1 | /* |
2 | * Authentication server setup | |
3 | * Copyright (c) 2002-2009, Jouni Malinen <j@w1.fi> | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of the GNU General Public License version 2 as | |
7 | * published by the Free Software Foundation. | |
8 | * | |
9 | * Alternatively, this software may be distributed under the terms of BSD | |
10 | * license. | |
11 | * | |
12 | * See README and COPYING for more details. | |
13 | */ | |
14 | ||
15 | #include "utils/includes.h" | |
16 | ||
17 | #include "utils/common.h" | |
18 | #include "crypto/tls.h" | |
19 | #include "eap_server/eap.h" | |
20 | #include "eap_server/eap_sim_db.h" | |
21 | #include "eapol_auth/eapol_auth_sm.h" | |
22 | #include "radius/radius_server.h" | |
23 | #include "hostapd.h" | |
6226e38d | 24 | #include "ap_config.h" |
25 | #include "sta_info.h" |
26 | #include "authsrv.h" | |
27 | ||
28 | ||
/*
 * EAP-SIM and EAP-AKA share one subscriber database back end, so a single
 * EAP_SIM_DB switch gates the database callbacks and its init/deinit below
 * whenever either method is compiled into the EAP server.
 */
#if defined(EAP_SERVER_SIM) || defined(EAP_SERVER_AKA)
#define EAP_SIM_DB
#endif /* EAP_SERVER_SIM || EAP_SERVER_AKA */
32 | ||
33 | ||
34 | #ifdef EAP_SIM_DB | |
/*
 * Per-station step of hostapd_sim_db_cb(): offer the pending EAP-SIM/AKA
 * database result to this station's EAPOL state machine.
 *
 * @hapd: unused here; present because ap_for_each_sta() requires it in the
 *	callback signature
 * @sta: station whose EAPOL state machine is asked to resume the session
 * @ctx: EAP session context the database operation belongs to
 * Returns 1 when eapol_auth_eap_pending_cb() returned 0, i.e. this station
 * owns the session and took it over (the caller treats that as "handled");
 * 0 when the session is not this station's.
 */
static int hostapd_sim_db_cb_sta(struct hostapd_data *hapd,
				 struct sta_info *sta, void *ctx)
{
	int taken = eapol_auth_eap_pending_cb(sta->eapol_sm, ctx) == 0;

	return taken;
}
42 | ||
43 | ||
/*
 * Completion callback registered with eap_sim_db_init() in authsrv_init():
 * a pending EAP-SIM/AKA database operation for @session_ctx can now be
 * resumed. Local stations get the first chance to claim the session; if
 * none does, the session belongs to the built-in RADIUS server (when that
 * is compiled in), which is told to continue.
 *
 * @ctx: the struct hostapd_data * given to eap_sim_db_init()
 * @session_ctx: EAP session context identifying the pending authentication
 */
static void hostapd_sim_db_cb(void *ctx, void *session_ctx)
{
	struct hostapd_data *hapd = ctx;
	int claimed;

	claimed = ap_for_each_sta(hapd, hostapd_sim_db_cb_sta, session_ctx);
	if (claimed)
		return;

#ifdef RADIUS_SERVER
	/* No local station owns this session: hand it to the RADIUS server. */
	radius_server_eap_pending_cb(hapd->radius_srv, session_ctx);
#endif /* RADIUS_SERVER */
}
53 | #endif /* EAP_SIM_DB */ | |
54 | ||
55 | ||
56 | #ifdef RADIUS_SERVER | |
57 | ||
/*
 * EAP user lookup hook handed to the built-in RADIUS server
 * (struct radius_server_conf::get_eap_user). Resolves an EAP identity in the
 * BSS configuration and, when asked, copies the user's EAP settings into a
 * server-owned record.
 *
 * @ctx: lookup context passed through to hostapd_get_eap_user(); presumably
 *	the conf_ctx (struct hostapd_bss_config *) set in
 *	hostapd_setup_radius_srv()
 * @identity: EAP identity, length-delimited by @identity_len
 * @identity_len: length of @identity in bytes
 * @phase2: presumably non-zero for an inner (tunneled) identity lookup;
 *	forwarded unchanged
 * @user: record to fill in, or NULL to only test whether the identity is
 *	known
 * Returns 0 when the identity is known (and @user is filled in unless
 * NULL), -1 when it is unknown or the password buffer could not be
 * allocated.
 *
 * The password (or its hash, per password_hash) is duplicated into a fresh
 * heap buffer referenced from @user, so the RADIUS server's copy does not
 * alias the configuration entry; whoever frees the eap_user record is
 * expected to release it.
 */
static int hostapd_radius_get_eap_user(void *ctx, const u8 *identity,
				       size_t identity_len, int phase2,
				       struct eap_user *user)
{
	const struct hostapd_eap_user *src;
	int n, max_methods;

	src = hostapd_get_eap_user(ctx, identity, identity_len, phase2);
	if (!src)
		return -1;

	/* Existence check only: nothing to fill in. */
	if (!user)
		return 0;

	os_memset(user, 0, sizeof(*user));

	/*
	 * The configuration entry and the server record size their method
	 * arrays with independent constants; copy only what both can hold.
	 */
	max_methods = EAP_USER_MAX_METHODS < EAP_MAX_METHODS ?
		EAP_USER_MAX_METHODS : EAP_MAX_METHODS;
	for (n = 0; n < max_methods; n++) {
		user->methods[n].vendor = src->methods[n].vendor;
		user->methods[n].method = src->methods[n].method;
	}

	if (src->password) {
		user->password = os_malloc(src->password_len);
		if (!user->password)
			return -1;
		os_memcpy(user->password, src->password, src->password_len);
		user->password_len = src->password_len;
		user->password_hash = src->password_hash;
	}

	user->force_version = src->force_version;
	user->ttls_auth = src->ttls_auth;

	return 0;
}
95 | ||
96 | ||
/*
 * Start the built-in RADIUS authentication server for this BSS. The server
 * is wired to the EAP server state authsrv_init() has already prepared (TLS
 * context, EAP-SIM/AKA database handle, WPS) plus the EAP-FAST PAC, EAP-pwd
 * and RADIUS client settings from the BSS configuration.
 *
 * @hapd: BSS whose configuration supplies the parameters; on success
 *	hapd->radius_srv holds the server handle
 * Returns 0 on success, -1 when radius_server_init() fails.
 */
static int hostapd_setup_radius_srv(struct hostapd_data *hapd)
{
	struct hostapd_bss_config *bss = hapd->conf;
	/* Members not named here start out zero, as with an explicit memset. */
	struct radius_server_conf srv = {
		/* RADIUS clients and their shared secrets */
		.client_file = bss->radius_server_clients,
		.auth_port = bss->radius_server_auth_port,
		.ipv6 = bss->radius_server_ipv6,

		/* EAP server state shared with the rest of the BSS */
		.conf_ctx = bss,
		.eap_sim_db_priv = hapd->eap_sim_db_priv,
		.ssl_ctx = hapd->ssl_ctx,
		.msg_ctx = hapd->msg_ctx,
		.wps = hapd->wps,
		.get_eap_user = hostapd_radius_get_eap_user,

		/* EAP-FAST: PAC-Opaque encryption key, A-ID and PAC lifetimes */
		.pac_opaque_encr_key = bss->pac_opaque_encr_key,
		.eap_fast_a_id = bss->eap_fast_a_id,
		.eap_fast_a_id_len = bss->eap_fast_a_id_len,
		.eap_fast_a_id_info = bss->eap_fast_a_id_info,
		.eap_fast_prov = bss->eap_fast_prov,
		.pac_key_lifetime = bss->pac_key_lifetime,
		.pac_key_refresh_time = bss->pac_key_refresh_time,

		/* Other EAP method options */
		.eap_sim_aka_result_ind = bss->eap_sim_aka_result_ind,
		.tnc = bss->tnc,
		.eap_req_id_text = bss->eap_req_id_text,
		.eap_req_id_text_len = bss->eap_req_id_text_len,
		.pwd_group = bss->pwd_group,
	};

	hapd->radius_srv = radius_server_init(&srv);
	if (!hapd->radius_srv) {
		wpa_printf(MSG_ERROR, "RADIUS server initialization failed.");
		return -1;
	}

	return 0;
}
132 | ||
133 | #endif /* RADIUS_SERVER */ | |
134 | ||
135 | ||
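/**
 * authsrv_init - Set up the authentication server back ends for a BSS
 * @hapd: BSS to initialize; on success hapd->ssl_ctx, hapd->eap_sim_db_priv
 *	and hapd->radius_srv are populated according to the configuration
 * Returns: 0 on success, -1 on failure
 *
 * Each part is optional and compile-time gated:
 *  - EAP_TLS_FUNCS: a global TLS context for the EAP server, created only
 *    when the integrated EAP server is enabled and a CA certificate, server
 *    certificate or DH file is configured; CRL checking follows
 *    conf->check_crl.
 *  - EAP_SIM_DB: the EAP-SIM/AKA database interface, with
 *    hostapd_sim_db_cb() as its completion callback.
 *  - RADIUS_SERVER: the built-in RADIUS server, when a clients file is set.
 *
 * Every failure path calls authsrv_deinit(), so a failed call leaves @hapd
 * without live TLS, SIM DB or RADIUS server resources.
 */
int authsrv_init(struct hostapd_data *hapd)
{
#ifdef EAP_TLS_FUNCS
	if (hapd->conf->eap_server &&
	    (hapd->conf->ca_cert || hapd->conf->server_cert ||
	     hapd->conf->dh_file)) {
		struct tls_connection_params params;

		hapd->ssl_ctx = tls_init(NULL);
		if (hapd->ssl_ctx == NULL) {
			wpa_printf(MSG_ERROR, "Failed to initialize TLS");
			authsrv_deinit(hapd);
			return -1;
		}

		os_memset(&params, 0, sizeof(params));
		params.ca_cert = hapd->conf->ca_cert;
		/* The generic parameter block has one "client_cert" slot;
		 * for the EAP server it carries the server certificate. */
		params.client_cert = hapd->conf->server_cert;
		params.private_key = hapd->conf->private_key;
		params.private_key_passwd = hapd->conf->private_key_passwd;
		params.dh_file = hapd->conf->dh_file;

		if (tls_global_set_params(hapd->ssl_ctx, &params)) {
			wpa_printf(MSG_ERROR, "Failed to set TLS parameters");
			authsrv_deinit(hapd);
			return -1;
		}

		if (tls_global_set_verify(hapd->ssl_ctx,
					  hapd->conf->check_crl)) {
			wpa_printf(MSG_ERROR, "Failed to enable check_crl");
			authsrv_deinit(hapd);
			return -1;
		}
	}
#endif /* EAP_TLS_FUNCS */

#ifdef EAP_SIM_DB
	if (hapd->conf->eap_sim_db) {
		hapd->eap_sim_db_priv =
			eap_sim_db_init(hapd->conf->eap_sim_db,
					hostapd_sim_db_cb, hapd);
		if (hapd->eap_sim_db_priv == NULL) {
			wpa_printf(MSG_ERROR, "Failed to initialize EAP-SIM "
				   "database interface");
			authsrv_deinit(hapd);
			return -1;
		}
	}
#endif /* EAP_SIM_DB */

#ifdef RADIUS_SERVER
	if (hapd->conf->radius_server_clients &&
	    hostapd_setup_radius_srv(hapd)) {
		/*
		 * Match the other failure paths: release the TLS context and
		 * SIM DB handle created above rather than leaving them for
		 * the caller to discover.
		 */
		authsrv_deinit(hapd);
		return -1;
	}
#endif /* RADIUS_SERVER */

	return 0;
}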
195 | ||
196 | ||
/**
 * authsrv_deinit - Release everything authsrv_init() set up
 * @hapd: BSS whose authentication server resources are freed
 *
 * Intended to work on a partially initialized BSS: authsrv_init() calls it
 * from every failure path, including before the RADIUS server exists, and
 * the TLS and SIM DB handles are only released when set. Order matters:
 * the RADIUS server goes first because hostapd_setup_radius_srv() handed
 * it the TLS context and SIM DB handle that are torn down afterwards.
 * Each handle is detached from @hapd as it is released.
 */
void authsrv_deinit(struct hostapd_data *hapd)
{
#ifdef RADIUS_SERVER
	{
		struct radius_server_data *radius_srv = hapd->radius_srv;

		hapd->radius_srv = NULL;
		radius_server_deinit(radius_srv);
	}
#endif /* RADIUS_SERVER */

#ifdef EAP_TLS_FUNCS
	{
		void *ssl_ctx = hapd->ssl_ctx;

		hapd->ssl_ctx = NULL;
		if (ssl_ctx)
			tls_deinit(ssl_ctx);
	}
#endif /* EAP_TLS_FUNCS */

#ifdef EAP_SIM_DB
	{
		void *sim_db = hapd->eap_sim_db_priv;

		hapd->eap_sim_db_priv = NULL;
		if (sim_db)
			eap_sim_db_deinit(sim_db);
	}
#endif /* EAP_SIM_DB */
}