contrib/wpa/src/ap/eap_user_db.c

   1 /*
   2  * hostapd / EAP user database
   3  * Copyright (c) 2012, Jouni Malinen <j@w1.fi>
   4  *
   5  * This software may be distributed under the terms of the BSD license.
   6  * See README for more details.
   7  */
   8
   9 #include "includes.h"
  10 #ifdef CONFIG_SQLITE
  11 #include <sqlite3.h>
  12 #endif /* CONFIG_SQLITE */
  13
  14 #include "common.h"
  15 #include "eap_common/eap_wsc_common.h"
  16 #include "eap_server/eap_methods.h"
  17 #include "eap_server/eap.h"
  18 #include "ap_config.h"
  19 #include "hostapd.h"
  20
  21 #ifdef CONFIG_SQLITE
  22
  23 static void set_user_methods(struct hostapd_eap_user *user, const char *methods)
  24 {
  25         char *buf, *start;
  26         int num_methods;
  27
  28         buf = os_strdup(methods);
  29         if (buf == NULL)
  30                 return;
  31
  32         os_memset(&user->methods, 0, sizeof(user->methods));
  33         num_methods = 0;
  34         start = buf;
  35         while (*start) {
  36                 char *pos3 = os_strchr(start, ',');
  37                 if (pos3)
  38                         *pos3++ = '\0';
  39                 user->methods[num_methods].method =
  40                         eap_server_get_type(start,
  41                                             &user->methods[num_methods].vendor);
  42                 if (user->methods[num_methods].vendor == EAP_VENDOR_IETF &&
  43                     user->methods[num_methods].method == EAP_TYPE_NONE) {
  44                         if (os_strcmp(start, "TTLS-PAP") == 0) {
  45                                 user->ttls_auth |= EAP_TTLS_AUTH_PAP;
  46                                 goto skip_eap;
  47                         }
  48                         if (os_strcmp(start, "TTLS-CHAP") == 0) {
  49                                 user->ttls_auth |= EAP_TTLS_AUTH_CHAP;
  50                                 goto skip_eap;
  51                         }
  52                         if (os_strcmp(start, "TTLS-MSCHAP") == 0) {
  53                                 user->ttls_auth |= EAP_TTLS_AUTH_MSCHAP;
  54                                 goto skip_eap;
  55                         }
  56                         if (os_strcmp(start, "TTLS-MSCHAPV2") == 0) {
  57                                 user->ttls_auth |= EAP_TTLS_AUTH_MSCHAPV2;
  58                                 goto skip_eap;
  59                         }
  60                         wpa_printf(MSG_INFO, "DB: Unsupported EAP type '%s'",
  61                                    start);
  62                         os_free(buf);
  63                         return;
  64                 }
  65
  66                 num_methods++;
  67                 if (num_methods >= EAP_MAX_METHODS)
  68                         break;
  69         skip_eap:
  70                 if (pos3 == NULL)
  71                         break;
  72                 start = pos3;
  73         }
  74
  75         os_free(buf);
  76 }
  77
  78
  79 static int get_user_cb(void *ctx, int argc, char *argv[], char *col[])
  80 {
  81         struct hostapd_eap_user *user = ctx;
  82         int i;
  83
  84         for (i = 0; i < argc; i++) {
  85                 if (os_strcmp(col[i], "password") == 0 && argv[i]) {
  86                         bin_clear_free(user->password, user->password_len);
  87                         user->password_len = os_strlen(argv[i]);
  88                         user->password = (u8 *) os_strdup(argv[i]);
  89                         user->next = (void *) 1;
  90                 } else if (os_strcmp(col[i], "methods") == 0 && argv[i]) {
  91                         set_user_methods(user, argv[i]);
  92                 } else if (os_strcmp(col[i], "remediation") == 0 && argv[i]) {
  93                         user->remediation = strlen(argv[i]) > 0;
  94                 } else if (os_strcmp(col[i], "t_c_timestamp") == 0 && argv[i]) {
  95                         user->t_c_timestamp = strtol(argv[i], NULL, 10);
  96                 }
  97         }
  98
  99         return 0;
 100 }
 101
 102
 103 static int get_wildcard_cb(void *ctx, int argc, char *argv[], char *col[])
 104 {
 105         struct hostapd_eap_user *user = ctx;
 106         int i, id = -1, methods = -1;
 107         size_t len;
 108
 109         for (i = 0; i < argc; i++) {
 110                 if (os_strcmp(col[i], "identity") == 0 && argv[i])
 111                         id = i;
 112                 else if (os_strcmp(col[i], "methods") == 0 && argv[i])
 113                         methods = i;
 114         }
 115
 116         if (id < 0 || methods < 0)
 117                 return 0;
 118
 119         len = os_strlen(argv[id]);
 120         if (len <= user->identity_len &&
 121             os_memcmp(argv[id], user->identity, len) == 0 &&
 122             (user->password == NULL || len > user->password_len)) {
 123                 bin_clear_free(user->password, user->password_len);
 124                 user->password_len = os_strlen(argv[id]);
 125                 user->password = (u8 *) os_strdup(argv[id]);
 126                 user->next = (void *) 1;
 127                 set_user_methods(user, argv[methods]);
 128         }
 129
 130         return 0;
 131 }
 132
 133
 134 static const struct hostapd_eap_user *
 135 eap_user_sqlite_get(struct hostapd_data *hapd, const u8 *identity,
 136                     size_t identity_len, int phase2)
 137 {
 138         sqlite3 *db;
 139         struct hostapd_eap_user *user = NULL;
 140         char id_str[256], cmd[300];
 141         size_t i;
 142
 143         if (identity_len >= sizeof(id_str)) {
 144                 wpa_printf(MSG_DEBUG, "%s: identity len too big: %d >= %d",
 145                            __func__, (int) identity_len,
 146                            (int) (sizeof(id_str)));
 147                 return NULL;
 148         }
 149         os_memcpy(id_str, identity, identity_len);
 150         id_str[identity_len] = '\0';
 151         for (i = 0; i < identity_len; i++) {
 152                 if (id_str[i] >= 'a' && id_str[i] <= 'z')
 153                         continue;
 154                 if (id_str[i] >= 'A' && id_str[i] <= 'Z')
 155                         continue;
 156                 if (id_str[i] >= '0' && id_str[i] <= '9')
 157                         continue;
 158                 if (id_str[i] == '-' || id_str[i] == '_' || id_str[i] == '.' ||
 159                     id_str[i] == ',' || id_str[i] == '@' || id_str[i] == '\\' ||
 160                     id_str[i] == '!' || id_str[i] == '#' || id_str[i] == '%' ||
 161                     id_str[i] == '=' || id_str[i] == ' ')
 162                         continue;
 163                 wpa_printf(MSG_INFO, "DB: Unsupported character in identity");
 164                 return NULL;
 165         }
 166
 167         bin_clear_free(hapd->tmp_eap_user.identity,
 168                        hapd->tmp_eap_user.identity_len);
 169         bin_clear_free(hapd->tmp_eap_user.password,
 170                        hapd->tmp_eap_user.password_len);
 171         os_memset(&hapd->tmp_eap_user, 0, sizeof(hapd->tmp_eap_user));
 172         hapd->tmp_eap_user.phase2 = phase2;
 173         hapd->tmp_eap_user.identity = os_zalloc(identity_len + 1);
 174         if (hapd->tmp_eap_user.identity == NULL)
 175                 return NULL;
 176         os_memcpy(hapd->tmp_eap_user.identity, identity, identity_len);
 177
 178         if (sqlite3_open(hapd->conf->eap_user_sqlite, &db)) {
 179                 wpa_printf(MSG_INFO, "DB: Failed to open database %s: %s",
 180                            hapd->conf->eap_user_sqlite, sqlite3_errmsg(db));
 181                 sqlite3_close(db);
 182                 return NULL;
 183         }
 184
 185         os_snprintf(cmd, sizeof(cmd),
 186                     "SELECT * FROM users WHERE identity='%s' AND phase2=%d;",
 187                     id_str, phase2);
 188         wpa_printf(MSG_DEBUG, "DB: %s", cmd);
 189         if (sqlite3_exec(db, cmd, get_user_cb, &hapd->tmp_eap_user, NULL) !=
 190             SQLITE_OK) {
 191                 wpa_printf(MSG_DEBUG,
 192                            "DB: Failed to complete SQL operation: %s  db: %s",
 193                            sqlite3_errmsg(db), hapd->conf->eap_user_sqlite);
 194         } else if (hapd->tmp_eap_user.next)
 195                 user = &hapd->tmp_eap_user;
 196
 197         if (user == NULL && !phase2) {
 198                 os_snprintf(cmd, sizeof(cmd),
 199                             "SELECT identity,methods FROM wildcards;");
 200                 wpa_printf(MSG_DEBUG, "DB: %s", cmd);
 201                 if (sqlite3_exec(db, cmd, get_wildcard_cb, &hapd->tmp_eap_user,
 202                                  NULL) != SQLITE_OK) {
 203                         wpa_printf(MSG_DEBUG,
 204                                    "DB: Failed to complete SQL operation: %s  db: %s",
 205                                    sqlite3_errmsg(db),
 206                                    hapd->conf->eap_user_sqlite);
 207                 } else if (hapd->tmp_eap_user.next) {
 208                         user = &hapd->tmp_eap_user;
 209                         os_free(user->identity);
 210                         user->identity = user->password;
 211                         user->identity_len = user->password_len;
 212                         user->password = NULL;
 213                         user->password_len = 0;
 214                 }
 215         }
 216
 217         sqlite3_close(db);
 218
 219         return user;
 220 }
 221
 222 #endif /* CONFIG_SQLITE */
 223
 224
 225 const struct hostapd_eap_user *
 226 hostapd_get_eap_user(struct hostapd_data *hapd, const u8 *identity,
 227                      size_t identity_len, int phase2)
 228 {
 229         const struct hostapd_bss_config *conf = hapd->conf;
 230         struct hostapd_eap_user *user = conf->eap_user;
 231
 232 #ifdef CONFIG_WPS
 233         if (conf->wps_state && identity_len == WSC_ID_ENROLLEE_LEN &&
 234             os_memcmp(identity, WSC_ID_ENROLLEE, WSC_ID_ENROLLEE_LEN) == 0) {
 235                 static struct hostapd_eap_user wsc_enrollee;
 236                 os_memset(&wsc_enrollee, 0, sizeof(wsc_enrollee));
 237                 wsc_enrollee.methods[0].method = eap_server_get_type(
 238                         "WSC", &wsc_enrollee.methods[0].vendor);
 239                 return &wsc_enrollee;
 240         }
 241
 242         if (conf->wps_state && identity_len == WSC_ID_REGISTRAR_LEN &&
 243             os_memcmp(identity, WSC_ID_REGISTRAR, WSC_ID_REGISTRAR_LEN) == 0) {
 244                 static struct hostapd_eap_user wsc_registrar;
 245                 os_memset(&wsc_registrar, 0, sizeof(wsc_registrar));
 246                 wsc_registrar.methods[0].method = eap_server_get_type(
 247                         "WSC", &wsc_registrar.methods[0].vendor);
 248                 wsc_registrar.password = (u8 *) conf->ap_pin;
 249                 wsc_registrar.password_len = conf->ap_pin ?
 250                         os_strlen(conf->ap_pin) : 0;
 251                 return &wsc_registrar;
 252         }
 253 #endif /* CONFIG_WPS */
 254
 255         while (user) {
 256                 if (!phase2 && user->identity == NULL) {
 257                         /* Wildcard match */
 258                         break;
 259                 }
 260
 261                 if (user->phase2 == !!phase2 && user->wildcard_prefix &&
 262                     identity_len >= user->identity_len &&
 263                     os_memcmp(user->identity, identity, user->identity_len) ==
 264                     0) {
 265                         /* Wildcard prefix match */
 266                         break;
 267                 }
 268
 269                 if (user->phase2 == !!phase2 &&
 270                     user->identity_len == identity_len &&
 271                     os_memcmp(user->identity, identity, identity_len) == 0)
 272                         break;
 273                 user = user->next;
 274         }
 275
 276 #ifdef CONFIG_SQLITE
 277         if (user == NULL && conf->eap_user_sqlite) {
 278                 return eap_user_sqlite_get(hapd, identity, identity_len,
 279                                            phase2);
 280         }
 281 #endif /* CONFIG_SQLITE */
 282
 283         return user;
 284 }