diff --git a/src/ap/authsrv.c b/src/ap/authsrv.c index 1fd1e382b..110c0caff 100644 --- a/src/ap/authsrv.c +++ b/src/ap/authsrv.c @@ -110,30 +110,10 @@ static int hostapd_setup_radius_srv(struct hostapd_data *hapd) srv.auth_port = conf->radius_server_auth_port; srv.acct_port = conf->radius_server_acct_port; srv.conf_ctx = hapd; - srv.eap_sim_db_priv = hapd->eap_sim_db_priv; - srv.ssl_ctx = hapd->ssl_ctx; - srv.msg_ctx = hapd->msg_ctx; - srv.pac_opaque_encr_key = conf->pac_opaque_encr_key; - srv.eap_fast_a_id = conf->eap_fast_a_id; - srv.eap_fast_a_id_len = conf->eap_fast_a_id_len; - srv.eap_fast_a_id_info = conf->eap_fast_a_id_info; - srv.eap_fast_prov = conf->eap_fast_prov; - srv.pac_key_lifetime = conf->pac_key_lifetime; - srv.pac_key_refresh_time = conf->pac_key_refresh_time; - srv.eap_teap_auth = conf->eap_teap_auth; - srv.eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner; - srv.eap_teap_separate_result = conf->eap_teap_separate_result; - srv.eap_teap_id = conf->eap_teap_id; - srv.eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind; - srv.eap_sim_id = conf->eap_sim_id; - srv.tnc = conf->tnc; - srv.wps = hapd->wps; srv.ipv6 = conf->radius_server_ipv6; srv.get_eap_user = hostapd_radius_get_eap_user; srv.eap_req_id_text = conf->eap_req_id_text; srv.eap_req_id_text_len = conf->eap_req_id_text_len; - srv.pwd_group = conf->pwd_group; - srv.server_id = conf->server_id ? conf->server_id : "hostapd"; srv.sqlite_file = conf->eap_user_sqlite; #ifdef CONFIG_RADIUS_TEST srv.dump_msk_file = conf->dump_msk_file; @@ -144,10 +124,8 @@ static int hostapd_setup_radius_srv(struct hostapd_data *hapd) srv.hs20_sim_provisioning_url = conf->hs20_sim_provisioning_url; srv.t_c_server_url = conf->t_c_server_url; #endif /* CONFIG_HS20 */ - srv.erp = conf->eap_server_erp; srv.erp_domain = conf->erp_domain; - srv.tls_session_lifetime = conf->tls_session_lifetime; - srv.tls_flags = conf->tls_flags; + srv.eap_cfg = hapd->eap_cfg; hapd->radius_srv = radius_server_init(&srv); if (hapd->radius_srv == NULL) { @@ -195,6 +173,58 @@ static void authsrv_tls_event(void *ctx, enum tls_event ev, #endif /* EAP_TLS_FUNCS */ +static struct eap_config * authsrv_eap_config(struct hostapd_data *hapd) +{ + struct eap_config *cfg; + + cfg = os_zalloc(sizeof(*cfg)); + if (!cfg) + return NULL; + + cfg->eap_server = hapd->conf->eap_server; + cfg->ssl_ctx = hapd->ssl_ctx; + cfg->msg_ctx = hapd->msg_ctx; + cfg->eap_sim_db_priv = hapd->eap_sim_db_priv; + cfg->tls_session_lifetime = hapd->conf->tls_session_lifetime; + cfg->tls_flags = hapd->conf->tls_flags; + if (hapd->conf->pac_opaque_encr_key) + cfg->pac_opaque_encr_key = + os_memdup(hapd->conf->pac_opaque_encr_key, 16); + if (hapd->conf->eap_fast_a_id) { + cfg->eap_fast_a_id = os_memdup(hapd->conf->eap_fast_a_id, + hapd->conf->eap_fast_a_id_len); + cfg->eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len; + } + if (hapd->conf->eap_fast_a_id_info) + cfg->eap_fast_a_id_info = + os_strdup(hapd->conf->eap_fast_a_id_info); + cfg->eap_fast_prov = hapd->conf->eap_fast_prov; + cfg->pac_key_lifetime = hapd->conf->pac_key_lifetime; + cfg->pac_key_refresh_time = hapd->conf->pac_key_refresh_time; + cfg->eap_teap_auth = hapd->conf->eap_teap_auth; + cfg->eap_teap_pac_no_inner = hapd->conf->eap_teap_pac_no_inner; + cfg->eap_teap_separate_result = hapd->conf->eap_teap_separate_result; + cfg->eap_teap_id = hapd->conf->eap_teap_id; + cfg->eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; + cfg->eap_sim_id = hapd->conf->eap_sim_id; + cfg->tnc = hapd->conf->tnc; + cfg->wps = hapd->wps; + cfg->fragment_size = hapd->conf->fragment_size; + cfg->pwd_group = hapd->conf->pwd_group; + cfg->pbc_in_m1 = hapd->conf->pbc_in_m1; + if (hapd->conf->server_id) { + cfg->server_id = (u8 *) os_strdup(hapd->conf->server_id); + cfg->server_id_len = os_strlen(hapd->conf->server_id); + } else { + cfg->server_id = (u8 *) os_strdup("hostapd"); + cfg->server_id_len = 7; + } + cfg->erp = hapd->conf->eap_server_erp; + + return cfg; +} + + int authsrv_init(struct hostapd_data *hapd) { #ifdef EAP_TLS_FUNCS @@ -275,6 +305,14 @@ int authsrv_init(struct hostapd_data *hapd) } #endif /* EAP_SIM_DB */ + hapd->eap_cfg = authsrv_eap_config(hapd); + if (!hapd->eap_cfg) { + wpa_printf(MSG_ERROR, + "Failed to build EAP server configuration"); + authsrv_deinit(hapd); + return -1; + } + #ifdef RADIUS_SERVER if (hapd->conf->radius_server_clients && hostapd_setup_radius_srv(hapd)) @@ -305,4 +343,7 @@ void authsrv_deinit(struct hostapd_data *hapd) hapd->eap_sim_db_priv = NULL; } #endif /* EAP_SIM_DB */ + + eap_server_config_free(hapd->eap_cfg); + hapd->eap_cfg = NULL; } diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c index 57ec4fdf0..317febd4b 100644 --- a/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c @@ -2403,58 +2403,6 @@ static int ieee802_1x_erp_add_key(void *ctx, struct eap_server_erp_key *erp) #endif /* CONFIG_ERP */ -static struct eap_config * ieee802_1x_eap_config(struct hostapd_data *hapd) -{ - struct eap_config *cfg; - - cfg = os_zalloc(sizeof(*cfg)); - if (!cfg) - return NULL; - - cfg->eap_server = hapd->conf->eap_server; - cfg->ssl_ctx = hapd->ssl_ctx; - cfg->msg_ctx = hapd->msg_ctx; - cfg->eap_sim_db_priv = hapd->eap_sim_db_priv; - cfg->tls_session_lifetime = hapd->conf->tls_session_lifetime; - cfg->tls_flags = hapd->conf->tls_flags; - if (hapd->conf->pac_opaque_encr_key) - cfg->pac_opaque_encr_key = - os_memdup(hapd->conf->pac_opaque_encr_key, 16); - if (hapd->conf->eap_fast_a_id) { - cfg->eap_fast_a_id = os_memdup(hapd->conf->eap_fast_a_id, - hapd->conf->eap_fast_a_id_len); - cfg->eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len; - } - if (hapd->conf->eap_fast_a_id_info) - cfg->eap_fast_a_id_info = - os_strdup(hapd->conf->eap_fast_a_id_info); - cfg->eap_fast_prov = hapd->conf->eap_fast_prov; - cfg->pac_key_lifetime = hapd->conf->pac_key_lifetime; - cfg->pac_key_refresh_time = hapd->conf->pac_key_refresh_time; - cfg->eap_teap_auth = hapd->conf->eap_teap_auth; - cfg->eap_teap_pac_no_inner = hapd->conf->eap_teap_pac_no_inner; - cfg->eap_teap_separate_result = hapd->conf->eap_teap_separate_result; - cfg->eap_teap_id = hapd->conf->eap_teap_id; - cfg->eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind; - cfg->eap_sim_id = hapd->conf->eap_sim_id; - cfg->tnc = hapd->conf->tnc; - cfg->wps = hapd->wps; - cfg->fragment_size = hapd->conf->fragment_size; - cfg->pwd_group = hapd->conf->pwd_group; - cfg->pbc_in_m1 = hapd->conf->pbc_in_m1; - if (hapd->conf->server_id) { - cfg->server_id = (u8 *) os_strdup(hapd->conf->server_id); - cfg->server_id_len = os_strlen(hapd->conf->server_id); - } else { - cfg->server_id = (u8 *) os_strdup("hostapd"); - cfg->server_id_len = 7; - } - cfg->erp = hapd->conf->eap_server_erp; - - return cfg; -} - - int ieee802_1x_init(struct hostapd_data *hapd) { int i; @@ -2463,9 +2411,6 @@ int ieee802_1x_init(struct hostapd_data *hapd) dl_list_init(&hapd->erp_keys); - hapd->eap_cfg = ieee802_1x_eap_config(hapd); - if (!hapd->eap_cfg) - return -1; os_memset(&conf, 0, sizeof(conf)); conf.eap_cfg = hapd->eap_cfg; conf.ctx = hapd; @@ -2546,9 +2491,6 @@ void ieee802_1x_deinit(struct hostapd_data *hapd) eapol_auth_deinit(hapd->eapol_auth); hapd->eapol_auth = NULL; - eap_server_config_free(hapd->eap_cfg); - hapd->eap_cfg = NULL; - ieee802_1x_erp_flush(hapd); } diff --git a/src/radius/radius_server.c b/src/radius/radius_server.c index 067147b7b..c909f43a4 100644 --- a/src/radius/radius_server.c +++ b/src/radius/radius_server.c @@ -230,7 +230,7 @@ struct radius_server_data { sqlite3 *db; #endif /* CONFIG_SQLITE */ - struct eap_config *eap_cfg; + const struct eap_config *eap_cfg; }; @@ -2189,7 +2189,6 @@ struct radius_server_data * radius_server_init(struct radius_server_conf *conf) { struct radius_server_data *data; - struct eap_config *eap_cfg; #ifndef CONFIG_IPV6 if (conf->ipv6) { @@ -2202,57 +2201,16 @@ radius_server_init(struct radius_server_conf *conf) if (data == NULL) return NULL; - eap_cfg = data->eap_cfg = os_zalloc(sizeof(*eap_cfg)); - if (!eap_cfg) { - os_free(data); - return NULL; - } + data->eap_cfg = conf->eap_cfg; data->auth_sock = -1; data->acct_sock = -1; dl_list_init(&data->erp_keys); os_get_reltime(&data->start_time); data->conf_ctx = conf->conf_ctx; - eap_cfg->backend_auth = TRUE; - eap_cfg->eap_server = 1; - eap_cfg->eap_sim_db_priv = conf->eap_sim_db_priv; - eap_cfg->ssl_ctx = conf->ssl_ctx; - eap_cfg->msg_ctx = conf->msg_ctx; + conf->eap_cfg->backend_auth = TRUE; + conf->eap_cfg->eap_server = 1; data->ipv6 = conf->ipv6; - if (conf->pac_opaque_encr_key) { - eap_cfg->pac_opaque_encr_key = os_malloc(16); - if (eap_cfg->pac_opaque_encr_key) { - os_memcpy(eap_cfg->pac_opaque_encr_key, - conf->pac_opaque_encr_key, 16); - } - } - if (conf->eap_fast_a_id) { - eap_cfg->eap_fast_a_id = os_malloc(conf->eap_fast_a_id_len); - if (eap_cfg->eap_fast_a_id) { - os_memcpy(eap_cfg->eap_fast_a_id, conf->eap_fast_a_id, - conf->eap_fast_a_id_len); - eap_cfg->eap_fast_a_id_len = conf->eap_fast_a_id_len; - } - } - if (conf->eap_fast_a_id_info) - eap_cfg->eap_fast_a_id_info = - os_strdup(conf->eap_fast_a_id_info); - eap_cfg->eap_fast_prov = conf->eap_fast_prov; - eap_cfg->pac_key_lifetime = conf->pac_key_lifetime; - eap_cfg->pac_key_refresh_time = conf->pac_key_refresh_time; - eap_cfg->eap_teap_auth = conf->eap_teap_auth; - eap_cfg->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner; - eap_cfg->eap_teap_separate_result = conf->eap_teap_separate_result; - eap_cfg->eap_teap_id = conf->eap_teap_id; data->get_eap_user = conf->get_eap_user; - eap_cfg->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind; - eap_cfg->eap_sim_id = conf->eap_sim_id; - eap_cfg->tnc = conf->tnc; - eap_cfg->wps = conf->wps; - eap_cfg->pwd_group = conf->pwd_group; - if (conf->server_id) { - eap_cfg->server_id = (u8 *) os_strdup(conf->server_id); - eap_cfg->server_id_len = os_strlen(conf->server_id); - } if (conf->eap_req_id_text) { data->eap_req_id_text = os_malloc(conf->eap_req_id_text_len); if (data->eap_req_id_text) { @@ -2261,10 +2219,7 @@ radius_server_init(struct radius_server_conf *conf) data->eap_req_id_text_len = conf->eap_req_id_text_len; } } - eap_cfg->erp = conf->erp; data->erp_domain = conf->erp_domain; - eap_cfg->tls_session_lifetime = conf->tls_session_lifetime; - eap_cfg->tls_flags = conf->tls_flags; if (conf->subscr_remediation_url) { data->subscr_remediation_url = @@ -2400,7 +2355,6 @@ void radius_server_deinit(struct radius_server_data *data) #endif /* CONFIG_SQLITE */ radius_server_erp_flush(data); - eap_server_config_free(data->eap_cfg); os_free(data); } diff --git a/src/radius/radius_server.h b/src/radius/radius_server.h index 580a653ef..43192e585 100644 --- a/src/radius/radius_server.h +++ b/src/radius/radius_server.h @@ -51,145 +51,8 @@ struct radius_server_conf { */ void *conf_ctx; - /** - * eap_sim_db_priv - EAP-SIM/AKA database context - * - * This is passed to the EAP-SIM/AKA server implementation as a - * callback context. - */ - void *eap_sim_db_priv; - - /** - * ssl_ctx - TLS context - * - * This is passed to the EAP server implementation as a callback - * context for TLS operations. - */ - void *ssl_ctx; - - /** - * pac_opaque_encr_key - PAC-Opaque encryption key for EAP-FAST - * - * This parameter is used to set a key for EAP-FAST to encrypt the - * PAC-Opaque data. It can be set to %NULL if EAP-FAST is not used. If - * set, must point to a 16-octet key. - */ - u8 *pac_opaque_encr_key; - - /** - * eap_fast_a_id - EAP-FAST authority identity (A-ID) - * - * If EAP-FAST is not used, this can be set to %NULL. In theory, this - * is a variable length field, but due to some existing implementations - * requiring A-ID to be 16 octets in length, it is recommended to use - * that length for the field to provide interoperability with deployed - * peer implementations. - */ - u8 *eap_fast_a_id; - - /** - * eap_fast_a_id_len - Length of eap_fast_a_id buffer in octets - */ - size_t eap_fast_a_id_len; - - /** - * eap_fast_a_id_info - EAP-FAST authority identifier information - * - * This A-ID-Info contains a user-friendly name for the A-ID. For - * example, this could be the enterprise and server names in - * human-readable format. This field is encoded as UTF-8. If EAP-FAST - * is not used, this can be set to %NULL. - */ - char *eap_fast_a_id_info; - - /** - * eap_fast_prov - EAP-FAST provisioning modes - * - * 0 = provisioning disabled, 1 = only anonymous provisioning allowed, - * 2 = only authenticated provisioning allowed, 3 = both provisioning - * modes allowed. - */ - int eap_fast_prov; - - /** - * pac_key_lifetime - EAP-FAST PAC-Key lifetime in seconds - * - * This is the hard limit on how long a provisioned PAC-Key can be - * used. - */ - int pac_key_lifetime; - - /** - * pac_key_refresh_time - EAP-FAST PAC-Key refresh time in seconds - * - * This is a soft limit on the PAC-Key. The server will automatically - * generate a new PAC-Key when this number of seconds (or fewer) of the - * lifetime remains. - */ - int pac_key_refresh_time; - - int eap_teap_auth; - int eap_teap_pac_no_inner; - int eap_teap_separate_result; - int eap_teap_id; - - /** - * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication - * - * This controls whether the protected success/failure indication - * (AT_RESULT_IND) is used with EAP-SIM and EAP-AKA. - */ - int eap_sim_aka_result_ind; - - int eap_sim_id; - - /** - * tnc - Trusted Network Connect (TNC) - * - * This controls whether TNC is enabled and will be required before the - * peer is allowed to connect. Note: This is only used with EAP-TTLS - * and EAP-FAST. If any other EAP method is enabled, the peer will be - * allowed to connect without TNC. - */ - int tnc; - - /** - * pwd_group - EAP-pwd D-H group - * - * This is used to select which D-H group to use with EAP-pwd. - */ - u16 pwd_group; - - /** - * server_id - Server identity - */ - const char *server_id; - - /** - * erp - Whether EAP Re-authentication Protocol (ERP) is enabled - * - * This controls whether the authentication server derives ERP key - * hierarchy (rRK and rIK) from full EAP authentication and allows - * these keys to be used to perform ERP to derive rMSK instead of full - * EAP authentication to derive MSK. - */ - int erp; - const char *erp_domain; - unsigned int tls_session_lifetime; - - unsigned int tls_flags; - - /** - * wps - Wi-Fi Protected Setup context - * - * If WPS is used with an external RADIUS server (which is quite - * unlikely configuration), this is used to provide a pointer to WPS - * context data. Normally, this can be set to %NULL. - */ - struct wps_context *wps; - /** * ipv6 - Whether to enable IPv6 support in the RADIUS server */ @@ -229,11 +92,6 @@ struct radius_server_conf { */ size_t eap_req_id_text_len; - /* - * msg_ctx - Context data for wpa_msg() calls - */ - void *msg_ctx; - #ifdef CONFIG_RADIUS_TEST const char *dump_msk_file; #endif /* CONFIG_RADIUS_TEST */ @@ -243,6 +101,8 @@ struct radius_server_conf { char *hs20_sim_provisioning_url; char *t_c_server_url; + + struct eap_config *eap_cfg; };