contrib/wpa/src/ap/authsrv.c

   1 /*
   2  * Authentication server setup
   3  * Copyright (c) 2002-2009, Jouni Malinen <j@w1.fi>
   4  *
   5  * This software may be distributed under the terms of the BSD license.
   6  * See README for more details.
   7  */
   8
   9 #include "utils/includes.h"
  10
  11 #include "utils/common.h"
  12 #include "crypto/tls.h"
  13 #include "eap_server/eap.h"
  14 #include "eap_server/eap_sim_db.h"
  15 #include "eapol_auth/eapol_auth_sm.h"
  16 #include "radius/radius_server.h"
  17 #include "hostapd.h"
  18 #include "ap_config.h"
  19 #include "sta_info.h"
  20 #include "authsrv.h"
  21
  22
  23 #if defined(EAP_SERVER_SIM) || defined(EAP_SERVER_AKA)
  24 #define EAP_SIM_DB
  25 #endif /* EAP_SERVER_SIM || EAP_SERVER_AKA */
  26
  27
  28 #ifdef EAP_SIM_DB
  29 static int hostapd_sim_db_cb_sta(struct hostapd_data *hapd,
  30                                  struct sta_info *sta, void *ctx)
  31 {
  32         if (eapol_auth_eap_pending_cb(sta->eapol_sm, ctx) == 0)
  33                 return 1;
  34         return 0;
  35 }
  36
  37
  38 static void hostapd_sim_db_cb(void *ctx, void *session_ctx)
  39 {
  40         struct hostapd_data *hapd = ctx;
  41         if (ap_for_each_sta(hapd, hostapd_sim_db_cb_sta, session_ctx) == 0) {
  42 #ifdef RADIUS_SERVER
  43                 radius_server_eap_pending_cb(hapd->radius_srv, session_ctx);
  44 #endif /* RADIUS_SERVER */
  45         }
  46 }
  47 #endif /* EAP_SIM_DB */
  48
  49
  50 #ifdef RADIUS_SERVER
  51
  52 static int hostapd_radius_get_eap_user(void *ctx, const u8 *identity,
  53                                        size_t identity_len, int phase2,
  54                                        struct eap_user *user)
  55 {
  56         const struct hostapd_eap_user *eap_user;
  57         int i;
  58         int rv = -1;
  59
  60         eap_user = hostapd_get_eap_user(ctx, identity, identity_len, phase2);
  61         if (eap_user == NULL)
  62                 goto out;
  63
  64         if (user == NULL)
  65                 return 0;
  66
  67         os_memset(user, 0, sizeof(*user));
  68         for (i = 0; i < EAP_MAX_METHODS; i++) {
  69                 user->methods[i].vendor = eap_user->methods[i].vendor;
  70                 user->methods[i].method = eap_user->methods[i].method;
  71         }
  72
  73         if (eap_user->password) {
  74                 user->password = os_memdup(eap_user->password,
  75                                            eap_user->password_len);
  76                 if (user->password == NULL)
  77                         goto out;
  78                 user->password_len = eap_user->password_len;
  79                 user->password_hash = eap_user->password_hash;
  80                 if (eap_user->salt && eap_user->salt_len) {
  81                         user->salt = os_memdup(eap_user->salt,
  82                                                eap_user->salt_len);
  83                         if (!user->salt)
  84                                 goto out;
  85                         user->salt_len = eap_user->salt_len;
  86                 }
  87         }
  88         user->force_version = eap_user->force_version;
  89         user->macacl = eap_user->macacl;
  90         user->ttls_auth = eap_user->ttls_auth;
  91         user->remediation = eap_user->remediation;
  92         user->accept_attr = eap_user->accept_attr;
  93         user->t_c_timestamp = eap_user->t_c_timestamp;
  94         rv = 0;
  95
  96 out:
  97         if (rv)
  98                 wpa_printf(MSG_DEBUG, "%s: Failed to find user", __func__);
  99
 100         return rv;
 101 }
 102
 103
 104 static int hostapd_setup_radius_srv(struct hostapd_data *hapd)
 105 {
 106         struct radius_server_conf srv;
 107         struct hostapd_bss_config *conf = hapd->conf;
 108         os_memset(&srv, 0, sizeof(srv));
 109         srv.client_file = conf->radius_server_clients;
 110         srv.auth_port = conf->radius_server_auth_port;
 111         srv.acct_port = conf->radius_server_acct_port;
 112         srv.conf_ctx = hapd;
 113         srv.eap_sim_db_priv = hapd->eap_sim_db_priv;
 114         srv.ssl_ctx = hapd->ssl_ctx;
 115         srv.msg_ctx = hapd->msg_ctx;
 116         srv.pac_opaque_encr_key = conf->pac_opaque_encr_key;
 117         srv.eap_fast_a_id = conf->eap_fast_a_id;
 118         srv.eap_fast_a_id_len = conf->eap_fast_a_id_len;
 119         srv.eap_fast_a_id_info = conf->eap_fast_a_id_info;
 120         srv.eap_fast_prov = conf->eap_fast_prov;
 121         srv.pac_key_lifetime = conf->pac_key_lifetime;
 122         srv.pac_key_refresh_time = conf->pac_key_refresh_time;
 123         srv.eap_teap_auth = conf->eap_teap_auth;
 124         srv.eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
 125         srv.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
 126         srv.eap_sim_id = conf->eap_sim_id;
 127         srv.tnc = conf->tnc;
 128         srv.wps = hapd->wps;
 129         srv.ipv6 = conf->radius_server_ipv6;
 130         srv.get_eap_user = hostapd_radius_get_eap_user;
 131         srv.eap_req_id_text = conf->eap_req_id_text;
 132         srv.eap_req_id_text_len = conf->eap_req_id_text_len;
 133         srv.pwd_group = conf->pwd_group;
 134         srv.server_id = conf->server_id ? conf->server_id : "hostapd";
 135         srv.sqlite_file = conf->eap_user_sqlite;
 136 #ifdef CONFIG_RADIUS_TEST
 137         srv.dump_msk_file = conf->dump_msk_file;
 138 #endif /* CONFIG_RADIUS_TEST */
 139 #ifdef CONFIG_HS20
 140         srv.subscr_remediation_url = conf->subscr_remediation_url;
 141         srv.subscr_remediation_method = conf->subscr_remediation_method;
 142         srv.hs20_sim_provisioning_url = conf->hs20_sim_provisioning_url;
 143         srv.t_c_server_url = conf->t_c_server_url;
 144 #endif /* CONFIG_HS20 */
 145         srv.erp = conf->eap_server_erp;
 146         srv.erp_domain = conf->erp_domain;
 147         srv.tls_session_lifetime = conf->tls_session_lifetime;
 148         srv.tls_flags = conf->tls_flags;
 149
 150         hapd->radius_srv = radius_server_init(&srv);
 151         if (hapd->radius_srv == NULL) {
 152                 wpa_printf(MSG_ERROR, "RADIUS server initialization failed.");
 153                 return -1;
 154         }
 155
 156         return 0;
 157 }
 158
 159 #endif /* RADIUS_SERVER */
 160
 161
 162 #ifdef EAP_TLS_FUNCS
 163 static void authsrv_tls_event(void *ctx, enum tls_event ev,
 164                               union tls_event_data *data)
 165 {
 166         switch (ev) {
 167         case TLS_CERT_CHAIN_SUCCESS:
 168                 wpa_printf(MSG_DEBUG, "authsrv: remote certificate verification success");
 169                 break;
 170         case TLS_CERT_CHAIN_FAILURE:
 171                 wpa_printf(MSG_INFO, "authsrv: certificate chain failure: reason=%d depth=%d subject='%s' err='%s'",
 172                            data->cert_fail.reason,
 173                            data->cert_fail.depth,
 174                            data->cert_fail.subject,
 175                            data->cert_fail.reason_txt);
 176                 break;
 177         case TLS_PEER_CERTIFICATE:
 178                 wpa_printf(MSG_DEBUG, "authsrv: peer certificate: depth=%d serial_num=%s subject=%s",
 179                            data->peer_cert.depth,
 180                            data->peer_cert.serial_num ? data->peer_cert.serial_num : "N/A",
 181                            data->peer_cert.subject);
 182                 break;
 183         case TLS_ALERT:
 184                 if (data->alert.is_local)
 185                         wpa_printf(MSG_DEBUG, "authsrv: local TLS alert: %s",
 186                                    data->alert.description);
 187                 else
 188                         wpa_printf(MSG_DEBUG, "authsrv: remote TLS alert: %s",
 189                                    data->alert.description);
 190                 break;
 191         }
 192 }
 193 #endif /* EAP_TLS_FUNCS */
 194
 195
 196 int authsrv_init(struct hostapd_data *hapd)
 197 {
 198 #ifdef EAP_TLS_FUNCS
 199         if (hapd->conf->eap_server &&
 200             (hapd->conf->ca_cert || hapd->conf->server_cert ||
 201              hapd->conf->private_key || hapd->conf->dh_file ||
 202              hapd->conf->server_cert2 || hapd->conf->private_key2)) {
 203                 struct tls_config conf;
 204                 struct tls_connection_params params;
 205
 206                 os_memset(&conf, 0, sizeof(conf));
 207                 conf.tls_session_lifetime = hapd->conf->tls_session_lifetime;
 208                 if (hapd->conf->crl_reload_interval > 0 &&
 209                     hapd->conf->check_crl <= 0) {
 210                         wpa_printf(MSG_INFO,
 211                                    "Cannot enable CRL reload functionality - it depends on check_crl being set");
 212                 } else if (hapd->conf->crl_reload_interval > 0) {
 213                         conf.crl_reload_interval =
 214                                 hapd->conf->crl_reload_interval;
 215                         wpa_printf(MSG_INFO,
 216                                    "Enabled CRL reload functionality");
 217                 }
 218                 conf.tls_flags = hapd->conf->tls_flags;
 219                 conf.event_cb = authsrv_tls_event;
 220                 conf.cb_ctx = hapd;
 221                 hapd->ssl_ctx = tls_init(&conf);
 222                 if (hapd->ssl_ctx == NULL) {
 223                         wpa_printf(MSG_ERROR, "Failed to initialize TLS");
 224                         authsrv_deinit(hapd);
 225                         return -1;
 226                 }
 227
 228                 os_memset(&params, 0, sizeof(params));
 229                 params.ca_cert = hapd->conf->ca_cert;
 230                 params.client_cert = hapd->conf->server_cert;
 231                 params.client_cert2 = hapd->conf->server_cert2;
 232                 params.private_key = hapd->conf->private_key;
 233                 params.private_key2 = hapd->conf->private_key2;
 234                 params.private_key_passwd = hapd->conf->private_key_passwd;
 235                 params.private_key_passwd2 = hapd->conf->private_key_passwd2;
 236                 params.dh_file = hapd->conf->dh_file;
 237                 params.openssl_ciphers = hapd->conf->openssl_ciphers;
 238                 params.openssl_ecdh_curves = hapd->conf->openssl_ecdh_curves;
 239                 params.ocsp_stapling_response =
 240                         hapd->conf->ocsp_stapling_response;
 241                 params.ocsp_stapling_response_multi =
 242                         hapd->conf->ocsp_stapling_response_multi;
 243                 params.check_cert_subject = hapd->conf->check_cert_subject;
 244
 245                 if (tls_global_set_params(hapd->ssl_ctx, &params)) {
 246                         wpa_printf(MSG_ERROR, "Failed to set TLS parameters");
 247                         authsrv_deinit(hapd);
 248                         return -1;
 249                 }
 250
 251                 if (tls_global_set_verify(hapd->ssl_ctx,
 252                                           hapd->conf->check_crl,
 253                                           hapd->conf->check_crl_strict)) {
 254                         wpa_printf(MSG_ERROR, "Failed to enable check_crl");
 255                         authsrv_deinit(hapd);
 256                         return -1;
 257                 }
 258         }
 259 #endif /* EAP_TLS_FUNCS */
 260
 261 #ifdef EAP_SIM_DB
 262         if (hapd->conf->eap_sim_db) {
 263                 hapd->eap_sim_db_priv =
 264                         eap_sim_db_init(hapd->conf->eap_sim_db,
 265                                         hapd->conf->eap_sim_db_timeout,
 266                                         hostapd_sim_db_cb, hapd);
 267                 if (hapd->eap_sim_db_priv == NULL) {
 268                         wpa_printf(MSG_ERROR, "Failed to initialize EAP-SIM "
 269                                    "database interface");
 270                         authsrv_deinit(hapd);
 271                         return -1;
 272                 }
 273         }
 274 #endif /* EAP_SIM_DB */
 275
 276 #ifdef RADIUS_SERVER
 277         if (hapd->conf->radius_server_clients &&
 278             hostapd_setup_radius_srv(hapd))
 279                 return -1;
 280 #endif /* RADIUS_SERVER */
 281
 282         return 0;
 283 }
 284
 285
 286 void authsrv_deinit(struct hostapd_data *hapd)
 287 {
 288 #ifdef RADIUS_SERVER
 289         radius_server_deinit(hapd->radius_srv);
 290         hapd->radius_srv = NULL;
 291 #endif /* RADIUS_SERVER */
 292
 293 #ifdef EAP_TLS_FUNCS
 294         if (hapd->ssl_ctx) {
 295                 tls_deinit(hapd->ssl_ctx);
 296                 hapd->ssl_ctx = NULL;
 297         }
 298 #endif /* EAP_TLS_FUNCS */
 299
 300 #ifdef EAP_SIM_DB
 301         if (hapd->eap_sim_db_priv) {
 302                 eap_sim_db_deinit(hapd->eap_sim_db_priv);
 303                 hapd->eap_sim_db_priv = NULL;
 304         }
 305 #endif /* EAP_SIM_DB */
 306 }