/* * RADIUS Dynamic Authorization Server (DAS) (RFC 5176) * Copyright (c) 2012-2013, Jouni Malinen <j@w1.fi> * * This software may be distributed under the terms of the BSD license. * See README for more details. */ #include "includes.h" #include <net/if.h> #include "utils/common.h" #include "utils/eloop.h" #include "utils/ip_addr.h" #include "radius.h" #include "radius_das.h" struct radius_das_data { int sock; u8 *shared_secret; size_t shared_secret_len; struct hostapd_ip_addr client_addr; unsigned int time_window; int require_event_timestamp; int require_message_authenticator; void *ctx; enum radius_das_res (*disconnect)(void *ctx, struct radius_das_attrs *attr); enum radius_das_res (*coa)(void *ctx, struct radius_das_attrs *attr); }; static struct radius_msg * radius_das_disconnect(struct radius_das_data *das, struct radius_msg *msg, const char *abuf, int from_port) { struct radius_hdr *hdr; struct radius_msg *reply; u8 allowed[] = { RADIUS_ATTR_USER_NAME, RADIUS_ATTR_NAS_IP_ADDRESS, RADIUS_ATTR_CALLING_STATION_ID, RADIUS_ATTR_NAS_IDENTIFIER, RADIUS_ATTR_ACCT_SESSION_ID, RADIUS_ATTR_ACCT_MULTI_SESSION_ID, RADIUS_ATTR_EVENT_TIMESTAMP, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, #ifdef CONFIG_IPV6 RADIUS_ATTR_NAS_IPV6_ADDRESS, #endif /* CONFIG_IPV6 */ 0 }; int error = 405; u8 attr; enum radius_das_res res; struct radius_das_attrs attrs; u8 *buf; size_t len; char tmp[100]; u8 sta_addr[ETH_ALEN]; hdr = radius_msg_get_hdr(msg); attr = radius_msg_find_unlisted_attr(msg, allowed); if (attr) { wpa_printf(MSG_INFO, "DAS: Unsupported attribute %u in " "Disconnect-Request from %s:%d", attr, abuf, from_port); error = 401; goto fail; } os_memset(&attrs, 0, sizeof(attrs)); if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, &buf, &len, NULL) == 0) { if (len != 4) { wpa_printf(MSG_INFO, "DAS: Invalid NAS-IP-Address from %s:%d", abuf, from_port); error = 407; goto fail; } attrs.nas_ip_addr = buf; } #ifdef CONFIG_IPV6 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, &buf, &len, NULL) == 0) { if (len != 16) { wpa_printf(MSG_INFO, "DAS: Invalid NAS-IPv6-Address from %s:%d", abuf, from_port); error = 407; goto fail; } attrs.nas_ipv6_addr = buf; } #endif /* CONFIG_IPV6 */ if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IDENTIFIER, &buf, &len, NULL) == 0) { attrs.nas_identifier = buf; attrs.nas_identifier_len = len; } if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CALLING_STATION_ID, &buf, &len, NULL) == 0) { if (len >= sizeof(tmp)) len = sizeof(tmp) - 1; os_memcpy(tmp, buf, len); tmp[len] = '\0'; if (hwaddr_aton2(tmp, sta_addr) < 0) { wpa_printf(MSG_INFO, "DAS: Invalid Calling-Station-Id " "'%s' from %s:%d", tmp, abuf, from_port); error = 407; goto fail; } attrs.sta_addr = sta_addr; } if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len, NULL) == 0) { attrs.user_name = buf; attrs.user_name_len = len; } if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_ACCT_SESSION_ID, &buf, &len, NULL) == 0) { attrs.acct_session_id = buf; attrs.acct_session_id_len = len; } if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_ACCT_MULTI_SESSION_ID, &buf, &len, NULL) == 0) { attrs.acct_multi_session_id = buf; attrs.acct_multi_session_id_len = len; } if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, &buf, &len, NULL) == 0) { attrs.cui = buf; attrs.cui_len = len; } res = das->disconnect(das->ctx, &attrs); switch (res) { case RADIUS_DAS_NAS_MISMATCH: wpa_printf(MSG_INFO, "DAS: NAS mismatch from %s:%d", abuf, from_port); error = 403; break; case RADIUS_DAS_SESSION_NOT_FOUND: wpa_printf(MSG_INFO, "DAS: Session not found for request from " "%s:%d", abuf, from_port); error = 503; break; case RADIUS_DAS_MULTI_SESSION_MATCH: wpa_printf(MSG_INFO, "DAS: Multiple sessions match for request from %s:%d", abuf, from_port); error = 508; break; case RADIUS_DAS_COA_FAILED: /* not used with Disconnect-Request */ error = 405; break; case RADIUS_DAS_SUCCESS: error = 0; break; } fail: reply = radius_msg_new(error ? RADIUS_CODE_DISCONNECT_NAK : RADIUS_CODE_DISCONNECT_ACK, hdr->identifier); if (reply == NULL) return NULL; if (error) { if (!radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE, error)) { radius_msg_free(reply); return NULL; } } return reply; } static struct radius_msg * radius_das_coa(struct radius_das_data *das, struct radius_msg *msg, const char *abuf, int from_port) { struct radius_hdr *hdr; struct radius_msg *reply; u8 allowed[] = { RADIUS_ATTR_USER_NAME, RADIUS_ATTR_NAS_IP_ADDRESS, RADIUS_ATTR_CALLING_STATION_ID, RADIUS_ATTR_NAS_IDENTIFIER, RADIUS_ATTR_ACCT_SESSION_ID, RADIUS_ATTR_ACCT_MULTI_SESSION_ID, RADIUS_ATTR_EVENT_TIMESTAMP, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, #ifdef CONFIG_HS20 RADIUS_ATTR_VENDOR_SPECIFIC, #endif /* CONFIG_HS20 */ #ifdef CONFIG_IPV6 RADIUS_ATTR_NAS_IPV6_ADDRESS, #endif /* CONFIG_IPV6 */ 0 }; int error = 405; u8 attr; enum radius_das_res res; struct radius_das_attrs attrs; u8 *buf; size_t len; char tmp[100]; u8 sta_addr[ETH_ALEN]; hdr = radius_msg_get_hdr(msg); if (!das->coa) { wpa_printf(MSG_INFO, "DAS: CoA not supported"); goto fail; } attr = radius_msg_find_unlisted_attr(msg, allowed); if (attr) { wpa_printf(MSG_INFO, "DAS: Unsupported attribute %u in CoA-Request from %s:%d", attr, abuf, from_port); error = 401; goto fail; } os_memset(&attrs, 0, sizeof(attrs)); if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, &buf, &len, NULL) == 0) { if (len != 4) { wpa_printf(MSG_INFO, "DAS: Invalid NAS-IP-Address from %s:%d", abuf, from_port); error = 407; goto fail; } attrs.nas_ip_addr = buf; } #ifdef CONFIG_IPV6 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS, &buf, &len, NULL) == 0) { if (len != 16) { wpa_printf(MSG_INFO, "DAS: Invalid NAS-IPv6-Address from %s:%d", abuf, from_port); error = 407; goto fail; } attrs.nas_ipv6_addr = buf; } #endif /* CONFIG_IPV6 */ if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IDENTIFIER, &buf, &len, NULL) == 0) { attrs.nas_identifier = buf; attrs.nas_identifier_len = len; } if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CALLING_STATION_ID, &buf, &len, NULL) == 0) { if (len >= sizeof(tmp)) len = sizeof(tmp) - 1; os_memcpy(tmp, buf, len); tmp[len] = '\0'; if (hwaddr_aton2(tmp, sta_addr) < 0) { wpa_printf(MSG_INFO, "DAS: Invalid Calling-Station-Id " "'%s' from %s:%d", tmp, abuf, from_port); error = 407; goto fail; } attrs.sta_addr = sta_addr; } if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_USER_NAME, &buf, &len, NULL) == 0) { attrs.user_name = buf; attrs.user_name_len = len; } if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_ACCT_SESSION_ID, &buf, &len, NULL) == 0) { attrs.acct_session_id = buf; attrs.acct_session_id_len = len; } if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_ACCT_MULTI_SESSION_ID, &buf, &len, NULL) == 0) { attrs.acct_multi_session_id = buf; attrs.acct_multi_session_id_len = len; } if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_CHARGEABLE_USER_IDENTITY, &buf, &len, NULL) == 0) { attrs.cui = buf; attrs.cui_len = len; } #ifdef CONFIG_HS20 if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_VENDOR_SPECIFIC, &buf, &len, NULL) == 0) { if (len < 10 || WPA_GET_BE32(buf) != RADIUS_VENDOR_ID_WFA || buf[4] != RADIUS_VENDOR_ATTR_WFA_HS20_T_C_FILTERING || buf[5] < 6) { wpa_printf(MSG_INFO, "DAS: Unsupported attribute %u in CoA-Request from %s:%d", attr, abuf, from_port); error = 401; goto fail; } attrs.hs20_t_c_filtering = &buf[6]; } if (!attrs.hs20_t_c_filtering) { wpa_printf(MSG_INFO, "DAS: No supported authorization change attribute in CoA-Request from %s:%d", abuf, from_port); error = 402; goto fail; } #endif /* CONFIG_HS20 */ res = das->coa(das->ctx, &attrs); switch (res) { case RADIUS_DAS_NAS_MISMATCH: wpa_printf(MSG_INFO, "DAS: NAS mismatch from %s:%d", abuf, from_port); error = 403; break; case RADIUS_DAS_SESSION_NOT_FOUND: wpa_printf(MSG_INFO, "DAS: Session not found for request from %s:%d", abuf, from_port); error = 503; break; case RADIUS_DAS_MULTI_SESSION_MATCH: wpa_printf(MSG_INFO, "DAS: Multiple sessions match for request from %s:%d", abuf, from_port); error = 508; break; case RADIUS_DAS_COA_FAILED: wpa_printf(MSG_INFO, "DAS: CoA failed for request from %s:%d", abuf, from_port); error = 407; break; case RADIUS_DAS_SUCCESS: error = 0; break; } fail: reply = radius_msg_new(error ? RADIUS_CODE_COA_NAK : RADIUS_CODE_COA_ACK, hdr->identifier); if (!reply) return NULL; if (error && !radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE, error)) { radius_msg_free(reply); return NULL; } return reply; } static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx) { struct radius_das_data *das = eloop_ctx; u8 buf[1500]; union { struct sockaddr_storage ss; struct sockaddr_in sin; #ifdef CONFIG_IPV6 struct sockaddr_in6 sin6; #endif /* CONFIG_IPV6 */ } from; char abuf[50]; int from_port = 0; socklen_t fromlen; int len; struct radius_msg *msg, *reply = NULL; struct radius_hdr *hdr; struct wpabuf *rbuf; u32 val; int res; struct os_time now; fromlen = sizeof(from); len = recvfrom(sock, buf, sizeof(buf), 0, (struct sockaddr *) &from.ss, &fromlen); if (len < 0) { wpa_printf(MSG_ERROR, "DAS: recvfrom: %s", strerror(errno)); return; } os_strlcpy(abuf, inet_ntoa(from.sin.sin_addr), sizeof(abuf)); from_port = ntohs(from.sin.sin_port); wpa_printf(MSG_DEBUG, "DAS: Received %d bytes from %s:%d", len, abuf, from_port); if (das->client_addr.u.v4.s_addr && das->client_addr.u.v4.s_addr != from.sin.sin_addr.s_addr) { wpa_printf(MSG_DEBUG, "DAS: Drop message from unknown client"); return; } msg = radius_msg_parse(buf, len); if (msg == NULL) { wpa_printf(MSG_DEBUG, "DAS: Parsing incoming RADIUS packet " "from %s:%d failed", abuf, from_port); return; } if (wpa_debug_level <= MSG_MSGDUMP) radius_msg_dump(msg); if (radius_msg_verify_das_req(msg, das->shared_secret, das->shared_secret_len, das->require_message_authenticator)) { wpa_printf(MSG_DEBUG, "DAS: Invalid authenticator or Message-Authenticator in packet from %s:%d - drop", abuf, from_port); goto fail; } os_get_time(&now); res = radius_msg_get_attr(msg, RADIUS_ATTR_EVENT_TIMESTAMP, (u8 *) &val, 4); if (res == 4) { u32 timestamp = ntohl(val); if ((unsigned int) abs((int) (now.sec - timestamp)) > das->time_window) { wpa_printf(MSG_DEBUG, "DAS: Unacceptable " "Event-Timestamp (%u; local time %u) in " "packet from %s:%d - drop", timestamp, (unsigned int) now.sec, abuf, from_port); goto fail; } } else if (das->require_event_timestamp) { wpa_printf(MSG_DEBUG, "DAS: Missing Event-Timestamp in packet " "from %s:%d - drop", abuf, from_port); goto fail; } hdr = radius_msg_get_hdr(msg); switch (hdr->code) { case RADIUS_CODE_DISCONNECT_REQUEST: reply = radius_das_disconnect(das, msg, abuf, from_port); break; case RADIUS_CODE_COA_REQUEST: reply = radius_das_coa(das, msg, abuf, from_port); break; default: wpa_printf(MSG_DEBUG, "DAS: Unexpected RADIUS code %u in " "packet from %s:%d", hdr->code, abuf, from_port); } if (reply) { wpa_printf(MSG_DEBUG, "DAS: Reply to %s:%d", abuf, from_port); if (!radius_msg_add_attr_int32(reply, RADIUS_ATTR_EVENT_TIMESTAMP, now.sec)) { wpa_printf(MSG_DEBUG, "DAS: Failed to add " "Event-Timestamp attribute"); } if (radius_msg_finish_das_resp(reply, das->shared_secret, das->shared_secret_len, hdr) < 0) { wpa_printf(MSG_DEBUG, "DAS: Failed to add " "Message-Authenticator attribute"); } if (wpa_debug_level <= MSG_MSGDUMP) radius_msg_dump(reply); rbuf = radius_msg_get_buf(reply); res = sendto(das->sock, wpabuf_head(rbuf), wpabuf_len(rbuf), 0, (struct sockaddr *) &from.ss, fromlen); if (res < 0) { wpa_printf(MSG_ERROR, "DAS: sendto(to %s:%d): %s", abuf, from_port, strerror(errno)); } } fail: radius_msg_free(msg); radius_msg_free(reply); } static int radius_das_open_socket(int port) { int s; struct sockaddr_in addr; s = socket(PF_INET, SOCK_DGRAM, 0); if (s < 0) { wpa_printf(MSG_INFO, "RADIUS DAS: socket: %s", strerror(errno)); return -1; } os_memset(&addr, 0, sizeof(addr)); addr.sin_family = AF_INET; addr.sin_port = htons(port); if (bind(s, (struct sockaddr *) &addr, sizeof(addr)) < 0) { wpa_printf(MSG_INFO, "RADIUS DAS: bind: %s", strerror(errno)); close(s); return -1; } return s; } struct radius_das_data * radius_das_init(struct radius_das_conf *conf) { struct radius_das_data *das; if (conf->port == 0 || conf->shared_secret == NULL || conf->client_addr == NULL) return NULL; das = os_zalloc(sizeof(*das)); if (das == NULL) return NULL; das->time_window = conf->time_window; das->require_event_timestamp = conf->require_event_timestamp; das->require_message_authenticator = conf->require_message_authenticator; das->ctx = conf->ctx; das->disconnect = conf->disconnect; das->coa = conf->coa; os_memcpy(&das->client_addr, conf->client_addr, sizeof(das->client_addr)); das->shared_secret = os_memdup(conf->shared_secret, conf->shared_secret_len); if (das->shared_secret == NULL) { radius_das_deinit(das); return NULL; } das->shared_secret_len = conf->shared_secret_len; das->sock = radius_das_open_socket(conf->port); if (das->sock < 0) { wpa_printf(MSG_ERROR, "Failed to open UDP socket for RADIUS " "DAS"); radius_das_deinit(das); return NULL; } if (eloop_register_read_sock(das->sock, radius_das_receive, das, NULL)) { radius_das_deinit(das); return NULL; } return das; } void radius_das_deinit(struct radius_das_data *das) { if (das == NULL) return; if (das->sock >= 0) { eloop_unregister_read_sock(das->sock); close(das->sock); } os_free(das->shared_secret); os_free(das); }