2
* WPA Supplicant / Network configuration structures
3
* Copyright (c) 2003-2006, Jouni Malinen <j@w1.fi>
5
* This program is free software; you can redistribute it and/or modify
6
* it under the terms of the GNU General Public License version 2 as
7
* published by the Free Software Foundation.
9
* Alternatively, this software may be distributed under the terms of BSD
12
* See README and COPYING for more details.
19
/*
 * Bit n as an int bitmask. The cipher/key_mgmt/proto/auth_alg values below
 * are OR-ed together into the int bitfields of struct wpa_ssid, so n is
 * expected to stay well below 31 (shifting 1 into the sign bit is UB).
 */
#define BIT(n) (1 << (n))

/* Cipher suites; bits for wpa_ssid::pairwise_cipher and wpa_ssid::group_cipher. */
#define WPA_CIPHER_NONE BIT(0)
#define WPA_CIPHER_WEP40 BIT(1)
#define WPA_CIPHER_WEP104 BIT(2)
#define WPA_CIPHER_TKIP BIT(3)
#define WPA_CIPHER_CCMP BIT(4)
#ifdef CONFIG_IEEE80211W
/* Management frame integrity cipher; only defined when IEEE 802.11w support is compiled in. */
#define WPA_CIPHER_AES_128_CMAC BIT(5)
#endif /* CONFIG_IEEE80211W */

/* Key management suites; bits for wpa_ssid::key_mgmt. */
#define WPA_KEY_MGMT_IEEE8021X BIT(0)
#define WPA_KEY_MGMT_PSK BIT(1)
#define WPA_KEY_MGMT_NONE BIT(2) /* no WPA/RSN key management (plaintext or static WEP) */
#define WPA_KEY_MGMT_IEEE8021X_NO_WPA BIT(3) /* IEEE 802.1X authentication without WPA/RSN key management */
#define WPA_KEY_MGMT_WPA_NONE BIT(4) /* WPA-None: fixed group key, IBSS only (see wpa_ssid::mode) */

/* Protocol versions; bits for wpa_ssid::proto. */
#define WPA_PROTO_WPA BIT(0)
#define WPA_PROTO_RSN BIT(1) /* RSN == WPA2 */

/* IEEE 802.11 authentication algorithms; bits for wpa_ssid::auth_alg. */
#define WPA_AUTH_ALG_OPEN BIT(0)
#define WPA_AUTH_ALG_SHARED BIT(1) /* shared key authentication */
#define WPA_AUTH_ALG_LEAP BIT(2) /* used when an EAP method using LEAP is enabled (see wpa_ssid::leap) */

/* Maximum SSID length in bytes; the ssid field is not nul terminated (see wpa_ssid::ssid). */
#define MAX_SSID_LEN 32

/* Allowed range for the EAP-PSK/PAX/SAKE pre-shared key length (see wpa_ssid::eappsk_len). */
#define EAP_PSK_LEN_MIN 16
#define EAP_PSK_LEN_MAX 32

/* Defaults applied to a network block unless the configuration overrides them. */

/* All bits set: every EAP interoperability workaround enabled (see wpa_ssid::eap_workaround). */
#define DEFAULT_EAP_WORKAROUND ((unsigned int) -1)
/* Both EAPOL-Key requirements are on by default (see wpa_ssid::eapol_flags). */
#define DEFAULT_EAPOL_FLAGS (EAPOL_FLAG_REQUIRE_KEY_UNICAST | \
	EAPOL_FLAG_REQUIRE_KEY_BROADCAST)
/* Accept both WPA and RSN (WPA2). */
#define DEFAULT_PROTO (WPA_PROTO_WPA | WPA_PROTO_RSN)
/* Accept both PSK and IEEE 802.1X key management. */
#define DEFAULT_KEY_MGMT (WPA_KEY_MGMT_PSK | WPA_KEY_MGMT_IEEE8021X)
/*
 * Pairwise: CCMP or TKIP. TKIP is the weaker legacy option; a network block
 * that only needs to talk to WPA2 APs should restrict itself to pairwise=CCMP.
 */
#define DEFAULT_PAIRWISE (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP)
/*
 * Group: additionally allows a WEP group key, presumably so that mixed
 * WPA/WEP transition cells can still be joined. WEP is broken, so a network
 * that must never fall back to it should set group= explicitly (e.g.,
 * group=CCMP).
 */
#define DEFAULT_GROUP (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP | \
	WPA_CIPHER_WEP104 | WPA_CIPHER_WEP40)
/* Default maximum EAP fragment size in bytes (see wpa_ssid::fragment_size). */
#define DEFAULT_FRAGMENT_SIZE 1398
61
* struct wpa_ssid - Network configuration data
63
* This structure includes all the configuration variables for a network. This
64
* data is included in the per-interface configuration data as an element of
65
* the network list, struct wpa_config::ssid. Each network block in the
66
* configuration is mapped to a struct wpa_ssid instance.
70
* next - Next network in global list
72
* This pointer can be used to iterate over all networks. The head of
73
* this list is stored in the ssid field of struct wpa_config.
75
struct wpa_ssid *next;
78
* pnext - Next network in per-priority list
80
* This pointer can be used to iterate over all networks in the same
81
* priority class. The heads of these lists are stored in the pssid
82
* fields of struct wpa_config.
84
struct wpa_ssid *pnext;
87
* id - Unique id for the network
89
* This identifier is used as a unique identifier for each network
90
* block when using the control interface. Each network is allocated an
91
* id when it is being created, either when reading the configuration
92
* file or when a new network is added through the control interface.
97
* priority - Priority group
99
* By default, all networks will get same priority group (0). If some
100
* of the networks are more desirable, this field can be used to change
101
* the order in which wpa_supplicant goes through the networks when
102
* selecting a BSS. The priority groups will be iterated in decreasing
103
* priority (i.e., the larger the priority value, the sooner the
104
* network is matched against the scan results). Within each priority
105
* group, networks will be selected based on security policy, signal
108
* Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are
109
* not using this priority to select the order for scanning. Instead,
110
* they try the networks in the order in which they are listed in the configuration
116
* ssid - Service set identifier (network name)
118
* This is the SSID for the network. For wireless interfaces, this is
119
* used to select which network will be used. If set to %NULL (or
120
* ssid_len=0), any SSID can be used. For wired interfaces, this must
121
* be set to %NULL. Note: SSID may contain any characters, even nul
122
* (ASCII 0) and as such, this should not be assumed to be a nul
123
* terminated string. ssid_len defines how many characters are valid
124
* and the ssid field is not guaranteed to be nul terminated.
129
* ssid_len - Length of the SSID
136
* If set, this network block is used only when associating with the AP
137
* using the configured BSSID
142
* bssid_set - Whether BSSID is configured for this network
147
* psk - WPA pre-shared key (256 bits)
152
* psk_set - Whether PSK field is configured
157
* passphrase - WPA ASCII passphrase
159
* If this is set, psk will be generated using the SSID and passphrase
* configured for the network. ASCII passphrase must be between 8 and
* 63 characters (inclusive). Because psk is derived deterministically
* from these two values, the passphrase's entropy is all that protects a
* PSK network; prefer a long random passphrase over a short word.
166
* pairwise_cipher - Bitfield of allowed pairwise ciphers, WPA_CIPHER_*
171
* group_cipher - Bitfield of allowed group ciphers, WPA_CIPHER_*
176
* key_mgmt - Bitfield of allowed key management protocols
183
* proto - Bitfield of allowed protocols, WPA_PROTO_*
188
* auth_alg - Bitfield of allowed authentication algorithms
195
* scan_ssid - Scan this SSID with Probe Requests
197
* scan_ssid=1 can be used to scan for APs using hidden SSIDs. Since the
* SSID is then sent in the clear in every Probe Request, enabling this
* also reveals the configured network name to any nearby listener.
* Note: Many drivers do not support this. ap_scan=2 can be used with
* such drivers to use hidden SSIDs.
203
#ifdef IEEE8021X_EAPOL
206
* identity - EAP Identity
211
* identity_len - EAP Identity length
216
* anonymous_identity - Anonymous EAP Identity
218
* This identity is sent unencrypted (outside the TLS tunnel) with EAP
* types that support a separate tunnelled identity, e.g., EAP-TTLS, so
* that the real identity (identity field) is revealed only to the
* authentication server. It should therefore not contain the real
* username; a realm-only value such as "anonymous@example.com" is typical.
222
u8 *anonymous_identity;
225
* anonymous_identity_len - Length of anonymous_identity
227
size_t anonymous_identity_len;
230
* eappsk - EAP-PSK/PAX/SAKE pre-shared key
235
* eappsk_len - EAP-PSK/PAX/SAKE pre-shared key length
237
* This field is always 16 for the current version of EAP-PSK/PAX and
243
* nai - User NAI (for EAP-PSK/PAX/SAKE)
248
* nai_len - Length of nai field
253
* password - Password string for EAP
258
* password_len - Length of password field
263
* ca_cert - File path to CA certificate file (PEM/DER)
265
* This file can have one or more trusted CA certificates. If ca_cert
266
* and ca_path are not included, the server certificate will not be
* verified at all: any server presenting any certificate is accepted,
* which lets a rogue access point pose as the authentication server and
* capture whatever the inner method sends. A trusted CA certificate should
* always be configured when using EAP-TLS/TTLS/PEAP. Full path to the
269
* file should be used since working directory may change when
270
* wpa_supplicant is run in the background.
272
* Alternatively, a named configuration blob can be used by setting
273
* this to blob://<blob name>.
275
* On Windows, trusted CA certificates can be loaded from the system
276
* certificate store by setting this to cert_store://<name>, e.g.,
277
* ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
278
* Note that when running wpa_supplicant as an application, the user
279
* certificate store (My user account) is used, whereas computer store
280
* (Computer account) is used when running wpasvc as a service.
285
* ca_path - Directory path for CA certificate files (PEM)
287
* This path may contain multiple CA certificates in OpenSSL format.
288
* Common use for this is to point to system trusted CA list which is
289
* often installed into directory like /etc/ssl/certs. If configured,
290
* these certificates are added to the list of trusted CAs. ca_cert
291
* may also be included in that case, but it is not required.
296
* client_cert - File path to client certificate file (PEM/DER)
298
* This field is used with EAP method that use TLS authentication.
299
* Usually, this is only configured for EAP-TLS, even though this could
300
* in theory be used with EAP-TTLS and EAP-PEAP, too. Full path to the
301
* file should be used since working directory may change when
302
* wpa_supplicant is run in the background.
304
* Alternatively, a named configuration blob can be used by setting
305
* this to blob://<blob name>.
310
* private_key - File path to client private key file (PEM/DER/PFX)
312
* When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
313
* commented out. Both the private key and certificate will be read
314
* from the PKCS#12 file in this case. Full path to the file should be
315
* used since working directory may change when wpa_supplicant is run
318
* Windows certificate store can be used by leaving client_cert out and
319
* configuring private_key in one of the following formats:
321
* cert://substring_to_match
323
* hash://certificate_thumbprint_in_hex
325
* For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
327
* Note that when running wpa_supplicant as an application, the user
328
* certificate store (My user account) is used, whereas computer store
329
* (Computer account) is used when running wpasvc as a service.
331
* Alternatively, a named configuration blob can be used by setting
332
* this to blob://<blob name>.
337
* private_key_passwd - Password for private key file
339
* If left out, this will be asked through control interface.
341
u8 *private_key_passwd;
344
* dh_file - File path to DH/DSA parameters file (in PEM format)
346
* This is an optional configuration file for setting parameters for an
347
* ephemeral DH key exchange. In most cases, the default RSA
348
* authentication does not use this configuration. However, it is
349
* possible to set up RSA to use ephemeral DH key exchange. In addition,
350
* ciphers with DSA keys always use ephemeral DH keys. This can be used
351
* to achieve forward secrecy. If the file is in DSA parameters format,
352
* it will be automatically converted into DH params. Full path to the
353
* file should be used since working directory may change when
354
* wpa_supplicant is run in the background.
356
* Alternatively, a named configuration blob can be used by setting
357
* this to blob://<blob name>.
362
* subject_match - Constraint for server certificate subject
364
* This substring is matched against the subject of the authentication
365
* server certificate. If this string is set, the server certificate is
* only accepted if it contains this string in the subject. Because this
* is a plain substring match, use a string specific enough not to match
* unrelated certificates issued by the same CA (e.g., the complete CN
* component rather than a prefix of it). The subject string is in the following format:
369
* /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@n.example.com
374
* altsubject_match - Constraint for server certificate alt. subject
376
* Semicolon separated string of entries to be matched against the
377
* alternative subject name of the authentication server certificate.
378
* If this string is set, the server certificate is only accepted if it
379
* contains one of the entries in an alternative subject name
382
* altSubjectName string is in following format: TYPE:VALUE
384
* Example: EMAIL:server@example.com
385
* Example: DNS:server.example.com;DNS:server2.example.com
387
* Following types are supported: EMAIL, DNS, URI
389
u8 *altsubject_match;
392
* ca_cert2 - File path to CA certificate file (PEM/DER) (Phase 2)
394
* This file can have one or more trusted CA certificates. If ca_cert2
395
* and ca_path2 are not included, the inner (phase 2) server certificate
* will not be verified, so any certificate is accepted. This is insecure
* and a trusted CA certificate should always be configured when the
* phase 2 method itself uses TLS. Full path to the file should be used since
398
* working directory may change when wpa_supplicant is run in the
401
* This field is like ca_cert, but used for phase 2 (inside
402
* EAP-TTLS/PEAP/FAST tunnel) authentication.
404
* Alternatively, a named configuration blob can be used by setting
405
* this to blob://<blob name>.
410
* ca_path2 - Directory path for CA certificate files (PEM) (Phase 2)
412
* This path may contain multiple CA certificates in OpenSSL format.
413
* Common use for this is to point to system trusted CA list which is
414
* often installed into directory like /etc/ssl/certs. If configured,
415
* these certificates are added to the list of trusted CAs. ca_cert
416
* may also be included in that case, but it is not required.
418
* This field is like ca_path, but used for phase 2 (inside
419
* EAP-TTLS/PEAP/FAST tunnel) authentication.
424
* client_cert2 - File path to client certificate file
426
* This field is like client_cert, but used for phase 2 (inside
427
* EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
428
* file should be used since working directory may change when
429
* wpa_supplicant is run in the background.
431
* Alternatively, a named configuration blob can be used by setting
432
* this to blob://<blob name>.
437
* private_key2 - File path to client private key file
439
* This field is like private_key, but used for phase 2 (inside
440
* EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
441
* file should be used since working directory may change when
442
* wpa_supplicant is run in the background.
444
* Alternatively, a named configuration blob can be used by setting
445
* this to blob://<blob name>.
450
* private_key2_passwd - Password for private key file
452
* This field is like private_key_passwd, but used for phase 2 (inside
453
* EAP-TTLS/PEAP/FAST tunnel) authentication.
455
u8 *private_key2_passwd;
458
* dh_file2 - File path to DH/DSA parameters file (in PEM format)
460
* This field is like dh_file, but used for phase 2 (inside
461
* EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
462
* file should be used since working directory may change when
463
* wpa_supplicant is run in the background.
465
* Alternatively, a named configuration blob can be used by setting
466
* this to blob://<blob name>.
471
* subject_match2 - Constraint for server certificate subject
473
* This field is like subject_match, but used for phase 2 (inside
474
* EAP-TTLS/PEAP/FAST tunnel) authentication.
479
* altsubject_match2 - Constraint for server certificate alt. subject
481
* This field is like altsubject_match, but used for phase 2 (inside
482
* EAP-TTLS/PEAP/FAST tunnel) authentication.
484
u8 *altsubject_match2;
487
* eap_methods - Allowed EAP methods
489
* (vendor=EAP_VENDOR_IETF,method=EAP_TYPE_NONE) terminated list of
490
* allowed EAP methods or %NULL if all methods are accepted.
492
struct eap_method_type *eap_methods;
495
* phase1 - Phase 1 (outer authentication) parameters
497
* String with field-value pairs, e.g., "peapver=0" or
498
* "peapver=1 peaplabel=1".
500
* 'peapver' can be used to force which PEAP version (0 or 1) is used.
502
* 'peaplabel=1' can be used to force new label, "client PEAP
503
* encryption", to be used during key derivation when PEAPv1 or newer.
505
* Most existing PEAPv1 implementations seem to be using the old label,
506
* "client EAP encryption", and wpa_supplicant is now using that as the
509
* Some servers, e.g., Radiator, may require peaplabel=1 configuration
510
* to interoperate with PEAPv1; see eap_testing.txt for more details.
512
* 'peap_outer_success=0' can be used to terminate PEAP authentication
513
* on tunneled EAP-Success. This is required with some RADIUS servers
514
* that implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
515
* Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode).
517
* include_tls_length=1 can be used to force wpa_supplicant to include
518
* TLS Message Length field in all TLS messages even if they are not
521
* sim_min_num_chal=3 can be used to configure EAP-SIM to require three
522
* challenges (by default, it accepts 2 or 3).
524
* fast_provisioning=1 can be used to enable in-line provisioning of
525
* EAP-FAST credentials (PAC)
530
* phase2 - Phase2 (inner authentication with TLS tunnel) parameters
532
* String with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
533
* "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS.
538
* pcsc - Parameters for PC/SC smartcard interface for USIM and GSM SIM
540
* This field is used to configure PC/SC smartcard interface.
541
* Currently, the only configuration is whether this field is %NULL (do
542
* not use PC/SC) or non-NULL (e.g., "") to enable PC/SC.
544
* This field is used for EAP-SIM and EAP-AKA.
549
* pin - PIN for USIM, GSM SIM, and smartcards
551
* This field is used to configure PIN for SIM and smartcards for
552
* EAP-SIM and EAP-AKA. In addition, this is used with EAP-TLS if a
553
* smartcard is used for private key operations.
555
* If left out, this will be asked through control interface.
560
* engine - Enable OpenSSL engine (e.g., for smartcard access)
562
* This is used if private key operations for EAP-TLS are performed
568
* engine_id - Engine ID for OpenSSL engine
570
* "opensc" to select OpenSC engine or "pkcs11" to select PKCS#11
573
* This is used if private key operations for EAP-TLS are performed
579
* key_id - Key ID for OpenSSL engine
581
* This is used if private key operations for EAP-TLS are performed
586
/*
 * eapol_flags bits. Per their names, REQUIRE_KEY_UNICAST / _BROADCAST make
 * the supplicant wait for an EAPOL-Key frame delivering the respective key
 * before the link is treated as keyed -- confirm against the EAPOL state
 * machine. Both are set in DEFAULT_EAPOL_FLAGS.
 */
#define EAPOL_FLAG_REQUIRE_KEY_UNICAST BIT(0)
#define EAPOL_FLAG_REQUIRE_KEY_BROADCAST BIT(1)
589
* eapol_flags - Bit field of IEEE 802.1X/EAPOL options (EAPOL_FLAG_*)
593
#endif /* IEEE8021X_EAPOL */
595
/*
 * Static WEP key storage: four key slots of up to MAX_WEP_KEY_LEN bytes
 * each; the bytes actually in use per slot are given by wep_key_len[].
 */
#define NUM_WEP_KEYS 4
#define MAX_WEP_KEY_LEN 16
600
u8 wep_key[NUM_WEP_KEYS][MAX_WEP_KEY_LEN];
603
* wep_key_len - WEP key lengths
605
size_t wep_key_len[NUM_WEP_KEYS];
608
* wep_tx_keyidx - Default key index for TX frames using WEP
613
* proactive_key_caching - Enable proactive key caching
615
* This field can be used to enable proactive key caching which is also
616
* known as opportunistic PMKSA caching for WPA2. This is disabled (0)
617
* by default. Enable by setting this to 1.
619
* Proactive key caching is used to make supplicant assume that the APs
620
* are using the same PMK and generate PMKSA cache entries without
621
* doing RSN pre-authentication. This requires support from the AP side
622
* and is normally used with wireless switches that co-locate the
625
int proactive_key_caching;
628
* mixed_cell - Whether mixed cells are allowed
630
* This option can be used to configure whether so called mixed cells,
631
* i.e., networks that use both plaintext and encryption in the same
632
* SSID, are allowed. This is disabled (0) by default. Enable by
637
#ifdef IEEE8021X_EAPOL
640
* otp - One-time-password
642
* This field should not be set in configuration step. It is only used
643
* internally when OTP is entered through the control interface.
648
* otp_len - Length of the otp field
653
* pending_req_identity - Whether there is a pending identity request
655
* This field should not be set in configuration step. It is only used
656
* internally when control interface is used to request needed
659
int pending_req_identity;
662
* pending_req_password - Whether there is a pending password request
664
* This field should not be set in configuration step. It is only used
665
* internally when control interface is used to request needed
668
int pending_req_password;
671
* pending_req_pin - Whether there is a pending PIN request
673
* This field should not be set in configuration step. It is only used
674
* internally when control interface is used to request needed
680
* pending_req_new_password - Pending password update request
682
* This field should not be set in configuration step. It is only used
683
* internally when control interface is used to request needed
686
int pending_req_new_password;
689
* pending_req_passphrase - Pending passphrase request
691
* This field should not be set in configuration step. It is only used
692
* internally when control interface is used to request needed
695
int pending_req_passphrase;
698
* pending_req_otp - Whether there is a pending OTP request
700
* This field should not be set in configuration step. It is only used
701
* internally when control interface is used to request needed
704
char *pending_req_otp;
707
* pending_req_otp_len - Length of the pending OTP request
709
size_t pending_req_otp_len;
712
* leap - Number of EAP methods using LEAP
714
* This field should be set to 1 if LEAP is enabled. This is used to
715
* select IEEE 802.11 authentication algorithm.
720
* non_leap - Number of EAP methods not using LEAP
722
* This field should be set to >0 if any EAP method other than LEAP is
723
* enabled. This is used to select IEEE 802.11 authentication
729
* eap_workaround - EAP workarounds enabled
731
* wpa_supplicant supports a number of "EAP workarounds" to work around
732
* interoperability issues with incorrectly behaving authentication
733
* servers. This is recommended to be enabled by default because some
734
* of the issues are present in a large number of authentication servers.
736
* Strict EAP conformance mode can be configured by disabling
737
* workarounds with eap_workaround = 0.
739
unsigned int eap_workaround;
742
* pac_file - File path or blob name for the PAC entries (EAP-FAST)
744
* wpa_supplicant will need to be able to create this file and write
745
* updates to it when PAC is being provisioned or refreshed. Full path
746
* to the file should be used since working directory may change when
747
* wpa_supplicant is run in the background.
748
* Alternatively, a named configuration blob can be used by setting
749
* this to blob://<blob name>.
753
#endif /* IEEE8021X_EAPOL */
756
* mode - IEEE 802.11 operation mode (Infrastructure/IBSS)
758
* 0 = infrastructure (Managed) mode, i.e., associate with an AP.
760
* 1 = IBSS (ad-hoc, peer-to-peer)
762
* Note: IBSS can only be used with key_mgmt NONE (plaintext and
763
* static WEP) and key_mgmt=WPA-NONE (fixed group key TKIP/CCMP). In
764
* addition, ap_scan has to be set to 2 for IBSS. WPA-None requires
765
* following network block options: proto=WPA, key_mgmt=WPA-NONE,
766
* pairwise=NONE, group=TKIP (or CCMP, but not both), and psk must also
767
* be set (either directly or using ASCII passphrase).
771
#ifdef IEEE8021X_EAPOL
774
* mschapv2_retry - MSCHAPv2 retry in progress
776
* This field is used internally by EAP-MSCHAPv2 and should not be set
777
* as part of configuration.
782
* new_password - New password for password update
784
* This field is used during MSCHAPv2 password update. This is normally
785
* requested from the user through the control interface and not set
786
* from configuration.
791
* new_password_len - Length of new_password field
793
size_t new_password_len;
795
#endif /* IEEE8021X_EAPOL */
798
* disabled - Whether this network is currently disabled
800
* 0 = this network can be used (default).
801
* 1 = this network block is disabled (can be enabled through
802
* ctrl_iface, e.g., with wpa_cli or wpa_gui).
807
* peerkey - Whether PeerKey handshake for direct links is allowed
809
* This is only used when both RSN/WPA2 and IEEE 802.11e (QoS) are
812
* 0 = disabled (default)
817
#ifdef IEEE8021X_EAPOL
820
* fragment_size - Maximum EAP fragment size in bytes (default 1398)
822
* This value limits the fragment size for EAP methods that support
823
* fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
824
* small enough to make the EAP messages fit in MTU of the network
825
* interface used for EAPOL. The default value is suitable for most
830
#endif /* IEEE8021X_EAPOL */
833
* id_str - Network identifier string for external scripts
835
* This value is passed to external ctrl_iface monitors in
836
* WPA_EVENT_CONNECTED event and wpa_cli sets this as WPA_ID_STR
837
* environment variable for action scripts.
841
#ifdef CONFIG_IEEE80211W
843
* ieee80211w - Whether management frame protection is enabled
845
* This value is used to configure policy for management frame
* protection (IEEE 802.11w). 0 = disabled, 1 = optional (used if the AP
* offers it, otherwise the connection proceeds unprotected), 2 = required
* (APs that do not offer it are rejected). Only 2 guarantees protection.
850
IEEE80211W_OPTIONAL = 1,
851
IEEE80211W_REQUIRED = 2
853
#endif /* CONFIG_IEEE80211W */
856
int wpa_config_allowed_eap_method(struct wpa_ssid *ssid, int vendor,
859
#endif /* CONFIG_SSID_H */