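/*
 * RADIUS authentication server
 * Copyright (c) 2005-2009, 2011, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#ifndef RADIUS_SERVER_H
#define RADIUS_SERVER_H

struct radius_server_data;
struct eap_user;

/**
 * struct radius_server_conf - RADIUS server configuration
 *
 * Filled in by the caller and passed to radius_server_init(). This header
 * does not say which pointer fields are copied by the server; until that is
 * confirmed against radius_server.c, keep every pointed-to object alive for
 * the lifetime of the server (NOTE(review): verify ownership per field).
 */
struct radius_server_conf {
	/**
	 * auth_port - UDP port to listen to as an authentication server
	 */
	int auth_port;

	/**
	 * acct_port - UDP port to listen to as an accounting server
	 */
	int acct_port;

	/**
	 * client_file - RADIUS client configuration file
	 *
	 * This file contains the RADIUS clients and the shared secret to be
	 * used with them in a format where each client is on its own line. The
	 * first item on the line is the IPv4 or IPv6 address of the client
	 * with an optional address mask to allow a full network to be specified
	 * (e.g., 192.168.1.2 or 192.168.1.0/24). This is followed by white
	 * space (space or tabulator) and the shared secret. Lines starting
	 * with '#' are skipped and can be used as comments.
	 *
	 * NOTE(review): the shared secrets in this file are what authenticates
	 * a RADIUS client (NAS) to this server, so the file must be readable
	 * only by the user the server runs as, and each secret should be long
	 * and randomly generated. An address mask (e.g. /24) hands the same
	 * secret to every host in that network; keep masks as narrow as the
	 * deployment allows.
	 */
	char *client_file;

	/**
	 * sqlite_file - SQLite database for storing debug log information
	 *
	 * Optional; the header does not state what happens when %NULL, but
	 * the field being a debug aid suggests logging is simply skipped
	 * (NOTE(review): confirm in radius_server.c).
	 */
	const char *sqlite_file;

	/**
	 * conf_ctx - Context pointer for callbacks
	 *
	 * This is used as the ctx argument in get_eap_user() calls.
	 */
	void *conf_ctx;

	/**
	 * eap_sim_db_priv - EAP-SIM/AKA database context
	 *
	 * This is passed to the EAP-SIM/AKA server implementation as a
	 * callback context.
	 */
	void *eap_sim_db_priv;

	/**
	 * ssl_ctx - TLS context
	 *
	 * This is passed to the EAP server implementation as a callback
	 * context for TLS operations.
	 */
	void *ssl_ctx;

	/**
	 * pac_opaque_encr_key - PAC-Opaque encryption key for EAP-FAST
	 *
	 * This parameter is used to set a key for EAP-FAST to encrypt the
	 * PAC-Opaque data. It can be set to %NULL if EAP-FAST is not used. If
	 * set, must point to a 16-octet key.
	 *
	 * NOTE(review): since this key protects the PAC-Opaque blobs handed to
	 * peers, it presumably lets anyone holding it decrypt or mint PACs;
	 * generate it from a CSPRNG and treat it as a long-term secret.
	 */
	u8 *pac_opaque_encr_key;

	/**
	 * eap_fast_a_id - EAP-FAST authority identity (A-ID)
	 *
	 * If EAP-FAST is not used, this can be set to %NULL. In theory, this
	 * is a variable length field, but due to some existing implementations
	 * requiring A-ID to be 16 octets in length, it is recommended to use
	 * that length for the field to provide interoperability with deployed
	 * peer implementations.
	 */
	u8 *eap_fast_a_id;

	/**
	 * eap_fast_a_id_len - Length of eap_fast_a_id buffer in octets
	 */
	size_t eap_fast_a_id_len;

	/**
	 * eap_fast_a_id_info - EAP-FAST authority identifier information
	 *
	 * This A-ID-Info contains a user-friendly name for the A-ID. For
	 * example, this could be the enterprise and server names in
	 * human-readable format. This field is encoded as UTF-8. If EAP-FAST
	 * is not used, this can be set to %NULL.
	 */
	char *eap_fast_a_id_info;

	/**
	 * eap_fast_prov - EAP-FAST provisioning modes
	 *
	 * 0 = provisioning disabled, 1 = only anonymous provisioning allowed,
	 * 2 = only authenticated provisioning allowed, 3 = both provisioning
	 * modes allowed.
	 *
	 * NOTE(review): anonymous provisioning (modes 1 and 3) runs without
	 * server authentication by the peer; enable it only where the
	 * deployment has accepted that exposure.
	 */
	int eap_fast_prov;

	/**
	 * pac_key_lifetime - EAP-FAST PAC-Key lifetime in seconds
	 *
	 * This is the hard limit on how long a provisioned PAC-Key can be
	 * used.
	 */
	int pac_key_lifetime;

	/**
	 * pac_key_refresh_time - EAP-FAST PAC-Key refresh time in seconds
	 *
	 * This is a soft limit on the PAC-Key. The server will automatically
	 * generate a new PAC-Key when this number of seconds (or fewer) of the
	 * lifetime remains. It should therefore be smaller than
	 * pac_key_lifetime to be meaningful.
	 */
	int pac_key_refresh_time;

	/**
	 * eap_teap_auth - EAP-TEAP authentication option
	 *
	 * Semantics are not described in this header; see the hostapd
	 * configuration documentation for the accepted values
	 * (NOTE(review): document here once confirmed).
	 */
	int eap_teap_auth;

	/**
	 * eap_teap_pac_no_inner - EAP-TEAP PAC option
	 *
	 * Name suggests inner authentication is skipped when a PAC is
	 * presented; not confirmed from this header (NOTE(review): verify and
	 * document the security implication before relying on it).
	 */
	int eap_teap_pac_no_inner;

	/**
	 * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication
	 *
	 * This controls whether the protected success/failure indication
	 * (AT_RESULT_IND) is used with EAP-SIM and EAP-AKA.
	 */
	int eap_sim_aka_result_ind;

	/**
	 * eap_sim_id - EAP-SIM/AKA identity option
	 *
	 * Not documented in this header; see the hostapd configuration
	 * documentation (NOTE(review): document the accepted values here).
	 */
	int eap_sim_id;

	/**
	 * tnc - Trusted Network Connect (TNC)
	 *
	 * This controls whether TNC is enabled and will be required before the
	 * peer is allowed to connect. Note: This is only used with EAP-TTLS
	 * and EAP-FAST. If any other EAP method is enabled, the peer will be
	 * allowed to connect without TNC. Deployments that depend on TNC as an
	 * admission control must therefore restrict the enabled EAP methods
	 * to those two.
	 */
	int tnc;

	/**
	 * pwd_group - EAP-pwd D-H group
	 *
	 * This is used to select which D-H group to use with EAP-pwd.
	 */
	u16 pwd_group;

	/**
	 * server_id - Server identity
	 */
	const char *server_id;

	/**
	 * erp - Whether EAP Re-authentication Protocol (ERP) is enabled
	 *
	 * This controls whether the authentication server derives ERP key
	 * hierarchy (rRK and rIK) from full EAP authentication and allows
	 * these keys to be used to perform ERP to derive rMSK instead of full
	 * EAP authentication to derive MSK. radius_server_erp_flush() discards
	 * the server-side ERP state.
	 */
	int erp;

	/**
	 * erp_domain - ERP domain name
	 *
	 * Only meaningful when erp is enabled; exact use is not visible in
	 * this header (NOTE(review): confirm against radius_server.c).
	 */
	const char *erp_domain;

	/**
	 * tls_session_lifetime - TLS session lifetime
	 *
	 * Presumably in seconds, matching the other lifetime fields in this
	 * struct; not confirmed here (NOTE(review): verify the unit).
	 */
	unsigned int tls_session_lifetime;

	/**
	 * tls_flags - TLS flags passed through to the TLS layer
	 *
	 * Bit meanings are defined elsewhere; this header does not list them.
	 */
	unsigned int tls_flags;

	/**
	 * wps - Wi-Fi Protected Setup context
	 *
	 * If WPS is used with an external RADIUS server (which is quite
	 * unlikely configuration), this is used to provide a pointer to WPS
	 * context data. Normally, this can be set to %NULL.
	 */
	struct wps_context *wps;

	/**
	 * ipv6 - Whether to enable IPv6 support in the RADIUS server
	 */
	int ipv6;

	/**
	 * get_eap_user - Callback for fetching EAP user information
	 * @ctx: Context data from conf_ctx
	 * @identity: User identity
	 * @identity_len: identity buffer length in octets
	 * @phase2: Whether this is for Phase 2 identity
	 * @user: Data structure for filling in the user information
	 * Returns: 0 on success, -1 on failure
	 *
	 * This is used to fetch information from user database. The callback
	 * will fill in information about allowed EAP methods and the user
	 * password. The password field will be an allocated copy of the
	 * password data and RADIUS server will free it after use, i.e.
	 * ownership of that allocation transfers to the server.
	 *
	 * NOTE(review): @identity comes from the peer and is not
	 * NUL-terminated; implementations must honour @identity_len rather
	 * than treat it as a C string.
	 */
	int (*get_eap_user)(void *ctx, const u8 *identity, size_t identity_len,
			    int phase2, struct eap_user *user);

	/**
	 * eap_req_id_text - Optional data for EAP-Request/Identity
	 *
	 * This can be used to configure an optional, displayable message that
	 * will be sent in EAP-Request/Identity. This string can contain an
	 * ASCII-0 character (nul) to separate network information per RFC
	 * 4284. The actual string length is explicitly provided in
	 * eap_req_id_text_len since the nul character will not be used as a
	 * string terminator.
	 */
	const char *eap_req_id_text;

	/**
	 * eap_req_id_text_len - Length of eap_req_id_text buffer in octets
	 */
	size_t eap_req_id_text_len;

	/**
	 * msg_ctx - Context data for wpa_msg() calls
	 */
	void *msg_ctx;

#ifdef CONFIG_RADIUS_TEST
	/**
	 * dump_msk_file - Test-only file for dumping derived keys
	 *
	 * The name indicates that the MSK (session keying material) is
	 * written to this file. This exists for test builds only;
	 * CONFIG_RADIUS_TEST must never be enabled in a production build.
	 */
	const char *dump_msk_file;
#endif /* CONFIG_RADIUS_TEST */

	/*
	 * Hotspot 2.0 / Passpoint related options. None of these are
	 * documented in this header; the names suggest URLs and a method
	 * selector delivered to the peer (NOTE(review): document once
	 * confirmed against the implementation).
	 */
	char *subscr_remediation_url;
	u8 subscr_remediation_method;
	char *hs20_sim_provisioning_url;

	char *t_c_server_url;
};


/**
 * radius_server_init - Initialize a RADIUS server instance
 * @conf: Configuration; see struct radius_server_conf
 * Returns: Server context, or %NULL on failure (presumably; the failure
 * convention is not stated here and should be confirmed in radius_server.c)
 */
struct radius_server_data *
radius_server_init(struct radius_server_conf *conf);

/**
 * radius_server_erp_flush - Discard server-side ERP key state
 * @data: Server context from radius_server_init()
 */
void radius_server_erp_flush(struct radius_server_data *data);

/**
 * radius_server_deinit - Free a RADIUS server instance
 * @data: Server context from radius_server_init()
 */
void radius_server_deinit(struct radius_server_data *data);

/**
 * radius_server_get_mib - Fetch MIB/statistics text for the server
 * @data: Server context from radius_server_init()
 * @buf: Output buffer
 * @buflen: Size of @buf in octets
 * Returns: int; the meaning of the value (e.g. number of bytes written) is
 * not stated in this header
 */
int radius_server_get_mib(struct radius_server_data *data, char *buf,
			  size_t buflen);

/**
 * radius_server_eap_pending_cb - Continue a pending EAP exchange
 * @data: Server context from radius_server_init()
 * @ctx: Opaque context identifying the pending session
 */
void radius_server_eap_pending_cb(struct radius_server_data *data, void *ctx);

/**
 * radius_server_dac_request - Issue a dynamic authorization (DAC) request
 * @data: Server context from radius_server_init()
 * @req: Textual request; its format is defined by the implementation, not
 * by this header
 * Returns: 0 on success, negative on failure (NOTE(review): confirm)
 */
int radius_server_dac_request(struct radius_server_data *data, const char *req);

#endif /* RADIUS_SERVER_H */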