/*
 * RADIUS authentication server
 * Copyright (c) 2005-2009, 2011, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#ifndef RADIUS_SERVER_H
#define RADIUS_SERVER_H

/*
 * Opaque handles: the server state is defined in the implementation file and
 * the EAP user record in the EAP server headers. Callers of this API only
 * ever hold pointers to them.
 */
struct radius_server_data;
struct eap_user;

/**
 * struct radius_server_conf - RADIUS server configuration
 *
 * Filled in by the caller and passed to radius_server_init(). The pointer
 * members are not documented here as being copied; assume the caller must
 * keep them valid for the lifetime of the server unless the implementation
 * says otherwise (confirm against radius_server.c).
 */
struct radius_server_conf {
	/**
	 * auth_port - UDP port to listen to as an authentication server
	 */
	int auth_port;

	/**
	 * client_file - RADIUS client configuration file
	 *
	 * This file contains the RADIUS clients and the shared secret to be
	 * used with them in a format where each client is on its own line. The
	 * first item on the line is the IPv4 or IPv6 address of the client
	 * with an optional address mask to allow full network to be specified
	 * (e.g., 192.168.1.2 or 192.168.1.0/24). This is followed by white
	 * space (space or tabulator) and the shared secret. Lines starting
	 * with '#' are skipped and can be used as comments.
	 *
	 * Because this file holds the shared secrets, it should be readable
	 * only by the user running the server. A network mask grants every
	 * host in that network the same secret, so keep masks as narrow as
	 * the deployment allows.
	 */
	char *client_file;

	/**
	 * conf_ctx - Context pointer for callbacks
	 *
	 * This is used as the ctx argument in get_eap_user() calls.
	 */
	void *conf_ctx;

	/**
	 * eap_sim_db_priv - EAP-SIM/AKA database context
	 *
	 * This is passed to the EAP-SIM/AKA server implementation as a
	 * callback context.
	 */
	void *eap_sim_db_priv;

	/**
	 * ssl_ctx - TLS context
	 *
	 * This is passed to the EAP server implementation as a callback
	 * context for TLS operations.
	 */
	void *ssl_ctx;

	/**
	 * pac_opaque_encr_key - PAC-Opaque encryption key for EAP-FAST
	 *
	 * This parameter is used to set a key for EAP-FAST to encrypt the
	 * PAC-Opaque data. It can be set to %NULL if EAP-FAST is not used. If
	 * set, must point to a 16-octet key. The key should be generated from
	 * a cryptographically strong random source and kept secret; anyone
	 * holding it can decrypt the PAC-Opaque contents issued to peers.
	 */
	u8 *pac_opaque_encr_key;

	/**
	 * eap_fast_a_id - EAP-FAST authority identity (A-ID)
	 *
	 * If EAP-FAST is not used, this can be set to %NULL. In theory, this
	 * is a variable length field, but due to some existing implementations
	 * requiring A-ID to be 16 octets in length, it is recommended to use
	 * that length for the field to provide interoperability with deployed
	 * peer implementations.
	 */
	u8 *eap_fast_a_id;

	/**
	 * eap_fast_a_id_len - Length of eap_fast_a_id buffer in octets
	 */
	size_t eap_fast_a_id_len;

	/**
	 * eap_fast_a_id_info - EAP-FAST authority identifier information
	 *
	 * This A-ID-Info contains a user-friendly name for the A-ID. For
	 * example, this could be the enterprise and server names in
	 * human-readable format. This field is encoded as UTF-8. If EAP-FAST
	 * is not used, this can be set to %NULL.
	 */
	char *eap_fast_a_id_info;

	/**
	 * eap_fast_prov - EAP-FAST provisioning modes
	 *
	 * 0 = provisioning disabled, 1 = only anonymous provisioning allowed,
	 * 2 = only authenticated provisioning allowed, 3 = both provisioning
	 * modes allowed.
	 *
	 * NOTE(review): anonymous provisioning (modes 1 and 3) does not
	 * authenticate the server to the peer during provisioning, so it
	 * should be enabled only where that exposure has been accepted.
	 */
	int eap_fast_prov;

	/**
	 * pac_key_lifetime - EAP-FAST PAC-Key lifetime in seconds
	 *
	 * This is the hard limit on how long a provisioned PAC-Key can be
	 * used.
	 */
	int pac_key_lifetime;

	/**
	 * pac_key_refresh_time - EAP-FAST PAC-Key refresh time in seconds
	 *
	 * This is a soft limit on the PAC-Key. The server will automatically
	 * generate a new PAC-Key when this number of seconds (or fewer) of the
	 * lifetime remains. It should therefore be smaller than
	 * pac_key_lifetime.
	 */
	int pac_key_refresh_time;

	/**
	 * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication
	 *
	 * This controls whether the protected success/failure indication
	 * (AT_RESULT_IND) is used with EAP-SIM and EAP-AKA.
	 */
	int eap_sim_aka_result_ind;

	/**
	 * tnc - Trusted Network Connect (TNC)
	 *
	 * This controls whether TNC is enabled and will be required before the
	 * peer is allowed to connect. Note: This is only used with EAP-TTLS
	 * and EAP-FAST. If any other EAP method is enabled, the peer will be
	 * allowed to connect without TNC. In other words, enabling TNC only
	 * enforces a posture check if the set of enabled EAP methods is
	 * restricted to those two.
	 */
	int tnc;

	/**
	 * pwd_group - EAP-pwd D-H group
	 *
	 * This is used to select which D-H group to use with EAP-pwd.
	 */
	u16 pwd_group;

	/**
	 * wps - Wi-Fi Protected Setup context
	 *
	 * If WPS is used with an external RADIUS server (which is quite
	 * unlikely configuration), this is used to provide a pointer to WPS
	 * context data. Normally, this can be set to %NULL.
	 */
	struct wps_context *wps;

	/**
	 * ipv6 - Whether to enable IPv6 support in the RADIUS server
	 */
	int ipv6;

	/**
	 * get_eap_user - Callback for fetching EAP user information
	 * @ctx: Context data from conf_ctx
	 * @identity: User identity
	 * @identity_len: identity buffer length in octets
	 * @phase2: Whether this is for Phase 2 identity
	 * @user: Data structure for filling in the user information
	 * Returns: 0 on success, -1 on failure
	 *
	 * This is used to fetch information from user database. The callback
	 * will fill in information about allowed EAP methods and the user
	 * password. The password field will be an allocated copy of the
	 * password data and RADIUS server will free it after use.
	 *
	 * @identity is a peer-supplied, length-delimited buffer that is not
	 * guaranteed to be nul-terminated; implementations must bound every
	 * access by @identity_len.
	 */
	int (*get_eap_user)(void *ctx, const u8 *identity, size_t identity_len,
			    int phase2, struct eap_user *user);

	/**
	 * eap_req_id_text - Optional data for EAP-Request/Identity
	 *
	 * This can be used to configure an optional, displayable message that
	 * will be sent in EAP-Request/Identity. This string can contain an
	 * ASCII-0 character (nul) to separate network information per RFC
	 * 4284. The actual string length is explicitly provided in
	 * eap_req_id_text_len since nul character will not be used as a string
	 * terminator.
	 */
	const char *eap_req_id_text;

	/**
	 * eap_req_id_text_len - Length of eap_req_id_text buffer in octets
	 */
	size_t eap_req_id_text_len;

	/**
	 * msg_ctx - Context data for wpa_msg() calls
	 */
	void *msg_ctx;

#ifdef CONFIG_RADIUS_TEST
	/**
	 * dump_msk_file - Test-only file for dumping the MSK
	 *
	 * NOTE(review): only compiled in with CONFIG_RADIUS_TEST. Judging by
	 * the name this is a path to which the negotiated MSK is written for
	 * test purposes (confirm against radius_server.c); since that is key
	 * material, this option must never be present in production builds.
	 */
	const char *dump_msk_file;
#endif /* CONFIG_RADIUS_TEST */
};


/**
 * radius_server_init - Initialize the RADIUS authentication server
 * @conf: Server configuration (see struct radius_server_conf)
 * Returns: Server data handle for the other radius_server_*() calls; the
 * failure value is not visible in this header - presumably %NULL, confirm
 * against radius_server.c
 */
struct radius_server_data *
radius_server_init(struct radius_server_conf *conf);

/**
 * radius_server_deinit - Deinitialize the RADIUS authentication server
 * @data: Server data from radius_server_init()
 */
void radius_server_deinit(struct radius_server_data *data);

/**
 * radius_server_get_mib - Get MIB information for the RADIUS server
 * @data: Server data from radius_server_init()
 * @buf: Buffer for the MIB output
 * @buflen: Size of @buf in octets
 * Returns: int; NOTE(review): the exact meaning of the return value (length
 * written vs. status) is not visible here - confirm against radius_server.c
 */
int radius_server_get_mib(struct radius_server_data *data, char *buf,
			  size_t buflen);

/**
 * radius_server_eap_pending_cb - Continue a pending EAP operation
 * @data: Server data from radius_server_init()
 * @ctx: Context pointer identifying the pending operation
 *
 * NOTE(review): how @ctx pairs with a pending request is not visible in this
 * header - confirm against radius_server.c before relying on it.
 */
void radius_server_eap_pending_cb(struct radius_server_data *data, void *ctx);

#endif /* RADIUS_SERVER_H */