2 * WPA Supplicant / Network configuration structures
3 * Copyright (c) 2003-2005, Jouni Malinen <jkmaline@cc.hut.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
18 #define WPA_CIPHER_NONE BIT(0)
19 #define WPA_CIPHER_WEP40 BIT(1)
20 #define WPA_CIPHER_WEP104 BIT(2)
21 #define WPA_CIPHER_TKIP BIT(3)
22 #define WPA_CIPHER_CCMP BIT(4)
24 #define WPA_KEY_MGMT_IEEE8021X BIT(0)
25 #define WPA_KEY_MGMT_PSK BIT(1)
26 #define WPA_KEY_MGMT_NONE BIT(2)
27 #define WPA_KEY_MGMT_IEEE8021X_NO_WPA BIT(3)
28 #define WPA_KEY_MGMT_WPA_NONE BIT(4)
30 #define WPA_PROTO_WPA BIT(0)
31 #define WPA_PROTO_RSN BIT(1)
33 #define WPA_AUTH_ALG_OPEN BIT(0)
34 #define WPA_AUTH_ALG_SHARED BIT(1)
35 #define WPA_AUTH_ALG_LEAP BIT(2)
37 #define MAX_SSID_LEN 32
39 #define EAP_PSK_LEN 16
42 #define DEFAULT_EAP_WORKAROUND ((unsigned int) -1)
43 #define DEFAULT_EAPOL_FLAGS (EAPOL_FLAG_REQUIRE_KEY_UNICAST | \
44 EAPOL_FLAG_REQUIRE_KEY_BROADCAST)
45 #define DEFAULT_PROTO (WPA_PROTO_WPA | WPA_PROTO_RSN)
46 #define DEFAULT_KEY_MGMT (WPA_KEY_MGMT_PSK | WPA_KEY_MGMT_IEEE8021X)
47 #define DEFAULT_PAIRWISE (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP)
48 #define DEFAULT_GROUP (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP | \
49 WPA_CIPHER_WEP104 | WPA_CIPHER_WEP40)
52 * struct wpa_ssid - Network configuration data
54 * This structure includes all the configuration variables for a network. This
55 * data is included in the per-interface configuration data as an element of
56 * the network list, struct wpa_config::ssid. Each network block in the
57 * configuration is mapped to a struct wpa_ssid instance.
61 * next - Next network in global list
63 * This pointer can be used to iterate over all networks. The head of
64 * this list is stored in the ssid field of struct wpa_config.
66 struct wpa_ssid *next;
69 * pnext - Next network in per-priority list
71 * This pointer can be used to iterate over all networks in the same
72 * priority class. The heads of these list are stored in the pssid
73 * fields of struct wpa_config.
75 struct wpa_ssid *pnext;
78 * id - Unique id for the network
80 * This identifier is used as a unique identifier for each network
81 * block when using the control interface. Each network is allocated an
82 * id when it is being created, either when reading the configuration
83 * file or when a new network is added through the control interface.
88 * priority - Priority group
90 * By default, all networks will get same priority group (0). If some
91 * of the networks are more desirable, this field can be used to change
92 * the order in which wpa_supplicant goes through the networks when
93 * selecting a BSS. The priority groups will be iterated in decreasing
94 * priority (i.e., the larger the priority value, the sooner the
95 * network is matched against the scan results). Within each priority
96 * group, networks will be selected based on security policy, signal
99 * Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are
100 * not using this priority to select the order for scanning. Instead,
101 * they try the networks in the order that used in the configuration
107 * ssid - Service set identifier (network name)
109 * This is the SSID for the network. For wireless interfaces, this is
110 * used to select which network will be used. If set to %NULL (or
111 * ssid_len=0), any SSID can be used. For wired interfaces, this must
112 * be set to %NULL. Note: SSID may contain any characters, even nul
113 * (ASCII 0) and as such, this should not be assumed to be a nul
114 * terminated string. ssid_len defines how many characters are valid
115 * and the ssid field is not guaranteed to be nul terminated.
120 * ssid_len - Length of the SSID
127 * If set, this network block is used only when associating with the AP
128 * using the configured BSSID
133 * bssid_set - Whether BSSID is configured for this network
138 * psk - WPA pre-shared key (256 bits)
143 * psk_set - Whether PSK field is configured
148 * passphrase - WPA ASCII passphrase
150 * If this is set, psk will be generated using the SSID and passphrase
151 * configured for the network. ASCII passphrase must be between 8 and
152 * 63 characters (inclusive).
157 * pairwise_cipher - Bitfield of allowed pairwise ciphers, WPA_CIPHER_*
162 * group_cipher - Bitfield of allowed group ciphers, WPA_CIPHER_*
167 * key_mgmt - Bitfield of allowed key management protocols
174 * proto - Bitfield of allowed protocols, WPA_PROTO_*
179 * auth_alg - Bitfield of allowed authentication algorithms
186 * scan_ssid - Scan this SSID with Probe Requests
188 * scan_ssid can be used to scan for APs using hidden SSIDs.
189 * Note: Many drivers do not support this. ap_mode=2 can be used with
190 * such drivers to use hidden SSIDs.
195 * identity - EAP Identity
200 * identity_len - EAP Identity length
205 * anonymous_identity - Anonymous EAP Identity
207 * This field is used for unencrypted use with EAP types that support
208 * different tunnelled identity, e.g., EAP-TTLS, in order to reveal the
209 * real identity (identity field) only to the authentication server.
211 u8 *anonymous_identity;
214 * anonymous_identity_len - Length of anonymous_identity
216 size_t anonymous_identity_len;
219 * eappsk - EAP-PSK pre-shared key
224 * eappsk_len - EAP-PSK pre-shared key length
226 * This field is always 16 for the current version of EAP-PSK.
231 * nai - User NAI (for EAP-PSK)
236 * nai_len - Length of nai field
241 * password - Password string for EAP
246 * password_len - Length of password field
251 * ca_cert - File path to CA certificate file (PEM/DER)
253 * This file can have one or more trusted CA certificates. If ca_cert
254 * and ca_path are not included, server certificate will not be
255 * verified. This is insecure and a trusted CA certificate should
256 * always be configured when using EAP-TLS/TTLS/PEAP. Full path to the
257 * file should be used since working directory may change when
258 * wpa_supplicant is run in the background.
260 * Alternatively, a named configuration blob can be used by setting
261 * this to blob://<blob name>.
263 * On Windows, trusted CA certificates can be loaded from the system
264 * certificate store by setting this to cert_store://<name>, e.g.,
265 * ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
270 * ca_path - Directory path for CA certificate files (PEM)
272 * This path may contain multiple CA certificates in OpenSSL format.
273 * Common use for this is to point to system trusted CA list which is
274 * often installed into directory like /etc/ssl/certs. If configured,
275 * these certificates are added to the list of trusted CAs. ca_cert
276 * may also be included in that case, but it is not required.
281 * client_cert - File path to client certificate file (PEM/DER)
283 * This field is used with EAP method that use TLS authentication.
284 * Usually, this is only configured for EAP-TLS, even though this could
285 * in theory be used with EAP-TTLS and EAP-PEAP, too. Full path to the
286 * file should be used since working directory may change when
287 * wpa_supplicant is run in the background.
289 * Alternatively, a named configuration blob can be used by setting
290 * this to blob://<blob name>.
295 * private_key - File path to client private key file (PEM/DER/PFX)
297 * When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
298 * commented out. Both the private key and certificate will be read
299 * from the PKCS#12 file in this case. Full path to the file should be
300 * used since working directory may change when wpa_supplicant is run
303 * Windows certificate store can be used by leaving client_cert out and
304 * configuring private_key in one of the following formats:
306 * cert://substring_to_match
308 * hash://certificate_thumbprint_in_hex
310 * For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
312 * Alternatively, a named configuration blob can be used by setting
313 * this to blob://<blob name>.
318 * private_key_passwd - Password for private key file
320 * If left out, this will be asked through control interface.
322 u8 *private_key_passwd;
325 * dh_file - File path to DH/DSA parameters file (in PEM format)
327 * This is an optional configuration file for setting parameters for an
328 * ephemeral DH key exchange. In most cases, the default RSA
329 * authentication does not use this configuration. However, it is
330 * possible setup RSA to use ephemeral DH key exchange. In addition,
331 * ciphers with DSA keys always use ephemeral DH keys. This can be used
332 * to achieve forward secrecy. If the file is in DSA parameters format,
333 * it will be automatically converted into DH params. Full path to the
334 * file should be used since working directory may change when
335 * wpa_supplicant is run in the background.
337 * Alternatively, a named configuration blob can be used by setting
338 * this to blob://<blob name>.
343 * subject_match - Constraint for server certificate subject
345 * This substring is matched against the subject of the authentication
346 * server certificate. If this string is set, the server sertificate is
347 * only accepted if it contains this string in the subject. The subject
348 * string is in following format:
350 * /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@n.example.com
355 * altsubject_match - Constraint for server certificate alt. subject
357 * This substring is matched against the alternative subject name of
358 * the authentication server certificate. If this string is set, the
359 * server sertificate is only accepted if it contains this string in an
360 * alternative subject name extension.
362 * altSubjectName string is in following format: TYPE:VALUE
364 * Example: DNS:server.example.com
366 * Following types are supported: EMAIL, DNS, URI
368 u8 *altsubject_match;
371 * ca_cert2 - File path to CA certificate file (PEM/DER) (Phase 2)
373 * This file can have one or more trusted CA certificates. If ca_cert2
374 * and ca_path2 are not included, server certificate will not be
375 * verified. This is insecure and a trusted CA certificate should
376 * always be configured. Full path to the file should be used since
377 * working directory may change when wpa_supplicant is run in the
380 * This field is like ca_cert, but used for phase 2 (inside
381 * EAP-TTLS/PEAP/FAST tunnel) authentication.
383 * Alternatively, a named configuration blob can be used by setting
384 * this to blob://<blob name>.
389 * ca_path2 - Directory path for CA certificate files (PEM) (Phase 2)
391 * This path may contain multiple CA certificates in OpenSSL format.
392 * Common use for this is to point to system trusted CA list which is
393 * often installed into directory like /etc/ssl/certs. If configured,
394 * these certificates are added to the list of trusted CAs. ca_cert
395 * may also be included in that case, but it is not required.
397 * This field is like ca_path, but used for phase 2 (inside
398 * EAP-TTLS/PEAP/FAST tunnel) authentication.
403 * client_cert2 - File path to client certificate file
405 * This field is like client_cert, but used for phase 2 (inside
406 * EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
407 * file should be used since working directory may change when
408 * wpa_supplicant is run in the background.
410 * Alternatively, a named configuration blob can be used by setting
411 * this to blob://<blob name>.
416 * private_key2 - File path to client private key file
418 * This field is like private_key, but used for phase 2 (inside
419 * EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
420 * file should be used since working directory may change when
421 * wpa_supplicant is run in the background.
423 * Alternatively, a named configuration blob can be used by setting
424 * this to blob://<blob name>.
429 * private_key2_passwd - Password for private key file
431 * This field is like private_key_passwd, but used for phase 2 (inside
432 * EAP-TTLS/PEAP/FAST tunnel) authentication.
434 u8 *private_key2_passwd;
437 * dh_file2 - File path to DH/DSA parameters file (in PEM format)
439 * This field is like dh_file, but used for phase 2 (inside
440 * EAP-TTLS/PEAP/FAST tunnel) authentication. Full path to the
441 * file should be used since working directory may change when
442 * wpa_supplicant is run in the background.
444 * Alternatively, a named configuration blob can be used by setting
445 * this to blob://<blob name>.
450 * subject_match2 - Constraint for server certificate subject
452 * This field is like subject_match, but used for phase 2 (inside
453 * EAP-TTLS/PEAP/FAST tunnel) authentication.
458 * altsubject_match2 - Constraint for server certificate alt. subject
460 * This field is like altsubject_match, but used for phase 2 (inside
461 * EAP-TTLS/PEAP/FAST tunnel) authentication.
463 u8 *altsubject_match2;
466 * eap_methods - Allowed EAP methods
468 * Zero (EAP_TYPE_NONE) terminated list of allowed EAP methods or %NULL
469 * if all methods are accepted.
474 * phase1 - Phase 1 (outer authentication) parameters
476 * String with field-value pairs, e.g., "peapver=0" or
477 * "peapver=1 peaplabel=1".
479 * 'peapver' can be used to force which PEAP version (0 or 1) is used.
481 * 'peaplabel=1' can be used to force new label, "client PEAP
482 * encryption", to be used during key derivation when PEAPv1 or newer.
484 * Most existing PEAPv1 implementation seem to be using the old label,
485 * "client EAP encryption", and wpa_supplicant is now using that as the
488 * Some servers, e.g., Radiator, may require peaplabel=1 configuration
489 * to interoperate with PEAPv1; see eap_testing.txt for more details.
491 * 'peap_outer_success=0' can be used to terminate PEAP authentication
492 * on tunneled EAP-Success. This is required with some RADIUS servers
493 * that implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
494 * Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode).
496 * include_tls_length=1 can be used to force wpa_supplicant to include
497 * TLS Message Length field in all TLS messages even if they are not
500 * sim_min_num_chal=3 can be used to configure EAP-SIM to require three
501 * challenges (by default, it accepts 2 or 3).
503 * fast_provisioning=1 can be used to enable in-line provisioning of
504 * EAP-FAST credentials (PAC)
509 * phase2 - Phase2 (inner authentication with TLS tunnel) parameters
511 * String with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
512 * "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS.
517 * pcsc - Parameters for PC/SC smartcard interface for USIM and GSM SIM
519 * This field is used to configure PC/SC smartcard interface.
520 * Currently, the only configuration is whether this field is %NULL (do
521 * not use PC/SC) or non-NULL (e.g., "") to enable PC/SC.
523 * This field is used for EAP-SIM and EAP-AKA.
528 * pin - PIN for USIM, GSM SIM, and smartcards
530 * This field is used to configure PIN for SIM and smartcards for
531 * EAP-SIM and EAP-AKA. In addition, this is used with EAP-TLS if a
532 * smartcard is used for private key operations.
534 * If left out, this will be asked through control interface.
539 * engine - Enable OpenSSL engine (e.g., for smartcard access)
541 * This is used if private key operations for EAP-TLS are performed
547 * engine_id - Engine ID for OpenSSL engine
549 * "opensc" to select OpenSC engine or "pkcs11" to select PKCS#11
552 * This is used if private key operations for EAP-TLS are performed
558 * key_id - Key ID for OpenSSL engine
560 * This is used if private key operations for EAP-TLS are performed
565 #define EAPOL_FLAG_REQUIRE_KEY_UNICAST BIT(0)
566 #define EAPOL_FLAG_REQUIRE_KEY_BROADCAST BIT(1)
568 * eapol_flags - Bit field of IEEE 802.1X/EAPOL options (EAPOL_FLAG_*)
572 #define NUM_WEP_KEYS 4
573 #define MAX_WEP_KEY_LEN 16
577 u8 wep_key[NUM_WEP_KEYS][MAX_WEP_KEY_LEN];
580 * wep_key_len - WEP key lengths
582 size_t wep_key_len[NUM_WEP_KEYS];
585 * wep_tx_keyidx - Default key index for TX frames using WEP
590 * proactive_key_caching - Enable proactive key caching
592 * This field can be used to enable proactive key caching which is also
593 * known as opportunistic PMKSA caching for WPA2. This is disabled (0)
594 * by default. Enable by setting this to 1.
596 * Proactive key caching is used to make supplicant assume that the APs
597 * are using the same PMK and generate PMKSA cache entries without
598 * doing RSN pre-authentication. This requires support from the AP side
599 * and is normally used with wireless switches that co-locate the
602 int proactive_key_caching;
605 * otp - One-time-password
607 * This field should not be set in configuration step. It is only used
608 * internally when OTP is entered through the control interface.
613 * otp_len - Length of the otp field
618 * pending_req_identity - Whether there is a pending identity request
620 * This field should not be set in configuration step. It is only used
621 * internally when control interface is used to request needed
624 int pending_req_identity;
627 * pending_req_password - Whether there is a pending password request
629 * This field should not be set in configuration step. It is only used
630 * internally when control interface is used to request needed
633 int pending_req_password;
636 * pending_req_pin - Whether there is a pending PIN request
638 * This field should not be set in configuration step. It is only used
639 * internally when control interface is used to request needed
645 * pending_req_new_password - Pending password update request
647 * This field should not be set in configuration step. It is only used
648 * internally when control interface is used to request needed
651 int pending_req_new_password;
654 * pending_req_passphrase - Pending passphrase request
656 * This field should not be set in configuration step. It is only used
657 * internally when control interface is used to request needed
660 int pending_req_passphrase;
663 * pending_req_otp - Whether there is a pending OTP request
665 * This field should not be set in configuration step. It is only used
666 * internally when control interface is used to request needed
669 char *pending_req_otp;
672 * pending_req_otp_len - Length of the pending OTP request
674 size_t pending_req_otp_len;
677 * leap - Number of EAP methods using LEAP
679 * This field should be set to 1 if LEAP is enabled. This is used to
680 * select IEEE 802.11 authentication algorithm.
685 * non_leap - Number of EAP methods not using LEAP
687 * This field should be set to >0 if any EAP method other than LEAP is
688 * enabled. This is used to select IEEE 802.11 authentication
694 * eap_workaround - EAP workarounds enabled
696 * wpa_supplicant supports number of "EAP workarounds" to work around
697 * interoperability issues with incorrectly behaving authentication
698 * servers. This is recommended to be enabled by default because some
699 * of the issues are present in large number of authentication servers.
701 * Strict EAP conformance mode can be configured by disabling
702 * workarounds with eap_workaround = 0.
704 unsigned int eap_workaround;
707 * pac_file - File path or blob name for the PAC entries (EAP-FAST)
709 * wpa_supplicant will need to be able to create this file and write
710 * updates to it when PAC is being provisioned or refreshed. Full path
711 * to the file should be used since working directory may change when
712 * wpa_supplicant is run in the background.
713 * Alternatively, a named configuration blob can be used by setting
714 * this to blob://<blob name>.
719 * mode - IEEE 802.11 operation mode (Infrastucture/IBSS)
721 * 0 = infrastructure (Managed) mode, i.e., associate with an AP.
723 * 1 = IBSS (ad-hoc, peer-to-peer)
725 * Note: IBSS can only be used with key_mgmt NONE (plaintext and
726 * static WEP) and key_mgmt=WPA-NONE (fixed group key TKIP/CCMP). In
727 * addition, ap_scan has to be set to 2 for IBSS. WPA-None requires
728 * following network block options: proto=WPA, key_mgmt=WPA-NONE,
729 * pairwise=NONE, group=TKIP (or CCMP, but not both), and psk must also
730 * be set (either directly or using ASCII passphrase).
735 * mschapv2_retry - MSCHAPv2 retry in progress
737 * This field is used internally by EAP-MSCHAPv2 and should not be set
738 * as part of configuration.
743 * new_password - New password for password update
745 * This field is used during MSCHAPv2 password update. This is normally
746 * requested from the user through the control interface and not set
747 * from configuration.
752 * new_password_len - Length of new_password field
754 size_t new_password_len;
757 * disabled - Whether this network is currently disabled
759 * 0 = this network can be used (default).
760 * 1 = this network block is disabled (can be enabled through
761 * ctrl_iface, e.g., with wpa_cli or wpa_gui).
766 int wpa_config_allowed_eap_method(struct wpa_ssid *ssid, int method);
768 #endif /* CONFIG_SSID_H */