/*
 * WPA Supplicant / Network configuration structures
 * Copyright (c) 2003-2006, Jouni Malinen <j@w1.fi>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 * Alternatively, this software may be distributed under the terms of BSD
 * license.
 *
 * See README and COPYING for more details.
 */

#ifndef CONFIG_SSID_H
#define CONFIG_SSID_H

/*
 * Single-bit mask helper for the WPA_xxx and EAPOL_FLAG_xxx bit fields
 * declared in this header. The shift is performed on a signed int; every
 * bit position used here is small (at most 5), so this cannot overflow in
 * this file.
 */
#ifndef BIT
#define BIT(n) (1 << (n))
#endif

/* Cipher suites for the pairwise_cipher / group_cipher bit fields */
#define WPA_CIPHER_NONE BIT(0)
#define WPA_CIPHER_WEP40 BIT(1)
#define WPA_CIPHER_WEP104 BIT(2)
#define WPA_CIPHER_TKIP BIT(3)
#define WPA_CIPHER_CCMP BIT(4)
#ifdef CONFIG_IEEE80211W
/* Integrity cipher for management frame protection (IEEE 802.11w) */
#define WPA_CIPHER_AES_128_CMAC BIT(5)
#endif /* CONFIG_IEEE80211W */

/* Key management suites for the key_mgmt bit field */
#define WPA_KEY_MGMT_IEEE8021X BIT(0)
#define WPA_KEY_MGMT_PSK BIT(1)
#define WPA_KEY_MGMT_NONE BIT(2)
#define WPA_KEY_MGMT_IEEE8021X_NO_WPA BIT(3)
#define WPA_KEY_MGMT_WPA_NONE BIT(4)

/* Security protocols for the proto bit field */
#define WPA_PROTO_WPA BIT(0)
#define WPA_PROTO_RSN BIT(1)

/* IEEE 802.11 authentication algorithms for the auth_alg bit field */
#define WPA_AUTH_ALG_OPEN BIT(0)
#define WPA_AUTH_ALG_SHARED BIT(1)
#define WPA_AUTH_ALG_LEAP BIT(2)

/* Size limits: SSID length, pairwise master key, and EAP-PSK/PAX/SAKE keys */
#define MAX_SSID_LEN 32
#define PMK_LEN 32
#define EAP_PSK_LEN_MIN 16
#define EAP_PSK_LEN_MAX 32


/*
 * Default values for a new network block.
 *
 * DEFAULT_EAP_WORKAROUND has all bits set, i.e., every EAP workaround is
 * enabled unless the configuration sets eap_workaround=0 (see below).
 * DEFAULT_GROUP also allows the WEP group ciphers (WEP40/WEP104); a network
 * that must not negotiate a WEP group cipher has to set group_cipher
 * explicitly. DEFAULT_EAPOL_FLAGS refers to EAPOL_FLAG_* macros that are
 * defined later in this header (inside struct wpa_ssid); this is fine
 * because the macro is only expanded where it is used.
 */
#define DEFAULT_EAP_WORKAROUND ((unsigned int) -1)
#define DEFAULT_EAPOL_FLAGS (EAPOL_FLAG_REQUIRE_KEY_UNICAST | \
			     EAPOL_FLAG_REQUIRE_KEY_BROADCAST)
#define DEFAULT_PROTO (WPA_PROTO_WPA | WPA_PROTO_RSN)
#define DEFAULT_KEY_MGMT (WPA_KEY_MGMT_PSK | WPA_KEY_MGMT_IEEE8021X)
#define DEFAULT_PAIRWISE (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP)
#define DEFAULT_GROUP (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP | \
		       WPA_CIPHER_WEP104 | WPA_CIPHER_WEP40)
#define DEFAULT_FRAGMENT_SIZE 1398

/**
 * struct wpa_ssid - Network configuration data
 *
 * This structure includes all the configuration variables for a network.
 * This data is included in the per-interface configuration data as an
 * element of the network list, struct wpa_config::ssid. Each network block
 * in the configuration is mapped to a struct wpa_ssid instance.
 *
 * Several members hold credentials in plaintext (psk, passphrase, eappsk,
 * password, private_key_passwd, pin, wep_key, otp, new_password).
 * NOTE(review): the code that releases a network block is not part of this
 * header; confirm that it wipes these members before freeing them.
 *
 * The types u8, u32 and the constant ETH_ALEN are not defined here and are
 * expected to come from a header included before this one.
 */
struct wpa_ssid {
	/**
	 * next - Next network in global list
	 *
	 * This pointer can be used to iterate over all networks. The head of
	 * this list is stored in the ssid field of struct wpa_config.
	 */
	struct wpa_ssid *next;

	/**
	 * pnext - Next network in per-priority list
	 *
	 * This pointer can be used to iterate over all networks in the same
	 * priority class. The heads of these lists are stored in the pssid
	 * fields of struct wpa_config.
	 */
	struct wpa_ssid *pnext;

	/**
	 * id - Unique id for the network
	 *
	 * This identifier is used as a unique identifier for each network
	 * block when using the control interface. Each network is allocated an
	 * id when it is being created, either when reading the configuration
	 * file or when a new network is added through the control interface.
	 */
	int id;

	/**
	 * priority - Priority group
	 *
	 * By default, all networks will get same priority group (0). If some
	 * of the networks are more desirable, this field can be used to change
	 * the order in which wpa_supplicant goes through the networks when
	 * selecting a BSS. The priority groups will be iterated in decreasing
	 * priority (i.e., the larger the priority value, the sooner the
	 * network is matched against the scan results). Within each priority
	 * group, networks will be selected based on security policy, signal
	 * strength, etc.
	 *
	 * Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are
	 * not using this priority to select the order for scanning. Instead,
	 * they try the networks in the order that is used in the configuration
	 * file.
	 */
	int priority;

	/**
	 * ssid - Service set identifier (network name)
	 *
	 * This is the SSID for the network. For wireless interfaces, this is
	 * used to select which network will be used. If set to %NULL (or
	 * ssid_len=0), any SSID can be used. For wired interfaces, this must
	 * be set to %NULL. Note: SSID may contain any characters, even nul
	 * (ASCII 0) and as such, this should not be assumed to be a nul
	 * terminated string. ssid_len defines how many characters are valid
	 * and the ssid field is not guaranteed to be nul terminated.
	 *
	 * MAX_SSID_LEN gives the expected upper bound for ssid_len; the
	 * parser that enforces it is not in this header.
	 */
	u8 *ssid;

	/**
	 * ssid_len - Length of the SSID
	 */
	size_t ssid_len;

	/**
	 * bssid - BSSID
	 *
	 * If set, this network block is used only when associating with the AP
	 * using the configured BSSID
	 */
	u8 bssid[ETH_ALEN];

	/**
	 * bssid_set - Whether BSSID is configured for this network
	 */
	int bssid_set;

	/**
	 * psk - WPA pre-shared key (256 bits)
	 *
	 * Secret material; stored in plaintext.
	 */
	u8 psk[PMK_LEN];

	/**
	 * psk_set - Whether PSK field is configured
	 */
	int psk_set;

	/**
	 * passphrase - WPA ASCII passphrase
	 *
	 * If this is set, psk will be generated using the SSID and passphrase
	 * configured for the network. ASCII passphrase must be between 8 and
	 * 63 characters (inclusive).
	 *
	 * Secret material; stored in plaintext.
	 */
	char *passphrase;

	/**
	 * pairwise_cipher - Bitfield of allowed pairwise ciphers, WPA_CIPHER_*
	 */
	int pairwise_cipher;

	/**
	 * group_cipher - Bitfield of allowed group ciphers, WPA_CIPHER_*
	 */
	int group_cipher;

	/**
	 * key_mgmt - Bitfield of allowed key management protocols
	 *
	 * WPA_KEY_MGMT_*
	 */
	int key_mgmt;

	/**
	 * proto - Bitfield of allowed protocols, WPA_PROTO_*
	 */
	int proto;

	/**
	 * auth_alg - Bitfield of allowed authentication algorithms
	 *
	 * WPA_AUTH_ALG_*
	 */
	int auth_alg;

	/**
	 * scan_ssid - Scan this SSID with Probe Requests
	 *
	 * scan_ssid can be used to scan for APs using hidden SSIDs.
	 * Note: Many drivers do not support this. ap_mode=2 can be used with
	 * such drivers to use hidden SSIDs.
	 *
	 * Probe Requests carry the SSID in the clear, so enabling this
	 * discloses the configured network name to anyone in radio range.
	 */
	int scan_ssid;

#ifdef IEEE8021X_EAPOL

	/**
	 * identity - EAP Identity
	 */
	u8 *identity;

	/**
	 * identity_len - EAP Identity length
	 */
	size_t identity_len;

	/**
	 * anonymous_identity - Anonymous EAP Identity
	 *
	 * This field is used for unencrypted use with EAP types that support
	 * different tunnelled identity, e.g., EAP-TTLS, in order to reveal the
	 * real identity (identity field) only to the authentication server.
	 */
	u8 *anonymous_identity;

	/**
	 * anonymous_identity_len - Length of anonymous_identity
	 */
	size_t anonymous_identity_len;

	/**
	 * eappsk - EAP-PSK/PAX/SAKE pre-shared key
	 *
	 * Secret material; stored in plaintext.
	 */
	u8 *eappsk;

	/**
	 * eappsk_len - EAP-PSK/PAX/SAKE pre-shared key length
	 *
	 * This field is always 16 for the current version of EAP-PSK/PAX and
	 * 32 for EAP-SAKE (see EAP_PSK_LEN_MIN / EAP_PSK_LEN_MAX above).
	 */
	size_t eappsk_len;

	/**
	 * nai - User NAI (for EAP-PSK/PAX/SAKE)
	 */
	u8 *nai;

	/**
	 * nai_len - Length of nai field
	 */
	size_t nai_len;

	/**
	 * password - Password string for EAP
	 *
	 * Secret material; stored in plaintext. Not necessarily nul
	 * terminated; password_len gives the valid length.
	 */
	u8 *password;

	/**
	 * password_len - Length of password field
	 */
	size_t password_len;

	/**
	 * ca_cert - File path to CA certificate file (PEM/DER)
	 *
	 * This file can have one or more trusted CA certificates. If ca_cert
	 * and ca_path are not included, server certificate will not be
	 * verified. This is insecure and a trusted CA certificate should
	 * always be configured when using EAP-TLS/TTLS/PEAP. Full path to the
	 * file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 *
	 * On Windows, trusted CA certificates can be loaded from the system
	 * certificate store by setting this to cert_store://<name>, e.g.,
	 * ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
	 * Note that when running wpa_supplicant as an application, the user
	 * certificate store (My user account) is used, whereas computer store
	 * (Computer account) is used when running wpasvc as a service.
	 */
	u8 *ca_cert;

	/**
	 * ca_path - Directory path for CA certificate files (PEM)
	 *
	 * This path may contain multiple CA certificates in OpenSSL format.
	 * Common use for this is to point to system trusted CA list which is
	 * often installed into directory like /etc/ssl/certs. If configured,
	 * these certificates are added to the list of trusted CAs. ca_cert
	 * may also be included in that case, but it is not required.
	 */
	u8 *ca_path;

	/**
	 * client_cert - File path to client certificate file (PEM/DER)
	 *
	 * This field is used with EAP methods that use TLS authentication.
	 * Usually, this is only configured for EAP-TLS, even though this could
	 * in theory be used with EAP-TTLS and EAP-PEAP, too. Full path to the
	 * file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 */
	u8 *client_cert;

	/**
	 * private_key - File path to client private key file (PEM/DER/PFX)
	 *
	 * When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
	 * commented out. Both the private key and certificate will be read
	 * from the PKCS#12 file in this case. Full path to the file should be
	 * used since working directory may change when wpa_supplicant is run
	 * in the background.
	 *
	 * Windows certificate store can be used by leaving client_cert out and
	 * configuring private_key in one of the following formats:
	 *
	 * cert://substring_to_match
	 *
	 * hash://certificate_thumbprint_in_hex
	 *
	 * For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
	 *
	 * Note that when running wpa_supplicant as an application, the user
	 * certificate store (My user account) is used, whereas computer store
	 * (Computer account) is used when running wpasvc as a service.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 */
	u8 *private_key;

	/**
	 * private_key_passwd - Password for private key file
	 *
	 * If left out, this will be asked through control interface.
	 *
	 * Secret material; stored in plaintext.
	 */
	u8 *private_key_passwd;

	/**
	 * dh_file - File path to DH/DSA parameters file (in PEM format)
	 *
	 * This is an optional configuration file for setting parameters for an
	 * ephemeral DH key exchange. In most cases, the default RSA
	 * authentication does not use this configuration. However, it is
	 * possible to set up RSA to use ephemeral DH key exchange. In addition,
	 * ciphers with DSA keys always use ephemeral DH keys. This can be used
	 * to achieve forward secrecy. If the file is in DSA parameters format,
	 * it will be automatically converted into DH params. Full path to the
	 * file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 */
	u8 *dh_file;

	/**
	 * subject_match - Constraint for server certificate subject
	 *
	 * This substring is matched against the subject of the authentication
	 * server certificate. If this string is set, the server certificate is
	 * only accepted if it contains this string in the subject. The subject
	 * string is in following format:
	 *
	 * /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@n.example.com
	 *
	 * Because this is a plain substring match, a short or generic value
	 * can also match other certificates issued by the same CA; use the
	 * most specific value available (e.g., the full CN= component).
	 */
	u8 *subject_match;

	/**
	 * altsubject_match - Constraint for server certificate alt. subject
	 *
	 * Semicolon separated string of entries to be matched against the
	 * alternative subject name of the authentication server certificate.
	 * If this string is set, the server certificate is only accepted if it
	 * contains one of the entries in an alternative subject name
	 * extension.
	 *
	 * altSubjectName string is in following format: TYPE:VALUE
	 *
	 * Example: EMAIL:server@example.com
	 * Example: DNS:server.example.com;DNS:server2.example.com
	 *
	 * Following types are supported: EMAIL, DNS, URI
	 */
	u8 *altsubject_match;

	/**
	 * ca_cert2 - File path to CA certificate file (PEM/DER) (Phase 2)
	 *
	 * This file can have one or more trusted CA certificates. If ca_cert2
	 * and ca_path2 are not included, server certificate will not be
	 * verified. This is insecure and a trusted CA certificate should
	 * always be configured. Full path to the file should be used since
	 * working directory may change when wpa_supplicant is run in the
	 * background.
	 *
	 * This field is like ca_cert, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 */
	u8 *ca_cert2;

	/**
	 * ca_path2 - Directory path for CA certificate files (PEM) (Phase 2)
	 *
	 * This path may contain multiple CA certificates in OpenSSL format.
	 * Common use for this is to point to system trusted CA list which is
	 * often installed into directory like /etc/ssl/certs. If configured,
	 * these certificates are added to the list of trusted CAs. ca_cert
	 * may also be included in that case, but it is not required.
	 *
	 * This field is like ca_path, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 */
	u8 *ca_path2;

	/**
	 * client_cert2 - File path to client certificate file
	 *
	 * This field is like client_cert, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
	 * file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 */
	u8 *client_cert2;

	/**
	 * private_key2 - File path to client private key file
	 *
	 * This field is like private_key, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
	 * file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 */
	u8 *private_key2;

	/**
	 * private_key2_passwd - Password for private key file
	 *
	 * This field is like private_key_passwd, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 *
	 * Secret material; stored in plaintext.
	 */
	u8 *private_key2_passwd;

	/**
	 * dh_file2 - File path to DH/DSA parameters file (in PEM format)
	 *
	 * This field is like dh_file, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
	 * file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 *
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 */
	u8 *dh_file2;

	/**
	 * subject_match2 - Constraint for server certificate subject
	 *
	 * This field is like subject_match, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication. The same substring
	 * matching caveat applies.
	 */
	u8 *subject_match2;

	/**
	 * altsubject_match2 - Constraint for server certificate alt. subject
	 *
	 * This field is like altsubject_match, but used for phase 2 (inside
	 * EAP-TTLS/PEAP/FAST tunnel) authentication.
	 */
	u8 *altsubject_match2;

	/**
	 * eap_methods - Allowed EAP methods
	 *
	 * (vendor=EAP_VENDOR_IETF,method=EAP_TYPE_NONE) terminated list of
	 * allowed EAP methods or %NULL if all methods are accepted.
	 *
	 * struct eap_method_type is not defined in this header; only a
	 * pointer to it is stored here.
	 */
	struct eap_method_type *eap_methods;

	/**
	 * phase1 - Phase 1 (outer authentication) parameters
	 *
	 * String with field-value pairs, e.g., "peapver=0" or
	 * "peapver=1 peaplabel=1".
	 *
	 * 'peapver' can be used to force which PEAP version (0 or 1) is used.
	 *
	 * 'peaplabel=1' can be used to force new label, "client PEAP
	 * encryption", to be used during key derivation when PEAPv1 or newer.
	 *
	 * Most existing PEAPv1 implementations seem to be using the old label,
	 * "client EAP encryption", and wpa_supplicant is now using that as the
	 * default value.
	 *
	 * Some servers, e.g., Radiator, may require peaplabel=1 configuration
	 * to interoperate with PEAPv1; see eap_testing.txt for more details.
	 *
	 * 'peap_outer_success=0' can be used to terminate PEAP authentication
	 * on tunneled EAP-Success. This is required with some RADIUS servers
	 * that implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
	 * Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode).
	 *
	 * include_tls_length=1 can be used to force wpa_supplicant to include
	 * TLS Message Length field in all TLS messages even if they are not
	 * fragmented.
	 *
	 * sim_min_num_chal=3 can be used to configure EAP-SIM to require three
	 * challenges (by default, it accepts 2 or 3).
	 *
	 * fast_provisioning=1 can be used to enable in-line provisioning of
	 * EAP-FAST credentials (PAC)
	 */
	char *phase1;

	/**
	 * phase2 - Phase2 (inner authentication with TLS tunnel) parameters
	 *
	 * String with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
	 * "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS.
	 */
	char *phase2;

	/**
	 * pcsc - Parameters for PC/SC smartcard interface for USIM and GSM SIM
	 *
	 * This field is used to configure PC/SC smartcard interface.
	 * Currently, the only configuration is whether this field is %NULL (do
	 * not use PC/SC) or non-NULL (e.g., "") to enable PC/SC.
	 *
	 * This field is used for EAP-SIM and EAP-AKA.
	 */
	char *pcsc;

	/**
	 * pin - PIN for USIM, GSM SIM, and smartcards
	 *
	 * This field is used to configure PIN for SIM and smartcards for
	 * EAP-SIM and EAP-AKA. In addition, this is used with EAP-TLS if a
	 * smartcard is used for private key operations.
	 *
	 * If left out, this will be asked through control interface.
	 *
	 * Secret material; stored in plaintext.
	 */
	char *pin;

	/**
	 * engine - Enable OpenSSL engine (e.g., for smartcard access)
	 *
	 * This is used if private key operations for EAP-TLS are performed
	 * using a smartcard.
	 */
	int engine;

	/**
	 * engine_id - Engine ID for OpenSSL engine
	 *
	 * "opensc" to select OpenSC engine or "pkcs11" to select PKCS#11
	 * engine.
	 *
	 * This is used if private key operations for EAP-TLS are performed
	 * using a smartcard.
	 */
	char *engine_id;

	/**
	 * key_id - Key ID for OpenSSL engine
	 *
	 * This is used if private key operations for EAP-TLS are performed
	 * using a smartcard.
	 */
	char *key_id;

	/*
	 * EAPOL option bits for eapol_flags. Defined here so they are only
	 * visible when IEEE8021X_EAPOL is enabled; DEFAULT_EAPOL_FLAGS at the
	 * top of this header expands to them.
	 */
#define EAPOL_FLAG_REQUIRE_KEY_UNICAST BIT(0)
#define EAPOL_FLAG_REQUIRE_KEY_BROADCAST BIT(1)
	/**
	 * eapol_flags - Bit field of IEEE 802.1X/EAPOL options (EAPOL_FLAG_*)
	 */
	int eapol_flags;

#endif /* IEEE8021X_EAPOL */

#define NUM_WEP_KEYS 4
#define MAX_WEP_KEY_LEN 16
	/**
	 * wep_key - WEP keys
	 *
	 * Static keys for legacy WEP networks; WEP offers no meaningful
	 * confidentiality and these are secret material stored in plaintext.
	 */
	u8 wep_key[NUM_WEP_KEYS][MAX_WEP_KEY_LEN];

	/**
	 * wep_key_len - WEP key lengths
	 */
	size_t wep_key_len[NUM_WEP_KEYS];

	/**
	 * wep_tx_keyidx - Default key index for TX frames using WEP
	 */
	int wep_tx_keyidx;

	/**
	 * proactive_key_caching - Enable proactive key caching
	 *
	 * This field can be used to enable proactive key caching which is also
	 * known as opportunistic PMKSA caching for WPA2. This is disabled (0)
	 * by default. Enable by setting this to 1.
	 *
	 * Proactive key caching is used to make supplicant assume that the APs
	 * are using the same PMK and generate PMKSA cache entries without
	 * doing RSN pre-authentication. This requires support from the AP side
	 * and is normally used with wireless switches that co-locate the
	 * authenticator.
	 */
	int proactive_key_caching;

	/**
	 * mixed_cell - Whether mixed cells are allowed
	 *
	 * This option can be used to configure whether so called mixed cells,
	 * i.e., networks that use both plaintext and encryption in the same
	 * SSID, are allowed. This is disabled (0) by default. Enable by
	 * setting this to 1.
	 */
	int mixed_cell;

#ifdef IEEE8021X_EAPOL

	/**
	 * otp - One-time-password
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when OTP is entered through the control interface.
	 *
	 * Secret material; stored in plaintext.
	 */
	u8 *otp;

	/**
	 * otp_len - Length of the otp field
	 */
	size_t otp_len;

	/**
	 * pending_req_identity - Whether there is a pending identity request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	int pending_req_identity;

	/**
	 * pending_req_password - Whether there is a pending password request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	int pending_req_password;

	/**
	 * pending_req_pin - Whether there is a pending PIN request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	int pending_req_pin;

	/**
	 * pending_req_new_password - Pending password update request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	int pending_req_new_password;

	/**
	 * pending_req_passphrase - Pending passphrase request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 */
	int pending_req_passphrase;

	/**
	 * pending_req_otp - Whether there is a pending OTP request
	 *
	 * This field should not be set in configuration step. It is only used
	 * internally when control interface is used to request needed
	 * information.
	 *
	 * Unlike the other pending_req_* members this is a string (the
	 * request text), not an int flag; pending_req_otp_len holds its
	 * length.
	 */
	char *pending_req_otp;

	/**
	 * pending_req_otp_len - Length of the pending OTP request
	 */
	size_t pending_req_otp_len;

	/**
	 * leap - Number of EAP methods using LEAP
	 *
	 * This field should be set to 1 if LEAP is enabled. This is used to
	 * select IEEE 802.11 authentication algorithm.
	 */
	int leap;

	/**
	 * non_leap - Number of EAP methods not using LEAP
	 *
	 * This field should be set to >0 if any EAP method other than LEAP is
	 * enabled. This is used to select IEEE 802.11 authentication
	 * algorithm.
	 */
	int non_leap;

	/**
	 * eap_workaround - EAP workarounds enabled
	 *
	 * wpa_supplicant supports number of "EAP workarounds" to work around
	 * interoperability issues with incorrectly behaving authentication
	 * servers. This is recommended to be enabled by default because some
	 * of the issues are present in large number of authentication servers.
	 *
	 * Strict EAP conformance mode can be configured by disabling
	 * workarounds with eap_workaround = 0.
	 *
	 * DEFAULT_EAP_WORKAROUND (all bits set) is the value used when the
	 * configuration does not specify one.
	 */
	unsigned int eap_workaround;

	/**
	 * pac_file - File path or blob name for the PAC entries (EAP-FAST)
	 *
	 * wpa_supplicant will need to be able to create this file and write
	 * updates to it when PAC is being provisioned or refreshed. Full path
	 * to the file should be used since working directory may change when
	 * wpa_supplicant is run in the background.
	 * Alternatively, a named configuration blob can be used by setting
	 * this to blob://<blob name>.
	 */
	char *pac_file;

#endif /* IEEE8021X_EAPOL */

	/**
	 * mode - IEEE 802.11 operation mode (Infrastructure/IBSS)
	 *
	 * 0 = infrastructure (Managed) mode, i.e., associate with an AP.
	 *
	 * 1 = IBSS (ad-hoc, peer-to-peer)
	 *
	 * Note: IBSS can only be used with key_mgmt NONE (plaintext and
	 * static WEP) and key_mgmt=WPA-NONE (fixed group key TKIP/CCMP). In
	 * addition, ap_scan has to be set to 2 for IBSS. WPA-None requires
	 * following network block options: proto=WPA, key_mgmt=WPA-NONE,
	 * pairwise=NONE, group=TKIP (or CCMP, but not both), and psk must also
	 * be set (either directly or using ASCII passphrase).
	 */
	int mode;

#ifdef IEEE8021X_EAPOL

	/**
	 * mschapv2_retry - MSCHAPv2 retry in progress
	 *
	 * This field is used internally by EAP-MSCHAPv2 and should not be set
	 * as part of configuration.
	 */
	int mschapv2_retry;

	/**
	 * new_password - New password for password update
	 *
	 * This field is used during MSCHAPv2 password update. This is normally
	 * requested from the user through the control interface and not set
	 * from configuration.
	 *
	 * Secret material; stored in plaintext.
	 */
	u8 *new_password;

	/**
	 * new_password_len - Length of new_password field
	 */
	size_t new_password_len;

#endif /* IEEE8021X_EAPOL */

	/**
	 * disabled - Whether this network is currently disabled
	 *
	 * 0 = this network can be used (default).
	 * 1 = this network block is disabled (can be enabled through
	 * ctrl_iface, e.g., with wpa_cli or wpa_gui).
	 */
	int disabled;

	/**
	 * peerkey - Whether PeerKey handshake for direct links is allowed
	 *
	 * This is only used when both RSN/WPA2 and IEEE 802.11e (QoS) are
	 * enabled.
	 *
	 * 0 = disabled (default)
	 * 1 = enabled
	 */
	int peerkey;

#ifdef IEEE8021X_EAPOL

	/**
	 * fragment_size - Maximum EAP fragment size in bytes (default 1398)
	 *
	 * This value limits the fragment size for EAP methods that support
	 * fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
	 * small enough to make the EAP messages fit in MTU of the network
	 * interface used for EAPOL. The default value is suitable for most
	 * cases (see DEFAULT_FRAGMENT_SIZE).
	 */
	int fragment_size;

#endif /* IEEE8021X_EAPOL */

	/**
	 * id_str - Network identifier string for external scripts
	 *
	 * This value is passed to external ctrl_iface monitors in
	 * WPA_EVENT_CONNECTED event and wpa_cli sets this as WPA_ID_STR
	 * environment variable for action scripts.
	 *
	 * Since it ends up in the environment of external scripts, it should
	 * only be set from trusted configuration.
	 */
	char *id_str;

#ifdef CONFIG_IEEE80211W
	/**
	 * ieee80211w - Whether management frame protection is enabled
	 *
	 * This value is used to configure policy for management frame
	 * protection (IEEE 802.11w). 0 = disabled, 1 = optional, 2 = required.
	 */
	enum {
		NO_IEEE80211W = 0,
		IEEE80211W_OPTIONAL = 1,
		IEEE80211W_REQUIRED = 2
	} ieee80211w;
#endif /* CONFIG_IEEE80211W */

	/**
	 * frequency - Channel frequency in megahertz (MHz) for IBSS
	 *
	 * This value is used to configure the initial channel for IBSS (adhoc)
	 * networks, e.g., 2412 = IEEE 802.11b/g channel 1. It is ignored in
	 * the infrastructure mode. In addition, this value is only used by the
	 * station that creates the IBSS. If an IBSS network with the
	 * configured SSID is already present, the frequency of the network
	 * will be used instead of this configured value.
	 */
	int frequency;
};

/**
 * wpa_config_allowed_eap_method - Check whether an EAP method is allowed
 * @ssid: Network block whose eap_methods list is consulted
 * @vendor: EAP vendor identifier
 * @method: EAP method type
 * Returns: presumably non-zero if the (vendor, method) pair is permitted by
 * ssid->eap_methods (or if that list is %NULL) — the definition is not in
 * this header; confirm against it.
 */
int wpa_config_allowed_eap_method(struct wpa_ssid *ssid, int vendor,
				  u32 method);

#endif /* CONFIG_SSID_H */