2009-12-25 12:43:43 +01:00
|
|
|
/*
|
|
|
|
* Authentication server setup
|
|
|
|
* Copyright (c) 2002-2009, Jouni Malinen <j@w1.fi>
|
|
|
|
*
|
2012-02-11 15:46:35 +01:00
|
|
|
* This software may be distributed under the terms of the BSD license.
|
|
|
|
* See README for more details.
|
2009-12-25 12:43:43 +01:00
|
|
|
*/
|
|
|
|
|
|
|
|
#include "utils/includes.h"
|
|
|
|
|
|
|
|
#include "utils/common.h"
|
|
|
|
#include "crypto/tls.h"
|
|
|
|
#include "eap_server/eap.h"
|
|
|
|
#include "eap_server/eap_sim_db.h"
|
|
|
|
#include "eapol_auth/eapol_auth_sm.h"
|
|
|
|
#include "radius/radius_server.h"
|
|
|
|
#include "hostapd.h"
|
2009-12-25 23:05:40 +01:00
|
|
|
#include "ap_config.h"
|
2009-12-25 12:43:43 +01:00
|
|
|
#include "sta_info.h"
|
|
|
|
#include "authsrv.h"
|
|
|
|
|
|
|
|
|
|
|
|
#if defined(EAP_SERVER_SIM) || defined(EAP_SERVER_AKA)
|
|
|
|
#define EAP_SIM_DB
|
|
|
|
#endif /* EAP_SERVER_SIM || EAP_SERVER_AKA */
|
|
|
|
|
|
|
|
|
|
|
|
#ifdef EAP_SIM_DB
|
|
|
|
static int hostapd_sim_db_cb_sta(struct hostapd_data *hapd,
|
|
|
|
struct sta_info *sta, void *ctx)
|
|
|
|
{
|
|
|
|
if (eapol_auth_eap_pending_cb(sta->eapol_sm, ctx) == 0)
|
|
|
|
return 1;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static void hostapd_sim_db_cb(void *ctx, void *session_ctx)
|
|
|
|
{
|
|
|
|
struct hostapd_data *hapd = ctx;
|
|
|
|
if (ap_for_each_sta(hapd, hostapd_sim_db_cb_sta, session_ctx) == 0) {
|
|
|
|
#ifdef RADIUS_SERVER
|
|
|
|
radius_server_eap_pending_cb(hapd->radius_srv, session_ctx);
|
|
|
|
#endif /* RADIUS_SERVER */
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif /* EAP_SIM_DB */
|
|
|
|
|
|
|
|
|
|
|
|
#ifdef RADIUS_SERVER
|
|
|
|
|
|
|
|
static int hostapd_radius_get_eap_user(void *ctx, const u8 *identity,
|
|
|
|
size_t identity_len, int phase2,
|
|
|
|
struct eap_user *user)
|
|
|
|
{
|
|
|
|
const struct hostapd_eap_user *eap_user;
|
2011-11-17 19:06:33 +01:00
|
|
|
int i;
|
2015-03-26 22:39:57 +01:00
|
|
|
int rv = -1;
|
2009-12-25 12:43:43 +01:00
|
|
|
|
|
|
|
eap_user = hostapd_get_eap_user(ctx, identity, identity_len, phase2);
|
|
|
|
if (eap_user == NULL)
|
2015-03-26 22:39:57 +01:00
|
|
|
goto out;
|
2009-12-25 12:43:43 +01:00
|
|
|
|
|
|
|
if (user == NULL)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
os_memset(user, 0, sizeof(*user));
|
2011-11-17 19:06:33 +01:00
|
|
|
for (i = 0; i < EAP_MAX_METHODS; i++) {
|
2009-12-25 12:43:43 +01:00
|
|
|
user->methods[i].vendor = eap_user->methods[i].vendor;
|
|
|
|
user->methods[i].method = eap_user->methods[i].method;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (eap_user->password) {
|
2017-03-07 10:17:23 +01:00
|
|
|
user->password = os_memdup(eap_user->password,
|
|
|
|
eap_user->password_len);
|
2009-12-25 12:43:43 +01:00
|
|
|
if (user->password == NULL)
|
2015-03-26 22:39:57 +01:00
|
|
|
goto out;
|
2009-12-25 12:43:43 +01:00
|
|
|
user->password_len = eap_user->password_len;
|
|
|
|
user->password_hash = eap_user->password_hash;
|
2018-05-25 20:40:04 +02:00
|
|
|
if (eap_user->salt && eap_user->salt_len) {
|
|
|
|
user->salt = os_memdup(eap_user->salt,
|
|
|
|
eap_user->salt_len);
|
|
|
|
if (!user->salt)
|
|
|
|
goto out;
|
|
|
|
user->salt_len = eap_user->salt_len;
|
|
|
|
}
|
2009-12-25 12:43:43 +01:00
|
|
|
}
|
|
|
|
user->force_version = eap_user->force_version;
|
2014-03-29 18:31:56 +01:00
|
|
|
user->macacl = eap_user->macacl;
|
2009-12-25 12:43:43 +01:00
|
|
|
user->ttls_auth = eap_user->ttls_auth;
|
2012-11-21 16:04:21 +01:00
|
|
|
user->remediation = eap_user->remediation;
|
2014-03-07 22:19:52 +01:00
|
|
|
user->accept_attr = eap_user->accept_attr;
|
2018-04-25 23:57:44 +02:00
|
|
|
user->t_c_timestamp = eap_user->t_c_timestamp;
|
2015-03-26 22:39:57 +01:00
|
|
|
rv = 0;
|
2009-12-25 12:43:43 +01:00
|
|
|
|
2015-03-26 22:39:57 +01:00
|
|
|
out:
|
|
|
|
if (rv)
|
|
|
|
wpa_printf(MSG_DEBUG, "%s: Failed to find user", __func__);
|
|
|
|
|
|
|
|
return rv;
|
2009-12-25 12:43:43 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int hostapd_setup_radius_srv(struct hostapd_data *hapd)
|
|
|
|
{
|
|
|
|
struct radius_server_conf srv;
|
|
|
|
struct hostapd_bss_config *conf = hapd->conf;
|
|
|
|
os_memset(&srv, 0, sizeof(srv));
|
|
|
|
srv.client_file = conf->radius_server_clients;
|
|
|
|
srv.auth_port = conf->radius_server_auth_port;
|
2014-02-15 14:37:53 +01:00
|
|
|
srv.acct_port = conf->radius_server_acct_port;
|
2012-11-20 23:47:47 +01:00
|
|
|
srv.conf_ctx = hapd;
|
2009-12-25 12:43:43 +01:00
|
|
|
srv.eap_sim_db_priv = hapd->eap_sim_db_priv;
|
|
|
|
srv.ssl_ctx = hapd->ssl_ctx;
|
2010-04-07 10:13:14 +02:00
|
|
|
srv.msg_ctx = hapd->msg_ctx;
|
2009-12-25 12:43:43 +01:00
|
|
|
srv.pac_opaque_encr_key = conf->pac_opaque_encr_key;
|
|
|
|
srv.eap_fast_a_id = conf->eap_fast_a_id;
|
|
|
|
srv.eap_fast_a_id_len = conf->eap_fast_a_id_len;
|
|
|
|
srv.eap_fast_a_id_info = conf->eap_fast_a_id_info;
|
|
|
|
srv.eap_fast_prov = conf->eap_fast_prov;
|
|
|
|
srv.pac_key_lifetime = conf->pac_key_lifetime;
|
|
|
|
srv.pac_key_refresh_time = conf->pac_key_refresh_time;
|
2019-07-09 15:56:02 +02:00
|
|
|
srv.eap_teap_auth = conf->eap_teap_auth;
|
|
|
|
srv.eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
|
2019-08-16 22:54:51 +02:00
|
|
|
srv.eap_teap_separate_result = conf->eap_teap_separate_result;
|
2019-08-20 00:37:31 +02:00
|
|
|
srv.eap_teap_id = conf->eap_teap_id;
|
2009-12-25 12:43:43 +01:00
|
|
|
srv.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
|
2019-07-31 23:02:02 +02:00
|
|
|
srv.eap_sim_id = conf->eap_sim_id;
|
2009-12-25 12:43:43 +01:00
|
|
|
srv.tnc = conf->tnc;
|
|
|
|
srv.wps = hapd->wps;
|
|
|
|
srv.ipv6 = conf->radius_server_ipv6;
|
|
|
|
srv.get_eap_user = hostapd_radius_get_eap_user;
|
|
|
|
srv.eap_req_id_text = conf->eap_req_id_text;
|
|
|
|
srv.eap_req_id_text_len = conf->eap_req_id_text_len;
|
2010-09-15 09:51:40 +02:00
|
|
|
srv.pwd_group = conf->pwd_group;
|
2013-07-06 17:17:15 +02:00
|
|
|
srv.server_id = conf->server_id ? conf->server_id : "hostapd";
|
2014-02-28 13:11:13 +01:00
|
|
|
srv.sqlite_file = conf->eap_user_sqlite;
|
2011-12-08 23:15:04 +01:00
|
|
|
#ifdef CONFIG_RADIUS_TEST
|
|
|
|
srv.dump_msk_file = conf->dump_msk_file;
|
|
|
|
#endif /* CONFIG_RADIUS_TEST */
|
2012-11-21 16:04:21 +01:00
|
|
|
#ifdef CONFIG_HS20
|
|
|
|
srv.subscr_remediation_url = conf->subscr_remediation_url;
|
|
|
|
srv.subscr_remediation_method = conf->subscr_remediation_method;
|
2018-12-14 14:58:13 +01:00
|
|
|
srv.hs20_sim_provisioning_url = conf->hs20_sim_provisioning_url;
|
2018-06-21 19:50:54 +02:00
|
|
|
srv.t_c_server_url = conf->t_c_server_url;
|
2012-11-21 16:04:21 +01:00
|
|
|
#endif /* CONFIG_HS20 */
|
2014-11-29 20:28:24 +01:00
|
|
|
srv.erp = conf->eap_server_erp;
|
|
|
|
srv.erp_domain = conf->erp_domain;
|
2015-08-23 20:26:39 +02:00
|
|
|
srv.tls_session_lifetime = conf->tls_session_lifetime;
|
2017-09-16 23:11:37 +02:00
|
|
|
srv.tls_flags = conf->tls_flags;
|
2009-12-25 12:43:43 +01:00
|
|
|
|
|
|
|
hapd->radius_srv = radius_server_init(&srv);
|
|
|
|
if (hapd->radius_srv == NULL) {
|
|
|
|
wpa_printf(MSG_ERROR, "RADIUS server initialization failed.");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
#endif /* RADIUS_SERVER */
|
|
|
|
|
|
|
|
|
2018-10-07 15:01:30 +02:00
|
|
|
#ifdef EAP_TLS_FUNCS
|
|
|
|
static void authsrv_tls_event(void *ctx, enum tls_event ev,
|
|
|
|
union tls_event_data *data)
|
|
|
|
{
|
|
|
|
switch (ev) {
|
|
|
|
case TLS_CERT_CHAIN_SUCCESS:
|
|
|
|
wpa_printf(MSG_DEBUG, "authsrv: remote certificate verification success");
|
|
|
|
break;
|
|
|
|
case TLS_CERT_CHAIN_FAILURE:
|
|
|
|
wpa_printf(MSG_INFO, "authsrv: certificate chain failure: reason=%d depth=%d subject='%s' err='%s'",
|
|
|
|
data->cert_fail.reason,
|
|
|
|
data->cert_fail.depth,
|
|
|
|
data->cert_fail.subject,
|
|
|
|
data->cert_fail.reason_txt);
|
|
|
|
break;
|
|
|
|
case TLS_PEER_CERTIFICATE:
|
|
|
|
wpa_printf(MSG_DEBUG, "authsrv: peer certificate: depth=%d serial_num=%s subject=%s",
|
|
|
|
data->peer_cert.depth,
|
|
|
|
data->peer_cert.serial_num ? data->peer_cert.serial_num : "N/A",
|
|
|
|
data->peer_cert.subject);
|
|
|
|
break;
|
|
|
|
case TLS_ALERT:
|
|
|
|
if (data->alert.is_local)
|
|
|
|
wpa_printf(MSG_DEBUG, "authsrv: local TLS alert: %s",
|
|
|
|
data->alert.description);
|
|
|
|
else
|
|
|
|
wpa_printf(MSG_DEBUG, "authsrv: remote TLS alert: %s",
|
|
|
|
data->alert.description);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif /* EAP_TLS_FUNCS */
|
|
|
|
|
|
|
|
|
2009-12-25 12:43:43 +01:00
|
|
|
int authsrv_init(struct hostapd_data *hapd)
|
|
|
|
{
|
|
|
|
#ifdef EAP_TLS_FUNCS
|
|
|
|
if (hapd->conf->eap_server &&
|
|
|
|
(hapd->conf->ca_cert || hapd->conf->server_cert ||
|
2019-07-12 17:11:53 +02:00
|
|
|
hapd->conf->private_key || hapd->conf->dh_file ||
|
|
|
|
hapd->conf->server_cert2 || hapd->conf->private_key2)) {
|
2015-08-23 20:26:39 +02:00
|
|
|
struct tls_config conf;
|
2009-12-25 12:43:43 +01:00
|
|
|
struct tls_connection_params params;
|
|
|
|
|
2015-08-23 20:26:39 +02:00
|
|
|
os_memset(&conf, 0, sizeof(conf));
|
|
|
|
conf.tls_session_lifetime = hapd->conf->tls_session_lifetime;
|
2019-01-16 16:15:01 +01:00
|
|
|
if (hapd->conf->crl_reload_interval > 0 &&
|
|
|
|
hapd->conf->check_crl <= 0) {
|
|
|
|
wpa_printf(MSG_INFO,
|
|
|
|
"Cannot enable CRL reload functionality - it depends on check_crl being set");
|
|
|
|
} else if (hapd->conf->crl_reload_interval > 0) {
|
|
|
|
conf.crl_reload_interval =
|
|
|
|
hapd->conf->crl_reload_interval;
|
|
|
|
wpa_printf(MSG_INFO,
|
|
|
|
"Enabled CRL reload functionality");
|
|
|
|
}
|
2017-09-16 23:11:37 +02:00
|
|
|
conf.tls_flags = hapd->conf->tls_flags;
|
2018-10-07 15:01:30 +02:00
|
|
|
conf.event_cb = authsrv_tls_event;
|
|
|
|
conf.cb_ctx = hapd;
|
2015-08-23 20:26:39 +02:00
|
|
|
hapd->ssl_ctx = tls_init(&conf);
|
2009-12-25 12:43:43 +01:00
|
|
|
if (hapd->ssl_ctx == NULL) {
|
|
|
|
wpa_printf(MSG_ERROR, "Failed to initialize TLS");
|
|
|
|
authsrv_deinit(hapd);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
os_memset(¶ms, 0, sizeof(params));
|
|
|
|
params.ca_cert = hapd->conf->ca_cert;
|
|
|
|
params.client_cert = hapd->conf->server_cert;
|
2019-07-12 17:11:53 +02:00
|
|
|
params.client_cert2 = hapd->conf->server_cert2;
|
2009-12-25 12:43:43 +01:00
|
|
|
params.private_key = hapd->conf->private_key;
|
2019-07-12 17:11:53 +02:00
|
|
|
params.private_key2 = hapd->conf->private_key2;
|
2009-12-25 12:43:43 +01:00
|
|
|
params.private_key_passwd = hapd->conf->private_key_passwd;
|
2019-07-12 17:11:53 +02:00
|
|
|
params.private_key_passwd2 = hapd->conf->private_key_passwd2;
|
2009-12-25 12:43:43 +01:00
|
|
|
params.dh_file = hapd->conf->dh_file;
|
2014-10-12 10:52:05 +02:00
|
|
|
params.openssl_ciphers = hapd->conf->openssl_ciphers;
|
2017-04-20 15:44:31 +02:00
|
|
|
params.openssl_ecdh_curves = hapd->conf->openssl_ecdh_curves;
|
2013-06-29 23:54:24 +02:00
|
|
|
params.ocsp_stapling_response =
|
|
|
|
hapd->conf->ocsp_stapling_response;
|
2015-12-22 18:34:36 +01:00
|
|
|
params.ocsp_stapling_response_multi =
|
|
|
|
hapd->conf->ocsp_stapling_response_multi;
|
2019-02-28 20:39:50 +01:00
|
|
|
params.check_cert_subject = hapd->conf->check_cert_subject;
|
2009-12-25 12:43:43 +01:00
|
|
|
|
|
|
|
if (tls_global_set_params(hapd->ssl_ctx, ¶ms)) {
|
|
|
|
wpa_printf(MSG_ERROR, "Failed to set TLS parameters");
|
|
|
|
authsrv_deinit(hapd);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (tls_global_set_verify(hapd->ssl_ctx,
|
2017-08-07 18:26:33 +02:00
|
|
|
hapd->conf->check_crl,
|
|
|
|
hapd->conf->check_crl_strict)) {
|
2009-12-25 12:43:43 +01:00
|
|
|
wpa_printf(MSG_ERROR, "Failed to enable check_crl");
|
|
|
|
authsrv_deinit(hapd);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif /* EAP_TLS_FUNCS */
|
|
|
|
|
|
|
|
#ifdef EAP_SIM_DB
|
|
|
|
if (hapd->conf->eap_sim_db) {
|
|
|
|
hapd->eap_sim_db_priv =
|
|
|
|
eap_sim_db_init(hapd->conf->eap_sim_db,
|
2015-06-10 13:15:24 +02:00
|
|
|
hapd->conf->eap_sim_db_timeout,
|
2009-12-25 12:43:43 +01:00
|
|
|
hostapd_sim_db_cb, hapd);
|
|
|
|
if (hapd->eap_sim_db_priv == NULL) {
|
|
|
|
wpa_printf(MSG_ERROR, "Failed to initialize EAP-SIM "
|
|
|
|
"database interface");
|
|
|
|
authsrv_deinit(hapd);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif /* EAP_SIM_DB */
|
|
|
|
|
|
|
|
#ifdef RADIUS_SERVER
|
|
|
|
if (hapd->conf->radius_server_clients &&
|
|
|
|
hostapd_setup_radius_srv(hapd))
|
|
|
|
return -1;
|
|
|
|
#endif /* RADIUS_SERVER */
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void authsrv_deinit(struct hostapd_data *hapd)
|
|
|
|
{
|
|
|
|
#ifdef RADIUS_SERVER
|
|
|
|
radius_server_deinit(hapd->radius_srv);
|
|
|
|
hapd->radius_srv = NULL;
|
|
|
|
#endif /* RADIUS_SERVER */
|
|
|
|
|
|
|
|
#ifdef EAP_TLS_FUNCS
|
|
|
|
if (hapd->ssl_ctx) {
|
|
|
|
tls_deinit(hapd->ssl_ctx);
|
|
|
|
hapd->ssl_ctx = NULL;
|
|
|
|
}
|
|
|
|
#endif /* EAP_TLS_FUNCS */
|
|
|
|
|
|
|
|
#ifdef EAP_SIM_DB
|
|
|
|
if (hapd->eap_sim_db_priv) {
|
|
|
|
eap_sim_db_deinit(hapd->eap_sim_db_priv);
|
|
|
|
hapd->eap_sim_db_priv = NULL;
|
|
|
|
}
|
|
|
|
#endif /* EAP_SIM_DB */
|
|
|
|
}
|