Home | History | Annotate | Download | only in ap 
      1 /*
      2  * Authentication server setup
      3  * Copyright (c) 2002-2009, Jouni Malinen <j (at) w1.fi>
      4  *
      5  * This software may be distributed under the terms of the BSD license.
      6  * See README for more details.
      7  */
      8 
      9 #include "utils/includes.h"
     10 
     11 #include "utils/common.h"
     12 #include "crypto/tls.h"
     13 #include "eap_server/eap.h"
     14 #include "eap_server/eap_sim_db.h"
     15 #include "eapol_auth/eapol_auth_sm.h"
     16 #include "radius/radius_server.h"
     17 #include "hostapd.h"
     18 #include "ap_config.h"
     19 #include "sta_info.h"
     20 #include "authsrv.h"
     21 
     22 
     23 #if defined(EAP_SERVER_SIM) || defined(EAP_SERVER_AKA)
     24 #define EAP_SIM_DB
     25 #endif /* EAP_SERVER_SIM || EAP_SERVER_AKA */
     26 
     27 
     28 #ifdef EAP_SIM_DB
     29 static int hostapd_sim_db_cb_sta(struct hostapd_data *hapd,
     30 				 struct sta_info *sta, void *ctx)
     31 {
     32 	if (eapol_auth_eap_pending_cb(sta->eapol_sm, ctx) == 0)
     33 		return 1;
     34 	return 0;
     35 }
     36 
     37 
     38 static void hostapd_sim_db_cb(void *ctx, void *session_ctx)
     39 {
     40 	struct hostapd_data *hapd = ctx;
     41 	if (ap_for_each_sta(hapd, hostapd_sim_db_cb_sta, session_ctx) == 0) {
     42 #ifdef RADIUS_SERVER
     43 		radius_server_eap_pending_cb(hapd->radius_srv, session_ctx);
     44 #endif /* RADIUS_SERVER */
     45 	}
     46 }
     47 #endif /* EAP_SIM_DB */
     48 
     49 
     50 #ifdef RADIUS_SERVER
     51 
     52 static int hostapd_radius_get_eap_user(void *ctx, const u8 *identity,
     53 				       size_t identity_len, int phase2,
     54 				       struct eap_user *user)
     55 {
     56 	const struct hostapd_eap_user *eap_user;
     57 	int i;
     58 	int rv = -1;
     59 
     60 	eap_user = hostapd_get_eap_user(ctx, identity, identity_len, phase2);
     61 	if (eap_user == NULL)
     62 		goto out;
     63 
     64 	if (user == NULL)
     65 		return 0;
     66 
     67 	os_memset(user, 0, sizeof(*user));
     68 	for (i = 0; i < EAP_MAX_METHODS; i++) {
     69 		user->methods[i].vendor = eap_user->methods[i].vendor;
     70 		user->methods[i].method = eap_user->methods[i].method;
     71 	}
     72 
     73 	if (eap_user->password) {
     74 		user->password = os_malloc(eap_user->password_len);
     75 		if (user->password == NULL)
     76 			goto out;
     77 		os_memcpy(user->password, eap_user->password,
     78 			  eap_user->password_len);
     79 		user->password_len = eap_user->password_len;
     80 		user->password_hash = eap_user->password_hash;
     81 	}
     82 	user->force_version = eap_user->force_version;
     83 	user->macacl = eap_user->macacl;
     84 	user->ttls_auth = eap_user->ttls_auth;
     85 	user->remediation = eap_user->remediation;
     86 	user->accept_attr = eap_user->accept_attr;
     87 	rv = 0;
     88 
     89 out:
     90 	if (rv)
     91 		wpa_printf(MSG_DEBUG, "%s: Failed to find user", __func__);
     92 
     93 	return rv;
     94 }
     95 
     96 
     97 static int hostapd_setup_radius_srv(struct hostapd_data *hapd)
     98 {
     99 	struct radius_server_conf srv;
    100 	struct hostapd_bss_config *conf = hapd->conf;
    101 	os_memset(&srv, 0, sizeof(srv));
    102 	srv.client_file = conf->radius_server_clients;
    103 	srv.auth_port = conf->radius_server_auth_port;
    104 	srv.acct_port = conf->radius_server_acct_port;
    105 	srv.conf_ctx = hapd;
    106 	srv.eap_sim_db_priv = hapd->eap_sim_db_priv;
    107 	srv.ssl_ctx = hapd->ssl_ctx;
    108 	srv.msg_ctx = hapd->msg_ctx;
    109 	srv.pac_opaque_encr_key = conf->pac_opaque_encr_key;
    110 	srv.eap_fast_a_id = conf->eap_fast_a_id;
    111 	srv.eap_fast_a_id_len = conf->eap_fast_a_id_len;
    112 	srv.eap_fast_a_id_info = conf->eap_fast_a_id_info;
    113 	srv.eap_fast_prov = conf->eap_fast_prov;
    114 	srv.pac_key_lifetime = conf->pac_key_lifetime;
    115 	srv.pac_key_refresh_time = conf->pac_key_refresh_time;
    116 	srv.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
    117 	srv.tnc = conf->tnc;
    118 	srv.wps = hapd->wps;
    119 	srv.ipv6 = conf->radius_server_ipv6;
    120 	srv.get_eap_user = hostapd_radius_get_eap_user;
    121 	srv.eap_req_id_text = conf->eap_req_id_text;
    122 	srv.eap_req_id_text_len = conf->eap_req_id_text_len;
    123 	srv.pwd_group = conf->pwd_group;
    124 	srv.server_id = conf->server_id ? conf->server_id : "hostapd";
    125 	srv.sqlite_file = conf->eap_user_sqlite;
    126 #ifdef CONFIG_RADIUS_TEST
    127 	srv.dump_msk_file = conf->dump_msk_file;
    128 #endif /* CONFIG_RADIUS_TEST */
    129 #ifdef CONFIG_HS20
    130 	srv.subscr_remediation_url = conf->subscr_remediation_url;
    131 	srv.subscr_remediation_method = conf->subscr_remediation_method;
    132 #endif /* CONFIG_HS20 */
    133 	srv.erp = conf->eap_server_erp;
    134 	srv.erp_domain = conf->erp_domain;
    135 
    136 	hapd->radius_srv = radius_server_init(&srv);
    137 	if (hapd->radius_srv == NULL) {
    138 		wpa_printf(MSG_ERROR, "RADIUS server initialization failed.");
    139 		return -1;
    140 	}
    141 
    142 	return 0;
    143 }
    144 
    145 #endif /* RADIUS_SERVER */
    146 
    147 
    148 int authsrv_init(struct hostapd_data *hapd)
    149 {
    150 #ifdef EAP_TLS_FUNCS
    151 	if (hapd->conf->eap_server &&
    152 	    (hapd->conf->ca_cert || hapd->conf->server_cert ||
    153 	     hapd->conf->private_key || hapd->conf->dh_file)) {
    154 		struct tls_connection_params params;
    155 
    156 		hapd->ssl_ctx = tls_init(NULL);
    157 		if (hapd->ssl_ctx == NULL) {
    158 			wpa_printf(MSG_ERROR, "Failed to initialize TLS");
    159 			authsrv_deinit(hapd);
    160 			return -1;
    161 		}
    162 
    163 		os_memset(&params, 0, sizeof(params));
    164 		params.ca_cert = hapd->conf->ca_cert;
    165 		params.client_cert = hapd->conf->server_cert;
    166 		params.private_key = hapd->conf->private_key;
    167 		params.private_key_passwd = hapd->conf->private_key_passwd;
    168 		params.dh_file = hapd->conf->dh_file;
    169 		params.openssl_ciphers = hapd->conf->openssl_ciphers;
    170 		params.ocsp_stapling_response =
    171 			hapd->conf->ocsp_stapling_response;
    172 
    173 		if (tls_global_set_params(hapd->ssl_ctx, &params)) {
    174 			wpa_printf(MSG_ERROR, "Failed to set TLS parameters");
    175 			authsrv_deinit(hapd);
    176 			return -1;
    177 		}
    178 
    179 		if (tls_global_set_verify(hapd->ssl_ctx,
    180 					  hapd->conf->check_crl)) {
    181 			wpa_printf(MSG_ERROR, "Failed to enable check_crl");
    182 			authsrv_deinit(hapd);
    183 			return -1;
    184 		}
    185 	}
    186 #endif /* EAP_TLS_FUNCS */
    187 
    188 #ifdef EAP_SIM_DB
    189 	if (hapd->conf->eap_sim_db) {
    190 		hapd->eap_sim_db_priv =
    191 			eap_sim_db_init(hapd->conf->eap_sim_db,
    192 					hostapd_sim_db_cb, hapd);
    193 		if (hapd->eap_sim_db_priv == NULL) {
    194 			wpa_printf(MSG_ERROR, "Failed to initialize EAP-SIM "
    195 				   "database interface");
    196 			authsrv_deinit(hapd);
    197 			return -1;
    198 		}
    199 	}
    200 #endif /* EAP_SIM_DB */
    201 
    202 #ifdef RADIUS_SERVER
    203 	if (hapd->conf->radius_server_clients &&
    204 	    hostapd_setup_radius_srv(hapd))
    205 		return -1;
    206 #endif /* RADIUS_SERVER */
    207 
    208 	return 0;
    209 }
    210 
    211 
    212 void authsrv_deinit(struct hostapd_data *hapd)
    213 {
    214 #ifdef RADIUS_SERVER
    215 	radius_server_deinit(hapd->radius_srv);
    216 	hapd->radius_srv = NULL;
    217 #endif /* RADIUS_SERVER */
    218 
    219 #ifdef EAP_TLS_FUNCS
    220 	if (hapd->ssl_ctx) {
    221 		tls_deinit(hapd->ssl_ctx);
    222 		hapd->ssl_ctx = NULL;
    223 	}
    224 #endif /* EAP_TLS_FUNCS */
    225 
    226 #ifdef EAP_SIM_DB
    227 	if (hapd->eap_sim_db_priv) {
    228 		eap_sim_db_deinit(hapd->eap_sim_db_priv);
    229 		hapd->eap_sim_db_priv = NULL;
    230 	}
    231 #endif /* EAP_SIM_DB */
    232 }
    233