  • only in /freebsd-13-stable/contrib/wpa/src/radius/

Lines Matching refs:sess

427 void srv_log(struct radius_session *sess, const char *fmt, ...)
430 void srv_log(struct radius_session *sess, const char *fmt, ...)
447 RADIUS_DEBUG("[0x%x %s] %s", sess->sess_id, sess->nas_ip, buf);
450 if (sess->server->db) {
457 sess->sess_id, sess->nas_ip,
458 sess->username, buf);
460 if (sqlite3_exec(sess->server->db, sql, NULL, NULL,
463 sqlite3_errmsg(sess->server->db));
516 struct radius_session *sess = client->sessions;
518 while (sess) {
519 if (sess->sess_id == sess_id) {
522 sess = sess->next;
525 return sess;
530 struct radius_session *sess)
532 eloop_cancel_timeout(radius_server_session_timeout, data, sess);
533 eloop_cancel_timeout(radius_server_session_remove_timeout, data, sess);
534 eap_server_sm_deinit(sess->eap);
535 radius_msg_free(sess->last_msg);
536 os_free(sess->last_from_addr);
537 radius_msg_free(sess->last_reply);
538 os_free(sess->username);
539 os_free(sess->nas_ip);
540 os_free(sess);
546 struct radius_session *sess)
548 struct radius_client *client = sess->client;
551 eloop_cancel_timeout(radius_server_session_remove_timeout, data, sess);
556 if (session == sess) {
558 client->sessions = sess->next;
560 prev->next = sess->next;
562 radius_server_session_free(data, sess);
575 struct radius_session *sess = timeout_ctx;
576 RADIUS_DEBUG("Removing completed session 0x%x", sess->sess_id);
577 radius_server_session_remove(data, sess);
584 struct radius_session *sess = timeout_ctx;
586 RADIUS_DEBUG("Timing out authentication session 0x%x", sess->sess_id);
587 radius_server_session_remove(data, sess);
595 struct radius_session *sess;
603 sess = os_zalloc(sizeof(*sess));
604 if (sess == NULL)
607 sess->server = data;
608 sess->client = client;
609 sess->sess_id = data->next_sess_id++;
610 sess->next = client->sessions;
611 client->sessions = sess;
613 radius_server_session_timeout, data, sess);
615 return sess;
620 static void radius_server_testing_options_tls(struct radius_session *sess,
628 srv_log(sess, "TLS test - break VerifyData");
632 srv_log(sess, "TLS test - break ServerKeyExchange ServerParams hash");
636 srv_log(sess, "TLS test - break ServerKeyExchange ServerParams Signature");
640 srv_log(sess, "TLS test - RSA-DHE using a short 511-bit prime");
644 srv_log(sess, "TLS test - RSA-DHE using a short 767-bit prime");
648 srv_log(sess, "TLS test - RSA-DHE using a bogus 15 \"prime\"");
652 srv_log(sess, "TLS test - RSA-DHE using a short 58-bit prime in long container");
656 srv_log(sess, "TLS test - RSA-DHE using a non-prime");
660 srv_log(sess, "Unrecognized TLS test");
666 static void radius_server_testing_options(struct radius_session *sess,
672 pos = os_strstr(sess->username, "@test-");
677 radius_server_testing_options_tls(sess, pos + 4, eap_conf);
679 srv_log(sess, "Unrecognized test: %s", pos);
709 struct radius_session *sess;
747 sess = radius_server_new_session(data, client);
748 if (sess == NULL) {
753 sess->accept_attr = tmp->accept_attr;
754 sess->macacl = tmp->macacl;
757 sess->username = os_malloc(user_len * 4 + 1);
758 if (sess->username == NULL) {
759 radius_server_session_remove(data, sess);
762 printf_encode(sess->username, user_len * 4 + 1, user, user_len);
764 sess->nas_ip = os_strdup(from_addr);
765 if (sess->nas_ip == NULL) {
766 radius_server_session_remove(data, sess);
778 if (hwaddr_aton2(buf, sess->mac_addr) < 0)
779 os_memset(sess->mac_addr, 0, ETH_ALEN);
782 MAC2STR(sess->mac_addr));
785 srv_log(sess, "New session created");
812 radius_server_testing_options(sess, &eap_conf);
813 sess->eap = eap_server_sm_init(sess, &radius_server_eapol_cb,
815 if (sess->eap == NULL) {
818 radius_server_session_remove(data, sess);
821 sess->eap_if = eap_get_interface(sess->eap);
822 sess->eap_if->eapRestart = TRUE;
823 sess->eap_if->portEnabled = TRUE;
825 RADIUS_DEBUG("New session 0x%x initialized", sess->sess_id);
827 return sess;
832 static void radius_srv_hs20_t_c_pending(struct radius_session *sess)
840 if (!sess->server->db || !sess->eap ||
841 is_zero_ether_addr(sess->mac_addr))
844 os_snprintf(addr, sizeof(addr), MACSTR, MAC2STR(sess->mac_addr));
846 id = eap_get_identity(sess->eap, &id_len);
861 if (sqlite3_exec(sess->server->db, sql, NULL, NULL, NULL) !=
864 sqlite3_errmsg(sess->server->db));
872 static void radius_server_add_session(struct radius_session *sess)
879 if (!sess->server->db)
884 MAC2STR(sess->mac_addr));
888 addr_txt, sess->username, now.sec,
889 sess->nas_ip, sess->t_c_filtering);
891 if (sqlite3_exec(sess->server->db, sql, NULL, NULL,
894 sqlite3_errmsg(sess->server->db));
902 static void db_update_last_msk(struct radius_session *sess, const char *msk)
912 if (!sess->server->db)
915 serial_num = eap_get_serial_num(sess->eap);
923 id = eap_get_identity(sess->eap, &id_len);
939 if (sqlite3_exec(sess->server->db, sql, NULL, NULL, NULL) !=
942 sqlite3_errmsg(sess->server->db));
952 static int radius_server_is_sim_method(struct radius_session *sess)
956 name = eap_get_method(sess->eap);
1009 static int radius_server_sim_provisioning_session(struct radius_session *sess,
1020 if (!sess->server->db ||
1021 (!db_table_exists(sess->server->db, "sim_provisioning") &&
1022 db_table_create_sim_provisioning(sess->server->db) < 0))
1025 imsi = eap_get_imsi(sess->eap);
1029 eap_method = eap_get_method(sess->eap);
1034 MAC2STR(sess->mac_addr));
1044 if (sqlite3_exec(sess->server->db, sql, NULL, NULL, NULL) !=
1047 sqlite3_errmsg(sess->server->db));
1064 struct radius_session *sess,
1073 if (sess->eap_if->eapFail) {
1074 sess->eap_if->eapFail = FALSE;
1076 } else if (sess->eap_if->eapSuccess) {
1077 sess->eap_if->eapSuccess = FALSE;
1080 sess->eap_if->eapReq = FALSE;
1090 sess_id = htonl(sess->sess_id);
1097 if (sess->eap_if->eapReqData &&
1098 !radius_msg_add_eap(msg, wpabuf_head(sess->eap_if->eapReqData),
1099 wpabuf_len(sess->eap_if->eapReqData))) {
1103 if (code == RADIUS_CODE_ACCESS_ACCEPT && sess->eap_if->eapKeyData) {
1108 len = sess->eap_if->eapKeyDataLen;
1112 sess->eap_if->eapKeyData, len);
1120 len = sess->eap_if->eapKeyDataLen;
1125 sess->eap_if->eapKeyData, len);
1132 db_update_last_msk(sess, buf);
1134 if (sess->eap_if->eapKeyDataLen > 64) {
1137 len = sess->eap_if->eapKeyDataLen / 2;
1142 sess->eap_if->eapKeyData + len,
1143 len, sess->eap_if->eapKeyData,
1148 if (sess->eap_if->eapSessionId &&
1150 sess->eap_if->eapSessionId,
1151 sess->eap_if->eapSessionIdLen)) {
1157 if (code == RADIUS_CODE_ACCESS_ACCEPT && sess->remediation &&
1174 } else if (code == RADIUS_CODE_ACCESS_ACCEPT && sess->remediation) {
1183 radius_server_is_sim_method(sess) &&
1197 if (radius_server_sim_provisioning_session(sess, hash) < 0) {
1225 if (code == RADIUS_CODE_ACCESS_ACCEPT && sess->t_c_filtering) {
1264 os_snprintf(pos2, end2 - pos2, MACSTR, MAC2STR(sess->mac_addr));
1277 radius_srv_hs20_t_c_pending(sess);
1289 for (attr = sess->accept_attr; attr; attr = attr->next) {
1316 radius_server_add_session(sess);
1325 struct radius_session *sess,
1345 res = data->get_eap_user(data->conf_ctx, (u8 *) sess->username,
1346 os_strlen(sess->username), 0, &tmp);
1382 for (attr = sess->accept_attr; attr; attr = attr->next) {
1464 static void radius_server_hs20_t_c_check(struct radius_session *sess,
1501 if (sess->t_c_timestamp != WPA_GET_BE32(timestamp)) {
1503 sess->t_c_filtering = 1;
1520 struct radius_session *sess;
1525 sess = force_sess;
1532 sess = radius_server_get_session(client, state);
1534 sess = NULL;
1538 if (sess) {
1539 RADIUS_DEBUG("Request for session 0x%x", sess->sess_id);
1546 sess = radius_server_get_new_session(data, client, msg,
1548 if (sess == NULL) {
1556 if (sess->last_from_port == from_port &&
1557 sess->last_identifier == radius_msg_get_hdr(msg)->identifier &&
1558 os_memcmp(sess->last_authenticator,
1564 if (sess->last_reply) {
1566 buf = radius_msg_get_buf(sess->last_reply);
1583 if (eap == NULL && sess->macacl) {
1584 reply = radius_server_macacl(data, client, sess, msg);
1606 wpabuf_free(sess->eap_if->eapRespData);
1607 sess->eap_if->eapRespData = eap;
1608 sess->eap_if->eapResp = TRUE;
1609 eap_server_sm_step(sess->eap);
1611 if ((sess->eap_if->eapReq || sess->eap_if->eapSuccess ||
1612 sess->eap_if->eapFail) && sess->eap_if->eapReqData) {
1614 wpabuf_head(sess->eap_if->eapReqData),
1615 wpabuf_len(sess->eap_if->eapReqData));
1616 } else if (sess->eap_if->eapFail) {
1619 } else if (eap_sm_method_pending(sess->eap)) {
1620 radius_msg_free(sess->last_msg);
1621 sess->last_msg = msg;
1622 sess->last_from_port = from_port;
1623 os_free(sess->last_from_addr);
1624 sess->last_from_addr = os_strdup(from_addr);
1625 sess->last_fromlen = fromlen;
1626 os_memcpy(&sess->last_from, from, fromlen);
1637 if (sess->eap_if->eapSuccess || sess->eap_if->eapFail)
1639 if (sess->eap_if->eapFail) {
1640 srv_log(sess, "EAP authentication failed");
1641 db_update_last_msk(sess, "FAIL");
1642 } else if (sess->eap_if->eapSuccess) {
1643 srv_log(sess, "EAP authentication succeeded");
1646 if (sess->eap_if->eapSuccess)
1647 radius_server_hs20_t_c_check(sess, msg);
1649 reply = radius_server_encapsulate_eap(data, client, sess, msg);
1663 srv_log(sess, "Sending Access-Accept");
1668 srv_log(sess, "Sending Access-Reject");
1685 radius_msg_free(sess->last_reply);
1686 sess->last_reply = reply;
1687 sess->last_from_port = from_port;
1689 sess->last_identifier = hdr->identifier;
1690 os_memcpy(sess->last_authenticator, hdr->authenticator, 16);
1698 sess->sess_id);
1700 data, sess);
1703 data, sess);
2705 struct radius_session *sess = ctx;
2706 struct radius_server_data *data = sess->server;
2712 sess->accept_attr = user->accept_attr;
2713 sess->remediation = user->remediation;
2714 sess->macacl = user->macacl;
2715 sess->t_c_timestamp = user->t_c_timestamp;
2729 struct radius_session *sess = ctx;
2730 struct radius_server_data *data = sess->server;
2738 struct radius_session *sess = ctx;
2739 srv_log(sess, "EAP: %s", msg);
2747 struct radius_session *sess = ctx;
2748 struct radius_server_data *data = sess->server;
2757 struct radius_session *sess = ctx;
2758 struct radius_server_data *data = sess->server;
2766 struct radius_session *sess = ctx;
2767 struct radius_server_data *data = sess->server;
2801 struct radius_session *s, *sess = NULL;
2810 sess = s;
2814 if (sess)
2818 if (sess == NULL) {
2823 msg = sess->last_msg;
2824 sess->last_msg = NULL;
2825 eap_sm_pending_cb(sess->eap);
2827 (struct sockaddr *) &sess->last_from,
2828 sess->last_fromlen, cli,
2829 sess->last_from_addr,
2830 sess->last_from_port, sess) == -2)