/*
 * Authentication server setup
 * Copyright (c) 2002-2009, Jouni Malinen <j@w1.fi>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 * Alternatively, this software may be distributed under the terms of BSD
 * license.
 *
 * See README and COPYING for more details.
 */

#include "utils/includes.h"

#include "utils/common.h"
#include "crypto/tls.h"
#include "eap_server/eap.h"
#include "eap_server/eap_sim_db.h"
#include "eapol_auth/eapol_auth_sm.h"
#include "radius/radius_server.h"
#include "hostapd.h"
#include "ap_config.h"
#include "sta_info.h"
#include "authsrv.h"


#if defined(EAP_SERVER_SIM) || defined(EAP_SERVER_AKA)
#define EAP_SIM_DB
#endif /* EAP_SERVER_SIM || EAP_SERVER_AKA */


#ifdef EAP_SIM_DB
/*
 * ap_for_each_sta() callback used when an EAP-SIM/AKA database lookup has
 * completed: offer the pending result (ctx) to this station's EAPOL state
 * machine.
 *
 * Returns 1 when the station's state machine accepted the session (which
 * stops the iteration), 0 to keep looking at other stations. hapd is unused.
 */
static int hostapd_sim_db_cb_sta(struct hostapd_data *hapd,
				 struct sta_info *sta, void *ctx)
{
	if (eapol_auth_eap_pending_cb(sta->eapol_sm, ctx) != 0)
		return 0;
	return 1;
}


/*
 * Completion callback registered with eap_sim_db_init(). The finished
 * session is first offered to the locally associated stations; only when
 * none of them claims it is it forwarded to the integrated RADIUS server
 * (when one is compiled in).
 */
static void hostapd_sim_db_cb(void *ctx, void *session_ctx)
{
	struct hostapd_data *hapd = ctx;

	if (ap_for_each_sta(hapd, hostapd_sim_db_cb_sta, session_ctx) != 0)
		return; /* a local station owned the pending session */
#ifdef RADIUS_SERVER
	radius_server_eap_pending_cb(hapd->radius_srv, session_ctx);
#endif /* RADIUS_SERVER */
}
#endif /* EAP_SIM_DB */


#ifdef RADIUS_SERVER

/*
 * Copy the configured EAP method list from a hostapd user entry into the
 * RADIUS server's eap_user structure. The copy is bounded by the smaller of
 * the two arrays (EAP_USER_MAX_METHODS vs. EAP_MAX_METHODS).
 */
static void hostapd_copy_eap_methods(struct eap_user *dst,
				     const struct hostapd_eap_user *src)
{
	int limit = EAP_USER_MAX_METHODS;
	int idx;

	if (limit > EAP_MAX_METHODS)
		limit = EAP_MAX_METHODS;
	for (idx = 0; idx < limit; idx++) {
		dst->methods[idx].vendor = src->methods[idx].vendor;
		dst->methods[idx].method = src->methods[idx].method;
	}
}


/*
 * get_eap_user callback for the integrated RADIUS server.
 *
 * Looks up identity/identity_len (phase 1 or phase 2 according to phase2)
 * in the hostapd EAP user database. When user is NULL this is only an
 * existence probe and nothing is written. Otherwise user is zeroed and then
 * filled with the method list, a heap copy of the configured password (if
 * any) together with its length and hash flag, and the force_version and
 * ttls_auth settings.
 *
 * Returns 0 on success, -1 if the identity is unknown or the password copy
 * could not be allocated. On success ownership of user->password passes to
 * the caller.
 * NOTE(review): the caller is expected to clear and free user->password
 * once authentication is done — confirm against the eap_user handling in
 * the RADIUS/EAP server code, which is not on this page.
 */
static int hostapd_radius_get_eap_user(void *ctx, const u8 *identity,
				       size_t identity_len, int phase2,
				       struct eap_user *user)
{
	const struct hostapd_eap_user *entry =
		hostapd_get_eap_user(ctx, identity, identity_len, phase2);

	if (entry == NULL)
		return -1;
	if (user == NULL)
		return 0; /* existence check only */

	os_memset(user, 0, sizeof(*user));
	hostapd_copy_eap_methods(user, entry);

	if (entry->password) {
		size_t plen = entry->password_len;

		user->password = os_malloc(plen);
		if (user->password == NULL)
			return -1;
		os_memcpy(user->password, entry->password, plen);
		user->password_len = plen;
		user->password_hash = entry->password_hash;
	}
	user->force_version = entry->force_version;
	user->ttls_auth = entry->ttls_auth;

	return 0;
}


/*
 * Start the integrated RADIUS authentication server from the BSS
 * configuration. The server configuration captures hapd->ssl_ctx and
 * hapd->eap_sim_db_priv, so this must run after those have been set up.
 *
 * Returns 0 on success, -1 when radius_server_init() fails (an error is
 * logged; hapd->radius_srv is left NULL).
 */
static int hostapd_setup_radius_srv(struct hostapd_data *hapd)
{
	struct hostapd_bss_config *conf = hapd->conf;
	/* Designated initializer: every member not listed starts out zero. */
	struct radius_server_conf srv = {
		.client_file = conf->radius_server_clients,
		.auth_port = conf->radius_server_auth_port,
		.conf_ctx = conf,
		.eap_sim_db_priv = hapd->eap_sim_db_priv,
		.ssl_ctx = hapd->ssl_ctx,
		.msg_ctx = hapd->msg_ctx,
		.pac_opaque_encr_key = conf->pac_opaque_encr_key,
		.eap_fast_a_id = conf->eap_fast_a_id,
		.eap_fast_a_id_len = conf->eap_fast_a_id_len,
		.eap_fast_a_id_info = conf->eap_fast_a_id_info,
		.eap_fast_prov = conf->eap_fast_prov,
		.pac_key_lifetime = conf->pac_key_lifetime,
		.pac_key_refresh_time = conf->pac_key_refresh_time,
		.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind,
		.tnc = conf->tnc,
		.wps = hapd->wps,
		.ipv6 = conf->radius_server_ipv6,
		.get_eap_user = hostapd_radius_get_eap_user,
		.eap_req_id_text = conf->eap_req_id_text,
		.eap_req_id_text_len = conf->eap_req_id_text_len,
	};

	hapd->radius_srv = radius_server_init(&srv);
	if (hapd->radius_srv == NULL) {
		wpa_printf(MSG_ERROR, "RADIUS server initialization failed.");
		return -1;
	}

	return 0;
}

#endif /* RADIUS_SERVER */


#ifdef EAP_TLS_FUNCS
/*
 * Create the TLS server context for the local EAP server from the BSS
 * certificate, private key and DH configuration, and enable CRL checking
 * according to check_crl.
 *
 * Returns 0 on success, -1 on failure. On failure hapd->ssl_ctx may already
 * be set; the caller is responsible for tearing it down (authsrv_deinit()).
 */
static int authsrv_init_tls(struct hostapd_data *hapd)
{
	struct hostapd_bss_config *conf = hapd->conf;
	struct tls_connection_params params;

	hapd->ssl_ctx = tls_init(NULL);
	if (hapd->ssl_ctx == NULL) {
		wpa_printf(MSG_ERROR, "Failed to initialize TLS");
		return -1;
	}

	os_memset(&params, 0, sizeof(params));
	params.ca_cert = conf->ca_cert;
	/* The server certificate is handed over in the client_cert slot. */
	params.client_cert = conf->server_cert;
	params.private_key = conf->private_key;
	params.private_key_passwd = conf->private_key_passwd;
	params.dh_file = conf->dh_file;

	if (tls_global_set_params(hapd->ssl_ctx, &params)) {
		wpa_printf(MSG_ERROR, "Failed to set TLS parameters");
		return -1;
	}

	if (tls_global_set_verify(hapd->ssl_ctx, conf->check_crl)) {
		wpa_printf(MSG_ERROR, "Failed to enable check_crl");
		return -1;
	}

	return 0;
}
#endif /* EAP_TLS_FUNCS */


/*
 * Set up the authentication server components of a BSS: TLS context for
 * the local EAP server, EAP-SIM/AKA database interface, and the integrated
 * RADIUS server. Each part is optional and depends on build options and
 * configuration.
 *
 * Returns 0 on success, -1 on failure. TLS and EAP-SIM DB failures call
 * authsrv_deinit() before returning; a RADIUS server failure returns -1
 * without tearing down the earlier steps (presumably the caller does so —
 * not visible here).
 */
int authsrv_init(struct hostapd_data *hapd)
{
#ifdef EAP_TLS_FUNCS
	/* A TLS context is only needed when the local EAP server is enabled
	 * and at least one TLS-related file is configured. */
	if (hapd->conf->eap_server &&
	    (hapd->conf->ca_cert || hapd->conf->server_cert ||
	     hapd->conf->dh_file) &&
	    authsrv_init_tls(hapd) < 0) {
		authsrv_deinit(hapd);
		return -1;
	}
#endif /* EAP_TLS_FUNCS */

#ifdef EAP_SIM_DB
	if (hapd->conf->eap_sim_db) {
		hapd->eap_sim_db_priv =
			eap_sim_db_init(hapd->conf->eap_sim_db,
					hostapd_sim_db_cb, hapd);
		if (hapd->eap_sim_db_priv == NULL) {
			wpa_printf(MSG_ERROR,
				   "Failed to initialize EAP-SIM database interface");
			authsrv_deinit(hapd);
			return -1;
		}
	}
#endif /* EAP_SIM_DB */

#ifdef RADIUS_SERVER
	/* Last on purpose: the RADIUS server configuration copies
	 * hapd->ssl_ctx and hapd->eap_sim_db_priv set up above. */
	if (hapd->conf->radius_server_clients &&
	    hostapd_setup_radius_srv(hapd) < 0)
		return -1;
#endif /* RADIUS_SERVER */

	return 0;
}


/*
 * Tear down what authsrv_init() set up: the RADIUS server first (it holds
 * references to the TLS context and the EAP-SIM DB), then the TLS context,
 * then the EAP-SIM DB. Each handle is cleared after release so the function
 * can be called on a partially initialized hapd and more than once.
 */
void authsrv_deinit(struct hostapd_data *hapd)
{
#ifdef RADIUS_SERVER
	/* Called unconditionally, so radius_server_deinit() is assumed to
	 * tolerate a NULL handle — confirm in radius_server.c. */
	radius_server_deinit(hapd->radius_srv);
	hapd->radius_srv = NULL;
#endif /* RADIUS_SERVER */

#ifdef EAP_TLS_FUNCS
	if (hapd->ssl_ctx != NULL) {
		tls_deinit(hapd->ssl_ctx);
		hapd->ssl_ctx = NULL;
	}
#endif /* EAP_TLS_FUNCS */

#ifdef EAP_SIM_DB
	if (hapd->eap_sim_db_priv != NULL) {
		eap_sim_db_deinit(hapd->eap_sim_db_priv);
		hapd->eap_sim_db_priv = NULL;
	}
#endif /* EAP_SIM_DB */
}