1 | /* |
2 | * Authentication server setup | |
3 | * Copyright (c) 2002-2009, Jouni Malinen <j@w1.fi> | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of the GNU General Public License version 2 as | |
7 | * published by the Free Software Foundation. | |
8 | * | |
9 | * Alternatively, this software may be distributed under the terms of BSD | |
10 | * license. | |
11 | * | |
12 | * See README and COPYING for more details. | |
13 | */ | |
14 | ||
15 | #include "utils/includes.h" | |
16 | ||
17 | #include "utils/common.h" | |
18 | #include "crypto/tls.h" | |
19 | #include "eap_server/eap.h" | |
20 | #include "eap_server/eap_sim_db.h" | |
21 | #include "eapol_auth/eapol_auth_sm.h" | |
22 | #include "radius/radius_server.h" | |
23 | #include "hostapd.h" | |
6226e38d | 24 | #include "ap_config.h" |
25 | #include "sta_info.h" |
26 | #include "authsrv.h" | |
27 | ||
28 | ||
/* Both EAP-SIM and EAP-AKA use the eap_sim_db interface initialized in
 * authsrv_init(); fold the two build options into one symbol so the
 * database setup and the pending-session callback are gated in one place. */
#if defined(EAP_SERVER_SIM) || defined(EAP_SERVER_AKA)
#define EAP_SIM_DB
#endif /* EAP_SERVER_SIM || EAP_SERVER_AKA */
32 | ||
33 | ||
34 | #ifdef EAP_SIM_DB | |
/**
 * hostapd_sim_db_cb_sta - Per-station probe for a pending EAP-SIM/AKA session
 * @hapd: BSS data (unused here; part of the ap_for_each_sta() callback shape)
 * @sta: Station whose EAPOL state machine is offered the session
 * @ctx: Opaque session context handed over by the EAP-SIM database
 * Returns: 1 if this station's EAPOL state machine accepted the pending
 * session (eapol_auth_eap_pending_cb() returned 0), 0 otherwise
 */
static int hostapd_sim_db_cb_sta(struct hostapd_data *hapd,
				 struct sta_info *sta, void *ctx)
{
	int accepted = eapol_auth_eap_pending_cb(sta->eapol_sm, ctx) == 0;

	/* A non-zero result is presumably what makes ap_for_each_sta() report
	 * a match to hostapd_sim_db_cb(); a zero means "not mine, keep going". */
	return accepted ? 1 : 0;
}
42 | ||
43 | ||
/**
 * hostapd_sim_db_cb - EAP-SIM database completion callback
 * @ctx: struct hostapd_data * registered with eap_sim_db_init()
 * @session_ctx: Opaque context identifying the EAP session that was waiting
 *	on the database
 *
 * The session may belong either to a station authenticated locally by this
 * BSS or, when the built-in RADIUS server is compiled in, to a remote
 * authenticator talking to that server. Local stations are tried first; the
 * RADIUS server is only consulted when no station claimed the session.
 */
static void hostapd_sim_db_cb(void *ctx, void *session_ctx)
{
	struct hostapd_data *hapd = ctx;
	int claimed_locally;

	claimed_locally = ap_for_each_sta(hapd, hostapd_sim_db_cb_sta,
					  session_ctx);
	if (claimed_locally != 0)
		return;

#ifdef RADIUS_SERVER
	radius_server_eap_pending_cb(hapd->radius_srv, session_ctx);
#endif /* RADIUS_SERVER */
}
53 | #endif /* EAP_SIM_DB */ | |
54 | ||
55 | ||
56 | #ifdef RADIUS_SERVER | |
57 | ||
/**
 * hostapd_radius_get_eap_user - EAP user lookup callback for the RADIUS server
 * @ctx: Context registered as radius_server_conf::conf_ctx (the BSS config)
 * @identity: EAP identity to look up
 * @identity_len: Length of @identity in bytes
 * @phase2: Non-zero when the lookup is for an inner (Phase 2) method
 * @user: Buffer to fill with the user's settings, or NULL to only test whether
 *	the identity is known
 * Returns: 0 on success (identity known, and @user filled when non-NULL),
 * -1 if the identity is unknown or the password copy could not be allocated
 *
 * This bridges the hostapd configuration's hostapd_eap_user representation to
 * the generic struct eap_user that the EAP server core understands. The
 * password is duplicated onto the heap rather than shared with the config.
 * NOTE(review): ownership of user->password (freeing, and clearing it from
 * memory once the session ends) lies with the caller; confirm that against the
 * RADIUS server code, it is not visible here.
 */
static int hostapd_radius_get_eap_user(void *ctx, const u8 *identity,
				       size_t identity_len, int phase2,
				       struct eap_user *user)
{
	const struct hostapd_eap_user *src;
	int i, n_methods;

	src = hostapd_get_eap_user(ctx, identity, identity_len, phase2);
	if (!src)
		return -1;

	/* Existence check only: nothing to fill in */
	if (!user)
		return 0;

	os_memset(user, 0, sizeof(*user));

	/* Copy no more method slots than both structures can hold. */
	n_methods = EAP_USER_MAX_METHODS;
	if (n_methods > EAP_MAX_METHODS)
		n_methods = EAP_MAX_METHODS;
	for (i = 0; i < n_methods; i++) {
		user->methods[i].vendor = src->methods[i].vendor;
		user->methods[i].method = src->methods[i].method;
	}

	if (src->password) {
		/* Private heap copy; password_len stays 0 if allocation fails
		 * so a partially filled user is never reported as having a
		 * password. */
		user->password = os_malloc(src->password_len);
		if (!user->password)
			return -1;
		os_memcpy(user->password, src->password, src->password_len);
		user->password_len = src->password_len;
		user->password_hash = src->password_hash;
	}

	user->force_version = src->force_version;
	user->ttls_auth = src->ttls_auth;

	return 0;
}
95 | ||
96 | ||
/**
 * hostapd_setup_radius_srv - Start the built-in RADIUS server for a BSS
 * @hapd: BSS data; hapd->conf supplies the RADIUS and EAP method settings,
 *	while the TLS context, EAP-SIM database handle and WPS context already
 *	attached to hapd are shared with the server
 * Returns: 0 on success, -1 if radius_server_init() fails
 *
 * The server handle is stored in hapd->radius_srv; on failure it is left NULL.
 */
static int hostapd_setup_radius_srv(struct hostapd_data *hapd)
{
	struct hostapd_bss_config *bss = hapd->conf;
	struct radius_server_conf cfg;

	os_memset(&cfg, 0, sizeof(cfg));

	/* Transport and client (shared secret) database */
	cfg.client_file = bss->radius_server_clients;
	cfg.auth_port = bss->radius_server_auth_port;
	cfg.ipv6 = bss->radius_server_ipv6;

	/* EAP user lookup; conf_ctx is presumably handed back as the ctx
	 * argument of get_eap_user */
	cfg.conf_ctx = bss;
	cfg.get_eap_user = hostapd_radius_get_eap_user;
	cfg.eap_req_id_text = bss->eap_req_id_text;
	cfg.eap_req_id_text_len = bss->eap_req_id_text_len;

	/* State shared with the rest of the authentication server */
	cfg.ssl_ctx = hapd->ssl_ctx;
	cfg.eap_sim_db_priv = hapd->eap_sim_db_priv;
	cfg.wps = hapd->wps;

	/* EAP-FAST PAC provisioning parameters */
	cfg.pac_opaque_encr_key = bss->pac_opaque_encr_key;
	cfg.eap_fast_a_id = bss->eap_fast_a_id;
	cfg.eap_fast_a_id_len = bss->eap_fast_a_id_len;
	cfg.eap_fast_a_id_info = bss->eap_fast_a_id_info;
	cfg.eap_fast_prov = bss->eap_fast_prov;
	cfg.pac_key_lifetime = bss->pac_key_lifetime;
	cfg.pac_key_refresh_time = bss->pac_key_refresh_time;

	/* Remaining per-method options */
	cfg.eap_sim_aka_result_ind = bss->eap_sim_aka_result_ind;
	cfg.tnc = bss->tnc;

	hapd->radius_srv = radius_server_init(&cfg);
	if (hapd->radius_srv != NULL)
		return 0;

	wpa_printf(MSG_ERROR, "RADIUS server initialization failed.");
	return -1;
}
130 | ||
131 | #endif /* RADIUS_SERVER */ | |
132 | ||
133 | ||
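/**
 * authsrv_init - Set up the integrated authentication server parts of a BSS
 * @hapd: BSS data whose configuration (hapd->conf) drives the setup
 * Returns: 0 on success, -1 on failure
 *
 * Depending on build options this initializes, in order, the TLS context used
 * by the EAP server (EAP_TLS_FUNCS), the EAP-SIM/AKA database interface
 * (EAP_SIM_DB) and the built-in RADIUS server (RADIUS_SERVER). Every failure
 * path calls authsrv_deinit() so that whatever was already set up here is
 * released and the corresponding hapd pointers are reset before -1 is
 * returned. authsrv_deinit() clears each pointer it frees, so the caller may
 * still run its own cleanup afterwards.
 */
int authsrv_init(struct hostapd_data *hapd)
{
#ifdef EAP_TLS_FUNCS
	/* TLS is only brought up when the EAP server is enabled and at least
	 * one of these TLS files is configured; note that private_key alone
	 * does not trigger the setup. */
	if (hapd->conf->eap_server &&
	    (hapd->conf->ca_cert || hapd->conf->server_cert ||
	     hapd->conf->dh_file)) {
		struct tls_connection_params params;

		hapd->ssl_ctx = tls_init(NULL);
		if (hapd->ssl_ctx == NULL) {
			wpa_printf(MSG_ERROR, "Failed to initialize TLS");
			authsrv_deinit(hapd);
			return -1;
		}

		os_memset(&params, 0, sizeof(params));
		params.ca_cert = hapd->conf->ca_cert;
		/* The field is named for the client side of a connection, but
		 * here it carries this end's (the server's) certificate. */
		params.client_cert = hapd->conf->server_cert;
		params.private_key = hapd->conf->private_key;
		params.private_key_passwd = hapd->conf->private_key_passwd;
		params.dh_file = hapd->conf->dh_file;

		if (tls_global_set_params(hapd->ssl_ctx, &params)) {
			wpa_printf(MSG_ERROR, "Failed to set TLS parameters");
			authsrv_deinit(hapd);
			return -1;
		}

		/* Failing to apply the configured check_crl setting is fatal
		 * rather than silently continuing with a weaker verification
		 * policy than the operator asked for. */
		if (tls_global_set_verify(hapd->ssl_ctx,
					  hapd->conf->check_crl)) {
			wpa_printf(MSG_ERROR, "Failed to enable check_crl");
			authsrv_deinit(hapd);
			return -1;
		}
	}
#endif /* EAP_TLS_FUNCS */

#ifdef EAP_SIM_DB
	if (hapd->conf->eap_sim_db) {
		hapd->eap_sim_db_priv =
			eap_sim_db_init(hapd->conf->eap_sim_db,
					hostapd_sim_db_cb, hapd);
		if (hapd->eap_sim_db_priv == NULL) {
			wpa_printf(MSG_ERROR, "Failed to initialize EAP-SIM "
				   "database interface");
			authsrv_deinit(hapd);
			return -1;
		}
	}
#endif /* EAP_SIM_DB */

#ifdef RADIUS_SERVER
	if (hapd->conf->radius_server_clients &&
	    hostapd_setup_radius_srv(hapd)) {
		/* Release the TLS context and SIM database created above so
		 * this path behaves like the other failure paths instead of
		 * leaving them attached to a half-initialized hapd. */
		authsrv_deinit(hapd);
		return -1;
	}
#endif /* RADIUS_SERVER */

	return 0;
}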
193 | ||
194 | ||
/**
 * authsrv_deinit - Tear down everything authsrv_init() may have set up
 * @hapd: BSS data holding the authentication server state
 *
 * Safe to call on a hapd where authsrv_init() failed part way, and safe to
 * call repeatedly: every pointer is reset to NULL once released, and the TLS
 * and EAP-SIM database handles are only freed when present. The RADIUS server
 * goes first because it was handed the TLS context and the SIM database handle
 * when it was configured.
 */
void authsrv_deinit(struct hostapd_data *hapd)
{
#ifdef EAP_TLS_FUNCS
	void *tls_ctx = hapd->ssl_ctx;
#endif /* EAP_TLS_FUNCS */
#ifdef EAP_SIM_DB
	void *sim_db = hapd->eap_sim_db_priv;
#endif /* EAP_SIM_DB */

#ifdef RADIUS_SERVER
	radius_server_deinit(hapd->radius_srv);
	hapd->radius_srv = NULL;
#endif /* RADIUS_SERVER */

#ifdef EAP_TLS_FUNCS
	hapd->ssl_ctx = NULL;
	if (tls_ctx != NULL)
		tls_deinit(tls_ctx);
#endif /* EAP_TLS_FUNCS */

#ifdef EAP_SIM_DB
	hapd->eap_sim_db_priv = NULL;
	if (sim_db != NULL)
		eap_sim_db_deinit(sim_db);
#endif /* EAP_SIM_DB */
}
211 | eap_sim_db_deinit(hapd->eap_sim_db_priv); | |
212 | hapd->eap_sim_db_priv = NULL; | |
213 | } | |
214 | #endif /* EAP_SIM_DB */ | |
215 | } |