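/*
 * Authentication server setup
 * Copyright (c) 2002-2009, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#include "utils/includes.h"

#include "utils/common.h"
#include "crypto/crypto.h"
#include "crypto/tls.h"
#include "eap_server/eap.h"
#include "eap_server/eap_sim_db.h"
#include "eapol_auth/eapol_auth_sm.h"
#include "radius/radius_server.h"
#include "hostapd.h"
#include "ap_config.h"
#include "sta_info.h"
#include "authsrv.h"


/* EAP-SIM and EAP-AKA share the same subscriber database interface. */
#if defined(EAP_SERVER_SIM) || defined(EAP_SERVER_AKA)
#define EAP_SIM_DB
#endif /* EAP_SERVER_SIM || EAP_SERVER_AKA */


#ifdef EAP_SIM_DB
/**
 * hostapd_sim_db_cb_sta - Per-station callback for a completed SIM DB query
 * @hapd: BSS data (passed by ap_for_each_sta(); not used here)
 * @sta: Station to check
 * @ctx: EAP-SIM DB session context of the completed query
 * Returns: 1 when eapol_auth_eap_pending_cb() reports that this station's
 * EAPOL state machine was waiting for @ctx (iteration can stop), 0 otherwise
 */
static int hostapd_sim_db_cb_sta(struct hostapd_data *hapd,
				 struct sta_info *sta, void *ctx)
{
	if (eapol_auth_eap_pending_cb(sta->eapol_sm, ctx) == 0)
		return 1;
	return 0;
}


/**
 * hostapd_sim_db_cb - EAP-SIM DB completion callback
 * @ctx: struct hostapd_data * registered with eap_sim_db_init()
 * @session_ctx: Session context of the EAP session whose DB query completed
 *
 * A completed query is first offered to the local IEEE 802.1X (EAPOL)
 * sessions. If no associated station claims it, the session is assumed to
 * belong to the integrated RADIUS server and is passed on there.
 */
static void hostapd_sim_db_cb(void *ctx, void *session_ctx)
{
	struct hostapd_data *hapd = ctx;

	if (ap_for_each_sta(hapd, hostapd_sim_db_cb_sta, session_ctx) == 0) {
#ifdef RADIUS_SERVER
		radius_server_eap_pending_cb(hapd->radius_srv, session_ctx);
#endif /* RADIUS_SERVER */
	}
}
#endif /* EAP_SIM_DB */


#ifdef RADIUS_SERVER

/**
 * hostapd_radius_get_eap_user - EAP user lookup for the integrated RADIUS server
 * @ctx: struct hostapd_data * (srv.conf_ctx set in hostapd_setup_radius_srv())
 * @identity: EAP identity (not NUL-terminated)
 * @identity_len: Length of @identity in bytes
 * @phase2: Passed through to hostapd_get_eap_user() to select the
 *	phase 1 or phase 2 (tunneled) user database entry
 * @user: Buffer to fill with a private copy of the user data, or %NULL to
 *	only check whether the user exists
 * Returns: 0 on success, -1 if the user is unknown or an allocation fails
 *
 * The password and salt are duplicated into @user; ownership of those copies
 * moves to the caller (presumably released via the EAP server's user free
 * routine, also on the -1 path where @user may be partially filled - confirm
 * against the caller). The configuration entry itself is not modified.
 */
static int hostapd_radius_get_eap_user(void *ctx, const u8 *identity,
				       size_t identity_len, int phase2,
				       struct eap_user *user)
{
	const struct hostapd_eap_user *eap_user;
	int i;
	int rv = -1;

	eap_user = hostapd_get_eap_user(ctx, identity, identity_len, phase2);
	if (eap_user == NULL)
		goto out;

	/* Existence check only - nothing to copy */
	if (user == NULL)
		return 0;

	os_memset(user, 0, sizeof(*user));
	for (i = 0; i < EAP_MAX_METHODS; i++) {
		user->methods[i].vendor = eap_user->methods[i].vendor;
		user->methods[i].method = eap_user->methods[i].method;
	}

	if (eap_user->password) {
		user->password = os_memdup(eap_user->password,
					   eap_user->password_len);
		if (user->password == NULL)
			goto out;
		user->password_len = eap_user->password_len;
		user->password_hash = eap_user->password_hash;
		/* Salt only accompanies a (hashed) password */
		if (eap_user->salt && eap_user->salt_len) {
			user->salt = os_memdup(eap_user->salt,
					       eap_user->salt_len);
			if (!user->salt)
				goto out;
			user->salt_len = eap_user->salt_len;
		}
	}
	user->force_version = eap_user->force_version;
	user->macacl = eap_user->macacl;
	user->ttls_auth = eap_user->ttls_auth;
	user->remediation = eap_user->remediation;
	user->accept_attr = eap_user->accept_attr;
	user->t_c_timestamp = eap_user->t_c_timestamp;
	rv = 0;

out:
	if (rv)
		wpa_printf(MSG_DEBUG, "%s: Failed to find user", __func__);

	return rv;
}


/**
 * hostapd_setup_radius_srv - Start the integrated RADIUS server for a BSS
 * @hapd: BSS data
 * Returns: 0 on success, -1 on failure
 *
 * For a non-first BSS of an MLD the RADIUS server instance of the first BSS
 * is shared instead of starting a new one; authsrv_deinit() only clears the
 * shared pointer in that case.
 */
static int hostapd_setup_radius_srv(struct hostapd_data *hapd)
{
	struct radius_server_conf srv;
	struct hostapd_bss_config *conf = hapd->conf;

#ifdef CONFIG_IEEE80211BE
	if (!hostapd_mld_is_first_bss(hapd)) {
		struct hostapd_data *first;

		wpa_printf(MSG_DEBUG,
			   "MLD: Using RADIUS server of the first BSS");

		first = hostapd_mld_get_first_bss(hapd);
		if (!first)
			return -1;
		hapd->radius_srv = first->radius_srv;
		return 0;
	}
#endif /* CONFIG_IEEE80211BE */

	/* srv is a stack temporary; radius_server_init() is presumably
	 * copying what it needs from it and must not keep a pointer to it */
	os_memset(&srv, 0, sizeof(srv));
	srv.client_file = conf->radius_server_clients;
	srv.auth_port = conf->radius_server_auth_port;
	srv.acct_port = conf->radius_server_acct_port;
	srv.conf_ctx = hapd;
	srv.ipv6 = conf->radius_server_ipv6;
	srv.get_eap_user = hostapd_radius_get_eap_user;
	srv.eap_req_id_text = conf->eap_req_id_text;
	srv.eap_req_id_text_len = conf->eap_req_id_text_len;
	srv.sqlite_file = conf->eap_user_sqlite;
#ifdef CONFIG_RADIUS_TEST
	srv.dump_msk_file = conf->dump_msk_file;
#endif /* CONFIG_RADIUS_TEST */
#ifdef CONFIG_HS20
	srv.subscr_remediation_url = conf->subscr_remediation_url;
	srv.subscr_remediation_method = conf->subscr_remediation_method;
	srv.hs20_sim_provisioning_url = conf->hs20_sim_provisioning_url;
	srv.t_c_server_url = conf->t_c_server_url;
#endif /* CONFIG_HS20 */
	srv.erp_domain = conf->erp_domain;
	/* Built earlier in authsrv_init(); the RADIUS server borrows it */
	srv.eap_cfg = hapd->eap_cfg;

	hapd->radius_srv = radius_server_init(&srv);
	if (hapd->radius_srv == NULL) {
		wpa_printf(MSG_ERROR, "RADIUS server initialization failed.");
		return -1;
	}

	return 0;
}

#endif /* RADIUS_SERVER */


#ifdef EAP_TLS_FUNCS
/**
 * authsrv_tls_event - Log TLS library events for the EAP server
 * @ctx: struct hostapd_data * (conf.cb_ctx from authsrv_init()); unused
 * @ev: Event type
 * @data: Event-specific payload
 *
 * Peer certificate and alert details are only logged; no policy decision is
 * made here - verification itself is configured through
 * tls_global_set_verify() in authsrv_init(). The switch intentionally has no
 * default case so that a new enum tls_event value triggers a compiler warning.
 */
static void authsrv_tls_event(void *ctx, enum tls_event ev,
			      union tls_event_data *data)
{
	switch (ev) {
	case TLS_CERT_CHAIN_SUCCESS:
		wpa_printf(MSG_DEBUG, "authsrv: remote certificate verification success");
		break;
	case TLS_CERT_CHAIN_FAILURE:
		wpa_printf(MSG_INFO, "authsrv: certificate chain failure: reason=%d depth=%d subject='%s' err='%s'",
			   data->cert_fail.reason,
			   data->cert_fail.depth,
			   data->cert_fail.subject,
			   data->cert_fail.reason_txt);
		break;
	case TLS_PEER_CERTIFICATE:
		wpa_printf(MSG_DEBUG, "authsrv: peer certificate: depth=%d serial_num=%s subject=%s",
			   data->peer_cert.depth,
			   data->peer_cert.serial_num ? data->peer_cert.serial_num : "N/A",
			   data->peer_cert.subject);
		break;
	case TLS_ALERT:
		if (data->alert.is_local)
			wpa_printf(MSG_DEBUG, "authsrv: local TLS alert: %s",
				   data->alert.description);
		else
			wpa_printf(MSG_DEBUG, "authsrv: remote TLS alert: %s",
				   data->alert.description);
		break;
	case TLS_UNSAFE_RENEGOTIATION_DISABLED:
		/* Not applicable to TLS server */
		break;
	}
}
#endif /* EAP_TLS_FUNCS */


/**
 * authsrv_eap_config - Build the EAP server configuration for a BSS
 * @hapd: BSS data; hapd->ssl_ctx, hapd->eap_sim_db_priv and
 *	hapd->imsi_privacy_key must already be set up as they are borrowed
 * Returns: Newly allocated configuration, or %NULL on allocation failure
 *
 * The returned structure is owned by the caller and released with
 * eap_server_config_free(). Handles taken from @hapd (TLS context, SIM DB,
 * IMSI privacy key, WPS) are borrowed and remain owned by authsrv_deinit().
 * Unlike the previous version, every duplicated string/key is checked and
 * a failure releases the partially built configuration instead of leaving
 * a %NULL pointer with a non-zero length (e.g., server_id) in the config.
 */
static struct eap_config * authsrv_eap_config(struct hostapd_data *hapd)
{
	struct hostapd_bss_config *conf = hapd->conf;
	struct eap_config *cfg;
	const char *server_id;

	cfg = os_zalloc(sizeof(*cfg));
	if (!cfg)
		return NULL;

	cfg->eap_server = conf->eap_server;
	cfg->ssl_ctx = hapd->ssl_ctx;
	cfg->msg_ctx = hapd->msg_ctx;
	cfg->eap_sim_db_priv = hapd->eap_sim_db_priv;
	cfg->tls_session_lifetime = conf->tls_session_lifetime;
	cfg->tls_flags = conf->tls_flags;
	cfg->max_auth_rounds = conf->max_auth_rounds;
	cfg->max_auth_rounds_short = conf->max_auth_rounds_short;

	/* EAP-FAST/TEAP PAC parameters */
	if (conf->pac_opaque_encr_key) {
		/* Fixed 16-byte key; the length is assumed to be enforced by
		 * the configuration parser - confirm there */
		cfg->pac_opaque_encr_key =
			os_memdup(conf->pac_opaque_encr_key, 16);
		if (!cfg->pac_opaque_encr_key)
			goto fail;
	}
	if (conf->eap_fast_a_id) {
		cfg->eap_fast_a_id = os_memdup(conf->eap_fast_a_id,
					       conf->eap_fast_a_id_len);
		if (!cfg->eap_fast_a_id)
			goto fail;
		cfg->eap_fast_a_id_len = conf->eap_fast_a_id_len;
	}
	if (conf->eap_fast_a_id_info) {
		cfg->eap_fast_a_id_info = os_strdup(conf->eap_fast_a_id_info);
		if (!cfg->eap_fast_a_id_info)
			goto fail;
	}
	cfg->eap_fast_prov = conf->eap_fast_prov;
	cfg->pac_key_lifetime = conf->pac_key_lifetime;
	cfg->pac_key_refresh_time = conf->pac_key_refresh_time;
	cfg->eap_teap_auth = conf->eap_teap_auth;
	cfg->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
	cfg->eap_teap_separate_result = conf->eap_teap_separate_result;
	cfg->eap_teap_id = conf->eap_teap_id;
	cfg->eap_teap_method_sequence = conf->eap_teap_method_sequence;

	/* EAP-SIM/AKA parameters */
	cfg->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
	cfg->eap_sim_id = conf->eap_sim_id;
	cfg->imsi_privacy_key = hapd->imsi_privacy_key;
	cfg->eap_sim_aka_fast_reauth_limit =
		conf->eap_sim_aka_fast_reauth_limit;

	cfg->tnc = conf->tnc;
	cfg->wps = hapd->wps;
	cfg->fragment_size = conf->fragment_size;
	cfg->pwd_group = conf->pwd_group;
	cfg->pbc_in_m1 = conf->pbc_in_m1;

	/* Server identity used by EAP methods; defaults to "hostapd" */
	server_id = conf->server_id ? conf->server_id : "hostapd";
	cfg->server_id = (u8 *) os_strdup(server_id);
	if (!cfg->server_id)
		goto fail;
	cfg->server_id_len = os_strlen(server_id);

	cfg->erp = conf->eap_server_erp;
#ifdef CONFIG_TESTING_OPTIONS
	cfg->skip_prot_success = conf->eap_skip_prot_success;
#endif /* CONFIG_TESTING_OPTIONS */

	return cfg;

fail:
	wpa_printf(MSG_ERROR,
		   "authsrv: Failed to allocate EAP server configuration");
	eap_server_config_free(cfg);
	return NULL;
}


/**
 * authsrv_init - Initialize the authentication server components of a BSS
 * @hapd: BSS data
 * Returns: 0 on success, -1 on failure
 *
 * Sets up, in order: the TLS context (if the EAP server is enabled and any
 * certificate/key material is configured), the IMSI privacy RSA key, the
 * EAP-SIM/AKA database connection, the EAP server configuration and finally
 * the integrated RADIUS server. On any failure the components created so far
 * are torn down via authsrv_deinit().
 *
 * For a non-first BSS of an MLD nothing is created; the handles of the first
 * BSS are shared (initializing the first BSS on demand, which cannot recurse
 * further because that BSS is the first one).
 */
int authsrv_init(struct hostapd_data *hapd)
{
#ifdef CONFIG_IEEE80211BE
	if (!hostapd_mld_is_first_bss(hapd)) {
		struct hostapd_data *first;

		first = hostapd_mld_get_first_bss(hapd);
		if (!first)
			return -1;

		if (!first->eap_cfg) {
			wpa_printf(MSG_DEBUG,
				   "MLD: First BSS auth_serv does not exist. Init on its behalf");

			if (authsrv_init(first))
				return -1;
		}

		wpa_printf(MSG_DEBUG, "MLD: Using auth_serv of the first BSS");

#ifdef EAP_TLS_FUNCS
		hapd->ssl_ctx = first->ssl_ctx;
#endif /* EAP_TLS_FUNCS */
		hapd->eap_cfg = first->eap_cfg;
#ifdef EAP_SIM_DB
		hapd->eap_sim_db_priv = first->eap_sim_db_priv;
#endif /* EAP_SIM_DB */
		return 0;
	}
#endif /* CONFIG_IEEE80211BE */

#ifdef EAP_TLS_FUNCS
	if (hapd->conf->eap_server &&
	    (hapd->conf->ca_cert || hapd->conf->server_cert ||
	     hapd->conf->private_key || hapd->conf->dh_file ||
	     hapd->conf->server_cert2 || hapd->conf->private_key2)) {
		struct tls_config conf;
		struct tls_connection_params params;

		os_memset(&conf, 0, sizeof(conf));
		conf.tls_session_lifetime = hapd->conf->tls_session_lifetime;
		/* Periodic CRL reload is meaningless unless CRL checking is
		 * enabled, so refuse to silently configure it */
		if (hapd->conf->crl_reload_interval > 0 &&
		    hapd->conf->check_crl <= 0) {
			wpa_printf(MSG_INFO,
				   "Cannot enable CRL reload functionality - it depends on check_crl being set");
		} else if (hapd->conf->crl_reload_interval > 0) {
			conf.crl_reload_interval =
				hapd->conf->crl_reload_interval;
			wpa_printf(MSG_INFO,
				   "Enabled CRL reload functionality");
		}
		conf.tls_flags = hapd->conf->tls_flags;
		conf.event_cb = authsrv_tls_event;
		conf.cb_ctx = hapd;
		hapd->ssl_ctx = tls_init(&conf);
		if (hapd->ssl_ctx == NULL) {
			wpa_printf(MSG_ERROR, "Failed to initialize TLS");
			authsrv_deinit(hapd);
			return -1;
		}

		/* The server side of EAP-TLS reuses the "client" slots of
		 * tls_connection_params for its own certificate and key */
		os_memset(&params, 0, sizeof(params));
		params.ca_cert = hapd->conf->ca_cert;
		params.client_cert = hapd->conf->server_cert;
		params.client_cert2 = hapd->conf->server_cert2;
		params.private_key = hapd->conf->private_key;
		params.private_key2 = hapd->conf->private_key2;
		params.private_key_passwd = hapd->conf->private_key_passwd;
		params.private_key_passwd2 = hapd->conf->private_key_passwd2;
		params.dh_file = hapd->conf->dh_file;
		params.openssl_ciphers = hapd->conf->openssl_ciphers;
		params.openssl_ecdh_curves = hapd->conf->openssl_ecdh_curves;
		params.ocsp_stapling_response =
			hapd->conf->ocsp_stapling_response;
		params.ocsp_stapling_response_multi =
			hapd->conf->ocsp_stapling_response_multi;
		params.check_cert_subject = hapd->conf->check_cert_subject;

		if (tls_global_set_params(hapd->ssl_ctx, &params)) {
			wpa_printf(MSG_ERROR, "Failed to set TLS parameters");
			authsrv_deinit(hapd);
			return -1;
		}

		/* Peer (client) certificate revocation policy */
		if (tls_global_set_verify(hapd->ssl_ctx,
					  hapd->conf->check_crl,
					  hapd->conf->check_crl_strict)) {
			wpa_printf(MSG_ERROR, "Failed to enable check_crl");
			authsrv_deinit(hapd);
			return -1;
		}
	}
#endif /* EAP_TLS_FUNCS */

#ifdef CRYPTO_RSA_OAEP_SHA256
	/* Replace any previously loaded key so a re-init never leaks it */
	crypto_rsa_key_free(hapd->imsi_privacy_key);
	hapd->imsi_privacy_key = NULL;
	if (hapd->conf->imsi_privacy_key) {
		hapd->imsi_privacy_key = crypto_rsa_key_read(
			hapd->conf->imsi_privacy_key, true);
		if (!hapd->imsi_privacy_key) {
			wpa_printf(MSG_ERROR,
				   "Failed to read/parse IMSI privacy key %s",
				   hapd->conf->imsi_privacy_key);
			authsrv_deinit(hapd);
			return -1;
		}
	}
#endif /* CRYPTO_RSA_OAEP_SHA256 */

#ifdef EAP_SIM_DB
	if (hapd->conf->eap_sim_db) {
		hapd->eap_sim_db_priv =
			eap_sim_db_init(hapd->conf->eap_sim_db,
					hapd->conf->eap_sim_db_timeout,
					hostapd_sim_db_cb, hapd);
		if (hapd->eap_sim_db_priv == NULL) {
			wpa_printf(MSG_ERROR, "Failed to initialize EAP-SIM "
				   "database interface");
			authsrv_deinit(hapd);
			return -1;
		}
	}
#endif /* EAP_SIM_DB */

	/* Must come after the TLS, IMSI key and SIM DB setup: the EAP
	 * configuration borrows those handles */
	hapd->eap_cfg = authsrv_eap_config(hapd);
	if (!hapd->eap_cfg) {
		wpa_printf(MSG_ERROR,
			   "Failed to build EAP server configuration");
		authsrv_deinit(hapd);
		return -1;
	}

#ifdef RADIUS_SERVER
	/* The RADIUS server is only started when a clients file is configured;
	 * hostapd_setup_radius_srv() logs its own failure */
	if (hapd->conf->radius_server_clients &&
	    hostapd_setup_radius_srv(hapd))
		return -1;
#endif /* RADIUS_SERVER */

	return 0;
}


/**
 * authsrv_deinit - Release the authentication server components of a BSS
 * @hapd: BSS data
 *
 * Safe to call on a partially initialized BSS (used as the error path of
 * authsrv_init()). A non-first MLD BSS only drops its references to the
 * shared handles, which remain owned by the first BSS. The EAP configuration
 * is freed last because it borrows the TLS, SIM DB and IMSI key handles.
 */
void authsrv_deinit(struct hostapd_data *hapd)
{
#ifdef CONFIG_IEEE80211BE
	if (!hostapd_mld_is_first_bss(hapd)) {
		wpa_printf(MSG_DEBUG,
			   "MLD: Deinit auth_serv of a non-first BSS");

		hapd->radius_srv = NULL;
		hapd->eap_cfg = NULL;
#ifdef EAP_SIM_DB
		hapd->eap_sim_db_priv = NULL;
#endif /* EAP_SIM_DB */
#ifdef EAP_TLS_FUNCS
		hapd->ssl_ctx = NULL;
#endif /* EAP_TLS_FUNCS */
		return;
	}
#endif /* CONFIG_IEEE80211BE */

#ifdef RADIUS_SERVER
	radius_server_deinit(hapd->radius_srv);
	hapd->radius_srv = NULL;
#endif /* RADIUS_SERVER */

#ifdef CRYPTO_RSA_OAEP_SHA256
	crypto_rsa_key_free(hapd->imsi_privacy_key);
	hapd->imsi_privacy_key = NULL;
#endif /* CRYPTO_RSA_OAEP_SHA256 */

#ifdef EAP_TLS_FUNCS
	if (hapd->ssl_ctx) {
		tls_deinit(hapd->ssl_ctx);
		hapd->ssl_ctx = NULL;
	}
#endif /* EAP_TLS_FUNCS */

#ifdef EAP_SIM_DB
	if (hapd->eap_sim_db_priv) {
		eap_sim_db_deinit(hapd->eap_sim_db_priv);
		hapd->eap_sim_db_priv = NULL;
	}
#endif /* EAP_SIM_DB */

	eap_server_config_free(hapd->eap_cfg);
	hapd->eap_cfg = NULL;
}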