xref: /freebsd/contrib/wpa/src/radius/radius_client.h (revision 87b759f0fa1f7554d50ce640c40138512bbded44)
1 /*
2  * RADIUS client
3  * Copyright (c) 2002-2024, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #ifndef RADIUS_CLIENT_H
10 #define RADIUS_CLIENT_H
11 
12 #include "ip_addr.h"
13 
14 struct radius_msg;
15 
16 /**
17  * struct hostapd_radius_server - RADIUS server information for RADIUS client
18  *
19  * This structure contains information about a RADIUS server. The values are
20  * mainly for MIB information. The MIB variable prefix (radiusAuth or
21  * radiusAcc) depends on whether this is an authentication or accounting
22  * server.
23  *
24  * radiusAuthClientPendingRequests (or radiusAccClientPendingRequests) is the
25  * number struct radius_client_data::msgs for matching msg_type.
26  */
27 struct hostapd_radius_server {
28 	/**
29 	 * addr - radiusAuthServerAddress or radiusAccServerAddress
30 	 */
31 	struct hostapd_ip_addr addr;
32 
33 	/**
34 	 * port - radiusAuthClientServerPortNumber or radiusAccClientServerPortNumber
35 	 */
36 	int port;
37 
38 	/**
39 	 * tls - Whether to use RADIUS/TLS instead of RADIUS/UDP
40 	 */
41 	bool tls;
42 
43 	/**
44 	 * shared_secret - Shared secret for authenticating RADIUS messages
45 	 */
46 	u8 *shared_secret;
47 
48 	/**
49 	 * shared_secret_len - Length of shared_secret in octets
50 	 */
51 	size_t shared_secret_len;
52 
53 	/**
54 	 * ca_cert - Path to trusted CA certificate(s) for RADIUS/TLS
55 	 */
56 	char *ca_cert;
57 
58 	/**
59 	 * client_cert - Path to client certificate for RADIUS/TLS
60 	 */
61 	char *client_cert;
62 
63 	/**
64 	 * private_key - Path to clienbt private key for RADIUS/TLS
65 	 */
66 	char *private_key;
67 
68 	/**
69 	 * private_key_passwd - Password for the private key for RADIUS/TLS
70 	 */
71 	char *private_key_passwd;
72 
73 	/* Dynamic (not from configuration file) MIB data */
74 
75 	/**
76 	 * index - radiusAuthServerIndex or radiusAccServerIndex
77 	 */
78 	int index;
79 
80 	/**
81 	 * round_trip_time - radiusAuthClientRoundTripTime or radiusAccClientRoundTripTime
82 	 * Round-trip time in hundredths of a second.
83 	 */
84 	int round_trip_time;
85 
86 	/**
87 	 * requests - radiusAuthClientAccessRequests or radiusAccClientRequests
88 	 */
89 	u32 requests;
90 
91 	/**
92 	 * retransmissions - radiusAuthClientAccessRetransmissions or radiusAccClientRetransmissions
93 	 */
94 	u32 retransmissions;
95 
96 	/**
97 	 * access_accepts - radiusAuthClientAccessAccepts
98 	 */
99 	u32 access_accepts;
100 
101 	/**
102 	 * access_rejects - radiusAuthClientAccessRejects
103 	 */
104 	u32 access_rejects;
105 
106 	/**
107 	 * access_challenges - radiusAuthClientAccessChallenges
108 	 */
109 	u32 access_challenges;
110 
111 	/**
112 	 * responses - radiusAccClientResponses
113 	 */
114 	u32 responses;
115 
116 	/**
117 	 * malformed_responses - radiusAuthClientMalformedAccessResponses or radiusAccClientMalformedResponses
118 	 */
119 	u32 malformed_responses;
120 
121 	/**
122 	 * bad_authenticators - radiusAuthClientBadAuthenticators or radiusAccClientBadAuthenticators
123 	 */
124 	u32 bad_authenticators;
125 
126 	/**
127 	 * timeouts - radiusAuthClientTimeouts or radiusAccClientTimeouts
128 	 */
129 	u32 timeouts;
130 
131 	/**
132 	 * unknown_types - radiusAuthClientUnknownTypes or radiusAccClientUnknownTypes
133 	 */
134 	u32 unknown_types;
135 
136 	/**
137 	 * packets_dropped - radiusAuthClientPacketsDropped or radiusAccClientPacketsDropped
138 	 */
139 	u32 packets_dropped;
140 };
141 
142 /**
143  * struct hostapd_radius_servers - RADIUS servers for RADIUS client
144  */
145 struct hostapd_radius_servers {
146 	/**
147 	 * auth_servers - RADIUS Authentication servers in priority order
148 	 */
149 	struct hostapd_radius_server *auth_servers;
150 
151 	/**
152 	 * num_auth_servers - Number of auth_servers entries
153 	 */
154 	int num_auth_servers;
155 
156 	/**
157 	 * auth_server - The current Authentication server
158 	 */
159 	struct hostapd_radius_server *auth_server;
160 
161 	/**
162 	 * acct_servers - RADIUS Accounting servers in priority order
163 	 */
164 	struct hostapd_radius_server *acct_servers;
165 
166 	/**
167 	 * num_acct_servers - Number of acct_servers entries
168 	 */
169 	int num_acct_servers;
170 
171 	/**
172 	 * acct_server - The current Accounting server
173 	 */
174 	struct hostapd_radius_server *acct_server;
175 
176 	/**
177 	 * retry_primary_interval - Retry interval for trying primary server
178 	 *
179 	 * This specifies a retry interval in sexconds for trying to return to
180 	 * the primary RADIUS server. RADIUS client code will automatically try
181 	 * to use the next server when the current server is not replying to
182 	 * requests. If this interval is set (non-zero), the primary server
183 	 * will be retried after the specified number of seconds has passed
184 	 * even if the current used secondary server is still working.
185 	 */
186 	int retry_primary_interval;
187 
188 	/**
189 	 * msg_dumps - Whether RADIUS message details are shown in stdout
190 	 */
191 	int msg_dumps;
192 
193 	/**
194 	 * client_addr - Client (local) address to use if force_client_addr
195 	 */
196 	struct hostapd_ip_addr client_addr;
197 
198 	/**
199 	 * force_client_addr - Whether to force client (local) address
200 	 */
201 	int force_client_addr;
202 
203 	/**
204 	 * force_client_dev - Bind the socket to a specified interface, if set
205 	 */
206 	char *force_client_dev;
207 };
208 
209 
210 /**
211  * RadiusType - RADIUS server type for RADIUS client
212  */
213 typedef enum {
214 	/**
215 	 * RADIUS authentication
216 	 */
217 	RADIUS_AUTH,
218 
219 	/**
220 	 * RADIUS_ACCT - RADIUS accounting
221 	 */
222 	RADIUS_ACCT,
223 
224 	/**
225 	 * RADIUS_ACCT_INTERIM - RADIUS interim accounting message
226 	 *
227 	 * Used only with radius_client_send(). This behaves just like
228 	 * RADIUS_ACCT, but removes any pending interim RADIUS Accounting
229 	 * messages for the same STA before sending the new interim update.
230 	 */
231 	RADIUS_ACCT_INTERIM
232 } RadiusType;
233 
234 /**
235  * RadiusRxResult - RADIUS client RX handler result
236  */
237 typedef enum {
238 	/**
239 	 * RADIUS_RX_PROCESSED - Message processed
240 	 *
241 	 * This stops handler calls and frees the message.
242 	 */
243 	RADIUS_RX_PROCESSED,
244 
245 	/**
246 	 * RADIUS_RX_QUEUED - Message has been queued
247 	 *
248 	 * This stops handler calls, but does not free the message; the handler
249 	 * that returned this is responsible for eventually freeing the
250 	 * message.
251 	 */
252 	RADIUS_RX_QUEUED,
253 
254 	/**
255 	 * RADIUS_RX_UNKNOWN - Message is not for this handler
256 	 */
257 	RADIUS_RX_UNKNOWN,
258 
259 	/**
260 	 * RADIUS_RX_INVALID_AUTHENTICATOR - Message has invalid Authenticator
261 	 */
262 	RADIUS_RX_INVALID_AUTHENTICATOR
263 } RadiusRxResult;
264 
265 struct radius_client_data;
266 
267 int radius_client_register(struct radius_client_data *radius,
268 			   RadiusType msg_type,
269 			   RadiusRxResult (*handler)
270 			   (struct radius_msg *msg, struct radius_msg *req,
271 			    const u8 *shared_secret, size_t shared_secret_len,
272 			    void *data),
273 			   void *data);
274 void radius_client_set_interim_error_cb(struct radius_client_data *radius,
275 					void (*cb)(const u8 *addr, void *ctx),
276 					void *ctx);
277 int radius_client_send(struct radius_client_data *radius,
278 		       struct radius_msg *msg,
279 		       RadiusType msg_type, const u8 *addr);
280 u8 radius_client_get_id(struct radius_client_data *radius);
281 void radius_client_flush(struct radius_client_data *radius, int only_auth);
282 struct radius_client_data *
283 radius_client_init(void *ctx, struct hostapd_radius_servers *conf);
284 void radius_client_deinit(struct radius_client_data *radius);
285 void radius_client_flush_auth(struct radius_client_data *radius,
286 			      const u8 *addr);
287 int radius_client_get_mib(struct radius_client_data *radius, char *buf,
288 			  size_t buflen);
289 void radius_client_reconfig(struct radius_client_data *radius,
290 			    struct hostapd_radius_servers *conf);
291 
292 #endif /* RADIUS_CLIENT_H */
293