path: root/wpa_supplicant/config_file.c
Commit message | Author | Age | Files | Lines
* Remove all PeerKey functionality | Jouni Malinen | 2017-10-15 | 1 | -1/+0
  This was originally added to allow the IEEE 802.11 protocol to be tested, but there are no known fully functional implementations based on this nor any known deployments of PeerKey functionality. Furthermore, PeerKey design in the IEEE Std 802.11-2016 standard has already been marked as obsolete for DLS and it is being considered for complete removal in REVmd.
  This implementation did not really work, so it could not have been used in practice. For example, key configuration was using incorrect algorithm values (WPA_CIPHER_* instead of WPA_ALG_*) which resulted in mapping to an invalid WPA_ALG_* value for the actual driver operation. As such, the derived key could not have been successfully set for the link.
  Since there are bugs in this implementation and there does not seem to be any future for the PeerKey design with DLS (TDLS being the future for DLS), the best approach is to simply delete all this code to simplify the EAPOL-Key handling design and to get rid of any potential issues if these code paths were accidentally reachable.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* SAE: Allow SAE password to be configured separately (STA) | Jouni Malinen | 2017-10-11 | 1 | -0/+1
  The new sae_password network profile parameter can now be used to set the SAE password instead of the previously used psk parameter. This allows shorter than 8 characters and longer than 63 characters long passwords to be used.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Remove C-sign-key expiry | Jouni Malinen | 2017-10-09 | 1 | -1/+0
  This was removed in DPP tech spec v0.2.3.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station | Jouni Malinen | 2017-10-08 | 1 | -0/+1
  This extends OWE support in wpa_supplicant to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256). The group is configured using the new network profile parameter owe_group.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* P2P: Allow GO to advertise Interworking element | Sunil Dutt | 2017-10-05 | 1 | -0/+11
  This adds new wpa_supplicant configuration parameters (go_interworking, go_access_network_type, go_internet, go_venue_group, go_venue_type) to add a possibility of configuring the P2P GO to advertise Interworking element.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add group_mgmt network parameter for PMF cipher selection | Jouni Malinen | 2017-09-26 | 1 | -0/+17
  The new wpa_supplicant network parameter group_mgmt can be used to specify which group management ciphers (AES-128-CMAC, BIP-GMAC-128, BIP-GMAC-256, BIP-CMAC-256) are allowed for the network. If not specified, the current behavior is maintained (i.e., follow what the AP advertises). The parameter can list multiple space-separated ciphers.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* mesh: Move writing of mesh_rssi_threshold inside CONFIG_MESH | Lior David | 2017-09-12 | 1 | -1/+1
  Previously, the code that writes mesh_rssi_threshold to a network block always executes, but the code that reads it from network block and the code that initializes it to a default value in a new network block are inside #ifdef CONFIG_MESH. As a result when writing a config file it will write mesh_rssi_threshold (since it has a non-default value) and later fail to read the network block.
  Fix this by moving the write code under #ifdef CONFIG_MESH as well.
  Note, network blocks which already have mesh_rssi_threshold because of the bug will still fail to read after the fix.
  Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
* STA: Add OCE capability indication attribute | Ashwini Patil | 2017-07-14 | 1 | -0/+2
  Add OCE capability indication attribute in Probe Request and (Re)Association Request frames.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Fix configuration item list | Jouni Malinen | 2017-07-02 | 1 | -5/+5
  This was supposed to use semicolons, not commas.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Automatic network profile creation | Jouni Malinen | 2017-06-21 | 1 | -0/+3
  wpa_supplicant can now be configured to generate a network profile automatically based on DPP configuration. The following dpp_config_processing values can be used to specify the behavior:
  0 = report received configuration to an external program for processing; do not generate any network profile internally (default)
  1 = report received configuration to an external program and generate a network profile internally, but do not automatically connect to the created (disabled) profile; the network profile id is reported to external programs
  2 = report received configuration to an external program, generate a network profile internally, try to connect to the created profile automatically
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Make wpa_config_read_blob() easier for static analyzers | Jouni Malinen | 2017-06-19 | 1 | -1/+1
  While encoded == NULL could happen in the case of an empty blob, that will result in encoded_len == 0 and base64_decode() not dereferencing the src argument. That seems to be too difficult for some static analyzers, so to avoid false warnings, explicitly reject the encoded == NULL case without even trying to base64 decode it. (CID 164709)
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Network profile parameters for DPP AKM | Jouni Malinen | 2017-06-19 | 1 | -0/+7
  Extend wpa_supplicant network profile to include parameters needed for the DPP AKM: dpp_connector, dpp_netaccesskey, dpp_netaccesskey_expiry, dpp_csign, dpp_csign_expiry.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Provide option to configure BSSID hint for a network | Purushottam Kushwaha | 2017-05-11 | 1 | -0/+12
  This exposes user configurable option to set bssid_hint for a network. bssid_hint indicates which BSS has been found a suitable candidate for initial association for drivers that use driver/firmware-based BSS selection. Unlike the bssid parameter, bssid_hint does not limit the driver from selecting other BSSs in the ESS.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* mesh: Make NL80211_MESHCONF_RSSI_THRESHOLD configurable | Masashi Honma | 2017-05-08 | 1 | -0/+1
  In some practical cases, it is useful to suppress joining to node in the distance. The new field mesh_rssi_threshold could be used as RSSI threshold for joining.
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* WPS: Add option for using random UUID | Jouni Malinen | 2017-04-13 | 1 | -0/+2
  If the uuid configuration parameter is not set, wpa_supplicant generates an UUID automatically to allow WPS operations to proceed. This was previously always using an UUID generated from the MAC address. This commit adds an option to use a random UUID instead. The type of the automatically generated UUID is set with the auto_uuid parameter: 0 = based on MAC address (default; old behavior), 1 = random UUID.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FILS: Add FILS SK auth PFS support in STA mode | Jouni Malinen | 2017-03-12 | 1 | -0/+1
  This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* wpa_supplicant: Allow disabling HT in AP mode without HT overrides | Johannes Berg | 2017-03-11 | 1 | -0/+1
  Since VHT can be toggled explicitly, also expose being able to disable HT explicitly, without requiring HT overrides. Continue making it default to enabled though.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* wpa_supplicant: Allow explicit wide channel configuration for AP mode | Johannes Berg | 2017-03-11 | 1 | -0/+4
  Instead of deducing the wide (HT, VHT) channel configuration only automatically in P2P mode, allow it to be configured in the network in non-P2P mode.
  Also allow all of these parameters to be configured through the control interface or the configuration file.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* nl80211: Add option to delay start of schedule scan plans | Purushottam Kushwaha | 2017-03-09 | 1 | -0/+4
  The userspace may want to delay the first scheduled scan. This enhances sched_scan to add initial delay (in seconds) before starting first scan cycle. The driver may optionally choose to ignore this parameter and start immediately (or at any other time).
  This uses NL80211_ATTR_SCHED_SCAN_DELAY to add this via user global configurable option: sched_scan_start_delay.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* MBO: Add support for transition reject reason code | Kanchanapally, Vidyullatha | 2017-03-06 | 1 | -0/+4
  Add support for rejecting a BSS transition request using MBO reject reason codes. A candidate is selected or rejected based on whether it is found acceptable by both wpa_supplicant and the driver. Also accept any candidate meeting a certain threshold if disassoc imminent is set in BTM Request frame.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* GAS: Add support to randomize transmitter address | Vamsi Krishna | 2017-02-07 | 1 | -0/+7
  Add support to send GAS requests with a randomized transmitter address if supported by the driver. The following control interface commands (and matching configuration file parameters) can be used to configure different types of randomization:
  "SET gas_rand_mac_addr 0" to disable randomizing TX MAC address,
  "SET gas_rand_mac_addr 1" to randomize the complete TX MAC address,
  "SET gas_rand_mac_addr 2" to randomize the TX MAC address except for OUI.
  A new random MAC address will be generated for every gas_rand_addr_lifetime seconds and this can be configured with "SET gas_rand_addr_lifetime <timeout>".
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Store FST parameters to configuration file | Jouni Malinen | 2017-01-07 | 1 | -0/+7
  This was forgotten when the parameters were added.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Store osu_dir to configuration file | Jouni Malinen | 2017-01-07 | 1 | -0/+3
  This was forgotten when the parameter was added.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Store autoscan to configuration file | Jouni Malinen | 2017-01-07 | 1 | -0/+3
  This was forgotten when the parameter was added.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Store filter_rssi to configuration file | Jouni Malinen | 2017-01-07 | 1 | -0/+2
  This was forgotten when the parameter was added.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Write sec_device_type to configuration file | Jouni Malinen | 2017-01-07 | 1 | -0/+11
  This is more consistent with other global configuration parameters.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix writing of wpa_supplicant sae_groups configuration parameter | Jouni Malinen | 2017-01-07 | 1 | -1/+1
  This integer array is zero terminated, so need to check the value is greater than 0 when writing the parameter.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: Make MKA actor priority configurable | Badrish Adiga H R | 2016-12-25 | 1 | -0/+2
  This adds a new wpa_supplicant network profile parameter mka_priority=0..255 to set the priority of the MKA Actor.
  Signed-off-by: Badrish Adiga H R <badrish.adigahr@gmail.com>
* P2P: Set p2p_persistent_group=1 at the time of reading disabled=2 | Avichal Agarwal | 2016-12-12 | 1 | -0/+3
  Configuration file network block with disabled=2 is used for storing information about a persistent group, so p2p_persistent_group should be updated according to this when creating a struct wpa_ssid instance. This will end up using D-Bus persistent network object path for the network.
  Signed-off-by: Avichal Agarwal <avichal.a@samsung.com>
  Signed-off-by: Kyeong-Chae Lim <kcya.lim@samsung.com>
* wpa_supplicant: Allow configuring the MACsec port for MKA | Sabrina Dubroca | 2016-11-19 | 1 | -0/+1
  Previously, wpa_supplicant only supported hardcoded port == 1 in the SCI, but users may want to choose a different port.
  Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
* wpa_supplicant: Add macsec_integ_only setting for MKA | Sabrina Dubroca | 2016-11-19 | 1 | -0/+1
  So that the user can turn encryption on (MACsec provides confidentiality+integrity) or off (MACsec provides integrity only). This commit adds the configuration parameter while the actual behavior change to disable encryption in the driver is handled in the following commit.
  Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
* wpa_supplicant: Allow pre-shared (CAK,CKN) pair for MKA | Sabrina Dubroca | 2016-11-19 | 1 | -0/+36
  This enables configuring key_mgmt=NONE + mka_ckn + mka_cak. This allows wpa_supplicant to work in a peer-to-peer mode, where peers are authenticated by the pre-shared (CAK,CKN) pair. In this mode, peers can act as key server to distribute keys for the MACsec instances.
  This is what some MACsec switches support, and even without HW support, it's a convenient way to setup a network.
  Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
* wpa_supplicant: Allow FTM functionality to be published | Lior David | 2016-09-05 | 1 | -0/+5
  Add configuration options that control publishing of fine timing measurement (FTM) responder and initiator functionality via bits 70, 71 of Extended Capabilities element. Typically, FTM functionality is controlled by a location framework outside wpa_supplicant. When framework is activated, it will use wpa_supplicant to configure the STA/AP to publish the FTM functionality. See IEEE P802.11-REVmc/D7.0,
  Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
* Add group_rekey parameter for IBSS | Jouni Malinen | 2016-08-13 | 1 | -0/+1
  The new network profile parameter group_rekey can now be used to specify the group rekeying interval in seconds for IBSS.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* wpa_supplicant: Make GAS Address3 field selection behavior configurable | Jouni Malinen | 2016-06-10 | 1 | -0/+2
  IEEE Std 802.11-2012, 10.19 (Public Action frame addressing) specifies that the wildcard BSSID value is used in Public Action frames that are transmitted to a STA that is not a member of the same BSS. wpa_supplicant used to use the actual BSSID value for all such frames regardless of whether the destination STA is a member of the BSS.
  P2P does not follow this rule, so P2P Public Action frame construction must not be changed. However, the cases using GAS/ANQP for non-P2P purposes should follow the standard requirements.
  Unfortunately, there are deployed AP implementations that do not reply to a GAS request sent using the wildcard BSSID value. The previously used behavior (Address3 = AP BSSID even when not associated) continues to be the default, but the IEEE 802.11 standard compliant addressing behavior can now be configured with gas_address3=1.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* wpa_supplicant: Add wps_disabled parameter to network block | Lior David | 2016-05-14 | 1 | -0/+1
  Add a new parameter wps_disabled to network block (wpa_ssid). This parameter allows WPS functionality to be disabled in AP mode.
  Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
* MBO: Add cellular capability to MBO IE | David Spinadel | 2016-02-22 | 1 | -0/+2
  Add cellular capability attribute to MBO IE and add MBO IE with cellular capabilities to Probe Request frames. By default, cellular capability value is set to Not Cellular capable (3).
  Signed-off-by: David Spinadel <david.spinadel@intel.com>
* MBO: Add non-preferred channel configuration in wpa_supplicant | David Spinadel | 2016-02-21 | 1 | -0/+6
  Add non-preferred channel configuration to wpa_config for MBO.
  Signed-off-by: David Spinadel <david.spinadel@intel.com>
* wpa_supplicant: Basic support for PBSS/PCP | Lior David | 2016-02-08 | 1 | -0/+1
  PBSS (Personal Basic Service Set) is a new BSS type for DMG networks. It is similar to infrastructure BSS, having an AP-like entity called PCP (PBSS Control Point), but it has few differences. PBSS support is mandatory for IEEE 802.11ad devices.
  Add a new "pbss" argument to network block. The argument is used in the following scenarios:
  1. When network has mode=2 (AP), when pbss flag is set will start as a PCP instead of an AP.
  2. When network has mode=0 (station), when pbss flag is set will connect to PCP instead of AP.
  The function wpa_scan_res_match() was modified to match BSS according to the pbss flag in the network block (wpa_ssid structure). When pbss flag is set it will match only PCPs, and when it is clear it will match only APs.
  Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
* Allow re-write of ip_addr* configurations to conf file. | Purushottam Kushwaha | 2016-01-15 | 1 | -0/+16
  This patch keeps ip_addr* configuration in conf file while updating supplicant conf file either internally by supplicant or due to save_config command.
  Signed-off-by: Purushottam Kushwaha <p.kushwaha@samsung.com>
  Signed-off-by: Avichal Agarwal <avichal.a@samsung.com>
* wpa_supplicant: Enable Automatic Channel Selection support for AP mode | Tomasz Bursztyka | 2015-12-24 | 1 | -0/+3
  Since hostapd supports ACS now, let's enable its support in wpa_supplicant as well when starting AP mode.
  Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
  [u.oelmann@pengutronix.de: rebased series from hostap_2_1~944 to master]
  [u.oelmann@pengutronix.de: adjusted added text in defconfig]
  Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
* Add support for configuring scheduled scan plans | Avraham Stern | 2015-11-30 | 1 | -0/+3
  Add the option to configure scheduled scan plans in the config file. Each scan plan specifies the interval between scans and the number of scan iterations. The last plan will run infinitely and thus specifies only the interval between scan iterations.
  usage: sched_scan_plans=<interval:iterations> <interval2:iterations2> ... <interval>
  Signed-off-by: Avraham Stern <avraham.stern@intel.com>
* IBSS/mesh: Add support for VHT80P80 configuration | Ahmad Kholaif | 2015-11-26 | 1 | -0/+1
  A new network profile configuration parameter max_oper_chwidth=3 can be used to specify preference to enable 80+80 MHz VHT channel for IBSS. If that is set, the first 80 MHz segment is specified based on the frequency parameter in the network profile and the second segment is selected automatically (which will practically be limited to a single possibility due to DFS requirements in most countries).
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* wpa_supplicant: Add GTK RSC relaxation workaround | Max Stepanov | 2015-11-01 | 1 | -0/+4
  Some APs may send RSC octets in EAPOL-Key message 3 of 4-Way Handshake or in EAPOL-Key message 1 of Group Key Handshake in the opposite byte order (or by some other corrupted way). Thus, after a successful EAPOL-Key exchange the TSC values of received multicast packets, such as DHCP, don't match the RSC one and as a result these packets are dropped on replay attack TSC verification. An example of such AP is Sapido RB-1732.
  Work around this by setting RSC octets to 0 on GTK installation if the AP RSC value is identified as a potentially having the byte order issue. This may open a short window during which older (but valid) group-addressed frames could be replayed. However, the local receive counter will be updated on the first received group-addressed frame and the workaround is enabled only if the common invalid cases are detected, so this workaround is acceptable as not decreasing security significantly. The wpa_rsc_relaxation global configuration property allows the GTK RSC workaround to be disabled if it's not needed.
  Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
* Make sure configuration is saved to storage device | Mitchell Wills | 2015-08-27 | 1 | -0/+2
  Config file is written to a temp file and then it is renamed to the original config file. However, it is possible that the rename operation will be committed to storage while file data will be still in cache causing original config file to be empty or partially written in case of a system reboot without a clean shutdown. Make this less likely to occur by forcing the data to be written to the storage device before renaming the file.
  Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
* P2P: Move a GO from its operating frequency | Ilan Peer | 2015-08-03 | 1 | -0/+3
  Upon any change in the currently used channels evaluate if a GO should move to a different operating frequency, where the possible scenarios:
  1. The frequency that the GO is currently using is no longer valid, due to regulatory reasons, and thus the GO must be moved to some other frequency.
  2. Due to Multi Concurrent Channel (MCC) policy considerations, it would be preferable, based on configuration settings, to prefer Same Channel Mode (SCM) over concurrent operation in multiple channels. The supported policies:
     - prefer SCM: prefer moving the GO to a frequency used by some other interface.
     - prefer SCM if Peer supports: prefer moving the GO to a frequency used by some other station interface iff the other station interface is using a frequency that is common between the local and the peer device (based on the GO Negotiation/Invitation signaling).
     - Stay on the current frequency.
  Currently, the GO transition to another frequency is handled by a complete tear down and re-setup of the GO. Still need to add CSA flow to the considerations.
  Signed-off-by: Ilan Peer <ilan.peer@intel.com>
* mesh: Fix mesh SAE auth on low spec devices | Masashi Honma | 2015-08-02 | 1 | -0/+5
  The mesh SAE auth often fails with master branch. By bisect I found commit eb5fee0bf50444419ac12d3c7f38f27a47523a47 ('SAE: Add side-channel protection to PWE derivation with ECC') causes this issue. This does not mean the commit has a bug. This is just a CPU resource issue.
  After the commit, sae_derive_pwe_ecc() spends 101(msec) on my PC (Intel Atom N270 1.6GHz). But dot11RSNASAERetransPeriod is 40(msec). So auth_sae_retransmit_timer() is always called and it can cause continuous frame exchanges. Before the commit, it was 23(msec).
  On the IEEE 802.11 spec, the default value of dot11RSNASAERetransPeriod is defined as 40(msec). But it looks short because generally mesh functionality will be used on low spec devices. Indeed Raspberry Pi B+ (ARM ARM1176JZF-S 700MHz) requires 287(msec) for new sae_derive_pwe_ecc().
  So this patch makes the default to 1000(msec) and makes it configurable.
  This issue does not occur on infrastructure SAE because the dot11RSNASAERetransPeriod is not used on it.
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* Use unsigned/signed printf format more consistently | Jouni Malinen | 2015-06-23 | 1 | -24/+23
  These configuration parameters did not use matching printf format string parameters (signed vs. unsigned). While these configuration values are, in practice, small unsigned integers, the implementation should use matching types to write these.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* P2PS: Enable Probe Request frame processing by P2P Client | Max Stepanov | 2015-06-14 | 1 | -0/+3
  1. Add global p2p_cli_probe property to enable/disable Probe Request frame RX reporting for connected P2P Clients. The property can be set to 0 - disable or 1 - enable. The default value is 0.
  2. Enable Probe Request frame RX reporting for P2P Client on WPA_COMPLETED state if p2p_cli_probe property is set to 1. Disable it when an interface state is changing to any other state.
  3. Don't cancel Probe Request frame RX reporting on wpa_stop_listen for a connected P2P Client handling Probe Request frames.
  Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
  Reviewed-by: Ilan Peer <ilan.peer@intel.com>
* WPS: Allow the priority for the WPS networks to be configured | Sunil Dutt | 2015-06-04 | 1 | -0/+3
  This commit adds a configurable parameter (wps_priority) to specify the priority for the networks derived through WPS connection.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>