2 * hostapd / EAP user database
3 * Copyright (c) 2012, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #endif /* CONFIG_SQLITE */
15 #include "eap_common/eap_wsc_common.h"
16 #include "eap_server/eap_methods.h"
17 #include "eap_server/eap.h"
18 #include "ap_config.h"
23 static void set_user_methods(struct hostapd_eap_user *user, const char *methods)
28 buf = os_strdup(methods);
32 os_memset(&user->methods, 0, sizeof(user->methods));
36 char *pos3 = os_strchr(start, ',');
39 user->methods[num_methods].method =
40 eap_server_get_type(start,
41 &user->methods[num_methods].vendor);
42 if (user->methods[num_methods].vendor == EAP_VENDOR_IETF &&
43 user->methods[num_methods].method == EAP_TYPE_NONE) {
44 if (os_strcmp(start, "TTLS-PAP") == 0) {
45 user->ttls_auth |= EAP_TTLS_AUTH_PAP;
48 if (os_strcmp(start, "TTLS-CHAP") == 0) {
49 user->ttls_auth |= EAP_TTLS_AUTH_CHAP;
52 if (os_strcmp(start, "TTLS-MSCHAP") == 0) {
53 user->ttls_auth |= EAP_TTLS_AUTH_MSCHAP;
56 if (os_strcmp(start, "TTLS-MSCHAPV2") == 0) {
57 user->ttls_auth |= EAP_TTLS_AUTH_MSCHAPV2;
60 wpa_printf(MSG_INFO, "DB: Unsupported EAP type '%s'",
67 if (num_methods >= EAP_MAX_METHODS)
79 static int get_user_cb(void *ctx, int argc, char *argv[], char *col[])
81 struct hostapd_eap_user *user = ctx;
84 for (i = 0; i < argc; i++) {
85 if (os_strcmp(col[i], "password") == 0 && argv[i]) {
86 bin_clear_free(user->password, user->password_len);
87 user->password_len = os_strlen(argv[i]);
88 user->password = (u8 *) os_strdup(argv[i]);
89 user->next = (void *) 1;
90 } else if (os_strcmp(col[i], "methods") == 0 && argv[i]) {
91 set_user_methods(user, argv[i]);
92 } else if (os_strcmp(col[i], "remediation") == 0 && argv[i]) {
93 user->remediation = strlen(argv[i]) > 0;
101 static int get_wildcard_cb(void *ctx, int argc, char *argv[], char *col[])
103 struct hostapd_eap_user *user = ctx;
104 int i, id = -1, methods = -1;
107 for (i = 0; i < argc; i++) {
108 if (os_strcmp(col[i], "identity") == 0 && argv[i])
110 else if (os_strcmp(col[i], "methods") == 0 && argv[i])
114 if (id < 0 || methods < 0)
117 len = os_strlen(argv[id]);
118 if (len <= user->identity_len &&
119 os_memcmp(argv[id], user->identity, len) == 0 &&
120 (user->password == NULL || len > user->password_len)) {
121 bin_clear_free(user->password, user->password_len);
122 user->password_len = os_strlen(argv[id]);
123 user->password = (u8 *) os_strdup(argv[id]);
124 user->next = (void *) 1;
125 set_user_methods(user, argv[methods]);
132 static const struct hostapd_eap_user *
133 eap_user_sqlite_get(struct hostapd_data *hapd, const u8 *identity,
134 size_t identity_len, int phase2)
137 struct hostapd_eap_user *user = NULL;
138 char id_str[256], cmd[300];
141 if (identity_len >= sizeof(id_str))
143 os_memcpy(id_str, identity, identity_len);
144 id_str[identity_len] = '\0';
145 for (i = 0; i < identity_len; i++) {
146 if (id_str[i] >= 'a' && id_str[i] <= 'z')
148 if (id_str[i] >= 'A' && id_str[i] <= 'Z')
150 if (id_str[i] >= '0' && id_str[i] <= '9')
152 if (id_str[i] == '-' || id_str[i] == '_' || id_str[i] == '.' ||
153 id_str[i] == ',' || id_str[i] == '@' || id_str[i] == '\\' ||
154 id_str[i] == '!' || id_str[i] == '#' || id_str[i] == '%' ||
155 id_str[i] == '=' || id_str[i] == ' ')
157 wpa_printf(MSG_INFO, "DB: Unsupported character in identity");
161 bin_clear_free(hapd->tmp_eap_user.identity,
162 hapd->tmp_eap_user.identity_len);
163 bin_clear_free(hapd->tmp_eap_user.password,
164 hapd->tmp_eap_user.password_len);
165 os_memset(&hapd->tmp_eap_user, 0, sizeof(hapd->tmp_eap_user));
166 hapd->tmp_eap_user.phase2 = phase2;
167 hapd->tmp_eap_user.identity = os_zalloc(identity_len + 1);
168 if (hapd->tmp_eap_user.identity == NULL)
170 os_memcpy(hapd->tmp_eap_user.identity, identity, identity_len);
172 if (sqlite3_open(hapd->conf->eap_user_sqlite, &db)) {
173 wpa_printf(MSG_INFO, "DB: Failed to open database %s: %s",
174 hapd->conf->eap_user_sqlite, sqlite3_errmsg(db));
179 os_snprintf(cmd, sizeof(cmd),
180 "SELECT * FROM users WHERE identity='%s' AND phase2=%d;",
182 wpa_printf(MSG_DEBUG, "DB: %s", cmd);
183 if (sqlite3_exec(db, cmd, get_user_cb, &hapd->tmp_eap_user, NULL) !=
185 wpa_printf(MSG_DEBUG, "DB: Failed to complete SQL operation");
186 } else if (hapd->tmp_eap_user.next)
187 user = &hapd->tmp_eap_user;
189 if (user == NULL && !phase2) {
190 os_snprintf(cmd, sizeof(cmd),
191 "SELECT identity,methods FROM wildcards;");
192 wpa_printf(MSG_DEBUG, "DB: %s", cmd);
193 if (sqlite3_exec(db, cmd, get_wildcard_cb, &hapd->tmp_eap_user,
194 NULL) != SQLITE_OK) {
195 wpa_printf(MSG_DEBUG, "DB: Failed to complete SQL "
197 } else if (hapd->tmp_eap_user.next) {
198 user = &hapd->tmp_eap_user;
199 os_free(user->identity);
200 user->identity = user->password;
201 user->identity_len = user->password_len;
202 user->password = NULL;
203 user->password_len = 0;
212 #endif /* CONFIG_SQLITE */
215 const struct hostapd_eap_user *
216 hostapd_get_eap_user(struct hostapd_data *hapd, const u8 *identity,
217 size_t identity_len, int phase2)
219 const struct hostapd_bss_config *conf = hapd->conf;
220 struct hostapd_eap_user *user = conf->eap_user;
223 if (conf->wps_state && identity_len == WSC_ID_ENROLLEE_LEN &&
224 os_memcmp(identity, WSC_ID_ENROLLEE, WSC_ID_ENROLLEE_LEN) == 0) {
225 static struct hostapd_eap_user wsc_enrollee;
226 os_memset(&wsc_enrollee, 0, sizeof(wsc_enrollee));
227 wsc_enrollee.methods[0].method = eap_server_get_type(
228 "WSC", &wsc_enrollee.methods[0].vendor);
229 return &wsc_enrollee;
232 if (conf->wps_state && identity_len == WSC_ID_REGISTRAR_LEN &&
233 os_memcmp(identity, WSC_ID_REGISTRAR, WSC_ID_REGISTRAR_LEN) == 0) {
234 static struct hostapd_eap_user wsc_registrar;
235 os_memset(&wsc_registrar, 0, sizeof(wsc_registrar));
236 wsc_registrar.methods[0].method = eap_server_get_type(
237 "WSC", &wsc_registrar.methods[0].vendor);
238 wsc_registrar.password = (u8 *) conf->ap_pin;
239 wsc_registrar.password_len = conf->ap_pin ?
240 os_strlen(conf->ap_pin) : 0;
241 return &wsc_registrar;
243 #endif /* CONFIG_WPS */
246 if (!phase2 && user->identity == NULL) {
251 if (user->phase2 == !!phase2 && user->wildcard_prefix &&
252 identity_len >= user->identity_len &&
253 os_memcmp(user->identity, identity, user->identity_len) ==
255 /* Wildcard prefix match */
259 if (user->phase2 == !!phase2 &&
260 user->identity_len == identity_len &&
261 os_memcmp(user->identity, identity, identity_len) == 0)
267 if (user == NULL && conf->eap_user_sqlite) {
268 return eap_user_sqlite_get(hapd, identity, identity_len,
271 #endif /* CONFIG_SQLITE */