src/radius/radius_server.h

   1 /*
   2  * RADIUS authentication server
   3  * Copyright (c) 2005-2009, 2011, Jouni Malinen <j@w1.fi>
   4  *
   5  * This software may be distributed under the terms of the BSD license.
   6  * See README for more details.
   7  */
   8
   9 #ifndef RADIUS_SERVER_H
  10 #define RADIUS_SERVER_H
  11
  12 struct radius_server_data;
  13 struct eap_user;
  14
  15 /**
  16  * struct radius_server_conf - RADIUS server configuration
  17  */
  18 struct radius_server_conf {
  19         /**
  20          * auth_port - UDP port to listen to as an authentication server
  21          */
  22         int auth_port;
  23
  24         /**
  25          * client_file - RADIUS client configuration file
  26          *
  27          * This file contains the RADIUS clients and the shared secret to be
  28          * used with them in a format where each client is on its own line. The
  29          * first item on the line is the IPv4 or IPv6 address of the client
  30          * with an optional address mask to allow full network to be specified
  31          * (e.g., 192.168.1.2 or 192.168.1.0/24). This is followed by white
  32          * space (space or tabulator) and the shared secret. Lines starting
  33          * with '#' are skipped and can be used as comments.
  34          */
  35         char *client_file;
  36
  37         /**
  38          * conf_ctx - Context pointer for callbacks
  39          *
  40          * This is used as the ctx argument in get_eap_user() calls.
  41          */
  42         void *conf_ctx;
  43
  44         /**
  45          * eap_sim_db_priv - EAP-SIM/AKA database context
  46          *
  47          * This is passed to the EAP-SIM/AKA server implementation as a
  48          * callback context.
  49          */
  50         void *eap_sim_db_priv;
  51
  52         /**
  53          * ssl_ctx - TLS context
  54          *
  55          * This is passed to the EAP server implementation as a callback
  56          * context for TLS operations.
  57          */
  58         void *ssl_ctx;
  59
  60         /**
  61          * pac_opaque_encr_key - PAC-Opaque encryption key for EAP-FAST
  62          *
  63          * This parameter is used to set a key for EAP-FAST to encrypt the
  64          * PAC-Opaque data. It can be set to %NULL if EAP-FAST is not used. If
  65          * set, must point to a 16-octet key.
  66          */
  67         u8 *pac_opaque_encr_key;
  68
  69         /**
  70          * eap_fast_a_id - EAP-FAST authority identity (A-ID)
  71          *
  72          * If EAP-FAST is not used, this can be set to %NULL. In theory, this
  73          * is a variable length field, but due to some existing implementations
  74          * requiring A-ID to be 16 octets in length, it is recommended to use
  75          * that length for the field to provide interoperability with deployed
  76          * peer implementations.
  77          */
  78         u8 *eap_fast_a_id;
  79
  80         /**
  81          * eap_fast_a_id_len - Length of eap_fast_a_id buffer in octets
  82          */
  83         size_t eap_fast_a_id_len;
  84
  85         /**
  86          * eap_fast_a_id_info - EAP-FAST authority identifier information
  87          *
  88          * This A-ID-Info contains a user-friendly name for the A-ID. For
  89          * example, this could be the enterprise and server names in
  90          * human-readable format. This field is encoded as UTF-8. If EAP-FAST
  91          * is not used, this can be set to %NULL.
  92          */
  93         char *eap_fast_a_id_info;
  94
  95         /**
  96          * eap_fast_prov - EAP-FAST provisioning modes
  97          *
  98          * 0 = provisioning disabled, 1 = only anonymous provisioning allowed,
  99          * 2 = only authenticated provisioning allowed, 3 = both provisioning
 100          * modes allowed.
 101          */
 102         int eap_fast_prov;
 103
 104         /**
 105          * pac_key_lifetime - EAP-FAST PAC-Key lifetime in seconds
 106          *
 107          * This is the hard limit on how long a provisioned PAC-Key can be
 108          * used.
 109          */
 110         int pac_key_lifetime;
 111
 112         /**
 113          * pac_key_refresh_time - EAP-FAST PAC-Key refresh time in seconds
 114          *
 115          * This is a soft limit on the PAC-Key. The server will automatically
 116          * generate a new PAC-Key when this number of seconds (or fewer) of the
 117          * lifetime remains.
 118          */
 119         int pac_key_refresh_time;
 120
 121         /**
 122          * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication
 123          *
 124          * This controls whether the protected success/failure indication
 125          * (AT_RESULT_IND) is used with EAP-SIM and EAP-AKA.
 126          */
 127         int eap_sim_aka_result_ind;
 128
 129         /**
 130          * tnc - Trusted Network Connect (TNC)
 131          *
 132          * This controls whether TNC is enabled and will be required before the
 133          * peer is allowed to connect. Note: This is only used with EAP-TTLS
 134          * and EAP-FAST. If any other EAP method is enabled, the peer will be
 135          * allowed to connect without TNC.
 136          */
 137         int tnc;
 138
 139         /**
 140          * pwd_group - EAP-pwd D-H group
 141          *
 142          * This is used to select which D-H group to use with EAP-pwd.
 143          */
 144         u16 pwd_group;
 145
 146         /**
 147          * server_id - Server identity
 148          */
 149         const char *server_id;
 150
 151         /**
 152          * wps - Wi-Fi Protected Setup context
 153          *
 154          * If WPS is used with an external RADIUS server (which is quite
 155          * unlikely configuration), this is used to provide a pointer to WPS
 156          * context data. Normally, this can be set to %NULL.
 157          */
 158         struct wps_context *wps;
 159
 160         /**
 161          * ipv6 - Whether to enable IPv6 support in the RADIUS server
 162          */
 163         int ipv6;
 164
 165         /**
 166          * get_eap_user - Callback for fetching EAP user information
 167          * @ctx: Context data from conf_ctx
 168          * @identity: User identity
 169          * @identity_len: identity buffer length in octets
 170          * @phase2: Whether this is for Phase 2 identity
 171          * @user: Data structure for filling in the user information
 172          * Returns: 0 on success, -1 on failure
 173          *
 174          * This is used to fetch information from user database. The callback
 175          * will fill in information about allowed EAP methods and the user
 176          * password. The password field will be an allocated copy of the
 177          * password data and RADIUS server will free it after use.
 178          */
 179         int (*get_eap_user)(void *ctx, const u8 *identity, size_t identity_len,
 180                             int phase2, struct eap_user *user);
 181
 182         /**
 183          * eap_req_id_text - Optional data for EAP-Request/Identity
 184          *
 185          * This can be used to configure an optional, displayable message that
 186          * will be sent in EAP-Request/Identity. This string can contain an
 187          * ASCII-0 character (nul) to separate network infromation per RFC
 188          * 4284. The actual string length is explicit provided in
 189          * eap_req_id_text_len since nul character will not be used as a string
 190          * terminator.
 191          */
 192         const char *eap_req_id_text;
 193
 194         /**
 195          * eap_req_id_text_len - Length of eap_req_id_text buffer in octets
 196          */
 197         size_t eap_req_id_text_len;
 198
 199         /*
 200          * msg_ctx - Context data for wpa_msg() calls
 201          */
 202         void *msg_ctx;
 203
 204 #ifdef CONFIG_RADIUS_TEST
 205         const char *dump_msk_file;
 206 #endif /* CONFIG_RADIUS_TEST */
 207 };
 208
 209
 210 struct radius_server_data *
 211 radius_server_init(struct radius_server_conf *conf);
 212
 213 void radius_server_deinit(struct radius_server_data *data);
 214
 215 int radius_server_get_mib(struct radius_server_data *data, char *buf,
 216                           size_t buflen);
 217
 218 void radius_server_eap_pending_cb(struct radius_server_data *data, void *ctx);
 219
 220 #endif /* RADIUS_SERVER_H */