xref: /freebsd/lib/libradius/libradius.3 (revision b52b9d56d4e96089873a75f9e29062eec19fabba) 
1.\" Copyright 1998 Juniper Networks, Inc.
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23.\" SUCH DAMAGE.
24.\"
25.\" $FreeBSD$
26.\"
27.Dd October 30, 1999
28.Dt LIBRADIUS 3
29.Os
30.Sh NAME
31.Nm libradius
32.Nd RADIUS client library
33.Sh SYNOPSIS
34.In radlib.h
35.Ft struct rad_handle *
36.Fn rad_acct_open "void"
37.Ft int
38.Fn rad_add_server "struct rad_handle *h" "const char *host" "int port" "const char *secret" "int timeout" "int max_tries"
39.Ft struct rad_handle *
40.Fn rad_auth_open "void"
41.Ft void
42.Fn rad_close "struct rad_handle *h"
43.Ft int
44.Fn rad_config "struct rad_handle *h" "const char *file"
45.Ft int
46.Fn rad_continue_send_request "struct rad_handle *h" "int selected" "int *fd" "struct timeval *tv"
47.Ft int
48.Fn rad_create_request "struct rad_handle *h" "int code"
49.Ft struct in_addr
50.Fn rad_cvt_addr "const void *data"
51.Ft u_int32_t
52.Fn rad_cvt_int "const void *data"
53.Ft char *
54.Fn rad_cvt_string "const void *data" "size_t len"
55.Ft int
56.Fn rad_get_attr "struct rad_handle *h" "const void **data" "size_t *len"
57.Ft int
58.Fn rad_get_vendor_attr "u_int32_t *vendor" "const void **data" "size_t *len"
59.Ft int
60.Fn rad_init_send_request "struct rad_handle *h" "int *fd" "struct timeval *tv"
61.Ft int
62.Fn rad_put_addr "struct rad_handle *h" "int type" "struct in_addr addr"
63.Ft int
64.Fn rad_put_attr "struct rad_handle *h" "int type" "const void *data" "size_t len"
65.Ft int
66.Fn rad_put_int "struct rad_handle *h" "int type" "u_int32_t value"
67.Ft int
68.Fn rad_put_string "struct rad_handle *h" "int type" "const char *str"
69.Ft int
70.Fn rad_put_vendor_addr "struct rad_handle *h" "int vendor" "int type" "struct in_addr addr"
71.Ft int
72.Fn rad_put_vendor_attr "struct rad_handle *h" "int vendor" "int type" "const void *data" "size_t len"
73.Ft int
74.Fn rad_put_vendor_int "struct rad_handle *h" "int vendor" "int type" "u_int32_t value"
75.Ft int
76.Fn rad_put_vendor_string "struct rad_handle *h" "int vendor" "int type" "const char *str"
77.Ft ssize_t
78.Fn rad_request_authenticator "struct rad_handle *h" "char *buf" "size_t len"
79.Ft int
80.Fn rad_send_request "struct rad_handle *h"
81.Ft const char *
82.Fn rad_server_secret "struct rad_handle *h"
83.Ft const char *
84.Fn rad_strerror "struct rad_handle *h"
85.Sh DESCRIPTION
86The
87.Nm
88library implements the client side of the Remote Authentication Dial
89In User Service (RADIUS).  RADIUS, defined in RFCs 2138 and 2139,
90allows clients to perform authentication and accounting by means of
91network requests to remote servers.
92.Sh INITIALIZATION
93To use the library, an application must first call
94.Fn rad_auth_open
95or
96.Fn rad_acct_open
97to obtain a
98.Va struct rad_handle * ,
99which provides the context for subsequent operations.
100The former function is used for RADIUS authentication and the
101latter is used for RADIUS accounting.
102Calls to
103.Fn rad_auth_open
104and
105.Fn rad_acct_open
106always succeed unless insufficient virtual memory is available.  If
107the necessary memory cannot be allocated, the functions return
108.Dv NULL .
109For compatibility with earlier versions of this library,
110.Fn rad_open
111is provided as a synonym for
112.Fn rad_auth_open .
113.Pp
114Before issuing any RADIUS requests, the library must be made aware
115of the servers it can contact.  The easiest way to configure the
116library is to call
117.Fn rad_config .
118.Fn rad_config
119causes the library to read a configuration file whose format is
120described in
121.Xr radius.conf 5 .
122The pathname of the configuration file is passed as the
123.Va file
124argument to
125.Fn rad_config .
126This argument may also be given as
127.Dv NULL ,
128in which case the standard configuration file
129.Pa /etc/radius.conf
130is used.
131.Fn rad_config
132returns 0 on success, or -1 if an error occurs.
133.Pp
134The library can also be configured programmatically by calls to
135.Fn rad_add_server .
136The
137.Va host
138parameter specifies the server host, either as a fully qualified
139domain name or as a dotted-quad IP address in text form.
140The
141.Va port
142parameter specifies the UDP port to contact on the server.  If
143.Va port
144is given as 0, the library looks up the
145.Ql radius/udp
146or
147.Ql radacct/udp
148service in the network services database, and uses the port found
149there.  If no entry is found, the library uses the standard RADIUS
150ports, 1812 for authentication and 1813 for accounting.
151The shared secret for the server host is passed to the
152.Va secret
153parameter.
154It may be any NUL-terminated string of bytes.  The RADIUS protocol
155ignores all but the leading 128 bytes of the shared secret.
156The timeout for receiving replies from the server is passed to the
157.Va timeout
158parameter, in units of seconds.  The maximum number of repeated
159requests to make before giving up is passed into the
160.Va max_tries
161parameter.
162.Fn rad_add_server
163returns 0 on success, or -1 if an error occurs.
164.Pp
165.Fn rad_add_server
166may be called multiple times, and it may be used together with
167.Fn rad_config .
168At most 10 servers may be specified.
169When multiple servers are given, they are tried in round-robin
170fashion until a valid response is received, or until each server's
171.Va max_tries
172limit has been reached.
173.Sh CREATING A RADIUS REQUEST
174A RADIUS request consists of a code specifying the kind of request,
175and zero or more attributes which provide additional information.  To
176begin constructing a new request, call
177.Fn rad_create_request .
178In addition to the usual
179.Va struct rad_handle * ,
180this function takes a
181.Va code
182parameter which specifies the type of the request.  Most often this
183will be
184.Dv RAD_ACCESS_REQUEST .
185.Fn rad_create_request
186returns 0 on success, or -1 on if an error occurs.
187.Pp
188After the request has been created with
189.Fn rad_create_request ,
190attributes can be attached to it.  This is done through calls to
191.Fn rad_put_addr ,
192.Fn rad_put_int ,
193and
194.Fn rad_put_string .
195Each accepts a
196.Va type
197parameter identifying the attribute, and a value which may be
198an Internet address, an integer, or a NUL-terminated string,
199respectively.
200Alternatively,
201.Fn rad_put_vendor_addr ,
202.Fn rad_put_vendor_int
203or
204.Fn rad_put_vendor_string
205may be used to specify vendor specific attributes.  Vendor specific
206definitions may be found in
207.In radlib_vs.h
208.Pp
209The library also provides a function
210.Fn rad_put_attr
211which can be used to supply a raw, uninterpreted attribute.  The
212.Va data
213argument points to an array of bytes, and the
214.Va len
215argument specifies its length.
216.Pp
217The
218.Fn rad_put_X
219functions return 0 on success, or -1 if an error occurs.
220.Sh SENDING THE REQUEST AND RECEIVING THE RESPONSE
221After the RADIUS request has been constructed, it is sent either by means of
222.Fn rad_send_request
223or by a combination of calls to
224.Fn rad_init_send_request
225and
226.Fn rad_continue_send_request .
227.Pp
228The
229.Fn rad_send_request
230function sends the request and waits for a valid reply,
231retrying the defined servers in round-robin fashion as necessary.
232If a valid response is received,
233.Fn rad_send_request
234returns the RADIUS code which specifies the type of the response.
235This will typically be
236.Dv RAD_ACCESS_ACCEPT ,
237.Dv RAD_ACCESS_REJECT ,
238or
239.Dv RAD_ACCESS_CHALLENGE .
240If no valid response is received,
241.Fn rad_send_request
242returns -1.
243.Pp
244As an alternative, if you do not wish to block waiting for a response,
245.Fn rad_init_send_request
246and
247.Fn rad_continue_send_request
248may be used instead.  If a reply is received from the RADIUS server or a
249timeout occurs, these functions return a value as described for
250.Fn rad_send_request .
251Otherwise, a value of zero is returned and the values pointed to by
252.Ar fd
253and
254.Ar tv
255are set to the descriptor and timeout that should be passed to
256.Xr select 2 .
257.Pp
258.Fn rad_init_send_request
259must be called first, followed by repeated calls to
260.Fn rad_continue_send_request
261as long as a return value of zero is given.
262Between each call, the application should call
263.Xr select 2 ,
264passing
265.Ar *fd
266as a read descriptor and timing out after the interval specified by
267.Ar tv .
268When select returns,
269.Fn rad_continue_send_request
270should be called with
271.Ar selected
272set to a non-zero value if
273.Xr select 2
274indicated that the descriptor is readable.
275.Pp
276Like RADIUS requests, each response may contain zero or more
277attributes.  After a response has been received successfully by
278.Fn rad_send_request
279or
280.Fn rad_continue_send_request ,
281its attributes can be extracted one by one using
282.Fn rad_get_attr .
283Each time
284.Fn rad_get_attr
285is called, it gets the next attribute from the current response, and
286stores a pointer to the data and the length of the data via the
287reference parameters
288.Va data
289and
290.Va len ,
291respectively.  Note that the data resides in the response itself,
292and must not be modified.
293A successful call to
294.Fn rad_get_attr
295returns the RADIUS attribute type.
296If no more attributes remain in the current response,
297.Fn rad_get_attr
298returns 0.
299If an error such as a malformed attribute is detected, -1 is
300returned.
301.Pp
302If
303.Fn rad_get_attr
304returns
305.Dv RAD_VENDOR_SPECIFIC ,
306.Fn rad_get_vendor_attr
307may be called to determine the vendor.
308The vendor specific RADIUS attribute type is returned.
309The reference parameters
310.Va data
311and
312.Va len
313(as returned from
314.Fn rad_get_attr )
315are passed to
316.Fn rad_get_vendor_attr ,
317and are adjusted to point to the vendor specific attribute data.
318.Pp
319The common types of attributes can be decoded using
320.Fn rad_cvt_addr ,
321.Fn rad_cvt_int ,
322and
323.Fn rad_cvt_string .
324These functions accept a pointer to the attribute data, which should
325have been obtained using
326.Fn rad_get_attr
327and optionally
328.Fn rad_get_vendor_attr .
329In the case of
330.Fn rad_cvt_string ,
331the length
332.Va len
333must also be given.  These functions interpret the attribute as an
334Internet address, an integer, or a string, respectively, and return
335its value.
336.Fn rad_cvt_string
337returns its value as a NUL-terminated string in dynamically
338allocated memory.  The application should free the string using
339.Xr free 3
340when it is no longer needed.
341.Pp
342If insufficient virtual memory is available,
343.Fn rad_cvt_string
344returns
345.Dv NULL .
346.Fn rad_cvt_addr
347and
348.Fn rad_cvt_int
349cannot fail.
350.Pp
351The
352.Fn rad_request_authenticator
353function may be used to obtain the Request-Authenticator attribute value
354associated with the current RADIUS server according to the supplied
355rad_handle.
356The target buffer
357.Ar buf
358of length
359.Ar len
360must be supplied and should be at least 16 bytes.
361The return value is the number of bytes written to
362.Ar buf
363or -1 to indicate that
364.Ar len
365was not large enough.
366.Pp
367The
368.Fn rad_server_secret
369returns the secret shared with the current RADIUS server according to the
370supplied rad_handle.
371.Sh OBTAINING ERROR MESSAGES
372Those functions which accept a
373.Va struct rad_handle *
374argument record an error message if they fail.  The error message
375can be retrieved by calling
376.Fn rad_strerror .
377The message text is overwritten on each new error for the given
378.Va struct rad_handle * .
379Thus the message must be copied if it is to be preserved through
380subsequent library calls using the same handle.
381.Sh CLEANUP
382To free the resources used by the RADIUS library, call
383.Fn rad_close .
384.Sh RETURN VALUES
385The following functions return a non-negative value on success.  If
386they detect an error, they return -1 and record an error message
387which can be retrieved using
388.Fn rad_strerror .
389.Pp
390.Bl -item -offset indent -compact
391.It
392.Fn rad_add_server
393.It
394.Fn rad_config
395.It
396.Fn rad_create_request
397.It
398.Fn rad_get_attr
399.It
400.Fn rad_put_addr
401.It
402.Fn rad_put_attr
403.It
404.Fn rad_put_int
405.It
406.Fn rad_put_string
407.It
408.Fn rad_init_send_request
409.It
410.Fn rad_continue_send_request
411.It
412.Fn rad_send_request
413.El
414.Pp
415The following functions return a
416.No non- Ns Dv NULL
417pointer on success.  If they are unable to allocate sufficient
418virtual memory, they return
419.Dv NULL ,
420without recording an error message.
421.Pp
422.Bl -item -offset indent -compact
423.It
424.Fn rad_acct_open
425.It
426.Fn rad_auth_open
427.It
428.Fn rad_cvt_string
429.El
430.Sh FILES
431.Pa /etc/radius.conf
432.Sh SEE ALSO
433.Xr radius.conf 5
434.Rs
435.%A C. Rigney, et al
436.%T "Remote Authentication Dial In User Service (RADIUS)"
437.%O RFC 2138
438.Re
439.Rs
440.%A C. Rigney
441.%T RADIUS Accounting
442.%O RFC 2139
443.Re
444.Sh AUTHORS
445This software was originally written by
446.An John Polstra ,
447and donated to the
448.Fx
449project by Juniper Networks, Inc.
450Oleg Semyonov subsequently added the ability to perform RADIUS
451accounting.
452