git.maemo.org Git - wpasupplicant/blob - hostapd/ieee802_11_auth.c

   1 /*
   2  * hostapd / IEEE 802.11 authentication (ACL)
   3  * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  *
  14  * Access control list for IEEE 802.11 authentication can uses statically
  15  * configured ACL from configuration files or an external RADIUS server.
  16  * Results from external RADIUS queries are cached to allow faster
  17  * authentication frame processing.
  18  */
  19
  20 #include "includes.h"
  21
  22 #ifndef CONFIG_NATIVE_WINDOWS
  23
  24 #include "hostapd.h"
  25 #include "ieee802_11.h"
  26 #include "ieee802_11_auth.h"
  27 #include "radius/radius.h"
  28 #include "radius/radius_client.h"
  29 #include "eloop.h"
  30 #ifdef CONFIG_DRIVER_RADIUS_ACL
  31 #include "driver_i.h"
  32 #endif /* CONFIG_DRIVER_RADIUS_ACL */
  33
  34 #define RADIUS_ACL_TIMEOUT 30
  35
  36
  37 struct hostapd_cached_radius_acl {
  38         time_t timestamp;
  39         macaddr addr;
  40         int accepted; /* HOSTAPD_ACL_* */
  41         struct hostapd_cached_radius_acl *next;
  42         u32 session_timeout;
  43         u32 acct_interim_interval;
  44         int vlan_id;
  45 };
  46
  47
  48 struct hostapd_acl_query_data {
  49         time_t timestamp;
  50         u8 radius_id;
  51         macaddr addr;
  52         u8 *auth_msg; /* IEEE 802.11 authentication frame from station */
  53         size_t auth_msg_len;
  54         struct hostapd_acl_query_data *next;
  55 };
  56
  57
  58 #ifndef CONFIG_NO_RADIUS
  59 static void hostapd_acl_cache_free(struct hostapd_cached_radius_acl *acl_cache)
  60 {
  61         struct hostapd_cached_radius_acl *prev;
  62
  63         while (acl_cache) {
  64                 prev = acl_cache;
  65                 acl_cache = acl_cache->next;
  66                 os_free(prev);
  67         }
  68 }
  69
  70
  71 static int hostapd_acl_cache_get(struct hostapd_data *hapd, const u8 *addr,
  72                                  u32 *session_timeout,
  73                                  u32 *acct_interim_interval, int *vlan_id)
  74 {
  75         struct hostapd_cached_radius_acl *entry;
  76         time_t now;
  77
  78         time(&now);
  79         entry = hapd->acl_cache;
  80
  81         while (entry) {
  82                 if (os_memcmp(entry->addr, addr, ETH_ALEN) == 0) {
  83                         if (now - entry->timestamp > RADIUS_ACL_TIMEOUT)
  84                                 return -1; /* entry has expired */
  85                         if (entry->accepted == HOSTAPD_ACL_ACCEPT_TIMEOUT)
  86                                 if (session_timeout)
  87                                         *session_timeout =
  88                                                 entry->session_timeout;
  89                         if (acct_interim_interval)
  90                                 *acct_interim_interval =
  91                                         entry->acct_interim_interval;
  92                         if (vlan_id)
  93                                 *vlan_id = entry->vlan_id;
  94                         return entry->accepted;
  95                 }
  96
  97                 entry = entry->next;
  98         }
  99
 100         return -1;
 101 }
 102 #endif /* CONFIG_NO_RADIUS */
 103
 104
 105 static void hostapd_acl_query_free(struct hostapd_acl_query_data *query)
 106 {
 107         if (query == NULL)
 108                 return;
 109         os_free(query->auth_msg);
 110         os_free(query);
 111 }
 112
 113
 114 #ifndef CONFIG_NO_RADIUS
 115 static int hostapd_radius_acl_query(struct hostapd_data *hapd, const u8 *addr,
 116                                     struct hostapd_acl_query_data *query)
 117 {
 118         struct radius_msg *msg;
 119         char buf[128];
 120
 121         query->radius_id = radius_client_get_id(hapd->radius);
 122         msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST, query->radius_id);
 123         if (msg == NULL)
 124                 return -1;
 125
 126         radius_msg_make_authenticator(msg, addr, ETH_ALEN);
 127
 128         os_snprintf(buf, sizeof(buf), RADIUS_ADDR_FORMAT, MAC2STR(addr));
 129         if (!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, (u8 *) buf,
 130                                  os_strlen(buf))) {
 131                 wpa_printf(MSG_DEBUG, "Could not add User-Name");
 132                 goto fail;
 133         }
 134
 135         if (!radius_msg_add_attr_user_password(
 136                     msg, (u8 *) buf, os_strlen(buf),
 137                     hapd->conf->radius->auth_server->shared_secret,
 138                     hapd->conf->radius->auth_server->shared_secret_len)) {
 139                 wpa_printf(MSG_DEBUG, "Could not add User-Password");
 140                 goto fail;
 141         }
 142
 143         if (hapd->conf->own_ip_addr.af == AF_INET &&
 144             !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS,
 145                                  (u8 *) &hapd->conf->own_ip_addr.u.v4, 4)) {
 146                 wpa_printf(MSG_DEBUG, "Could not add NAS-IP-Address");
 147                 goto fail;
 148         }
 149
 150 #ifdef CONFIG_IPV6
 151         if (hapd->conf->own_ip_addr.af == AF_INET6 &&
 152             !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IPV6_ADDRESS,
 153                                  (u8 *) &hapd->conf->own_ip_addr.u.v6, 16)) {
 154                 wpa_printf(MSG_DEBUG, "Could not add NAS-IPv6-Address");
 155                 goto fail;
 156         }
 157 #endif /* CONFIG_IPV6 */
 158
 159         if (hapd->conf->nas_identifier &&
 160             !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IDENTIFIER,
 161                                  (u8 *) hapd->conf->nas_identifier,
 162                                  os_strlen(hapd->conf->nas_identifier))) {
 163                 wpa_printf(MSG_DEBUG, "Could not add NAS-Identifier");
 164                 goto fail;
 165         }
 166
 167         os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT ":%s",
 168                     MAC2STR(hapd->own_addr), hapd->conf->ssid.ssid);
 169         if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLED_STATION_ID,
 170                                  (u8 *) buf, os_strlen(buf))) {
 171                 wpa_printf(MSG_DEBUG, "Could not add Called-Station-Id");
 172                 goto fail;
 173         }
 174
 175         os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT,
 176                     MAC2STR(addr));
 177         if (!radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID,
 178                                  (u8 *) buf, os_strlen(buf))) {
 179                 wpa_printf(MSG_DEBUG, "Could not add Calling-Station-Id");
 180                 goto fail;
 181         }
 182
 183         if (!radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE,
 184                                        RADIUS_NAS_PORT_TYPE_IEEE_802_11)) {
 185                 wpa_printf(MSG_DEBUG, "Could not add NAS-Port-Type");
 186                 goto fail;
 187         }
 188
 189         os_snprintf(buf, sizeof(buf), "CONNECT 11Mbps 802.11b");
 190         if (!radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO,
 191                                  (u8 *) buf, os_strlen(buf))) {
 192                 wpa_printf(MSG_DEBUG, "Could not add Connect-Info");
 193                 goto fail;
 194         }
 195
 196         radius_client_send(hapd->radius, msg, RADIUS_AUTH, addr);
 197         return 0;
 198
 199  fail:
 200         radius_msg_free(msg);
 201         os_free(msg);
 202         return -1;
 203 }
 204 #endif /* CONFIG_NO_RADIUS */
 205
 206
 207 /**
 208  * hostapd_allowed_address - Check whether a specified STA can be authenticated
 209  * @hapd: hostapd BSS data
 210  * @addr: MAC address of the STA
 211  * @msg: Authentication message
 212  * @len: Length of msg in octets
 213  * @session_timeout: Buffer for returning session timeout (from RADIUS)
 214  * @acct_interim_interval: Buffer for returning account interval (from RADIUS)
 215  * @vlan_id: Buffer for returning VLAN ID
 216  * Returns: HOSTAPD_ACL_ACCEPT, HOSTAPD_ACL_REJECT, or HOSTAPD_ACL_PENDING
 217  */
 218 int hostapd_allowed_address(struct hostapd_data *hapd, const u8 *addr,
 219                             const u8 *msg, size_t len, u32 *session_timeout,
 220                             u32 *acct_interim_interval, int *vlan_id)
 221 {
 222         if (session_timeout)
 223                 *session_timeout = 0;
 224         if (acct_interim_interval)
 225                 *acct_interim_interval = 0;
 226         if (vlan_id)
 227                 *vlan_id = 0;
 228
 229         if (hostapd_maclist_found(hapd->conf->accept_mac,
 230                                   hapd->conf->num_accept_mac, addr, vlan_id))
 231                 return HOSTAPD_ACL_ACCEPT;
 232
 233         if (hostapd_maclist_found(hapd->conf->deny_mac,
 234                                   hapd->conf->num_deny_mac, addr, vlan_id))
 235                 return HOSTAPD_ACL_REJECT;
 236
 237         if (hapd->conf->macaddr_acl == ACCEPT_UNLESS_DENIED)
 238                 return HOSTAPD_ACL_ACCEPT;
 239         if (hapd->conf->macaddr_acl == DENY_UNLESS_ACCEPTED)
 240                 return HOSTAPD_ACL_REJECT;
 241
 242         if (hapd->conf->macaddr_acl == USE_EXTERNAL_RADIUS_AUTH) {
 243 #ifdef CONFIG_NO_RADIUS
 244                 return HOSTAPD_ACL_REJECT;
 245 #else /* CONFIG_NO_RADIUS */
 246                 struct hostapd_acl_query_data *query;
 247
 248                 /* Check whether ACL cache has an entry for this station */
 249                 int res = hostapd_acl_cache_get(hapd, addr, session_timeout,
 250                                                 acct_interim_interval,
 251                                                 vlan_id);
 252                 if (res == HOSTAPD_ACL_ACCEPT ||
 253                     res == HOSTAPD_ACL_ACCEPT_TIMEOUT)
 254                         return res;
 255                 if (res == HOSTAPD_ACL_REJECT)
 256                         return HOSTAPD_ACL_REJECT;
 257
 258                 query = hapd->acl_queries;
 259                 while (query) {
 260                         if (os_memcmp(query->addr, addr, ETH_ALEN) == 0) {
 261                                 /* pending query in RADIUS retransmit queue;
 262                                  * do not generate a new one */
 263                                 return HOSTAPD_ACL_PENDING;
 264                         }
 265                         query = query->next;
 266                 }
 267
 268                 if (!hapd->conf->radius->auth_server)
 269                         return HOSTAPD_ACL_REJECT;
 270
 271                 /* No entry in the cache - query external RADIUS server */
 272                 query = os_zalloc(sizeof(*query));
 273                 if (query == NULL) {
 274                         wpa_printf(MSG_ERROR, "malloc for query data failed");
 275                         return HOSTAPD_ACL_REJECT;
 276                 }
 277                 time(&query->timestamp);
 278                 os_memcpy(query->addr, addr, ETH_ALEN);
 279                 if (hostapd_radius_acl_query(hapd, addr, query)) {
 280                         wpa_printf(MSG_DEBUG, "Failed to send Access-Request "
 281                                    "for ACL query.");
 282                         hostapd_acl_query_free(query);
 283                         return HOSTAPD_ACL_REJECT;
 284                 }
 285
 286                 query->auth_msg = os_malloc(len);
 287                 if (query->auth_msg == NULL) {
 288                         wpa_printf(MSG_ERROR, "Failed to allocate memory for "
 289                                    "auth frame.");
 290                         hostapd_acl_query_free(query);
 291                         return HOSTAPD_ACL_REJECT;
 292                 }
 293                 os_memcpy(query->auth_msg, msg, len);
 294                 query->auth_msg_len = len;
 295                 query->next = hapd->acl_queries;
 296                 hapd->acl_queries = query;
 297
 298                 /* Queued data will be processed in hostapd_acl_recv_radius()
 299                  * when RADIUS server replies to the sent Access-Request. */
 300                 return HOSTAPD_ACL_PENDING;
 301 #endif /* CONFIG_NO_RADIUS */
 302         }
 303
 304         return HOSTAPD_ACL_REJECT;
 305 }
 306
 307
 308 #ifndef CONFIG_NO_RADIUS
 309 static void hostapd_acl_expire_cache(struct hostapd_data *hapd, time_t now)
 310 {
 311         struct hostapd_cached_radius_acl *prev, *entry, *tmp;
 312
 313         prev = NULL;
 314         entry = hapd->acl_cache;
 315
 316         while (entry) {
 317                 if (now - entry->timestamp > RADIUS_ACL_TIMEOUT) {
 318                         wpa_printf(MSG_DEBUG, "Cached ACL entry for " MACSTR
 319                                    " has expired.", MAC2STR(entry->addr));
 320                         if (prev)
 321                                 prev->next = entry->next;
 322                         else
 323                                 hapd->acl_cache = entry->next;
 324 #ifdef CONFIG_DRIVER_RADIUS_ACL
 325                         hostapd_set_radius_acl_expire(hapd, entry->addr);
 326 #endif /* CONFIG_DRIVER_RADIUS_ACL */
 327                         tmp = entry;
 328                         entry = entry->next;
 329                         os_free(tmp);
 330                         continue;
 331                 }
 332
 333                 prev = entry;
 334                 entry = entry->next;
 335         }
 336 }
 337
 338
 339 static void hostapd_acl_expire_queries(struct hostapd_data *hapd, time_t now)
 340 {
 341         struct hostapd_acl_query_data *prev, *entry, *tmp;
 342
 343         prev = NULL;
 344         entry = hapd->acl_queries;
 345
 346         while (entry) {
 347                 if (now - entry->timestamp > RADIUS_ACL_TIMEOUT) {
 348                         wpa_printf(MSG_DEBUG, "ACL query for " MACSTR
 349                                    " has expired.", MAC2STR(entry->addr));
 350                         if (prev)
 351                                 prev->next = entry->next;
 352                         else
 353                                 hapd->acl_queries = entry->next;
 354
 355                         tmp = entry;
 356                         entry = entry->next;
 357                         hostapd_acl_query_free(tmp);
 358                         continue;
 359                 }
 360
 361                 prev = entry;
 362                 entry = entry->next;
 363         }
 364 }
 365
 366
 367 /**
 368  * hostapd_acl_expire - ACL cache expiration callback
 369  * @eloop_ctx: struct hostapd_data *
 370  * @timeout_ctx: Not used
 371  */
 372 static void hostapd_acl_expire(void *eloop_ctx, void *timeout_ctx)
 373 {
 374         struct hostapd_data *hapd = eloop_ctx;
 375         time_t now;
 376
 377         time(&now);
 378         hostapd_acl_expire_cache(hapd, now);
 379         hostapd_acl_expire_queries(hapd, now);
 380
 381         eloop_register_timeout(10, 0, hostapd_acl_expire, hapd, NULL);
 382 }
 383
 384
 385 /**
 386  * hostapd_acl_recv_radius - Process incoming RADIUS Authentication messages
 387  * @msg: RADIUS response message
 388  * @req: RADIUS request message
 389  * @shared_secret: RADIUS shared secret
 390  * @shared_secret_len: Length of shared_secret in octets
 391  * @data: Context data (struct hostapd_data *)
 392  * Returns: RADIUS_RX_PROCESSED if RADIUS message was a reply to ACL query (and
 393  * was processed here) or RADIUS_RX_UNKNOWN if not.
 394  */
 395 static RadiusRxResult
 396 hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req,
 397                         const u8 *shared_secret, size_t shared_secret_len,
 398                         void *data)
 399 {
 400         struct hostapd_data *hapd = data;
 401         struct hostapd_acl_query_data *query, *prev;
 402         struct hostapd_cached_radius_acl *cache;
 403
 404         query = hapd->acl_queries;
 405         prev = NULL;
 406         while (query) {
 407                 if (query->radius_id == msg->hdr->identifier)
 408                         break;
 409                 prev = query;
 410                 query = query->next;
 411         }
 412         if (query == NULL)
 413                 return RADIUS_RX_UNKNOWN;
 414
 415         wpa_printf(MSG_DEBUG, "Found matching Access-Request for RADIUS "
 416                    "message (id=%d)", query->radius_id);
 417
 418         if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 0)) {
 419                 wpa_printf(MSG_INFO, "Incoming RADIUS packet did not have "
 420                            "correct authenticator - dropped\n");
 421                 return RADIUS_RX_INVALID_AUTHENTICATOR;
 422         }
 423
 424         if (msg->hdr->code != RADIUS_CODE_ACCESS_ACCEPT &&
 425             msg->hdr->code != RADIUS_CODE_ACCESS_REJECT) {
 426                 wpa_printf(MSG_DEBUG, "Unknown RADIUS message code %d to ACL "
 427                            "query", msg->hdr->code);
 428                 return RADIUS_RX_UNKNOWN;
 429         }
 430
 431         /* Insert Accept/Reject info into ACL cache */
 432         cache = os_zalloc(sizeof(*cache));
 433         if (cache == NULL) {
 434                 wpa_printf(MSG_DEBUG, "Failed to add ACL cache entry");
 435                 goto done;
 436         }
 437         time(&cache->timestamp);
 438         os_memcpy(cache->addr, query->addr, sizeof(cache->addr));
 439         if (msg->hdr->code == RADIUS_CODE_ACCESS_ACCEPT) {
 440                 if (radius_msg_get_attr_int32(msg, RADIUS_ATTR_SESSION_TIMEOUT,
 441                                               &cache->session_timeout) == 0)
 442                         cache->accepted = HOSTAPD_ACL_ACCEPT_TIMEOUT;
 443                 else
 444                         cache->accepted = HOSTAPD_ACL_ACCEPT;
 445
 446                 if (radius_msg_get_attr_int32(
 447                             msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL,
 448                             &cache->acct_interim_interval) == 0 &&
 449                     cache->acct_interim_interval < 60) {
 450                         wpa_printf(MSG_DEBUG, "Ignored too small "
 451                                    "Acct-Interim-Interval %d for STA " MACSTR,
 452                                    cache->acct_interim_interval,
 453                                    MAC2STR(query->addr));
 454                         cache->acct_interim_interval = 0;
 455                 }
 456
 457                 cache->vlan_id = radius_msg_get_vlanid(msg);
 458         } else
 459                 cache->accepted = HOSTAPD_ACL_REJECT;
 460         cache->next = hapd->acl_cache;
 461         hapd->acl_cache = cache;
 462
 463 #ifdef CONFIG_DRIVER_RADIUS_ACL
 464         hostapd_set_radius_acl_auth(hapd, query->addr, cache->accepted,
 465                                     cache->session_timeout);
 466 #else /* CONFIG_DRIVER_RADIUS_ACL */
 467 #ifdef NEED_MLME
 468         /* Re-send original authentication frame for 802.11 processing */
 469         wpa_printf(MSG_DEBUG, "Re-sending authentication frame after "
 470                    "successful RADIUS ACL query");
 471         ieee802_11_mgmt(hapd, query->auth_msg, query->auth_msg_len,
 472                         WLAN_FC_STYPE_AUTH, NULL);
 473 #endif /* NEED_MLME */
 474 #endif /* CONFIG_DRIVER_RADIUS_ACL */
 475
 476  done:
 477         if (prev == NULL)
 478                 hapd->acl_queries = query->next;
 479         else
 480                 prev->next = query->next;
 481
 482         hostapd_acl_query_free(query);
 483
 484         return RADIUS_RX_PROCESSED;
 485 }
 486 #endif /* CONFIG_NO_RADIUS */
 487
 488
 489 /**
 490  * hostapd_acl_init: Initialize IEEE 802.11 ACL
 491  * @hapd: hostapd BSS data
 492  * Returns: 0 on success, -1 on failure
 493  */
 494 int hostapd_acl_init(struct hostapd_data *hapd)
 495 {
 496 #ifndef CONFIG_NO_RADIUS
 497         if (radius_client_register(hapd->radius, RADIUS_AUTH,
 498                                    hostapd_acl_recv_radius, hapd))
 499                 return -1;
 500
 501         eloop_register_timeout(10, 0, hostapd_acl_expire, hapd, NULL);
 502 #endif /* CONFIG_NO_RADIUS */
 503
 504         return 0;
 505 }
 506
 507
 508 /**
 509  * hostapd_acl_deinit - Deinitialize IEEE 802.11 ACL
 510  * @hapd: hostapd BSS data
 511  */
 512 void hostapd_acl_deinit(struct hostapd_data *hapd)
 513 {
 514         struct hostapd_acl_query_data *query, *prev;
 515
 516 #ifndef CONFIG_NO_RADIUS
 517         eloop_cancel_timeout(hostapd_acl_expire, hapd, NULL);
 518
 519         hostapd_acl_cache_free(hapd->acl_cache);
 520 #endif /* CONFIG_NO_RADIUS */
 521
 522         query = hapd->acl_queries;
 523         while (query) {
 524                 prev = query;
 525                 query = query->next;
 526                 hostapd_acl_query_free(prev);
 527         }
 528 }
 529
 530
 531 int hostapd_acl_reconfig(struct hostapd_data *hapd,
 532                          struct hostapd_config *oldconf)
 533 {
 534         if (!hapd->radius_client_reconfigured)
 535                 return 0;
 536
 537         hostapd_acl_deinit(hapd);
 538         return hostapd_acl_init(hapd);
 539 }
 540
 541 #endif /* CONFIG_NATIVE_WINDOWS */