| Dmitry Shmidt | 8d520ff | 2011-05-09 14:06:53 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Authentication server setup |
| 3 | * Copyright (c) 2002-2009, Jouni Malinen <j@w1.fi> |
| 4 | * |
| 5 | * This program is free software; you can redistribute it and/or modify |
| 6 | * it under the terms of the GNU General Public License version 2 as |
| 7 | * published by the Free Software Foundation. |
| 8 | * |
| 9 | * Alternatively, this software may be distributed under the terms of BSD |
| 10 | * license. |
| 11 | * |
| 12 | * See README and COPYING for more details. |
| 13 | */ |
| 14 | |
| 15 | #include "utils/includes.h" |
| 16 | |
| 17 | #include "utils/common.h" |
| 18 | #include "crypto/tls.h" |
| 19 | #include "eap_server/eap.h" |
| 20 | #include "eap_server/eap_sim_db.h" |
| 21 | #include "eapol_auth/eapol_auth_sm.h" |
| 22 | #include "radius/radius_server.h" |
| 23 | #include "hostapd.h" |
| 24 | #include "ap_config.h" |
| 25 | #include "sta_info.h" |
| 26 | #include "authsrv.h" |
| 27 | |
| 28 | |
| 29 | #if defined(EAP_SERVER_SIM) || defined(EAP_SERVER_AKA) |
| 30 | #define EAP_SIM_DB |
| 31 | #endif /* EAP_SERVER_SIM || EAP_SERVER_AKA */ |
| 32 | |
| 33 | |
| 34 | #ifdef EAP_SIM_DB |
| 35 | static int hostapd_sim_db_cb_sta(struct hostapd_data *hapd, |
| 36 | struct sta_info *sta, void *ctx) |
| 37 | { |
| 38 | if (eapol_auth_eap_pending_cb(sta->eapol_sm, ctx) == 0) |
| 39 | return 1; |
| 40 | return 0; |
| 41 | } |
| 42 | |
| 43 | |
| 44 | static void hostapd_sim_db_cb(void *ctx, void *session_ctx) |
| 45 | { |
| 46 | struct hostapd_data *hapd = ctx; |
| 47 | if (ap_for_each_sta(hapd, hostapd_sim_db_cb_sta, session_ctx) == 0) { |
| 48 | #ifdef RADIUS_SERVER |
| 49 | radius_server_eap_pending_cb(hapd->radius_srv, session_ctx); |
| 50 | #endif /* RADIUS_SERVER */ |
| 51 | } |
| 52 | } |
| 53 | #endif /* EAP_SIM_DB */ |
| 54 | |
| 55 | |
| 56 | #ifdef RADIUS_SERVER |
| 57 | |
| 58 | static int hostapd_radius_get_eap_user(void *ctx, const u8 *identity, |
| 59 | size_t identity_len, int phase2, |
| 60 | struct eap_user *user) |
| 61 | { |
| 62 | const struct hostapd_eap_user *eap_user; |
| Dmitry Shmidt | 1f69aa5 | 2012-01-24 16:10:04 -0800 | [diff] [blame^] | 63 | int i; |
| Dmitry Shmidt | 8d520ff | 2011-05-09 14:06:53 -0700 | [diff] [blame] | 64 | |
| 65 | eap_user = hostapd_get_eap_user(ctx, identity, identity_len, phase2); |
| 66 | if (eap_user == NULL) |
| 67 | return -1; |
| 68 | |
| 69 | if (user == NULL) |
| 70 | return 0; |
| 71 | |
| 72 | os_memset(user, 0, sizeof(*user)); |
| Dmitry Shmidt | 1f69aa5 | 2012-01-24 16:10:04 -0800 | [diff] [blame^] | 73 | for (i = 0; i < EAP_MAX_METHODS; i++) { |
| Dmitry Shmidt | 8d520ff | 2011-05-09 14:06:53 -0700 | [diff] [blame] | 74 | user->methods[i].vendor = eap_user->methods[i].vendor; |
| 75 | user->methods[i].method = eap_user->methods[i].method; |
| 76 | } |
| 77 | |
| 78 | if (eap_user->password) { |
| 79 | user->password = os_malloc(eap_user->password_len); |
| 80 | if (user->password == NULL) |
| 81 | return -1; |
| 82 | os_memcpy(user->password, eap_user->password, |
| 83 | eap_user->password_len); |
| 84 | user->password_len = eap_user->password_len; |
| 85 | user->password_hash = eap_user->password_hash; |
| 86 | } |
| 87 | user->force_version = eap_user->force_version; |
| 88 | user->ttls_auth = eap_user->ttls_auth; |
| 89 | |
| 90 | return 0; |
| 91 | } |
| 92 | |
| 93 | |
| 94 | static int hostapd_setup_radius_srv(struct hostapd_data *hapd) |
| 95 | { |
| 96 | struct radius_server_conf srv; |
| 97 | struct hostapd_bss_config *conf = hapd->conf; |
| 98 | os_memset(&srv, 0, sizeof(srv)); |
| 99 | srv.client_file = conf->radius_server_clients; |
| 100 | srv.auth_port = conf->radius_server_auth_port; |
| 101 | srv.conf_ctx = conf; |
| 102 | srv.eap_sim_db_priv = hapd->eap_sim_db_priv; |
| 103 | srv.ssl_ctx = hapd->ssl_ctx; |
| 104 | srv.msg_ctx = hapd->msg_ctx; |
| 105 | srv.pac_opaque_encr_key = conf->pac_opaque_encr_key; |
| 106 | srv.eap_fast_a_id = conf->eap_fast_a_id; |
| 107 | srv.eap_fast_a_id_len = conf->eap_fast_a_id_len; |
| 108 | srv.eap_fast_a_id_info = conf->eap_fast_a_id_info; |
| 109 | srv.eap_fast_prov = conf->eap_fast_prov; |
| 110 | srv.pac_key_lifetime = conf->pac_key_lifetime; |
| 111 | srv.pac_key_refresh_time = conf->pac_key_refresh_time; |
| 112 | srv.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind; |
| 113 | srv.tnc = conf->tnc; |
| 114 | srv.wps = hapd->wps; |
| 115 | srv.ipv6 = conf->radius_server_ipv6; |
| 116 | srv.get_eap_user = hostapd_radius_get_eap_user; |
| 117 | srv.eap_req_id_text = conf->eap_req_id_text; |
| 118 | srv.eap_req_id_text_len = conf->eap_req_id_text_len; |
| 119 | srv.pwd_group = conf->pwd_group; |
| Dmitry Shmidt | 1f69aa5 | 2012-01-24 16:10:04 -0800 | [diff] [blame^] | 120 | #ifdef CONFIG_RADIUS_TEST |
| 121 | srv.dump_msk_file = conf->dump_msk_file; |
| 122 | #endif /* CONFIG_RADIUS_TEST */ |
| Dmitry Shmidt | 8d520ff | 2011-05-09 14:06:53 -0700 | [diff] [blame] | 123 | |
| 124 | hapd->radius_srv = radius_server_init(&srv); |
| 125 | if (hapd->radius_srv == NULL) { |
| 126 | wpa_printf(MSG_ERROR, "RADIUS server initialization failed."); |
| 127 | return -1; |
| 128 | } |
| 129 | |
| 130 | return 0; |
| 131 | } |
| 132 | |
| 133 | #endif /* RADIUS_SERVER */ |
| 134 | |
| 135 | |
| 136 | int authsrv_init(struct hostapd_data *hapd) |
| 137 | { |
| 138 | #ifdef EAP_TLS_FUNCS |
| 139 | if (hapd->conf->eap_server && |
| 140 | (hapd->conf->ca_cert || hapd->conf->server_cert || |
| 141 | hapd->conf->dh_file)) { |
| 142 | struct tls_connection_params params; |
| 143 | |
| 144 | hapd->ssl_ctx = tls_init(NULL); |
| 145 | if (hapd->ssl_ctx == NULL) { |
| 146 | wpa_printf(MSG_ERROR, "Failed to initialize TLS"); |
| 147 | authsrv_deinit(hapd); |
| 148 | return -1; |
| 149 | } |
| 150 | |
| 151 | os_memset(¶ms, 0, sizeof(params)); |
| 152 | params.ca_cert = hapd->conf->ca_cert; |
| 153 | params.client_cert = hapd->conf->server_cert; |
| 154 | params.private_key = hapd->conf->private_key; |
| 155 | params.private_key_passwd = hapd->conf->private_key_passwd; |
| 156 | params.dh_file = hapd->conf->dh_file; |
| 157 | |
| 158 | if (tls_global_set_params(hapd->ssl_ctx, ¶ms)) { |
| 159 | wpa_printf(MSG_ERROR, "Failed to set TLS parameters"); |
| 160 | authsrv_deinit(hapd); |
| 161 | return -1; |
| 162 | } |
| 163 | |
| 164 | if (tls_global_set_verify(hapd->ssl_ctx, |
| 165 | hapd->conf->check_crl)) { |
| 166 | wpa_printf(MSG_ERROR, "Failed to enable check_crl"); |
| 167 | authsrv_deinit(hapd); |
| 168 | return -1; |
| 169 | } |
| 170 | } |
| 171 | #endif /* EAP_TLS_FUNCS */ |
| 172 | |
| 173 | #ifdef EAP_SIM_DB |
| 174 | if (hapd->conf->eap_sim_db) { |
| 175 | hapd->eap_sim_db_priv = |
| 176 | eap_sim_db_init(hapd->conf->eap_sim_db, |
| 177 | hostapd_sim_db_cb, hapd); |
| 178 | if (hapd->eap_sim_db_priv == NULL) { |
| 179 | wpa_printf(MSG_ERROR, "Failed to initialize EAP-SIM " |
| 180 | "database interface"); |
| 181 | authsrv_deinit(hapd); |
| 182 | return -1; |
| 183 | } |
| 184 | } |
| 185 | #endif /* EAP_SIM_DB */ |
| 186 | |
| 187 | #ifdef RADIUS_SERVER |
| 188 | if (hapd->conf->radius_server_clients && |
| 189 | hostapd_setup_radius_srv(hapd)) |
| 190 | return -1; |
| 191 | #endif /* RADIUS_SERVER */ |
| 192 | |
| 193 | return 0; |
| 194 | } |
| 195 | |
| 196 | |
| 197 | void authsrv_deinit(struct hostapd_data *hapd) |
| 198 | { |
| 199 | #ifdef RADIUS_SERVER |
| 200 | radius_server_deinit(hapd->radius_srv); |
| 201 | hapd->radius_srv = NULL; |
| 202 | #endif /* RADIUS_SERVER */ |
| 203 | |
| 204 | #ifdef EAP_TLS_FUNCS |
| 205 | if (hapd->ssl_ctx) { |
| 206 | tls_deinit(hapd->ssl_ctx); |
| 207 | hapd->ssl_ctx = NULL; |
| 208 | } |
| 209 | #endif /* EAP_TLS_FUNCS */ |
| 210 | |
| 211 | #ifdef EAP_SIM_DB |
| 212 | if (hapd->eap_sim_db_priv) { |
| 213 | eap_sim_db_deinit(hapd->eap_sim_db_priv); |
| 214 | hapd->eap_sim_db_priv = NULL; |
| 215 | } |
| 216 | #endif /* EAP_SIM_DB */ |
| 217 | } |