src/radius/radius_server.h

   1 /*
   2  * RADIUS authentication server
   3  * Copyright (c) 2005-2009, 2011, Jouni Malinen <j@w1.fi>
   4  *
   5  * This software may be distributed under the terms of the BSD license.
   6  * See README for more details.
   7  */
   8
   9 #ifndef RADIUS_SERVER_H
  10 #define RADIUS_SERVER_H
  11
  12 struct radius_server_data;
  13 struct eap_user;
  14
  15 /**
  16  * struct radius_server_conf - RADIUS server configuration
  17  */
  18 struct radius_server_conf {
  19         /**
  20          * auth_port - UDP port to listen to as an authentication server
  21          */
  22         int auth_port;
  23
  24         /**
  25          * acct_port - UDP port to listen to as an accounting server
  26          */
  27         int acct_port;
  28
  29         /**
  30          * client_file - RADIUS client configuration file
  31          *
  32          * This file contains the RADIUS clients and the shared secret to be
  33          * used with them in a format where each client is on its own line. The
  34          * first item on the line is the IPv4 or IPv6 address of the client
  35          * with an optional address mask to allow full network to be specified
  36          * (e.g., 192.168.1.2 or 192.168.1.0/24). This is followed by white
  37          * space (space or tabulator) and the shared secret. Lines starting
  38          * with '#' are skipped and can be used as comments.
  39          */
  40         char *client_file;
  41
  42         /**
  43          * sqlite_file - SQLite database for storing debug log information
  44          */
  45         const char *sqlite_file;
  46
  47         /**
  48          * conf_ctx - Context pointer for callbacks
  49          *
  50          * This is used as the ctx argument in get_eap_user() calls.
  51          */
  52         void *conf_ctx;
  53
  54         /**
  55          * eap_sim_db_priv - EAP-SIM/AKA database context
  56          *
  57          * This is passed to the EAP-SIM/AKA server implementation as a
  58          * callback context.
  59          */
  60         void *eap_sim_db_priv;
  61
  62         /**
  63          * ssl_ctx - TLS context
  64          *
  65          * This is passed to the EAP server implementation as a callback
  66          * context for TLS operations.
  67          */
  68         void *ssl_ctx;
  69
  70         /**
  71          * pac_opaque_encr_key - PAC-Opaque encryption key for EAP-FAST
  72          *
  73          * This parameter is used to set a key for EAP-FAST to encrypt the
  74          * PAC-Opaque data. It can be set to %NULL if EAP-FAST is not used. If
  75          * set, must point to a 16-octet key.
  76          */
  77         u8 *pac_opaque_encr_key;
  78
  79         /**
  80          * eap_fast_a_id - EAP-FAST authority identity (A-ID)
  81          *
  82          * If EAP-FAST is not used, this can be set to %NULL. In theory, this
  83          * is a variable length field, but due to some existing implementations
  84          * requiring A-ID to be 16 octets in length, it is recommended to use
  85          * that length for the field to provide interoperability with deployed
  86          * peer implementations.
  87          */
  88         u8 *eap_fast_a_id;
  89
  90         /**
  91          * eap_fast_a_id_len - Length of eap_fast_a_id buffer in octets
  92          */
  93         size_t eap_fast_a_id_len;
  94
  95         /**
  96          * eap_fast_a_id_info - EAP-FAST authority identifier information
  97          *
  98          * This A-ID-Info contains a user-friendly name for the A-ID. For
  99          * example, this could be the enterprise and server names in
 100          * human-readable format. This field is encoded as UTF-8. If EAP-FAST
 101          * is not used, this can be set to %NULL.
 102          */
 103         char *eap_fast_a_id_info;
 104
 105         /**
 106          * eap_fast_prov - EAP-FAST provisioning modes
 107          *
 108          * 0 = provisioning disabled, 1 = only anonymous provisioning allowed,
 109          * 2 = only authenticated provisioning allowed, 3 = both provisioning
 110          * modes allowed.
 111          */
 112         int eap_fast_prov;
 113
 114         /**
 115          * pac_key_lifetime - EAP-FAST PAC-Key lifetime in seconds
 116          *
 117          * This is the hard limit on how long a provisioned PAC-Key can be
 118          * used.
 119          */
 120         int pac_key_lifetime;
 121
 122         /**
 123          * pac_key_refresh_time - EAP-FAST PAC-Key refresh time in seconds
 124          *
 125          * This is a soft limit on the PAC-Key. The server will automatically
 126          * generate a new PAC-Key when this number of seconds (or fewer) of the
 127          * lifetime remains.
 128          */
 129         int pac_key_refresh_time;
 130
 131         /**
 132          * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication
 133          *
 134          * This controls whether the protected success/failure indication
 135          * (AT_RESULT_IND) is used with EAP-SIM and EAP-AKA.
 136          */
 137         int eap_sim_aka_result_ind;
 138
 139         /**
 140          * tnc - Trusted Network Connect (TNC)
 141          *
 142          * This controls whether TNC is enabled and will be required before the
 143          * peer is allowed to connect. Note: This is only used with EAP-TTLS
 144          * and EAP-FAST. If any other EAP method is enabled, the peer will be
 145          * allowed to connect without TNC.
 146          */
 147         int tnc;
 148
 149         /**
 150          * pwd_group - EAP-pwd D-H group
 151          *
 152          * This is used to select which D-H group to use with EAP-pwd.
 153          */
 154         u16 pwd_group;
 155
 156         /**
 157          * server_id - Server identity
 158          */
 159         const char *server_id;
 160
 161         /**
 162          * erp - Whether EAP Re-authentication Protocol (ERP) is enabled
 163          *
 164          * This controls whether the authentication server derives ERP key
 165          * hierarchy (rRK and rIK) from full EAP authentication and allows
 166          * these keys to be used to perform ERP to derive rMSK instead of full
 167          * EAP authentication to derive MSK.
 168          */
 169         int erp;
 170
 171         const char *erp_domain;
 172
 173         unsigned int tls_session_lifetime;
 174
 175         /**
 176          * wps - Wi-Fi Protected Setup context
 177          *
 178          * If WPS is used with an external RADIUS server (which is quite
 179          * unlikely configuration), this is used to provide a pointer to WPS
 180          * context data. Normally, this can be set to %NULL.
 181          */
 182         struct wps_context *wps;
 183
 184         /**
 185          * ipv6 - Whether to enable IPv6 support in the RADIUS server
 186          */
 187         int ipv6;
 188
 189         /**
 190          * get_eap_user - Callback for fetching EAP user information
 191          * @ctx: Context data from conf_ctx
 192          * @identity: User identity
 193          * @identity_len: identity buffer length in octets
 194          * @phase2: Whether this is for Phase 2 identity
 195          * @user: Data structure for filling in the user information
 196          * Returns: 0 on success, -1 on failure
 197          *
 198          * This is used to fetch information from user database. The callback
 199          * will fill in information about allowed EAP methods and the user
 200          * password. The password field will be an allocated copy of the
 201          * password data and RADIUS server will free it after use.
 202          */
 203         int (*get_eap_user)(void *ctx, const u8 *identity, size_t identity_len,
 204                             int phase2, struct eap_user *user);
 205
 206         /**
 207          * eap_req_id_text - Optional data for EAP-Request/Identity
 208          *
 209          * This can be used to configure an optional, displayable message that
 210          * will be sent in EAP-Request/Identity. This string can contain an
 211          * ASCII-0 character (nul) to separate network infromation per RFC
 212          * 4284. The actual string length is explicit provided in
 213          * eap_req_id_text_len since nul character will not be used as a string
 214          * terminator.
 215          */
 216         const char *eap_req_id_text;
 217
 218         /**
 219          * eap_req_id_text_len - Length of eap_req_id_text buffer in octets
 220          */
 221         size_t eap_req_id_text_len;
 222
 223         /*
 224          * msg_ctx - Context data for wpa_msg() calls
 225          */
 226         void *msg_ctx;
 227
 228 #ifdef CONFIG_RADIUS_TEST
 229         const char *dump_msk_file;
 230 #endif /* CONFIG_RADIUS_TEST */
 231
 232         char *subscr_remediation_url;
 233         u8 subscr_remediation_method;
 234 };
 235
 236
 237 struct radius_server_data *
 238 radius_server_init(struct radius_server_conf *conf);
 239
 240 void radius_server_erp_flush(struct radius_server_data *data);
 241 void radius_server_deinit(struct radius_server_data *data);
 242
 243 int radius_server_get_mib(struct radius_server_data *data, char *buf,
 244                           size_t buflen);
 245
 246 void radius_server_eap_pending_cb(struct radius_server_data *data, void *ctx);
 247
 248 #endif /* RADIUS_SERVER_H */