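/*
 * EAP peer configuration data
 * Copyright (c) 2003-2008, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#ifndef EAP_CONFIG_H
#define EAP_CONFIG_H

/**
 * struct eap_peer_config - EAP peer configuration/credentials
 *
 * Per-network credentials and TLS trust settings used by the EAP peer.
 * Several fields hold secrets (password, private_key_passwd, pin, pin2, otp,
 * new_password). Fields documented as "should not be set in configuration
 * step" are runtime state maintained by the EAP code rather than user
 * configuration.
 */
struct eap_peer_config {
	/**
	 * identity - EAP Identity
	 *
	 * This field is used to set the real user identity or NAI (for
	 * EAP-PSK/PAX/SAKE/GPSK).
	 */
	u8 *identity;

	/**
	 * identity_len - EAP Identity length
	 */
	size_t identity_len;

	/**
	 * anonymous_identity - Anonymous EAP Identity
	 *
	 * This field is used for unencrypted use with EAP types that support
	 * different tunnelled identity, e.g., EAP-TTLS, in order to reveal the
	 * real identity (identity field) only to the authentication server.
	 * Because this value is sent unencrypted, it should not disclose the
	 * real identity.
	 *
	 * If not set, the identity field will be used for both unencrypted and
	 * protected fields.
	 *
	 * This field can also be used with EAP-SIM/AKA/AKA' to store the
	 * pseudonym identity.
	 */
	u8 *anonymous_identity;

	/**
	 * anonymous_identity_len - Length of anonymous_identity
	 */
	size_t anonymous_identity_len;

	/**
	 * password - Password string for EAP
	 *
	 * This field can include either the plaintext password (default
	 * option) or a NtPasswordHash (16-byte MD4 hash of the unicode
	 * presentation of the password) if flags field has
	 * EAP_CONFIG_FLAGS_PASSWORD_NTHASH bit set to 1. NtPasswordHash can
	 * only be used with authentication mechanisms that use this hash as
	 * the starting point for operation: MSCHAP and MSCHAPv2 (EAP-MSCHAPv2,
	 * EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP). Since those mechanisms
	 * need only the hash, the stored NtPasswordHash is equivalent to the
	 * password for them and must be protected the same way.
	 *
	 * In addition, this field is used to configure a pre-shared key for
	 * EAP-PSK/PAX/SAKE/GPSK. The length of the PSK must be 16 for EAP-PSK
	 * and EAP-PAX and 32 for EAP-SAKE. EAP-GPSK can use a variable length
	 * PSK.
	 */
	u8 *password;

	/**
	 * password_len - Length of password field
	 */
	size_t password_len;

	/**
	 * ca_cert - File path to CA certificate file (PEM/DER)
	 *
	 * This file can have one or more trusted CA certificates. If ca_cert
	 * and ca_path are not included, server certificate will not be
	 * verified. This is insecure and a trusted CA certificate should
	 * always be configured when using EAP-TLS/TTLS/PEAP. Full path to the
	 * file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://blob_name.
	 *
	 * Alternatively, this can be used to only perform matching of the
	 * server certificate (SHA-256 hash of the DER encoded X.509
	 * certificate). In this case, the possible CA certificates in the
	 * server certificate chain are ignored and only the server certificate
	 * is verified. This is configured with the following format:
	 * hash://server/sha256/cert_hash_in_hex
	 * For example: "hash://server/sha256/
	 * 5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
	 * Because the hash is taken over the specific certificate, the
	 * configured value has to be updated whenever the server certificate
	 * is renewed.
	 *
	 * On Windows, trusted CA certificates can be loaded from the system
	 * certificate store by setting this to cert_store://name, e.g.,
	 * ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
	 * Note that when running wpa_supplicant as an application, the user
	 * certificate store (My user account) is used, whereas computer store
	 * (Computer account) is used when running wpasvc as a service.
	 */
	u8 *ca_cert;

	/**
	 * ca_path - Directory path for CA certificate files (PEM)
	 *
	 * This path may contain multiple CA certificates in OpenSSL format.
	 * Common use for this is to point to system trusted CA list which is
	 * often installed into directory like /etc/ssl/certs. If configured,
	 * these certificates are added to the list of trusted CAs. ca_cert
	 * may also be included in that case, but it is not required.
	 */
	u8 *ca_path;

	/**
	 * client_cert - File path to client certificate file (PEM/DER)
	 *
	 * This field is used with EAP methods that use TLS authentication.
	 * Usually, this is only configured for EAP-TLS, even though this could
	 * in theory be used with EAP-TTLS and EAP-PEAP, too. Full path to the
	 * file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://blob_name.
	 */
	u8 *client_cert;

	/**
	 * private_key - File path to client private key file (PEM/DER/PFX)
	 *
	 * When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
	 * commented out. Both the private key and certificate will be read
	 * from the PKCS#12 file in this case. Full path to the file should be
	 * used since working directory may change when wpa_supplicant is run
	 * in the background.
	 *
	 * Windows certificate store can be used by leaving client_cert out and
	 * configuring private_key in one of the following formats:
	 *
	 * cert://substring_to_match
	 *
	 * hash://certificate_thumbprint_in_hex
	 *
	 * For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
	 *
	 * Note that when running wpa_supplicant as an application, the user
	 * certificate store (My user account) is used, whereas computer store
	 * (Computer account) is used when running wpasvc as a service.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://blob_name.
	 */
	u8 *private_key;

	/**
	 * private_key_passwd - Password for private key file
	 *
	 * If left out, this will be asked through control interface. Leaving
	 * it out keeps the secret out of the stored configuration.
	 */
	u8 *private_key_passwd;

	/**
	 * dh_file - File path to DH/DSA parameters file (in PEM format)
	 *
	 * This is an optional configuration file for setting parameters for an
	 * ephemeral DH key exchange. In most cases, the default RSA
	 * authentication does not use this configuration. However, it is
	 * possible to set up RSA to use ephemeral DH key exchange. In
	 * addition, ciphers with DSA keys always use ephemeral DH keys. This
	 * can be used to achieve forward secrecy. If the file is in DSA
	 * parameters format, it will be automatically converted into DH
	 * params. Full path to the file should be used since working directory
	 * may change when wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://blob_name.
	 */
	u8 *dh_file;

	/**
	 * subject_match - Constraint for server certificate subject
	 *
	 * This substring is matched against the subject of the authentication
	 * server certificate. If this string is set, the server certificate is
	 * only accepted if it contains this string in the subject. Because
	 * this is a substring test, any subject that merely contains the
	 * configured text also matches; include enough of the subject (e.g.,
	 * the complete CN component) to make the constraint unambiguous. The
	 * subject string is in following format:
	 *
	 * /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@n.example.com
	 */
	u8 *subject_match;

	/**
	 * altsubject_match - Constraint for server certificate alt. subject
	 *
	 * Semicolon separated string of entries to be matched against the
	 * alternative subject name of the authentication server certificate.
	 * If this string is set, the server certificate is only accepted if it
	 * contains one of the entries in an alternative subject name
	 * extension.
	 *
	 * altSubjectName string is in following format: TYPE:VALUE
	 *
	 * Example: EMAIL:server@example.com
	 * Example: DNS:server.example.com;DNS:server2.example.com
	 *
	 * Following types are supported: EMAIL, DNS, URI
	 */
	u8 *altsubject_match;

	/**
	 * ca_cert2 - File path to CA certificate file (PEM/DER) (Phase 2)
	 *
	 * This file can have one or more trusted CA certificates. If ca_cert2
	 * and ca_path2 are not included, server certificate will not be
	 * verified. This is insecure and a trusted CA certificate should
	 * always be configured. Full path to the file should be used since
	 * working directory may change when wpa_supplicant is run in the
	 * background.
	 *
	 * This field is like ca_cert, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://blob_name.
	 */
	u8 *ca_cert2;

	/**
	 * ca_path2 - Directory path for CA certificate files (PEM) (Phase 2)
	 *
	 * This path may contain multiple CA certificates in OpenSSL format.
	 * Common use for this is to point to system trusted CA list which is
	 * often installed into directory like /etc/ssl/certs. If configured,
	 * these certificates are added to the list of trusted CAs. ca_cert2
	 * may also be included in that case, but it is not required.
	 *
	 * This field is like ca_path, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 */
	u8 *ca_path2;

	/**
	 * client_cert2 - File path to client certificate file
	 *
	 * This field is like client_cert, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
	 * file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://blob_name.
	 */
	u8 *client_cert2;

	/**
	 * private_key2 - File path to client private key file
	 *
	 * This field is like private_key, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
	 * file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://blob_name.
	 */
	u8 *private_key2;

	/**
	 * private_key2_passwd - Password for private key file
	 *
	 * This field is like private_key_passwd, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 */
	u8 *private_key2_passwd;

	/**
	 * dh_file2 - File path to DH/DSA parameters file (in PEM format)
	 *
	 * This field is like dh_file, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
	 * file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://blob_name.
	 */
	u8 *dh_file2;

	/**
	 * subject_match2 - Constraint for server certificate subject
	 *
	 * This field is like subject_match, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 */
	u8 *subject_match2;

	/**
	 * altsubject_match2 - Constraint for server certificate alt. subject
	 *
	 * This field is like altsubject_match, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 */
	u8 *altsubject_match2;

	/**
	 * eap_methods - Allowed EAP methods
	 *
	 * (vendor=EAP_VENDOR_IETF,method=EAP_TYPE_NONE) terminated list of
	 * allowed EAP methods or %NULL if all methods are accepted.
	 */
	struct eap_method_type *eap_methods;

	/**
	 * phase1 - Phase 1 (outer authentication) parameters
	 *
	 * String with field-value pairs, e.g., "peapver=0" or
	 * "peapver=1 peaplabel=1".
	 *
	 * 'peapver' can be used to force which PEAP version (0 or 1) is used.
	 *
	 * 'peaplabel=1' can be used to force new label, "client PEAP
	 * encryption", to be used during key derivation when PEAPv1 or newer.
	 *
	 * Most existing PEAPv1 implementations seem to be using the old label,
	 * "client EAP encryption", and wpa_supplicant is now using that as the
	 * default value.
	 *
	 * Some servers, e.g., Radiator, may require peaplabel=1 configuration
	 * to interoperate with PEAPv1; see eap_testing.txt for more details.
	 *
	 * 'peap_outer_success=0' can be used to terminate PEAP authentication
	 * on tunneled EAP-Success. This is required with some RADIUS servers
	 * that implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
	 * Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode).
	 *
	 * include_tls_length=1 can be used to force wpa_supplicant to include
	 * TLS Message Length field in all TLS messages even if they are not
	 * fragmented.
	 *
	 * sim_min_num_chal=3 can be used to configure EAP-SIM to require three
	 * challenges (by default, it accepts 2 or 3).
	 *
	 * result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use
	 * protected result indication.
	 *
	 * fast_provisioning option can be used to enable in-line provisioning
	 * of EAP-FAST credentials (PAC):
	 * 0 = disabled,
	 * 1 = allow unauthenticated provisioning,
	 * 2 = allow authenticated provisioning,
	 * 3 = allow both unauthenticated and authenticated provisioning
	 *
	 * fast_max_pac_list_len=num option can be used to set the maximum
	 * number of PAC entries to store in a PAC list (default: 10).
	 *
	 * fast_pac_format=binary option can be used to select binary format
	 * for storing PAC entries in order to save some space (the default
	 * text format uses about 2.5 times the size of minimal binary format).
	 *
	 * crypto_binding option can be used to control PEAPv0 cryptobinding
	 * behavior:
	 * 0 = do not use cryptobinding (default)
	 * 1 = use cryptobinding if server supports it
	 * 2 = require cryptobinding
	 * Only value 2 makes the binding mandatory; with 1 the exchange still
	 * completes against a server that does not offer it.
	 *
	 * EAP-WSC (WPS) uses following options: pin=Device_Password and
	 * uuid=Device_UUID
	 */
	char *phase1;

	/**
	 * phase2 - Phase2 (inner authentication with TLS tunnel) parameters
	 *
	 * String with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
	 * "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS.
	 */
	char *phase2;

	/**
	 * pcsc - Parameters for PC/SC smartcard interface for USIM and GSM SIM
	 *
	 * This field is used to configure PC/SC smartcard interface.
	 * Currently, the only configuration is whether this field is %NULL (do
	 * not use PC/SC) or non-NULL (e.g., "") to enable PC/SC.
	 *
	 * This field is used for EAP-SIM and EAP-AKA.
	 */
	char *pcsc;

	/**
	 * pin - PIN for USIM, GSM SIM, and smartcards
	 *
	 * This field is used to configure PIN for SIM and smartcards for
	 * EAP-SIM and EAP-AKA. In addition, this is used with EAP-TLS if a
	 * smartcard is used for private key operations.
	 *
	 * If left out, this will be asked through control interface, which
	 * keeps the PIN out of the stored configuration.
	 */
	char *pin;

	/**
	 * engine - Enable OpenSSL engine (e.g., for smartcard access)
	 *
	 * This is used if private key operations for EAP-TLS are performed
	 * using a smartcard.
	 */
	int engine;

	/**
	 * engine_id - Engine ID for OpenSSL engine
	 *
	 * "opensc" to select OpenSC engine or "pkcs11" to select PKCS#11
	 * engine.
	 *
	 * This is used if private key operations for EAP-TLS are performed
	 * using a smartcard.
	 */
	char *engine_id;

	/**
	 * engine2 - Enable OpenSSL engine (e.g., for smartcard) (Phase 2)
	 *
	 * This is used if private key operations for EAP-TLS are performed
	 * using a smartcard.
	 *
	 * This field is like engine, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 */
	int engine2;


	/**
	 * pin2 - PIN for USIM, GSM SIM, and smartcards (Phase 2)
	 *
	 * This field is used to configure PIN for SIM and smartcards for
	 * EAP-SIM and EAP-AKA. In addition, this is used with EAP-TLS if a
	 * smartcard is used for private key operations.
	 *
	 * This field is like pin, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 *
	 * If left out, this will be asked through control interface.
	 */
	char *pin2;

	/**
	 * engine2_id - Engine ID for OpenSSL engine (Phase 2)
	 *
	 * "opensc" to select OpenSC engine or "pkcs11" to select PKCS#11
	 * engine.
	 *
	 * This is used if private key operations for EAP-TLS are performed
	 * using a smartcard.
	 *
	 * This field is like engine_id, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 */
	char *engine2_id;


	/**
	 * key_id - Key ID for OpenSSL engine
	 *
	 * This is used if private key operations for EAP-TLS are performed
	 * using a smartcard.
	 */
	char *key_id;

	/**
	 * cert_id - Cert ID for OpenSSL engine
	 *
	 * This is used if the certificate operations for EAP-TLS are performed
	 * using a smartcard.
	 */
	char *cert_id;

	/**
	 * ca_cert_id - CA Cert ID for OpenSSL engine
	 *
	 * This is used if the CA certificate for EAP-TLS is on a smartcard.
	 */
	char *ca_cert_id;

	/**
	 * key2_id - Key ID for OpenSSL engine (phase2)
	 *
	 * This is used if private key operations for EAP-TLS are performed
	 * using a smartcard.
	 */
	char *key2_id;

	/**
	 * cert2_id - Cert ID for OpenSSL engine (phase2)
	 *
	 * This is used if the certificate operations for EAP-TLS are performed
	 * using a smartcard.
	 */
	char *cert2_id;

	/**
	 * ca_cert2_id - CA Cert ID for OpenSSL engine (phase2)
	 *
	 * This is used if the CA certificate for EAP-TLS is on a smartcard.
	 */
	char *ca_cert2_id;

	/**
	 * otp - One-time-password
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when OTP is entered through the control interface.
	 */
	u8 *otp;

	/**
	 * otp_len - Length of the otp field
	 */
	size_t otp_len;

	/**
	 * pending_req_identity - Whether there is a pending identity request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	int pending_req_identity;

	/**
	 * pending_req_password - Whether there is a pending password request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	int pending_req_password;

	/**
	 * pending_req_pin - Whether there is a pending PIN request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	int pending_req_pin;

	/**
	 * pending_req_new_password - Pending password update request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	int pending_req_new_password;

	/**
	 * pending_req_passphrase - Pending passphrase request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	int pending_req_passphrase;

	/**
	 * pending_req_otp - Whether there is a pending OTP request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	char *pending_req_otp;

	/**
	 * pending_req_otp_len - Length of the pending OTP request
	 */
	size_t pending_req_otp_len;

	/**
	 * pac_file - File path or blob name for the PAC entries (EAP-FAST)
	 *
	 * wpa_supplicant will need to be able to create this file and write
	 * updates to it when PAC is being provisioned or refreshed. Full path
	 * to the file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://blob_name.
	 */
	char *pac_file;

	/**
	 * mschapv2_retry - MSCHAPv2 retry in progress
	 *
	 * This field is used internally by EAP-MSCHAPv2 and should not be set
	 * as part of configuration.
	 */
	int mschapv2_retry;

	/**
	 * new_password - New password for password update
	 *
	 * This field is used during MSCHAPv2 password update. This is normally
	 * requested from the user through the control interface and not set
	 * from configuration.
	 */
	u8 *new_password;

	/**
	 * new_password_len - Length of new_password field
	 */
	size_t new_password_len;

	/**
	 * fragment_size - Maximum EAP fragment size in bytes (default 1398)
	 *
	 * This value limits the fragment size for EAP methods that support
	 * fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
	 * small enough to make the EAP messages fit in MTU of the network
	 * interface used for EAPOL. The default value is suitable for most
	 * cases.
	 */
	int fragment_size;

#define EAP_CONFIG_FLAGS_PASSWORD_NTHASH BIT(0)
#define EAP_CONFIG_FLAGS_EXT_PASSWORD BIT(1)
	/**
	 * flags - Network configuration flags (bitfield)
	 *
	 * This variable is used for internal flags to describe further details
	 * for the network parameters.
	 * bit 0 = password is represented as a 16-byte NtPasswordHash value
	 *	instead of plaintext password
	 * bit 1 = password is stored in external storage; the value in the
	 *	password field is the name of that external entry
	 */
	u32 flags;
};


/**
 * struct wpa_config_blob - Named configuration blob
 *
 * This data structure is used to provide storage for binary objects to store
 * abstract information like certificates and private keys inlined with the
 * configuration data. Blobs are referenced from the fields above with the
 * blob://blob_name syntax and form a singly linked list via next.
 */
struct wpa_config_blob {
	/**
	 * name - Blob name
	 */
	char *name;

	/**
	 * data - Pointer to binary data
	 */
	u8 *data;

	/**
	 * len - Length of binary data
	 */
	size_t len;

	/**
	 * next - Pointer to next blob in the configuration
	 */
	struct wpa_config_blob *next;
};

#endif /* EAP_CONFIG_H */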