src/ap/authsrv.c

   1 /*
   2  * Authentication server setup
   3  * Copyright (c) 2002-2009, Jouni Malinen <j@w1.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  */
  14
  15 #include "utils/includes.h"
  16
  17 #include "utils/common.h"
  18 #include "crypto/tls.h"
  19 #include "eap_server/eap.h"
  20 #include "eap_server/eap_sim_db.h"
  21 #include "eapol_auth/eapol_auth_sm.h"
  22 #include "radius/radius_server.h"
  23 #include "hostapd.h"
  24 #include "ap_config.h"
  25 #include "sta_info.h"
  26 #include "authsrv.h"
  27
  28
  29 #if defined(EAP_SERVER_SIM) || defined(EAP_SERVER_AKA)
  30 #define EAP_SIM_DB
  31 #endif /* EAP_SERVER_SIM || EAP_SERVER_AKA */
  32
  33
  34 #ifdef EAP_SIM_DB
  35 static int hostapd_sim_db_cb_sta(struct hostapd_data *hapd,
  36                                  struct sta_info *sta, void *ctx)
  37 {
  38         if (eapol_auth_eap_pending_cb(sta->eapol_sm, ctx) == 0)
  39                 return 1;
  40         return 0;
  41 }
  42
  43
  44 static void hostapd_sim_db_cb(void *ctx, void *session_ctx)
  45 {
  46         struct hostapd_data *hapd = ctx;
  47         if (ap_for_each_sta(hapd, hostapd_sim_db_cb_sta, session_ctx) == 0) {
  48 #ifdef RADIUS_SERVER
  49                 radius_server_eap_pending_cb(hapd->radius_srv, session_ctx);
  50 #endif /* RADIUS_SERVER */
  51         }
  52 }
  53 #endif /* EAP_SIM_DB */
  54
  55
  56 #ifdef RADIUS_SERVER
  57
  58 static int hostapd_radius_get_eap_user(void *ctx, const u8 *identity,
  59                                        size_t identity_len, int phase2,
  60                                        struct eap_user *user)
  61 {
  62         const struct hostapd_eap_user *eap_user;
  63         int i, count;
  64
  65         eap_user = hostapd_get_eap_user(ctx, identity, identity_len, phase2);
  66         if (eap_user == NULL)
  67                 return -1;
  68
  69         if (user == NULL)
  70                 return 0;
  71
  72         os_memset(user, 0, sizeof(*user));
  73         count = EAP_USER_MAX_METHODS;
  74         if (count > EAP_MAX_METHODS)
  75                 count = EAP_MAX_METHODS;
  76         for (i = 0; i < count; i++) {
  77                 user->methods[i].vendor = eap_user->methods[i].vendor;
  78                 user->methods[i].method = eap_user->methods[i].method;
  79         }
  80
  81         if (eap_user->password) {
  82                 user->password = os_malloc(eap_user->password_len);
  83                 if (user->password == NULL)
  84                         return -1;
  85                 os_memcpy(user->password, eap_user->password,
  86                           eap_user->password_len);
  87                 user->password_len = eap_user->password_len;
  88                 user->password_hash = eap_user->password_hash;
  89         }
  90         user->force_version = eap_user->force_version;
  91         user->ttls_auth = eap_user->ttls_auth;
  92
  93         return 0;
  94 }
  95
  96
  97 static int hostapd_setup_radius_srv(struct hostapd_data *hapd)
  98 {
  99         struct radius_server_conf srv;
 100         struct hostapd_bss_config *conf = hapd->conf;
 101         os_memset(&srv, 0, sizeof(srv));
 102         srv.client_file = conf->radius_server_clients;
 103         srv.auth_port = conf->radius_server_auth_port;
 104         srv.conf_ctx = conf;
 105         srv.eap_sim_db_priv = hapd->eap_sim_db_priv;
 106         srv.ssl_ctx = hapd->ssl_ctx;
 107         srv.pac_opaque_encr_key = conf->pac_opaque_encr_key;
 108         srv.eap_fast_a_id = conf->eap_fast_a_id;
 109         srv.eap_fast_a_id_len = conf->eap_fast_a_id_len;
 110         srv.eap_fast_a_id_info = conf->eap_fast_a_id_info;
 111         srv.eap_fast_prov = conf->eap_fast_prov;
 112         srv.pac_key_lifetime = conf->pac_key_lifetime;
 113         srv.pac_key_refresh_time = conf->pac_key_refresh_time;
 114         srv.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
 115         srv.tnc = conf->tnc;
 116         srv.wps = hapd->wps;
 117         srv.ipv6 = conf->radius_server_ipv6;
 118         srv.get_eap_user = hostapd_radius_get_eap_user;
 119         srv.eap_req_id_text = conf->eap_req_id_text;
 120         srv.eap_req_id_text_len = conf->eap_req_id_text_len;
 121
 122         hapd->radius_srv = radius_server_init(&srv);
 123         if (hapd->radius_srv == NULL) {
 124                 wpa_printf(MSG_ERROR, "RADIUS server initialization failed.");
 125                 return -1;
 126         }
 127
 128         return 0;
 129 }
 130
 131 #endif /* RADIUS_SERVER */
 132
 133
 134 int authsrv_init(struct hostapd_data *hapd)
 135 {
 136 #ifdef EAP_TLS_FUNCS
 137         if (hapd->conf->eap_server &&
 138             (hapd->conf->ca_cert || hapd->conf->server_cert ||
 139              hapd->conf->dh_file)) {
 140                 struct tls_connection_params params;
 141
 142                 hapd->ssl_ctx = tls_init(NULL);
 143                 if (hapd->ssl_ctx == NULL) {
 144                         wpa_printf(MSG_ERROR, "Failed to initialize TLS");
 145                         authsrv_deinit(hapd);
 146                         return -1;
 147                 }
 148
 149                 os_memset(&params, 0, sizeof(params));
 150                 params.ca_cert = hapd->conf->ca_cert;
 151                 params.client_cert = hapd->conf->server_cert;
 152                 params.private_key = hapd->conf->private_key;
 153                 params.private_key_passwd = hapd->conf->private_key_passwd;
 154                 params.dh_file = hapd->conf->dh_file;
 155
 156                 if (tls_global_set_params(hapd->ssl_ctx, &params)) {
 157                         wpa_printf(MSG_ERROR, "Failed to set TLS parameters");
 158                         authsrv_deinit(hapd);
 159                         return -1;
 160                 }
 161
 162                 if (tls_global_set_verify(hapd->ssl_ctx,
 163                                           hapd->conf->check_crl)) {
 164                         wpa_printf(MSG_ERROR, "Failed to enable check_crl");
 165                         authsrv_deinit(hapd);
 166                         return -1;
 167                 }
 168         }
 169 #endif /* EAP_TLS_FUNCS */
 170
 171 #ifdef EAP_SIM_DB
 172         if (hapd->conf->eap_sim_db) {
 173                 hapd->eap_sim_db_priv =
 174                         eap_sim_db_init(hapd->conf->eap_sim_db,
 175                                         hostapd_sim_db_cb, hapd);
 176                 if (hapd->eap_sim_db_priv == NULL) {
 177                         wpa_printf(MSG_ERROR, "Failed to initialize EAP-SIM "
 178                                    "database interface");
 179                         authsrv_deinit(hapd);
 180                         return -1;
 181                 }
 182         }
 183 #endif /* EAP_SIM_DB */
 184
 185 #ifdef RADIUS_SERVER
 186         if (hapd->conf->radius_server_clients &&
 187             hostapd_setup_radius_srv(hapd))
 188                 return -1;
 189 #endif /* RADIUS_SERVER */
 190
 191         return 0;
 192 }
 193
 194
 195 void authsrv_deinit(struct hostapd_data *hapd)
 196 {
 197 #ifdef RADIUS_SERVER
 198         radius_server_deinit(hapd->radius_srv);
 199         hapd->radius_srv = NULL;
 200 #endif /* RADIUS_SERVER */
 201
 202 #ifdef EAP_TLS_FUNCS
 203         if (hapd->ssl_ctx) {
 204                 tls_deinit(hapd->ssl_ctx);
 205                 hapd->ssl_ctx = NULL;
 206         }
 207 #endif /* EAP_TLS_FUNCS */
 208
 209 #ifdef EAP_SIM_DB
 210         if (hapd->eap_sim_db_priv) {
 211                 eap_sim_db_deinit(hapd->eap_sim_db_priv);
 212                 hapd->eap_sim_db_priv = NULL;
 213         }
 214 #endif /* EAP_SIM_DB */
 215 }