1/*
2 * Copyright (c) 2002-2014 Apple Inc. All rights reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24#ifndef _EAP8021X_EAPCLIENTPROPERTIES_H
25#define _EAP8021X_EAPCLIENTPROPERTIES_H
26
27#include <CoreFoundation/CFString.h>
28#include <TargetConditionals.h>
29
/*
 * The type of the value corresponding to each of the following keys is
 * CFString unless otherwise noted
 */
34
/*
 * kEAPClientProp*
 * - properties used to configure the EAPClient, and for the client to report
 *   its configuration needs
 * Note: default values are shown in parentheses (when applicable)
 */
41
/**
 ** Properties applicable to most protocols
 **/

/*
 * kEAPClientPropUserName
 * kEAPClientPropUserPassword
 * kEAPClientPropUserPasswordKeychainItemID
 * - the user name, and either the password value itself or a keychain item
 *   ID from which the password is retrieved
 * - NOTE(review): kEAPClientPropUserPassword places the cleartext password in
 *   the configuration dictionary; prefer the keychain item ID wherever that
 *   dictionary is persisted or logged (how the ID is resolved is not shown
 *   in this header)
 */
#define kEAPClientPropUserName	       		CFSTR("UserName")
#define kEAPClientPropUserPassword		CFSTR("UserPassword")
#define kEAPClientPropUserPasswordKeychainItemID CFSTR("UserPasswordKeychainItemID")

/*
 * kEAPClientPropOneTimeUserPassword
 * - boolean (false); presumably marks the password as single-use so it is
 *   not retained for re-authentication -- confirm against the client
 *   implementation
 */
#define kEAPClientPropOneTimeUserPassword CFSTR("OneTimeUserPassword") /* boolean (false) */

/*
 * kEAPClientPropAcceptEAPTypes
 * kEAPClientPropInnerAcceptEAPTypes
 * - array[integer] of EAP type numbers (EAPType, see kEAPClientInnerEAPType)
 *   that the client presumably accepts for the outer and for the tunneled
 *   (inner) authentication respectively
 * - NOTE(review): listing only the intended method(s) keeps an authenticator
 *   from negotiating a method the deployment did not mean to allow
 */
#define kEAPClientPropAcceptEAPTypes		CFSTR("AcceptEAPTypes") /* array[integer] */
#define kEAPClientPropInnerAcceptEAPTypes	CFSTR("InnerAcceptEAPTypes") /* array[integer] */
51
/**
 ** Properties for TLS-based authentication (EAP-TLS, EAP-TTLS, PEAP, EAP-FAST)
 **/

/*
 * kEAPClientPropTLSCertificateIsRequired
 * - TLS-based authentication protocol requires a certificate to authenticate
 * - the default value is TRUE for EAP-TLS, FALSE otherwise
 * - allows for two-factor authentication (certificate + name/password)
 *   when set to TRUE for EAP-TTLS, PEAP, EAP-FAST
 * - allows for zero-factor authentication when set to FALSE for EAP-TLS
 * - NOTE(review): "zero-factor" means the client presents no credential at
 *   all; only appropriate where the network is intended to be open
 */
#define kEAPClientPropTLSCertificateIsRequired \
	CFSTR("TLSCertificateIsRequired") 		/* boolean */
/*
 * kEAPClientPropTLSTrustedCertificates
 * - which certificates we should trust for this authentication session
 * - may contain root, leaf, or intermediate certificates
 * - array[data], one certificate per element
 * - setting this (or kEAPClientPropTLSTrustedServerNames) is "explicit trust
 *   configuration": per the deprecated-property notes below, trust
 *   exceptions/decisions are then not allowed
 */
#define kEAPClientPropTLSTrustedCertificates \
	CFSTR("TLSTrustedCertificates") 		/* array[data] */

/*
 * kEAPClientPropTLSTrustedServerNames
 * - which server names we should trust for this authentication session
 * - array[string]; presumably matched against the server certificate, so a
 *   certificate that chains to a trusted root but names a different server
 *   is still rejected -- confirm the matching rule in the client
 * - counts as explicit trust configuration (see
 *   kEAPClientPropTLSTrustedCertificates)
 */
#define kEAPClientPropTLSTrustedServerNames \
	CFSTR("TLSTrustedServerNames") 		/* array[string] */

/*
 * kEAPClientPropProfileID
 * - the profile identifier of the configuration, if the configuration came
 *   from an EAPOLClientProfileRef
 */
#define kEAPClientPropProfileID 	CFSTR("ProfileID")	/* string */
87
#if TARGET_OS_EMBEDDED
/*
 * kEAPClientPropTLSSaveTrustExceptions
 * - tells the client to save trust exceptions for the current server
 *   certificate chain, kEAPClientPropTLSUserTrustProceedCertificateChain
 * - NOTE(review): a saved exception presumably lets that same chain pass in
 *   later sessions without a new trust decision, scoped by the Domain/ID
 *   properties below; confirm the scope against the client implementation
 */
#define kEAPClientPropTLSSaveTrustExceptions \
	CFSTR("TLSSaveTrustExceptions")			/* boolean (false) */

/*
 * kEAPClientPropTLSTrustExceptionsDomain
 * kEAPClientPropTLSTrustExceptionsID
 * - properties used to locate the appropriate trust exception for the
 *   current authentication session
 * - Domain takes one of the kEAPTLSTrustExceptionsDomain* values below;
 *   ID presumably names the instance within that domain (the SSID, the
 *   profile UUID, or the interface name) -- both are strings
 */
#define kEAPClientPropTLSTrustExceptionsDomain \
	CFSTR("TLSTrustExceptionsDomain")
#define kEAPClientPropTLSTrustExceptionsID \
	CFSTR("TLSTrustExceptionsID")

/*
 * kEAPTLSTrustExceptionsDomain*
 *
 * Values for the kEAPClientPropTLSTrustExceptionsDomain property
 *
 * kEAPTLSTrustExceptionsDomainWirelessSSID
 * - used when the desired trust domain is the wireless SSID to which we
 *   are authenticating
 *
 * kEAPTLSTrustExceptionsDomainProfileID
 * - used when the desired trust domain is the UUID of the configuration profile
 *
 * kEAPTLSTrustExceptionsDomainNetworkInterfaceName
 * - used when the desired trust domain is the unique network interface name
 */
#define kEAPTLSTrustExceptionsDomainWirelessSSID \
    	CFSTR("WirelessSSID")
#define kEAPTLSTrustExceptionsDomainProfileID \
    	CFSTR("ProfileID")
#define kEAPTLSTrustExceptionsDomainNetworkInterfaceName \
    	CFSTR("NetworkInterfaceName")
#else /* TARGET_OS_EMBEDDED */

/*
 * kEAPClientPropSaveCredentialsOnSuccessfulAuthentication
 * - when set to TRUE and the authentication is successful,
 *   the credentials/identity preference are saved in the keychain
 * - boolean (implied by the description above; no type annotation is given)
 */
#define kEAPClientPropSaveCredentialsOnSuccessfulAuthentication \
    CFSTR("SaveCredentialsOnSuccessfulAuthentication")

#endif /* TARGET_OS_EMBEDDED */
140
/*
 * kEAPClientPropTLSVerifyServerCertificate
 * - boolean (true)
 * - NOTE(review): when FALSE the server's certificate chain is presumably
 *   accepted without validation, so any server able to terminate the TLS
 *   tunnel also receives whatever the inner method sends; keep the default
 *   and constrain trust with kEAPClientPropTLSTrustedCertificates and/or
 *   kEAPClientPropTLSTrustedServerNames instead
 */
#define kEAPClientPropTLSVerifyServerCertificate \
	CFSTR("TLSVerifyServerCertificate") 		/* boolean (true) */
/*
 * kEAPClientPropTLSEnableSessionResumption
 * - boolean (true); whether the client attempts TLS session resumption;
 *   kEAPClientPropTLSSessionWasResumed reports whether it took place
 */
#define kEAPClientPropTLSEnableSessionResumption \
	CFSTR("TLSEnableSessionResumption") 		/* boolean (true) */
/*
 * kEAPClientPropTLSUserTrustProceedCertificateChain
 * - array[data]; presumably the server certificate chain the user chose to
 *   proceed with after a trust prompt
 * - referenced by kEAPClientPropTLSSaveTrustExceptions (TARGET_OS_EMBEDDED)
 */
#define kEAPClientPropTLSUserTrustProceedCertificateChain \
	CFSTR("TLSUserTrustProceedCertificateChain")	/* array[data] */

/*
 * kEAPClientPropSystemModeUseOpenDirectoryCredentials
 * - when true, tells the EAP client to use OpenDirectory machine credentials
 *   when running in System mode
 * - supersedes kEAPClientPropSystemModeCredentialsSource
 */
#define kEAPClientPropSystemModeUseOpenDirectoryCredentials \
    CFSTR("SystemModeUseOpenDirectoryCredentials") /* boolean (false) */

/*
 * kEAPClientPropSystemModeOpenDirectoryNodeName
 * - if kEAPClientPropSystemModeUseOpenDirectoryCredentials is true,
 *   tells the EAP client to specify a particular node name to retrieve
 *   OpenDirectory machine credentials
 * - string; ignored unless the property above is true
 */
#define kEAPClientPropSystemModeOpenDirectoryNodeName \
    CFSTR("SystemModeOpenDirectoryNodeName")
/*
 * kEAPClientPropSystemModeCredentialsSource
 * - tells the EAP client to use an alternate source for credentials when
 *   running in System mode
 * - when set to kEAPClientCredentialsSourceActiveDirectory, the EAP client
 *   will attempt to use the machine name/password used by Active Directory;
 *   if those credentials are missing, the authentication will fail
 * - superseded by kEAPClientPropSystemModeUseOpenDirectoryCredentials
 * - kEAPClientCredentialsSourceActiveDirectory is the only value defined here
 */
#define kEAPClientPropSystemModeCredentialsSource	CFSTR("SystemModeCredentialsSource")
#define kEAPClientCredentialsSourceActiveDirectory	CFSTR("ActiveDirectory")
176
/**
 ** Properties for TTLS
 **/

/*
 * kEAPClientPropTTLSInnerAuthentication
 * - the authentication method used inside the TTLS tunnel (as the name
 *   indicates); value is one of the kEAPTTLSInnerAuthentication* strings
 * - NOTE(review): none of these inner methods authenticates the server on
 *   its own (PAP carries the password as-is, the CHAP/MSCHAP variants carry
 *   password-derived responses), so their safety rests entirely on the
 *   outer TLS server verification -- see
 *   kEAPClientPropTLSVerifyServerCertificate and
 *   kEAPClientPropTLSTrustedServerNames
 */
#define kEAPClientPropTTLSInnerAuthentication	CFSTR("TTLSInnerAuthentication")
#define kEAPTTLSInnerAuthenticationPAP		CFSTR("PAP")
#define kEAPTTLSInnerAuthenticationCHAP		CFSTR("CHAP")
#define kEAPTTLSInnerAuthenticationMSCHAP	CFSTR("MSCHAP")
#define kEAPTTLSInnerAuthenticationMSCHAPv2	CFSTR("MSCHAPv2")
#define kEAPTTLSInnerAuthenticationEAP		CFSTR("EAP")

/*
 * kEAPClientPropNewPassword
 * - presumably the replacement password for a password-change exchange;
 *   not described further in this header -- confirm against the client
 */
#define kEAPClientPropNewPassword		CFSTR("NewPassword")
/*
 * kEAPClientPropOuterIdentity
 * - for TTLS, PEAP, EAP-FAST: the identity presented outside the TLS tunnel,
 *   as opposed to kEAPClientPropUserName which is used inside it
 * - NOTE(review): the outer identity is presumably sent before the tunnel is
 *   established, i.e. in the clear; a generic value here keeps the real
 *   user name off the wire -- confirm the default when this key is absent
 */
#define kEAPClientPropOuterIdentity		CFSTR("OuterIdentity")

/*
 * kEAPClientPropTLSIdentityHandle
 * - for TLS: the handle (EAPSecIdentityHandle) selecting the client identity
 *   (certificate + private key) used to authenticate
 */
#define kEAPClientPropTLSIdentityHandle		CFSTR("TLSIdentityHandle") /* EAPSecIdentityHandle */

/*
 * kEAPClientPropEAPFASTUsePAC
 * kEAPClientPropEAPFASTProvisionPAC
 * kEAPClientPropEAPFASTProvisionPACAnonymously
 * - for EAP-FAST; all booleans, default false
 * - UsePAC: use a Protected Access Credential if one is available;
 *   ProvisionPAC: allow one to be provisioned by the server;
 *   ProvisionPACAnonymously: allow provisioning without the server being
 *   authenticated first (as the name indicates)
 * - NOTE(review): anonymous provisioning means the PAC is obtained from an
 *   unverified server; confirm how the client handles that case before
 *   enabling it, and see kEAPClientPropEAPFASTPACWasProvisioned for the
 *   published result
 */
#define kEAPClientPropEAPFASTUsePAC		CFSTR("EAPFASTUsePAC") /* boolean (false) */
#define kEAPClientPropEAPFASTProvisionPAC	CFSTR("EAPFASTProvisionPAC") /* boolean (false) */
#define kEAPClientPropEAPFASTProvisionPACAnonymously	CFSTR("EAPFASTProvisionPACAnonymously") /* boolean (false) */
198
199
/*
 * for EAP-MSCHAPv2
 *
 * Note: these are only used as an internal communication mechanism between the
 * outer authentication and EAP-MSCHAPv2.
 * - both values are data (the challenge bytes); they are not meant to be
 *   supplied in a caller's configuration and should not be treated as part
 *   of the public configuration surface
 */
#define kEAPClientPropEAPMSCHAPv2ServerChallenge CFSTR("EAPMSCHAPv2ServerChallenge") /* data */
#define kEAPClientPropEAPMSCHAPv2ClientChallenge CFSTR("EAPMSCHAPv2ClientChallenge") /* data */
208
/*
 * Properties supplied by the client as published/additional properties
 * - these are reported by the EAP client rather than read from the
 *   configuration; treat them as read-only status
 */
/*
 * kEAPClientInnerEAPType
 * kEAPClientInnerEAPTypeName
 * - the EAP type (integer EAPType) and its name actually used inside the
 *   tunnel; worth comparing against kEAPClientPropInnerAcceptEAPTypes
 */
#define kEAPClientInnerEAPType		CFSTR("InnerEAPType")	/* integer (EAPType) */
#define kEAPClientInnerEAPTypeName	CFSTR("InnerEAPTypeName")
/*
 * kEAPClientPropTLSServerCertificateChain
 * - array[data]; the certificate chain presented by the server in this
 *   session, presumably published so a caller can inspect it or present it
 *   for a trust decision (see kEAPClientPropTLSUserTrustProceedCertificateChain)
 */
#define kEAPClientPropTLSServerCertificateChain	\
	CFSTR("TLSServerCertificateChain") /* array[data] */
/*
 * kEAPClientPropTLSTrustClientStatus
 * - integer (EAPClientStatus); presumably the outcome of the client's trust
 *   evaluation of that chain
 */
#define kEAPClientPropTLSTrustClientStatus	CFSTR("TLSTrustClientStatus") /* integer (EAPClientStatus) */
/*
 * kEAPClientPropTLSSessionWasResumed
 * - boolean; whether the TLS session was resumed rather than newly
 *   negotiated (see kEAPClientPropTLSEnableSessionResumption)
 */
#define kEAPClientPropTLSSessionWasResumed \
	CFSTR("TLSSessionWasResumed")	/* boolean */
/*
 * kEAPClientPropTLSNegotiatedCipher
 * - integer (UInt32); presumably the negotiated TLS cipher suite code --
 *   useful for confirming a strong suite was selected
 */
#define kEAPClientPropTLSNegotiatedCipher \
	CFSTR("TLSNegotiatedCipher")	/* integer (UInt32) */

/*
 * kEAPClientPropEAPFASTPACWasProvisioned
 * - boolean; whether a PAC was provisioned during this session (see the
 *   kEAPClientPropEAPFASTProvisionPAC* configuration keys)
 */
#define kEAPClientPropEAPFASTPACWasProvisioned	CFSTR("EAPFASTPACWasProvisioned") /* boolean */
223
/*
 * Deprecated/unused properties
 * - NOTE(review): these keys are listed as unused; in particular
 *   kEAPClientPropTLSAllowAnyRoot and
 *   kEAPClientPropTLSReplaceTrustedRootCertificates must not be relied on to
 *   loosen or tighten trust -- configure trust with
 *   kEAPClientPropTLSTrustedCertificates / kEAPClientPropTLSTrustedServerNames
 */
#define kEAPClientPropIdentity			CFSTR("Identity")
#define kEAPClientPropTLSReplaceTrustedRootCertificates \
	CFSTR("TLSReplaceTrustedRootCertificates")	/* boolean (false) */
#define kEAPClientPropTLSTrustedRootCertificates \
	CFSTR("TLSTrustedRootCertificates") 		/* array[data] */
#define kEAPClientPropTLSAllowAnyRoot \
	CFSTR("TLSAllowAnyRoot") 			/* boolean (false) */

#if TARGET_OS_EMBEDDED
/*
 * kEAPClientPropTLSAllowTrustExceptions
 * - this property is no longer consulted
 * - if trust is explicitly configured using
 *   kEAPClientPropTLSTrustedCertificates and/or
 *   kEAPClientPropTLSTrustedServerNames, trust exceptions are not allowed
 */
#define kEAPClientPropTLSAllowTrustExceptions \
	CFSTR("TLSAllowTrustExceptions") 		/* boolean (see above) */
#else /* TARGET_OS_EMBEDDED */
/*
 * kEAPClientPropTLSAllowTrustDecisions
 * - this property is no longer consulted
 * - if trust is explicitly configured using
 *   kEAPClientPropTLSTrustedCertificates and/or
 *   kEAPClientPropTLSTrustedServerNames, trust decisions are not allowed
 */
#define kEAPClientPropTLSAllowTrustDecisions \
	CFSTR("TLSAllowTrustDecisions")		/* boolean (see above) */
#endif /* TARGET_OS_EMBEDDED */
256
257#endif /* _EAP8021X_EAPCLIENTPROPERTIES_H */
258