esp-idf/components/wpa_supplicant/esp_supplicant/include/esp_eap_client.h

327 lines
13 KiB
C

/*
* SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
#pragma once
#include <stdbool.h>
#include "esp_err.h"
#ifdef __cplusplus
extern "C" {
#endif
/**
* @brief Enumeration of phase 2 authentication types for EAP-TTLS.
*
* This enumeration defines the supported phase 2 authentication methods
* that can be used in the EAP-TTLS (Extensible Authentication Protocol -
* Tunneled Transport Layer Security) protocol for the second authentication
* phase.
*/
typedef enum {
ESP_EAP_TTLS_PHASE2_EAP, /**< EAP (Extensible Authentication Protocol) */
ESP_EAP_TTLS_PHASE2_MSCHAPV2, /**< MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol - Version 2) */
ESP_EAP_TTLS_PHASE2_MSCHAP, /**< MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) */
ESP_EAP_TTLS_PHASE2_PAP, /**< PAP (Password Authentication Protocol) */
ESP_EAP_TTLS_PHASE2_CHAP /**< CHAP (Challenge Handshake Authentication Protocol) */
} esp_eap_ttls_phase2_types;
/**
* @brief Configuration settings for EAP-FAST
* (Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling).
*
* This structure defines the configuration options that can be used to customize the behavior of the
* EAP-FAST authentication protocol, specifically for Fast Provisioning and PAC (Protected Access Credential) handling.
*/
typedef struct {
int fast_provisioning; /**< Enable or disable Fast Provisioning in EAP-FAST (0 = disabled, 1 = enabled) */
int fast_max_pac_list_len; /**< Maximum length of the PAC (Protected Access Credential) list */
bool fast_pac_format_binary; /**< Set to true for binary format PAC, false for ASCII format PAC */
} esp_eap_fast_config;
/**
* @brief Enable EAP authentication(WiFi Enterprise) for the station mode.
*
* This function enables Extensible Authentication Protocol (EAP) authentication
* for the Wi-Fi station mode. When EAP authentication is enabled, the ESP device
* will attempt to authenticate with the configured EAP credentials when connecting
* to a secure Wi-Fi network.
*
* @note Before calling this function, ensure that the Wi-Fi configuration and EAP
* credentials (such as username and password) have been properly set using the
* appropriate configuration APIs.
*
* @return
* - ESP_OK: EAP authentication enabled successfully.
* - ESP_ERR_NO_MEM: Failed to enable EAP authentication due to memory allocation failure.
*/
esp_err_t esp_wifi_sta_enterprise_enable(void);
/**
* @brief Disable EAP authentication(WiFi Enterprise) for the station mode.
*
* This function disables Extensible Authentication Protocol (EAP) authentication
* for the Wi-Fi station mode. When EAP authentication is disabled, the ESP device
* will not attempt to authenticate using EAP credentials when connecting to a
* secure Wi-Fi network.
*
* @note Disabling EAP authentication may cause the device to connect to the Wi-Fi
* network using other available authentication methods, if configured using esp_wifi_set_config().
*
* @return
* - ESP_OK: EAP authentication disabled successfully.
* - ESP_ERR_INVALID_STATE: EAP client is in an invalid state for disabling.
*/
esp_err_t esp_wifi_sta_enterprise_disable(void);
/**
* @brief Set identity for PEAP/TTLS authentication method.
*
* This function sets the identity to be used during PEAP/TTLS authentication.
*
* @param[in] identity Pointer to the identity data.
* @param[in] len Length of the identity data (limited to 1~127 bytes).
*
* @return
* - ESP_OK: The identity was set successfully.
* - ESP_ERR_INVALID_ARG: Invalid argument (len <= 0 or len >= 128).
* - ESP_ERR_NO_MEM: Memory allocation failure.
*/
esp_err_t esp_eap_client_set_identity(const unsigned char *identity, int len);
/**
* @brief Clear the previously set identity for PEAP/TTLS authentication.
*
* This function clears the identity that was previously set for the EAP client.
* After calling this function, the EAP client will no longer use the previously
* configured identity during the authentication process.
*/
void esp_eap_client_clear_identity(void);
/**
* @brief Set username for PEAP/TTLS authentication method.
*
* This function sets the username to be used during PEAP/TTLS authentication.
*
* @param[in] username Pointer to the username data.
* @param[in] len Length of the username data (limited to 1~127 bytes).
*
* @return
* - ESP_OK: The username was set successfully.
* - ESP_ERR_INVALID_ARG: Failed due to an invalid argument (len <= 0 or len >= 128).
* - ESP_ERR_NO_MEM: Failed due to memory allocation failure.
*/
esp_err_t esp_eap_client_set_username(const unsigned char *username, int len);
/**
* @brief Clear username for PEAP/TTLS method.
*
* This function clears the previously set username for the EAP client.
*/
void esp_eap_client_clear_username(void);
/**
* @brief Set password for PEAP/TTLS authentication method.
*
* This function sets the password to be used during PEAP/TTLS authentication.
*
* @param[in] password Pointer to the password data.
* @param[in] len Length of the password data (len > 0).
*
* @return
* - ESP_OK: The password was set successfully.
* - ESP_ERR_INVALID_ARG: Failed due to an invalid argument (len <= 0).
* - ESP_ERR_NO_MEM: Failed due to memory allocation failure.
*/
esp_err_t esp_eap_client_set_password(const unsigned char *password, int len);
/**
* @brief Clear password for PEAP/TTLS method.
*
* This function clears the previously set password for the EAP client.
*/
void esp_eap_client_clear_password(void);
/**
* @brief Set a new password for MSCHAPv2 authentication method.
*
* This function sets the new password to be used during MSCHAPv2 authentication.
* The new password is used to substitute the old password when an eap-mschapv2 failure request
* message with error code ERROR_PASSWD_EXPIRED is received.
*
* @param[in] new_password Pointer to the new password data.
* @param[in] len Length of the new password data.
*
* @return
* - ESP_OK: The new password was set successfully.
* - ESP_ERR_INVALID_ARG: Failed due to an invalid argument (len <= 0).
* - ESP_ERR_NO_MEM: Failed due to memory allocation failure.
*/
esp_err_t esp_eap_client_set_new_password(const unsigned char *new_password, int len);
/**
* @brief Clear new password for MSCHAPv2 method.
*
* This function clears the previously set new password for the EAP client.
*/
void esp_eap_client_clear_new_password(void);
/**
* @brief Set CA certificate for EAP authentication.
*
* This function sets the Certificate Authority (CA) certificate to be used during EAP authentication.
* The CA certificate is passed to the EAP client module through a global pointer.
*
* @param[in] ca_cert Pointer to the CA certificate data.
* @param[in] ca_cert_len Length of the CA certificate data.
*
* @return
* - ESP_OK: The CA certificate was set successfully.
*/
esp_err_t esp_eap_client_set_ca_cert(const unsigned char *ca_cert, int ca_cert_len);
/**
* @brief Clear the previously set Certificate Authority (CA) certificate for EAP authentication.
*
* This function clears the CA certificate that was previously set for the EAP client.
* After calling this function, the EAP client will no longer use the previously
* configured CA certificate during the authentication process.
*/
void esp_eap_client_clear_ca_cert(void);
/**
* @brief Set client certificate and private key for EAP authentication.
*
* This function sets the client certificate and private key to be used during authentication.
* Optionally, a private key password can be provided for encrypted private keys.
*
* @attention 1. The client certificate, private key, and private key password are provided as pointers
* to the respective data arrays.
* @attention 2. The client_cert, private_key, and private_key_password should be zero-terminated.
*
* @param[in] client_cert Pointer to the client certificate data.
* @param[in] client_cert_len Length of the client certificate data.
* @param[in] private_key Pointer to the private key data.
* @param[in] private_key_len Length of the private key data (limited to 1~4096 bytes).
* @param[in] private_key_password Pointer to the private key password data (optional).
* @param[in] private_key_passwd_len Length of the private key password data (can be 0 for no password).
*
* @return
* - ESP_OK: The certificate, private key, and password (if provided) were set successfully.
*/
esp_err_t esp_eap_client_set_certificate_and_key(const unsigned char *client_cert, int client_cert_len,
const unsigned char *private_key, int private_key_len,
const unsigned char *private_key_password, int private_key_passwd_len);
/**
* @brief Clear the previously set client certificate and private key for EAP authentication.
*
* This function clears the client certificate and private key that were previously set
* for the EAP client. After calling this function, the EAP client will no longer use the
* previously configured certificate and private key during the authentication process.
*/
void esp_eap_client_clear_certificate_and_key(void);
/**
* @brief Set EAP client certificates time check (disable or not).
*
* This function enables or disables the time check for EAP client certificates.
* When disabled, the certificates' expiration time will not be checked during the authentication process.
*
* @param[in] disable True to disable EAP client certificates time check, false to enable it.
*
* @return
* - ESP_OK: The EAP client certificates time check setting was updated successfully.
*/
esp_err_t esp_eap_client_set_disable_time_check(bool disable);
/**
* @brief Get EAP client certificates time check status.
*
* This function retrieves the current status of the EAP client certificates time check.
*
* @param[out] disable Pointer to a boolean variable to store the disable status.
*
* @return
* - ESP_OK: The status of EAP client certificates time check was retrieved successfully.
*/
esp_err_t esp_eap_client_get_disable_time_check(bool *disable);
/**
* @brief Set EAP-TTLS phase 2 method.
*
* This function sets the phase 2 method to be used during EAP-TTLS authentication.
*
* @param[in] type The type of phase 2 method to be used (e.g., EAP, MSCHAPv2, MSCHAP, PAP, CHAP).
*
* @return
* - ESP_OK: The EAP-TTLS phase 2 method was set successfully.
*/
esp_err_t esp_eap_client_set_ttls_phase2_method(esp_eap_ttls_phase2_types type);
/**
* @brief Enable or disable Suite-B 192-bit certification checks.
*
* This function enables or disables the 192-bit Suite-B certification checks during EAP-TLS authentication.
* Suite-B is a set of cryptographic algorithms which generally are considered more secure.
*
* @param[in] enable True to enable 192-bit Suite-B certification checks, false to disable it.
*
* @return
* - ESP_OK: The 192-bit Suite-B certification checks were set successfully.
*/
esp_err_t esp_eap_client_set_suiteb_192bit_certification(bool enable);
/**
* @brief Set the PAC (Protected Access Credential) file for EAP-FAST authentication.
*
* EAP-FAST requires a PAC file that contains the client's credentials.
*
* @attention 1. For files read from the file system, length has to be decremented by 1 byte.
* @attention 2. Disabling the WPA_MBEDTLS_TLS_CLIENT config is required to use EAP-FAST.
*
* @param[in] pac_file Pointer to the PAC file buffer.
* @param[in] pac_file_len Length of the PAC file buffer.
*
* @return
* - ESP_OK: The PAC file for EAP-FAST authentication was set successfully.
*/
esp_err_t esp_eap_client_set_pac_file(const unsigned char *pac_file, int pac_file_len);
/**
* @brief Set the parameters for EAP-FAST Phase 1 authentication.
*
* EAP-FAST supports Fast Provisioning, where clients can be authenticated faster using precomputed keys (PAC).
* This function allows configuring parameters for Fast Provisioning.
*
* @attention 1. Disabling the WPA_MBEDTLS_TLS_CLIENT config is required to use EAP-FAST.
*
* @param[in] config Configuration structure with Fast Provisioning parameters.
*
* @return
* - ESP_OK: The parameters for EAP-FAST Phase 1 authentication were set successfully.
*/
esp_err_t esp_eap_client_set_fast_params(esp_eap_fast_config config);
/**
* @brief Use the default certificate bundle for EAP authentication.
*
* By default, the EAP client uses a built-in certificate bundle for server verification.
* Enabling this option allows the use of the default certificate bundle.
*
* @param[in] use_default_bundle True to use the default certificate bundle, false to use a custom bundle.
*
* @return
* - ESP_OK: The option to use the default certificate bundle was set successfully.
*/
esp_err_t esp_eap_client_use_default_cert_bundle(bool use_default_bundle);
#ifdef __cplusplus
}
#endif