1 | /* |
2 | * EAP peer configuration data | |
3 | * Copyright (c) 2003-2008, Jouni Malinen <j@w1.fi> | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of the GNU General Public License version 2 as | |
7 | * published by the Free Software Foundation. | |
8 | * | |
9 | * Alternatively, this software may be distributed under the terms of BSD | |
10 | * license. | |
11 | * | |
12 | * See README and COPYING for more details. | |
13 | */ | |
14 | ||
15 | #ifndef EAP_CONFIG_H | |
16 | #define EAP_CONFIG_H | |
17 | ||
/**
 * struct eap_peer_config - EAP peer configuration/credentials
 *
 * Members that come with a companion *_len field (identity, password, otp,
 * new_password, ...) are raw byte buffers and must not be assumed to be
 * NUL-terminated; the length-less pointers are presumably NUL-terminated
 * strings (verify against the configuration parser).
 *
 * NOTE(review): several members hold secrets (password, private_key_passwd,
 * pin, pin2, otp, new_password). Whatever releases this structure should
 * clear those buffers before freeing them; that code is not visible in this
 * header, so confirm it in the configuration free path.
 */
struct eap_peer_config {
	/**
	 * identity - EAP Identity
	 *
	 * This field is used to set the real user identity or NAI (for
	 * EAP-PSK/PAX/SAKE/GPSK).
	 */
	u8 *identity;

	/**
	 * identity_len - EAP Identity length
	 */
	size_t identity_len;

	/**
	 * anonymous_identity - Anonymous EAP Identity
	 *
	 * This field is used for unencrypted use with EAP types that support
	 * different tunnelled identity, e.g., EAP-TTLS, in order to reveal the
	 * real identity (identity field) only to the authentication server.
	 *
	 * If not set, the identity field will be used for both unencrypted and
	 * protected fields, i.e., the real identity is then also visible in the
	 * cleartext outer exchange.
	 */
	u8 *anonymous_identity;

	/**
	 * anonymous_identity_len - Length of anonymous_identity
	 */
	size_t anonymous_identity_len;

	/**
	 * password - Password string for EAP
	 *
	 * This field can include either the plaintext password (default
	 * option) or a NtPasswordHash (16-byte MD4 hash of the unicode
	 * presentation of the password) if flags field has
	 * EAP_CONFIG_FLAGS_PASSWORD_NTHASH bit set to 1. NtPasswordHash can
	 * only be used with authentication mechanisms that use this hash as
	 * the starting point for operation: MSCHAP and MSCHAPv2 (EAP-MSCHAPv2,
	 * EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP).
	 *
	 * NOTE(review): since those mechanisms start from the hash, the hash
	 * is password-equivalent for them and needs the same protection at
	 * rest as the plaintext password.
	 *
	 * In addition, this field is used to configure a pre-shared key for
	 * EAP-PSK/PAX/SAKE/GPSK. The length of the PSK must be 16 for EAP-PSK
	 * and EAP-PAX and 32 for EAP-SAKE. EAP-GPSK can use a variable length
	 * PSK.
	 */
	u8 *password;

	/**
	 * password_len - Length of password field
	 */
	size_t password_len;

	/**
	 * ca_cert - File path to CA certificate file (PEM/DER)
	 *
	 * This file can have one or more trusted CA certificates. If ca_cert
	 * and ca_path are not included, server certificate will not be
	 * verified. This is insecure and a trusted CA certificate should
	 * always be configured when using EAP-TLS/TTLS/PEAP: without one the
	 * peer cannot distinguish the legitimate authentication server from
	 * any other TLS endpoint, and phase 2 credentials sent through the
	 * tunnel could be disclosed to it. Full path to the file should be
	 * used since working directory may change when wpa_supplicant is run
	 * in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 *
	 * On Windows, trusted CA certificates can be loaded from the system
	 * certificate store by setting this to cert_store://<name>, e.g.,
	 * ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
	 * Note that when running wpa_supplicant as an application, the user
	 * certificate store (My user account) is used, whereas computer store
	 * (Computer account) is used when running wpasvc as a service.
	 */
	u8 *ca_cert;

	/**
	 * ca_path - Directory path for CA certificate files (PEM)
	 *
	 * This path may contain multiple CA certificates in OpenSSL format.
	 * Common use for this is to point to system trusted CA list which is
	 * often installed into directory like /etc/ssl/certs. If configured,
	 * these certificates are added to the list of trusted CAs. ca_cert
	 * may also be included in that case, but it is not required.
	 */
	u8 *ca_path;

	/**
	 * client_cert - File path to client certificate file (PEM/DER)
	 *
	 * This field is used with EAP methods that use TLS authentication.
	 * Usually, this is only configured for EAP-TLS, even though this could
	 * in theory be used with EAP-TTLS and EAP-PEAP, too. Full path to the
	 * file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 */
	u8 *client_cert;

	/**
	 * private_key - File path to client private key file (PEM/DER/PFX)
	 *
	 * When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
	 * commented out. Both the private key and certificate will be read
	 * from the PKCS#12 file in this case. Full path to the file should be
	 * used since working directory may change when wpa_supplicant is run
	 * in the background.
	 *
	 * Windows certificate store can be used by leaving client_cert out and
	 * configuring private_key in one of the following formats:
	 *
	 * cert://substring_to_match
	 *
	 * hash://certificate_thumbprint_in_hex
	 *
	 * For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
	 *
	 * Note that when running wpa_supplicant as an application, the user
	 * certificate store (My user account) is used, whereas computer store
	 * (Computer account) is used when running wpasvc as a service.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 */
	u8 *private_key;

	/**
	 * private_key_passwd - Password for private key file
	 *
	 * If left out, this will be asked through control interface. This is
	 * a secret and should be cleared when the configuration is released.
	 */
	u8 *private_key_passwd;

	/**
	 * dh_file - File path to DH/DSA parameters file (in PEM format)
	 *
	 * This is an optional configuration file for setting parameters for an
	 * ephemeral DH key exchange. In most cases, the default RSA
	 * authentication does not use this configuration. However, it is
	 * possible to set up RSA to use ephemeral DH key exchange. In
	 * addition, ciphers with DSA keys always use ephemeral DH keys. This
	 * can be used to achieve forward secrecy. If the file is in DSA
	 * parameters format, it will be automatically converted into DH
	 * params. Full path to the file should be used since working
	 * directory may change when wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 */
	u8 *dh_file;

	/**
	 * subject_match - Constraint for server certificate subject
	 *
	 * This substring is matched against the subject of the authentication
	 * server certificate. If this string is set, the server certificate is
	 * only accepted if it contains this string in the subject. The subject
	 * string is in following format:
	 *
	 * /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@n.example.com
	 *
	 * NOTE(review): because this is a substring match, a short or generic
	 * value can match more certificates than intended; use a value that
	 * is specific to the expected server (e.g., the full CN component).
	 */
	u8 *subject_match;

	/**
	 * altsubject_match - Constraint for server certificate alt. subject
	 *
	 * Semicolon separated string of entries to be matched against the
	 * alternative subject name of the authentication server certificate.
	 * If this string is set, the server certificate is only accepted if it
	 * contains one of the entries in an alternative subject name
	 * extension.
	 *
	 * altSubjectName string is in following format: TYPE:VALUE
	 *
	 * Example: EMAIL:server@example.com
	 * Example: DNS:server.example.com;DNS:server2.example.com
	 *
	 * Following types are supported: EMAIL, DNS, URI
	 */
	u8 *altsubject_match;

	/**
	 * ca_cert2 - File path to CA certificate file (PEM/DER) (Phase 2)
	 *
	 * This file can have one or more trusted CA certificates. If ca_cert2
	 * and ca_path2 are not included, server certificate will not be
	 * verified. This is insecure and a trusted CA certificate should
	 * always be configured. Full path to the file should be used since
	 * working directory may change when wpa_supplicant is run in the
	 * background.
	 *
	 * This field is like ca_cert, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 */
	u8 *ca_cert2;

	/**
	 * ca_path2 - Directory path for CA certificate files (PEM) (Phase 2)
	 *
	 * This path may contain multiple CA certificates in OpenSSL format.
	 * Common use for this is to point to system trusted CA list which is
	 * often installed into directory like /etc/ssl/certs. If configured,
	 * these certificates are added to the list of trusted CAs. ca_cert2
	 * may also be included in that case, but it is not required.
	 *
	 * This field is like ca_path, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 */
	u8 *ca_path2;

	/**
	 * client_cert2 - File path to client certificate file
	 *
	 * This field is like client_cert, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
	 * file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 */
	u8 *client_cert2;

	/**
	 * private_key2 - File path to client private key file
	 *
	 * This field is like private_key, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
	 * file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 */
	u8 *private_key2;

	/**
	 * private_key2_passwd - Password for private key file
	 *
	 * This field is like private_key_passwd, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 */
	u8 *private_key2_passwd;

	/**
	 * dh_file2 - File path to DH/DSA parameters file (in PEM format)
	 *
	 * This field is like dh_file, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
	 * file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 */
	u8 *dh_file2;

	/**
	 * subject_match2 - Constraint for server certificate subject
	 *
	 * This field is like subject_match, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication. The same substring
	 * matching caveat applies.
	 */
	u8 *subject_match2;

	/**
	 * altsubject_match2 - Constraint for server certificate alt. subject
	 *
	 * This field is like altsubject_match, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 */
	u8 *altsubject_match2;

	/**
	 * eap_methods - Allowed EAP methods
	 *
	 * (vendor=EAP_VENDOR_IETF,method=EAP_TYPE_NONE) terminated list of
	 * allowed EAP methods or %NULL if all methods are accepted. Leaving
	 * this unset therefore lets the server pick any method the peer
	 * supports; restricting the list limits which methods the peer will
	 * negotiate.
	 */
	struct eap_method_type *eap_methods;

	/**
	 * phase1 - Phase 1 (outer authentication) parameters
	 *
	 * String with field-value pairs, e.g., "peapver=0" or
	 * "peapver=1 peaplabel=1".
	 *
	 * 'peapver' can be used to force which PEAP version (0 or 1) is used.
	 *
	 * 'peaplabel=1' can be used to force new label, "client PEAP
	 * encryption", to be used during key derivation when PEAPv1 or newer.
	 *
	 * Most existing PEAPv1 implementations seem to be using the old
	 * label, "client EAP encryption", and wpa_supplicant is now using
	 * that as the default value.
	 *
	 * Some servers, e.g., Radiator, may require peaplabel=1 configuration
	 * to interoperate with PEAPv1; see eap_testing.txt for more details.
	 *
	 * 'peap_outer_success=0' can be used to terminate PEAP authentication
	 * on tunneled EAP-Success. This is required with some RADIUS servers
	 * that implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
	 * Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode).
	 *
	 * include_tls_length=1 can be used to force wpa_supplicant to include
	 * TLS Message Length field in all TLS messages even if they are not
	 * fragmented.
	 *
	 * sim_min_num_chal=3 can be used to configure EAP-SIM to require three
	 * challenges (by default, it accepts 2 or 3).
	 *
	 * result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use
	 * protected result indication.
	 *
	 * fast_provisioning option can be used to enable in-line provisioning
	 * of EAP-FAST credentials (PAC):
	 * 0 = disabled,
	 * 1 = allow unauthenticated provisioning,
	 * 2 = allow authenticated provisioning,
	 * 3 = allow both unauthenticated and authenticated provisioning
	 *
	 * NOTE(review): values 1 and 3 accept a PAC from a server that has not
	 * been authenticated during the provisioning exchange, so they should
	 * only be enabled where that exchange is otherwise trusted; prefer 2.
	 *
	 * fast_max_pac_list_len=<num> option can be used to set the maximum
	 * number of PAC entries to store in a PAC list (default: 10).
	 *
	 * fast_pac_format=binary option can be used to select binary format
	 * for storing PAC entries in order to save some space (the default
	 * text format uses about 2.5 times the size of minimal binary format).
	 *
	 * crypto_binding option can be used to control PEAPv0 cryptobinding
	 * behavior:
	 * 0 = do not use cryptobinding (default)
	 * 1 = use cryptobinding if server supports it
	 * 2 = require cryptobinding
	 *
	 * NOTE(review): cryptobinding ties the inner authentication to the
	 * outer TLS tunnel; 2 is the strictest setting, and with the default
	 * of 0 that binding is never checked. Whether a given server supports
	 * it has to be confirmed before requiring it.
	 *
	 * EAP-WSC (WPS) uses following options: pin=<Device Password> and
	 * uuid=<Device UUID>
	 */
	char *phase1;

	/**
	 * phase2 - Phase2 (inner authentication with TLS tunnel) parameters
	 *
	 * String with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
	 * "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS.
	 */
	char *phase2;

	/**
	 * pcsc - Parameters for PC/SC smartcard interface for USIM and GSM SIM
	 *
	 * This field is used to configure PC/SC smartcard interface.
	 * Currently, the only configuration is whether this field is %NULL (do
	 * not use PC/SC) or non-NULL (e.g., "") to enable PC/SC.
	 *
	 * This field is used for EAP-SIM and EAP-AKA.
	 */
	char *pcsc;

	/**
	 * pin - PIN for USIM, GSM SIM, and smartcards
	 *
	 * This field is used to configure PIN for SIM and smartcards for
	 * EAP-SIM and EAP-AKA. In addition, this is used with EAP-TLS if a
	 * smartcard is used for private key operations.
	 *
	 * If left out, this will be asked through control interface. This is
	 * a secret and should be cleared when the configuration is released.
	 */
	char *pin;

	/**
	 * engine - Enable OpenSSL engine (e.g., for smartcard access)
	 *
	 * This is used if private key operations for EAP-TLS are performed
	 * using a smartcard. Presumably non-zero enables the engine; verify
	 * against the TLS glue code.
	 */
	int engine;

	/**
	 * engine_id - Engine ID for OpenSSL engine
	 *
	 * "opensc" to select OpenSC engine or "pkcs11" to select PKCS#11
	 * engine.
	 *
	 * This is used if private key operations for EAP-TLS are performed
	 * using a smartcard.
	 */
	char *engine_id;

	/**
	 * engine2 - Enable OpenSSL engine (e.g., for smartcard) (Phase 2)
	 *
	 * This is used if private key operations for EAP-TLS are performed
	 * using a smartcard.
	 *
	 * This field is like engine, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 */
	int engine2;


	/**
	 * pin2 - PIN for USIM, GSM SIM, and smartcards (Phase 2)
	 *
	 * This field is used to configure PIN for SIM and smartcards for
	 * EAP-SIM and EAP-AKA. In addition, this is used with EAP-TLS if a
	 * smartcard is used for private key operations.
	 *
	 * This field is like pin, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 *
	 * If left out, this will be asked through control interface.
	 */
	char *pin2;

	/**
	 * engine2_id - Engine ID for OpenSSL engine (Phase 2)
	 *
	 * "opensc" to select OpenSC engine or "pkcs11" to select PKCS#11
	 * engine.
	 *
	 * This is used if private key operations for EAP-TLS are performed
	 * using a smartcard.
	 *
	 * This field is like engine_id, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 */
	char *engine2_id;


	/**
	 * key_id - Key ID for OpenSSL engine
	 *
	 * This is used if private key operations for EAP-TLS are performed
	 * using a smartcard.
	 */
	char *key_id;

	/**
	 * cert_id - Cert ID for OpenSSL engine
	 *
	 * This is used if the certificate operations for EAP-TLS are performed
	 * using a smartcard.
	 */
	char *cert_id;

	/**
	 * ca_cert_id - CA Cert ID for OpenSSL engine
	 *
	 * This is used if the CA certificate for EAP-TLS is on a smartcard.
	 */
	char *ca_cert_id;

	/**
	 * key2_id - Key ID for OpenSSL engine (phase2)
	 *
	 * This is used if private key operations for EAP-TLS are performed
	 * using a smartcard.
	 */
	char *key2_id;

	/**
	 * cert2_id - Cert ID for OpenSSL engine (phase2)
	 *
	 * This is used if the certificate operations for EAP-TLS are performed
	 * using a smartcard.
	 */
	char *cert2_id;

	/**
	 * ca_cert2_id - CA Cert ID for OpenSSL engine (phase2)
	 *
	 * This is used if the CA certificate for EAP-TLS is on a smartcard.
	 */
	char *ca_cert2_id;

	/**
	 * otp - One-time-password
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when OTP is entered through the control interface.
	 */
	u8 *otp;

	/**
	 * otp_len - Length of the otp field
	 */
	size_t otp_len;

	/**
	 * pending_req_identity - Whether there is a pending identity request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	int pending_req_identity;

	/**
	 * pending_req_password - Whether there is a pending password request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	int pending_req_password;

	/**
	 * pending_req_pin - Whether there is a pending PIN request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	int pending_req_pin;

	/**
	 * pending_req_new_password - Pending password update request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	int pending_req_new_password;

	/**
	 * pending_req_passphrase - Pending passphrase request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	int pending_req_passphrase;

	/**
	 * pending_req_otp - Whether there is a pending OTP request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information. Unlike the other pending_req_* members this is a
	 * buffer (paired with pending_req_otp_len), not a flag.
	 */
	char *pending_req_otp;

	/**
	 * pending_req_otp_len - Length of the pending OTP request
	 */
	size_t pending_req_otp_len;

	/**
	 * pac_file - File path or blob name for the PAC entries (EAP-FAST)
	 *
	 * wpa_supplicant will need to be able to create this file and write
	 * updates to it when PAC is being provisioned or refreshed. Full path
	 * to the file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 *
	 * NOTE(review): the PAC entries written here are credentials; the
	 * file should be readable only by the user running wpa_supplicant
	 * (the permissions used when creating it are not visible here).
	 */
	char *pac_file;

	/**
	 * mschapv2_retry - MSCHAPv2 retry in progress
	 *
	 * This field is used internally by EAP-MSCHAPv2 and should not be set
	 * as part of configuration.
	 */
	int mschapv2_retry;

	/**
	 * new_password - New password for password update
	 *
	 * This field is used during MSCHAPv2 password update. This is normally
	 * requested from the user through the control interface and not set
	 * from configuration.
	 */
	u8 *new_password;

	/**
	 * new_password_len - Length of new_password field
	 */
	size_t new_password_len;

	/**
	 * fragment_size - Maximum EAP fragment size in bytes (default 1398)
	 *
	 * This value limits the fragment size for EAP methods that support
	 * fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
	 * small enough to make the EAP messages fit in MTU of the network
	 * interface used for EAPOL. The default value is suitable for most
	 * cases.
	 */
	int fragment_size;

/* flags bit 0: password holds a 16-byte NtPasswordHash, not plaintext */
#define EAP_CONFIG_FLAGS_PASSWORD_NTHASH BIT(0)
	/**
	 * flags - Network configuration flags (bitfield)
	 *
	 * This variable is used for internal flags to describe further details
	 * for the network parameters.
	 * bit 0 (EAP_CONFIG_FLAGS_PASSWORD_NTHASH) = password is represented
	 * as a 16-byte NtPasswordHash value instead of plaintext password
	 */
	u32 flags;
};
629 | ||
630 | ||
/**
 * struct wpa_config_blob - Named configuration blob
 *
 * This data structure is used to provide storage for binary objects to store
 * abstract information like certificates and private keys inlined with the
 * configuration data. Credential fields in struct eap_peer_config refer to a
 * blob with the blob://<blob name> syntax; blobs are chained into a singly
 * linked list through the next pointer.
 */
struct wpa_config_blob {
	/**
	 * name - Blob name
	 *
	 * The <blob name> part of a blob://<blob name> reference. Presumably
	 * a NUL-terminated string owned by the blob - verify in the parser.
	 */
	char *name;

	/**
	 * data - Pointer to binary data
	 *
	 * Raw bytes; use len for the size rather than assuming a NUL
	 * terminator. Since a blob may hold a private key, the code that
	 * frees a blob should clear this buffer first (not visible here).
	 */
	u8 *data;

	/**
	 * len - Length of binary data
	 */
	size_t len;

	/**
	 * next - Pointer to next blob in the configuration
	 *
	 * Presumably %NULL on the last blob of the list.
	 */
	struct wpa_config_blob *next;
};
659 | ||
660 | #endif /* EAP_CONFIG_H */ |