1 | /* |
2 | * Authentication server setup | |
3 | * Copyright (c) 2002-2009, Jouni Malinen <j@w1.fi> | |
4 | * | |
5 | * This software may be distributed under the terms of the BSD license. |
6 | * See README for more details. | |
7 | */ |
8 | ||
9 | #include "utils/includes.h" | |
10 | ||
11 | #include "utils/common.h" | |
12 | #include "crypto/tls.h" | |
13 | #include "eap_server/eap.h" | |
14 | #include "eap_server/eap_sim_db.h" | |
15 | #include "eapol_auth/eapol_auth_sm.h" | |
16 | #include "radius/radius_server.h" | |
17 | #include "hostapd.h" | |
6226e38d | 18 | #include "ap_config.h" |
19 | #include "sta_info.h" |
20 | #include "authsrv.h" | |
21 | ||
22 | ||
/*
 * EAP-SIM and EAP-AKA both go through the eap_sim_db interface, so one
 * feature macro gates the database callbacks and the eap_sim_db_init() /
 * eap_sim_db_deinit() calls below.
 */
#if defined(EAP_SERVER_SIM) || defined(EAP_SERVER_AKA)
#define EAP_SIM_DB
#endif /* EAP_SERVER_SIM || EAP_SERVER_AKA */
26 | ||
27 | ||
28 | #ifdef EAP_SIM_DB | |
/*
 * Per-station visitor used by hostapd_sim_db_cb() when an EAP-SIM/AKA
 * database lookup completes. ctx is the eap_sim_db session context; hapd is
 * unused. Returns 1 when eapol_auth_eap_pending_cb() reports 0 for the
 * station's EAPOL state machine (presumably "this session belongs to that
 * station"), 0 otherwise.
 */
static int hostapd_sim_db_cb_sta(struct hostapd_data *hapd,
				 struct sta_info *sta, void *ctx)
{
	(void) hapd;
	/* A zero result from the EAPOL side is the "matched" case. */
	return eapol_auth_eap_pending_cb(sta->eapol_sm, ctx) == 0;
}
36 | ||
37 | ||
/*
 * Completion callback registered with eap_sim_db_init(). ctx is the
 * hostapd_data pointer handed over at init time, session_ctx identifies the
 * pending EAP session. The station list is walked first; only when no
 * station claims the session (ap_for_each_sta() returns 0) is the built-in
 * RADIUS server, if compiled in, told about the pending result.
 */
static void hostapd_sim_db_cb(void *ctx, void *session_ctx)
{
	struct hostapd_data *hapd = ctx;
	int claimed = ap_for_each_sta(hapd, hostapd_sim_db_cb_sta,
				      session_ctx);

	if (claimed != 0)
		return;
#ifdef RADIUS_SERVER
	radius_server_eap_pending_cb(hapd->radius_srv, session_ctx);
#endif /* RADIUS_SERVER */
}
47 | #endif /* EAP_SIM_DB */ | |
48 | ||
49 | ||
50 | #ifdef RADIUS_SERVER | |
51 | ||
/*
 * get_eap_user callback handed to the built-in RADIUS server. Looks up the
 * configured EAP user for identity/identity_len (phase2 is passed straight
 * through to hostapd_get_eap_user()) and, when user is non-NULL, copies the
 * configured methods, password, password_hash flag, force_version and
 * ttls_auth into it after zeroing the struct.
 *
 * Returns 0 when the user is configured (a NULL user is a pure existence
 * query), -1 when there is no such user or the password copy cannot be
 * allocated. user->password is a fresh heap copy of credential material;
 * ownership passes to the caller, which presumably frees it.
 */
static int hostapd_radius_get_eap_user(void *ctx, const u8 *identity,
				       size_t identity_len, int phase2,
				       struct eap_user *user)
{
	const struct hostapd_eap_user *cfg_user =
		hostapd_get_eap_user(ctx, identity, identity_len, phase2);
	int i;

	if (!cfg_user)
		return -1;

	/* Existence check only: nothing to fill in. */
	if (!user)
		return 0;

	os_memset(user, 0, sizeof(*user));
	for (i = 0; i < EAP_MAX_METHODS; i++) {
		user->methods[i].vendor = cfg_user->methods[i].vendor;
		user->methods[i].method = cfg_user->methods[i].method;
	}

	if (cfg_user->password) {
		size_t len = cfg_user->password_len;

		user->password = os_malloc(len);
		if (!user->password)
			return -1;
		os_memcpy(user->password, cfg_user->password, len);
		user->password_len = len;
		user->password_hash = cfg_user->password_hash;
	}
	user->force_version = cfg_user->force_version;
	user->ttls_auth = cfg_user->ttls_auth;

	return 0;
}
86 | ||
87 | ||
/*
 * Translate the BSS configuration into a radius_server_conf and start the
 * built-in RADIUS authentication server, storing the handle in
 * hapd->radius_srv. authsrv_init() only calls this when
 * conf->radius_server_clients is set. Returns 0 on success, -1 (after
 * logging) when radius_server_init() fails.
 */
static int hostapd_setup_radius_srv(struct hostapd_data *hapd)
{
	struct hostapd_bss_config *conf = hapd->conf;
	/* Designated initializer: every field not listed is zeroed, which is
	 * what a hand-filled struct would need an explicit memset for. */
	struct radius_server_conf srv = {
		.client_file = conf->radius_server_clients,
		.auth_port = conf->radius_server_auth_port,
		.conf_ctx = hapd,
		.eap_sim_db_priv = hapd->eap_sim_db_priv,
		.ssl_ctx = hapd->ssl_ctx,
		.msg_ctx = hapd->msg_ctx,
		.pac_opaque_encr_key = conf->pac_opaque_encr_key,
		.eap_fast_a_id = conf->eap_fast_a_id,
		.eap_fast_a_id_len = conf->eap_fast_a_id_len,
		.eap_fast_a_id_info = conf->eap_fast_a_id_info,
		.eap_fast_prov = conf->eap_fast_prov,
		.pac_key_lifetime = conf->pac_key_lifetime,
		.pac_key_refresh_time = conf->pac_key_refresh_time,
		.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind,
		.tnc = conf->tnc,
		.wps = hapd->wps,
		.ipv6 = conf->radius_server_ipv6,
		.get_eap_user = hostapd_radius_get_eap_user,
		.eap_req_id_text = conf->eap_req_id_text,
		.eap_req_id_text_len = conf->eap_req_id_text_len,
		.pwd_group = conf->pwd_group,
#ifdef CONFIG_RADIUS_TEST
		/* Only present in CONFIG_RADIUS_TEST builds; absent from a
		 * normal build, so the field stays zero there. */
		.dump_msk_file = conf->dump_msk_file,
#endif /* CONFIG_RADIUS_TEST */
	};

	hapd->radius_srv = radius_server_init(&srv);
	if (!hapd->radius_srv) {
		wpa_printf(MSG_ERROR, "RADIUS server initialization failed.");
		return -1;
	}

	return 0;
}
126 | ||
127 | #endif /* RADIUS_SERVER */ | |
128 | ||
129 | ||
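#ifdef EAP_TLS_FUNCS
/*
 * Create the global TLS context for the EAP server and load the configured
 * certificate/key material into it. Returns 0 on success, -1 (after
 * logging) on failure. On failure hapd->ssl_ctx may already have been
 * allocated; the caller releases it via authsrv_deinit().
 */
static int authsrv_setup_tls(struct hostapd_data *hapd)
{
	struct hostapd_bss_config *conf = hapd->conf;
	struct tls_connection_params params;

	hapd->ssl_ctx = tls_init(NULL);
	if (hapd->ssl_ctx == NULL) {
		wpa_printf(MSG_ERROR, "Failed to initialize TLS");
		return -1;
	}

	os_memset(&params, 0, sizeof(params));
	params.ca_cert = conf->ca_cert;
	/* The generic TLS parameter struct has no "server cert" slot; the
	 * server's own certificate goes in client_cert. */
	params.client_cert = conf->server_cert;
	params.private_key = conf->private_key;
	params.private_key_passwd = conf->private_key_passwd;
	params.dh_file = conf->dh_file;

	if (tls_global_set_params(hapd->ssl_ctx, &params)) {
		wpa_printf(MSG_ERROR, "Failed to set TLS parameters");
		return -1;
	}

	/* conf->check_crl is handed to the TLS layer's verify setup; the
	 * option name indicates CRL checking of peer certificates. */
	if (tls_global_set_verify(hapd->ssl_ctx, conf->check_crl)) {
		wpa_printf(MSG_ERROR, "Failed to enable check_crl");
		return -1;
	}

	return 0;
}
#endif /* EAP_TLS_FUNCS */


/*
 * Set up the authentication-server side of a BSS: the TLS context used by
 * certificate-based EAP methods, the EAP-SIM/AKA database interface and the
 * built-in RADIUS server, each only when compiled in and configured.
 *
 * Returns 0 on success. On any failure the partially initialized state is
 * released with authsrv_deinit() before -1 is returned, so a failed init
 * never leaves a live TLS context, database handle or RADIUS server behind.
 * authsrv_deinit() resets every handle it frees, so the caller may still
 * call it again.
 */
int authsrv_init(struct hostapd_data *hapd)
{
#ifdef EAP_TLS_FUNCS
	/* TLS is only needed when the integrated EAP server is enabled and
	 * some certificate material is configured. */
	if (hapd->conf->eap_server &&
	    (hapd->conf->ca_cert || hapd->conf->server_cert ||
	     hapd->conf->dh_file)) {
		if (authsrv_setup_tls(hapd) < 0) {
			authsrv_deinit(hapd);
			return -1;
		}
	}
#endif /* EAP_TLS_FUNCS */

#ifdef EAP_SIM_DB
	if (hapd->conf->eap_sim_db) {
		hapd->eap_sim_db_priv =
			eap_sim_db_init(hapd->conf->eap_sim_db,
					hostapd_sim_db_cb, hapd);
		if (hapd->eap_sim_db_priv == NULL) {
			wpa_printf(MSG_ERROR, "Failed to initialize EAP-SIM "
				   "database interface");
			authsrv_deinit(hapd);
			return -1;
		}
	}
#endif /* EAP_SIM_DB */

#ifdef RADIUS_SERVER
	if (hapd->conf->radius_server_clients &&
	    hostapd_setup_radius_srv(hapd)) {
		/* Keep this error path consistent with the TLS and SIM-DB
		 * branches: release the TLS context and database handle set
		 * up above instead of leaving them for the caller. */
		authsrv_deinit(hapd);
		return -1;
	}
#endif /* RADIUS_SERVER */

	return 0;
}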
189 | ||
190 | ||
/*
 * Release everything authsrv_init() set up. The RADIUS server goes first
 * because it was handed ssl_ctx and eap_sim_db_priv at init time; the TLS
 * context and the EAP-SIM/AKA database handle follow. Each handle is reset
 * to NULL, so running this on a partially initialized hapd is fine, and so
 * is a second call, provided radius_server_deinit() accepts NULL — which the
 * unconditional call below already relies on when no server was started.
 */
void authsrv_deinit(struct hostapd_data *hapd)
{
#ifdef RADIUS_SERVER
	radius_server_deinit(hapd->radius_srv);
	hapd->radius_srv = NULL;
#endif /* RADIUS_SERVER */

#ifdef EAP_TLS_FUNCS
	void *tls = hapd->ssl_ctx;

	hapd->ssl_ctx = NULL;
	if (tls)
		tls_deinit(tls);
#endif /* EAP_TLS_FUNCS */

#ifdef EAP_SIM_DB
	void *sim_db = hapd->eap_sim_db_priv;

	hapd->eap_sim_db_priv = NULL;
	if (sim_db)
		eap_sim_db_deinit(sim_db);
#endif /* EAP_SIM_DB */
}
199 | if (hapd->ssl_ctx) { | |
200 | tls_deinit(hapd->ssl_ctx); | |
201 | hapd->ssl_ctx = NULL; | |
202 | } | |
203 | #endif /* EAP_TLS_FUNCS */ | |
204 | ||
205 | #ifdef EAP_SIM_DB | |
206 | if (hapd->eap_sim_db_priv) { | |
207 | eap_sim_db_deinit(hapd->eap_sim_db_priv); | |
208 | hapd->eap_sim_db_priv = NULL; | |
209 | } | |
210 | #endif /* EAP_SIM_DB */ | |
211 | } |