contrib/wpa/src/ap/authsrv.c

   1 /*
   2  * Authentication server setup
   3  * Copyright (c) 2002-2009, Jouni Malinen <j@w1.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  */
  14
  15 #include "utils/includes.h"
  16
  17 #include "utils/common.h"
  18 #include "crypto/tls.h"
  19 #include "eap_server/eap.h"
  20 #include "eap_server/eap_sim_db.h"
  21 #include "eapol_auth/eapol_auth_sm.h"
  22 #include "radius/radius_server.h"
  23 #include "hostapd.h"
  24 #include "ap_config.h"
  25 #include "sta_info.h"
  26 #include "authsrv.h"
  27
  28
  29 #if defined(EAP_SERVER_SIM) || defined(EAP_SERVER_AKA)
  30 #define EAP_SIM_DB
  31 #endif /* EAP_SERVER_SIM || EAP_SERVER_AKA */
  32
  33
  34 #ifdef EAP_SIM_DB
  35 static int hostapd_sim_db_cb_sta(struct hostapd_data *hapd,
  36                                  struct sta_info *sta, void *ctx)
  37 {
  38         if (eapol_auth_eap_pending_cb(sta->eapol_sm, ctx) == 0)
  39                 return 1;
  40         return 0;
  41 }
  42
  43
  44 static void hostapd_sim_db_cb(void *ctx, void *session_ctx)
  45 {
  46         struct hostapd_data *hapd = ctx;
  47         if (ap_for_each_sta(hapd, hostapd_sim_db_cb_sta, session_ctx) == 0) {
  48 #ifdef RADIUS_SERVER
  49                 radius_server_eap_pending_cb(hapd->radius_srv, session_ctx);
  50 #endif /* RADIUS_SERVER */
  51         }
  52 }
  53 #endif /* EAP_SIM_DB */
  54
  55
  56 #ifdef RADIUS_SERVER
  57
  58 static int hostapd_radius_get_eap_user(void *ctx, const u8 *identity,
  59                                        size_t identity_len, int phase2,
  60                                        struct eap_user *user)
  61 {
  62         const struct hostapd_eap_user *eap_user;
  63         int i, count;
  64
  65         eap_user = hostapd_get_eap_user(ctx, identity, identity_len, phase2);
  66         if (eap_user == NULL)
  67                 return -1;
  68
  69         if (user == NULL)
  70                 return 0;
  71
  72         os_memset(user, 0, sizeof(*user));
  73         count = EAP_USER_MAX_METHODS;
  74         if (count > EAP_MAX_METHODS)
  75                 count = EAP_MAX_METHODS;
  76         for (i = 0; i < count; i++) {
  77                 user->methods[i].vendor = eap_user->methods[i].vendor;
  78                 user->methods[i].method = eap_user->methods[i].method;
  79         }
  80
  81         if (eap_user->password) {
  82                 user->password = os_malloc(eap_user->password_len);
  83                 if (user->password == NULL)
  84                         return -1;
  85                 os_memcpy(user->password, eap_user->password,
  86                           eap_user->password_len);
  87                 user->password_len = eap_user->password_len;
  88                 user->password_hash = eap_user->password_hash;
  89         }
  90         user->force_version = eap_user->force_version;
  91         user->ttls_auth = eap_user->ttls_auth;
  92
  93         return 0;
  94 }
  95
  96
  97 static int hostapd_setup_radius_srv(struct hostapd_data *hapd)
  98 {
  99         struct radius_server_conf srv;
 100         struct hostapd_bss_config *conf = hapd->conf;
 101         os_memset(&srv, 0, sizeof(srv));
 102         srv.client_file = conf->radius_server_clients;
 103         srv.auth_port = conf->radius_server_auth_port;
 104         srv.conf_ctx = conf;
 105         srv.eap_sim_db_priv = hapd->eap_sim_db_priv;
 106         srv.ssl_ctx = hapd->ssl_ctx;
 107         srv.msg_ctx = hapd->msg_ctx;
 108         srv.pac_opaque_encr_key = conf->pac_opaque_encr_key;
 109         srv.eap_fast_a_id = conf->eap_fast_a_id;
 110         srv.eap_fast_a_id_len = conf->eap_fast_a_id_len;
 111         srv.eap_fast_a_id_info = conf->eap_fast_a_id_info;
 112         srv.eap_fast_prov = conf->eap_fast_prov;
 113         srv.pac_key_lifetime = conf->pac_key_lifetime;
 114         srv.pac_key_refresh_time = conf->pac_key_refresh_time;
 115         srv.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
 116         srv.tnc = conf->tnc;
 117         srv.wps = hapd->wps;
 118         srv.ipv6 = conf->radius_server_ipv6;
 119         srv.get_eap_user = hostapd_radius_get_eap_user;
 120         srv.eap_req_id_text = conf->eap_req_id_text;
 121         srv.eap_req_id_text_len = conf->eap_req_id_text_len;
 122
 123         hapd->radius_srv = radius_server_init(&srv);
 124         if (hapd->radius_srv == NULL) {
 125                 wpa_printf(MSG_ERROR, "RADIUS server initialization failed.");
 126                 return -1;
 127         }
 128
 129         return 0;
 130 }
 131
 132 #endif /* RADIUS_SERVER */
 133
 134
 135 int authsrv_init(struct hostapd_data *hapd)
 136 {
 137 #ifdef EAP_TLS_FUNCS
 138         if (hapd->conf->eap_server &&
 139             (hapd->conf->ca_cert || hapd->conf->server_cert ||
 140              hapd->conf->dh_file)) {
 141                 struct tls_connection_params params;
 142
 143                 hapd->ssl_ctx = tls_init(NULL);
 144                 if (hapd->ssl_ctx == NULL) {
 145                         wpa_printf(MSG_ERROR, "Failed to initialize TLS");
 146                         authsrv_deinit(hapd);
 147                         return -1;
 148                 }
 149
 150                 os_memset(&params, 0, sizeof(params));
 151                 params.ca_cert = hapd->conf->ca_cert;
 152                 params.client_cert = hapd->conf->server_cert;
 153                 params.private_key = hapd->conf->private_key;
 154                 params.private_key_passwd = hapd->conf->private_key_passwd;
 155                 params.dh_file = hapd->conf->dh_file;
 156
 157                 if (tls_global_set_params(hapd->ssl_ctx, &params)) {
 158                         wpa_printf(MSG_ERROR, "Failed to set TLS parameters");
 159                         authsrv_deinit(hapd);
 160                         return -1;
 161                 }
 162
 163                 if (tls_global_set_verify(hapd->ssl_ctx,
 164                                           hapd->conf->check_crl)) {
 165                         wpa_printf(MSG_ERROR, "Failed to enable check_crl");
 166                         authsrv_deinit(hapd);
 167                         return -1;
 168                 }
 169         }
 170 #endif /* EAP_TLS_FUNCS */
 171
 172 #ifdef EAP_SIM_DB
 173         if (hapd->conf->eap_sim_db) {
 174                 hapd->eap_sim_db_priv =
 175                         eap_sim_db_init(hapd->conf->eap_sim_db,
 176                                         hostapd_sim_db_cb, hapd);
 177                 if (hapd->eap_sim_db_priv == NULL) {
 178                         wpa_printf(MSG_ERROR, "Failed to initialize EAP-SIM "
 179                                    "database interface");
 180                         authsrv_deinit(hapd);
 181                         return -1;
 182                 }
 183         }
 184 #endif /* EAP_SIM_DB */
 185
 186 #ifdef RADIUS_SERVER
 187         if (hapd->conf->radius_server_clients &&
 188             hostapd_setup_radius_srv(hapd))
 189                 return -1;
 190 #endif /* RADIUS_SERVER */
 191
 192         return 0;
 193 }
 194
 195
 196 void authsrv_deinit(struct hostapd_data *hapd)
 197 {
 198 #ifdef RADIUS_SERVER
 199         radius_server_deinit(hapd->radius_srv);
 200         hapd->radius_srv = NULL;
 201 #endif /* RADIUS_SERVER */
 202
 203 #ifdef EAP_TLS_FUNCS
 204         if (hapd->ssl_ctx) {
 205                 tls_deinit(hapd->ssl_ctx);
 206                 hapd->ssl_ctx = NULL;
 207         }
 208 #endif /* EAP_TLS_FUNCS */
 209
 210 #ifdef EAP_SIM_DB
 211         if (hapd->eap_sim_db_priv) {
 212                 eap_sim_db_deinit(hapd->eap_sim_db_priv);
 213                 hapd->eap_sim_db_priv = NULL;
 214         }
 215 #endif /* EAP_SIM_DB */
 216 }