path: root/wpa_supplicant
diff options
authorJouni Malinen <j@w1.fi>2012-06-28 18:28:49 (GMT)
committerJouni Malinen <j@w1.fi>2012-06-28 18:28:49 (GMT)
commit51ca03f470c72f618c75eb06147da5e52a1319a9 (patch)
treeb6f8c60058e446851ffc899d4b7bbc36514a0d7b /wpa_supplicant
parentbfc62fe1331da4eca6dec70133c5d4cd1d6bc958 (diff)
WPS: Document NFC use cases with password/config token
Signed-hostap: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'wpa_supplicant')
3 files changed, 56 insertions, 0 deletions
diff --git a/wpa_supplicant/README-WPS b/wpa_supplicant/README-WPS
index bf75cb4..692d5f5 100644
--- a/wpa_supplicant/README-WPS
+++ b/wpa_supplicant/README-WPS
@@ -67,6 +67,10 @@ will also need to add following line:
+Following parameter can be used to enable support for NFC config method:
WPS needs the Universally Unique IDentifier (UUID; see RFC 4122) for
the device. This is configured in the runtime configuration for
@@ -303,3 +307,41 @@ WPS-ER-AP-SETTINGS
- WPS ER learned AP settings
WPS-ER-AP-SETTINGS uuid=fd91b4ec-e3fa-5891-a57d-8c59efeed1d2 ssid=test-wps auth_type=0x0020 encr_type=0x0008 key=12345678
+WPS with NFC
+WPS can be used with NFC-based configuration method. An NFC tag
+containing a password token from the Enrollee can be used to
+authenticate the connection instead of the PIN. In addition, an NFC tag
+with a configuration token can be used to transfer AP settings without
+going through the WPS protocol.
+When the station acts as an Enrollee, a local NFC tag with a password
+token can be used by touching the NFC interface of a Registrar.
+"wps_nfc [BSSID]" command starts WPS protocol run with the local end as
+the Enrollee using the NFC password token that is either pre-configured
+in the configuration file (wps_nfc_dev_pw_id, wps_nfc_dh_pubkey,
+wps_nfc_dh_privkey, wps_nfc_dev_pw) or generated dynamically with
+"wps_nfc_token <WPS|NDEF>" command. The included nfc_pw_token tool
+(build with "make nfc_pw_token") can be used to generate NFC password
+tokens during manufacturing (each station needs to have its own random
+If the station includes NFC interface and reads an NFC tag with a MIME
+media type "application/vnd.wfa.wsc", the NDEF message payload (with or
+without NDEF encapsulation) can be delivered to wpa_supplicant using the
+following wpa_cli command:
+wps_nfc_tag_read <hexdump of payload>
+If the NFC tag contains a configuration token, the network is added to
+wpa_supplicant configuration. If the NFC tag contains a password token,
+the token is added to the WPS Registrar component. This information can
+then be used with wps_reg command (when the NFC password token was from
+an AP) using a special value "nfc-pw" in place of the PIN parameter. If
+the ER functionality has been started (wps_er_start), the NFC password
+token is used to enable enrollment of a new station (that was the source
+of the NFC password token).
diff --git a/wpa_supplicant/defconfig b/wpa_supplicant/defconfig
index 392d8a8..849f244 100644
--- a/wpa_supplicant/defconfig
+++ b/wpa_supplicant/defconfig
@@ -204,6 +204,8 @@ CONFIG_EAP_LEAP=y
# Disable credentials for an open network by default when acting as a WPS
# registrar.
+# Enable WPS support with NFC config method
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index ccde844..b3cacab 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -218,6 +218,18 @@ fast_reauth=1
# The vendor attribute contents to be added in M1 (hex string)
+# NFC password token for WPS
+# These parameters can be used to configure a fixed NFC password token for the
+# station. This can be generated, e.g., with nfc_pw_token. When these
+# parameters are used, the station is assumed to be deployed with a NFC tag
+# that includes the matching NFC password token (e.g., written based on the
+# NDEF record from nfc_pw_token).
+#wps_nfc_dev_pw_id: Device Password ID (16..65535)
+#wps_nfc_dh_pubkey: Hexdump of DH Public Key
+#wps_nfc_dh_privkey: Hexdump of DH Private Key
+#wps_nfc_dev_pw: Hexdump of Device Password
# Maximum number of BSS entries to keep in memory
# Default: 200
# This can be used to limit memory use on the BSS entries (cached scan