2 * Authentication server setup
3 * Copyright (c) 2002-2009, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
9 #include "utils/includes.h"
11 #include "utils/common.h"
12 #include "crypto/tls.h"
13 #include "eap_server/eap.h"
14 #include "eap_server/eap_sim_db.h"
15 #include "eapol_auth/eapol_auth_sm.h"
16 #include "radius/radius_server.h"
18 #include "ap_config.h"
23 #if defined(EAP_SERVER_SIM) || defined(EAP_SERVER_AKA)
25 #endif /* EAP_SERVER_SIM || EAP_SERVER_AKA */
/*
 * hostapd_sim_db_cb_sta - Per-station callback for a completed EAP-SIM/AKA
 * database operation
 * @hapd: BSS data (not used in the visible body)
 * @sta: Station currently visited by ap_for_each_sta()
 * @ctx: The session_ctx delivered to hostapd_sim_db_cb(); identifies the
 *	pending EAP session the database result belongs to
 *
 * Called for each associated station from hostapd_sim_db_cb() so that the
 * station's EAPOL authenticator state machine can claim the pending request.
 *
 * NOTE(review): this extract omits the function's braces and its return
 * statements; only the visible condition is documented. Presumably a 0
 * result from eapol_auth_eap_pending_cb() means @sta owned the request and
 * the station walk can stop — confirm against eapol_auth_sm.c before relying
 * on that.
 */
static int hostapd_sim_db_cb_sta(struct hostapd_data *hapd,
				 struct sta_info *sta, void *ctx)
	/* Offer the database result to this station's EAPOL state machine;
	 * the BSS pointer is not needed for that. */
	if (eapol_auth_eap_pending_cb(sta->eapol_sm, ctx) == 0)
/*
 * hostapd_sim_db_cb - Completion callback for the EAP-SIM/AKA database
 * @ctx: The struct hostapd_data registered with eap_sim_db_init() in
 *	authsrv_init()
 * @session_ctx: Opaque pending-session handle; passed on unchanged
 *
 * The database result is first offered to the local EAPOL authenticators,
 * one station at a time (see hostapd_sim_db_cb_sta). Only when that walk
 * returns 0 — no station claimed the session — is the pending request handed
 * to the built-in RADIUS server, presumably because the session was started
 * on behalf of a RADIUS client rather than a directly associated station.
 *
 * NOTE(review): the extract omits the opening brace, the closing braces and
 * the #ifdef RADIUS_SERVER line that pairs with the #endif below; confirm
 * against the upstream file.
 */
static void hostapd_sim_db_cb(void *ctx, void *session_ctx)
	struct hostapd_data *hapd = ctx;
	/* 0 from the walk: no EAPOL state machine owned session_ctx. */
	if (ap_for_each_sta(hapd, hostapd_sim_db_cb_sta, session_ctx) == 0) {
		/* hapd->radius_srv is NULL unless a radius_server_clients file
		 * was configured (see authsrv_init()) — this relies on
		 * radius_server_eap_pending_cb() tolerating a NULL server;
		 * verify in radius_server.c. */
		radius_server_eap_pending_cb(hapd->radius_srv, session_ctx);
#endif /* RADIUS_SERVER */
47 #endif /* EAP_SIM_DB */
/*
 * hostapd_radius_get_eap_user - get_eap_user callback for the built-in
 * RADIUS server
 * @ctx: struct hostapd_data, forwarded to hostapd_get_eap_user()
 * @identity: EAP identity supplied by the peer — untrusted input, bounded by
 *	@identity_len rather than NUL-terminated
 * @identity_len: Length of @identity in octets
 * @phase2: Presumably non-zero when resolving the inner (phase 2) identity
 *	of a tunneled method; the match rules live in hostapd_get_eap_user()
 * @user: Output; receives a private copy of the matching configuration
 *
 * Resolves @identity against the configured EAP user database and copies the
 * relevant fields — allowed methods, credential, salt and per-user policy
 * flags — into the caller-owned struct eap_user. The credential is
 * duplicated rather than aliased, so @user ends up holding secret material
 * (plaintext, or a hash when password_hash is set) that whoever frees the
 * struct must wipe, not merely free.
 *
 * NOTE(review): this extract is incomplete. Not shown: the NULL check on the
 * result of hostapd_get_eap_user() before eap_user->methods is read, the
 * declaration of i, the error branch after the password copy, the length
 * argument of the salt os_memdup() and its NULL check, the failure label and
 * all return statements. Confirm against the upstream file before drawing
 * conclusions about the error handling.
 */
static int hostapd_radius_get_eap_user(void *ctx, const u8 *identity,
				       size_t identity_len, int phase2,
				       struct eap_user *user)
	const struct hostapd_eap_user *eap_user;

	/* Lookup in the BSS EAP user database (ap_config.c, not shown). */
	eap_user = hostapd_get_eap_user(ctx, identity, identity_len, phase2);

	/* Start from a clean struct so no field keeps a stale pointer from a
	 * previously resolved user. */
	os_memset(user, 0, sizeof(*user));
	/* Copy the whole method list; both sides are EAP_MAX_METHODS long. */
	for (i = 0; i < EAP_MAX_METHODS; i++) {
		user->methods[i].vendor = eap_user->methods[i].vendor;
		user->methods[i].method = eap_user->methods[i].method;

	if (eap_user->password) {
		/* Private copy of the credential; the configuration's own
		 * buffer is never handed out to the EAP server. */
		user->password = os_memdup(eap_user->password,
					   eap_user->password_len);
		if (user->password == NULL)
		/* (allocation-failure branch not in this extract) */
		user->password_len = eap_user->password_len;
		/* Non-zero when password holds a hash rather than the
		 * plaintext — presumably; which methods accept that is decided
		 * in the EAP method code, not here. */
		user->password_hash = eap_user->password_hash;
		/* Copied only when both a salt pointer and a non-zero length
		 * are present. */
		if (eap_user->salt && eap_user->salt_len) {
			user->salt = os_memdup(eap_user->salt, /* length argument and NULL check not in this extract */
			user->salt_len = eap_user->salt_len;

	/* Per-user policy knobs, forwarded unchanged. */
	user->force_version = eap_user->force_version;
	user->macacl = eap_user->macacl;
	user->ttls_auth = eap_user->ttls_auth;
	user->remediation = eap_user->remediation;
	user->accept_attr = eap_user->accept_attr;
	user->t_c_timestamp = eap_user->t_c_timestamp;

	/* Failure-path diagnostic; its label and the return value are not in
	 * this extract. */
	wpa_printf(MSG_DEBUG, "%s: Failed to find user", __func__);
/*
 * hostapd_setup_radius_srv - Start the built-in RADIUS server for this BSS
 * @hapd: BSS data; on success hapd->radius_srv is set
 *
 * Builds a struct radius_server_conf from the BSS configuration and hands it
 * to radius_server_init(). Every field is either copied by value or is a
 * pointer into memory owned by hapd->conf; presumably radius_server_init()
 * does not duplicate those, so the configuration must outlive the server —
 * confirm in radius_server.c. Only called when conf->radius_server_clients
 * is set (see authsrv_init()): the clients file, which lists the permitted
 * RADIUS clients and their shared secrets, is what enables the server at all.
 *
 * NOTE(review): the opening brace, the #ifdef CONFIG_HS20 pairing with the
 * #endif below, a few intermediate lines and both return statements are not
 * in this extract; confirm against the upstream file.
 */
static int hostapd_setup_radius_srv(struct hostapd_data *hapd)
	struct radius_server_conf srv;
	struct hostapd_bss_config *conf = hapd->conf;
	os_memset(&srv, 0, sizeof(srv));
	/* Permitted RADIUS clients and their shared secrets. */
	srv.client_file = conf->radius_server_clients;
	srv.auth_port = conf->radius_server_auth_port;
	srv.acct_port = conf->radius_server_acct_port;
	/* Borrowed from the local EAP server; both are torn down in
	 * authsrv_deinit(), RADIUS server first. */
	srv.eap_sim_db_priv = hapd->eap_sim_db_priv;
	srv.ssl_ctx = hapd->ssl_ctx;
	srv.msg_ctx = hapd->msg_ctx;
	/* EAP-FAST: the key protecting PAC-Opaque, the server A-ID and the
	 * PAC lifetime/refresh policy. */
	srv.pac_opaque_encr_key = conf->pac_opaque_encr_key;
	srv.eap_fast_a_id = conf->eap_fast_a_id;
	srv.eap_fast_a_id_len = conf->eap_fast_a_id_len;
	srv.eap_fast_a_id_info = conf->eap_fast_a_id_info;
	srv.eap_fast_prov = conf->eap_fast_prov;
	srv.pac_key_lifetime = conf->pac_key_lifetime;
	srv.pac_key_refresh_time = conf->pac_key_refresh_time;
	/* EAP-TEAP options. */
	srv.eap_teap_auth = conf->eap_teap_auth;
	srv.eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
	srv.eap_teap_separate_result = conf->eap_teap_separate_result;
	/* EAP-SIM/AKA options. */
	srv.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
	srv.eap_sim_id = conf->eap_sim_id;
	srv.ipv6 = conf->radius_server_ipv6;
	/* User lookups go through the BSS EAP user database. */
	srv.get_eap_user = hostapd_radius_get_eap_user;
	srv.eap_req_id_text = conf->eap_req_id_text;
	srv.eap_req_id_text_len = conf->eap_req_id_text_len;
	srv.pwd_group = conf->pwd_group;
	/* Server identity string; the literal "hostapd" is used when none is
	 * configured. */
	srv.server_id = conf->server_id ? conf->server_id : "hostapd";
	srv.sqlite_file = conf->eap_user_sqlite;
#ifdef CONFIG_RADIUS_TEST
	/* Presumably dumps derived session keys (MSK) to a file, going by the
	 * name. Test builds only — this must never be compiled into a
	 * production binary. */
	srv.dump_msk_file = conf->dump_msk_file;
#endif /* CONFIG_RADIUS_TEST */
	/* Hotspot 2.0 subscription remediation / provisioning / T&C URLs. */
	srv.subscr_remediation_url = conf->subscr_remediation_url;
	srv.subscr_remediation_method = conf->subscr_remediation_method;
	srv.hs20_sim_provisioning_url = conf->hs20_sim_provisioning_url;
	srv.t_c_server_url = conf->t_c_server_url;
#endif /* CONFIG_HS20 */
	/* EAP Re-authentication Protocol (ERP) and TLS policy pass-through;
	 * the same tls_session_lifetime/tls_flags values are also applied to
	 * the local TLS context in authsrv_init(). */
	srv.erp = conf->eap_server_erp;
	srv.erp_domain = conf->erp_domain;
	srv.tls_session_lifetime = conf->tls_session_lifetime;
	srv.tls_flags = conf->tls_flags;
	hapd->radius_srv = radius_server_init(&srv);
	if (hapd->radius_srv == NULL) {
		wpa_printf(MSG_ERROR, "RADIUS server initialization failed.");
160 #endif /* RADIUS_SERVER */
/*
 * authsrv_tls_event - TLS layer event callback for the local EAP server
 * @ctx: Opaque context registered in authsrv_init() (not used in the visible
 *	body)
 * @ev: Event type
 * @data: Event payload; which union member is valid depends on @ev
 *
 * Logging only; nothing here changes the outcome of a handshake. Note that
 * cert_fail.subject, peer_cert.subject and peer_cert.serial_num come from
 * the certificate the *peer* presented, i.e. they are attacker-controlled
 * text: anything consuming these log lines must not trust them (embedded
 * control characters or newlines are possible). The format strings are
 * literals, so there is no format-string exposure here.
 *
 * NOTE(review): the extract drops the switch (ev) statement, the case label
 * for the alert branch, the else between the two alert messages, the break
 * statements and the braces; only the per-event bodies are shown. Confirm
 * against the upstream file.
 */
static void authsrv_tls_event(void *ctx, enum tls_event ev,
			      union tls_event_data *data)
	case TLS_CERT_CHAIN_SUCCESS:
		wpa_printf(MSG_DEBUG, "authsrv: remote certificate verification success");
	case TLS_CERT_CHAIN_FAILURE:
		/* Logged at MSG_INFO so rejected peer certificates are visible
		 * without debug logging. reason is a numeric code from the TLS
		 * layer, reason_txt its textual form. */
		wpa_printf(MSG_INFO, "authsrv: certificate chain failure: reason=%d depth=%d subject='%s' err='%s'",
			   data->cert_fail.reason,
			   data->cert_fail.depth,
			   data->cert_fail.subject,
			   data->cert_fail.reason_txt);
	case TLS_PEER_CERTIFICATE:
		/* serial_num may be absent and is guarded; subject is passed
		 * unguarded, so the TLS backend is presumably expected to
		 * always fill it — confirm in the tls_*.c backend in use. */
		wpa_printf(MSG_DEBUG, "authsrv: peer certificate: depth=%d serial_num=%s subject=%s",
			   data->peer_cert.depth,
			   data->peer_cert.serial_num ? data->peer_cert.serial_num : "N/A",
			   data->peer_cert.subject);
		/* Alert branch; its case label is not in this extract. */
		if (data->alert.is_local)
			wpa_printf(MSG_DEBUG, "authsrv: local TLS alert: %s",
				   data->alert.description);
		/* (the else keyword is not in this extract) */
		wpa_printf(MSG_DEBUG, "authsrv: remote TLS alert: %s",
			   data->alert.description);
194 #endif /* EAP_TLS_FUNCS */
/*
 * authsrv_init - Bring up the authentication-server side of a BSS
 * @hapd: BSS data; on success ssl_ctx, eap_sim_db_priv and radius_srv are
 *	populated as far as the configuration asks for them
 * Returns: presumably 0 on success and -1 on failure; none of the return
 *	statements are in this extract
 *
 * Three optional components are started in dependency order:
 *   1. a TLS context for the local EAP server, only if eap_server is enabled
 *      and at least one certificate/key/DH file is configured;
 *   2. the EAP-SIM/AKA database interface, if eap_sim_db is set;
 *   3. the built-in RADIUS server, if a radius_server_clients file is set.
 * The RADIUS server borrows the first two (see hostapd_setup_radius_srv()),
 * which is why it comes last. Every visible failure path calls
 * authsrv_deinit(), so a partially initialised BSS is cleaned up before the
 * error is reported.
 *
 * NOTE(review): the extract omits the opening brace, the #ifdef EAP_TLS_FUNCS,
 * #ifdef EAP_SIM_DB and #ifdef RADIUS_SERVER lines pairing with the #endifs
 * below, the wpa_printf() calls that own the two CRL message strings,
 * several closing braces and all return statements. Confirm against the
 * upstream file.
 */
int authsrv_init(struct hostapd_data *hapd)
	/* ca_cert alone is enough to create a TLS context — presumably it is
	 * the trust anchor for peer (client) certificates. server_cert2 /
	 * private_key2 are a second server certificate/key pair. */
	if (hapd->conf->eap_server &&
	    (hapd->conf->ca_cert || hapd->conf->server_cert ||
	     hapd->conf->private_key || hapd->conf->dh_file ||
	     hapd->conf->server_cert2 || hapd->conf->private_key2)) {
		struct tls_config conf;
		struct tls_connection_params params;

		os_memset(&conf, 0, sizeof(conf));
		/* Session-cache lifetime. Resumed sessions presumably skip the
		 * full chain/CRL validation, so a long lifetime delays the
		 * effect of a revocation — confirm in the TLS backend. */
		conf.tls_session_lifetime = hapd->conf->tls_session_lifetime;
		/* Periodic CRL reload only makes sense when CRL checking is
		 * on. The misconfiguration is logged and then ignored: start-up
		 * continues with no revocation checking at all, so an operator
		 * who relies on crl_reload_interval must also set check_crl
		 * explicitly. */
		if (hapd->conf->crl_reload_interval > 0 &&
		    hapd->conf->check_crl <= 0) {
			/* (wpa_printf() call line not in this extract) */
			   "Cannot enable CRL reload functionality - it depends on check_crl being set");
		} else if (hapd->conf->crl_reload_interval > 0) {
			conf.crl_reload_interval =
				hapd->conf->crl_reload_interval;
			/* (wpa_printf() call line not in this extract) */
				   "Enabled CRL reload functionality");
		conf.tls_flags = hapd->conf->tls_flags;
		/* Certificate and alert events are logged by
		 * authsrv_tls_event(). */
		conf.event_cb = authsrv_tls_event;

		hapd->ssl_ctx = tls_init(&conf);
		if (hapd->ssl_ctx == NULL) {
			wpa_printf(MSG_ERROR, "Failed to initialize TLS");
			authsrv_deinit(hapd);

		os_memset(&params, 0, sizeof(params));
		/* Field naming: hostapd's own server certificate and key go
		 * into the client_cert / private_key slots of
		 * tls_connection_params; this is the expected mapping, not a
		 * bug. The *2 variants carry the second pair and
		 * private_key_passwd* unlock encrypted key files. */
		params.ca_cert = hapd->conf->ca_cert;
		params.client_cert = hapd->conf->server_cert;
		params.client_cert2 = hapd->conf->server_cert2;
		params.private_key = hapd->conf->private_key;
		params.private_key2 = hapd->conf->private_key2;
		params.private_key_passwd = hapd->conf->private_key_passwd;
		params.private_key_passwd2 = hapd->conf->private_key_passwd2;
		params.dh_file = hapd->conf->dh_file;
		/* Operator-controlled cipher suite and ECDH group policy. */
		params.openssl_ciphers = hapd->conf->openssl_ciphers;
		params.openssl_ecdh_curves = hapd->conf->openssl_ecdh_curves;
		/* Pre-fetched OCSP responses to staple for the server chain. */
		params.ocsp_stapling_response =
			hapd->conf->ocsp_stapling_response;
		params.ocsp_stapling_response_multi =
			hapd->conf->ocsp_stapling_response_multi;
		/* Additional constraint on the peer certificate's subject. */
		params.check_cert_subject = hapd->conf->check_cert_subject;

		if (tls_global_set_params(hapd->ssl_ctx, &params)) {
			wpa_printf(MSG_ERROR, "Failed to set TLS parameters");
			authsrv_deinit(hapd);

		/* check_crl and check_crl_strict are forwarded as-is;
		 * presumably the former selects the CRL-checking depth and the
		 * latter whether a missing/unusable CRL is fatal — see the
		 * hostapd.conf documentation. */
		if (tls_global_set_verify(hapd->ssl_ctx,
					  hapd->conf->check_crl,
					  hapd->conf->check_crl_strict)) {
			wpa_printf(MSG_ERROR, "Failed to enable check_crl");
			authsrv_deinit(hapd);
#endif /* EAP_TLS_FUNCS */

	if (hapd->conf->eap_sim_db) {
		/* hostapd_sim_db_cb() is invoked with hapd as its ctx when a
		 * database operation completes. */
		hapd->eap_sim_db_priv =
			eap_sim_db_init(hapd->conf->eap_sim_db,
					hapd->conf->eap_sim_db_timeout,
					hostapd_sim_db_cb, hapd);
		if (hapd->eap_sim_db_priv == NULL) {
			wpa_printf(MSG_ERROR, "Failed to initialize EAP-SIM "
				   "database interface");
			authsrv_deinit(hapd);
#endif /* EAP_SIM_DB */

	/* The RADIUS server is opt-in: it only runs when a clients file (with
	 * shared secrets) is configured. Failure is fatal for the BSS. */
	if (hapd->conf->radius_server_clients &&
	    hostapd_setup_radius_srv(hapd))
#endif /* RADIUS_SERVER */
/*
 * authsrv_deinit - Tear down everything authsrv_init() set up
 * @hapd: BSS data; radius_srv, ssl_ctx and eap_sim_db_priv are released and
 *	reset to NULL
 *
 * Also used by authsrv_init() itself on every failure path, so it has to
 * cope with a partially initialised BSS: each pointer is reset to NULL after
 * its deinit call, which keeps the function safe to call again and prevents
 * a stale pointer from being released twice. The order is the reverse of
 * authsrv_init(): the RADIUS server goes first because it borrows ssl_ctx and
 * eap_sim_db_priv (see hostapd_setup_radius_srv()).
 *
 * NOTE(review): the opening brace, the #ifdef RADIUS_SERVER / EAP_TLS_FUNCS /
 * EAP_SIM_DB lines pairing with the #endifs below and the closing braces are
 * not in this extract. Whether radius_server_deinit() and tls_deinit() are
 * called unguarded (and so must tolerate NULL) or sit behind an omitted
 * if-check cannot be told from here — confirm against the upstream file.
 */
void authsrv_deinit(struct hostapd_data *hapd)
	/* RADIUS server first: it references the TLS context and SIM DB. */
	radius_server_deinit(hapd->radius_srv);
	hapd->radius_srv = NULL;
#endif /* RADIUS_SERVER */
	tls_deinit(hapd->ssl_ctx);
	hapd->ssl_ctx = NULL;
#endif /* EAP_TLS_FUNCS */
	if (hapd->eap_sim_db_priv) {
		eap_sim_db_deinit(hapd->eap_sim_db_priv);
		hapd->eap_sim_db_priv = NULL;
#endif /* EAP_SIM_DB */