path: root/wpa_supplicant/config_file.c
Commit message | Author | Age | Files | Lines

* mka: Allow configuration of MACsec replay protection | Andrey Kartashev | 2018-12-26 | 1 | -0/+2
  Add new configuration parameters macsec_replay_protect and macsec_replay_window to allow user to set up MACsec replay protection feature. Note that according to IEEE Std 802.1X-2010 replay protection and delay protection are different features: replay protection is related only to SecY and does not appear on MKA level while delay protection is something that KaY can use to manage SecY state.
  Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>

* wpa_supplicant: Allow overriding HT STBC capabilities | Sergey Matyukevich | 2018-12-23 | 1 | -0/+2
  Allow user to override STBC configuration for Rx and Tx spatial streams. Add new configuration options to test for HT capability overrides.
  Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>

* OCV: Add wpa_supplicant config parameter | Mathy Vanhoef | 2018-12-16 | 1 | -0/+9
  Add wpa_supplicant network profile parameter ocv to disable or enable Operating Channel Verification (OCV) support.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>

* WNM: Collocated Interference Reporting | Jouni Malinen | 2018-10-30 | 1 | -1/+3
  Add support for negotiating WNM Collocated Interference Reporting. This allows hostapd to request associated STAs to report their collocated interference information and wpa_supplicant to process such request and reporting. The actual values (Collocated Interference Report Elements) are out of scope of hostapd and wpa_supplicant, i.e., external components are expected to generate and process these.

  For hostapd/AP, this mechanism is enabled by setting coloc_intf_reporting=1 in configuration. STAs are requested to perform reporting with "COLOC_INTF_REQ <addr> <Automatic Report Enabled> <Report Timeout>" control interface command. The received reports are indicated as control interface events "COLOC-INTF-REPORT <addr> <dialog token> <hexdump of report elements>".

  For wpa_supplicant/STA, this mechanism is enabled by setting coloc_intf_reporting=1 in configuration and setting Collocated Interference Report Elements as a hexdump with "SET coloc_intf_elems <hexdump>" control interface command. The hexdump can contain one or more Collocated Interference Report Elements (each including the information element header). For additional testing purposes, received requests are reported with "COLOC-INTF-REQ <dialog token> <automatic report enabled> <report timeout>" control interface events and unsolicited reports can be sent with "COLOC_INTF_REPORT <hexdump>".

  This commit adds support for reporting changes in the collocated interference (Automatic Report Enabled == 1 and partial 3), but not for periodic reports (2 and other part of 3).
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* SAE: Add support for using the optional Password Identifier | Jouni Malinen | 2018-05-19 | 1 | -0/+1
  This extends the SAE implementation in both infrastructure and mesh BSS cases to allow an optional Password Identifier to be used. This uses the mechanism added in P802.11REVmd/D1.0. The Password Identifier is configured in a wpa_supplicant network profile as a new string parameter sae_password_id. In hostapd configuration, the existing sae_password parameter has been extended to allow the password identifier (and also a peer MAC address) to be set. In addition, multiple sae_password entries can now be provided to hostapd to allow multiple per-peer and per-identifier passwords to be set.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Do not remove CCMP group cipher if any CCMP/GCMP cipher is enabled | Jouni Malinen | 2018-04-23 | 1 | -2/+3
  CCMP group cipher was removed if CCMP was not allowed as a pairwise cipher when loading a configuration file (but not actually when changing configuration during runtime). This is needed to avoid issues with configurations that use the default group cipher (TKIP CCMP) while modifying pairwise cipher from the default (CCMP TKIP) to TKIP. However, there is not really a need to remove the CCMP group cipher if any GCMP or CCMP cipher is enabled as a pairwise cipher. Change the network profile validation routine to not remove CCMP as group cipher if CCMP-256, GCMP, or GCMP-256 is enabled as a pairwise cipher even if CCMP is not.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* HS 2.0: Add Roaming Consortium Selection network profile parameter | Jouni Malinen | 2018-04-17 | 1 | -0/+1
  This adds new roaming_consortium_selection network profile parameter into wpa_supplicant. This is used to store the OI that was used for network selection (INTERWORKING_SELECT) based on matching against the Roaming Consortium OIs advertised by the AP. This can also be used when using an external component to perform selection. This commit adds the network profile parameter, but does not yet include it in (Re)Association Request frames.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* HS 2.0: Add a new cred block parameter roaming_consortiums | Jouni Malinen | 2018-04-17 | 1 | -0/+14
  This new string parameter contains a comma delimited list of OIs (hexdump) in a string. This is used to store Hotspot 2.0 PerProviderSubscription/<X+>/HomeSP/RoamingConsortiumOI. This commit includes the configuration changes to parse and write the parameter. The actual values are not yet used in Interworking network selection.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* Add ap_isolate configuration option for wpa_supplicant AP mode | Danilo Ravotto | 2018-02-17 | 1 | -0/+2
  Allow client isolation to be configured with ap_isolate inside wpa_supplicant configuration file.
  Signed-off-by: Danilo Ravotto <danilo.ravotto@zirak.it>

* wpa_supplicant: Fix parsing errors on additional config file | Jouni Malinen | 2018-02-04 | 1 | -1/+2
  If the -I<config> argument is used and the referenced configuration file cannot be parsed, wpa_config_read() ended up freeing the main configuration data structure and that resulted in use of freed memory in such an error case. Fix this by not freeing the main config data and handling the error case in the caller.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* wpa_supplicant: Free config only if it was allocated in same call | Dmitry Shmidt | 2018-02-04 | 1 | -1/+2
  If option -I:config points to a non-existing file, the previously allocated config must not be freed. Avoid use of freed memory in such an error case by skipping the incorrect freeing operation.
  Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
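The two -I<config> fixes above describe one ownership bug: a read routine that frees its caller's configuration on an error path, leaving the caller with a dangling pointer. The following is an added example written for this page, not wpa_supplicant code: a minimal C model of that pattern with the pre-fix and post-fix shapes side by side, plus a caller that reads a main file and then an additional one. The struct config, the line-based toy parser, and the input lines are constructed stand-ins; the real parser and wpa_config_read() are not reproduced.

```c
/*
 * Added example (not wpa_supplicant code): "free only what this call allocated".
 * Models the -c <main> then -I <additional> flow with a toy parser.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct config {
	int num_networks;	/* number of "network" lines parsed so far */
};

/* Constructed stand-in for the real parser: a line is "network" or garbage. */
static int parse_config(struct config *cfg, const char *const *lines, size_t n)
{
	for (size_t i = 0; i < n; i++) {
		if (strcmp(lines[i], "network") != 0)
			return -1;	/* parse error */
		cfg->num_networks++;
	}
	return 0;
}

/*
 * Pre-fix shape. `cfgp` is NULL (allocate a fresh config) or the caller's
 * already-populated main config (the -I case). On a parse error the function
 * frees `config` unconditionally, so when `cfgp` was supplied the CALLER is
 * left holding freed memory. Kept only to show the pattern: never call it
 * with cfgp != NULL on input that can fail to parse.
 */
struct config *config_read_pre_fix(const char *const *lines, size_t n,
				   struct config *cfgp)
{
	struct config *config = cfgp ? cfgp : calloc(1, sizeof(*config));
	if (!config)
		return NULL;
	if (parse_config(config, lines, n) < 0) {
		free(config);	/* BUG: may free memory this call did not allocate */
		return NULL;
	}
	return config;
}

/*
 * Post-fix shape: release only what this call allocated. On error with a
 * caller-supplied config, the caller's object is untouched and still valid.
 */
struct config *config_read(const char *const *lines, size_t n,
			   struct config *cfgp)
{
	struct config *config = cfgp ? cfgp : calloc(1, sizeof(*config));
	if (!config)
		return NULL;
	if (parse_config(config, lines, n) < 0) {
		if (!cfgp)
			free(config);	/* ours: safe to release */
		return NULL;		/* caller keeps ownership of cfgp */
	}
	return config;
}

/*
 * Caller: owns `conf` and is the only place that frees it. Returns the
 * total network count on success, the main file's count if only the
 * additional file fails (proving conf survived), or -1 if the main file fails.
 */
int load_main_then_additional(const char *const *main_lines, size_t main_n,
			      const char *const *add_lines, size_t add_n)
{
	struct config *conf = config_read(main_lines, main_n, NULL);
	int result;

	if (!conf)
		return -1;
	/* With the fixed reader, conf is still valid here even on failure. */
	config_read(add_lines, add_n, conf);
	result = conf->num_networks;
	free(conf);	/* exactly one free, by the owner */
	return result;
}

/* Constructed inputs. */
static const char *const MAIN_OK[] = { "network", "network" };
static const char *const ADD_OK[] = { "network" };
static const char *const ADD_BAD[] = { "garbage" };

int demo_success(void)
{
	return load_main_then_additional(MAIN_OK, 2, ADD_OK, 1);	/* 3 */
}

int demo_additional_fails(void)
{
	return load_main_then_additional(MAIN_OK, 2, ADD_BAD, 1);	/* 2 */
}

int main(void)
{
	printf("main + additional: %d networks\n", demo_success());
	printf("main + bad additional: %d networks kept\n",
	       demo_additional_fails());
	return 0;
}
```

The rule the fix applies is general: a function that may be handed an object it did not create must never free it, whatever the error path; ownership stays with whoever allocated. Running the pre-fix shape on a bad additional file under ASan or valgrind is the quickest way to see the use-after-free the commit messages describe.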
* EAP-SIM/AKA: Separate identity for MK derivation | Jouni Malinen | 2018-01-21 | 1 | -0/+1
  This allows a separate configuration parameter (imsi_identity) to be used in EAP-SIM/AKA/AKA' profiles to override the identity used in MK derivation for the case where the identity is expected to be from the last AT_IDENTITY attribute (or EAP-Response/Identity if AT_IDENTITY was not used). This may be needed to avoid sending out an unprotected permanent identity information over-the-air and if the EAP-SIM/AKA server ends up using a value based on the real IMSI during the internal key derivation operation (that does not expose the data to others).
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* OWE: Allow station in transition mode to connect to an open BSS | Jouni Malinen | 2018-01-21 | 1 | -0/+1
  If the OWE network profile matches an open network which does not advertise OWE BSS, allow open connection. The new owe_only=1 network profile parameter can be used to disable this transition mode and enforce connection only with OWE networks.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* Remove all PeerKey functionality | Jouni Malinen | 2017-10-15 | 1 | -1/+0
  This was originally added to allow the IEEE 802.11 protocol to be tested, but there are no known fully functional implementations based on this nor any known deployments of PeerKey functionality. Furthermore, PeerKey design in the IEEE Std 802.11-2016 standard has already been marked as obsolete for DLS and it is being considered for complete removal in REVmd.

  This implementation did not really work, so it could not have been used in practice. For example, key configuration was using incorrect algorithm values (WPA_CIPHER_* instead of WPA_ALG_*) which resulted in mapping to an invalid WPA_ALG_* value for the actual driver operation. As such, the derived key could not have been successfully set for the link.

  Since there are bugs in this implementation and there does not seem to be any future for the PeerKey design with DLS (TDLS being the future for DLS), the best approach is to simply delete all this code to simplify the EAPOL-Key handling design and to get rid of any potential issues if these code paths were accidentally reachable.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* SAE: Allow SAE password to be configured separately (STA) | Jouni Malinen | 2017-10-11 | 1 | -0/+1
  The new sae_password network profile parameter can now be used to set the SAE password instead of the previously used psk parameter. This allows shorter than 8 characters and longer than 63 characters long passwords to be used.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* DPP: Remove C-sign-key expiry | Jouni Malinen | 2017-10-09 | 1 | -1/+0
  This was removed in DPP tech spec v0.2.3.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station | Jouni Malinen | 2017-10-08 | 1 | -0/+1
  This extends OWE support in wpa_supplicant to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256). The group is configured using the new network profile parameter owe_group.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* P2P: Allow GO to advertise Interworking element | Sunil Dutt | 2017-10-05 | 1 | -0/+11
  This adds new wpa_supplicant configuration parameters (go_interworking, go_access_network_type, go_internet, go_venue_group, go_venue_type) to add a possibility of configuring the P2P GO to advertise Interworking element.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add group_mgmt network parameter for PMF cipher selection | Jouni Malinen | 2017-09-26 | 1 | -0/+17
  The new wpa_supplicant network parameter group_mgmt can be used to specify which group management ciphers (AES-128-CMAC, BIP-GMAC-128, BIP-GMAC-256, BIP-CMAC-256) are allowed for the network. If not specified, the current behavior is maintained (i.e., follow what the AP advertises). The parameter can list multiple space separate ciphers.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* mesh: Move writing of mesh_rssi_threshold inside CONFIG_MESH | Lior David | 2017-09-12 | 1 | -1/+1
  Previously, the code that writes mesh_rssi_threshold to a network block always executes, but the code that reads it from network block and the code that initializes it to a default value in a new network block are inside #ifdef CONFIG_MESH. As a result when writing a config file it will write mesh_rssi_threshold (since it has a non-default value) and later fail to read the network block. Fix this by moving the write code under #ifdef CONFIG_MESH as well. Note, network blocks which already have mesh_rssi_threshold because of the bug will still fail to read after the fix.
  Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>

* STA: Add OCE capability indication attribute | Ashwini Patil | 2017-07-14 | 1 | -0/+2
  Add OCE capability indication attribute in Probe Request and (Re)Association Request frames.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* DPP: Fix configuration item list | Jouni Malinen | 2017-07-02 | 1 | -5/+5
  This was supposed to use semicolons, not commas.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* DPP: Automatic network profile creation | Jouni Malinen | 2017-06-21 | 1 | -0/+3
  wpa_supplicant can now be configured to generate a network profile automatically based on DPP configuration. The following dpp_config_processing values can be used to specify the behavior:
  0 = report received configuration to an external program for processing; do not generate any network profile internally (default)
  1 = report received configuration to an external program and generate a network profile internally, but do not automatically connect to the created (disabled) profile; the network profile id is reported to external programs
  2 = report received configuration to an external program, generate a network profile internally, try to connect to the created profile automatically
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* Make wpa_config_read_blob() easier for static analyzers | Jouni Malinen | 2017-06-19 | 1 | -1/+1
  While encoded == NULL could happen in the case of an empty blob, that will result in encoded_len == 0 and base64_decode() not dereferencing the src argument. That seems to be too difficult for some static analyzers, so to avoid false warnings, explicitly reject the encoded == NULL case without even trying to base64 decode it. (CID 164709)
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* DPP: Network profile parameters for DPP AKM | Jouni Malinen | 2017-06-19 | 1 | -0/+7
  Extend wpa_supplicant network profile to include parameters needed for the DPP AKM: dpp_connector, dpp_netaccesskey, dpp_netaccesskey_expiry, dpp_csign, dpp_csign_expiry.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Provide option to configure BSSID hint for a network | Purushottam Kushwaha | 2017-05-11 | 1 | -0/+12
  This exposes user configurable option to set bssid_hint for a network. bssid_hint indicates which BSS has been found a suitable candidate for initial association for drivers that use driver/firmware-based BSS selection. Unlike the bssid parameter, bssid_hint does not limit the driver from selecting other BSSs in the ESS.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* mesh: Make NL80211_MESHCONF_RSSI_THRESHOLD configurable | Masashi Honma | 2017-05-08 | 1 | -0/+1
  In some practical cases, it is useful to suppress joining to node in the distance. The new field mesh_rssi_threshold could be used as RSSI threshold for joining.
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>

* WPS: Add option for using random UUID | Jouni Malinen | 2017-04-13 | 1 | -0/+2
  If the uuid configuration parameter is not set, wpa_supplicant generates a UUID automatically to allow WPS operations to proceed. This was previously always using a UUID generated from the MAC address. This commit adds an option to use a random UUID instead. The type of the automatically generated UUID is set with the auto_uuid parameter: 0 = based on MAC address (default; old behavior), 1 = random UUID.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* FILS: Add FILS SK auth PFS support in STA mode | Jouni Malinen | 2017-03-12 | 1 | -0/+1
  This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* wpa_supplicant: Allow disabling HT in AP mode without HT overrides | Johannes Berg | 2017-03-11 | 1 | -0/+1
  Since VHT can be toggled explicitly, also expose being able to disable HT explicitly, without requiring HT overrides. Continue making it default to enabled though.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>

* wpa_supplicant: Allow explicit wide channel configuration for AP mode | Johannes Berg | 2017-03-11 | 1 | -0/+4
  Instead of deducing the wide (HT, VHT) channel configuration only automatically in P2P mode, allow it to be configured in the network in non-P2P mode. Also allow all of these parameters to be configured through the control interface or the configuration file.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* nl80211: Add option to delay start of schedule scan plans | Purushottam Kushwaha | 2017-03-09 | 1 | -0/+4
  The userspace may want to delay the first scheduled scan. This enhances sched_scan to add initial delay (in seconds) before starting first scan cycle. The driver may optionally choose to ignore this parameter and start immediately (or at any other time). This uses NL80211_ATTR_SCHED_SCAN_DELAY to add this via user global configurable option: sched_scan_start_delay.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* MBO: Add support for transition reject reason code | Kanchanapally, Vidyullatha | 2017-03-06 | 1 | -0/+4
  Add support for rejecting a BSS transition request using MBO reject reason codes. A candidate is selected or rejected based on whether it is found acceptable by both wpa_supplicant and the driver. Also accept any candidate meeting a certain threshold if disassoc imminent is set in BTM Request frame.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* GAS: Add support to randomize transmitter address | Vamsi Krishna | 2017-02-07 | 1 | -0/+7
  Add support to send GAS requests with a randomized transmitter address if supported by the driver. The following control interface commands (and matching configuration file parameters) can be used to configure different types of randomization: "SET gas_rand_mac_addr 0" to disable randomizing TX MAC address, "SET gas_rand_mac_addr 1" to randomize the complete TX MAC address, "SET gas_rand_mac_addr 2" to randomize the TX MAC address except for OUI. A new random MAC address will be generated for every gas_rand_addr_lifetime seconds and this can be configured with "SET gas_rand_addr_lifetime <timeout>".
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
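As an added example (not wpa_supplicant code, written for this page): the three gas_rand_mac_addr modes and the gas_rand_addr_lifetime refresh from the commit above, in C. The bit handling for mode 1 (clear the I/G bit so the address is unicast, set the U/L bit so it is locally administered) is standard practice for randomized MACs and is an assumption about, not a quote of, the project's implementation. The random bytes are passed in by the caller so the result is deterministic here; in real code they come from a CSPRNG such as getrandom(2). The addresses and timestamps are constructed test vectors. One privacy caveat the example makes visible: mode 2 keeps the first three bytes, so the device vendor's OUI still identifies the hardware to anyone listening.

```c
/*
 * Added example (not wpa_supplicant code): GAS transmitter-address
 * randomization modes with a lifetime-based refresh.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6

enum gas_rand_mode {
	GAS_RAND_OFF = 0,	/* gas_rand_mac_addr=0: use the interface's own address */
	GAS_RAND_FULL = 1,	/* gas_rand_mac_addr=1: randomize all six bytes */
	GAS_RAND_KEEP_OUI = 2,	/* gas_rand_mac_addr=2: keep the OUI, randomize the rest */
};

struct gas_rand_state {
	enum gas_rand_mode mode;
	unsigned long lifetime;		/* gas_rand_addr_lifetime, seconds */
	unsigned long generated_at;	/* time of last generation; 0 = none yet */
	uint8_t addr[ETH_ALEN];		/* cached randomized address */
};

/*
 * Derive a transmitter address. `rnd` holds ETH_ALEN bytes from a CSPRNG;
 * passing them in keeps this function deterministic for testing.
 * Returns 0 on success, -1 for an unknown mode.
 */
int gas_derive_addr(enum gas_rand_mode mode, const uint8_t own[ETH_ALEN],
		    const uint8_t rnd[ETH_ALEN], uint8_t out[ETH_ALEN])
{
	switch (mode) {
	case GAS_RAND_OFF:
		memcpy(out, own, ETH_ALEN);
		return 0;
	case GAS_RAND_FULL:
		memcpy(out, rnd, ETH_ALEN);
		out[0] &= 0xfe;	/* clear I/G bit: a source address must be unicast */
		out[0] |= 0x02;	/* set U/L bit: locally administered, not an IEEE OUI */
		return 0;
	case GAS_RAND_KEEP_OUI:
		memcpy(out, own, 3);		/* vendor OUI stays visible */
		memcpy(out + 3, rnd + 3, 3);	/* only the NIC-specific part changes */
		return 0;
	}
	return -1;
}

/*
 * Address to use for a GAS request at time `now`. Regenerates when no address
 * exists yet or the configured lifetime has elapsed (lifetime 0 = every
 * request). Returns 1 if a fresh address was generated, 0 if the cached one
 * was reused, -1 on error.
 */
int gas_rand_get_addr(struct gas_rand_state *st, unsigned long now,
		      const uint8_t own[ETH_ALEN], const uint8_t rnd[ETH_ALEN],
		      uint8_t out[ETH_ALEN])
{
	if (st->mode == GAS_RAND_OFF) {
		memcpy(out, own, ETH_ALEN);
		return 0;
	}
	if (st->generated_at == 0 || now - st->generated_at >= st->lifetime) {
		if (gas_derive_addr(st->mode, own, rnd, st->addr) < 0)
			return -1;
		st->generated_at = now;
		memcpy(out, st->addr, ETH_ALEN);
		return 1;
	}
	memcpy(out, st->addr, ETH_ALEN);
	return 0;
}

/* Constructed test vectors (not real devices). */
static const uint8_t OWN_ADDR[ETH_ALEN] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
static const uint8_t RND_BYTES[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xaa, 0xbb, 0xcc };

/* Address derived from the vectors above for `mode`; static buffer. */
const uint8_t *demo_addr(enum gas_rand_mode mode)
{
	static uint8_t out[ETH_ALEN];
	if (gas_derive_addr(mode, OWN_ADDR, RND_BYTES, out) < 0)
		memset(out, 0, ETH_ALEN);
	return out;
}

/* Requests at t=100, 150, 160 with a 60 s lifetime: regenerated at 100 and 160. */
int demo_lifetime_regenerations(void)
{
	struct gas_rand_state st = { .mode = GAS_RAND_FULL, .lifetime = 60 };
	static const unsigned long times[] = { 100, 150, 160 };
	uint8_t out[ETH_ALEN];
	int regenerated = 0;

	for (size_t i = 0; i < sizeof(times) / sizeof(times[0]); i++) {
		int r = gas_rand_get_addr(&st, times[i], OWN_ADDR, RND_BYTES, out);
		if (r < 0)
			return -1;
		regenerated += r;
	}
	return regenerated;
}

int main(void)
{
	const uint8_t *a;
	for (int m = GAS_RAND_OFF; m <= GAS_RAND_KEEP_OUI; m++) {
		a = demo_addr((enum gas_rand_mode) m);
		printf("mode %d: %02x:%02x:%02x:%02x:%02x:%02x\n", m,
		       a[0], a[1], a[2], a[3], a[4], a[5]);
	}
	printf("regenerations over 3 requests: %d\n",
	       demo_lifetime_regenerations());
	return 0;
}
```

With the constructed vectors, mode 1 yields fe:ff:ff:aa:bb:cc (0xff forced to 0xfe by the unicast/local bits) and mode 2 yields 00:11:22:aa:bb:cc. A lifetime that is long relative to the scan interval lets an observer correlate all GAS/ANQP queries in that window back to one device, so the lifetime is a tracking-window knob, not just a performance one.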
* Store FST parameters to configuration file | Jouni Malinen | 2017-01-07 | 1 | -0/+7
  This was forgotten when the parameters were added.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* Store osu_dir to configuration file | Jouni Malinen | 2017-01-07 | 1 | -0/+3
  This was forgotten when the parameter was added.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* Store autoscan to configuration file | Jouni Malinen | 2017-01-07 | 1 | -0/+3
  This was forgotten when the parameter was added.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* Store filter_rssi to configuration file | Jouni Malinen | 2017-01-07 | 1 | -0/+2
  This was forgotten when the parameter was added.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* Write sec_device_type to configuration file | Jouni Malinen | 2017-01-07 | 1 | -0/+11
  This is more consistent with other global configuration parameters.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* Fix writing of wpa_supplicant sae_groups configuration parameter | Jouni Malinen | 2017-01-07 | 1 | -1/+1
  This integer array is zero terminated, so need to check the value is greater than 0 when writing the parameter.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* mka: Make MKA actor priority configurable | Badrish Adiga H R | 2016-12-25 | 1 | -0/+2
  This adds a new wpa_supplicant network profile parameter mka_priority=0..255 to set the priority of the MKA Actor.
  Signed-off-by: Badrish Adiga H R <badrish.adigahr@gmail.com>
* P2P: Set p2p_persistent_group=1 at the time of reading disabled=2 | Avichal Agarwal | 2016-12-12 | 1 | -0/+3
  Configuration file network block with disabled=2 is used for storing information about a persistent group, so p2p_persistent_group should be updated according to this when creating a struct wpa_ssid instance. This will end up using D-Bus persistent network object path for the network.
  Signed-off-by: Avichal Agarwal <avichal.a@samsung.com>
  Signed-off-by: Kyeong-Chae Lim <kcya.lim@samsung.com>

* wpa_supplicant: Allow configuring the MACsec port for MKA | Sabrina Dubroca | 2016-11-19 | 1 | -0/+1
  Previously, wpa_supplicant only supported hardcoded port == 1 in the SCI, but users may want to choose a different port.
  Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>

* wpa_supplicant: Add macsec_integ_only setting for MKA | Sabrina Dubroca | 2016-11-19 | 1 | -0/+1
  So that the user can turn encryption on (MACsec provides confidentiality+integrity) or off (MACsec provides integrity only). This commit adds the configuration parameter while the actual behavior change to disable encryption in the driver is handled in the following commit.
  Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>

* wpa_supplicant: Allow pre-shared (CAK,CKN) pair for MKA | Sabrina Dubroca | 2016-11-19 | 1 | -0/+36
  This enables configuring key_mgmt=NONE + mka_ckn + mka_cak. This allows wpa_supplicant to work in a peer-to-peer mode, where peers are authenticated by the pre-shared (CAK,CKN) pair. In this mode, peers can act as key server to distribute keys for the MACsec instances. This is what some MACsec switches support, and even without HW support, it's a convenient way to setup a network.
  Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>

* wpa_supplicant: Allow FTM functionality to be published | Lior David | 2016-09-05 | 1 | -0/+5
  Add configuration options that control publishing of fine timing measurement (FTM) responder and initiator functionality via bits 70, 71 of Extended Capabilities element. Typically, FTM functionality is controlled by a location framework outside wpa_supplicant. When framework is activated, it will use wpa_supplicant to configure the STA/AP to publish the FTM functionality. See IEEE P802.11-REVmc/D7.0, 9.4.2.27.
  Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>

* Add group_rekey parameter for IBSS | Jouni Malinen | 2016-08-13 | 1 | -0/+1
  The new network profile parameter group_rekey can now be used to specify the group rekeying interval in seconds for IBSS.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* wpa_supplicant: Make GAS Address3 field selection behavior configurable | Jouni Malinen | 2016-06-10 | 1 | -0/+2
  IEEE Std 802.11-2012, 10.19 (Public Action frame addressing) specifies that the wildcard BSSID value is used in Public Action frames that are transmitted to a STA that is not a member of the same BSS. wpa_supplicant used to use the actual BSSID value for all such frames regardless of whether the destination STA is a member of the BSS. P2P does not follow this rule, so P2P Public Action frame construction must not be changed. However, the cases using GAS/ANQP for non-P2P purposes should follow the standard requirements.

  Unfortunately, there are deployed AP implementations that do not reply to a GAS request sent using the wildcard BSSID value. The previously used behavior (Address3 = AP BSSID even when not associated) continues to be the default, but the IEEE 802.11 standard compliant addressing behavior can now be configured with gas_address3=1.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* wpa_supplicant: Add wps_disabled parameter to network block | Lior David | 2016-05-14 | 1 | -0/+1
  Add a new parameter wps_disabled to network block (wpa_ssid). This parameter allows WPS functionality to be disabled in AP mode.
  Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>

* MBO: Add cellular capability to MBO IE | David Spinadel | 2016-02-22 | 1 | -0/+2
  Add cellular capability attribute to MBO IE and add MBO IE with cellular capabilities to Probe Request frames. By default, cellular capability value is set to Not Cellular capable (3).
  Signed-off-by: David Spinadel <david.spinadel@intel.com>