/*
 * Copyright (c) 2002-2014 Apple Inc. All rights reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

#ifndef _EAP8021X_EAPCLIENTPROPERTIES_H
#define _EAP8021X_EAPCLIENTPROPERTIES_H

#include <CoreFoundation/CFString.h>
#include <TargetConditionals.h>

/*
 * EAPClientProperties.h
 *
 * Dictionary keys (CFString constants) used to configure an EAP client and
 * for the client to publish information about a completed authentication.
 * This header only defines the key names and documents the expected value
 * types; the code that reads and enforces these properties lives elsewhere.
 *
 * Several keys below directly control how strictly the server side of a
 * TLS-based EAP exchange is validated (the kEAPClientPropTLS* keys).
 * Reviewers of a configuration should pay particular attention to those,
 * since loosening them weakens the protection the tunnel gives to the
 * inner credential.
 */

/*
 * The type of the value corresponding to each of the following keys is
 * CFString unless otherwise noted
 */

/*
 * kEAPClientProp*
 * - properties used to configure the EAPClient, and for the client to report
 *   its configuration needs
 * Note: default values shown in parenthesis (when applicable)
 */

/**
 ** Properties applicable to most protocols
 **/
/*
 * kEAPClientPropUserName
 * kEAPClientPropUserPassword
 * kEAPClientPropUserPasswordKeychainItemID
 * - kEAPClientPropUserPassword carries the password value inside the
 *   configuration dictionary itself; kEAPClientPropUserPasswordKeychainItemID
 *   instead identifies a keychain item holding it
 * - NOTE(review): how the client resolves the keychain item ID, and whether
 *   the in-dictionary password is ever persisted by the caller, is not
 *   visible in this header -- confirm in the consuming code before treating
 *   either form as equivalent from a secret-handling standpoint
 */
#define kEAPClientPropUserName			CFSTR("UserName")
#define kEAPClientPropUserPassword		CFSTR("UserPassword")
#define kEAPClientPropUserPasswordKeychainItemID CFSTR("UserPasswordKeychainItemID")
#define kEAPClientPropOneTimeUserPassword	CFSTR("OneTimeUserPassword") /* boolean (false) */
#define kEAPClientPropAcceptEAPTypes		CFSTR("AcceptEAPTypes") /* array[integer] */
#define kEAPClientPropInnerAcceptEAPTypes	CFSTR("InnerAcceptEAPTypes") /* array[integer] */

/**
 ** Properties for TLS-based authentication (EAP-TLS, EAP-TTLS, PEAP, EAP-FAST)
 **/

/*
 * kEAPClientPropTLSCertificateIsRequired
 * - TLS-based authentication protocol requires a certificate to authenticate
 * - the default value is TRUE for EAP-TLS, FALSE otherwise
 * - allows for two-factor authentication (certificate + name/password)
 *   when set to TRUE for EAP-TTLS, PEAP, EAP-FAST
 * - allows for zero-factor authentication when set to FALSE for EAP-TLS
 *   (i.e. the client presents no credential of its own for EAP-TLS; a
 *   configuration doing this deliberately should document why)
 */
#define kEAPClientPropTLSCertificateIsRequired \
    CFSTR("TLSCertificateIsRequired") /* boolean */
/*
 * kEAPClientPropTLSTrustedCertificates
 * - which certificates we should trust for this authentication session
 * - may contain root, leaf, or intermediate certificates
 */
#define kEAPClientPropTLSTrustedCertificates \
    CFSTR("TLSTrustedCertificates") /* array[data] */

/*
 * kEAPClientPropTLSTrustedServerNames
 * - which server names we should trust for this authentication session
 * - together with kEAPClientPropTLSTrustedCertificates this is the explicit
 *   trust configuration; per the deprecated-property notes at the end of
 *   this header, when trust is explicitly configured user trust exceptions
 *   / trust decisions are not allowed, so these two keys are the way to
 *   pin a configuration to a known authentication server
 */
#define kEAPClientPropTLSTrustedServerNames \
    CFSTR("TLSTrustedServerNames") /* array[string] */

/*
 * kEAPClientPropProfileID
 * - the profile identifier of the configuration, if the configuration came
 *   from an EAPOLClientProfileRef
 */
#define kEAPClientPropProfileID	CFSTR("ProfileID") /* string */

#if TARGET_OS_EMBEDDED
/*
 * kEAPClientPropTLSSaveTrustExceptions
 * - tells the client to save trust exceptions for the current server
 *   certificate chain, kEAPClientPropTLSUserTrustProceedCertificateChain
 * - NOTE(review): a saved exception presumably makes the same chain
 *   acceptable in later sessions without re-prompting; where this is set
 *   the scope of the exception (see the *TrustExceptionsDomain* keys below)
 *   determines how far that acceptance carries -- confirm in the client
 */
#define kEAPClientPropTLSSaveTrustExceptions \
    CFSTR("TLSSaveTrustExceptions") /* boolean (false) */

/*
 * kEAPClientPropTLSTrustExceptionsDomain
 * kEAPClientPropTLSTrustExceptionsID
 * - properties used to locate the appropriate trust exception for the
 *   current authentication session
 */
#define kEAPClientPropTLSTrustExceptionsDomain \
    CFSTR("TLSTrustExceptionsDomain")
#define kEAPClientPropTLSTrustExceptionsID \
    CFSTR("TLSTrustExceptionsID")

/*
 * kEAPTLSTrustExceptionsDomain*
 *
 * Values for the kEAPClientPropTLSTrustExceptionsDomain property
 *
 * kEAPTLSTrustExceptionsDomainWirelessSSID
 * - used when the desired trust domain is the wireless SSID to which we
 *   are authenticating
 *
 * kEAPTLSTrustExceptionsDomainProfileID
 * - used when the desired trust domain is the UUID of the configuration profile
 *
 * kEAPTLSTrustExceptionsDomainNetworkInterfaceName
 * - used when the desired trust domain is the unique network interface name
 */
#define kEAPTLSTrustExceptionsDomainWirelessSSID \
    CFSTR("WirelessSSID")
#define kEAPTLSTrustExceptionsDomainProfileID \
    CFSTR("ProfileID")
#define kEAPTLSTrustExceptionsDomainNetworkInterfaceName \
    CFSTR("NetworkInterfaceName")
#else /* TARGET_OS_EMBEDDED */

/*
 * kEAPClientPropSaveCredentialsOnSuccessfulAuthentication
 * - when set to TRUE and the authentication is successful,
 *   the credentials/identity preference are saved in the keychain
 */
#define kEAPClientPropSaveCredentialsOnSuccessfulAuthentication \
    CFSTR("SaveCredentialsOnSuccessfulAuthentication")

#endif /* TARGET_OS_EMBEDDED */

/*
 * kEAPClientPropTLSVerifyServerCertificate
 * - boolean, defaults to true
 * - NOTE(review): a false value presumably disables verification of the
 *   server's certificate chain, which removes the main guarantee that the
 *   inner credential is being sent to the intended authentication server;
 *   treat any configuration that sets this to false as something to justify
 *   explicitly -- confirm the exact effect against the client implementation
 *
 * kEAPClientPropTLSEnableSessionResumption
 * - boolean, defaults to true
 *
 * kEAPClientPropTLSUserTrustProceedCertificateChain
 * - the server certificate chain the user has chosen to proceed with
 *   (array of certificate data)
 */
#define kEAPClientPropTLSVerifyServerCertificate \
    CFSTR("TLSVerifyServerCertificate") /* boolean (true) */
#define kEAPClientPropTLSEnableSessionResumption \
    CFSTR("TLSEnableSessionResumption") /* boolean (true) */
#define kEAPClientPropTLSUserTrustProceedCertificateChain \
    CFSTR("TLSUserTrustProceedCertificateChain") /* array[data] */

/*
 * kEAPClientPropSystemModeUseOpenDirectoryCredentials
 * - when true, tells the EAP client to use OpenDirectory machine credentials
 *   when running in System mode
 * - supersedes kEAPClientPropSystemModeCredentialsSource
 */
#define kEAPClientPropSystemModeUseOpenDirectoryCredentials \
    CFSTR("SystemModeUseOpenDirectoryCredentials") /* boolean (false) */

/*
 * kEAPClientPropSystemModeOpenDirectoryNodeName
 * - if kEAPClientPropSystemModeUseOpenDirectoryCredentials is true,
 *   tells the EAP client to specify a particular node name to retrieve
 *   OpenDirectory machine credentials
 */
#define kEAPClientPropSystemModeOpenDirectoryNodeName \
    CFSTR("SystemModeOpenDirectoryNodeName")
/*
 * kEAPClientPropSystemModeCredentialsSource
 * - tells the EAP client to use an alternate source for credentials when
 *   running in System mode
 * - when set to kEAPClientCredentialsSourceActiveDirectory, the EAP client
 *   will attempt to use the machine name/password used by Active Directory;
 *   if those credentials are missing, the authentication will fail
 * - superseded by kEAPClientPropSystemModeUseOpenDirectoryCredentials
 */
#define kEAPClientPropSystemModeCredentialsSource	CFSTR("SystemModeCredentialsSource")
#define kEAPClientCredentialsSourceActiveDirectory	CFSTR("ActiveDirectory")

/**
 ** Properties for TTLS
 **/
/*
 * kEAPClientPropTTLSInnerAuthentication
 * - selects the method run inside the TTLS tunnel; the values below are the
 *   accepted settings
 * - NOTE(review): the inner methods (PAP in particular) rely entirely on the
 *   outer TLS tunnel for confidentiality of the password material, so the
 *   kEAPClientPropTLS* trust settings above are what protect the credential;
 *   this header does not show any additional inner-method safeguards
 */
#define kEAPClientPropTTLSInnerAuthentication	CFSTR("TTLSInnerAuthentication")
#define kEAPTTLSInnerAuthenticationPAP		CFSTR("PAP")
#define kEAPTTLSInnerAuthenticationCHAP		CFSTR("CHAP")
#define kEAPTTLSInnerAuthenticationMSCHAP	CFSTR("MSCHAP")
#define kEAPTTLSInnerAuthenticationMSCHAPv2	CFSTR("MSCHAPv2")
#define kEAPTTLSInnerAuthenticationEAP		CFSTR("EAP")

#define kEAPClientPropNewPassword		CFSTR("NewPassword")
/*
 * for TTLS, PEAP, EAP-FAST:
 * kEAPClientPropOuterIdentity
 * - the identity presented in the outer (pre-tunnel) exchange; as with EAP
 *   generally this value is presumably visible on the wire, so it is usually
 *   kept distinct from the real user name -- behaviour not shown here
 */
#define kEAPClientPropOuterIdentity		CFSTR("OuterIdentity")

/* for TLS: */
#define kEAPClientPropTLSIdentityHandle		CFSTR("TLSIdentityHandle") /* EAPSecIdentityHandle */

/*
 * for EAP-FAST
 * - NOTE(review): kEAPClientPropEAPFASTProvisionPACAnonymously presumably
 *   allows PAC provisioning without authenticating the server during the
 *   provisioning phase; configurations enabling it should be reviewed the
 *   same way as a relaxed kEAPClientPropTLSVerifyServerCertificate -- confirm
 *   against the implementation
 */
#define kEAPClientPropEAPFASTUsePAC		CFSTR("EAPFASTUsePAC") /* boolean (false) */
#define kEAPClientPropEAPFASTProvisionPAC	CFSTR("EAPFASTProvisionPAC") /* boolean (false) */
#define kEAPClientPropEAPFASTProvisionPACAnonymously CFSTR("EAPFASTProvisionPACAnonymously") /* boolean (false) */


/*
 * for EAP-MSCHAPv2
 *
 * Note: these are only used as an internal communication mechanism between the
 * outer authentication and EAP-MSCHAPv2.  They are not intended to be set by
 * external configuration producers.
 */
#define kEAPClientPropEAPMSCHAPv2ServerChallenge CFSTR("EAPMSCHAPv2ServerChallenge") /* data */
#define kEAPClientPropEAPMSCHAPv2ClientChallenge CFSTR("EAPMSCHAPv2ClientChallenge") /* data */

/*
 * Properties supplied by the client as published/additional properties
 * - these are outputs describing the authentication that took place
 *   (inner type, the server chain that was seen, whether the session was
 *   resumed, the negotiated cipher); they are useful inputs for logging
 *   and for verifying that the expected server and cipher were used
 */
#define kEAPClientInnerEAPType		CFSTR("InnerEAPType") /* integer (EAPType) */
#define kEAPClientInnerEAPTypeName	CFSTR("InnerEAPTypeName")
#define kEAPClientPropTLSServerCertificateChain \
    CFSTR("TLSServerCertificateChain") /* array[data] */
#define kEAPClientPropTLSTrustClientStatus	CFSTR("TLSTrustClientStatus") /* integer (EAPClientStatus) */
#define kEAPClientPropTLSSessionWasResumed \
    CFSTR("TLSSessionWasResumed") /* boolean */
#define kEAPClientPropTLSNegotiatedCipher \
    CFSTR("TLSNegotiatedCipher") /* integer (UInt32) */

#define kEAPClientPropEAPFASTPACWasProvisioned	CFSTR("EAPFASTPACWasProvisioned") /* boolean */

/*
 * Deprecated/unused properties
 * - NOTE(review): kEAPClientPropTLSAllowAnyRoot is listed here as
 *   deprecated/unused; whether any code path still consults it is not
 *   visible from this header, so do not assume a configuration setting it
 *   to true is harmless without checking the consumer
 */
#define kEAPClientPropIdentity			CFSTR("Identity")
#define kEAPClientPropTLSReplaceTrustedRootCertificates \
    CFSTR("TLSReplaceTrustedRootCertificates") /* boolean (false) */
#define kEAPClientPropTLSTrustedRootCertificates \
    CFSTR("TLSTrustedRootCertificates") /* array[data] */
#define kEAPClientPropTLSAllowAnyRoot \
    CFSTR("TLSAllowAnyRoot") /* boolean (false) */

#if TARGET_OS_EMBEDDED
/*
 * kEAPClientPropTLSAllowTrustExceptions
 * - this property is no longer consulted
 * - if trust is explicitly configured using
 *   kEAPClientPropTLSTrustedCertificates and/or
 *   kEAPClientPropTLSTrustedServerNames, trust exceptions are not allowed
 */
#define kEAPClientPropTLSAllowTrustExceptions \
    CFSTR("TLSAllowTrustExceptions") /* boolean (see above) */
#else /* TARGET_OS_EMBEDDED */
/*
 * kEAPClientPropTLSAllowTrustDecisions
 * - this property is no longer consulted
 * - if trust is explicitly configured using
 *   kEAPClientPropTLSTrustedCertificates and/or
 *   kEAPClientPropTLSTrustedServerNames, trust decisions are not allowed
 */
#define kEAPClientPropTLSAllowTrustDecisions \
    CFSTR("TLSAllowTrustDecisions") /* boolean (see above) */
#endif /* TARGET_OS_EMBEDDED */

#endif /* _EAP8021X_EAPCLIENTPROPERTIES_H */