static void radius_client_acct_failover(struct radius_client_data *radius) { struct hostapd_radius_servers *conf = radius->conf; struct hostapd_radius_server *next, *old; struct radius_msg_list *entry; char abuf[50]; old = conf->acct_server; hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS, HOSTAPD_LEVEL_NOTICE, "No response from Accounting server %s:%d - failover", hostapd_ip_txt(&old->addr, abuf, sizeof(abuf)), old->port); for (entry = radius->msgs; entry; entry = entry->next) { if (entry->msg_type == RADIUS_ACCT || entry->msg_type == RADIUS_ACCT_INTERIM) old->timeouts++; } next = old + 1; if (next > &conf->acct_servers[conf->num_acct_servers - 1]) next = conf->acct_servers; conf->acct_server = next; radius_change_server(radius, next, old, radius->acct_serv_sock, radius->acct_serv_sock6, 0); }
static int radius_client_dump_auth_server(char *buf, size_t buflen, struct hostapd_radius_server *serv, struct radius_client_data *cli) { int pending = 0; struct radius_msg_list *msg; char abuf[50]; if (cli) { for (msg = cli->msgs; msg; msg = msg->next) { if (msg->msg_type == RADIUS_AUTH) pending++; } } return os_snprintf(buf, buflen, "radiusAuthServerIndex=%d\n" "radiusAuthServerAddress=%s\n" "radiusAuthClientServerPortNumber=%d\n" "radiusAuthClientRoundTripTime=%d\n" "radiusAuthClientAccessRequests=%u\n" "radiusAuthClientAccessRetransmissions=%u\n" "radiusAuthClientAccessAccepts=%u\n" "radiusAuthClientAccessRejects=%u\n" "radiusAuthClientAccessChallenges=%u\n" "radiusAuthClientMalformedAccessResponses=%u\n" "radiusAuthClientBadAuthenticators=%u\n" "radiusAuthClientPendingRequests=%u\n" "radiusAuthClientTimeouts=%u\n" "radiusAuthClientUnknownTypes=%u\n" "radiusAuthClientPacketsDropped=%u\n", serv->index, hostapd_ip_txt(&serv->addr, abuf, sizeof(abuf)), serv->port, serv->round_trip_time, serv->requests, serv->retransmissions, serv->access_accepts, serv->access_rejects, serv->access_challenges, serv->malformed_responses, serv->bad_authenticators, pending, serv->timeouts, serv->unknown_types, serv->packets_dropped); }
static int radius_change_server(struct radius_client_data *radius, struct hostapd_radius_server *nserv, struct hostapd_radius_server *oserv, int sock, int sock6, int auth) { struct sockaddr_in serv, claddr; #ifdef CONFIG_IPV6 struct sockaddr_in6 serv6, claddr6; #endif /* CONFIG_IPV6 */ struct sockaddr *addr, *cl_addr; socklen_t addrlen, claddrlen; char abuf[50]; int sel_sock; struct radius_msg_list *entry; struct hostapd_radius_servers *conf = radius->conf; struct sockaddr_in disconnect_addr = { .sin_family = AF_UNSPEC, }; hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS, HOSTAPD_LEVEL_INFO, "%s server %s:%d", auth ? "Authentication" : "Accounting", hostapd_ip_txt(&nserv->addr, abuf, sizeof(abuf)), nserv->port); if (oserv && oserv == nserv) { /* Reconnect to same server, flush */ if (auth) radius_client_flush(radius, 1); } if (oserv && oserv != nserv && (nserv->shared_secret_len != oserv->shared_secret_len || os_memcmp(nserv->shared_secret, oserv->shared_secret, nserv->shared_secret_len) != 0)) { /* Pending RADIUS packets used different shared secret, so * they need to be modified. Update accounting message * authenticators here. Authentication messages are removed * since they would require more changes and the new RADIUS * server may not be prepared to receive them anyway due to * missing state information. Client will likely retry * authentication, so this should not be an issue. */ if (auth) radius_client_flush(radius, 1); else { radius_client_update_acct_msgs( radius, nserv->shared_secret, nserv->shared_secret_len); } } /* Reset retry counters for the new server */ for (entry = radius->msgs; oserv && oserv != nserv && entry; entry = entry->next) { if ((auth && entry->msg_type != RADIUS_AUTH) || (!auth && entry->msg_type != RADIUS_ACCT)) continue; entry->next_try = entry->first_try + RADIUS_CLIENT_FIRST_WAIT; entry->attempts = 0; entry->next_wait = RADIUS_CLIENT_FIRST_WAIT * 2; } if (radius->msgs) { eloop_cancel_timeout(radius_client_timer, radius, NULL); eloop_register_timeout(RADIUS_CLIENT_FIRST_WAIT, 0, radius_client_timer, radius, NULL); } switch (nserv->addr.af) { case AF_INET: os_memset(&serv, 0, sizeof(serv)); serv.sin_family = AF_INET; serv.sin_addr.s_addr = nserv->addr.u.v4.s_addr; serv.sin_port = htons(nserv->port); addr = (struct sockaddr *) &serv; addrlen = sizeof(serv); sel_sock = sock; break; #ifdef CONFIG_IPV6 case AF_INET6: os_memset(&serv6, 0, sizeof(serv6)); serv6.sin6_family = AF_INET6; os_memcpy(&serv6.sin6_addr, &nserv->addr.u.v6, sizeof(struct in6_addr)); serv6.sin6_port = htons(nserv->port); addr = (struct sockaddr *) &serv6; addrlen = sizeof(serv6); sel_sock = sock6; break; #endif /* CONFIG_IPV6 */ default: return -1; } if (sel_sock < 0) { wpa_printf(MSG_INFO, "RADIUS: No server socket available (af=%d sock=%d sock6=%d auth=%d", nserv->addr.af, sock, sock6, auth); return -1; } if (conf->force_client_addr) { switch (conf->client_addr.af) { case AF_INET: os_memset(&claddr, 0, sizeof(claddr)); claddr.sin_family = AF_INET; claddr.sin_addr.s_addr = conf->client_addr.u.v4.s_addr; claddr.sin_port = htons(0); cl_addr = (struct sockaddr *) &claddr; claddrlen = sizeof(claddr); break; #ifdef CONFIG_IPV6 case AF_INET6: os_memset(&claddr6, 0, sizeof(claddr6)); claddr6.sin6_family = AF_INET6; os_memcpy(&claddr6.sin6_addr, &conf->client_addr.u.v6, sizeof(struct in6_addr)); claddr6.sin6_port = htons(0); cl_addr = (struct sockaddr *) &claddr6; claddrlen = sizeof(claddr6); break; #endif /* CONFIG_IPV6 */ default: return -1; } if (bind(sel_sock, cl_addr, claddrlen) < 0) { wpa_printf(MSG_INFO, "bind[radius]: %s", strerror(errno)); return -1; } } /* Force a reconnect by disconnecting the socket first */ if (connect(sel_sock, (struct sockaddr *) &disconnect_addr, sizeof(disconnect_addr)) < 0) wpa_printf(MSG_INFO, "disconnect[radius]: %s", strerror(errno)); if (connect(sel_sock, addr, addrlen) < 0) { wpa_printf(MSG_INFO, "connect[radius]: %s", strerror(errno)); return -1; } #ifndef CONFIG_NATIVE_WINDOWS switch (nserv->addr.af) { case AF_INET: claddrlen = sizeof(claddr); if (getsockname(sel_sock, (struct sockaddr *) &claddr, &claddrlen) == 0) { wpa_printf(MSG_DEBUG, "RADIUS local address: %s:%u", inet_ntoa(claddr.sin_addr), ntohs(claddr.sin_port)); } break; #ifdef CONFIG_IPV6 case AF_INET6: { claddrlen = sizeof(claddr6); if (getsockname(sel_sock, (struct sockaddr *) &claddr6, &claddrlen) == 0) { wpa_printf(MSG_DEBUG, "RADIUS local address: %s:%u", inet_ntop(AF_INET6, &claddr6.sin6_addr, abuf, sizeof(abuf)), ntohs(claddr6.sin6_port)); } break; } #endif /* CONFIG_IPV6 */ } #endif /* CONFIG_NATIVE_WINDOWS */ if (auth) radius->auth_sock = sel_sock; else radius->acct_sock = sel_sock; return 0; }
static void radius_client_timer(void *eloop_ctx, void *timeout_ctx) { struct radius_client_data *radius = eloop_ctx; struct hostapd_radius_servers *conf = radius->conf; struct os_time now; os_time_t first; struct radius_msg_list *entry, *prev, *tmp; int auth_failover = 0, acct_failover = 0; char abuf[50]; entry = radius->msgs; if (!entry) return; os_get_time(&now); first = 0; prev = NULL; while (entry) { if (now.sec >= entry->next_try && radius_client_retransmit(radius, entry, now.sec)) { if (prev) prev->next = entry->next; else radius->msgs = entry->next; tmp = entry; entry = entry->next; radius_client_msg_free(tmp); radius->num_msgs--; continue; } if (entry->attempts > RADIUS_CLIENT_NUM_FAILOVER) { if (entry->msg_type == RADIUS_ACCT || entry->msg_type == RADIUS_ACCT_INTERIM) acct_failover++; else auth_failover++; } if (first == 0 || entry->next_try < first) first = entry->next_try; prev = entry; entry = entry->next; } if (radius->msgs) { if (first < now.sec) first = now.sec; eloop_register_timeout(first - now.sec, 0, radius_client_timer, radius, NULL); hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS, HOSTAPD_LEVEL_DEBUG, "Next RADIUS client " "retransmit in %ld seconds", (long int) (first - now.sec)); } if (auth_failover && conf->num_auth_servers > 1) { struct hostapd_radius_server *next, *old; old = conf->auth_server; hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS, HOSTAPD_LEVEL_NOTICE, "No response from Authentication server " "%s:%d - failover", hostapd_ip_txt(&old->addr, abuf, sizeof(abuf)), old->port); for (entry = radius->msgs; entry; entry = entry->next) { if (entry->msg_type == RADIUS_AUTH) old->timeouts++; } next = old + 1; if (next > &(conf->auth_servers[conf->num_auth_servers - 1])) next = conf->auth_servers; conf->auth_server = next; radius_change_server(radius, next, old, radius->auth_serv_sock, radius->auth_serv_sock6, 1); } if (acct_failover && conf->num_acct_servers > 1) { struct hostapd_radius_server *next, *old; old = conf->acct_server; hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS, HOSTAPD_LEVEL_NOTICE, "No response from Accounting server " "%s:%d - failover", hostapd_ip_txt(&old->addr, abuf, sizeof(abuf)), old->port); for (entry = radius->msgs; entry; entry = entry->next) { if (entry->msg_type == RADIUS_ACCT || entry->msg_type == RADIUS_ACCT_INTERIM) old->timeouts++; } next = old + 1; if (next > &conf->acct_servers[conf->num_acct_servers - 1]) next = conf->acct_servers; conf->acct_server = next; radius_change_server(radius, next, old, radius->acct_serv_sock, radius->acct_serv_sock6, 0); } }
static int hostapd_ctrl_iface_status(struct hostapd_data *hapd, char *buf, size_t buflen) { char *pos, *end, tmp[150]; int res, ret; #ifdef EAP_WPS struct wps_config *wps = hapd->conf->wps; #endif /* EAP_WPS */ pos = buf; end = buf + buflen; ret = os_snprintf(pos, end - pos, "bssid=" MACSTR "\n", MAC2STR(hapd->own_addr)); if (ret < 0 || ret >= end - pos) return pos - buf; pos += ret; if (hapd->conf) { struct hostapd_bss_config *bss = hapd->conf; struct hostapd_ssid *ssid = &bss->ssid; u8 *_ssid = (u8 *)ssid->ssid; size_t ssid_len = ssid->ssid_len; u8 ssid_buf[HOSTAPD_MAX_SSID_LEN]; if (ssid_len == 0) { res = hostapd_get_ssid(hapd, ssid_buf, sizeof(ssid_buf)); if (res < 0) ssid_len = 0; else ssid_len = res; _ssid = ssid_buf; } else { memcpy(ssid_buf, _ssid, ssid_len); } ssid_buf[ssid_len] = 0; ret = os_snprintf(pos, end - pos, "ssid=%s\n", ssid_buf); if (ret < 0 || ret >= end - pos) return pos - buf; pos += ret; ret = os_snprintf(pos, end - pos, "encription="); if (ret < 0 || ret >= end - pos) return pos - buf; pos += ret; if (bss->wpa) { if (bss->wpa_pairwise & WPA_CIPHER_CCMP) { ret = os_snprintf(pos, end - pos, "CCMP "); if (ret < 0 || ret >= end - pos) return pos - buf; pos += ret; } if (bss->wpa_pairwise & WPA_CIPHER_TKIP) { ret = os_snprintf(pos, end - pos, "TKIP "); if (ret < 0 || ret >= end - pos) return pos - buf; pos += ret; } } else { if (ssid->wep.keys_set) { ret = os_snprintf(pos, end - pos, "WEP "); if (ret < 0 || ret >= end - pos) return pos - buf; pos += ret; } else { ret = os_snprintf(pos, end - pos, "NONE "); if (ret < 0 || ret >= end - pos) return pos - buf; pos += ret; } } ret = os_snprintf(pos, end - pos, "\n"); if (ret < 0 || ret >= end - pos) return pos - buf; pos += ret; ret = os_snprintf(pos, end - pos, "key_mgmt="); if (ret < 0 || ret >= end - pos) return pos - buf; pos += ret; if (bss->wpa) { if (bss->wpa & HOSTAPD_WPA_VERSION_WPA2) { ret = os_snprintf(pos, end - pos, "WPA2 "); if (ret < 0 || ret >= end - pos) return pos - buf; pos += ret; } if (bss->wpa & HOSTAPD_WPA_VERSION_WPA) { ret = os_snprintf(pos, end - pos, "WPA "); if (ret < 0 || ret >= end - pos) return pos - buf; pos += ret; } } else if (bss->auth_algs & HOSTAPD_AUTH_SHARED_KEY) { ret = os_snprintf(pos, end - pos, "SHARED "); if (ret < 0 || ret >= end - pos) return pos - buf; pos += ret; } else { ret = os_snprintf(pos, end - pos, "OPEN "); if (ret < 0 || ret >= end - pos) return pos - buf; pos += ret; } ret = os_snprintf(pos, end - pos, "\n"); if (ret < 0 || ret >= end - pos) return pos - buf; pos += ret; #ifdef CONFIG_CTRL_IFACE_SHOW_KEY if (bss == NULL || bss->eap_user == NULL) { sprintf(tmp, "No eap user"); } else if (bss->eap_user->password_len > 64 || bss->eap_user->password_len <= 0 ) { sprintf(tmp, "invalid password_len %zu", bss->eap_user->password_len); } else { int i; for (i = 0; i < bss->eap_user->password_len; i++ ) { sprintf(tmp+i*2, "%02X", bss->eap_user->password[i]); } } ret = os_snprintf(pos, end - pos, "password=%s\n", tmp); if (ret < 0 || ret >= end - pos) return pos - buf; pos += ret; if (bss->ssid.wpa_psk) { int i; for (i = 0; i < PMK_LEN; i++ ) { sprintf(tmp+i*2, "%02X", bss->ssid.wpa_psk->psk[i]); } ret = os_snprintf(pos, end - pos, "psk=%s\n", tmp); if (ret < 0 || ret >= end - pos) return pos - buf; pos += ret; } #endif /* CONFIG_CTRL_IFACE_SHOW_KEY */ ret = os_snprintf(pos, end - pos, "ip_address=%s\n", hostapd_ip_txt(&bss->own_ip_addr, tmp, sizeof(tmp))); if (ret < 0 || ret >= end - pos) return pos - buf; pos += ret; } #ifdef EAP_WPS if (wps) { if (WPS_WPSSTATE_UNCONFIGURED == wps->wps_state) { ret = os_snprintf(pos, end - pos, "wps_configured=Unconfigured\n"); if (ret < 0 || ret >= end - pos) return pos - buf; pos += ret; } else if (WPS_WPSSTATE_CONFIGURED == wps->wps_state) { ret = os_snprintf(pos, end - pos, "wps_configured=Configured\n"); if (ret < 0 || ret >= end - pos) return pos - buf; pos += ret; } if (!wps->selreg) { ret = os_snprintf(pos, end - pos, "selected_registrar=FALSE\n"); if (ret < 0 || ret >= end - pos) return pos - buf; pos += ret; } else { ret = os_snprintf(pos, end - pos, "selected_registrar=TRUE\n"); if (ret < 0 || ret >= end - pos) return pos - buf; pos += ret; tmp[0] = 0; switch (wps->dev_pwd_id) { case WPS_DEVICEPWDID_DEFAULT: os_snprintf(tmp, sizeof(tmp), "Default"); break; case WPS_DEVICEPWDID_USER_SPEC: os_snprintf(tmp, sizeof(tmp), "User-specified"); break; case WPS_DEVICEPWDID_MACHINE_SPEC: os_snprintf(tmp, sizeof(tmp), "Machine-specified"); break; case WPS_DEVICEPWDID_PUSH_BTN: os_snprintf(tmp, sizeof(tmp), "PushButton"); break; case WPS_DEVICEPWDID_REG_SPEC: os_snprintf(tmp, sizeof(tmp), "Registrar-specified"); break; default: os_snprintf(tmp, sizeof(tmp), "%04X", wps->dev_pwd_id); break; } ret = os_snprintf(pos, end - pos, "dev_pwd_id=%s\n", tmp); if (ret < 0 || ret >= end - pos) return pos - buf; pos += ret; } } #endif /* EAP_WPS */ /* Track memory usage... useful to check for leaks (unix only) */ ret = os_snprintf(pos, end - pos, "sbrk(0)=%p\n", sbrk(0)); if (ret < 0 || ret >= end - pos) return pos - buf; pos += ret; return pos - buf; }
static int radius_change_server(struct radius_client_data *radius, struct hostapd_radius_server *nserv, struct hostapd_radius_server *oserv, int sock, int sock6, int auth) { struct sockaddr_in serv; #ifdef CONFIG_IPV6 struct sockaddr_in6 serv6; #endif /* CONFIG_IPV6 */ struct sockaddr *addr; socklen_t addrlen; char abuf[50]; int sel_sock; struct radius_msg_list *entry; hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS, HOSTAPD_LEVEL_INFO, "%s server %s:%d", auth ? "Authentication" : "Accounting", hostapd_ip_txt(&nserv->addr, abuf, sizeof(abuf)), nserv->port); if (!oserv || nserv->shared_secret_len != oserv->shared_secret_len || os_memcmp(nserv->shared_secret, oserv->shared_secret, nserv->shared_secret_len) != 0) { /* Pending RADIUS packets used different shared secret, so * they need to be modified. Update accounting message * authenticators here. Authentication messages are removed * since they would require more changes and the new RADIUS * server may not be prepared to receive them anyway due to * missing state information. Client will likely retry * authentication, so this should not be an issue. */ if (auth) radius_client_flush(radius, 1); else { radius_client_update_acct_msgs( radius, nserv->shared_secret, nserv->shared_secret_len); } } /* Reset retry counters for the new server */ for (entry = radius->msgs; entry; entry = entry->next) { if ((auth && entry->msg_type != RADIUS_AUTH) || (!auth && entry->msg_type != RADIUS_ACCT)) continue; entry->next_try = entry->first_try + RADIUS_CLIENT_FIRST_WAIT; entry->attempts = 0; entry->next_wait = RADIUS_CLIENT_FIRST_WAIT * 2; } if (radius->msgs) { eloop_cancel_timeout(radius_client_timer, radius, NULL); eloop_register_timeout(RADIUS_CLIENT_FIRST_WAIT, 0, radius_client_timer, radius, NULL); } switch (nserv->addr.af) { case AF_INET: os_memset(&serv, 0, sizeof(serv)); serv.sin_family = AF_INET; serv.sin_addr.s_addr = nserv->addr.u.v4.s_addr; serv.sin_port = htons(nserv->port); addr = (struct sockaddr *) &serv; addrlen = sizeof(serv); sel_sock = sock; break; #ifdef CONFIG_IPV6 case AF_INET6: os_memset(&serv6, 0, sizeof(serv6)); serv6.sin6_family = AF_INET6; os_memcpy(&serv6.sin6_addr, &nserv->addr.u.v6, sizeof(struct in6_addr)); serv6.sin6_port = htons(nserv->port); addr = (struct sockaddr *) &serv6; addrlen = sizeof(serv6); sel_sock = sock6; break; #endif /* CONFIG_IPV6 */ default: return -1; } if (connect(sel_sock, addr, addrlen) < 0) { perror("connect[radius]"); return -1; } if (auth) radius->auth_sock = sel_sock; else radius->acct_sock = sel_sock; return 0; }
static int radius_change_server(struct radius_client_data *radius, struct hostapd_radius_server *nserv, struct hostapd_radius_server *oserv, int sock, int sock6, int auth) { struct sockaddr_in serv; #ifdef CONFIG_IPV6 struct sockaddr_in6 serv6; #endif /* CONFIG_IPV6 */ struct sockaddr *addr; socklen_t addrlen; char abuf[50]; int sel_sock; hostapd_logger(radius->ctx, NULL, HOSTAPD_MODULE_RADIUS, HOSTAPD_LEVEL_INFO, "%s server %s:%d", auth ? "Authentication" : "Accounting", hostapd_ip_txt(&nserv->addr, abuf, sizeof(abuf)), nserv->port); if (!oserv || nserv->shared_secret_len != oserv->shared_secret_len || memcmp(nserv->shared_secret, oserv->shared_secret, nserv->shared_secret_len) != 0) { /* Pending RADIUS packets used different shared * secret, so they would need to be modified. Could * update all message authenticators and * User-Passwords, etc. and retry with new server. For * now, just drop all pending packets. */ radius_client_flush(radius); } else { /* Reset retry counters for the new server */ struct radius_msg_list *entry; entry = radius->msgs; while (entry) { entry->next_try = entry->first_try + RADIUS_CLIENT_FIRST_WAIT; entry->attempts = 0; entry->next_wait = RADIUS_CLIENT_FIRST_WAIT * 2; entry = entry->next; } if (radius->msgs) { eloop_cancel_timeout(radius_client_timer, radius, NULL); eloop_register_timeout(RADIUS_CLIENT_FIRST_WAIT, 0, radius_client_timer, radius, NULL); } } switch (nserv->addr.af) { case AF_INET: memset(&serv, 0, sizeof(serv)); serv.sin_family = AF_INET; serv.sin_addr.s_addr = nserv->addr.u.v4.s_addr; serv.sin_port = htons(nserv->port); addr = (struct sockaddr *) &serv; addrlen = sizeof(serv); sel_sock = sock; break; #ifdef CONFIG_IPV6 case AF_INET6: memset(&serv6, 0, sizeof(serv6)); serv6.sin6_family = AF_INET6; memcpy(&serv6.sin6_addr, &nserv->addr.u.v6, sizeof(struct in6_addr)); serv6.sin6_port = htons(nserv->port); addr = (struct sockaddr *) &serv6; addrlen = sizeof(serv6); sel_sock = sock6; break; #endif /* CONFIG_IPV6 */ default: return -1; } if (connect(sel_sock, addr, addrlen) < 0) { perror("connect[radius]"); return -1; } if (auth) radius->auth_sock = sel_sock; else radius->acct_sock = sel_sock; return 0; }