2 \brief Public interface for libradsec. */
4 /* Copyright 2010-2013 NORDUnet A/S. All rights reserved.
5 See LICENSE for licensing information. */
7 #ifndef _RADSEC_RADSEC_H_
8 #define _RADSEC_RADSEC_H_ 1
13 #ifdef HAVE_SYS_TIME_H
16 #ifdef HAVE_ARPA_INET_H
17 #include <arpa/inet.h>
32 RSE_CONN_TYPE_MISMATCH = 5,
35 RSE_EVENT = 9, /* libevent error. */
40 RSE_SSLERR = 14, /* OpenSSL error. */
42 RSE_TIMEOUT_CONN = 16, /* Connection timeout. */
43 RSE_INVAL = 17, /* Invalid argument. */
44 RSE_TIMEOUT_IO = 18, /* I/O timeout. */
45 RSE_TIMEOUT = 19, /* High level timeout. */
48 RSE_PACKET_TOO_SMALL = 22,
49 RSE_PACKET_TOO_LARGE = 23,
50 RSE_ATTR_OVERFLOW = 24,
51 RSE_ATTR_TOO_SMALL = 25,
52 RSE_ATTR_TOO_LARGE = 26,
53 RSE_ATTR_UNKNOWN = 27,
54 RSE_ATTR_BAD_NAME = 28,
55 RSE_ATTR_VALUE_MALFORMED = 29,
56 RSE_ATTR_INVALID = 30,
57 RSE_TOO_MANY_ATTRS = 31,
58 RSE_ATTR_TYPE_UNKNOWN = 32,
59 RSE_MSG_AUTH_LEN = 33,
60 RSE_MSG_AUTH_WRONG = 34,
61 RSE_REQUEST_REQUIRED = 35,
62 RSE_INVALID_REQUEST_CODE = 36,
63 RSE_AUTH_VECTOR_WRONG = 37,
64 RSE_INVALID_RESPONSE_CODE = 38,
65 RSE_INVALID_RESPONSE_ID = 39,
66 RSE_INVALID_RESPONSE_SRC = 40,
67 RSE_NO_PACKET_DATA = 41,
68 RSE_VENDOR_UNKNOWN = 42,
75 RS_CONN_TYPE_NONE = 0,
81 typedef unsigned int rs_conn_type_t;
83 typedef enum rs_attr_type_t {
84 RS_TYPE_INVALID = 0, /**< Invalid data type */
85 RS_TYPE_STRING, /**< printable-text */
86 RS_TYPE_INTEGER, /**< a 32-bit unsigned integer */
87 RS_TYPE_IPADDR, /**< an IPv4 address */
88 RS_TYPE_DATE, /**< a 32-bit date, of seconds since January 1, 1970 */
89 RS_TYPE_OCTETS, /**< a sequence of binary octets */
90 RS_TYPE_IFID, /**< an Interface Id */
91 RS_TYPE_IPV6ADDR, /**< an IPv6 address */
92 RS_TYPE_IPV6PREFIX, /**< an IPv6 prefix */
93 RS_TYPE_BYTE, /**< an 8-bit integer */
94 RS_TYPE_SHORT, /**< a 16-bit integer */
97 #define PW_ACCESS_REQUEST 1
98 #define PW_ACCESS_ACCEPT 2
99 #define PW_ACCESS_REJECT 3
100 #define PW_ACCOUNTING_REQUEST 4
101 #define PW_ACCOUNTING_RESPONSE 5
102 #define PW_ACCOUNTING_STATUS 6
103 #define PW_PASSWORD_REQUEST 7
104 #define PW_PASSWORD_ACK 8
105 #define PW_PASSWORD_REJECT 9
106 #define PW_ACCOUNTING_MESSAGE 10
107 #define PW_ACCESS_CHALLENGE 11
108 #define PW_STATUS_SERVER 12
109 #define PW_STATUS_CLIENT 13
110 #define PW_DISCONNECT_REQUEST 40
111 #define PW_DISCONNECT_ACK 41
112 #define PW_DISCONNECT_NAK 42
113 #define PW_COA_REQUEST 43
114 #define PW_COA_ACK 44
115 #define PW_COA_NAK 45
117 #if defined (__cplusplus)
122 struct rs_context; /* radsec-impl.h */
123 struct rs_connection; /* radsec-impl.h */
124 struct rs_packet; /* radsec-impl.h */
125 struct rs_conn; /* radsec-impl.h */
126 struct rs_error; /* radsec-impl.h */
127 struct rs_peer; /* radsec-impl.h */
128 struct radius_packet; /* <radius/client.h> */
129 struct value_pair; /* <radius/client.h> */
130 struct event_base; /* <event2/event-internal.h> */
132 typedef void *(*rs_calloc_fp) (size_t nmemb, size_t size);
133 typedef void *(*rs_malloc_fp) (size_t size);
134 typedef void (*rs_free_fp) (void *ptr);
135 typedef void *(*rs_realloc_fp) (void *ptr, size_t size);
136 struct rs_alloc_scheme {
140 rs_realloc_fp realloc;
143 typedef void (*rs_conn_connected_cb) (void *user_data /* FIXME: peer? */ );
144 typedef void (*rs_conn_disconnected_cb) (void *user_data /* FIXME: reason? */ );
145 typedef void (*rs_conn_packet_received_cb) (struct rs_packet *packet,
147 typedef void (*rs_conn_packet_sent_cb) (void *user_data);
148 struct rs_conn_callbacks {
149 /** Callback invoked when the connection has been established. */
150 rs_conn_connected_cb connected_cb;
151 /** Callback invoked when the connection has been torn down. */
152 rs_conn_disconnected_cb disconnected_cb;
153 /** Callback invoked when a packet was received. */
154 rs_conn_packet_received_cb received_cb;
155 /** Callback invoked when a packet was successfully sent. */
156 rs_conn_packet_sent_cb sent_cb;
159 typedef struct value_pair rs_avp;
160 typedef const struct value_pair rs_const_avp;
162 /* Function prototypes. */
167 /** Create a context. Freed by calling \a rs_context_destroy. Note
168 that the context must not be freed before all other libradsec
169 objects have been freed.
171 \a ctx Address of pointer to a struct rs_context. This is the
172 output of this function.
174 \return RSE_OK (0) on success or RSE_NOMEM on out of memory. */
175 int rs_context_create(struct rs_context **ctx);
177 /** Free a context. Note that the context must not be freed before
178 all other libradsec objects have been freed. */
179 void rs_context_destroy(struct rs_context *ctx);
181 /** Set allocation scheme to use. \a scheme is the allocation scheme
182 to use, see \a rs_alloc_scheme. \return On success, RSE_OK (0) is
183 returned. On error, !0 is returned and a struct \a rs_error is
184 pushed on the error stack for the context. The error can be
185 accessed using \a rs_err_ctx_pop. */
186 int rs_context_set_alloc_scheme(struct rs_context *ctx,
187 struct rs_alloc_scheme *scheme);
189 /** Read configuration file. \a config_file is the path of the
190 configuration file to read. \return On success, RSE_OK (0) is
191 returned. On error, !0 is returned and a struct \a rs_error is
192 pushed on the error stack for the context. The error can be
193 accessed using \a rs_err_ctx_pop. */
194 int rs_context_read_config(struct rs_context *ctx, const char *config_file);
199 /** Create a connection. \a conn is the address of a pointer to an \a
200 rs_connection, the output. Free the connection using \a
201 rs_conn_destroy. Note that a connection must not be freed before
202 all packets associated with the connection have been freed. A
203 packet is associated with a connection when it's created (\a
204 rs_packet_create) or received (\a rs_conn_receive_packet).
206 If \a config is not NULL it should be the name of a configuration
207 found in the config file read in using \a rs_context_read_config.
208 \return On success, RSE_OK (0) is returned. On error, !0 is
209 returned and a struct \a rs_error is pushed on the error stack for
210 the context. The error can be accessed using \a
212 int rs_conn_create(struct rs_context *ctx,
213 struct rs_connection **conn,
216 /** Not implemented. */
217 int rs_conn_add_listener(struct rs_connection *conn,
219 const char *hostname,
221 /** Disconnect connection \a conn. \return RSE_OK (0) on success, !0
222 * on error. On error, errno is set appropriately. */
223 int rs_conn_disconnect (struct rs_connection *conn);
225 /** Disconnect and free memory allocated for connection \a conn. Note
226 that a connection must not be freed before all packets associated
227 with the connection have been freed. A packet is associated with
228 a connection when it's created (\a rs_packet_create) or received
229 (\a rs_conn_receive_packet). \return RSE_OK (0) on success, !0 *
230 on error. On error, errno is set appropriately. */
231 int rs_conn_destroy(struct rs_connection *conn);
233 /** Set connection type for \a conn. */
234 void rs_conn_set_type(struct rs_connection *conn, rs_conn_type_t type);
236 /** Not implemented. */
237 int rs_conn_set_eventbase(struct rs_connection *conn, struct event_base *eb);
239 /** Register callbacks \a cb for connection \a conn. */
240 void rs_conn_set_callbacks(struct rs_connection *conn,
241 struct rs_conn_callbacks *cb);
243 /** Remove callbacks for connection \a conn. */
244 void rs_conn_del_callbacks(struct rs_connection *conn);
246 /** Return callbacks registered for connection \a conn. \return
247 Installed callbacks are returned. */
248 struct rs_conn_callbacks *rs_conn_get_callbacks(struct rs_connection *conn);
250 /** Not implemented. */
251 int rs_conn_select_peer(struct rs_connection *conn, const char *name);
253 /** Not implemented. */
254 int rs_conn_get_current_peer(struct rs_connection *conn,
258 /** Special function used in blocking mode, i.e. with no callbacks
259 registered. For any other use of libradsec, a \a received_cb
260 callback should be registered using \a rs_conn_set_callbacks.
262 If \a req_msg is not NULL, a successfully received RADIUS message
263 is verified against it. If \a pkt_out is not NULL it will upon
264 return contain a pointer to an \a rs_packet containing the new
267 \return On error or if the connect (TCP only) or read times out,
268 \a pkt_out will not be changed and one or more errors are pushed
269 on \a conn (available through \a rs_err_conn_pop). */
270 int rs_conn_receive_packet(struct rs_connection *conn,
271 struct rs_packet *request,
272 struct rs_packet **pkt_out);
274 /** Get the file descriptor associated with connection \a conn.
275 * \return File descriptor. */
276 int rs_conn_fd(struct rs_connection *conn);
278 /** Set the timeout value for connection \a conn. */
279 void rs_conn_set_timeout(struct rs_connection *conn, struct timeval *tv);
281 /* Peer -- client and server. */
282 int rs_peer_create(struct rs_connection *conn, struct rs_peer **peer_out);
283 int rs_peer_set_address(struct rs_peer *peer,
284 const char *hostname,
285 const char *service);
286 int rs_peer_set_secret(struct rs_peer *peer, const char *secret);
287 void rs_peer_set_timeout(struct rs_peer *peer, int timeout);
288 void rs_peer_set_retries(struct rs_peer *peer, int retries);
293 /** Create a packet associated with connection \a conn. */
294 int rs_packet_create(struct rs_connection *conn, struct rs_packet **pkt_out);
296 /** Free all memory allocated for packet \a pkt. */
297 void rs_packet_destroy(struct rs_packet *pkt);
299 /** Send packet \a pkt on the connection associated with \a pkt.
300 \a user_data is passed to the \a rs_conn_packet_received_cb callback
301 registered with the connection. If no callback is registered with
302 the connection, the event loop is run by \a rs_packet_send and it
303 blocks until the full packet has been sent. Note that sending can
304 fail in several ways, f.ex. if the transmission protocol in use
305 is connection oriented (\a RS_CONN_TYPE_TCP and \a RS_CONN_TYPE_TLS)
306 and the connection can not be established. Also note that no
307 retransmission is done, something that is required for connectionless
308 transport protocols (\a RS_CONN_TYPE_UDP and \a RS_CONN_TYPE_DTLS).
309 The "request" API with \a rs_request_send can help with this.
311 \return On success, RSE_OK (0) is returned. On error, !0 is
312 returned and a struct \a rs_error is pushed on the error stack for
313 the connection. The error can be accessed using \a rs_err_conn_pop. */
314 int rs_packet_send(struct rs_packet *pkt, void *user_data);
316 /** Create a RADIUS authentication request packet associated with
317 connection \a conn. Optionally, User-Name and User-Password
318 attributes are added to the packet using the data in \a user_name
320 int rs_packet_create_authn_request(struct rs_connection *conn,
321 struct rs_packet **pkt,
322 const char *user_name,
323 const char *user_pw);
325 /** Add a new attribute-value pair to \a pkt. */
326 int rs_packet_add_avp(struct rs_packet *pkt,
327 unsigned int attr, unsigned int vendor,
328 const void *data, size_t data_len);
330 /** Append a new attribute to packet \a pkt. Note that this function
331 encodes the attribute and therefore might require the secret
332 shared with the thought recipient to be set in pkt->rpkt. Note
333 also that this function marks \a pkt as already encoded and can
334 not be used on packets with non-encoded value-pairs already
337 rs_packet_append_avp(struct rs_packet *pkt,
338 unsigned int attribute, unsigned int vendor,
339 const void *data, size_t data_len);
341 /*** Get pointer to \a pkt attribute value pairs. */
343 rs_packet_avps(struct rs_packet *pkt, rs_avp ***vps);
345 /*** Get RADIUS packet type of \a pkt. */
347 rs_packet_code(struct rs_packet *pkt);
349 /*** Get RADIUS AVP from \a pkt. */
351 rs_packet_find_avp(struct rs_packet *pkt, unsigned int attr, unsigned int vendor);
353 /*** Set packet identifier in \a pkt; returns old identifier */
355 rs_packet_set_id (struct rs_packet *pkt, int id);
360 /** Find the realm named \a name in the configuration file previoiusly
361 read in using \a rs_context_read_config. */
362 struct rs_realm *rs_conf_find_realm(struct rs_context *ctx, const char *name);
367 /** Create a struct \a rs_error and push it on a FIFO associated with
368 context \a ctx. Note: The depth of the error stack is one (1) at
369 the moment. This will change in a future release. */
370 int rs_err_ctx_push(struct rs_context *ctx, int code, const char *fmt, ...);
371 int rs_err_ctx_push_fl(struct rs_context *ctx,
377 /** Pop the first error from the error FIFO associated with context \a
378 ctx or NULL if there are no errors in the FIFO. */
379 struct rs_error *rs_err_ctx_pop(struct rs_context *ctx);
381 /** Create a struct \a rs_error and push it on a FIFO associated with
382 connection \a conn. Note: The depth of the error stack is one (1)
383 at the moment. This will change in a future release. */
384 int rs_err_conn_push(struct rs_connection *conn,
388 int rs_err_conn_push_fl(struct rs_connection *conn,
394 /** Pop the first error from the error FIFO associated with connection
395 \a conn or NULL if there are no errors in the FIFO. */
396 struct rs_error *rs_err_conn_pop(struct rs_connection *conn);
398 int rs_err_conn_peek_code (struct rs_connection *conn);
399 void rs_err_free(struct rs_error *err);
400 char *rs_err_msg(struct rs_error *err);
401 int rs_err_code(struct rs_error *err, int dofree_flag);
406 #define rs_avp_is_string(vp) (rs_avp_typeof(vp) == RS_TYPE_STRING)
407 #define rs_avp_is_integer(vp) (rs_avp_typeof(vp) == RS_TYPE_INTEGER)
408 #define rs_avp_is_ipaddr(vp) (rs_avp_typeof(vp) == RS_TYPE_IPADDR)
409 #define rs_avp_is_date(vp) (rs_avp_typeof(vp) == RS_TYPE_DATE)
410 #define rs_avp_is_octets(vp) (rs_avp_typeof(vp) == RS_TYPE_OCTETS)
411 #define rs_avp_is_ifid(vp) (rs_avp_typeof(vp) == RS_TYPE_IFID)
412 #define rs_avp_is_ipv6addr(vp) (rs_avp_typeof(vp) == RS_TYPE_IPV6ADDR)
413 #define rs_avp_is_ipv6prefix(vp) (rs_avp_typeof(vp) == RS_TYPE_IPV6PREFIX)
414 #define rs_avp_is_byte(vp) (rs_avp_typeof(vp) == RS_TYPE_BYTE)
415 #define rs_avp_is_short(vp) (rs_avp_typeof(vp) == RS_TYPE_SHORT)
416 #define rs_avp_is_tlv(vp) (rs_avp_typeof(vp) == RS_TYPE_TLV)
418 /** The maximum length of a RADIUS attribute.
420 * The RFCs require that a RADIUS attribute transport no more than
421 * 253 octets of data. We add an extra byte for a trailing NUL, so
422 * that the VALUE_PAIR::vp_strvalue field can be handled as a C
425 #define RS_MAX_STRING_LEN 254
427 /** Free the AVP list \a vps */
429 rs_avp_free(rs_avp **vps);
431 /** Return the length of AVP \a vp in bytes */
433 rs_avp_length(rs_const_avp *vp);
435 /** Return the type of \a vp */
437 rs_avp_typeof(rs_const_avp *vp);
439 /** Retrieve the attribute and vendor ID of \a vp */
441 rs_avp_attrid(rs_const_avp *vp, unsigned int *attr, unsigned int *vendor);
443 /** Add \a vp to the list pointed to by \a head */
445 rs_avp_append(rs_avp **head, rs_avp *vp);
447 /** Find an AVP in \a vp that matches \a attr and \a vendor */
449 rs_avp_find(rs_avp *vp, unsigned int attr, unsigned int vendor);
451 /** Find an AVP in \a vp that matches \a attr and \a vendor */
453 rs_avp_find_const(rs_const_avp *vp, unsigned int attr, unsigned int vendor);
455 /** Alloc a new AVP for \a attr and \a vendor */
457 rs_avp_alloc(unsigned int attr, unsigned int vendor);
459 /** Duplicate existing AVP \a vp */
461 rs_avp_dup(rs_const_avp *vp);
463 /** Remove matching AVP from list \a vps */
465 rs_avp_delete(rs_avp **vps, unsigned int attr, unsigned int vendor);
467 /** Return next AVP in list */
469 rs_avp_next(rs_avp *vp);
471 /** Return next AVP in list */
473 rs_avp_next_const(rs_const_avp *avp);
475 /** Return string value of \a vp */
477 rs_avp_string_value(rs_const_avp *vp);
479 /** Set AVP \a vp to string \a str */
481 rs_avp_string_set(rs_avp *vp, const char *str);
483 /** Return integer value of \a vp */
485 rs_avp_integer_value(rs_const_avp *vp);
487 /** Set AVP \a vp to integer \a val */
489 rs_avp_integer_set(rs_avp *vp, uint32_t val);
491 /** Return IPv4 value of \a vp */
493 rs_avp_ipaddr_value(rs_const_avp *vp);
495 /** Set AVP \a vp to IPv4 address \a in */
497 rs_avp_ipaddr_set(rs_avp *vp, struct in_addr in);
499 /** Return POSIX time value of \a vp */
501 rs_avp_date_value(rs_const_avp *vp);
503 /** Set AVP \a vp to POSIX time \a date */
505 rs_avp_date_set(rs_avp *vp, time_t date);
507 /** Return constant pointer to octets in \a vp */
508 const unsigned char *
509 rs_avp_octets_value_const_ptr(rs_const_avp *vp);
511 /** Return pointer to octets in \a vp */
513 rs_avp_octets_value_ptr(rs_avp *vp);
515 /** Retrieve octet pointer \a p and length \a len from \a vp */
517 rs_avp_octets_value_byref(rs_avp *vp,
521 /** Copy octets from \a vp into \a buf and \a len */
523 rs_avp_octets_value(rs_const_avp *vp,
528 * Copy octets possibly fragmented across multiple VPs
529 * into \a buf and \a len
532 rs_avp_fragmented_value(rs_const_avp *vps,
536 /** Copy \a len octets in \a buf to AVP \a vp */
538 rs_avp_octets_set(rs_avp *vp,
539 const unsigned char *buf,
542 /** Return IFID value of \a vp */
544 rs_avp_ifid_value(rs_const_avp *vp, uint8_t val[8]);
547 rs_avp_ifid_set(rs_avp *vp, const uint8_t val[8]);
549 /** Return byte value of \a vp */
551 rs_avp_byte_value(rs_const_avp *vp);
553 /** Set AVP \a vp to byte \a val */
555 rs_avp_byte_set(rs_avp *vp, uint8_t val);
557 /** Return short value of \a vp */
559 rs_avp_short_value(rs_const_avp *vp);
561 /** Set AVP \a vp to short integer \a val */
563 rs_avp_short_set(rs_avp *vp, uint16_t val);
565 /** Display possibly \a canonical attribute name into \a buffer */
567 rs_attr_display_name (unsigned int attr,
573 /** Display AVP \a vp into \a buffer */
575 rs_avp_display_value(rs_const_avp *vp,
580 rs_attr_parse_name (const char *name,
582 unsigned int *vendor);
584 /** Lookup attribute \a name */
586 rs_attr_find(const char *name,
588 unsigned int *vendor);
590 /** Return dictionary name for AVP \a vp */
592 rs_avp_name(rs_const_avp *vp);
594 #if defined (__cplusplus)
598 #endif /* _RADSEC_RADSEC_H_ */
600 /* Local Variables: */
601 /* c-file-style: "stroustrup" */