/*
 * RADIUS authentication server
 * Copyright (c) 2005-2009, 2011, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#ifndef RADIUS_SERVER_H
#define RADIUS_SERVER_H

/* Opaque server state; allocated by radius_server_init() and released by
 * radius_server_deinit(). Its layout is private to the implementation. */
struct radius_server_data;
/* EAP user record filled in by the get_eap_user() callback below. */
struct eap_user;

/**
 * struct radius_server_conf - RADIUS server configuration
 *
 * Filled in by the caller and handed to radius_server_init(). Several
 * members are pointers into caller-owned memory (configuration strings,
 * key material, callback contexts); nothing in this header states that the
 * server copies them, so assume they must stay valid for the lifetime of
 * the server instance unless the implementation documents otherwise.
 */
struct radius_server_conf {
	/**
	 * auth_port - UDP port to listen to as an authentication server
	 */
	int auth_port;

	/**
	 * acct_port - UDP port to listen to as an accounting server
	 */
	int acct_port;

	/**
	 * client_file - RADIUS client configuration file
	 *
	 * This file contains the RADIUS clients and the shared secret to be
	 * used with them in a format where each client is on its own line. The
	 * first item on the line is the IPv4 or IPv6 address of the client
	 * with an optional address mask to allow full network to be specified
	 * (e.g., 192.168.1.2 or 192.168.1.0/24). This is followed by white
	 * space (space or tabulator) and the shared secret. Lines starting
	 * with '#' are skipped and can be used as comments.
	 *
	 * Since this file holds the shared secrets that authenticate RADIUS
	 * clients, it should be readable only by the server's own user.
	 */
	char *client_file;

	/**
	 * sqlite_file - SQLite database for storing debug log information
	 */
	const char *sqlite_file;

	/**
	 * conf_ctx - Context pointer for callbacks
	 *
	 * This is used as the ctx argument in get_eap_user() calls.
	 */
	void *conf_ctx;

	/**
	 * eap_sim_db_priv - EAP-SIM/AKA database context
	 *
	 * This is passed to the EAP-SIM/AKA server implementation as a
	 * callback context.
	 */
	void *eap_sim_db_priv;

	/**
	 * ssl_ctx - TLS context
	 *
	 * This is passed to the EAP server implementation as a callback
	 * context for TLS operations.
	 */
	void *ssl_ctx;

	/**
	 * pac_opaque_encr_key - PAC-Opaque encryption key for EAP-FAST
	 *
	 * This parameter is used to set a key for EAP-FAST to encrypt the
	 * PAC-Opaque data. It can be set to %NULL if EAP-FAST is not used. If
	 * set, must point to a 16-octet key.
	 *
	 * This is long-lived key material: anyone holding it can decrypt
	 * stored PAC-Opaque data, so it must not end up in logs or dumps.
	 */
	u8 *pac_opaque_encr_key;

	/**
	 * eap_fast_a_id - EAP-FAST authority identity (A-ID)
	 *
	 * If EAP-FAST is not used, this can be set to %NULL. In theory, this
	 * is a variable length field, but due to some existing implementations
	 * requiring A-ID to be 16 octets in length, it is recommended to use
	 * that length for the field to provide interoperability with deployed
	 * peer implementations.
	 */
	u8 *eap_fast_a_id;

	/**
	 * eap_fast_a_id_len - Length of eap_fast_a_id buffer in octets
	 */
	size_t eap_fast_a_id_len;

	/**
	 * eap_fast_a_id_info - EAP-FAST authority identifier information
	 *
	 * This A-ID-Info contains a user-friendly name for the A-ID. For
	 * example, this could be the enterprise and server names in
	 * human-readable format. This field is encoded as UTF-8. If EAP-FAST
	 * is not used, this can be set to %NULL.
	 */
	char *eap_fast_a_id_info;

	/**
	 * eap_fast_prov - EAP-FAST provisioning modes
	 *
	 * 0 = provisioning disabled, 1 = only anonymous provisioning allowed,
	 * 2 = only authenticated provisioning allowed, 3 = both provisioning
	 * modes allowed.
	 *
	 * Anonymous provisioning (modes 1 and 3) issues PACs without a
	 * server-authenticated tunnel, so enable it only where that exposure
	 * is acceptable.
	 */
	int eap_fast_prov;

	/**
	 * pac_key_lifetime - EAP-FAST PAC-Key lifetime in seconds
	 *
	 * This is the hard limit on how long a provisioned PAC-Key can be
	 * used.
	 */
	int pac_key_lifetime;

	/**
	 * pac_key_refresh_time - EAP-FAST PAC-Key refresh time in seconds
	 *
	 * This is a soft limit on the PAC-Key. The server will automatically
	 * generate a new PAC-Key when this number of seconds (or fewer) of the
	 * lifetime remains.
	 */
	int pac_key_refresh_time;

	/*
	 * NOTE(review): eap_teap_auth and eap_teap_pac_no_inner are not
	 * documented here. The names suggest EAP-TEAP inner-authentication
	 * selection and a flag that lets a valid PAC skip inner
	 * authentication - confirm the accepted values and semantics against
	 * the EAP-TEAP server implementation before relying on them.
	 */
	int eap_teap_auth;
	int eap_teap_pac_no_inner;

	/**
	 * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication
	 *
	 * This controls whether the protected success/failure indication
	 * (AT_RESULT_IND) is used with EAP-SIM and EAP-AKA.
	 */
	int eap_sim_aka_result_ind;

	/*
	 * NOTE(review): eap_sim_id is undocumented here; presumably an
	 * EAP-SIM/AKA identity-handling option (e.g., pseudonym / fast
	 * re-authentication identity use) - confirm against the EAP-SIM/AKA
	 * server implementation.
	 */
	int eap_sim_id;

	/**
	 * tnc - Trusted Network Connect (TNC)
	 *
	 * This controls whether TNC is enabled and will be required before the
	 * peer is allowed to connect. Note: This is only used with EAP-TTLS
	 * and EAP-FAST. If any other EAP method is enabled, the peer will be
	 * allowed to connect without TNC.
	 */
	int tnc;

	/**
	 * pwd_group - EAP-pwd D-H group
	 *
	 * This is used to select which D-H group to use with EAP-pwd.
	 */
	u16 pwd_group;

	/**
	 * server_id - Server identity
	 */
	const char *server_id;

	/**
	 * erp - Whether EAP Re-authentication Protocol (ERP) is enabled
	 *
	 * This controls whether the authentication server derives ERP key
	 * hierarchy (rRK and rIK) from full EAP authentication and allows
	 * these keys to be used to perform ERP to derive rMSK instead of full
	 * EAP authentication to derive MSK.
	 */
	int erp;

	/*
	 * NOTE(review): erp_domain is undocumented here; presumably the ERP
	 * domain name advertised for re-authentication and only meaningful
	 * when erp is set - confirm.
	 */
	const char *erp_domain;

	/*
	 * NOTE(review): tls_session_lifetime is undocumented here; the unit
	 * (presumably seconds) and the meaning of 0 are not stated - confirm
	 * against the TLS layer before tuning it.
	 */
	unsigned int tls_session_lifetime;

	/*
	 * NOTE(review): tls_flags is undocumented here; presumably a bitmask
	 * passed through to the TLS layer, whose flag values are defined
	 * elsewhere - confirm.
	 */
	unsigned int tls_flags;

	/**
	 * wps - Wi-Fi Protected Setup context
	 *
	 * If WPS is used with an external RADIUS server (which is quite an
	 * unlikely configuration), this is used to provide a pointer to WPS
	 * context data. Normally, this can be set to %NULL.
	 */
	struct wps_context *wps;

	/**
	 * ipv6 - Whether to enable IPv6 support in the RADIUS server
	 */
	int ipv6;

	/**
	 * get_eap_user - Callback for fetching EAP user information
	 * @ctx: Context data from conf_ctx
	 * @identity: User identity
	 * @identity_len: identity buffer length in octets
	 * @phase2: Whether this is for Phase 2 identity
	 * @user: Data structure for filling in the user information
	 * Returns: 0 on success, -1 on failure
	 *
	 * This is used to fetch information from user database. The callback
	 * will fill in information about allowed EAP methods and the user
	 * password. The password field will be an allocated copy of the
	 * password data and RADIUS server will free it after use.
	 *
	 * Because the server frees the password, the callback must hand over
	 * a freshly allocated copy rather than a pointer into its own
	 * storage. The identity is peer-supplied and not nul-terminated;
	 * always bound access by @identity_len.
	 */
	int (*get_eap_user)(void *ctx, const u8 *identity, size_t identity_len,
			    int phase2, struct eap_user *user);

	/**
	 * eap_req_id_text - Optional data for EAP-Request/Identity
	 *
	 * This can be used to configure an optional, displayable message that
	 * will be sent in EAP-Request/Identity. This string can contain an
	 * ASCII-0 character (nul) to separate network information per RFC
	 * 4284. The actual string length is explicitly provided in
	 * eap_req_id_text_len since nul character will not be used as a string
	 * terminator.
	 */
	const char *eap_req_id_text;

	/**
	 * eap_req_id_text_len - Length of eap_req_id_text buffer in octets
	 */
	size_t eap_req_id_text_len;

	/*
	 * msg_ctx - Context data for wpa_msg() calls
	 */
	void *msg_ctx;

#ifdef CONFIG_RADIUS_TEST
	/*
	 * NOTE(review): only present in CONFIG_RADIUS_TEST builds. The name
	 * suggests derived MSKs are written to this file, which would expose
	 * session key material; keep this build option out of production
	 * builds - confirm the exact behaviour in the implementation.
	 */
	const char *dump_msk_file;
#endif /* CONFIG_RADIUS_TEST */

	/*
	 * NOTE(review): the following four members are undocumented here.
	 * Their names point at Hotspot 2.0 features (subscription
	 * remediation URL and method, SIM provisioning URL, terms and
	 * conditions server URL) that the server presumably relays to the
	 * peer - confirm the encoding and when each is sent.
	 */
	char *subscr_remediation_url;
	u8 subscr_remediation_method;
	char *hs20_sim_provisioning_url;

	char *t_c_server_url;
};


/*
 * radius_server_init - Create and start a RADIUS server instance
 * @conf: Server configuration (see struct radius_server_conf)
 * Returns: Server state, or presumably %NULL on failure - confirm.
 *
 * The returned state must be released with radius_server_deinit().
 */
struct radius_server_data *
radius_server_init(struct radius_server_conf *conf);

/*
 * radius_server_erp_flush - Discard ERP state held by the server
 * @data: Server state from radius_server_init()
 *
 * NOTE(review): name-based description; presumably drops the cached ERP
 * key hierarchy so that peers must run full EAP again - confirm.
 */
void radius_server_erp_flush(struct radius_server_data *data);

/*
 * radius_server_deinit - Stop the server and free its state
 * @data: Server state from radius_server_init()
 */
void radius_server_deinit(struct radius_server_data *data);

/*
 * radius_server_get_mib - Write MIB/status text into a caller buffer
 * @data: Server state from radius_server_init()
 * @buf: Output buffer
 * @buflen: Size of @buf in bytes
 * Returns: NOTE(review): presumably number of bytes written, or negative
 * on failure - confirm, and check that output is bounded by @buflen.
 */
int radius_server_get_mib(struct radius_server_data *data, char *buf,
			  size_t buflen);

/*
 * radius_server_eap_pending_cb - Resume processing of a pending EAP request
 * @data: Server state from radius_server_init()
 * @ctx: Context identifying the pending session (opaque here - confirm)
 */
void radius_server_eap_pending_cb(struct radius_server_data *data, void *ctx);

/*
 * radius_server_dac_request - Issue a request towards a dynamic
 * authorization client
 * @data: Server state from radius_server_init()
 * @req: Request description as a text string (format not stated here -
 *	confirm against the implementation; it is parsed input and should
 *	be validated there)
 * Returns: NOTE(review): presumably 0 on success, -1 on failure - confirm.
 */
int radius_server_dac_request(struct radius_server_data *data, const char *req);

#endif /* RADIUS_SERVER_H */