      1 /*
      2  * WPA Supplicant / Network configuration structures
 * Copyright (c) 2003-2006, Jouni Malinen <j@w1.fi>
      4  *
      5  * This program is free software; you can redistribute it and/or modify
      6  * it under the terms of the GNU General Public License version 2 as
      7  * published by the Free Software Foundation.
      8  *
      9  * Alternatively, this software may be distributed under the terms of BSD
     10  * license.
     11  *
     12  * See README and COPYING for more details.
     13  */
     14 
     15 #ifndef CONFIG_SSID_H
     16 #define CONFIG_SSID_H
     17 
#ifndef BIT
/*
 * Single-bit mask. Every use in this header has n <= 5, so the shift stays
 * well inside the width of int and is not a signed-overflow concern.
 */
#define BIT(n) (1 << (n))
#endif

/* Cipher suite flags; OR-ed into the pairwise_cipher / group_cipher fields. */
#define WPA_CIPHER_NONE BIT(0)
#define WPA_CIPHER_WEP40 BIT(1)
#define WPA_CIPHER_WEP104 BIT(2)
#define WPA_CIPHER_TKIP BIT(3)
#define WPA_CIPHER_CCMP BIT(4)
#ifdef CONFIG_IEEE80211W
/* Only meaningful for management frame protection (IEEE 802.11w). */
#define WPA_CIPHER_AES_128_CMAC BIT(5)
#endif /* CONFIG_IEEE80211W */

/* Key management (AKM) flags; OR-ed into the key_mgmt field. */
#define WPA_KEY_MGMT_IEEE8021X BIT(0)
#define WPA_KEY_MGMT_PSK BIT(1)
#define WPA_KEY_MGMT_NONE BIT(2)
#define WPA_KEY_MGMT_IEEE8021X_NO_WPA BIT(3)
#define WPA_KEY_MGMT_WPA_NONE BIT(4)

/* Protocol flags; OR-ed into the proto field. */
#define WPA_PROTO_WPA BIT(0)
#define WPA_PROTO_RSN BIT(1)

/* IEEE 802.11 authentication algorithm flags; OR-ed into the auth_alg field. */
#define WPA_AUTH_ALG_OPEN BIT(0)
#define WPA_AUTH_ALG_SHARED BIT(1)
#define WPA_AUTH_ALG_LEAP BIT(2)

/* IEEE 802.11 SSID is at most 32 octets (and need not be nul terminated). */
#define MAX_SSID_LEN 32
/* PMK / WPA-PSK length in octets (256 bits). */
#define PMK_LEN 32
/* Bounds for the EAP-PSK/PAX/SAKE pre-shared key (eappsk field). */
#define EAP_PSK_LEN_MIN 16
#define EAP_PSK_LEN_MAX 32


/*
 * Defaults applied to a network block that does not set the field.
 *
 * DEFAULT_EAP_WORKAROUND is every bit set, i.e., all EAP interoperability
 * workarounds enabled. DEFAULT_EAPOL_FLAGS refers to the EAPOL_FLAG_* values
 * defined next to the eapol_flags field further down in this header; that is
 * fine because the macro is only expanded at its point of use.
 */
#define DEFAULT_EAP_WORKAROUND ((unsigned int) -1)
#define DEFAULT_EAPOL_FLAGS (EAPOL_FLAG_REQUIRE_KEY_UNICAST | \
			     EAPOL_FLAG_REQUIRE_KEY_BROADCAST)
#define DEFAULT_PROTO (WPA_PROTO_WPA | WPA_PROTO_RSN)
#define DEFAULT_KEY_MGMT (WPA_KEY_MGMT_PSK | WPA_KEY_MGMT_IEEE8021X)
/*
 * Security note: the default cipher policy is permissive for the sake of
 * interoperability. DEFAULT_PAIRWISE accepts TKIP alongside CCMP, and
 * DEFAULT_GROUP additionally accepts WEP40/WEP104 as the group cipher. A
 * network block that should only ever use CCMP must set pairwise= and
 * group= explicitly rather than relying on these defaults.
 */
#define DEFAULT_PAIRWISE (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP)
#define DEFAULT_GROUP (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP | \
		       WPA_CIPHER_WEP104 | WPA_CIPHER_WEP40)
/* Default maximum EAP fragment size in bytes (see the fragment_size field). */
#define DEFAULT_FRAGMENT_SIZE 1398
     59 
/**
 * struct wpa_ssid - Network configuration data
 *
 * This structure includes all the configuration variables for a network. This
 * data is included in the per-interface configuration data as an element of
 * the network list, struct wpa_config::ssid. Each network block in the
 * configuration is mapped to a struct wpa_ssid instance.
 *
 * Several fields hold long-lived secrets (psk, passphrase, wep_key, eappsk,
 * password, new_password, otp, pin, private_key_passwd, private_key2_passwd).
 * NOTE(review): whichever routine frees a wpa_ssid should clear those buffers
 * before releasing the memory; confirm that the owning free path does so.
 */
struct wpa_ssid {
	/**
	 * next - Next network in global list
	 *
	 * This pointer can be used to iterate over all networks. The head of
	 * this list is stored in the ssid field of struct wpa_config.
	 */
	struct wpa_ssid *next;

	/**
	 * pnext - Next network in per-priority list
	 *
	 * This pointer can be used to iterate over all networks in the same
	 * priority class. The heads of these lists are stored in the pssid
	 * fields of struct wpa_config.
	 */
	struct wpa_ssid *pnext;

	/**
	 * id - Unique id for the network
	 *
	 * This identifier is used as a unique identifier for each network
	 * block when using the control interface. Each network is allocated an
	 * id when it is being created, either when reading the configuration
	 * file or when a new network is added through the control interface.
	 */
	int id;

	/**
	 * priority - Priority group
	 *
	 * By default, all networks will get same priority group (0). If some
	 * of the networks are more desirable, this field can be used to change
	 * the order in which wpa_supplicant goes through the networks when
	 * selecting a BSS. The priority groups will be iterated in decreasing
	 * priority (i.e., the larger the priority value, the sooner the
	 * network is matched against the scan results). Within each priority
	 * group, networks will be selected based on security policy, signal
	 * strength, etc.
	 *
	 * Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are
	 * not using this priority to select the order for scanning. Instead,
	 * they try the networks in the order that is used in the configuration
	 * file.
	 */
	int priority;

	/**
	 * ssid - Service set identifier (network name)
	 *
	 * This is the SSID for the network. For wireless interfaces, this is
	 * used to select which network will be used. If set to %NULL (or
	 * ssid_len=0), any SSID can be used. For wired interfaces, this must
	 * be set to %NULL. Note: SSID may contain any characters, even nul
	 * (ASCII 0) and as such, this should not be assumed to be a nul
	 * terminated string. ssid_len defines how many characters are valid
	 * and the ssid field is not guaranteed to be nul terminated. Never
	 * pass this buffer to strlen()/printf("%s")-style functions; use
	 * ssid_len (at most MAX_SSID_LEN) for every access.
	 */
	u8 *ssid;

	/**
	 * ssid_len - Length of the SSID (octets valid in the ssid buffer)
	 */
	size_t ssid_len;

	/**
	 * bssid - BSSID
	 *
	 * If set, this network block is used only when associating with the AP
	 * using the configured BSSID. Only meaningful when bssid_set is
	 * non-zero; the bytes are otherwise unused.
	 */
	u8 bssid[ETH_ALEN];

	/**
	 * bssid_set - Whether BSSID is configured for this network
	 */
	int bssid_set;

	/**
	 * psk - WPA pre-shared key (256 bits)
	 *
	 * Secret key material. Either configured directly or derived from
	 * passphrase (see below). Only valid when psk_set is non-zero.
	 */
	u8 psk[PMK_LEN];

	/**
	 * psk_set - Whether PSK field is configured
	 */
	int psk_set;

	/**
	 * passphrase - WPA ASCII passphrase
	 *
	 * If this is set, psk will be generated using the SSID and passphrase
	 * configured for the network. ASCII passphrase must be between 8 and
	 * 63 characters (inclusive).
	 *
	 * Security note: because psk is a deterministic function of the SSID
	 * and this string, a short or dictionary passphrase can be recovered
	 * offline by anyone who captures a single 4-way handshake. Prefer a
	 * long random passphrase, or configure psk directly.
	 */
	char *passphrase;

	/**
	 * pairwise_cipher - Bitfield of allowed pairwise ciphers, WPA_CIPHER_*
	 *
	 * Defaults to DEFAULT_PAIRWISE, which accepts TKIP in addition to
	 * CCMP; set this explicitly to restrict a network to CCMP only.
	 */
	int pairwise_cipher;

	/**
	 * group_cipher - Bitfield of allowed group ciphers, WPA_CIPHER_*
	 *
	 * Defaults to DEFAULT_GROUP, which accepts WEP40/WEP104 and TKIP in
	 * addition to CCMP; set this explicitly to restrict a network to
	 * CCMP only.
	 */
	int group_cipher;

	/**
	 * key_mgmt - Bitfield of allowed key management protocols
	 *
	 * WPA_KEY_MGMT_*
	 */
	int key_mgmt;

	/**
	 * proto - Bitfield of allowed protocols, WPA_PROTO_*
	 */
	int proto;

	/**
	 * auth_alg - Bitfield of allowed authentication algorithms
	 *
	 * WPA_AUTH_ALG_* (open system, WEP shared key, or LEAP).
	 */
	int auth_alg;

	/**
	 * scan_ssid - Scan this SSID with Probe Requests
	 *
	 * scan_ssid can be used to scan for APs using hidden SSIDs.
	 * Note: Many drivers do not support this. ap_scan=2 can be used with
	 * such drivers to use hidden SSIDs.
	 *
	 * Enabling this transmits the configured SSID in Probe Request frames,
	 * so a "hidden" network name is disclosed to any nearby listener.
	 */
	int scan_ssid;

#ifdef IEEE8021X_EAPOL

	/**
	 * identity - EAP Identity
	 *
	 * Unless anonymous_identity is also set, this value is what gets sent
	 * in the unprotected EAP-Response/Identity and is therefore visible
	 * to anyone observing the link.
	 */
	u8 *identity;

	/**
	 * identity_len - EAP Identity length
	 */
	size_t identity_len;

	/**
	 * anonymous_identity - Anonymous EAP Identity
	 *
	 * This field is used for unencrypted use with EAP types that support
	 * different tunnelled identity, e.g., EAP-TTLS, in order to reveal the
	 * real identity (identity field) only to the authentication server.
	 */
	u8 *anonymous_identity;

	/**
	 * anonymous_identity_len - Length of anonymous_identity
	 */
	size_t anonymous_identity_len;

	/**
	 * eappsk - EAP-PSK/PAX/SAKE pre-shared key (secret)
	 */
	u8 *eappsk;

	/**
	 * eappsk_len - EAP-PSK/PAX/SAKE pre-shared key length
	 *
	 * This field is always 16 for the current version of EAP-PSK/PAX and
	 * 32 for EAP-SAKE (EAP_PSK_LEN_MIN / EAP_PSK_LEN_MAX).
	 */
	size_t eappsk_len;

	/**
	 * nai - User NAI (for EAP-PSK/PAX/SAKE)
	 */
	u8 *nai;

	/**
	 * nai_len - Length of nai field
	 */
	size_t nai_len;

	/**
	 * password - Password string for EAP (secret)
	 *
	 * Held in plaintext; the configuration file it is read from must not
	 * be readable by other users.
	 */
	u8 *password;

	/**
	 * password_len - Length of password field
	 */
	size_t password_len;

	/**
	 * ca_cert - File path to CA certificate file (PEM/DER)
	 *
	 * This file can have one or more trusted CA certificates. If ca_cert
	 * and ca_path are not included, server certificate will not be
	 * verified. This is insecure and a trusted CA certificate should
	 * always be configured when using EAP-TLS/TTLS/PEAP. Full path to the
	 * file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 *
	 * Security note: verification only checks that the server certificate
	 * chains to one of the trusted CAs. With a broad trust store (for
	 * example ca_path pointing at the system CA list), any server holding
	 * a certificate from any of those CAs would be accepted, so
	 * subject_match and/or altsubject_match should be set as well to pin
	 * the expected authentication server.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 *
	 * On Windows, trusted CA certificates can be loaded from the system
	 * certificate store by setting this to cert_store://<name>, e.g.,
	 * ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
	 * Note that when running wpa_supplicant as an application, the user
	 * certificate store (My user account) is used, whereas computer store
	 * (Computer account) is used when running wpasvc as a service.
	 */
	u8 *ca_cert;

	/**
	 * ca_path - Directory path for CA certificate files (PEM)
	 *
	 * This path may contain multiple CA certificates in OpenSSL format.
	 * Common use for this is to point to system trusted CA list which is
	 * often installed into directory like /etc/ssl/certs. If configured,
	 * these certificates are added to the list of trusted CAs. ca_cert
	 * may also be included in that case, but it is not required. See the
	 * security note on ca_cert: a system-wide trust list makes
	 * subject_match/altsubject_match important.
	 */
	u8 *ca_path;

	/**
	 * client_cert - File path to client certificate file (PEM/DER)
	 *
	 * This field is used with EAP methods that use TLS authentication.
	 * Usually, this is only configured for EAP-TLS, even though this could
	 * in theory be used with EAP-TTLS and EAP-PEAP, too. Full path to the
	 * file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 */
	u8 *client_cert;

	/**
	 * private_key - File path to client private key file (PEM/DER/PFX)
	 *
	 * When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
	 * commented out. Both the private key and certificate will be read
	 * from the PKCS#12 file in this case. Full path to the file should be
	 * used since working directory may change when wpa_supplicant is run
	 * in the background.
	 *
	 * Windows certificate store can be used by leaving client_cert out and
	 * configuring private_key in one of the following formats:
	 *
	 * cert://substring_to_match
	 *
	 * hash://certificate_thumbprint_in_hex
	 *
	 * For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
	 *
	 * Note that when running wpa_supplicant as an application, the user
	 * certificate store (My user account) is used, whereas computer store
	 * (Computer account) is used when running wpasvc as a service.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 */
	u8 *private_key;

	/**
	 * private_key_passwd - Password for private key file (secret)
	 *
	 * If left out, this will be asked through control interface. When it
	 * is present in the configuration file, that file must be protected
	 * from other users, as the password is stored in plaintext.
	 */
	u8 *private_key_passwd;

	/**
	 * dh_file - File path to DH/DSA parameters file (in PEM format)
	 *
	 * This is an optional configuration file for setting parameters for an
	 * ephemeral DH key exchange. In most cases, the default RSA
	 * authentication does not use this configuration. However, it is
	 * possible to set up RSA to use ephemeral DH key exchange. In
	 * addition, ciphers with DSA keys always use ephemeral DH keys. This
	 * can be used to achieve forward secrecy. If the file is in DSA
	 * parameters format, it will be automatically converted into DH
	 * params. Full path to the file should be used since working directory
	 * may change when wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 */
	u8 *dh_file;

	/**
	 * subject_match - Constraint for server certificate subject
	 *
	 * This substring is matched against the subject of the authentication
	 * server certificate. If this string is set, the server certificate is
	 * only accepted if it contains this string in the subject. The subject
	 * string is in following format:
	 *
	 * /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@n.example.com
	 *
	 * Security note: this is a plain substring match, not an exact
	 * comparison, so a subject that merely contains the configured text
	 * (e.g., "CN=Test AS" also matching "CN=Test AS-evil") is accepted.
	 * Make the string specific, e.g., include the surrounding field
	 * separators, or prefer altsubject_match.
	 */
	u8 *subject_match;

	/**
	 * altsubject_match - Constraint for server certificate alt. subject
	 *
	 * Semicolon separated string of entries to be matched against the
	 * alternative subject name of the authentication server certificate.
	 * If this string is set, the server certificate is only accepted if it
	 * contains one of the entries in an alternative subject name
	 * extension.
	 *
	 * altSubjectName string is in following format: TYPE:VALUE
	 *
	 * Example: EMAIL:server@example.com
	 * Example: DNS:server.example.com;DNS:server2.example.com
	 *
	 * Following types are supported: EMAIL, DNS, URI
	 */
	u8 *altsubject_match;

	/**
	 * ca_cert2 - File path to CA certificate file (PEM/DER) (Phase 2)
	 *
	 * This file can have one or more trusted CA certificates. If ca_cert2
	 * and ca_path2 are not included, server certificate will not be
	 * verified. This is insecure and a trusted CA certificate should
	 * always be configured. Full path to the file should be used since
	 * working directory may change when wpa_supplicant is run in the
	 * background.
	 *
	 * This field is like ca_cert, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 */
	u8 *ca_cert2;

	/**
	 * ca_path2 - Directory path for CA certificate files (PEM) (Phase 2)
	 *
	 * This path may contain multiple CA certificates in OpenSSL format.
	 * Common use for this is to point to system trusted CA list which is
	 * often installed into directory like /etc/ssl/certs. If configured,
	 * these certificates are added to the list of trusted CAs. ca_cert2
	 * may also be included in that case, but it is not required.
	 *
	 * This field is like ca_path, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 */
	u8 *ca_path2;

	/**
	 * client_cert2 - File path to client certificate file
	 *
	 * This field is like client_cert, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
	 * file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 */
	u8 *client_cert2;

	/**
	 * private_key2 - File path to client private key file
	 *
	 * This field is like private_key, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
	 * file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 */
	u8 *private_key2;

	/**
	 * private_key2_passwd - Password for private key file (secret)
	 *
	 * This field is like private_key_passwd, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 */
	u8 *private_key2_passwd;

	/**
	 * dh_file2 - File path to DH/DSA parameters file (in PEM format)
	 *
	 * This field is like dh_file, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
	 * file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 */
	u8 *dh_file2;

	/**
	 * subject_match2 - Constraint for server certificate subject
	 *
	 * This field is like subject_match (including its substring-match
	 * caveat), but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel)
	 * authentication.
	 */
	u8 *subject_match2;

	/**
	 * altsubject_match2 - Constraint for server certificate alt. subject
	 *
	 * This field is like altsubject_match, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 */
	u8 *altsubject_match2;

	/**
	 * eap_methods - Allowed EAP methods
	 *
	 * (vendor=EAP_VENDOR_IETF,method=EAP_TYPE_NONE) terminated list of
	 * allowed EAP methods or %NULL if all methods are accepted. Leaving
	 * this %NULL lets the authenticator steer the peer to any built-in
	 * method, including weak ones; restricting the list is recommended.
	 */
	struct eap_method_type *eap_methods;

	/**
	 * phase1 - Phase 1 (outer authentication) parameters
	 *
	 * String with field-value pairs, e.g., "peapver=0" or
	 * "peapver=1 peaplabel=1".
	 *
	 * 'peapver' can be used to force which PEAP version (0 or 1) is used.
	 *
	 * 'peaplabel=1' can be used to force new label, "client PEAP
	 * encryption",	to be used during key derivation when PEAPv1 or newer.
	 *
	 * Most existing PEAPv1 implementation seem to be using the old label,
	 * "client EAP encryption", and wpa_supplicant is now using that as the
	 * default value.
	 *
	 * Some servers, e.g., Radiator, may require peaplabel=1 configuration
	 * to interoperate with PEAPv1; see eap_testing.txt for more details.
	 *
	 * 'peap_outer_success=0' can be used to terminate PEAP authentication
	 * on tunneled EAP-Success. This is required with some RADIUS servers
	 * that implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
	 * Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode).
	 *
	 * include_tls_length=1 can be used to force wpa_supplicant to include
	 * TLS Message Length field in all TLS messages even if they are not
	 * fragmented.
	 *
	 * sim_min_num_chal=3 can be used to configure EAP-SIM to require three
	 * challenges (by default, it accepts 2 or 3).
	 *
	 * fast_provisioning=1 can be used to enable in-line provisioning of
	 * EAP-FAST credentials (PAC)
	 */
	char *phase1;

	/**
	 * phase2 - Phase2 (inner authentication with TLS tunnel) parameters
	 *
	 * String with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
	 * "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS.
	 */
	char *phase2;

	/**
	 * pcsc - Parameters for PC/SC smartcard interface for USIM and GSM SIM
	 *
	 * This field is used to configure PC/SC smartcard interface.
	 * Currently, the only configuration is whether this field is %NULL (do
	 * not use PC/SC) or non-NULL (e.g., "") to enable PC/SC.
	 *
	 * This field is used for EAP-SIM and EAP-AKA.
	 */
	char *pcsc;

	/**
	 * pin - PIN for USIM, GSM SIM, and smartcards (secret)
	 *
	 * This field is used to configure PIN for SIM and smartcards for
	 * EAP-SIM and EAP-AKA. In addition, this is used with EAP-TLS if a
	 * smartcard is used for private key operations.
	 *
	 * If left out, this will be asked through control interface, which
	 * avoids keeping the PIN in the configuration file.
	 */
	char *pin;

	/**
	 * engine - Enable OpenSSL engine (e.g., for smartcard access)
	 *
	 * This is used if private key operations for EAP-TLS are performed
	 * using a smartcard.
	 */
	int engine;

	/**
	 * engine_id - Engine ID for OpenSSL engine
	 *
	 * "opensc" to select OpenSC engine or "pkcs11" to select PKCS#11
	 * engine.
	 *
	 * This is used if private key operations for EAP-TLS are performed
	 * using a smartcard.
	 */
	char *engine_id;

	/**
	 * key_id - Key ID for OpenSSL engine
	 *
	 * This is used if private key operations for EAP-TLS are performed
	 * using a smartcard.
	 */
	char *key_id;

#define EAPOL_FLAG_REQUIRE_KEY_UNICAST BIT(0)
#define EAPOL_FLAG_REQUIRE_KEY_BROADCAST BIT(1)
	/**
	 * eapol_flags - Bit field of IEEE 802.1X/EAPOL options (EAPOL_FLAG_*)
	 *
	 * Both flags are set by DEFAULT_EAPOL_FLAGS. NOTE(review): presumably
	 * each flag makes the corresponding EAPOL-Key frame mandatory before
	 * the port is considered authorized (dynamic WEP keying) - confirm
	 * against the EAPOL state machine before relying on that reading.
	 */
	int eapol_flags;

#endif /* IEEE8021X_EAPOL */

#define NUM_WEP_KEYS 4
#define MAX_WEP_KEY_LEN 16
	/**
	 * wep_key - WEP keys (secret)
	 *
	 * Up to NUM_WEP_KEYS static keys of at most MAX_WEP_KEY_LEN octets;
	 * only the first wep_key_len[i] octets of wep_key[i] are valid.
	 * Security note: WEP is cryptographically broken and offers no real
	 * confidentiality; these fields exist for legacy interoperability.
	 */
	u8 wep_key[NUM_WEP_KEYS][MAX_WEP_KEY_LEN];

	/**
	 * wep_key_len - WEP key lengths (0 = slot unused)
	 */
	size_t wep_key_len[NUM_WEP_KEYS];

	/**
	 * wep_tx_keyidx - Default key index for TX frames using WEP
	 *
	 * Index into wep_key, so must be in the range 0..NUM_WEP_KEYS-1.
	 */
	int wep_tx_keyidx;

	/**
	 * proactive_key_caching - Enable proactive key caching
	 *
	 * This field can be used to enable proactive key caching which is also
	 * known as opportunistic PMKSA caching for WPA2. This is disabled (0)
	 * by default. Enable by setting this to 1.
	 *
	 * Proactive key caching is used to make supplicant assume that the APs
	 * are using the same PMK and generate PMKSA cache entries without
	 * doing RSN pre-authentication. This requires support from the AP side
	 * and is normally used with wireless switches that co-locate the
	 * authenticator.
	 */
	int proactive_key_caching;

	/**
	 * mixed_cell - Whether mixed cells are allowed
	 *
	 * This option can be used to configure whether so called mixed cells,
	 * i.e., networks that use both plaintext and encryption in the same
	 * SSID, are allowed. This is disabled (0) by default. Enable by
	 * setting this to 1. Leave it disabled unless such a network is
	 * actually in use, since it widens the set of BSSes this block may be
	 * matched against.
	 */
	int mixed_cell;

#ifdef IEEE8021X_EAPOL

	/**
	 * otp - One-time-password (secret)
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when OTP is entered through the control interface.
	 */
	u8 *otp;

	/**
	 * otp_len - Length of the otp field
	 */
	size_t otp_len;

	/**
	 * pending_req_identity - Whether there is a pending identity request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	int pending_req_identity;

	/**
	 * pending_req_password - Whether there is a pending password request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	int pending_req_password;

	/**
	 * pending_req_pin - Whether there is a pending PIN request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	int pending_req_pin;

	/**
	 * pending_req_new_password - Pending password update request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	int pending_req_new_password;

	/**
	 * pending_req_passphrase - Pending passphrase request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	int pending_req_passphrase;

	/**
	 * pending_req_otp - Pending OTP request
	 *
	 * Non-%NULL while an OTP request is outstanding; unlike the other
	 * pending_req_* fields this is a buffer (pending_req_otp_len octets),
	 * presumably holding the challenge text shown to the user.
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	char *pending_req_otp;

	/**
	 * pending_req_otp_len - Length of the pending OTP request
	 */
	size_t pending_req_otp_len;

	/**
	 * leap - Number of EAP methods using LEAP
	 *
	 * This field should be set to 1 if LEAP is enabled. This is used to
	 * select IEEE 802.11 authentication algorithm.
	 *
	 * Security note: LEAP is widely documented as vulnerable to offline
	 * dictionary attack on its MS-CHAP exchange; avoid it where possible.
	 */
	int leap;

	/**
	 * non_leap - Number of EAP methods not using LEAP
	 *
	 * This field should be set to >0 if any EAP method other than LEAP is
	 * enabled. This is used to select IEEE 802.11 authentication
	 * algorithm.
	 */
	int non_leap;

	/**
	 * eap_workaround - EAP workarounds enabled
	 *
	 * wpa_supplicant supports number of "EAP workarounds" to work around
	 * interoperability issues with incorrectly behaving authentication
	 * servers. This is recommended to be enabled by default because some
	 * of the issues are present in large number of authentication servers.
	 * DEFAULT_EAP_WORKAROUND (all bits set) enables every workaround.
	 *
	 * Strict EAP conformance mode can be configured by disabling
	 * workarounds with eap_workaround = 0.
	 */
	unsigned int eap_workaround;

	/**
	 * pac_file - File path or blob name for the PAC entries (EAP-FAST)
	 *
	 * wpa_supplicant will need to be able to create this file and write
	 * updates to it when PAC is being provisioned or refreshed. Full path
	 * to the file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 *
	 * The PAC carries credential material, so the file should be owned by
	 * and readable only by the user wpa_supplicant runs as.
	 */
	char *pac_file;

#endif /* IEEE8021X_EAPOL */

	/**
	 * mode - IEEE 802.11 operation mode (Infrastructure/IBSS)
	 *
	 * 0 = infrastructure (Managed) mode, i.e., associate with an AP.
	 *
	 * 1 = IBSS (ad-hoc, peer-to-peer)
	 *
	 * Note: IBSS can only be used with key_mgmt NONE (plaintext and
	 * static WEP) and key_mgmt=WPA-NONE (fixed group key TKIP/CCMP). In
	 * addition, ap_scan has to be set to 2 for IBSS. WPA-None requires
	 * following network block options: proto=WPA, key_mgmt=WPA-NONE,
	 * pairwise=NONE, group=TKIP (or CCMP, but not both), and psk must also
	 * be set (either directly or using ASCII passphrase).
	 */
	int mode;

#ifdef IEEE8021X_EAPOL

	/**
	 * mschapv2_retry - MSCHAPv2 retry in progress
	 *
	 * This field is used internally by EAP-MSCHAPv2 and should not be set
	 * as part of configuration.
	 */
	int mschapv2_retry;

	/**
	 * new_password - New password for password update (secret)
	 *
	 * This field is used during MSCHAPv2 password update. This is normally
	 * requested from the user through the control interface and not set
	 * from configuration.
	 */
	u8 *new_password;

	/**
	 * new_password_len - Length of new_password field
	 */
	size_t new_password_len;

#endif /* IEEE8021X_EAPOL */

	/**
	 * disabled - Whether this network is currently disabled
	 *
	 * 0 = this network can be used (default).
	 * 1 = this network block is disabled (can be enabled through
	 * ctrl_iface, e.g., with wpa_cli or wpa_gui).
	 */
	int disabled;

	/**
	 * peerkey - Whether PeerKey handshake for direct links is allowed
	 *
	 * This is only used when both RSN/WPA2 and IEEE 802.11e (QoS) are
	 * enabled.
	 *
	 * 0 = disabled (default)
	 * 1 = enabled
	 */
	int peerkey;

#ifdef IEEE8021X_EAPOL

	/**
	 * fragment_size - Maximum EAP fragment size in bytes (default 1398)
	 *
	 * This value limits the fragment size for EAP methods that support
	 * fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
	 * small enough to make the EAP messages fit in MTU of the network
	 * interface used for EAPOL. The default value (DEFAULT_FRAGMENT_SIZE)
	 * is suitable for most cases.
	 */
	int fragment_size;

#endif /* IEEE8021X_EAPOL */

	/**
	 * id_str - Network identifier string for external scripts
	 *
	 * This value is passed to external ctrl_iface monitors in
	 * WPA_EVENT_CONNECTED event and wpa_cli sets this as WPA_ID_STR
	 * environment variable for action scripts. Action scripts should treat
	 * it as an opaque label, not as something safe to interpolate into a
	 * shell command.
	 */
	char *id_str;

#ifdef CONFIG_IEEE80211W
	/**
	 * ieee80211w - Whether management frame protection is enabled
	 *
	 * This value is used to configure policy for management frame
	 * protection (IEEE 802.11w). 0 = disabled, 1 = optional, 2 = required.
	 * Only IEEE80211W_REQUIRED refuses APs that do not offer protection;
	 * with IEEE80211W_OPTIONAL an unprotected association is still
	 * possible.
	 */
	enum {
		NO_IEEE80211W = 0,
		IEEE80211W_OPTIONAL = 1,
		IEEE80211W_REQUIRED = 2
	} ieee80211w;
#endif /* CONFIG_IEEE80211W */

	/**
	 * frequency - Channel frequency in megahertz (MHz) for IBSS
	 *
	 * This value is used to configure the initial channel for IBSS (adhoc)
	 * networks, e.g., 2412 = IEEE 802.11b/g channel 1. It is ignored in
	 * the infrastructure mode. In addition, this value is only used by the
	 * station that creates the IBSS. If an IBSS network with the
	 * configured SSID is already present, the frequency of the network
	 * will be used instead of this configured value.
	 */
	int frequency;
};
    867 
/**
 * wpa_config_allowed_eap_method - Check whether an EAP method is allowed
 * @ssid: Network block whose eap_methods list is consulted (a %NULL list
 *	means every method is accepted, per the field documentation above)
 * @vendor: EAP vendor identifier (EAP_VENDOR_IETF for standard types)
 * @method: EAP method type within that vendor space
 * Returns: presumably non-zero when the method is permitted for this
 *	network and 0 otherwise - confirm against the definition in config.c
 */
int wpa_config_allowed_eap_method(struct wpa_ssid *ssid, int vendor,
				  u32 method);
    870 
    871 #endif /* CONFIG_SSID_H */
    872