| Dmitry Shmidt | 8d520ff | 2011-05-09 14:06:53 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Authentication server setup |
| 3 | * Copyright (c) 2002-2009, Jouni Malinen <j@w1.fi> |
| 4 | * |
| Dmitry Shmidt | c5ec7f5 | 2012-03-06 16:33:24 -0800 | [diff] [blame] | 5 | * This software may be distributed under the terms of the BSD license. |
| 6 | * See README for more details. |
| Dmitry Shmidt | 8d520ff | 2011-05-09 14:06:53 -0700 | [diff] [blame] | 7 | */ |
| 8 | |
| 9 | #include "utils/includes.h" |
| 10 | |
| 11 | #include "utils/common.h" |
| 12 | #include "crypto/tls.h" |
| 13 | #include "eap_server/eap.h" |
| 14 | #include "eap_server/eap_sim_db.h" |
| 15 | #include "eapol_auth/eapol_auth_sm.h" |
| 16 | #include "radius/radius_server.h" |
| 17 | #include "hostapd.h" |
| 18 | #include "ap_config.h" |
| 19 | #include "sta_info.h" |
| 20 | #include "authsrv.h" |
| 21 | |
| 22 | |
| 23 | #if defined(EAP_SERVER_SIM) || defined(EAP_SERVER_AKA) |
| 24 | #define EAP_SIM_DB |
| 25 | #endif /* EAP_SERVER_SIM || EAP_SERVER_AKA */ |
| 26 | |
| 27 | |
| 28 | #ifdef EAP_SIM_DB |
| 29 | static int hostapd_sim_db_cb_sta(struct hostapd_data *hapd, |
| 30 | struct sta_info *sta, void *ctx) |
| 31 | { |
| 32 | if (eapol_auth_eap_pending_cb(sta->eapol_sm, ctx) == 0) |
| 33 | return 1; |
| 34 | return 0; |
| 35 | } |
| 36 | |
| 37 | |
| 38 | static void hostapd_sim_db_cb(void *ctx, void *session_ctx) |
| 39 | { |
| 40 | struct hostapd_data *hapd = ctx; |
| 41 | if (ap_for_each_sta(hapd, hostapd_sim_db_cb_sta, session_ctx) == 0) { |
| 42 | #ifdef RADIUS_SERVER |
| 43 | radius_server_eap_pending_cb(hapd->radius_srv, session_ctx); |
| 44 | #endif /* RADIUS_SERVER */ |
| 45 | } |
| 46 | } |
| 47 | #endif /* EAP_SIM_DB */ |
| 48 | |
| 49 | |
| 50 | #ifdef RADIUS_SERVER |
| 51 | |
| 52 | static int hostapd_radius_get_eap_user(void *ctx, const u8 *identity, |
| 53 | size_t identity_len, int phase2, |
| 54 | struct eap_user *user) |
| 55 | { |
| 56 | const struct hostapd_eap_user *eap_user; |
| Dmitry Shmidt | 1f69aa5 | 2012-01-24 16:10:04 -0800 | [diff] [blame] | 57 | int i; |
| Dmitry Shmidt | 8d520ff | 2011-05-09 14:06:53 -0700 | [diff] [blame] | 58 | |
| 59 | eap_user = hostapd_get_eap_user(ctx, identity, identity_len, phase2); |
| 60 | if (eap_user == NULL) |
| 61 | return -1; |
| 62 | |
| 63 | if (user == NULL) |
| 64 | return 0; |
| 65 | |
| 66 | os_memset(user, 0, sizeof(*user)); |
| Dmitry Shmidt | 1f69aa5 | 2012-01-24 16:10:04 -0800 | [diff] [blame] | 67 | for (i = 0; i < EAP_MAX_METHODS; i++) { |
| Dmitry Shmidt | 8d520ff | 2011-05-09 14:06:53 -0700 | [diff] [blame] | 68 | user->methods[i].vendor = eap_user->methods[i].vendor; |
| 69 | user->methods[i].method = eap_user->methods[i].method; |
| 70 | } |
| 71 | |
| 72 | if (eap_user->password) { |
| 73 | user->password = os_malloc(eap_user->password_len); |
| 74 | if (user->password == NULL) |
| 75 | return -1; |
| 76 | os_memcpy(user->password, eap_user->password, |
| 77 | eap_user->password_len); |
| 78 | user->password_len = eap_user->password_len; |
| 79 | user->password_hash = eap_user->password_hash; |
| 80 | } |
| 81 | user->force_version = eap_user->force_version; |
| Dmitry Shmidt | df5a7e4 | 2014-04-02 12:59:59 -0700 | [diff] [blame] | 82 | user->macacl = eap_user->macacl; |
| Dmitry Shmidt | 8d520ff | 2011-05-09 14:06:53 -0700 | [diff] [blame] | 83 | user->ttls_auth = eap_user->ttls_auth; |
| Dmitry Shmidt | f21452a | 2014-02-26 10:55:25 -0800 | [diff] [blame] | 84 | user->remediation = eap_user->remediation; |
| Dmitry Shmidt | 818ea48 | 2014-03-10 13:15:21 -0700 | [diff] [blame] | 85 | user->accept_attr = eap_user->accept_attr; |
| Dmitry Shmidt | 8d520ff | 2011-05-09 14:06:53 -0700 | [diff] [blame] | 86 | |
| 87 | return 0; |
| 88 | } |
| 89 | |
| 90 | |
| 91 | static int hostapd_setup_radius_srv(struct hostapd_data *hapd) |
| 92 | { |
| 93 | struct radius_server_conf srv; |
| 94 | struct hostapd_bss_config *conf = hapd->conf; |
| 95 | os_memset(&srv, 0, sizeof(srv)); |
| 96 | srv.client_file = conf->radius_server_clients; |
| 97 | srv.auth_port = conf->radius_server_auth_port; |
| Dmitry Shmidt | bd14a57 | 2014-02-18 10:33:49 -0800 | [diff] [blame] | 98 | srv.acct_port = conf->radius_server_acct_port; |
| Dmitry Shmidt | d5e4923 | 2012-12-03 15:08:10 -0800 | [diff] [blame] | 99 | srv.conf_ctx = hapd; |
| Dmitry Shmidt | 8d520ff | 2011-05-09 14:06:53 -0700 | [diff] [blame] | 100 | srv.eap_sim_db_priv = hapd->eap_sim_db_priv; |
| 101 | srv.ssl_ctx = hapd->ssl_ctx; |
| 102 | srv.msg_ctx = hapd->msg_ctx; |
| 103 | srv.pac_opaque_encr_key = conf->pac_opaque_encr_key; |
| 104 | srv.eap_fast_a_id = conf->eap_fast_a_id; |
| 105 | srv.eap_fast_a_id_len = conf->eap_fast_a_id_len; |
| 106 | srv.eap_fast_a_id_info = conf->eap_fast_a_id_info; |
| 107 | srv.eap_fast_prov = conf->eap_fast_prov; |
| 108 | srv.pac_key_lifetime = conf->pac_key_lifetime; |
| 109 | srv.pac_key_refresh_time = conf->pac_key_refresh_time; |
| 110 | srv.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind; |
| 111 | srv.tnc = conf->tnc; |
| 112 | srv.wps = hapd->wps; |
| 113 | srv.ipv6 = conf->radius_server_ipv6; |
| 114 | srv.get_eap_user = hostapd_radius_get_eap_user; |
| 115 | srv.eap_req_id_text = conf->eap_req_id_text; |
| 116 | srv.eap_req_id_text_len = conf->eap_req_id_text_len; |
| 117 | srv.pwd_group = conf->pwd_group; |
| Dmitry Shmidt | 34af306 | 2013-07-11 10:46:32 -0700 | [diff] [blame] | 118 | srv.server_id = conf->server_id ? conf->server_id : "hostapd"; |
| Dmitry Shmidt | 818ea48 | 2014-03-10 13:15:21 -0700 | [diff] [blame] | 119 | srv.sqlite_file = conf->eap_user_sqlite; |
| Dmitry Shmidt | 1f69aa5 | 2012-01-24 16:10:04 -0800 | [diff] [blame] | 120 | #ifdef CONFIG_RADIUS_TEST |
| 121 | srv.dump_msk_file = conf->dump_msk_file; |
| 122 | #endif /* CONFIG_RADIUS_TEST */ |
| Dmitry Shmidt | f21452a | 2014-02-26 10:55:25 -0800 | [diff] [blame] | 123 | #ifdef CONFIG_HS20 |
| 124 | srv.subscr_remediation_url = conf->subscr_remediation_url; |
| 125 | srv.subscr_remediation_method = conf->subscr_remediation_method; |
| 126 | #endif /* CONFIG_HS20 */ |
| Dmitry Shmidt | 6c0da2b | 2015-01-05 13:08:17 -0800 | [diff] [blame^] | 127 | srv.erp = conf->eap_server_erp; |
| 128 | srv.erp_domain = conf->erp_domain; |
| Dmitry Shmidt | 8d520ff | 2011-05-09 14:06:53 -0700 | [diff] [blame] | 129 | |
| 130 | hapd->radius_srv = radius_server_init(&srv); |
| 131 | if (hapd->radius_srv == NULL) { |
| 132 | wpa_printf(MSG_ERROR, "RADIUS server initialization failed."); |
| 133 | return -1; |
| 134 | } |
| 135 | |
| 136 | return 0; |
| 137 | } |
| 138 | |
| 139 | #endif /* RADIUS_SERVER */ |
| 140 | |
| 141 | |
| 142 | int authsrv_init(struct hostapd_data *hapd) |
| 143 | { |
| 144 | #ifdef EAP_TLS_FUNCS |
| 145 | if (hapd->conf->eap_server && |
| 146 | (hapd->conf->ca_cert || hapd->conf->server_cert || |
| Dmitry Shmidt | 01904cf | 2013-12-05 11:08:35 -0800 | [diff] [blame] | 147 | hapd->conf->private_key || hapd->conf->dh_file)) { |
| Dmitry Shmidt | 8d520ff | 2011-05-09 14:06:53 -0700 | [diff] [blame] | 148 | struct tls_connection_params params; |
| 149 | |
| 150 | hapd->ssl_ctx = tls_init(NULL); |
| 151 | if (hapd->ssl_ctx == NULL) { |
| 152 | wpa_printf(MSG_ERROR, "Failed to initialize TLS"); |
| 153 | authsrv_deinit(hapd); |
| 154 | return -1; |
| 155 | } |
| 156 | |
| 157 | os_memset(¶ms, 0, sizeof(params)); |
| 158 | params.ca_cert = hapd->conf->ca_cert; |
| 159 | params.client_cert = hapd->conf->server_cert; |
| 160 | params.private_key = hapd->conf->private_key; |
| 161 | params.private_key_passwd = hapd->conf->private_key_passwd; |
| 162 | params.dh_file = hapd->conf->dh_file; |
| Dmitry Shmidt | 6c0da2b | 2015-01-05 13:08:17 -0800 | [diff] [blame^] | 163 | params.openssl_ciphers = hapd->conf->openssl_ciphers; |
| Dmitry Shmidt | 34af306 | 2013-07-11 10:46:32 -0700 | [diff] [blame] | 164 | params.ocsp_stapling_response = |
| 165 | hapd->conf->ocsp_stapling_response; |
| Dmitry Shmidt | 8d520ff | 2011-05-09 14:06:53 -0700 | [diff] [blame] | 166 | |
| 167 | if (tls_global_set_params(hapd->ssl_ctx, ¶ms)) { |
| 168 | wpa_printf(MSG_ERROR, "Failed to set TLS parameters"); |
| 169 | authsrv_deinit(hapd); |
| 170 | return -1; |
| 171 | } |
| 172 | |
| 173 | if (tls_global_set_verify(hapd->ssl_ctx, |
| 174 | hapd->conf->check_crl)) { |
| 175 | wpa_printf(MSG_ERROR, "Failed to enable check_crl"); |
| 176 | authsrv_deinit(hapd); |
| 177 | return -1; |
| 178 | } |
| 179 | } |
| 180 | #endif /* EAP_TLS_FUNCS */ |
| 181 | |
| 182 | #ifdef EAP_SIM_DB |
| 183 | if (hapd->conf->eap_sim_db) { |
| 184 | hapd->eap_sim_db_priv = |
| 185 | eap_sim_db_init(hapd->conf->eap_sim_db, |
| 186 | hostapd_sim_db_cb, hapd); |
| 187 | if (hapd->eap_sim_db_priv == NULL) { |
| 188 | wpa_printf(MSG_ERROR, "Failed to initialize EAP-SIM " |
| 189 | "database interface"); |
| 190 | authsrv_deinit(hapd); |
| 191 | return -1; |
| 192 | } |
| 193 | } |
| 194 | #endif /* EAP_SIM_DB */ |
| 195 | |
| 196 | #ifdef RADIUS_SERVER |
| 197 | if (hapd->conf->radius_server_clients && |
| 198 | hostapd_setup_radius_srv(hapd)) |
| 199 | return -1; |
| 200 | #endif /* RADIUS_SERVER */ |
| 201 | |
| 202 | return 0; |
| 203 | } |
| 204 | |
| 205 | |
| 206 | void authsrv_deinit(struct hostapd_data *hapd) |
| 207 | { |
| 208 | #ifdef RADIUS_SERVER |
| 209 | radius_server_deinit(hapd->radius_srv); |
| 210 | hapd->radius_srv = NULL; |
| 211 | #endif /* RADIUS_SERVER */ |
| 212 | |
| 213 | #ifdef EAP_TLS_FUNCS |
| 214 | if (hapd->ssl_ctx) { |
| 215 | tls_deinit(hapd->ssl_ctx); |
| 216 | hapd->ssl_ctx = NULL; |
| 217 | } |
| 218 | #endif /* EAP_TLS_FUNCS */ |
| 219 | |
| 220 | #ifdef EAP_SIM_DB |
| 221 | if (hapd->eap_sim_db_priv) { |
| 222 | eap_sim_db_deinit(hapd->eap_sim_db_priv); |
| 223 | hapd->eap_sim_db_priv = NULL; |
| 224 | } |
| 225 | #endif /* EAP_SIM_DB */ |
| 226 | } |