Commit Graph

135 Commits

Author SHA1 Message Date
Jouni Malinen
c267753ba2 Add support for using random local MAC address
This adds experimental support for wpa_supplicant to assign random local
MAC addresses for both pre-association cases (scan, GAS/ANQP) and for
connections. MAC address policy for each part can be controlled
separately and the connection part can be set per network block.

This requires support from the driver to allow local MAC address to be
changed if random address policy is enabled. It should also be noted
that number of drivers would not support concurrent operations (e.g.,
P2P and station association) with random addresses in use for one or
both.

This functionality can be controlled with the global configuration
parameters mac_addr and preassoc_mac_addr which set the default MAC
address policies for connections and pre-association operations (scan
and GAS/ANQP while not connected). The global rand_addr_lifetime
parameter can be used to set the lifetime of a random MAC address in
seconds (default: 60 seconds). This is used to avoid unnecessarily
frequent MAC address changes since those are likely to result in driver
clearing most of its state. It should be noted that the random MAC
address does not expire during an ESS connection, i.e., this lifetime is
only for the case where the device is disconnected.

The mac_addr parameter can also be set in the network blocks to define
different behavior per network. For example, the global mac_addr=1 and
preassoc_mac_addr=1 settings and mac_addr=0 in a home network profile
would result in behavior where all scanning is performed using a random
MAC address while connections to new networks (e.g.,
Interworking/Hotspot 2.0) would use random address and connections to
the home network would use the permanent MAC address.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-09-27 20:07:19 +03:00
Jouni Malinen
1b928f96b6 P2P: Allow passphrase length to be configured
Previously, eight character random passphrase was generated
automatically for P2P GO. The new p2p_passphrase_len parameter can be
used to increase this length to generate a stronger passphrase for cases
where practicality of manual configuration of legacy devices is not a
concern.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-22 00:15:53 +03:00
Nirav Shah
d3b204694a P2P: Make the default p2p_find delay value configurable
This makes the p2p_find default delay value configurable as
p2p_search_delay parameter through the configuration file (and through
control interface "SET p2p_search_delay <value>" on the P2P management
interface.

This parameter controls the number milliseconds of extra delay that is
added between search iterations when there is a concurrent operation in
progress. This can be used, e.g., p2p_search_delay=100 to make p2p_find
friendlier to concurrent operations by avoiding it from taking 100% of
the radio resources. The default value is the previous default, i.e.,
500 ms. Smaller values can be used to find peers more quickly at the
cost of larger effect to concurrent operations while a larger value
leaves more time for the concurrent operations at the cost of making
device discovery take longer time.

The optional p2p_find delay argument can still be used to override the
search delay for each search operation.

Since the P2P_CONCURRENT_SEARCH_DELAY macro is not used anymore, the
driver specific build parameter for bcmdhd from Android.mk is also
removed. Similar configuration can now be achieved with
p2p_search_delay=0 in the p2p0 interface configuration file.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-06-09 19:43:26 +03:00
Hu Wang
dd10abccc8 MACsec: wpa_supplicant integration
Add MACsec to the wpa_supplicant build system and configuration file.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-05-09 20:42:44 +03:00
Naresh Jayaram
13f6a07efc Add SIM identifier to the network profile and cred block
This allows the specific SIM to be identified for authentication
purposes in multi-SIM devices. This SIM number represents the index of
the SIM slot. This SIM number shall be used for the authentication using
the respective SIM for the Wi-Fi connection to the corresponding
network.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-24 12:15:32 +03:00
Jouni Malinen
d41cc8ccf6 Allow HT 40 MHz intolerant flag to be set for association
This extends HT overrides to allow HT 40 MHz intolerant flag to be set
with ht40_intolerant=1.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-17 17:11:17 +03:00
Jouni Malinen
e74dd0e55b Add forgotten ampdu_factor into wpa_supplicant.conf
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-13 10:26:53 +03:00
Pawel Kulakowski
39a5800f7c wpa_supplicant: Allow disabling LDPC
Allows user to disable LDPC coding.
This possibility is useful for testing purpose.

Signed-off-by: Pawel Kulakowski <pawel.kulakowski@tieto.com>
2014-04-01 11:20:48 +03:00
David Spinadel
268043d55f bgscan: Do not initialize bgscan if disabled by user
Do not initialize bgscan if the user explicitly set bgscan to an empty
string. Without this patch wpa_supplicant tries to initialize bgscan to
the first option if the string is empty.

Signed-off-by: David Spinadel <david.spinadel@intel.com>
2014-03-04 22:26:19 +02:00
Jouni Malinen
cf6d08a63f Interworking: Add OCSP parameter to the cred block
This new parameter can be used to configure credentials to mandate use
of OCSP stapling for AAA server authentication.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:24 +02:00
Jouni Malinen
33fb8c526c HS 2.0R2: Add support for Policy/RequiredProtoPortTuple
The new credential parameter req_conn_capab can be used to specify
restrictions on roaming networks providing connectivity for a set of
protocols/ports.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:23 +02:00
Jouni Malinen
a45b2dc5dc HS 2.0R2: Add support for Policy/MaximumBSSLoadValue
The new credential parameter max_bss_load can be used to specify
restrictions on BSS Load in the home network.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:23 +02:00
Jouni Malinen
4cad9df15a HS 2.0R2: Add support for Policy/MinBackhaulThreshold
The new credential parameters min_{dl,ul}_bandwidth_{home,roaming} can
be used to specify restrictions on available backhaul bandwidth.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:23 +02:00
Jouni Malinen
aa26ba68b4 HS 2.0R2: Add tracking of provisioning SP
The new provisioning_sp cred field can now be used to track which SP
provisioned the credential. This makes it easier to find the matching
PPS MO from the management tree (./Wi-Fi/<provisioning_sp>).

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:23 +02:00
Jouni Malinen
f9cd147d6b HS 2.0R2: Update Indication element to Release 2
The HS 2.0 Indication element from wpa_supplicant now includes the
release number field and wpa_supplicant shows the release number of the
AP in STATUS command (hs20=1 replaced with hs20=<release>).

The new update_identifier field in the cred block can now be used to
configure the PPS MO ID so that wpa_supplicant adds it to the Indication
element in Association Request frames.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:22 +02:00
Jouni Malinen
bc00053c9d Interworking: Allow roaming partner configuration
The new roaming_partner parameter within a cred block can be used to
configure priorities for roaming partners.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:22 +02:00
Dmitry Shmidt
e9a6f18385 TLS: Add tls_disable_tlsv1_1 and tls_disable_tlsv1_2 phase1 params
These can be used to disable TLSv1.1 and TLSv1.2 as a workaround for AAA
servers that have issues interoperating with newer TLS versions.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2014-02-20 15:28:57 +02:00
Jouni Malinen
03ed332407 Interworking: Allow cred blocks not to be saved to a file
The new cred block parameter 'temporary' can be used to indicate that a
cred block is not to be saved to wpa_supplicant configuration file
(e.g., "SET_CRED 0 temporary 1"). This is similar to the concept of
temporary network blocks and allows cred blocks to be managed outside
the wpa_supplicant config file when other parameters are still saved to
the file written by wpa_supplicant.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-30 15:43:55 +02:00
Jouni Malinen
b2838baf6a Update IBSS documentation to include RSN option
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-23 20:21:17 +02:00
Haim Dreyfuss
3139270903 bgscan: Add global bgscan configuration
This option can be used to globally configure bgscan parameters
for all the network blocks.

Note that this configuration will not override a network block
specific bgscan settings, but will only be used in case that
the network block does not have a valid bgscan configuration.

Signed-hostap: Haim Dreyfuss <haim.dreyfuss@intel.com>
2013-11-05 10:26:31 +02:00
Jouni Malinen
65015b2d8e Replace unnecessary UTF-8 characters with ASCII versions
There is no need for using UTF-8 in these files when perfectly fine
ASCII versions of these characters exist.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-11-02 16:01:32 +02:00
Jouni Malinen
463c8ffbd5 Interworking: Add support for multiple home FQDNs
Credentials can now be configured with more than one FQDN ('domain'
field in the cred block) to perform Domain Name List matching against
multiple home domains.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-10-18 14:13:45 +03:00
Jouni Malinen
080585c01a Add support for OCSP stapling to validate server certificate
When using OpenSSL with TLS-based EAP methods, wpa_supplicant can now be
configured to use OCSP stapling (TLS certificate status request) with
ocsp=1 network block parameter. ocsp=2 can be used to require valid OCSP
response before connection is allowed to continue.

hostapd as EAP server can be configured to return cached OCSP response
using the new ocsp_stapling_response parameter and an external mechanism
for updating the response data (e.g., "openssl ocsp ..." command).

This allows wpa_supplicant to verify that the server certificate has not
been revoked as part of the EAP-TLS/PEAP/TTLS/FAST handshake before
actual data connection has been established (i.e., when a CRL could not
be fetched even if a distribution point were specified).

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-06-30 01:01:15 +03:00
Ben Greear
6124e858fd wpa_supplicant: Allow vifs to scan only current channel
If a VIF is already associated, then only scan on the associated
frequency if user requests such. This is a big help when using
lots of virtual stations.

Signed-hostap: Ben Greear <greearb@candelatech.com>
Signed-off-by: Ben Greear <greearb@candelatech.com>
2013-05-09 12:43:40 +03:00
Ben Greear
f5ffc348dc wpa_supplicant: Allow global scan frequencies configuration
This allows one to limit the channels that wpa_supplicant will
scan. This is a useful addition to the freq_list configurable
in the network {} section.

Signed-hostap: Ben Greear <greearb@candelatech.com>
2013-05-05 11:46:54 +03:00
Jouni Malinen
4342326fc7 Add ignore_old_scan_res configuration parameter
This can be used to configure wpa_supplicant to ignore old scan results
from the driver cache in cases where such results were not updated after
the scan trigger from wpa_supplicant. This can be useful in some cases
where the driver may cache information for a significant time and the AP
configuration is changing. Many such cases are for testing scripts, but
this could potentially be useful for some WPS use cases, too.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-03-31 18:05:42 +03:00
Jouni Malinen
18a2eaabe3 Add ap_vendor_elements for wpa_supplicant AP/P2P GO mode
This new parameter allows wpa_supplicant AP mode operations to use
similar design to the vendor_elements parameter in hostapd to add
vendor_elements into Beacon/Probe Response IE parameters.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-03-21 15:52:41 +02:00
Johannes Berg
e9ee8dc394 wpa_supplicant: Support VHT capability overrides
Add support for VHT capability overrides to allow testing connections
with a subset of the VHT capabilities that are actually supported by
the device. The only thing that isn't currently supported (by mac80211
and this code) is the RX/TX highest rate field.

Signed-hostap: Johannes Berg <johannes.berg@intel.com>
2013-03-10 18:04:39 +02:00
Jouni Malinen
18206e02c5 Allow wpa_supplicant AP mode to configure Beacon interval
beacon_int (in TU) can now be used to configure Beacon interval for AP
mode operations (including P2P GO) in wpa_supplicant. This can be set
either in a network block or as a global parameter in the configuration
file (or with "SET beacon_int <value>" control interface command) to
apply for all networks that do not include the beacon_int parameter to
override the default.

In addition, this commits extends the dtim_period parameter to be
available as a global parameter to set the default value. dtim_period is
now stored in the configuration file, too, if it was set.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-03-01 20:50:08 +02:00
Jouni Malinen
625f202a74 SAE: Allow enabled groups to be configured
hostapd.conf sae_groups parameter can now be used to limit the set of
groups that the AP allows for SAE. Similarly, sae_groups parameter is
wpa_supplicant.conf can be used to set the preferred order of groups. By
default, all implemented groups are enabled.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:53 +02:00
Jouni Malinen
2474ce4542 Document bgscan configuration options
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-25 20:43:07 +02:00
Ben Greear
c8d22af88f wpa_supplicant: Document HT capability overrides
Signed-off-by: Ben Greear <greearb@candelatech.com>
2012-12-18 14:49:35 +02:00
Jouni Malinen
dbea8ac7ab Interworking: Allow SSID-based network exclusion for credentials
The new excluded_ssid parameter within a cred block can be used to
excluded networks from matching with credentials.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-12-16 12:01:50 +02:00
Jouni Malinen
62d4980331 Allow PMF to be enabled by default
Previously, PMF (protected management frames, IEEE 802.11w) could be
enabled only with a per-network parameter (ieee80211w). The new global
parameter (pmf) can now be used to change the default behavior to be PMF
enabled (pmf=1) or required (pmf=2) for network blocks that do not
override this with the ieee80211w parameter.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-24 22:21:29 +02:00
Jouni Malinen
6e2020210a Allow OKC to be enabled by default
Previously, OKC (opportunistic key caching, a.k.a. proactive key
caching) could be enabled only with a per-network parameter
(proactive_key_caching). The new global parameter (okc) can now be used
to change the default behavior to be OKC enabled (okc=1) for network
blocks that do not override this with the proactive_key_caching
parameter.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-12 20:07:53 +02:00
Jouni Malinen
e026159a8e EAP-SIM/AKA: Store pseudonym identity in configuration
Use the anonymous_identity field to store EAP-SIM/AKA pseudonym identity
so that this can be maintained between EAP sessions (e.g., after
wpa_supplicant restart) even if fast re-authentication data was cleared.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-02 13:04:18 +03:00
Jouni Malinen
4d5bda5fca Interworking: Add optional use of network selection on normal scans
auto_interworking=1 configuration parameter can be used to request
wpa_supplicant to use Interworking network selection automatically as a
part of the normal (non-Interworking) network selection if the scan
results do not match with enabled networks. This makes scanning work
similarly to the "interworking_select auto" command.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-28 16:14:13 +03:00
Jouni Malinen
9af7361b3f Document TLS options in phase1/phase2
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-17 22:27:29 +03:00
Eyal Shapira
462a7439e1 Add p2p_go_max_inactivity config option
This enables setting a different max inactivity timeout for P2P GO.
This timeout is used to detect inactive clients. In some scenarios
it may be useful to have control over this and set a shorter timeout
than the default 300s. For example when running STA and P2P GO interfaces
concurrently, the STA interface may perform scans which may cause the
GO to miss a disassoc / deauth frames from a client and keep assuming
that the client is connected until the inactivity detection kicks in.
300 secs is a bit too long for such scenarios and creates a bad user
experience.

Signed-hostap: Eyal Shapira <eyal@wizery.com>
2012-08-10 16:28:38 +03:00
Jouni Malinen
5c4b93d72e Add support for using printf-escaped strings in configuration
P"<escaped string>" can now be used as an alternative method for
specifying non-ASCII strings (including control characters). For
example, ssid=P"abc\x00test".

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-07 13:50:39 +03:00
Jouni Malinen
0ebb23e340 EXT PW: Add support for password parameter from external storage
This allows the password parameter for EAP methods to be fetched
from an external storage.

Following example can be used for developer testing:

ext_password_backend=test:pw1=password|pw2=testing

network={
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user"
    password=ext:pw1
    ca_cert="ca.pem"
    phase2="auth=PAP"
}

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-03 22:15:42 +03:00
Jouni Malinen
9173b16fd1 EXT PW: Add support for psk parameter from external storage
This allows wpa_supplicant configuration file to be created without
the PSK/passphrase value included in the file when a backend for
external password storage is available.

Following example can be used for developer testing:

ext_password_backend=test:psk1=12345678
network={
    ssid="test-psk"
    key_mgmt=WPA-PSK
    psk=ext:psk1
}

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-03 22:15:42 +03:00
Jouni Malinen
306ae22556 EXT PW: Add framework for supporting external password storage
This new mechanism can be used to make wpa_supplicant using external
storage (e.g., key store in the operating system) for passwords,
passphrases, and PSKs. This commit is only adding the framework part
needed to support this, i.e., no actual configuration parameter can
yet use this new mechanism. In addition, only a simple test backend
is added to allow developer testing of the functionality.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-03 22:15:42 +03:00
Jouni Malinen
955567bc09 Interworking: Add support for using Roaming Consortium OI for matching
Each cred block can now be matched based on Roaming Consortium OI as an
alternative mechanism to using NAI Realm information. This may be
optimized for efficiency in the future since Roaming Consortium
information is available in scan results without having to go through
ANQP queries. In addition, this is easier to support in case there is a
large number of realms that can be used for authentication.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-02 18:48:31 +03:00
Jouni Malinen
8ca93c59e0 Interworking: Allow pre-configuration of EAP parameters
The new cred block parameters eap, phase1, and phase2 can be used to
select which EAP method is used with network selection instead of using
the value specified in ANQP information (e.g., NAI Realm).

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-02 18:40:45 +03:00
Jouni Malinen
51ca03f470 WPS: Document NFC use cases with password/config token
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-06-28 21:28:49 +03:00
Tomasz Bursztyka
e3659c89d2 Add a simple periodic autoscan module
This module will sets a fixed scanning interval. Thus, the parameter to
this module is following this format: <fixed interval>

Signed-hostap: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
2012-06-26 19:28:21 +03:00
Tomasz Bursztyka
c0fba2b38d Add autoscan module named exponential
This module will compute the interval on a base exponential. Thus,
params to this module are following this format: <base>:<limit>

Signed-hostap: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
2012-06-26 19:22:56 +03:00
Tomasz Bursztyka
b0786fba71 Add autoscan parameters support in config file
Signed-hostap: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
2012-06-26 18:09:57 +03:00
Etay Luz
fdfb1c8bcf wpa_supplicant: Support dtim_period configuration for AP mode
Signed-off-by: Etay Luz <eluz@qca.qualcomm.com>
2012-06-04 17:52:37 +03:00
Jay Katabathuni
66aadbd7bf HS 2.0: Add runtime configuration of Hotspot 2.0 station
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-05-08 23:29:45 +03:00
Jouni Malinen
4732ee3a87 Add more documentation for IEEE 802.11w/PMF configuration
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-05-05 16:48:23 +03:00
Anirban Sirkhell
71dd3b78f9 WPS: Allow vendor specific attribute to be added into M1
wps_vendor_ext_m1 configuration parameter can now be used to add a
vendor specific attribute into the WPS M1 message, e.g., for
Windows Vertical Pairing.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-04-04 00:08:57 +03:00
Vasanthakumar Thiagarajan
07f53b8cc7 wpa_supplicant: Add provision to configure inactivity period in AP mode
This patch adds a configuration in network block, ap_max_inactivity, for
station's inactivity period when in AP mode. The time period is
configured in seconds, by default 300 seconds.

Signed-hostap: Vasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
2012-03-27 20:49:44 +03:00
Jouni Malinen
d7b01abd5e Interworking: Support real SIM/USIM card for network selection
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-03-04 16:02:56 +02:00
Jouni Malinen
817bb3e1c1 Interworking: Fix credential block example
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-03-04 11:24:24 +02:00
Jouni Malinen
400020cbe8 Interworking: Update configuration file documentation for credentials
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-03-03 10:49:02 +02:00
Jouni Malinen
2a4b98a912 Interworking: Document network selection parameters 2011-10-16 23:55:34 +03:00
Jouni Malinen
46ee0427b1 IEEE 802.11u: Allow Interworking and HESSID to be configured
The new wpa_supplicant.conf file global parameters interworking and
hessid can be used to configure wpa_supplicant to include
Interworking element in Probe Request frames.
2011-10-16 23:55:34 +03:00
Pavel Roskin
ffbf1eaa26 Fix typos found by codespell
Signed-off-by: Pavel Roskin <proski@gnu.org>
2011-09-22 00:43:59 +03:00
Jouni Malinen
53587ec183 WPS 2.0: Make WSC 2.0 support to be build option (CONFIG_WPS2)
For now, the default build will only include WSC 1.0 support.
CONFIG_WPS2=y can be used to add support for WSC 2.0.
2010-09-09 06:07:48 -07:00
Jouni Malinen
6a857074f4 WPS 2.0: Add virtual/physical display and pushbutton config methods 2010-09-09 06:07:47 -07:00
Jouni Malinen
b766a9a293 Add freq_list network configuration parameter
This can be used to limit which frequencies are considered when
selecting a BSS. This is somewhat similar to scan_freq, but will
also affect any scan results regardless of which program triggered
the scan.
2010-03-26 22:45:50 -07:00
Jouni Malinen
3812464cda Add optional scan result filter based on SSID
filter_ssids=1 global configuration parameter can now be used to
enable scan result filtering (with -Dnl80211 only for now) based on
the configured SSIDs. In other words, only the scan results that have
an SSID matching with one of the configured networks are included in the
BSS table. This can be used to reduce memory needs in environments that
have huge number of APs.
2010-03-05 21:42:06 +02:00
Jouni Malinen
c9c38b0996 Make maximum BSS table size configurable
New global configuration parameter bss_max_count can now be used to
change the maximum BSS table size. The old fixed size limit (200) is
used as the default value for this parameter.
2010-03-05 20:20:09 +02:00
Jouni Malinen
00468b4650 Add TLS client events, server probing, and srv cert matching
This allows external programs (e.g., UI) to get more information
about server certificate chain used during TLS handshake. This can
be used both to automatically probe the authentication server to
figure out most likely network configuration and to get information
about reasons for failed authentications.

The follow new control interface events are used for this:
CTRL-EVENT-EAP-PEER-CERT
CTRL-EVENT-EAP-TLS-CERT-ERROR

In addition, there is now an option for matching the server certificate
instead of the full certificate chain for cases where a trusted CA is
not configured or even known. This can be used, e.g., by first probing
the network and learning the server certificate hash based on the new
events and then adding a network configuration with the server
certificate hash after user have accepted it. Future connections will
then be allowed as long as the same server certificate is used.

Authentication server probing can be done, e.g., with following
configuration options:
    eap=TTLS PEAP TLS
    identity=""
    ca_cert="probe://"

Example set of control events for this:
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=California/L=San Francisco/CN=Server/emailAddress=server@kir.nu' hash=5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a
CTRL-EVENT-EAP-TLS-CERT-ERROR reason=8 depth=0 subject='/C=US/ST=California/L=San Francisco/CN=Server/emailAddress=server@kir.nu' err='Server certificate chain probe'
CTRL-EVENT-EAP-FAILURE EAP authentication failed

Server certificate matching is configured with ca_cert, e.g.:
    ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"

This functionality is currently available only with OpenSSL. Other
TLS libraries (including internal implementation) may be added in
the future.
2010-02-13 11:14:23 +02:00
Jouni Malinen
c0e4dd9eeb WPS: Make Config Methods configurable for wpa_supplicant
This adds config_methods configuration option for wpa_supplicant
following the design used in hostapd. In addition, the string is
now parsed in common code from src/wps/wps_common.c and the list
of configurable methods include all the defined methods from
WPS 1.0h spec.
2009-12-21 15:59:25 +02:00
Jouni Malinen
b55aaa5fdf Allow IBSS/AP mode networks to be created in ap_scan=1 mode
If no BSSes/IBSSes matching the enabled networks are found in the scan
results, IBSS/AP mode network (if configured) can be created in
ap_scan=1 mode instead of requiring ap_scan=2 mode to be used whenever
using IBSS or AP mode.
2009-09-29 17:11:36 +03:00
Jouni Malinen
d3a9822542 Add support for specifying subset of enabled frequencies to scan
A new network block parameter, scan_freq, can be used to specify subset
of frequencies to scan. This can speed up scanning process considerably
if it is known that only a small subset of channels is actually used in
the network. A union of configured frequencies for all enabled network
blocks is used in scan requests.

Currently, only driver_nl80211.c has support for this functionality.

For example, following parameter marks 2.4 GHz channels 1, 6, 11 to be
scanned: scan_freq=2412 2437 2462
2009-03-26 21:55:01 +02:00
Jouni Malinen
1581b38b67 Initial step in adding simple AP mode support into wpa_supplicant
This version is adding the configuration option (mode=2) for this and
driver capability reporting to figure out whether AP mode can be used.
However, this does not actually implement any real functionality yet.
2009-03-25 11:38:47 +02:00
Jouni Malinen
f6190d376d Removed an obsolete comment about use of external program for EAP 2009-02-11 22:35:27 +02:00
Jouni Malinen
476621644c WPS: Add configurable option for processing credentials externally
The wps_cred_process option can be used to configure wpa_supplicant to
send received Credential attributes for external processing over
ctrl_iface and dbus. This allows external programs to update their
configuration when WPS is used to provision new networks.
2009-01-18 12:27:12 +02:00
Jouni Malinen
79da74a20c WPS: Generate UUID based on MAC address, if not set
Generate a SHA1 hash -based UUID from the local MAC address if the UUID
was not configured. This makes it easier to prepare for WPS since there
is no need to generate an UUID.
2009-01-01 22:56:52 +02:00
Jouni Malinen
e83a089818 Changed the example device_type value to be Computer/PC 2008-12-22 19:43:44 +02:00
Jouni Malinen
3c0b7aa4fe Added configuration of WPS device parameters for wpa_supplicant 2008-12-13 17:20:46 +02:00
Jouni Malinen
814e925dc4 Added documentation for the new 'country' configuration option 2008-12-09 22:13:35 +02:00
Jouni Malinen
f855f923a7 WPS: Moved UUID configuration from phase1 into global config area 2008-11-26 20:47:24 +02:00
Jouni Malinen
ad08c3633c Added preliminary Wi-Fi Protected Setup (WPS) implementation
This adds WPS support for both hostapd and wpa_supplicant. Both programs
can be configured to act as WPS Enrollee and Registrar. Both PBC and PIN
methods are supported.

Currently, hostapd has more complete configuration option for WPS
parameters and wpa_supplicant configuration style will likely change in
the future. External Registrars are not yet supported in hostapd or
wpa_supplicant. While wpa_supplicant has initial support for acting as
an Registrar to configure an AP, this is still using number of hardcoded
parameters which will need to be made configurable for proper operation.
2008-11-23 19:34:26 +02:00
Jouni Malinen
c31a11c962 Changed PEAPv0 cryptobinding to be disabled by default
There are some interoperability issues with Windows Server 2008 NPS, so
better disable cryptobinding use by default for now.
2008-11-20 12:49:34 +02:00
Jouni Malinen
581a8cde77 Added support for enforcing frequent PTK rekeying
Added a new configuration option, wpa_ptk_rekey, that can be used to
enforce frequent PTK rekeying, e.g., to mitigate some attacks against TKIP
deficiencies. This can be set either by the Authenticator (to initiate
periodic 4-way handshake to rekey PTK) or by the Supplicant (to request
Authenticator to rekey PTK).

With both wpa_ptk_rekey and wpa_group_rekey (in hostapd) set to 600, TKIP
keys will not be used for more than 10 minutes which may make some attacks
against TKIP more difficult to implement.
2008-11-06 19:57:21 +02:00
Jouni Malinen
2e8c9a27f5 Fixed a typo 2008-10-02 12:40:24 +03:00
Jouni Malinen
565861976d Added support for using SHA256-based stronger key derivation for WPA2
IEEE 802.11w/D6.0 defines new AKMPs to indicate SHA256-based algorithms for
key derivation (and AES-CMAC for EAPOL-Key MIC). Add support for using new
AKMPs and clean up AKMP processing with helper functions in defs.h.
2008-08-31 22:57:28 +03:00
Jouni Malinen
d6888f9e37 PEAPv0: Added crypto_binding configuration option (part of phase1)
crypto_binding=# in phase1 network parameter can now be used to change the
PEAPv0 cryptobinding behavior (0 = do not use, 1 = optional (default),
2 = required).
2008-04-08 14:57:39 +03:00
Jouni Malinen
9474b3a4e4 Added a missing '#' to indicate a comment. 2008-03-05 16:06:43 +02:00
Jouni Malinen
6fc6879bd5 Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-27 17:34:43 -08:00