xref: /freebsd/contrib/wpa/src/eap_peer/eap_config.h (revision 5b9c547c072b84410b50897cc53710c75b2f6b74)
139beb93cSSam Leffler /*
239beb93cSSam Leffler  * EAP peer configuration data
3*5b9c547cSRui Paulo  * Copyright (c) 2003-2013, Jouni Malinen <j@w1.fi>
439beb93cSSam Leffler  *
5f05cddf9SRui Paulo  * This software may be distributed under the terms of the BSD license.
6f05cddf9SRui Paulo  * See README for more details.
739beb93cSSam Leffler  */
839beb93cSSam Leffler 
939beb93cSSam Leffler #ifndef EAP_CONFIG_H
1039beb93cSSam Leffler #define EAP_CONFIG_H
1139beb93cSSam Leffler 
1239beb93cSSam Leffler /**
1339beb93cSSam Leffler  * struct eap_peer_config - EAP peer configuration/credentials
1439beb93cSSam Leffler  */
1539beb93cSSam Leffler struct eap_peer_config {
1639beb93cSSam Leffler 	/**
1739beb93cSSam Leffler 	 * identity - EAP Identity
1839beb93cSSam Leffler 	 *
1939beb93cSSam Leffler 	 * This field is used to set the real user identity or NAI (for
2039beb93cSSam Leffler 	 * EAP-PSK/PAX/SAKE/GPSK).
2139beb93cSSam Leffler 	 */
2239beb93cSSam Leffler 	u8 *identity;
2339beb93cSSam Leffler 
2439beb93cSSam Leffler 	/**
2539beb93cSSam Leffler 	 * identity_len - EAP Identity length
2639beb93cSSam Leffler 	 */
2739beb93cSSam Leffler 	size_t identity_len;
2839beb93cSSam Leffler 
2939beb93cSSam Leffler 	/**
3039beb93cSSam Leffler 	 * anonymous_identity -  Anonymous EAP Identity
3139beb93cSSam Leffler 	 *
3239beb93cSSam Leffler 	 * This field is used for unencrypted use with EAP types that support
3339beb93cSSam Leffler 	 * different tunnelled identity, e.g., EAP-TTLS, in order to reveal the
3439beb93cSSam Leffler 	 * real identity (identity field) only to the authentication server.
3539beb93cSSam Leffler 	 *
3639beb93cSSam Leffler 	 * If not set, the identity field will be used for both unencrypted and
3739beb93cSSam Leffler 	 * protected fields.
38f05cddf9SRui Paulo 	 *
39f05cddf9SRui Paulo 	 * This field can also be used with EAP-SIM/AKA/AKA' to store the
40f05cddf9SRui Paulo 	 * pseudonym identity.
4139beb93cSSam Leffler 	 */
4239beb93cSSam Leffler 	u8 *anonymous_identity;
4339beb93cSSam Leffler 
4439beb93cSSam Leffler 	/**
4539beb93cSSam Leffler 	 * anonymous_identity_len - Length of anonymous_identity
4639beb93cSSam Leffler 	 */
4739beb93cSSam Leffler 	size_t anonymous_identity_len;
4839beb93cSSam Leffler 
4939beb93cSSam Leffler 	/**
5039beb93cSSam Leffler 	 * password - Password string for EAP
5139beb93cSSam Leffler 	 *
5239beb93cSSam Leffler 	 * This field can include either the plaintext password (default
5339beb93cSSam Leffler 	 * option) or a NtPasswordHash (16-byte MD4 hash of the unicode
5439beb93cSSam Leffler 	 * presentation of the password) if flags field has
5539beb93cSSam Leffler 	 * EAP_CONFIG_FLAGS_PASSWORD_NTHASH bit set to 1. NtPasswordHash can
5639beb93cSSam Leffler 	 * only be used with authentication mechanism that use this hash as the
5739beb93cSSam Leffler 	 * starting point for operation: MSCHAP and MSCHAPv2 (EAP-MSCHAPv2,
5839beb93cSSam Leffler 	 * EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP).
5939beb93cSSam Leffler 	 *
6039beb93cSSam Leffler 	 * In addition, this field is used to configure a pre-shared key for
6139beb93cSSam Leffler 	 * EAP-PSK/PAX/SAKE/GPSK. The length of the PSK must be 16 for EAP-PSK
6239beb93cSSam Leffler 	 * and EAP-PAX and 32 for EAP-SAKE. EAP-GPSK can use a variable length
6339beb93cSSam Leffler 	 * PSK.
6439beb93cSSam Leffler 	 */
6539beb93cSSam Leffler 	u8 *password;
6639beb93cSSam Leffler 
6739beb93cSSam Leffler 	/**
6839beb93cSSam Leffler 	 * password_len - Length of password field
6939beb93cSSam Leffler 	 */
7039beb93cSSam Leffler 	size_t password_len;
7139beb93cSSam Leffler 
7239beb93cSSam Leffler 	/**
7339beb93cSSam Leffler 	 * ca_cert - File path to CA certificate file (PEM/DER)
7439beb93cSSam Leffler 	 *
7539beb93cSSam Leffler 	 * This file can have one or more trusted CA certificates. If ca_cert
7639beb93cSSam Leffler 	 * and ca_path are not included, server certificate will not be
7739beb93cSSam Leffler 	 * verified. This is insecure and a trusted CA certificate should
7839beb93cSSam Leffler 	 * always be configured when using EAP-TLS/TTLS/PEAP. Full path to the
7939beb93cSSam Leffler 	 * file should be used since working directory may change when
8039beb93cSSam Leffler 	 * wpa_supplicant is run in the background.
8139beb93cSSam Leffler 	 *
8239beb93cSSam Leffler 	 * Alternatively, a named configuration blob can be used by setting
8339beb93cSSam Leffler 	 * this to blob://blob_name.
8439beb93cSSam Leffler 	 *
85e28a4053SRui Paulo 	 * Alternatively, this can be used to only perform matching of the
86e28a4053SRui Paulo 	 * server certificate (SHA-256 hash of the DER encoded X.509
87e28a4053SRui Paulo 	 * certificate). In this case, the possible CA certificates in the
88e28a4053SRui Paulo 	 * server certificate chain are ignored and only the server certificate
89e28a4053SRui Paulo 	 * is verified. This is configured with the following format:
90e28a4053SRui Paulo 	 * hash:://server/sha256/cert_hash_in_hex
91e28a4053SRui Paulo 	 * For example: "hash://server/sha256/
92e28a4053SRui Paulo 	 * 5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
93e28a4053SRui Paulo 	 *
9439beb93cSSam Leffler 	 * On Windows, trusted CA certificates can be loaded from the system
9539beb93cSSam Leffler 	 * certificate store by setting this to cert_store://name, e.g.,
9639beb93cSSam Leffler 	 * ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
9739beb93cSSam Leffler 	 * Note that when running wpa_supplicant as an application, the user
9839beb93cSSam Leffler 	 * certificate store (My user account) is used, whereas computer store
9939beb93cSSam Leffler 	 * (Computer account) is used when running wpasvc as a service.
10039beb93cSSam Leffler 	 */
10139beb93cSSam Leffler 	u8 *ca_cert;
10239beb93cSSam Leffler 
10339beb93cSSam Leffler 	/**
10439beb93cSSam Leffler 	 * ca_path - Directory path for CA certificate files (PEM)
10539beb93cSSam Leffler 	 *
10639beb93cSSam Leffler 	 * This path may contain multiple CA certificates in OpenSSL format.
10739beb93cSSam Leffler 	 * Common use for this is to point to system trusted CA list which is
10839beb93cSSam Leffler 	 * often installed into directory like /etc/ssl/certs. If configured,
10939beb93cSSam Leffler 	 * these certificates are added to the list of trusted CAs. ca_cert
11039beb93cSSam Leffler 	 * may also be included in that case, but it is not required.
11139beb93cSSam Leffler 	 */
11239beb93cSSam Leffler 	u8 *ca_path;
11339beb93cSSam Leffler 
11439beb93cSSam Leffler 	/**
11539beb93cSSam Leffler 	 * client_cert - File path to client certificate file (PEM/DER)
11639beb93cSSam Leffler 	 *
11739beb93cSSam Leffler 	 * This field is used with EAP method that use TLS authentication.
11839beb93cSSam Leffler 	 * Usually, this is only configured for EAP-TLS, even though this could
11939beb93cSSam Leffler 	 * in theory be used with EAP-TTLS and EAP-PEAP, too. Full path to the
12039beb93cSSam Leffler 	 * file should be used since working directory may change when
12139beb93cSSam Leffler 	 * wpa_supplicant is run in the background.
12239beb93cSSam Leffler 	 *
12339beb93cSSam Leffler 	 * Alternatively, a named configuration blob can be used by setting
12439beb93cSSam Leffler 	 * this to blob://blob_name.
12539beb93cSSam Leffler 	 */
12639beb93cSSam Leffler 	u8 *client_cert;
12739beb93cSSam Leffler 
12839beb93cSSam Leffler 	/**
12939beb93cSSam Leffler 	 * private_key - File path to client private key file (PEM/DER/PFX)
13039beb93cSSam Leffler 	 *
13139beb93cSSam Leffler 	 * When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
13239beb93cSSam Leffler 	 * commented out. Both the private key and certificate will be read
13339beb93cSSam Leffler 	 * from the PKCS#12 file in this case. Full path to the file should be
13439beb93cSSam Leffler 	 * used since working directory may change when wpa_supplicant is run
13539beb93cSSam Leffler 	 * in the background.
13639beb93cSSam Leffler 	 *
13739beb93cSSam Leffler 	 * Windows certificate store can be used by leaving client_cert out and
13839beb93cSSam Leffler 	 * configuring private_key in one of the following formats:
13939beb93cSSam Leffler 	 *
14039beb93cSSam Leffler 	 * cert://substring_to_match
14139beb93cSSam Leffler 	 *
14239beb93cSSam Leffler 	 * hash://certificate_thumbprint_in_hex
14339beb93cSSam Leffler 	 *
14439beb93cSSam Leffler 	 * For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
14539beb93cSSam Leffler 	 *
14639beb93cSSam Leffler 	 * Note that when running wpa_supplicant as an application, the user
14739beb93cSSam Leffler 	 * certificate store (My user account) is used, whereas computer store
14839beb93cSSam Leffler 	 * (Computer account) is used when running wpasvc as a service.
14939beb93cSSam Leffler 	 *
15039beb93cSSam Leffler 	 * Alternatively, a named configuration blob can be used by setting
15139beb93cSSam Leffler 	 * this to blob://blob_name.
15239beb93cSSam Leffler 	 */
15339beb93cSSam Leffler 	u8 *private_key;
15439beb93cSSam Leffler 
15539beb93cSSam Leffler 	/**
15639beb93cSSam Leffler 	 * private_key_passwd - Password for private key file
15739beb93cSSam Leffler 	 *
15839beb93cSSam Leffler 	 * If left out, this will be asked through control interface.
15939beb93cSSam Leffler 	 */
160*5b9c547cSRui Paulo 	char *private_key_passwd;
16139beb93cSSam Leffler 
16239beb93cSSam Leffler 	/**
16339beb93cSSam Leffler 	 * dh_file - File path to DH/DSA parameters file (in PEM format)
16439beb93cSSam Leffler 	 *
16539beb93cSSam Leffler 	 * This is an optional configuration file for setting parameters for an
16639beb93cSSam Leffler 	 * ephemeral DH key exchange. In most cases, the default RSA
16739beb93cSSam Leffler 	 * authentication does not use this configuration. However, it is
16839beb93cSSam Leffler 	 * possible setup RSA to use ephemeral DH key exchange. In addition,
16939beb93cSSam Leffler 	 * ciphers with DSA keys always use ephemeral DH keys. This can be used
17039beb93cSSam Leffler 	 * to achieve forward secrecy. If the file is in DSA parameters format,
17139beb93cSSam Leffler 	 * it will be automatically converted into DH params. Full path to the
17239beb93cSSam Leffler 	 * file should be used since working directory may change when
17339beb93cSSam Leffler 	 * wpa_supplicant is run in the background.
17439beb93cSSam Leffler 	 *
17539beb93cSSam Leffler 	 * Alternatively, a named configuration blob can be used by setting
17639beb93cSSam Leffler 	 * this to blob://blob_name.
17739beb93cSSam Leffler 	 */
17839beb93cSSam Leffler 	u8 *dh_file;
17939beb93cSSam Leffler 
18039beb93cSSam Leffler 	/**
18139beb93cSSam Leffler 	 * subject_match - Constraint for server certificate subject
18239beb93cSSam Leffler 	 *
18339beb93cSSam Leffler 	 * This substring is matched against the subject of the authentication
18439beb93cSSam Leffler 	 * server certificate. If this string is set, the server sertificate is
18539beb93cSSam Leffler 	 * only accepted if it contains this string in the subject. The subject
18639beb93cSSam Leffler 	 * string is in following format:
18739beb93cSSam Leffler 	 *
18839beb93cSSam Leffler 	 * /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@n.example.com
189*5b9c547cSRui Paulo 	 *
190*5b9c547cSRui Paulo 	 * Note: Since this is a substring match, this cannot be used securily
191*5b9c547cSRui Paulo 	 * to do a suffix match against a possible domain name in the CN entry.
192*5b9c547cSRui Paulo 	 * For such a use case, domain_suffix_match should be used instead.
19339beb93cSSam Leffler 	 */
19439beb93cSSam Leffler 	u8 *subject_match;
19539beb93cSSam Leffler 
19639beb93cSSam Leffler 	/**
19739beb93cSSam Leffler 	 * altsubject_match - Constraint for server certificate alt. subject
19839beb93cSSam Leffler 	 *
19939beb93cSSam Leffler 	 * Semicolon separated string of entries to be matched against the
20039beb93cSSam Leffler 	 * alternative subject name of the authentication server certificate.
20139beb93cSSam Leffler 	 * If this string is set, the server sertificate is only accepted if it
20239beb93cSSam Leffler 	 * contains one of the entries in an alternative subject name
20339beb93cSSam Leffler 	 * extension.
20439beb93cSSam Leffler 	 *
20539beb93cSSam Leffler 	 * altSubjectName string is in following format: TYPE:VALUE
20639beb93cSSam Leffler 	 *
20739beb93cSSam Leffler 	 * Example: EMAIL:server@example.com
20839beb93cSSam Leffler 	 * Example: DNS:server.example.com;DNS:server2.example.com
20939beb93cSSam Leffler 	 *
21039beb93cSSam Leffler 	 * Following types are supported: EMAIL, DNS, URI
21139beb93cSSam Leffler 	 */
21239beb93cSSam Leffler 	u8 *altsubject_match;
21339beb93cSSam Leffler 
21439beb93cSSam Leffler 	/**
215*5b9c547cSRui Paulo 	 * domain_suffix_match - Constraint for server domain name
216*5b9c547cSRui Paulo 	 *
217*5b9c547cSRui Paulo 	 * If set, this FQDN is used as a suffix match requirement for the
218*5b9c547cSRui Paulo 	 * server certificate in SubjectAltName dNSName element(s). If a
219*5b9c547cSRui Paulo 	 * matching dNSName is found, this constraint is met. If no dNSName
220*5b9c547cSRui Paulo 	 * values are present, this constraint is matched against SubjectName CN
221*5b9c547cSRui Paulo 	 * using same suffix match comparison. Suffix match here means that the
222*5b9c547cSRui Paulo 	 * host/domain name is compared one label at a time starting from the
223*5b9c547cSRui Paulo 	 * top-level domain and all the labels in domain_suffix_match shall be
224*5b9c547cSRui Paulo 	 * included in the certificate. The certificate may include additional
225*5b9c547cSRui Paulo 	 * sub-level labels in addition to the required labels.
226*5b9c547cSRui Paulo 	 *
227*5b9c547cSRui Paulo 	 * For example, domain_suffix_match=example.com would match
228*5b9c547cSRui Paulo 	 * test.example.com but would not match test-example.com.
229*5b9c547cSRui Paulo 	 */
230*5b9c547cSRui Paulo 	char *domain_suffix_match;
231*5b9c547cSRui Paulo 
232*5b9c547cSRui Paulo 	/**
233*5b9c547cSRui Paulo 	 * domain_match - Constraint for server domain name
234*5b9c547cSRui Paulo 	 *
235*5b9c547cSRui Paulo 	 * If set, this FQDN is used as a full match requirement for the
236*5b9c547cSRui Paulo 	 * server certificate in SubjectAltName dNSName element(s). If a
237*5b9c547cSRui Paulo 	 * matching dNSName is found, this constraint is met. If no dNSName
238*5b9c547cSRui Paulo 	 * values are present, this constraint is matched against SubjectName CN
239*5b9c547cSRui Paulo 	 * using same full match comparison. This behavior is similar to
240*5b9c547cSRui Paulo 	 * domain_suffix_match, but has the requirement of a full match, i.e.,
241*5b9c547cSRui Paulo 	 * no subdomains or wildcard matches are allowed. Case-insensitive
242*5b9c547cSRui Paulo 	 * comparison is used, so "Example.com" matches "example.com", but would
243*5b9c547cSRui Paulo 	 * not match "test.Example.com".
244*5b9c547cSRui Paulo 	 */
245*5b9c547cSRui Paulo 	char *domain_match;
246*5b9c547cSRui Paulo 
247*5b9c547cSRui Paulo 	/**
24839beb93cSSam Leffler 	 * ca_cert2 - File path to CA certificate file (PEM/DER) (Phase 2)
24939beb93cSSam Leffler 	 *
25039beb93cSSam Leffler 	 * This file can have one or more trusted CA certificates. If ca_cert2
25139beb93cSSam Leffler 	 * and ca_path2 are not included, server certificate will not be
25239beb93cSSam Leffler 	 * verified. This is insecure and a trusted CA certificate should
25339beb93cSSam Leffler 	 * always be configured. Full path to the file should be used since
25439beb93cSSam Leffler 	 * working directory may change when wpa_supplicant is run in the
25539beb93cSSam Leffler 	 * background.
25639beb93cSSam Leffler 	 *
25739beb93cSSam Leffler 	 * This field is like ca_cert, but used for phase 2 (inside
25839beb93cSSam Leffler 	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
25939beb93cSSam Leffler 	 *
26039beb93cSSam Leffler 	 * Alternatively, a named configuration blob can be used by setting
26139beb93cSSam Leffler 	 * this to blob://blob_name.
26239beb93cSSam Leffler 	 */
26339beb93cSSam Leffler 	u8 *ca_cert2;
26439beb93cSSam Leffler 
26539beb93cSSam Leffler 	/**
26639beb93cSSam Leffler 	 * ca_path2 - Directory path for CA certificate files (PEM) (Phase 2)
26739beb93cSSam Leffler 	 *
26839beb93cSSam Leffler 	 * This path may contain multiple CA certificates in OpenSSL format.
26939beb93cSSam Leffler 	 * Common use for this is to point to system trusted CA list which is
27039beb93cSSam Leffler 	 * often installed into directory like /etc/ssl/certs. If configured,
27139beb93cSSam Leffler 	 * these certificates are added to the list of trusted CAs. ca_cert
27239beb93cSSam Leffler 	 * may also be included in that case, but it is not required.
27339beb93cSSam Leffler 	 *
27439beb93cSSam Leffler 	 * This field is like ca_path, but used for phase 2 (inside
27539beb93cSSam Leffler 	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
27639beb93cSSam Leffler 	 */
27739beb93cSSam Leffler 	u8 *ca_path2;
27839beb93cSSam Leffler 
27939beb93cSSam Leffler 	/**
28039beb93cSSam Leffler 	 * client_cert2 - File path to client certificate file
28139beb93cSSam Leffler 	 *
28239beb93cSSam Leffler 	 * This field is like client_cert, but used for phase 2 (inside
28339beb93cSSam Leffler 	 * EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
28439beb93cSSam Leffler 	 * file should be used since working directory may change when
28539beb93cSSam Leffler 	 * wpa_supplicant is run in the background.
28639beb93cSSam Leffler 	 *
28739beb93cSSam Leffler 	 * Alternatively, a named configuration blob can be used by setting
28839beb93cSSam Leffler 	 * this to blob://blob_name.
28939beb93cSSam Leffler 	 */
29039beb93cSSam Leffler 	u8 *client_cert2;
29139beb93cSSam Leffler 
29239beb93cSSam Leffler 	/**
29339beb93cSSam Leffler 	 * private_key2 - File path to client private key file
29439beb93cSSam Leffler 	 *
29539beb93cSSam Leffler 	 * This field is like private_key, but used for phase 2 (inside
29639beb93cSSam Leffler 	 * EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
29739beb93cSSam Leffler 	 * file should be used since working directory may change when
29839beb93cSSam Leffler 	 * wpa_supplicant is run in the background.
29939beb93cSSam Leffler 	 *
30039beb93cSSam Leffler 	 * Alternatively, a named configuration blob can be used by setting
30139beb93cSSam Leffler 	 * this to blob://blob_name.
30239beb93cSSam Leffler 	 */
30339beb93cSSam Leffler 	u8 *private_key2;
30439beb93cSSam Leffler 
30539beb93cSSam Leffler 	/**
30639beb93cSSam Leffler 	 * private_key2_passwd -  Password for private key file
30739beb93cSSam Leffler 	 *
30839beb93cSSam Leffler 	 * This field is like private_key_passwd, but used for phase 2 (inside
30939beb93cSSam Leffler 	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
31039beb93cSSam Leffler 	 */
311*5b9c547cSRui Paulo 	char *private_key2_passwd;
31239beb93cSSam Leffler 
31339beb93cSSam Leffler 	/**
31439beb93cSSam Leffler 	 * dh_file2 - File path to DH/DSA parameters file (in PEM format)
31539beb93cSSam Leffler 	 *
31639beb93cSSam Leffler 	 * This field is like dh_file, but used for phase 2 (inside
31739beb93cSSam Leffler 	 * EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
31839beb93cSSam Leffler 	 * file should be used since working directory may change when
31939beb93cSSam Leffler 	 * wpa_supplicant is run in the background.
32039beb93cSSam Leffler 	 *
32139beb93cSSam Leffler 	 * Alternatively, a named configuration blob can be used by setting
32239beb93cSSam Leffler 	 * this to blob://blob_name.
32339beb93cSSam Leffler 	 */
32439beb93cSSam Leffler 	u8 *dh_file2;
32539beb93cSSam Leffler 
32639beb93cSSam Leffler 	/**
32739beb93cSSam Leffler 	 * subject_match2 - Constraint for server certificate subject
32839beb93cSSam Leffler 	 *
32939beb93cSSam Leffler 	 * This field is like subject_match, but used for phase 2 (inside
33039beb93cSSam Leffler 	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
33139beb93cSSam Leffler 	 */
33239beb93cSSam Leffler 	u8 *subject_match2;
33339beb93cSSam Leffler 
33439beb93cSSam Leffler 	/**
33539beb93cSSam Leffler 	 * altsubject_match2 - Constraint for server certificate alt. subject
33639beb93cSSam Leffler 	 *
33739beb93cSSam Leffler 	 * This field is like altsubject_match, but used for phase 2 (inside
33839beb93cSSam Leffler 	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
33939beb93cSSam Leffler 	 */
34039beb93cSSam Leffler 	u8 *altsubject_match2;
34139beb93cSSam Leffler 
34239beb93cSSam Leffler 	/**
343*5b9c547cSRui Paulo 	 * domain_suffix_match2 - Constraint for server domain name
344*5b9c547cSRui Paulo 	 *
345*5b9c547cSRui Paulo 	 * This field is like domain_suffix_match, but used for phase 2 (inside
346*5b9c547cSRui Paulo 	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
347*5b9c547cSRui Paulo 	 */
348*5b9c547cSRui Paulo 	char *domain_suffix_match2;
349*5b9c547cSRui Paulo 
350*5b9c547cSRui Paulo 	/**
351*5b9c547cSRui Paulo 	 * domain_match2 - Constraint for server domain name
352*5b9c547cSRui Paulo 	 *
353*5b9c547cSRui Paulo 	 * This field is like domain_match, but used for phase 2 (inside
354*5b9c547cSRui Paulo 	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
355*5b9c547cSRui Paulo 	 */
356*5b9c547cSRui Paulo 	char *domain_match2;
357*5b9c547cSRui Paulo 
358*5b9c547cSRui Paulo 	/**
35939beb93cSSam Leffler 	 * eap_methods - Allowed EAP methods
36039beb93cSSam Leffler 	 *
36139beb93cSSam Leffler 	 * (vendor=EAP_VENDOR_IETF,method=EAP_TYPE_NONE) terminated list of
36239beb93cSSam Leffler 	 * allowed EAP methods or %NULL if all methods are accepted.
36339beb93cSSam Leffler 	 */
36439beb93cSSam Leffler 	struct eap_method_type *eap_methods;
36539beb93cSSam Leffler 
36639beb93cSSam Leffler 	/**
36739beb93cSSam Leffler 	 * phase1 - Phase 1 (outer authentication) parameters
36839beb93cSSam Leffler 	 *
36939beb93cSSam Leffler 	 * String with field-value pairs, e.g., "peapver=0" or
37039beb93cSSam Leffler 	 * "peapver=1 peaplabel=1".
37139beb93cSSam Leffler 	 *
37239beb93cSSam Leffler 	 * 'peapver' can be used to force which PEAP version (0 or 1) is used.
37339beb93cSSam Leffler 	 *
37439beb93cSSam Leffler 	 * 'peaplabel=1' can be used to force new label, "client PEAP
37539beb93cSSam Leffler 	 * encryption",	to be used during key derivation when PEAPv1 or newer.
37639beb93cSSam Leffler 	 *
37739beb93cSSam Leffler 	 * Most existing PEAPv1 implementation seem to be using the old label,
37839beb93cSSam Leffler 	 * "client EAP encryption", and wpa_supplicant is now using that as the
37939beb93cSSam Leffler 	 * default value.
38039beb93cSSam Leffler 	 *
38139beb93cSSam Leffler 	 * Some servers, e.g., Radiator, may require peaplabel=1 configuration
38239beb93cSSam Leffler 	 * to interoperate with PEAPv1; see eap_testing.txt for more details.
38339beb93cSSam Leffler 	 *
38439beb93cSSam Leffler 	 * 'peap_outer_success=0' can be used to terminate PEAP authentication
38539beb93cSSam Leffler 	 * on tunneled EAP-Success. This is required with some RADIUS servers
38639beb93cSSam Leffler 	 * that implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
38739beb93cSSam Leffler 	 * Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode).
38839beb93cSSam Leffler 	 *
38939beb93cSSam Leffler 	 * include_tls_length=1 can be used to force wpa_supplicant to include
39039beb93cSSam Leffler 	 * TLS Message Length field in all TLS messages even if they are not
39139beb93cSSam Leffler 	 * fragmented.
39239beb93cSSam Leffler 	 *
39339beb93cSSam Leffler 	 * sim_min_num_chal=3 can be used to configure EAP-SIM to require three
39439beb93cSSam Leffler 	 * challenges (by default, it accepts 2 or 3).
39539beb93cSSam Leffler 	 *
39639beb93cSSam Leffler 	 * result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use
39739beb93cSSam Leffler 	 * protected result indication.
39839beb93cSSam Leffler 	 *
39939beb93cSSam Leffler 	 * fast_provisioning option can be used to enable in-line provisioning
40039beb93cSSam Leffler 	 * of EAP-FAST credentials (PAC):
40139beb93cSSam Leffler 	 * 0 = disabled,
40239beb93cSSam Leffler 	 * 1 = allow unauthenticated provisioning,
40339beb93cSSam Leffler 	 * 2 = allow authenticated provisioning,
40439beb93cSSam Leffler 	 * 3 = allow both unauthenticated and authenticated provisioning
40539beb93cSSam Leffler 	 *
40639beb93cSSam Leffler 	 * fast_max_pac_list_len=num option can be used to set the maximum
40739beb93cSSam Leffler 	 * number of PAC entries to store in a PAC list (default: 10).
40839beb93cSSam Leffler 	 *
40939beb93cSSam Leffler 	 * fast_pac_format=binary option can be used to select binary format
41039beb93cSSam Leffler 	 * for storing PAC entries in order to save some space (the default
41139beb93cSSam Leffler 	 * text format uses about 2.5 times the size of minimal binary format).
41239beb93cSSam Leffler 	 *
41339beb93cSSam Leffler 	 * crypto_binding option can be used to control PEAPv0 cryptobinding
41439beb93cSSam Leffler 	 * behavior:
41539beb93cSSam Leffler 	 * 0 = do not use cryptobinding (default)
41639beb93cSSam Leffler 	 * 1 = use cryptobinding if server supports it
41739beb93cSSam Leffler 	 * 2 = require cryptobinding
41839beb93cSSam Leffler 	 *
41939beb93cSSam Leffler 	 * EAP-WSC (WPS) uses following options: pin=Device_Password and
42039beb93cSSam Leffler 	 * uuid=Device_UUID
421*5b9c547cSRui Paulo 	 *
422*5b9c547cSRui Paulo 	 * For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
423*5b9c547cSRui Paulo 	 * used to configure a mode that allows EAP-Success (and EAP-Failure)
424*5b9c547cSRui Paulo 	 * without going through authentication step. Some switches use such
425*5b9c547cSRui Paulo 	 * sequence when forcing the port to be authorized/unauthorized or as a
426*5b9c547cSRui Paulo 	 * fallback option if the authentication server is unreachable. By
427*5b9c547cSRui Paulo 	 * default, wpa_supplicant discards such frames to protect against
428*5b9c547cSRui Paulo 	 * potential attacks by rogue devices, but this option can be used to
429*5b9c547cSRui Paulo 	 * disable that protection for cases where the server/authenticator does
430*5b9c547cSRui Paulo 	 * not need to be authenticated.
43139beb93cSSam Leffler 	 */
43239beb93cSSam Leffler 	char *phase1;
43339beb93cSSam Leffler 
43439beb93cSSam Leffler 	/**
43539beb93cSSam Leffler 	 * phase2 - Phase2 (inner authentication with TLS tunnel) parameters
43639beb93cSSam Leffler 	 *
43739beb93cSSam Leffler 	 * String with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
438*5b9c547cSRui Paulo 	 * "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS. "mschapv2_retry=0" can
439*5b9c547cSRui Paulo 	 * be used to disable MSCHAPv2 password retry in authentication failure
440*5b9c547cSRui Paulo 	 * cases.
44139beb93cSSam Leffler 	 */
44239beb93cSSam Leffler 	char *phase2;
44339beb93cSSam Leffler 
44439beb93cSSam Leffler 	/**
44539beb93cSSam Leffler 	 * pcsc - Parameters for PC/SC smartcard interface for USIM and GSM SIM
44639beb93cSSam Leffler 	 *
44739beb93cSSam Leffler 	 * This field is used to configure PC/SC smartcard interface.
44839beb93cSSam Leffler 	 * Currently, the only configuration is whether this field is %NULL (do
44939beb93cSSam Leffler 	 * not use PC/SC) or non-NULL (e.g., "") to enable PC/SC.
45039beb93cSSam Leffler 	 *
45139beb93cSSam Leffler 	 * This field is used for EAP-SIM and EAP-AKA.
45239beb93cSSam Leffler 	 */
45339beb93cSSam Leffler 	char *pcsc;
45439beb93cSSam Leffler 
45539beb93cSSam Leffler 	/**
45639beb93cSSam Leffler 	 * pin - PIN for USIM, GSM SIM, and smartcards
45739beb93cSSam Leffler 	 *
45839beb93cSSam Leffler 	 * This field is used to configure PIN for SIM and smartcards for
45939beb93cSSam Leffler 	 * EAP-SIM and EAP-AKA. In addition, this is used with EAP-TLS if a
46039beb93cSSam Leffler 	 * smartcard is used for private key operations.
46139beb93cSSam Leffler 	 *
46239beb93cSSam Leffler 	 * If left out, this will be asked through control interface.
46339beb93cSSam Leffler 	 */
46439beb93cSSam Leffler 	char *pin;
46539beb93cSSam Leffler 
46639beb93cSSam Leffler 	/**
46739beb93cSSam Leffler 	 * engine - Enable OpenSSL engine (e.g., for smartcard access)
46839beb93cSSam Leffler 	 *
46939beb93cSSam Leffler 	 * This is used if private key operations for EAP-TLS are performed
47039beb93cSSam Leffler 	 * using a smartcard.
47139beb93cSSam Leffler 	 */
47239beb93cSSam Leffler 	int engine;
47339beb93cSSam Leffler 
47439beb93cSSam Leffler 	/**
47539beb93cSSam Leffler 	 * engine_id - Engine ID for OpenSSL engine
47639beb93cSSam Leffler 	 *
47739beb93cSSam Leffler 	 * "opensc" to select OpenSC engine or "pkcs11" to select PKCS#11
47839beb93cSSam Leffler 	 * engine.
47939beb93cSSam Leffler 	 *
48039beb93cSSam Leffler 	 * This is used if private key operations for EAP-TLS are performed
48139beb93cSSam Leffler 	 * using a smartcard.
48239beb93cSSam Leffler 	 */
48339beb93cSSam Leffler 	char *engine_id;
48439beb93cSSam Leffler 
48539beb93cSSam Leffler 	/**
48639beb93cSSam Leffler 	 * engine2 - Enable OpenSSL engine (e.g., for smartcard) (Phase 2)
48739beb93cSSam Leffler 	 *
48839beb93cSSam Leffler 	 * This is used if private key operations for EAP-TLS are performed
48939beb93cSSam Leffler 	 * using a smartcard.
49039beb93cSSam Leffler 	 *
49139beb93cSSam Leffler 	 * This field is like engine, but used for phase 2 (inside
49239beb93cSSam Leffler 	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
49339beb93cSSam Leffler 	 */
49439beb93cSSam Leffler 	int engine2;
49539beb93cSSam Leffler 
49639beb93cSSam Leffler 
49739beb93cSSam Leffler 	/**
49839beb93cSSam Leffler 	 * pin2 - PIN for USIM, GSM SIM, and smartcards (Phase 2)
49939beb93cSSam Leffler 	 *
50039beb93cSSam Leffler 	 * This field is used to configure PIN for SIM and smartcards for
50139beb93cSSam Leffler 	 * EAP-SIM and EAP-AKA. In addition, this is used with EAP-TLS if a
50239beb93cSSam Leffler 	 * smartcard is used for private key operations.
50339beb93cSSam Leffler 	 *
50439beb93cSSam Leffler 	 * This field is like pin2, but used for phase 2 (inside
50539beb93cSSam Leffler 	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
50639beb93cSSam Leffler 	 *
50739beb93cSSam Leffler 	 * If left out, this will be asked through control interface.
50839beb93cSSam Leffler 	 */
50939beb93cSSam Leffler 	char *pin2;
51039beb93cSSam Leffler 
51139beb93cSSam Leffler 	/**
51239beb93cSSam Leffler 	 * engine2_id - Engine ID for OpenSSL engine (Phase 2)
51339beb93cSSam Leffler 	 *
51439beb93cSSam Leffler 	 * "opensc" to select OpenSC engine or "pkcs11" to select PKCS#11
51539beb93cSSam Leffler 	 * engine.
51639beb93cSSam Leffler 	 *
51739beb93cSSam Leffler 	 * This is used if private key operations for EAP-TLS are performed
51839beb93cSSam Leffler 	 * using a smartcard.
51939beb93cSSam Leffler 	 *
52039beb93cSSam Leffler 	 * This field is like engine_id, but used for phase 2 (inside
52139beb93cSSam Leffler 	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
52239beb93cSSam Leffler 	 */
52339beb93cSSam Leffler 	char *engine2_id;
52439beb93cSSam Leffler 
52539beb93cSSam Leffler 
52639beb93cSSam Leffler 	/**
52739beb93cSSam Leffler 	 * key_id - Key ID for OpenSSL engine
52839beb93cSSam Leffler 	 *
52939beb93cSSam Leffler 	 * This is used if private key operations for EAP-TLS are performed
53039beb93cSSam Leffler 	 * using a smartcard.
53139beb93cSSam Leffler 	 */
53239beb93cSSam Leffler 	char *key_id;
53339beb93cSSam Leffler 
53439beb93cSSam Leffler 	/**
53539beb93cSSam Leffler 	 * cert_id - Cert ID for OpenSSL engine
53639beb93cSSam Leffler 	 *
53739beb93cSSam Leffler 	 * This is used if the certificate operations for EAP-TLS are performed
53839beb93cSSam Leffler 	 * using a smartcard.
53939beb93cSSam Leffler 	 */
54039beb93cSSam Leffler 	char *cert_id;
54139beb93cSSam Leffler 
54239beb93cSSam Leffler 	/**
54339beb93cSSam Leffler 	 * ca_cert_id - CA Cert ID for OpenSSL engine
54439beb93cSSam Leffler 	 *
54539beb93cSSam Leffler 	 * This is used if the CA certificate for EAP-TLS is on a smartcard.
54639beb93cSSam Leffler 	 */
54739beb93cSSam Leffler 	char *ca_cert_id;
54839beb93cSSam Leffler 
54939beb93cSSam Leffler 	/**
55039beb93cSSam Leffler 	 * key2_id - Key ID for OpenSSL engine (phase2)
55139beb93cSSam Leffler 	 *
55239beb93cSSam Leffler 	 * This is used if private key operations for EAP-TLS are performed
55339beb93cSSam Leffler 	 * using a smartcard.
55439beb93cSSam Leffler 	 */
55539beb93cSSam Leffler 	char *key2_id;
55639beb93cSSam Leffler 
55739beb93cSSam Leffler 	/**
55839beb93cSSam Leffler 	 * cert2_id - Cert ID for OpenSSL engine (phase2)
55939beb93cSSam Leffler 	 *
56039beb93cSSam Leffler 	 * This is used if the certificate operations for EAP-TLS are performed
56139beb93cSSam Leffler 	 * using a smartcard.
56239beb93cSSam Leffler 	 */
56339beb93cSSam Leffler 	char *cert2_id;
56439beb93cSSam Leffler 
56539beb93cSSam Leffler 	/**
56639beb93cSSam Leffler 	 * ca_cert2_id - CA Cert ID for OpenSSL engine (phase2)
56739beb93cSSam Leffler 	 *
56839beb93cSSam Leffler 	 * This is used if the CA certificate for EAP-TLS is on a smartcard.
56939beb93cSSam Leffler 	 */
57039beb93cSSam Leffler 	char *ca_cert2_id;
57139beb93cSSam Leffler 
57239beb93cSSam Leffler 	/**
57339beb93cSSam Leffler 	 * otp - One-time-password
57439beb93cSSam Leffler 	 *
57539beb93cSSam Leffler 	 * This field should not be set in configuration step. It is only used
57639beb93cSSam Leffler 	 * internally when OTP is entered through the control interface.
57739beb93cSSam Leffler 	 */
57839beb93cSSam Leffler 	u8 *otp;
57939beb93cSSam Leffler 
58039beb93cSSam Leffler 	/**
58139beb93cSSam Leffler 	 * otp_len - Length of the otp field
58239beb93cSSam Leffler 	 */
58339beb93cSSam Leffler 	size_t otp_len;
58439beb93cSSam Leffler 
58539beb93cSSam Leffler 	/**
58639beb93cSSam Leffler 	 * pending_req_identity - Whether there is a pending identity request
58739beb93cSSam Leffler 	 *
58839beb93cSSam Leffler 	 * This field should not be set in configuration step. It is only used
58939beb93cSSam Leffler 	 * internally when control interface is used to request needed
59039beb93cSSam Leffler 	 * information.
59139beb93cSSam Leffler 	 */
59239beb93cSSam Leffler 	int pending_req_identity;
59339beb93cSSam Leffler 
59439beb93cSSam Leffler 	/**
59539beb93cSSam Leffler 	 * pending_req_password - Whether there is a pending password request
59639beb93cSSam Leffler 	 *
59739beb93cSSam Leffler 	 * This field should not be set in configuration step. It is only used
59839beb93cSSam Leffler 	 * internally when control interface is used to request needed
59939beb93cSSam Leffler 	 * information.
60039beb93cSSam Leffler 	 */
60139beb93cSSam Leffler 	int pending_req_password;
60239beb93cSSam Leffler 
60339beb93cSSam Leffler 	/**
60439beb93cSSam Leffler 	 * pending_req_pin - Whether there is a pending PIN request
60539beb93cSSam Leffler 	 *
60639beb93cSSam Leffler 	 * This field should not be set in configuration step. It is only used
60739beb93cSSam Leffler 	 * internally when control interface is used to request needed
60839beb93cSSam Leffler 	 * information.
60939beb93cSSam Leffler 	 */
61039beb93cSSam Leffler 	int pending_req_pin;
61139beb93cSSam Leffler 
61239beb93cSSam Leffler 	/**
61339beb93cSSam Leffler 	 * pending_req_new_password - Pending password update request
61439beb93cSSam Leffler 	 *
61539beb93cSSam Leffler 	 * This field should not be set in configuration step. It is only used
61639beb93cSSam Leffler 	 * internally when control interface is used to request needed
61739beb93cSSam Leffler 	 * information.
61839beb93cSSam Leffler 	 */
61939beb93cSSam Leffler 	int pending_req_new_password;
62039beb93cSSam Leffler 
62139beb93cSSam Leffler 	/**
62239beb93cSSam Leffler 	 * pending_req_passphrase - Pending passphrase request
62339beb93cSSam Leffler 	 *
62439beb93cSSam Leffler 	 * This field should not be set in configuration step. It is only used
62539beb93cSSam Leffler 	 * internally when control interface is used to request needed
62639beb93cSSam Leffler 	 * information.
62739beb93cSSam Leffler 	 */
62839beb93cSSam Leffler 	int pending_req_passphrase;
62939beb93cSSam Leffler 
63039beb93cSSam Leffler 	/**
63139beb93cSSam Leffler 	 * pending_req_otp - Whether there is a pending OTP request
63239beb93cSSam Leffler 	 *
63339beb93cSSam Leffler 	 * This field should not be set in configuration step. It is only used
63439beb93cSSam Leffler 	 * internally when control interface is used to request needed
63539beb93cSSam Leffler 	 * information.
63639beb93cSSam Leffler 	 */
63739beb93cSSam Leffler 	char *pending_req_otp;
63839beb93cSSam Leffler 
63939beb93cSSam Leffler 	/**
64039beb93cSSam Leffler 	 * pending_req_otp_len - Length of the pending OTP request
64139beb93cSSam Leffler 	 */
64239beb93cSSam Leffler 	size_t pending_req_otp_len;
64339beb93cSSam Leffler 
64439beb93cSSam Leffler 	/**
64539beb93cSSam Leffler 	 * pac_file - File path or blob name for the PAC entries (EAP-FAST)
64639beb93cSSam Leffler 	 *
64739beb93cSSam Leffler 	 * wpa_supplicant will need to be able to create this file and write
64839beb93cSSam Leffler 	 * updates to it when PAC is being provisioned or refreshed. Full path
64939beb93cSSam Leffler 	 * to the file should be used since working directory may change when
65039beb93cSSam Leffler 	 * wpa_supplicant is run in the background.
65139beb93cSSam Leffler 	 * Alternatively, a named configuration blob can be used by setting
65239beb93cSSam Leffler 	 * this to blob://blob_name.
65339beb93cSSam Leffler 	 */
65439beb93cSSam Leffler 	char *pac_file;
65539beb93cSSam Leffler 
65639beb93cSSam Leffler 	/**
65739beb93cSSam Leffler 	 * mschapv2_retry - MSCHAPv2 retry in progress
65839beb93cSSam Leffler 	 *
65939beb93cSSam Leffler 	 * This field is used internally by EAP-MSCHAPv2 and should not be set
66039beb93cSSam Leffler 	 * as part of configuration.
66139beb93cSSam Leffler 	 */
66239beb93cSSam Leffler 	int mschapv2_retry;
66339beb93cSSam Leffler 
66439beb93cSSam Leffler 	/**
66539beb93cSSam Leffler 	 * new_password - New password for password update
66639beb93cSSam Leffler 	 *
66739beb93cSSam Leffler 	 * This field is used during MSCHAPv2 password update. This is normally
66839beb93cSSam Leffler 	 * requested from the user through the control interface and not set
66939beb93cSSam Leffler 	 * from configuration.
67039beb93cSSam Leffler 	 */
67139beb93cSSam Leffler 	u8 *new_password;
67239beb93cSSam Leffler 
67339beb93cSSam Leffler 	/**
67439beb93cSSam Leffler 	 * new_password_len - Length of new_password field
67539beb93cSSam Leffler 	 */
67639beb93cSSam Leffler 	size_t new_password_len;
67739beb93cSSam Leffler 
67839beb93cSSam Leffler 	/**
67939beb93cSSam Leffler 	 * fragment_size - Maximum EAP fragment size in bytes (default 1398)
68039beb93cSSam Leffler 	 *
68139beb93cSSam Leffler 	 * This value limits the fragment size for EAP methods that support
68239beb93cSSam Leffler 	 * fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
68339beb93cSSam Leffler 	 * small enough to make the EAP messages fit in MTU of the network
68439beb93cSSam Leffler 	 * interface used for EAPOL. The default value is suitable for most
68539beb93cSSam Leffler 	 * cases.
68639beb93cSSam Leffler 	 */
68739beb93cSSam Leffler 	int fragment_size;
68839beb93cSSam Leffler 
68939beb93cSSam Leffler #define EAP_CONFIG_FLAGS_PASSWORD_NTHASH BIT(0)
690f05cddf9SRui Paulo #define EAP_CONFIG_FLAGS_EXT_PASSWORD BIT(1)
69139beb93cSSam Leffler 	/**
69239beb93cSSam Leffler 	 * flags - Network configuration flags (bitfield)
69339beb93cSSam Leffler 	 *
69439beb93cSSam Leffler 	 * This variable is used for internal flags to describe further details
69539beb93cSSam Leffler 	 * for the network parameters.
69639beb93cSSam Leffler 	 * bit 0 = password is represented as a 16-byte NtPasswordHash value
69739beb93cSSam Leffler 	 *         instead of plaintext password
698f05cddf9SRui Paulo 	 * bit 1 = password is stored in external storage; the value in the
699f05cddf9SRui Paulo 	 *         password field is the name of that external entry
70039beb93cSSam Leffler 	 */
70139beb93cSSam Leffler 	u32 flags;
702*5b9c547cSRui Paulo 
703*5b9c547cSRui Paulo 	/**
704*5b9c547cSRui Paulo 	 * ocsp - Whether to use/require OCSP to check server certificate
705*5b9c547cSRui Paulo 	 *
706*5b9c547cSRui Paulo 	 * 0 = do not use OCSP stapling (TLS certificate status extension)
707*5b9c547cSRui Paulo 	 * 1 = try to use OCSP stapling, but not require response
708*5b9c547cSRui Paulo 	 * 2 = require valid OCSP stapling response
709*5b9c547cSRui Paulo 	 */
710*5b9c547cSRui Paulo 	int ocsp;
711*5b9c547cSRui Paulo 
712*5b9c547cSRui Paulo 	/**
713*5b9c547cSRui Paulo 	 * external_sim_resp - Response from external SIM processing
714*5b9c547cSRui Paulo 	 *
715*5b9c547cSRui Paulo 	 * This field should not be set in configuration step. It is only used
716*5b9c547cSRui Paulo 	 * internally when control interface is used to request external
717*5b9c547cSRui Paulo 	 * SIM/USIM processing.
718*5b9c547cSRui Paulo 	 */
719*5b9c547cSRui Paulo 	char *external_sim_resp;
720*5b9c547cSRui Paulo 
721*5b9c547cSRui Paulo 	/**
722*5b9c547cSRui Paulo 	 * sim_num - User selected SIM identifier
723*5b9c547cSRui Paulo 	 *
724*5b9c547cSRui Paulo 	 * This variable is used for identifying which SIM is used if the system
725*5b9c547cSRui Paulo 	 * has more than one.
726*5b9c547cSRui Paulo 	 */
727*5b9c547cSRui Paulo 	int sim_num;
728*5b9c547cSRui Paulo 
729*5b9c547cSRui Paulo 	/**
730*5b9c547cSRui Paulo 	 * openssl_ciphers - OpenSSL cipher string
731*5b9c547cSRui Paulo 	 *
732*5b9c547cSRui Paulo 	 * This is an OpenSSL specific configuration option for configuring the
733*5b9c547cSRui Paulo 	 * ciphers for this connection. If not set, the default cipher suite
734*5b9c547cSRui Paulo 	 * list is used.
735*5b9c547cSRui Paulo 	 */
736*5b9c547cSRui Paulo 	char *openssl_ciphers;
737*5b9c547cSRui Paulo 
738*5b9c547cSRui Paulo 	/**
739*5b9c547cSRui Paulo 	 * erp - Whether EAP Re-authentication Protocol (ERP) is enabled
740*5b9c547cSRui Paulo 	 */
741*5b9c547cSRui Paulo 	int erp;
74239beb93cSSam Leffler };
74339beb93cSSam Leffler 
74439beb93cSSam Leffler 
74539beb93cSSam Leffler /**
74639beb93cSSam Leffler  * struct wpa_config_blob - Named configuration blob
74739beb93cSSam Leffler  *
74839beb93cSSam Leffler  * This data structure is used to provide storage for binary objects to store
74939beb93cSSam Leffler  * abstract information like certificates and private keys inlined with the
75039beb93cSSam Leffler  * configuration data.
75139beb93cSSam Leffler  */
75239beb93cSSam Leffler struct wpa_config_blob {
75339beb93cSSam Leffler 	/**
75439beb93cSSam Leffler 	 * name - Blob name
75539beb93cSSam Leffler 	 */
75639beb93cSSam Leffler 	char *name;
75739beb93cSSam Leffler 
75839beb93cSSam Leffler 	/**
75939beb93cSSam Leffler 	 * data - Pointer to binary data
76039beb93cSSam Leffler 	 */
76139beb93cSSam Leffler 	u8 *data;
76239beb93cSSam Leffler 
76339beb93cSSam Leffler 	/**
76439beb93cSSam Leffler 	 * len - Length of binary data
76539beb93cSSam Leffler 	 */
76639beb93cSSam Leffler 	size_t len;
76739beb93cSSam Leffler 
76839beb93cSSam Leffler 	/**
76939beb93cSSam Leffler 	 * next - Pointer to next blob in the configuration
77039beb93cSSam Leffler 	 */
77139beb93cSSam Leffler 	struct wpa_config_blob *next;
77239beb93cSSam Leffler };
77339beb93cSSam Leffler 
77439beb93cSSam Leffler #endif /* EAP_CONFIG_H */
775