2 * EAP peer configuration data
3 * Copyright (c) 2003-2008, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
19 * struct eap_peer_config - EAP peer configuration/credentials
21 struct eap_peer_config {
23 * identity - EAP Identity
25 * This field is used to set the real user identity or NAI (for
26 * EAP-PSK/PAX/SAKE/GPSK).
31 * identity_len - EAP Identity length
36 * anonymous_identity - Anonymous EAP Identity
38 * This field is used for unencrypted use with EAP types that support
39 * different tunnelled identity, e.g., EAP-TTLS, in order to reveal the
40 * real identity (identity field) only to the authentication server.
42 * If not set, the identity field will be used for both unencrypted and
45 u8 *anonymous_identity;
48 * anonymous_identity_len - Length of anonymous_identity
50 size_t anonymous_identity_len;
53 * password - Password string for EAP
55 * This field can include either the plaintext password (default
56 * option) or a NtPasswordHash (16-byte MD4 hash of the unicode
57 * presentation of the password) if flags field has
58 * EAP_CONFIG_FLAGS_PASSWORD_NTHASH bit set to 1. NtPasswordHash can
59 * only be used with authentication mechanism that use this hash as the
60 * starting point for operation: MSCHAP and MSCHAPv2 (EAP-MSCHAPv2,
61 * EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP).
63 * In addition, this field is used to configure a pre-shared key for
64 * EAP-PSK/PAX/SAKE/GPSK. The length of the PSK must be 16 for EAP-PSK
65 * and EAP-PAX and 32 for EAP-SAKE. EAP-GPSK can use a variable length
71 * password_len - Length of password field
76 * ca_cert - File path to CA certificate file (PEM/DER)
78 * This file can have one or more trusted CA certificates. If ca_cert
79 * and ca_path are not included, server certificate will not be
80 * verified. This is insecure and a trusted CA certificate should
81 * always be configured when using EAP-TLS/TTLS/PEAP. Full path to the
82 * file should be used since working directory may change when
83 * wpa_supplicant is run in the background.
85 * Alternatively, a named configuration blob can be used by setting
86 * this to blob://blob_name.
88 * On Windows, trusted CA certificates can be loaded from the system
89 * certificate store by setting this to cert_store://name, e.g.,
90 * ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
91 * Note that when running wpa_supplicant as an application, the user
92 * certificate store (My user account) is used, whereas computer store
93 * (Computer account) is used when running wpasvc as a service.
98 * ca_path - Directory path for CA certificate files (PEM)
100 * This path may contain multiple CA certificates in OpenSSL format.
101 * Common use for this is to point to system trusted CA list which is
102 * often installed into directory like /etc/ssl/certs. If configured,
103 * these certificates are added to the list of trusted CAs. ca_cert
104 * may also be included in that case, but it is not required.
109 * client_cert - File path to client certificate file (PEM/DER)
111 * This field is used with EAP method that use TLS authentication.
112 * Usually, this is only configured for EAP-TLS, even though this could
113 * in theory be used with EAP-TTLS and EAP-PEAP, too. Full path to the
114 * file should be used since working directory may change when
115 * wpa_supplicant is run in the background.
117 * Alternatively, a named configuration blob can be used by setting
118 * this to blob://blob_name.
123 * private_key - File path to client private key file (PEM/DER/PFX)
125 * When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
126 * commented out. Both the private key and certificate will be read
127 * from the PKCS#12 file in this case. Full path to the file should be
128 * used since working directory may change when wpa_supplicant is run
131 * Windows certificate store can be used by leaving client_cert out and
132 * configuring private_key in one of the following formats:
134 * cert://substring_to_match
136 * hash://certificate_thumbprint_in_hex
138 * For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
140 * Note that when running wpa_supplicant as an application, the user
141 * certificate store (My user account) is used, whereas computer store
142 * (Computer account) is used when running wpasvc as a service.
144 * Alternatively, a named configuration blob can be used by setting
145 * this to blob://blob_name.
150 * private_key_passwd - Password for private key file
152 * If left out, this will be asked through control interface.
154 u8 *private_key_passwd;
157 * dh_file - File path to DH/DSA parameters file (in PEM format)
159 * This is an optional configuration file for setting parameters for an
160 * ephemeral DH key exchange. In most cases, the default RSA
161 * authentication does not use this configuration. However, it is
162 * possible setup RSA to use ephemeral DH key exchange. In addition,
163 * ciphers with DSA keys always use ephemeral DH keys. This can be used
164 * to achieve forward secrecy. If the file is in DSA parameters format,
165 * it will be automatically converted into DH params. Full path to the
166 * file should be used since working directory may change when
167 * wpa_supplicant is run in the background.
169 * Alternatively, a named configuration blob can be used by setting
170 * this to blob://blob_name.
175 * subject_match - Constraint for server certificate subject
177 * This substring is matched against the subject of the authentication
178 * server certificate. If this string is set, the server sertificate is
179 * only accepted if it contains this string in the subject. The subject
180 * string is in following format:
182 * /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@n.example.com
187 * altsubject_match - Constraint for server certificate alt. subject
189 * Semicolon separated string of entries to be matched against the
190 * alternative subject name of the authentication server certificate.
191 * If this string is set, the server sertificate is only accepted if it
192 * contains one of the entries in an alternative subject name
195 * altSubjectName string is in following format: TYPE:VALUE
197 * Example: EMAIL:server@example.com
198 * Example: DNS:server.example.com;DNS:server2.example.com
200 * Following types are supported: EMAIL, DNS, URI
202 u8 *altsubject_match;
205 * ca_cert2 - File path to CA certificate file (PEM/DER) (Phase 2)
207 * This file can have one or more trusted CA certificates. If ca_cert2
208 * and ca_path2 are not included, server certificate will not be
209 * verified. This is insecure and a trusted CA certificate should
210 * always be configured. Full path to the file should be used since
211 * working directory may change when wpa_supplicant is run in the
214 * This field is like ca_cert, but used for phase 2 (inside
215 * EAP-TTLS/PEAP/FAST tunnel) authentication.
217 * Alternatively, a named configuration blob can be used by setting
218 * this to blob://blob_name.
223 * ca_path2 - Directory path for CA certificate files (PEM) (Phase 2)
225 * This path may contain multiple CA certificates in OpenSSL format.
226 * Common use for this is to point to system trusted CA list which is
227 * often installed into directory like /etc/ssl/certs. If configured,
228 * these certificates are added to the list of trusted CAs. ca_cert
229 * may also be included in that case, but it is not required.
231 * This field is like ca_path, but used for phase 2 (inside
232 * EAP-TTLS/PEAP/FAST tunnel) authentication.
237 * client_cert2 - File path to client certificate file
239 * This field is like client_cert, but used for phase 2 (inside
240 * EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
241 * file should be used since working directory may change when
242 * wpa_supplicant is run in the background.
244 * Alternatively, a named configuration blob can be used by setting
245 * this to blob://blob_name.
250 * private_key2 - File path to client private key file
252 * This field is like private_key, but used for phase 2 (inside
253 * EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
254 * file should be used since working directory may change when
255 * wpa_supplicant is run in the background.
257 * Alternatively, a named configuration blob can be used by setting
258 * this to blob://blob_name.
263 * private_key2_passwd - Password for private key file
265 * This field is like private_key_passwd, but used for phase 2 (inside
266 * EAP-TTLS/PEAP/FAST tunnel) authentication.
268 u8 *private_key2_passwd;
271 * dh_file2 - File path to DH/DSA parameters file (in PEM format)
273 * This field is like dh_file, but used for phase 2 (inside
274 * EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
275 * file should be used since working directory may change when
276 * wpa_supplicant is run in the background.
278 * Alternatively, a named configuration blob can be used by setting
279 * this to blob://blob_name.
284 * subject_match2 - Constraint for server certificate subject
286 * This field is like subject_match, but used for phase 2 (inside
287 * EAP-TTLS/PEAP/FAST tunnel) authentication.
292 * altsubject_match2 - Constraint for server certificate alt. subject
294 * This field is like altsubject_match, but used for phase 2 (inside
295 * EAP-TTLS/PEAP/FAST tunnel) authentication.
297 u8 *altsubject_match2;
300 * eap_methods - Allowed EAP methods
302 * (vendor=EAP_VENDOR_IETF,method=EAP_TYPE_NONE) terminated list of
303 * allowed EAP methods or %NULL if all methods are accepted.
305 struct eap_method_type *eap_methods;
308 * phase1 - Phase 1 (outer authentication) parameters
310 * String with field-value pairs, e.g., "peapver=0" or
311 * "peapver=1 peaplabel=1".
313 * 'peapver' can be used to force which PEAP version (0 or 1) is used.
315 * 'peaplabel=1' can be used to force new label, "client PEAP
316 * encryption", to be used during key derivation when PEAPv1 or newer.
318 * Most existing PEAPv1 implementation seem to be using the old label,
319 * "client EAP encryption", and wpa_supplicant is now using that as the
322 * Some servers, e.g., Radiator, may require peaplabel=1 configuration
323 * to interoperate with PEAPv1; see eap_testing.txt for more details.
325 * 'peap_outer_success=0' can be used to terminate PEAP authentication
326 * on tunneled EAP-Success. This is required with some RADIUS servers
327 * that implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
328 * Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode).
330 * include_tls_length=1 can be used to force wpa_supplicant to include
331 * TLS Message Length field in all TLS messages even if they are not
334 * sim_min_num_chal=3 can be used to configure EAP-SIM to require three
335 * challenges (by default, it accepts 2 or 3).
337 * result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use
338 * protected result indication.
340 * fast_provisioning option can be used to enable in-line provisioning
341 * of EAP-FAST credentials (PAC):
343 * 1 = allow unauthenticated provisioning,
344 * 2 = allow authenticated provisioning,
345 * 3 = allow both unauthenticated and authenticated provisioning
347 * fast_max_pac_list_len=num option can be used to set the maximum
348 * number of PAC entries to store in a PAC list (default: 10).
350 * fast_pac_format=binary option can be used to select binary format
351 * for storing PAC entries in order to save some space (the default
352 * text format uses about 2.5 times the size of minimal binary format).
354 * crypto_binding option can be used to control PEAPv0 cryptobinding
356 * 0 = do not use cryptobinding (default)
357 * 1 = use cryptobinding if server supports it
358 * 2 = require cryptobinding
360 * EAP-WSC (WPS) uses following options: pin=Device_Password and
366 * phase2 - Phase2 (inner authentication with TLS tunnel) parameters
368 * String with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
369 * "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS.
374 * pcsc - Parameters for PC/SC smartcard interface for USIM and GSM SIM
376 * This field is used to configure PC/SC smartcard interface.
377 * Currently, the only configuration is whether this field is %NULL (do
378 * not use PC/SC) or non-NULL (e.g., "") to enable PC/SC.
380 * This field is used for EAP-SIM and EAP-AKA.
385 * pin - PIN for USIM, GSM SIM, and smartcards
387 * This field is used to configure PIN for SIM and smartcards for
388 * EAP-SIM and EAP-AKA. In addition, this is used with EAP-TLS if a
389 * smartcard is used for private key operations.
391 * If left out, this will be asked through control interface.
396 * engine - Enable OpenSSL engine (e.g., for smartcard access)
398 * This is used if private key operations for EAP-TLS are performed
404 * engine_id - Engine ID for OpenSSL engine
406 * "opensc" to select OpenSC engine or "pkcs11" to select PKCS#11
409 * This is used if private key operations for EAP-TLS are performed
415 * engine2 - Enable OpenSSL engine (e.g., for smartcard) (Phase 2)
417 * This is used if private key operations for EAP-TLS are performed
420 * This field is like engine, but used for phase 2 (inside
421 * EAP-TTLS/PEAP/FAST tunnel) authentication.
427 * pin2 - PIN for USIM, GSM SIM, and smartcards (Phase 2)
429 * This field is used to configure PIN for SIM and smartcards for
430 * EAP-SIM and EAP-AKA. In addition, this is used with EAP-TLS if a
431 * smartcard is used for private key operations.
433 * This field is like pin2, but used for phase 2 (inside
434 * EAP-TTLS/PEAP/FAST tunnel) authentication.
436 * If left out, this will be asked through control interface.
441 * engine2_id - Engine ID for OpenSSL engine (Phase 2)
443 * "opensc" to select OpenSC engine or "pkcs11" to select PKCS#11
446 * This is used if private key operations for EAP-TLS are performed
449 * This field is like engine_id, but used for phase 2 (inside
450 * EAP-TTLS/PEAP/FAST tunnel) authentication.
456 * key_id - Key ID for OpenSSL engine
458 * This is used if private key operations for EAP-TLS are performed
464 * cert_id - Cert ID for OpenSSL engine
466 * This is used if the certificate operations for EAP-TLS are performed
472 * ca_cert_id - CA Cert ID for OpenSSL engine
474 * This is used if the CA certificate for EAP-TLS is on a smartcard.
479 * key2_id - Key ID for OpenSSL engine (phase2)
481 * This is used if private key operations for EAP-TLS are performed
487 * cert2_id - Cert ID for OpenSSL engine (phase2)
489 * This is used if the certificate operations for EAP-TLS are performed
495 * ca_cert2_id - CA Cert ID for OpenSSL engine (phase2)
497 * This is used if the CA certificate for EAP-TLS is on a smartcard.
502 * otp - One-time-password
504 * This field should not be set in configuration step. It is only used
505 * internally when OTP is entered through the control interface.
510 * otp_len - Length of the otp field
515 * pending_req_identity - Whether there is a pending identity request
517 * This field should not be set in configuration step. It is only used
518 * internally when control interface is used to request needed
521 int pending_req_identity;
524 * pending_req_password - Whether there is a pending password request
526 * This field should not be set in configuration step. It is only used
527 * internally when control interface is used to request needed
530 int pending_req_password;
533 * pending_req_pin - Whether there is a pending PIN request
535 * This field should not be set in configuration step. It is only used
536 * internally when control interface is used to request needed
542 * pending_req_new_password - Pending password update request
544 * This field should not be set in configuration step. It is only used
545 * internally when control interface is used to request needed
548 int pending_req_new_password;
551 * pending_req_passphrase - Pending passphrase request
553 * This field should not be set in configuration step. It is only used
554 * internally when control interface is used to request needed
557 int pending_req_passphrase;
560 * pending_req_otp - Whether there is a pending OTP request
562 * This field should not be set in configuration step. It is only used
563 * internally when control interface is used to request needed
566 char *pending_req_otp;
569 * pending_req_otp_len - Length of the pending OTP request
571 size_t pending_req_otp_len;
574 * pac_file - File path or blob name for the PAC entries (EAP-FAST)
576 * wpa_supplicant will need to be able to create this file and write
577 * updates to it when PAC is being provisioned or refreshed. Full path
578 * to the file should be used since working directory may change when
579 * wpa_supplicant is run in the background.
580 * Alternatively, a named configuration blob can be used by setting
581 * this to blob://blob_name.
586 * mschapv2_retry - MSCHAPv2 retry in progress
588 * This field is used internally by EAP-MSCHAPv2 and should not be set
589 * as part of configuration.
594 * new_password - New password for password update
596 * This field is used during MSCHAPv2 password update. This is normally
597 * requested from the user through the control interface and not set
598 * from configuration.
603 * new_password_len - Length of new_password field
605 size_t new_password_len;
608 * fragment_size - Maximum EAP fragment size in bytes (default 1398)
610 * This value limits the fragment size for EAP methods that support
611 * fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
612 * small enough to make the EAP messages fit in MTU of the network
613 * interface used for EAPOL. The default value is suitable for most
618 #define EAP_CONFIG_FLAGS_PASSWORD_NTHASH BIT(0)
620 * flags - Network configuration flags (bitfield)
622 * This variable is used for internal flags to describe further details
623 * for the network parameters.
624 * bit 0 = password is represented as a 16-byte NtPasswordHash value
625 * instead of plaintext password
632 * struct wpa_config_blob - Named configuration blob
634 * This data structure is used to provide storage for binary objects to store
635 * abstract information like certificates and private keys inlined with the
636 * configuration data.
638 struct wpa_config_blob {
645 * data - Pointer to binary data
650 * len - Length of binary data
655 * next - Pointer to next blob in the configuration
657 struct wpa_config_blob *next;
660 #endif /* EAP_CONFIG_H */