'; 113 if (hwaddr_aton2(tmp, sta_addr) < 0) { 114 wpa_printf(MSG_INFO, "DAS: Invalid Calling-Station-Id " 115 "'%s' from %s:%d", tmp, abuf, from_port); 116 error = 407; 117 goto fail; 118 } 119 attrs.sta_addr = sta_addr; 120 } 121 122 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, 123 &buf, &len, NULL) == 0) { 124 attrs.user_name = buf; 125 attrs.user_name_len = len; 126 } 127 128 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_ACCT_SESSION_ID, 129 &buf, &len, NULL) == 0) { 130 attrs.acct_session_id = buf; 131 attrs.acct_session_id_len = len; 132 } 133 134 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_ACCT_MULTI_SESSION_ID, 135 &buf, &len, NULL) == 0) { 136 attrs.acct_multi_session_id = buf; 137 attrs.acct_multi_session_id_len = len; 138 } 139 140 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, 141 &buf, &len, NULL) == 0) { 142 attrs.cui = buf; 143 attrs.cui_len = len; 144 } 145 146 res = das->disconnect(das->ctx, &attrs); 147 switch (res) { 148 case RADIUS_DAS_NAS_MISMATCH: 149 wpa_printf(MSG_INFO, "DAS: NAS mismatch from %s:%d", 150 abuf, from_port); 151 error = 403; 152 break; 153 case RADIUS_DAS_SESSION_NOT_FOUND: 154 wpa_printf(MSG_INFO, "DAS: Session not found for request from " 155 "%s:%d", abuf, from_port); 156 error = 503; 157 break; 158 case RADIUS_DAS_MULTI_SESSION_MATCH: 159 wpa_printf(MSG_INFO, 160 "DAS: Multiple sessions match for request from %s:%d", 161 abuf, from_port); 162 error = 508; 163 break; 164 case RADIUS_DAS_SUCCESS: 165 error = 0; 166 break; 167 } 168 169 fail: 170 reply = radius_msg_new(error ? RADIUS_CODE_DISCONNECT_NAK : 171 RADIUS_CODE_DISCONNECT_ACK, hdr->identifier); 172 if (reply == NULL) 173 return NULL; 174 175 if (error) { 176 if (!radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE, 177 error)) { 178 radius_msg_free(reply); 179 return NULL; 180 } 181 } 182 183 return reply; 184 } 185 186 187 static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx) 188 { 189 struct radius_das_data *das = eloop_ctx; 190 u8 buf[1500]; 191 union { 192 struct sockaddr_storage ss; 193 struct sockaddr_in sin; 194 #ifdef CONFIG_IPV6 195 struct sockaddr_in6 sin6; 196 #endif /* CONFIG_IPV6 */ 197 } from; 198 char abuf[50]; 199 int from_port = 0; 200 socklen_t fromlen; 201 int len; 202 struct radius_msg *msg, *reply = NULL; 203 struct radius_hdr *hdr; 204 struct wpabuf *rbuf; 205 u32 val; 206 int res; 207 struct os_time now; 208 209 fromlen = sizeof(from); 210 len = recvfrom(sock, buf, sizeof(buf), 0, 211 (struct sockaddr *) &from.ss, &fromlen); 212 if (len < 0) { 213 wpa_printf(MSG_ERROR, "DAS: recvfrom: %s", strerror(errno)); 214 return; 215 } 216 217 os_strlcpy(abuf, inet_ntoa(from.sin.sin_addr), sizeof(abuf)); 218 from_port = ntohs(from.sin.sin_port); 219 220 wpa_printf(MSG_DEBUG, "DAS: Received %d bytes from %s:%d", 221 len, abuf, from_port); 222 if (das->client_addr.u.v4.s_addr != from.sin.sin_addr.s_addr) { 223 wpa_printf(MSG_DEBUG, "DAS: Drop message from unknown client"); 224 return; 225 } 226 227 msg = radius_msg_parse(buf, len); 228 if (msg == NULL) { 229 wpa_printf(MSG_DEBUG, "DAS: Parsing incoming RADIUS packet " 230 "from %s:%d failed", abuf, from_port); 231 return; 232 } 233 234 if (wpa_debug_level <= MSG_MSGDUMP) 235 radius_msg_dump(msg); 236 237 if (radius_msg_verify_das_req(msg, das->shared_secret, 238 das->shared_secret_len, 239 das->require_message_authenticator)) { 240 wpa_printf(MSG_DEBUG, 241 "DAS: Invalid authenticator or Message-Authenticator in packet from %s:%d - drop", 242 abuf, from_port); 243 goto fail; 244 } 245 246 os_get_time(&now); 247 res = radius_msg_get_attr(msg, RADIUS_ATTR_EVENT_TIMESTAMP, 248 (u8 *) &val, 4); 249 if (res == 4) { 250 u32 timestamp = ntohl(val); 251 if ((unsigned int) abs((int) (now.sec - timestamp)) > 252 das->time_window) { 253 wpa_printf(MSG_DEBUG, "DAS: Unacceptable " 254 "Event-Timestamp (%u; local time %u) in " 255 "packet from %s:%d - drop", 256 timestamp, (unsigned int) now.sec, 257 abuf, from_port); 258 goto fail; 259 } 260 } else if (das->require_event_timestamp) { 261 wpa_printf(MSG_DEBUG, "DAS: Missing Event-Timestamp in packet " 262 "from %s:%d - drop", abuf, from_port); 263 goto fail; 264 } 265 266 hdr = radius_msg_get_hdr(msg); 267 268 switch (hdr->code) { 269 case RADIUS_CODE_DISCONNECT_REQUEST: 270 reply = radius_das_disconnect(das, msg, abuf, from_port); 271 break; 272 case RADIUS_CODE_COA_REQUEST: 273 /* TODO */ 274 reply = radius_msg_new(RADIUS_CODE_COA_NAK, 275 hdr->identifier); 276 if (reply == NULL) 277 break; 278 279 /* Unsupported Service */ 280 if (!radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE, 281 405)) { 282 radius_msg_free(reply); 283 reply = NULL; 284 break; 285 } 286 break; 287 default: 288 wpa_printf(MSG_DEBUG, "DAS: Unexpected RADIUS code %u in " 289 "packet from %s:%d", 290 hdr->code, abuf, from_port); 291 } 292 293 if (reply) { 294 wpa_printf(MSG_DEBUG, "DAS: Reply to %s:%d", abuf, from_port); 295 296 if (!radius_msg_add_attr_int32(reply, 297 RADIUS_ATTR_EVENT_TIMESTAMP, 298 now.sec)) { 299 wpa_printf(MSG_DEBUG, "DAS: Failed to add " 300 "Event-Timestamp attribute"); 301 } 302 303 if (radius_msg_finish_das_resp(reply, das->shared_secret, 304 das->shared_secret_len, hdr) < 305 0) { 306 wpa_printf(MSG_DEBUG, "DAS: Failed to add " 307 "Message-Authenticator attribute"); 308 } 309 310 if (wpa_debug_level <= MSG_MSGDUMP) 311 radius_msg_dump(reply); 312 313 rbuf = radius_msg_get_buf(reply); 314 res = sendto(das->sock, wpabuf_head(rbuf), 315 wpabuf_len(rbuf), 0, 316 (struct sockaddr *) &from.ss, fromlen); 317 if (res < 0) { 318 wpa_printf(MSG_ERROR, "DAS: sendto(to %s:%d): %s", 319 abuf, from_port, strerror(errno)); 320 } 321 } 322 323 fail: 324 radius_msg_free(msg); 325 radius_msg_free(reply); 326 } 327 328 329 static int radius_das_open_socket(int port) 330 { 331 int s; 332 struct sockaddr_in addr; 333 334 s = socket(PF_INET, SOCK_DGRAM, 0); 335 if (s < 0) { 336 wpa_printf(MSG_INFO, "RADIUS DAS: socket: %s", strerror(errno)); 337 return -1; 338 } 339 340 os_memset(&addr, 0, sizeof(addr)); 341 addr.sin_family = AF_INET; 342 addr.sin_port = htons(port); 343 if (bind(s, (struct sockaddr *) &addr, sizeof(addr)) < 0) { 344 wpa_printf(MSG_INFO, "RADIUS DAS: bind: %s", strerror(errno)); 345 close(s); 346 return -1; 347 } 348 349 return s; 350 } 351 352 353 struct radius_das_data * 354 radius_das_init(struct radius_das_conf *conf) 355 { 356 struct radius_das_data *das; 357 358 if (conf->port == 0 || conf->shared_secret == NULL || 359 conf->client_addr == NULL) 360 return NULL; 361 362 das = os_zalloc(sizeof(*das)); 363 if (das == NULL) 364 return NULL; 365 366 das->time_window = conf->time_window; 367 das->require_event_timestamp = conf->require_event_timestamp; 368 das->require_message_authenticator = 369 conf->require_message_authenticator; 370 das->ctx = conf->ctx; 371 das->disconnect = conf->disconnect; 372 373 os_memcpy(&das->client_addr, conf->client_addr, 374 sizeof(das->client_addr)); 375 376 das->shared_secret = os_malloc(conf->shared_secret_len); 377 if (das->shared_secret == NULL) { 378 radius_das_deinit(das); 379 return NULL; 380 } 381 os_memcpy(das->shared_secret, conf->shared_secret, 382 conf->shared_secret_len); 383 das->shared_secret_len = conf->shared_secret_len; 384 385 das->sock = radius_das_open_socket(conf->port); 386 if (das->sock < 0) { 387 wpa_printf(MSG_ERROR, "Failed to open UDP socket for RADIUS " 388 "DAS"); 389 radius_das_deinit(das); 390 return NULL; 391 } 392 393 if (eloop_register_read_sock(das->sock, radius_das_receive, das, NULL)) 394 { 395 radius_das_deinit(das); 396 return NULL; 397 } 398 399 return das; 400 } 401 402 403 void radius_das_deinit(struct radius_das_data *das) 404 { 405 if (das == NULL) 406 return; 407 408 if (das->sock >= 0) { 409 eloop_unregister_read_sock(das->sock); 410 close(das->sock); 411 } 412 413 os_free(das->shared_secret); 414 os_free(das); 415 } 416