/*
 * RADIUS authentication server
 * Copyright (c) 2005-2009, 2011, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#ifndef RADIUS_SERVER_H
#define RADIUS_SERVER_H

/* Opaque server state; only ever handled through the functions below. */
struct radius_server_data;
/* User record filled in by the get_eap_user() callback (defined elsewhere). */
struct eap_user;

/**
 * struct radius_server_conf - RADIUS server configuration
 *
 * Filled in by the caller and handed to radius_server_init(). Several
 * members point at secret material (RADIUS shared secrets, the PAC-Opaque
 * key), so the structure and the files it names should be treated as
 * sensitive configuration.
 */
struct radius_server_conf {
	/**
	 * auth_port - UDP port to listen to as an authentication server
	 */
	int auth_port;

	/**
	 * acct_port - UDP port to listen to as an accounting server
	 */
	int acct_port;

	/**
	 * client_file - RADIUS client configuration file
	 *
	 * This file contains the RADIUS clients and the shared secret to be
	 * used with them in a format where each client is on its own line. The
	 * first item on the line is the IPv4 or IPv6 address of the client
	 * with an optional address mask to allow full network to be specified
	 * (e.g., 192.168.1.2 or 192.168.1.0/24). This is followed by white
	 * space (space or tabulator) and the shared secret. Lines starting
	 * with '#' are skipped and can be used as comments.
	 *
	 * NOTE(review): the shared secret is the only thing authenticating a
	 * RADIUS client, so this file should be readable only by the server
	 * process, and network masks should be kept as narrow as possible -
	 * every host in a /24 entry can use that entry's secret.
	 */
	char *client_file;

	/**
	 * sqlite_file - SQLite database for storing debug log information
	 *
	 * NOTE(review): a debug log presumably records peer identities; treat
	 * the database file with the same care as other logs - confirm what
	 * is written before enabling this in production.
	 */
	const char *sqlite_file;

	/**
	 * conf_ctx - Context pointer for callbacks
	 *
	 * This is used as the ctx argument in get_eap_user() calls.
	 */
	void *conf_ctx;

	/**
	 * eap_sim_db_priv - EAP-SIM/AKA database context
	 *
	 * This is passed to the EAP-SIM/AKA server implementation as a
	 * callback context.
	 */
	void *eap_sim_db_priv;

	/**
	 * ssl_ctx - TLS context
	 *
	 * This is passed to the EAP server implementation as a callback
	 * context for TLS operations.
	 */
	void *ssl_ctx;

	/**
	 * pac_opaque_encr_key - PAC-Opaque encryption key for EAP-FAST
	 *
	 * This parameter is used to set a key for EAP-FAST to encrypt the
	 * PAC-Opaque data. It can be set to %NULL if EAP-FAST is not used. If
	 * set, must point to a 16-octet key.
	 *
	 * NOTE(review): this key protects the provisioned PAC credentials, so
	 * it should be generated from a CSPRNG and kept secret; a predictable
	 * key lets anyone holding a PAC-Opaque recover its contents.
	 */
	u8 *pac_opaque_encr_key;

	/**
	 * eap_fast_a_id - EAP-FAST authority identity (A-ID)
	 *
	 * If EAP-FAST is not used, this can be set to %NULL. In theory, this
	 * is a variable length field, but due to some existing implementations
	 * requiring A-ID to be 16 octets in length, it is recommended to use
	 * that length for the field to provide interoperability with deployed
	 * peer implementations.
	 */
	u8 *eap_fast_a_id;

	/**
	 * eap_fast_a_id_len - Length of eap_fast_a_id buffer in octets
	 */
	size_t eap_fast_a_id_len;

	/**
	 * eap_fast_a_id_info - EAP-FAST authority identifier information
	 *
	 * This A-ID-Info contains a user-friendly name for the A-ID. For
	 * example, this could be the enterprise and server names in
	 * human-readable format. This field is encoded as UTF-8. If EAP-FAST
	 * is not used, this can be set to %NULL.
	 */
	char *eap_fast_a_id_info;

	/**
	 * eap_fast_prov - EAP-FAST provisioning modes
	 *
	 * 0 = provisioning disabled, 1 = only anonymous provisioning allowed,
	 * 2 = only authenticated provisioning allowed, 3 = both provisioning
	 * modes allowed.
	 *
	 * NOTE(review): anonymous provisioning (modes 1 and 3) does not
	 * authenticate the server to the peer during PAC provisioning, so it
	 * should be enabled only where that trade-off has been accepted.
	 */
	int eap_fast_prov;

	/**
	 * pac_key_lifetime - EAP-FAST PAC-Key lifetime in seconds
	 *
	 * This is the hard limit on how long a provisioned PAC-Key can be
	 * used.
	 */
	int pac_key_lifetime;

	/**
	 * pac_key_refresh_time - EAP-FAST PAC-Key refresh time in seconds
	 *
	 * This is a soft limit on the PAC-Key. The server will automatically
	 * generate a new PAC-Key when this number of seconds (or fewer) of the
	 * lifetime remains.
	 */
	int pac_key_refresh_time;

	/**
	 * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication
	 *
	 * This controls whether the protected success/failure indication
	 * (AT_RESULT_IND) is used with EAP-SIM and EAP-AKA.
	 */
	int eap_sim_aka_result_ind;

	/**
	 * tnc - Trusted Network Connect (TNC)
	 *
	 * This controls whether TNC is enabled and will be required before the
	 * peer is allowed to connect. Note: This is only used with EAP-TTLS
	 * and EAP-FAST. If any other EAP method is enabled, the peer will be
	 * allowed to connect without TNC. In other words, TNC is only an
	 * effective gate when the user database restricts peers to EAP-TTLS
	 * and EAP-FAST.
	 */
	int tnc;

	/**
	 * pwd_group - EAP-pwd D-H group
	 *
	 * This is used to select which D-H group to use with EAP-pwd.
	 * Presumably an IANA group identifier - confirm against the EAP-pwd
	 * server implementation.
	 */
	u16 pwd_group;

	/**
	 * server_id - Server identity
	 */
	const char *server_id;

	/**
	 * erp - Whether EAP Re-authentication Protocol (ERP) is enabled
	 *
	 * This controls whether the authentication server derives ERP key
	 * hierarchy (rRK and rIK) from full EAP authentication and allows
	 * these keys to be used to perform ERP to derive rMSK instead of full
	 * EAP authentication to derive MSK.
	 */
	int erp;

	/**
	 * erp_domain - ERP domain name
	 *
	 * Presumably the realm used when deriving ERP keys and keyName-NAI;
	 * only meaningful when erp is enabled - TODO confirm.
	 */
	const char *erp_domain;

	/**
	 * tls_session_lifetime - TLS session lifetime
	 *
	 * Presumably the lifetime (in seconds) of cached TLS sessions used for
	 * resumption by TLS-based EAP methods - TODO confirm units and
	 * whether 0 disables caching.
	 */
	unsigned int tls_session_lifetime;

	/**
	 * tls_flags - TLS configuration flags
	 *
	 * Bit flags passed through to the TLS layer; the flag definitions
	 * live elsewhere - TODO confirm.
	 */
	unsigned int tls_flags;

	/**
	 * wps - Wi-Fi Protected Setup context
	 *
	 * If WPS is used with an external RADIUS server (which is quite
	 * unlikely configuration), this is used to provide a pointer to WPS
	 * context data. Normally, this can be set to %NULL.
	 */
	struct wps_context *wps;

	/**
	 * ipv6 - Whether to enable IPv6 support in the RADIUS server
	 */
	int ipv6;

	/**
	 * get_eap_user - Callback for fetching EAP user information
	 * @ctx: Context data from conf_ctx
	 * @identity: User identity
	 * @identity_len: identity buffer length in octets
	 * @phase2: Whether this is for Phase 2 identity
	 * @user: Data structure for filling in the user information
	 * Returns: 0 on success, -1 on failure
	 *
	 * This is used to fetch information from user database. The callback
	 * will fill in information about allowed EAP methods and the user
	 * password. The password field will be an allocated copy of the
	 * password data and RADIUS server will free it after use.
	 *
	 * NOTE(review): identity is peer-supplied and is bounded only by
	 * identity_len - it is not guaranteed to be NUL-terminated, so the
	 * callback must not treat it as a C string.
	 */
	int (*get_eap_user)(void *ctx, const u8 *identity, size_t identity_len,
			    int phase2, struct eap_user *user);

	/**
	 * eap_req_id_text - Optional data for EAP-Request/Identity
	 *
	 * This can be used to configure an optional, displayable message that
	 * will be sent in EAP-Request/Identity. This string can contain an
	 * ASCII-0 character (nul) to separate network information per RFC
	 * 4284. The actual string length is explicitly provided in
	 * eap_req_id_text_len since the nul character will not be used as a
	 * string terminator.
	 */
	const char *eap_req_id_text;

	/**
	 * eap_req_id_text_len - Length of eap_req_id_text buffer in octets
	 */
	size_t eap_req_id_text_len;

	/**
	 * msg_ctx - Context data for wpa_msg() calls
	 */
	void *msg_ctx;

#ifdef CONFIG_RADIUS_TEST
	/**
	 * dump_msk_file - Test-only file for dumping the derived MSK
	 *
	 * NOTE(review): the MSK is the session keying material; this member
	 * exists only in CONFIG_RADIUS_TEST builds and must never be enabled
	 * in a production build.
	 */
	const char *dump_msk_file;
#endif /* CONFIG_RADIUS_TEST */

	/**
	 * subscr_remediation_url - Subscription remediation URL
	 *
	 * Presumably Hotspot 2.0 subscription remediation server URL -
	 * TODO confirm.
	 */
	char *subscr_remediation_url;
	/**
	 * subscr_remediation_method - Subscription remediation method
	 *
	 * Presumably the Hotspot 2.0 remediation method code sent alongside
	 * subscr_remediation_url - TODO confirm.
	 */
	u8 subscr_remediation_method;

	/**
	 * t_c_server_url - Terms and Conditions server URL
	 *
	 * Presumably Hotspot 2.0 Terms and Conditions server URL - TODO
	 * confirm.
	 */
	char *t_c_server_url;
};


/**
 * radius_server_init - Initialize the RADIUS server
 * @conf: Configuration; the caller keeps ownership of the pointed-to data
 * Returns: Server state, or presumably %NULL on failure (confirm in the
 * implementation)
 */
struct radius_server_data *
radius_server_init(struct radius_server_conf *conf);

/**
 * radius_server_erp_flush - Drop all cached ERP keys
 * @data: Server state from radius_server_init()
 *
 * After this, peers must perform a full EAP authentication again before ERP
 * can be used (presumably; confirm in the implementation).
 */
void radius_server_erp_flush(struct radius_server_data *data);

/**
 * radius_server_deinit - Free the server state returned by radius_server_init()
 * @data: Server state
 */
void radius_server_deinit(struct radius_server_data *data);

/**
 * radius_server_get_mib - Get MIB-style statistics as text
 * @data: Server state
 * @buf: Buffer for the text output
 * @buflen: Size of buf in octets
 * Returns: Presumably the number of octets written, or -1 on failure -
 * confirm in the implementation
 */
int radius_server_get_mib(struct radius_server_data *data, char *buf,
			  size_t buflen);

/**
 * radius_server_eap_pending_cb - Continue an EAP exchange that was pending
 * @data: Server state
 * @ctx: Callback context for the pending session
 */
void radius_server_eap_pending_cb(struct radius_server_data *data, void *ctx);

/**
 * radius_server_dac_request - Issue a Dynamic Authorization request
 * @data: Server state
 * @req: Textual request description
 * Returns: 0 on success, -1 on failure (presumably; confirm in the
 * implementation)
 *
 * NOTE(review): req is parsed as text; callers should only pass requests
 * from a trusted control interface.
 */
int radius_server_dac_request(struct radius_server_data *data, const char *req);

#endif /* RADIUS_SERVER_H */