Lines Matching +full:not +full:- +full:used

3  * Copyright (c) 2003-2019, Jouni Malinen <j@w1.fi>
13 * struct eap_peer_cert_config - EAP peer certificate configuration/credential
17 * ca_cert - File path to CA certificate file (PEM/DER)
20 * and ca_path are not included, server certificate will not be
22 * always be configured when using EAP-TLS/TTLS/PEAP. Full path to the
23 * file should be used since working directory may change when
26 * Alternatively, a named configuration blob can be used by setting
29 * Alternatively, this can be used to only perform matching of the
30 * server certificate (SHA-256 hash of the DER encoded X.509
42 * certificate store (My user account) is used, whereas computer store
43 * (Computer account) is used when running wpasvc as a service.
48 * ca_path - Directory path for CA certificate files (PEM)
54 * may also be included in that case, but it is not required.
59 * client_cert - File path to client certificate file (PEM/DER)
61 * This field is used with EAP methods that use TLS authentication.
62 * Usually, this is only configured for EAP-TLS, even though this could
63 * in theory be used with EAP-TTLS and EAP-PEAP, too. Full path to the
64 * file should be used since working directory may change when
67 * Alternatively, a named configuration blob can be used by setting
73 * private_key - File path to client private key file (PEM/DER/PFX)
75 * When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
78 * used since working directory may change when wpa_supplicant is run
81 * Windows certificate store can be used by leaving client_cert out and
91 * certificate store (My user account) is used, whereas computer store
92 * (Computer account) is used when running wpasvc as a service.
94 * Alternatively, a named configuration blob can be used by setting
100 * private_key_passwd - Password for private key file
107 * subject_match - Constraint for server certificate subject
116 * Note: Since this is a substring match, this cannot be used securely
118 * For such a use case, domain_suffix_match should be used instead.
123 * check_cert_subject - Constraint for server certificate subject fields
127 * certificate. If the values do not match, the certificate verification
137 * server because the order of 'OU' is not matching the specified string
142 * It can only be used as per the following example.
157 * altsubject_match - Constraint for server certificate alt. subject
175 * domain_suffix_match - Constraint for server domain name
177 * If set, this semicolon delimited list of FQDNs is used as suffix
183 * name is compared case-insensitively one label at a time starting from
184 * the top-level domain and all the labels in domain_suffix_match shall
186 * additional sub-level labels in addition to the required labels.
189 * test.example.com but would not match test-example.com. Multiple
196 * domain_match - Constraint for server domain name
198 * If set, this FQDN is used as a full match requirement for the
204 * no subdomains or wildcard matches are allowed. Case-insensitive
205 * comparison is used, so "Example.com" matches "example.com", but would
206 * not match "test.Example.com".
217 * pin - PIN for USIM, GSM SIM, and smartcards
219 * This field is used to configure PIN for SIM and smartcards for
220 * EAP-SIM and EAP-AKA. In addition, this is used with EAP-TLS if a
221 * smartcard is used for private key operations.
228 * engine - Enable OpenSSL engine (e.g., for smartcard access)
230 * This is used if private key operations for EAP-TLS are performed
236 * engine_id - Engine ID for OpenSSL engine
241 * This is used if private key operations for EAP-TLS are performed
248 * key_id - Key ID for OpenSSL engine
250 * This is used if private key operations for EAP-TLS are performed
256 * cert_id - Cert ID for OpenSSL engine
258 * This is used if the certificate operations for EAP-TLS are performed
264 * ca_cert_id - CA Cert ID for OpenSSL engine
266 * This is used if the CA certificate for EAP-TLS is on a smartcard.
271 * ocsp - Whether to use/require OCSP to check server certificate
273 * 0 = do not use OCSP stapling (TLS certificate status extension)
274 * 1 = try to use OCSP stapling, but not require response
281 * struct eap_peer_config - EAP peer configuration/credentials
285 * identity - EAP Identity
287 * This field is used to set the real user identity or NAI (for
288 * EAP-PSK/PAX/SAKE/GPSK).
293 * identity_len - EAP Identity length
298 * anonymous_identity - Anonymous EAP Identity
300 * This field is used for unencrypted use with EAP types that support
301 * different tunnelled identity, e.g., EAP-TTLS, in order to reveal the
304 * If not set, the identity field will be used for both unencrypted and
307 * This field can also be used with EAP-SIM/AKA/AKA' to store the
313 * anonymous_identity_len - Length of anonymous_identity
321 * imsi_privacy_cert - IMSI privacy certificate
323 * This field is used with EAP-SIM/AKA/AKA' to encrypt the permanent
324 * identity (IMSI) to improve privacy. The referenced PEM-encoded
325 * X.509v3 certificate needs to include a 2048-bit RSA public key and
331 * imsi_privacy_attr - IMSI privacy attribute
333 * This field is used to help the EAP-SIM/AKA/AKA' server to identify
334 * the used certificate (and as such, the matching private key). This
341 * machine_identity - EAP Identity for machine credential
343 * This field is used to set the machine identity or NAI for cases where
350 * machine_identity_len - EAP Identity length for machine credential
355 * password - Password string for EAP
358 * option) or a NtPasswordHash (16-byte MD4 hash of the unicode
361 * only be used with authentication mechanism that use this hash as the
362 * starting point for operation: MSCHAP and MSCHAPv2 (EAP-MSCHAPv2,
363 * EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP).
365 * In addition, this field is used to configure a pre-shared key for
366 * EAP-PSK/PAX/SAKE/GPSK. The length of the PSK must be 16 for EAP-PSK
367 * and EAP-PAX and 32 for EAP-SAKE. EAP-GPSK can use a variable length
373 * password_len - Length of password field
378 * machine_password - Password string for EAP machine credential
380 * This field is used when machine credential based on username/password
387 * machine_password_len - Length of machine credential password field
392 * cert - Certificate parameters for Phase 1
397 * phase2_cert - Certificate parameters for Phase 2
399 * This is like cert, but used for Phase 2 (inside
400 * EAP-TTLS/PEAP/FAST/TEAP tunnel) authentication.
405 * machine_cert - Certificate parameters for Phase 2 machine credential
407 * This is like cert, but used for Phase 2 (inside EAP-TEAP tunnel)
408 * authentication with machine credentials (while phase2_cert is used
414 * eap_methods - Allowed EAP methods
422 * phase1 - Phase 1 (outer authentication) parameters
424 * String with field-value pairs, e.g., "peapver=0" or
427 * 'peapver' can be used to force which PEAP version (0 or 1) is used.
429 * 'peaplabel=1' can be used to force new label, "client PEAP
430 * encryption", to be used during key derivation when PEAPv1 or newer.
439 * 'peap_outer_success=0' can be used to terminate PEAP authentication
440 * on tunneled EAP-Success. This is required with some RADIUS servers
441 * that implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
444 * include_tls_length=1 can be used to force wpa_supplicant to include
445 * TLS Message Length field in all TLS messages even if they are not
448 * sim_min_num_chal=3 can be used to configure EAP-SIM to require three
451 * result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use
454 * fast_provisioning option can be used to enable in-line provisioning
455 * of EAP-FAST credentials (PAC):
461 * fast_max_pac_list_len=num option can be used to set the maximum
464 * fast_pac_format=binary option can be used to select binary format
468 * crypto_binding option can be used to control PEAPv0 cryptobinding
470 * 0 = do not use cryptobinding (default)
474 * phase2_auth option can be used to control Phase 2 (i.e., within TLS
476 * 0 = do not require Phase 2 authentication
478 * (private_key/client_cert) is not used and TLS session resumption was
479 * not used (default)
482 * EAP-WSC (WPS) uses following options: pin=Device_Password and
486 * used to configure a mode that allows EAP-Success (and EAP-Failure)
491 * potential attacks by rogue devices, but this option can be used to
493 * not need to be authenticated.
498 * phase2 - Phase2 (inner authentication with TLS tunnel) parameters
500 * String with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
501 * "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS. "mschapv2_retry=0" can
502 * be used to disable MSCHAPv2 password retry in authentication failure
508 * machine_phase2 - Phase2 parameters for machine credentials
515 * pcsc - Parameters for PC/SC smartcard interface for USIM and GSM SIM
517 * This field is used to configure PC/SC smartcard interface.
519 * not use PC/SC) or non-NULL (e.g., "") to enable PC/SC.
521 * This field is used for EAP-SIM and EAP-AKA.
526 * otp - One-time-password
528 * This field should not be set in configuration step. It is only used
534 * otp_len - Length of the otp field
539 * pending_req_identity - Whether there is a pending identity request
541 * This field should not be set in configuration step. It is only used
542 * internally when control interface is used to request needed
548 * pending_req_password - Whether there is a pending password request
550 * This field should not be set in configuration step. It is only used
551 * internally when control interface is used to request needed
557 * pending_req_pin - Whether there is a pending PIN request
559 * This field should not be set in configuration step. It is only used
560 * internally when control interface is used to request needed
566 * pending_req_new_password - Pending password update request
568 * This field should not be set in configuration step. It is only used
569 * internally when control interface is used to request needed
575 * pending_req_passphrase - Pending passphrase request
577 * This field should not be set in configuration step. It is only used
578 * internally when control interface is used to request needed
584 * pending_req_sim - Pending SIM request
586 * This field should not be set in configuration step. It is only used
587 * internally when control interface is used to request needed
593 * pending_req_otp - Whether there is a pending OTP request
595 * This field should not be set in configuration step. It is only used
596 * internally when control interface is used to request needed
602 * pending_req_otp_len - Length of the pending OTP request
607 * pac_file - File path or blob name for the PAC entries (EAP-FAST)
611 * to the file should be used since working directory may change when
613 * Alternatively, a named configuration blob can be used by setting
619 * mschapv2_retry - MSCHAPv2 retry in progress
621 * This field is used internally by EAP-MSCHAPv2 and should not be set
627 * new_password - New password for password update
629 * This field is used during MSCHAPv2 password update. This is normally
630 * requested from the user through the control interface and not set
636 * new_password_len - Length of new_password field
641 * fragment_size - Maximum EAP fragment size in bytes (default 1398)
644 * fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
646 * interface used for EAPOL. The default value is suitable for most
656 * flags - Network configuration flags (bitfield)
658 * This variable is used for internal flags to describe further details
660 * bit 0 = password is represented as a 16-byte NtPasswordHash value
664 * bit 2 = machine password is represented as a 16-byte NtPasswordHash
672 * external_sim_resp - Response from external SIM processing
674 * This field should not be set in configuration step. It is only used
675 * internally when control interface is used to request external
681 * sim_num - User selected SIM identifier
683 * This variable is used for identifying which SIM is used if the system
689 * openssl_ciphers - OpenSSL cipher string
692 * ciphers for this connection. If not set, the default cipher suite
693 * list is used.
698 * erp - Whether EAP Re-authentication Protocol (ERP) is enabled
703 * pending_ext_cert_check - External server certificate check status
705 * This field should not be set in configuration step. It is only used
706 * internally when control interface is used to request external
721 * struct wpa_config_blob - Named configuration blob
723 * This data structure is used to provide storage for binary objects to store
729 * name - Blob name
734 * data - Pointer to binary data
739 * len - Length of binary data
744 * next - Pointer to next blob in the configuration