/*
 * EAP peer configuration data
 * Copyright (c) 2003-2008, Jouni Malinen <j@w1.fi>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 * Alternatively, this software may be distributed under the terms of BSD
 * license.
 *
 * See README and COPYING for more details.
 */

#ifndef EAP_CONFIG_H
#define EAP_CONFIG_H

/**
 * struct eap_peer_config - EAP peer configuration/credentials
 *
 * Per-network EAP settings and the credentials that go with them. Several
 * fields (password, private_key_passwd, pin, otp, new_password, ...) hold
 * secret material; the code that frees this structure lives elsewhere and
 * should clear those buffers before releasing them (review note: confirm in
 * the config free path).
 *
 * Fields documented as "used internally" are runtime state driven by the
 * control interface and must not be set from the configuration file.
 */
struct eap_peer_config {
	/**
	 * identity - EAP Identity
	 *
	 * This field is used to set the real user identity or NAI (for
	 * EAP-PSK/PAX/SAKE/GPSK).
	 *
	 * When anonymous_identity is not set, this value is also what is sent
	 * in the unprotected (outer) identity exchange and is therefore
	 * visible to anyone on the path; see anonymous_identity.
	 */
	u8 *identity;

	/**
	 * identity_len - EAP Identity length
	 */
	size_t identity_len;

	/**
	 * anonymous_identity - Anonymous EAP Identity
	 *
	 * This field is used for unencrypted use with EAP types that support
	 * different tunnelled identity, e.g., EAP-TTLS, in order to reveal the
	 * real identity (identity field) only to the authentication server.
	 * The outer identity is not protected by the TLS tunnel, so it should
	 * not contain the real username (typically only the realm part, e.g.,
	 * "anonymous@example.com", is needed for routing).
	 *
	 * If not set, the identity field will be used for both unencrypted and
	 * protected fields.
	 */
	u8 *anonymous_identity;

	/**
	 * anonymous_identity_len - Length of anonymous_identity
	 */
	size_t anonymous_identity_len;

	/**
	 * password - Password string for EAP
	 *
	 * This field can include either the plaintext password (default
	 * option) or a NtPasswordHash (16-byte MD4 hash of the unicode
	 * presentation of the password) if flags field has
	 * EAP_CONFIG_FLAGS_PASSWORD_NTHASH bit set to 1. NtPasswordHash can
	 * only be used with authentication mechanism that use this hash as the
	 * starting point for operation: MSCHAP and MSCHAPv2 (EAP-MSCHAPv2,
	 * EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP).
	 *
	 * Because those mechanisms start from the hash, the NtPasswordHash is
	 * password-equivalent for them: whoever obtains it can authenticate
	 * without knowing the plaintext. Storing the hash instead of the
	 * plaintext does not reduce the need to protect the configuration.
	 *
	 * In addition, this field is used to configure a pre-shared key for
	 * EAP-PSK/PAX/SAKE/GPSK. The length of the PSK must be 16 for EAP-PSK
	 * and EAP-PAX and 32 for EAP-SAKE. EAP-GPSK can use a variable length
	 * PSK.
	 *
	 * This is secret material (binary, not necessarily NUL-terminated;
	 * see password_len).
	 */
	u8 *password;

	/**
	 * password_len - Length of password field
	 */
	size_t password_len;

	/**
	 * ca_cert - File path to CA certificate file (PEM/DER)
	 *
	 * This file can have one or more trusted CA certificates. If ca_cert
	 * and ca_path are not included, server certificate will not be
	 * verified. This is insecure and a trusted CA certificate should
	 * always be configured when using EAP-TLS/TTLS/PEAP: without it, any
	 * party that presents a certificate can terminate the TLS tunnel, and
	 * whatever the inner method then sends (e.g., the password field for
	 * TTLS/PEAP with MSCHAPv2) is disclosed to that party. Full path to
	 * the file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 *
	 * A CA certificate alone only proves that the server certificate was
	 * issued by that CA; combine it with subject_match or altsubject_match
	 * to restrict which server is accepted, in particular if ca_path
	 * points at a general-purpose system CA list.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://blob_name.
	 *
	 * Alternatively, this can be used to only perform matching of the
	 * server certificate (SHA-256 hash of the DER encoded X.509
	 * certificate). In this case, the possible CA certificates in the
	 * server certificate chain are ignored and only the server certificate
	 * is verified. This is configured with the following format:
	 * hash://server/sha256/cert_hash_in_hex
	 * For example: "hash://server/sha256/
	 * 5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
	 * Note that this pins the exact certificate: when the server
	 * certificate is renewed the configured hash has to be updated, or
	 * authentication will fail.
	 *
	 * On Windows, trusted CA certificates can be loaded from the system
	 * certificate store by setting this to cert_store://name, e.g.,
	 * ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
	 * Note that when running wpa_supplicant as an application, the user
	 * certificate store (My user account) is used, whereas computer store
	 * (Computer account) is used when running wpasvc as a service.
	 */
	u8 *ca_cert;

	/**
	 * ca_path - Directory path for CA certificate files (PEM)
	 *
	 * This path may contain multiple CA certificates in OpenSSL format.
	 * Common use for this is to point to system trusted CA list which is
	 * often installed into directory like /etc/ssl/certs. If configured,
	 * these certificates are added to the list of trusted CAs. ca_cert
	 * may also be included in that case, but it is not required.
	 *
	 * Trusting a large system CA list means any certificate issued by any
	 * of those CAs is accepted as the authentication server; use
	 * subject_match/altsubject_match to narrow this down.
	 */
	u8 *ca_path;

	/**
	 * client_cert - File path to client certificate file (PEM/DER)
	 *
	 * This field is used with EAP method that use TLS authentication.
	 * Usually, this is only configured for EAP-TLS, even though this could
	 * in theory be used with EAP-TTLS and EAP-PEAP, too. Full path to the
	 * file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://blob_name.
	 */
	u8 *client_cert;

	/**
	 * private_key - File path to client private key file (PEM/DER/PFX)
	 *
	 * When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
	 * commented out. Both the private key and certificate will be read
	 * from the PKCS#12 file in this case. Full path to the file should be
	 * used since working directory may change when wpa_supplicant is run
	 * in the background.
	 *
	 * Windows certificate store can be used by leaving client_cert out and
	 * configuring private_key in one of the following formats:
	 *
	 * cert://substring_to_match
	 *
	 * hash://certificate_thumbprint_in_hex
	 *
	 * For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
	 *
	 * Note that when running wpa_supplicant as an application, the user
	 * certificate store (My user account) is used, whereas computer store
	 * (Computer account) is used when running wpasvc as a service.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://blob_name.
	 *
	 * The referenced file (or blob) holds the client's private key and
	 * must be protected accordingly (file permissions, encrypted with
	 * private_key_passwd, or kept on a smartcard via engine/key_id).
	 */
	u8 *private_key;

	/**
	 * private_key_passwd - Password for private key file
	 *
	 * If left out, this will be asked through control interface. Secret
	 * material.
	 */
	u8 *private_key_passwd;

	/**
	 * dh_file - File path to DH/DSA parameters file (in PEM format)
	 *
	 * This is an optional configuration file for setting parameters for an
	 * ephemeral DH key exchange. In most cases, the default RSA
	 * authentication does not use this configuration. However, it is
	 * possible setup RSA to use ephemeral DH key exchange. In addition,
	 * ciphers with DSA keys always use ephemeral DH keys. This can be used
	 * to achieve forward secrecy. If the file is in DSA parameters format,
	 * it will be automatically converted into DH params. Full path to the
	 * file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://blob_name.
	 */
	u8 *dh_file;

	/**
	 * subject_match - Constraint for server certificate subject
	 *
	 * This substring is matched against the subject of the authentication
	 * server certificate. If this string is set, the server certificate is
	 * only accepted if it contains this string in the subject. The subject
	 * string is in following format:
	 *
	 * /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@n.example.com
	 *
	 * Since this is a substring match, choose a string specific enough
	 * that it cannot also appear in another certificate issued by the same
	 * CA (e.g., "/CN=Test AS/" rather than "Test").
	 */
	u8 *subject_match;

	/**
	 * altsubject_match - Constraint for server certificate alt. subject
	 *
	 * Semicolon separated string of entries to be matched against the
	 * alternative subject name of the authentication server certificate.
	 * If this string is set, the server certificate is only accepted if it
	 * contains one of the entries in an alternative subject name
	 * extension.
	 *
	 * altSubjectName string is in following format: TYPE:VALUE
	 *
	 * Example: EMAIL:server@example.com
	 * Example: DNS:server.example.com;DNS:server2.example.com
	 *
	 * Following types are supported: EMAIL, DNS, URI
	 */
	u8 *altsubject_match;

	/**
	 * ca_cert2 - File path to CA certificate file (PEM/DER) (Phase 2)
	 *
	 * This file can have one or more trusted CA certificates. If ca_cert2
	 * and ca_path2 are not included, server certificate will not be
	 * verified. This is insecure and a trusted CA certificate should
	 * always be configured. Full path to the file should be used since
	 * working directory may change when wpa_supplicant is run in the
	 * background.
	 *
	 * This field is like ca_cert, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://blob_name.
	 */
	u8 *ca_cert2;

	/**
	 * ca_path2 - Directory path for CA certificate files (PEM) (Phase 2)
	 *
	 * This path may contain multiple CA certificates in OpenSSL format.
	 * Common use for this is to point to system trusted CA list which is
	 * often installed into directory like /etc/ssl/certs. If configured,
	 * these certificates are added to the list of trusted CAs. ca_cert2
	 * may also be included in that case, but it is not required.
	 *
	 * This field is like ca_path, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 */
	u8 *ca_path2;

	/**
	 * client_cert2 - File path to client certificate file
	 *
	 * This field is like client_cert, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
	 * file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://blob_name.
	 */
	u8 *client_cert2;

	/**
	 * private_key2 - File path to client private key file
	 *
	 * This field is like private_key, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
	 * file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://blob_name.
	 */
	u8 *private_key2;

	/**
	 * private_key2_passwd - Password for private key file
	 *
	 * This field is like private_key_passwd, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication. Secret material.
	 */
	u8 *private_key2_passwd;

	/**
	 * dh_file2 - File path to DH/DSA parameters file (in PEM format)
	 *
	 * This field is like dh_file, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
	 * file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://blob_name.
	 */
	u8 *dh_file2;

	/**
	 * subject_match2 - Constraint for server certificate subject
	 *
	 * This field is like subject_match, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 */
	u8 *subject_match2;

	/**
	 * altsubject_match2 - Constraint for server certificate alt. subject
	 *
	 * This field is like altsubject_match, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 */
	u8 *altsubject_match2;

	/**
	 * eap_methods - Allowed EAP methods
	 *
	 * (vendor=EAP_VENDOR_IETF,method=EAP_TYPE_NONE) terminated list of
	 * allowed EAP methods or %NULL if all methods are accepted.
	 *
	 * Leaving this as %NULL lets the server pick any method the peer
	 * supports; restricting the list prevents a rogue server from
	 * negotiating a weaker method than the one the network is meant to
	 * use.
	 */
	struct eap_method_type *eap_methods;

	/**
	 * phase1 - Phase 1 (outer authentication) parameters
	 *
	 * String with field-value pairs, e.g., "peapver=0" or
	 * "peapver=1 peaplabel=1".
	 *
	 * 'peapver' can be used to force which PEAP version (0 or 1) is used.
	 *
	 * 'peaplabel=1' can be used to force new label, "client PEAP
	 * encryption", to be used during key derivation when PEAPv1 or newer.
	 *
	 * Most existing PEAPv1 implementation seem to be using the old label,
	 * "client EAP encryption", and wpa_supplicant is now using that as the
	 * default value.
	 *
	 * Some servers, e.g., Radiator, may require peaplabel=1 configuration
	 * to interoperate with PEAPv1; see eap_testing.txt for more details.
	 *
	 * 'peap_outer_success=0' can be used to terminate PEAP authentication
	 * on tunneled EAP-Success. This is required with some RADIUS servers
	 * that implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
	 * Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode).
	 *
	 * include_tls_length=1 can be used to force wpa_supplicant to include
	 * TLS Message Length field in all TLS messages even if they are not
	 * fragmented.
	 *
	 * sim_min_num_chal=3 can be used to configure EAP-SIM to require three
	 * challenges (by default, it accepts 2 or 3).
	 *
	 * result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use
	 * protected result indication.
	 *
	 * fast_provisioning option can be used to enable in-line provisioning
	 * of EAP-FAST credentials (PAC):
	 * 0 = disabled,
	 * 1 = allow unauthenticated provisioning,
	 * 2 = allow authenticated provisioning,
	 * 3 = allow both unauthenticated and authenticated provisioning
	 * Modes 1 and 3 accept a PAC from a server that has not been
	 * authenticated, so an attacker in the path can hand out a PAC of its
	 * own; prefer 2 (provisioning under server certificate validation)
	 * unless the deployment explicitly relies on unauthenticated mode.
	 *
	 * fast_max_pac_list_len=num option can be used to set the maximum
	 * number of PAC entries to store in a PAC list (default: 10).
	 *
	 * fast_pac_format=binary option can be used to select binary format
	 * for storing PAC entries in order to save some space (the default
	 * text format uses about 2.5 times the size of minimal binary format).
	 *
	 * crypto_binding option can be used to control PEAPv0 cryptobinding
	 * behavior:
	 * 0 = do not use cryptobinding (default)
	 * 1 = use cryptobinding if server supports it
	 * 2 = require cryptobinding
	 * Cryptobinding ties the inner method to the TLS tunnel; only 2
	 * actually enforces it, since with 1 a server (or an intermediary)
	 * that does not offer it is still accepted.
	 *
	 * EAP-WSC (WPS) uses following options: pin=Device_Password and
	 * uuid=Device_UUID
	 */
	char *phase1;

	/**
	 * phase2 - Phase2 (inner authentication with TLS tunnel) parameters
	 *
	 * String with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
	 * "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS.
	 */
	char *phase2;

	/**
	 * pcsc - Parameters for PC/SC smartcard interface for USIM and GSM SIM
	 *
	 * This field is used to configure PC/SC smartcard interface.
	 * Currently, the only configuration is whether this field is %NULL (do
	 * not use PC/SC) or non-NULL (e.g., "") to enable PC/SC.
	 *
	 * This field is used for EAP-SIM and EAP-AKA.
	 */
	char *pcsc;

	/**
	 * pin - PIN for USIM, GSM SIM, and smartcards
	 *
	 * This field is used to configure PIN for SIM and smartcards for
	 * EAP-SIM and EAP-AKA. In addition, this is used with EAP-TLS if a
	 * smartcard is used for private key operations.
	 *
	 * If left out, this will be asked through control interface. Secret
	 * material; a wrong PIN entered repeatedly may lock the card.
	 */
	char *pin;

	/**
	 * engine - Enable OpenSSL engine (e.g., for smartcard access)
	 *
	 * This is used if private key operations for EAP-TLS are performed
	 * using a smartcard.
	 */
	int engine;

	/**
	 * engine_id - Engine ID for OpenSSL engine
	 *
	 * "opensc" to select OpenSC engine or "pkcs11" to select PKCS#11
	 * engine.
	 *
	 * This is used if private key operations for EAP-TLS are performed
	 * using a smartcard.
	 */
	char *engine_id;

	/**
	 * engine2 - Enable OpenSSL engine (e.g., for smartcard) (Phase 2)
	 *
	 * This is used if private key operations for EAP-TLS are performed
	 * using a smartcard.
	 *
	 * This field is like engine, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 */
	int engine2;


	/**
	 * pin2 - PIN for USIM, GSM SIM, and smartcards (Phase 2)
	 *
	 * This field is used to configure PIN for SIM and smartcards for
	 * EAP-SIM and EAP-AKA. In addition, this is used with EAP-TLS if a
	 * smartcard is used for private key operations.
	 *
	 * This field is like pin, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 *
	 * If left out, this will be asked through control interface. Secret
	 * material.
	 */
	char *pin2;

	/**
	 * engine2_id - Engine ID for OpenSSL engine (Phase 2)
	 *
	 * "opensc" to select OpenSC engine or "pkcs11" to select PKCS#11
	 * engine.
	 *
	 * This is used if private key operations for EAP-TLS are performed
	 * using a smartcard.
	 *
	 * This field is like engine_id, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 */
	char *engine2_id;


	/**
	 * key_id - Key ID for OpenSSL engine
	 *
	 * This is used if private key operations for EAP-TLS are performed
	 * using a smartcard.
	 */
	char *key_id;

	/**
	 * cert_id - Cert ID for OpenSSL engine
	 *
	 * This is used if the certificate operations for EAP-TLS are performed
	 * using a smartcard.
	 */
	char *cert_id;

	/**
	 * ca_cert_id - CA Cert ID for OpenSSL engine
	 *
	 * This is used if the CA certificate for EAP-TLS is on a smartcard.
	 */
	char *ca_cert_id;

	/**
	 * key2_id - Key ID for OpenSSL engine (phase2)
	 *
	 * This is used if private key operations for EAP-TLS are performed
	 * using a smartcard.
	 */
	char *key2_id;

	/**
	 * cert2_id - Cert ID for OpenSSL engine (phase2)
	 *
	 * This is used if the certificate operations for EAP-TLS are performed
	 * using a smartcard.
	 */
	char *cert2_id;

	/**
	 * ca_cert2_id - CA Cert ID for OpenSSL engine (phase2)
	 *
	 * This is used if the CA certificate for EAP-TLS is on a smartcard.
	 */
	char *ca_cert2_id;

	/**
	 * otp - One-time-password
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when OTP is entered through the control interface.
	 * Secret material (binary; see otp_len).
	 */
	u8 *otp;

	/**
	 * otp_len - Length of the otp field
	 */
	size_t otp_len;

	/**
	 * pending_req_identity - Whether there is a pending identity request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	int pending_req_identity;

	/**
	 * pending_req_password - Whether there is a pending password request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	int pending_req_password;

	/**
	 * pending_req_pin - Whether there is a pending PIN request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	int pending_req_pin;

	/**
	 * pending_req_new_password - Pending password update request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	int pending_req_new_password;

	/**
	 * pending_req_passphrase - Pending passphrase request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	int pending_req_passphrase;

	/**
	 * pending_req_otp - Pending OTP request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 *
	 * Unlike the other pending_req_* flags this is a buffer with its own
	 * length (pending_req_otp_len), so it presumably carries the OTP
	 * challenge text rather than a boolean -- NOTE(review): confirm
	 * against the users of this field.
	 */
	char *pending_req_otp;

	/**
	 * pending_req_otp_len - Length of the pending OTP request
	 */
	size_t pending_req_otp_len;

	/**
	 * pac_file - File path or blob name for the PAC entries (EAP-FAST)
	 *
	 * wpa_supplicant will need to be able to create this file and write
	 * updates to it when PAC is being provisioned or refreshed. Full path
	 * to the file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://blob_name.
	 *
	 * PAC entries are EAP-FAST credentials (see fast_provisioning in
	 * phase1); the file should be readable and writable only by the
	 * wpa_supplicant user.
	 */
	char *pac_file;

	/**
	 * mschapv2_retry - MSCHAPv2 retry in progress
	 *
	 * This field is used internally by EAP-MSCHAPv2 and should not be set
	 * as part of configuration.
	 */
	int mschapv2_retry;

	/**
	 * new_password - New password for password update
	 *
	 * This field is used during MSCHAPv2 password update. This is normally
	 * requested from the user through the control interface and not set
	 * from configuration. Secret material (binary; see new_password_len).
	 */
	u8 *new_password;

	/**
	 * new_password_len - Length of new_password field
	 */
	size_t new_password_len;

	/**
	 * fragment_size - Maximum EAP fragment size in bytes (default 1398)
	 *
	 * This value limits the fragment size for EAP methods that support
	 * fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
	 * small enough to make the EAP messages fit in MTU of the network
	 * interface used for EAPOL. The default value is suitable for most
	 * cases.
	 */
	int fragment_size;

/* Bit 0 of flags: password holds a 16-byte NtPasswordHash, not plaintext. */
#define EAP_CONFIG_FLAGS_PASSWORD_NTHASH BIT(0)
	/**
	 * flags - Network configuration flags (bitfield)
	 *
	 * This variable is used for internal flags to describe further details
	 * for the network parameters.
	 * bit 0 (EAP_CONFIG_FLAGS_PASSWORD_NTHASH) = password is represented
	 * as a 16-byte NtPasswordHash value instead of plaintext password;
	 * see the password field for which methods accept this.
	 */
	u32 flags;
};


/**
 * struct wpa_config_blob - Named configuration blob
 *
 * This data structure is used to provide storage for binary objects to store
 * abstract information like certificates and private keys inlined with the
 * configuration data. A blob is referenced from the fields above with the
 * blob://name syntax. Since a blob may hold a private key or a PAC, the
 * configuration it is inlined in needs the same protection as a key file.
 */
struct wpa_config_blob {
	/**
	 * name - Blob name
	 *
	 * The part after "blob://" in the referencing field.
	 */
	char *name;

	/**
	 * data - Pointer to binary data
	 */
	u8 *data;

	/**
	 * len - Length of binary data
	 */
	size_t len;

	/**
	 * next - Pointer to next blob in the configuration
	 *
	 * Singly linked list; %NULL terminates it.
	 */
	struct wpa_config_blob *next;
};

#endif /* EAP_CONFIG_H */