1 /*
2  * RADIUS client
3  * Copyright (c) 2002-2009, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #ifndef RADIUS_CLIENT_H
10 #define RADIUS_CLIENT_H
11 
12 #include "ip_addr.h"
13 
14 struct radius_msg;
15 
16 /**
17  * struct hostapd_radius_server - RADIUS server information for RADIUS client
18  *
19  * This structure contains information about a RADIUS server. The values are
20  * mainly for MIB information. The MIB variable prefix (radiusAuth or
21  * radiusAcc) depends on whether this is an authentication or accounting
22  * server.
23  *
24  * radiusAuthClientPendingRequests (or radiusAccClientPendingRequests) is the
25  * number struct radius_client_data::msgs for matching msg_type.
26  */
27 struct hostapd_radius_server {
28 	/**
29 	 * addr - radiusAuthServerAddress or radiusAccServerAddress
30 	 */
31 	struct hostapd_ip_addr addr;
32 
33 	/**
34 	 * port - radiusAuthClientServerPortNumber or radiusAccClientServerPortNumber
35 	 */
36 	int port;
37 
38 	/**
39 	 * shared_secret - Shared secret for authenticating RADIUS messages
40 	 */
41 	u8 *shared_secret;
42 
43 	/**
44 	 * shared_secret_len - Length of shared_secret in octets
45 	 */
46 	size_t shared_secret_len;
47 
48 	/* Dynamic (not from configuration file) MIB data */
49 
50 	/**
51 	 * index - radiusAuthServerIndex or radiusAccServerIndex
52 	 */
53 	int index;
54 
55 	/**
56 	 * round_trip_time - radiusAuthClientRoundTripTime or radiusAccClientRoundTripTime
57 	 * Round-trip time in hundredths of a second.
58 	 */
59 	int round_trip_time;
60 
61 	/**
62 	 * requests - radiusAuthClientAccessRequests or radiusAccClientRequests
63 	 */
64 	u32 requests;
65 
66 	/**
67 	 * retransmissions - radiusAuthClientAccessRetransmissions or radiusAccClientRetransmissions
68 	 */
69 	u32 retransmissions;
70 
71 	/**
72 	 * access_accepts - radiusAuthClientAccessAccepts
73 	 */
74 	u32 access_accepts;
75 
76 	/**
77 	 * access_rejects - radiusAuthClientAccessRejects
78 	 */
79 	u32 access_rejects;
80 
81 	/**
82 	 * access_challenges - radiusAuthClientAccessChallenges
83 	 */
84 	u32 access_challenges;
85 
86 	/**
87 	 * responses - radiusAccClientResponses
88 	 */
89 	u32 responses;
90 
91 	/**
92 	 * malformed_responses - radiusAuthClientMalformedAccessResponses or radiusAccClientMalformedResponses
93 	 */
94 	u32 malformed_responses;
95 
96 	/**
97 	 * bad_authenticators - radiusAuthClientBadAuthenticators or radiusAccClientBadAuthenticators
98 	 */
99 	u32 bad_authenticators;
100 
101 	/**
102 	 * timeouts - radiusAuthClientTimeouts or radiusAccClientTimeouts
103 	 */
104 	u32 timeouts;
105 
106 	/**
107 	 * unknown_types - radiusAuthClientUnknownTypes or radiusAccClientUnknownTypes
108 	 */
109 	u32 unknown_types;
110 
111 	/**
112 	 * packets_dropped - radiusAuthClientPacketsDropped or radiusAccClientPacketsDropped
113 	 */
114 	u32 packets_dropped;
115 };
116 
117 /**
118  * struct hostapd_radius_servers - RADIUS servers for RADIUS client
119  */
120 struct hostapd_radius_servers {
121 	/**
122 	 * auth_servers - RADIUS Authentication servers in priority order
123 	 */
124 	struct hostapd_radius_server *auth_servers;
125 
126 	/**
127 	 * num_auth_servers - Number of auth_servers entries
128 	 */
129 	int num_auth_servers;
130 
131 	/**
132 	 * auth_server - The current Authentication server
133 	 */
134 	struct hostapd_radius_server *auth_server;
135 
136 	/**
137 	 * acct_servers - RADIUS Accounting servers in priority order
138 	 */
139 	struct hostapd_radius_server *acct_servers;
140 
141 	/**
142 	 * num_acct_servers - Number of acct_servers entries
143 	 */
144 	int num_acct_servers;
145 
146 	/**
147 	 * acct_server - The current Accounting server
148 	 */
149 	struct hostapd_radius_server *acct_server;
150 
151 	/**
152 	 * retry_primary_interval - Retry interval for trying primary server
153 	 *
154 	 * This specifies a retry interval in sexconds for trying to return to
155 	 * the primary RADIUS server. RADIUS client code will automatically try
156 	 * to use the next server when the current server is not replying to
157 	 * requests. If this interval is set (non-zero), the primary server
158 	 * will be retried after the specified number of seconds has passed
159 	 * even if the current used secondary server is still working.
160 	 */
161 	int retry_primary_interval;
162 
163 	/**
164 	 * msg_dumps - Whether RADIUS message details are shown in stdout
165 	 */
166 	int msg_dumps;
167 
168 	/**
169 	 * client_addr - Client (local) address to use if force_client_addr
170 	 */
171 	struct hostapd_ip_addr client_addr;
172 
173 	/**
174 	 * force_client_addr - Whether to force client (local) address
175 	 */
176 	int force_client_addr;
177 };
178 
179 
180 /**
181  * RadiusType - RADIUS server type for RADIUS client
182  */
183 typedef enum {
184 	/**
185 	 * RADIUS authentication
186 	 */
187 	RADIUS_AUTH,
188 
189 	/**
190 	 * RADIUS_ACCT - RADIUS accounting
191 	 */
192 	RADIUS_ACCT,
193 
194 	/**
195 	 * RADIUS_ACCT_INTERIM - RADIUS interim accounting message
196 	 *
197 	 * Used only with radius_client_send(). This behaves just like
198 	 * RADIUS_ACCT, but removes any pending interim RADIUS Accounting
199 	 * messages for the same STA before sending the new interim update.
200 	 */
201 	RADIUS_ACCT_INTERIM
202 } RadiusType;
203 
204 /**
205  * RadiusRxResult - RADIUS client RX handler result
206  */
207 typedef enum {
208 	/**
209 	 * RADIUS_RX_PROCESSED - Message processed
210 	 *
211 	 * This stops handler calls and frees the message.
212 	 */
213 	RADIUS_RX_PROCESSED,
214 
215 	/**
216 	 * RADIUS_RX_QUEUED - Message has been queued
217 	 *
218 	 * This stops handler calls, but does not free the message; the handler
219 	 * that returned this is responsible for eventually freeing the
220 	 * message.
221 	 */
222 	RADIUS_RX_QUEUED,
223 
224 	/**
225 	 * RADIUS_RX_UNKNOWN - Message is not for this handler
226 	 */
227 	RADIUS_RX_UNKNOWN,
228 
229 	/**
230 	 * RADIUS_RX_INVALID_AUTHENTICATOR - Message has invalid Authenticator
231 	 */
232 	RADIUS_RX_INVALID_AUTHENTICATOR
233 } RadiusRxResult;
234 
235 struct radius_client_data;
236 
237 int radius_client_register(struct radius_client_data *radius,
238 			   RadiusType msg_type,
239 			   RadiusRxResult (*handler)
240 			   (struct radius_msg *msg, struct radius_msg *req,
241 			    const u8 *shared_secret, size_t shared_secret_len,
242 			    void *data),
243 			   void *data);
244 int radius_client_send(struct radius_client_data *radius,
245 		       struct radius_msg *msg,
246 		       RadiusType msg_type, const u8 *addr);
247 u8 radius_client_get_id(struct radius_client_data *radius);
248 void radius_client_flush(struct radius_client_data *radius, int only_auth);
249 struct radius_client_data *
250 radius_client_init(void *ctx, struct hostapd_radius_servers *conf);
251 void radius_client_deinit(struct radius_client_data *radius);
252 void radius_client_flush_auth(struct radius_client_data *radius,
253 			      const u8 *addr);
254 int radius_client_get_mib(struct radius_client_data *radius, char *buf,
255 			  size_t buflen);
256 void radius_client_reconfig(struct radius_client_data *radius,
257 			    struct hostapd_radius_servers *conf);
258 
259 #endif /* RADIUS_CLIENT_H */
260