path: root/wpa_supplicant/wpa_supplicant.conf
Commit log: commit message, author, age, files changed, lines (-removed/+added)
* wpa_supplicant: Allow pre-shared (CAK,CKN) pair for MKA (Sabrina Dubroca, 2016-11-19; 1 file, -0/+8)
  This enables configuring key_mgmt=NONE + mka_ckn + mka_cak. This allows wpa_supplicant to work in a peer-to-peer mode, where peers are authenticated by the pre-shared (CAK,CKN) pair. In this mode, peers can act as key server to distribute keys for the MACsec instances. This is what some MACsec switches support, and even without HW support, it's a convenient way to set up a network.
  Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
* FILS: Add wpa_supplicant configuration options (Jouni Malinen, 2016-10-10; 1 file, -0/+4)
  This adds CONFIG_FILS=y build configuration option and new key management options for FILS authentication.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* MBO: Do not add reason_detail in non_pref_chan attr (STA) (vamsi krishna, 2016-09-25; 1 file, -3/+3)
  The reason detail field in non_pref_chan attribute was removed from MBO draft v0.0_r25, so the STA should not include this field to be compliant with the latest draft.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Fix typos in wpa_supplicant configuration parameter documentation (Jouni Malinen, 2016-09-10; 1 file, -9/+9)
  Signed-off-by: Jouni Malinen <j@w1.fi>
* wpa_supplicant: Allow FTM functionality to be published (Lior David, 2016-09-05; 1 file, -0/+16)
  Add configuration options that control publishing of fine timing measurement (FTM) responder and initiator functionality via bits 70, 71 of Extended Capabilities element. Typically, FTM functionality is controlled by a location framework outside wpa_supplicant. When the framework is activated, it will use wpa_supplicant to configure the STA/AP to publish the FTM functionality. See IEEE P802.11-REVmc/D7.0,
  Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
* Add group_rekey parameter for IBSS (Jouni Malinen, 2016-08-13; 1 file, -0/+4)
  The new network profile parameter group_rekey can now be used to specify the group rekeying interval in seconds for IBSS.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Update PKCS#11 references in template wpa_supplicant.conf (David Woodhouse, 2016-06-11; 1 file, -17/+15)
  Ditch the legacy syntax and manual engine mangling and just give an example using simple PKCS#11 URIs that'll work with both GnuTLS and OpenSSL.
  Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
* wpa_supplicant: Make GAS Address3 field selection behavior configurable (Jouni Malinen, 2016-06-10; 1 file, -0/+6)
  IEEE Std 802.11-2012, 10.19 (Public Action frame addressing) specifies that the wildcard BSSID value is used in Public Action frames that are transmitted to a STA that is not a member of the same BSS. wpa_supplicant used to use the actual BSSID value for all such frames regardless of whether the destination STA is a member of the BSS. P2P does not follow this rule, so P2P Public Action frame construction must not be changed. However, the cases using GAS/ANQP for non-P2P purposes should follow the standard requirements.
  Unfortunately, there are deployed AP implementations that do not reply to a GAS request sent using the wildcard BSSID value. The previously used behavior (Address3 = AP BSSID even when not associated) continues to be the default, but the IEEE 802.11 standard compliant addressing behavior can now be configured with gas_address3=1.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* wpa_supplicant: Add wps_disabled parameter to network block (Lior David, 2016-05-14; 1 file, -0/+5)
  Add a new parameter wps_disabled to network block (wpa_ssid). This parameter allows WPS functionality to be disabled in AP mode.
  Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
* Ignore pmf=1/2 parameter for non-RSN networks (Jouni Malinen, 2016-05-05; 1 file, -4/+6)
  PMF is available only with RSN and pmf=2 could have prevented open network connections. Change the global wpa_supplicant pmf parameter to be interpreted as applying only to RSN cases to allow it to be used with open networks.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* wpa_supplicant: "don't care" value for pbss in ssid structure (Lior David, 2016-04-08; 1 file, -2/+6)
  Add a new value 2 to the pbss parameter of wpa_ssid structure, which means "don't care". This value is used in infrastructure mode to request connection to either AP or PCP, whichever is available in the scan results. The value is also used in regular WPS (not P2P group formation) to make WPS work with devices running as either AP or PCP.
  Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
* MBO: Add cellular capability to MBO IE (David Spinadel, 2016-02-22; 1 file, -0/+6)
  Add cellular capability attribute to MBO IE and add MBO IE with cellular capabilities to Probe Request frames. By default, cellular capability value is set to Not Cellular capable (3).
  Signed-off-by: David Spinadel <david.spinadel@intel.com>
* MBO: Add non-preferred channel configuration in wpa_supplicant (David Spinadel, 2016-02-21; 1 file, -0/+8)
  Add non-preferred channel configuration to wpa_config for MBO.
  Signed-off-by: David Spinadel <david.spinadel@intel.com>
* wpa_supplicant: Basic support for PBSS/PCP (Lior David, 2016-02-08; 1 file, -0/+7)
  PBSS (Personal Basic Service Set) is a new BSS type for DMG networks. It is similar to infrastructure BSS, having an AP-like entity called PCP (PBSS Control Point), but it has a few differences. PBSS support is mandatory for IEEE 802.11ad devices.
  Add a new "pbss" argument to network block. The argument is used in the following scenarios:
  1. When network has mode=2 (AP), when pbss flag is set it will start as a PCP instead of an AP.
  2. When network has mode=0 (station), when pbss flag is set it will connect to PCP instead of AP.
  The function wpa_scan_res_match() was modified to match BSS according to the pbss flag in the network block (wpa_ssid structure). When pbss flag is set it will match only PCPs, and when it is clear it will match only APs.
  Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
* HS 2.0: Add some documentation for OSEN and network block use (Jouni Malinen, 2016-01-04; 1 file, -0/+4)
  This adds notes on how wpa_supplicant can be configured for OSEN for a link-layer protected online signup connection and how network profiles can be set for a Hotspot 2.0 data connection when using external Interworking network selection.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add ocsp=3 configuration parameter for multi-OCSP (Jouni Malinen, 2015-12-23; 1 file, -0/+4)
  ocsp=3 extends ocsp=2 by requiring all not-trusted certificates in the server certificate chain to receive a good OCSP status. This requires support for ocsp_multi (RFC 6961). This commit is only adding the configuration value, but all the currently included TLS library wrappers are rejecting this as unsupported for now.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Document previously missing key_mgmt values (Jouni Malinen, 2015-12-21; 1 file, -0/+10)
  A number of key_mgmt options were missing from the documentation.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* EAP peer: External server certificate chain validation (Jouni Malinen, 2015-12-12; 1 file, -0/+6)
  This adds support for optional functionality to validate server certificate chain in TLS-based EAP methods in an external program. wpa_supplicant control interface is used to indicate when such validation is needed and what the result of the external validation is.
  This external validation can extend or replace the internal validation. When ca_cert or ca_path parameter is set, the internal validation is used. If these parameters are omitted, only the external validation is used. It needs to be understood that leaving those parameters out will disable most of the validation steps done with the TLS library and that configuration is not really recommended.
  By default, the external validation is not used. It can be enabled by adding tls_ext_cert_check=1 into the network profile phase1 parameter. When enabled, external validation is required through the CTRL-REQ/RSP mechanism similarly to other EAP authentication parameters through the control interface.
  The request to perform external validation is indicated by the following event:
  CTRL-REQ-EXT_CERT_CHECK-<id>:External server certificate validation needed for SSID <ssid>
  Before that event, the server certificate chain is provided with the CTRL-EVENT-EAP-PEER-CERT events that include the cert=<hexdump> parameter. depth=# indicates which certificate is in question (0 for the server certificate, 1 for its issuer, and so on).
  The result of the external validation is provided with the following command:
  CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad>
  It should be noted that this is currently enabled only for OpenSSL (and BoringSSL/LibreSSL). Due to the constraints in the library API, the validation result from external processing cannot be reported cleanly with TLS alert. In other words, if the external validation rejects the server certificate chain, the pending TLS handshake is terminated without sending more messages to the server.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Add support for configuring scheduled scan plans (Avraham Stern, 2015-11-30; 1 file, -1/+24)
  Add the option to configure scheduled scan plans in the config file. Each scan plan specifies the interval between scans and the number of scan iterations. The last plan will run infinitely and thus specifies only the interval between scan iterations.
  usage: sched_scan_plans=<interval:iterations> <interval2:iterations2> ... <interval>
  Signed-off-by: Avraham Stern <avraham.stern@intel.com>
* Document passive_scan option for wpa_supplicant.conf (Ben Greear, 2015-11-15; 1 file, -0/+19)
  This should save the next person to need this behavior some time.
  Signed-off-by: Ben Greear <greearb@candelatech.com>
* Make it clearer that ap_scan=2 mode should not be used with nl80211 (Jouni Malinen, 2015-09-04; 1 file, -0/+4)
  Add more details into configuration comments and a runtime info message if ap_scan=2 is used with the nl80211 driver interface.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* FST: wpa_supplicant configuration parameters (Anton Nayshtut, 2015-07-16; 1 file, -0/+26)
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OpenSSL: Add option to disable use of TLSv1.0 (Jouni Malinen, 2015-07-08; 1 file, -0/+1)
  The new phase1 config parameter value tls_disable_tlsv1_0=1 can now be used to disable use of TLSv1.0 for a network configuration. This can be used to force a newer TLS version to be used. For example, phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1" would indicate that only TLS v1.2 is accepted.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* WPS: Allow the priority for the WPS networks to be configured (Sunil Dutt, 2015-06-04; 1 file, -0/+5)
  This commit adds a configurable parameter (wps_priority) to specify the priority for the networks derived through WPS connection.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Document p2p_disabled option in wpa_supplicant.conf (Ben Greear, 2015-04-23; 1 file, -0/+4)
  I needed this option to disable P2P on a buggy system. Document this so someone else finds it quicker next time.
  Signed-off-by: Ben Greear <greearb@candelatech.com>
* Fix a typo in configuration parameter documentation (Jouni Malinen, 2015-04-01; 1 file, -1/+1)
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Allow PSK/passphrase to be set only when needed (Jouni Malinen, 2015-03-28; 1 file, -0/+5)
  The new network profile parameter mem_only_psk=1 can be used to specify that the PSK/passphrase for that network is requested over the control interface (ctrl_iface or D-Bus) similarly to the EAP network parameter requests. The PSK/passphrase can then be configured temporarily in a way that prevents it from getting stored to the configuration file.
  For example:
  Event: CTRL-REQ-PSK_PASSPHRASE-0:PSK or passphrase needed for SSID test-wpa2-psk
  Response: CTRL-RSP-PSK_PASSPHRASE-0:"qwertyuiop"
  Note: The response value uses the same encoding as the psk network profile parameter, i.e., passphrase is within double quotation marks.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Add an option to allow canned EAP-Success for wired IEEE 802.1X (Jouni Malinen, 2015-02-01; 1 file, -0/+10)
  For wired IEEE 802.1X authentication, phase1="allow_canned_success=1" can now be used to configure a mode that allows EAP-Success (and EAP-Failure) without going through authentication step. Some switches use such sequence when forcing the port to be authorized/unauthorized or as a fallback option if the authentication server is unreachable. By default, wpa_supplicant discards such frames to protect against potential attacks by rogue devices, but this option can be used to disable that protection for cases where the server/authenticator does not need to be authenticated.
  When enabled, this mode allows EAP-Success/EAP-Failure as an immediate response to EAPOL-Start (or even without EAPOL-Start) and EAP-Success is also allowed immediately after EAP-Identity exchange (fallback case for authenticator not being able to connect to authentication server).
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-MSCHAPv2 peer: Add option to disable password retry query (Jouni Malinen, 2015-02-01; 1 file, -1/+2)
  wpa_supplicant used to request user to re-enter username/password if the server indicated that EAP-MSCHAPv2 (e.g., in PEAP Phase 2) authentication failed (E=691), but retry is allowed (R=1). This is a reasonable default behavior, but there may be cases where it is more convenient to close the authentication session immediately rather than wait for user to do something.
  Add a new "mschapv2_retry=0" option to the phase2 field to allow the retry behavior to be disabled. This will make wpa_supplicant abort authentication attempt on E=691 regardless of whether the server allows retry.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* mesh: Make inactivity timer configurable (Masashi Honma, 2015-01-19; 1 file, -0/+5)
  Current mesh code uses ap_max_inactivity as inactivity timer. This patch makes it configurable.
  There is another mesh inactivity timer in mac80211. The timer works even if user_mpm=1. So this patch sets the max value to the timer for workaround.
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* Add domain_match network profile parameter (Jouni Malinen, 2015-01-14; 1 file, -1/+12)
  This is similar to domain_suffix_match, but requires a full match of the domain name rather than allowing suffix match (subdomains) or wildcard certificates.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Include peer certificate always in EAP events (Jouni Malinen, 2015-01-14; 1 file, -0/+6)
  This makes it easier for upper layer applications to get information regarding the server certificate without having to use a special certificate probing connection. This provides both the SHA256 hash of the certificate (to be used with ca_cert="hash://server/sha256/<hash>", if desired) and the full DER encoded X.509 certificate so that upper layer applications can parse and display the certificate easily or extract fields from it for purposes like configuring an altsubject_match or domain_suffix_match.
  The old behavior can be configured by adding cert_in_cb=0 to wpa_supplicant configuration file.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Improve subject_match and domain_suffix_match documentation (Jouni Malinen, 2015-01-10; 1 file, -3/+23)
  These were already covered in both README-HS20 for credentials and in header files for developers' documentation, but the copy in wpa_supplicant.conf did not include all the details. In addition, add a clearer note pointing at subject_match not being suitable for suffix matching domain names; domain_suffix_match must be used for that.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Add address masks to BSSID lists (Stefan Tomanek, 2015-01-10; 1 file, -2/+2)
  In many applications it is useful not just to enumerate a group of well known access points, but to use an address/mask notation to match an entire set of addresses (ca:ff:ee:00:00:00/ff:ff:ff:00:00:00). This change expands the data structures used by MAC lists to include a mask indicating the significant (non-masked) portions of an address and extends the list parser to recognize mask suffixes.
  Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
* Add network specific BSSID black and white lists (Stefan Tomanek, 2015-01-10; 1 file, -0/+15)
  This change adds the configuration options "bssid_whitelist" and "bssid_blacklist" used to limit the AP selection of a network to a specified (finite) set or discard certain APs. This can be useful for environments where multiple networks operate using the same SSID and roaming between those is not desired. It is also useful to ignore a faulty or otherwise unwanted AP.
  Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
* mesh: Make maximum number of peer links configurable (Masashi Honma, 2014-12-21; 1 file, -0/+4)
  Maximum number of peer links is the maximum number of connecting mesh peers at the same time. This value is 0..255 based on the dot11MeshNumberOfPeerings range.
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* ERP: Add support for ERP on EAP peer (Jouni Malinen, 2014-12-04; 1 file, -0/+2)
  Derive rRK and rIK on EAP peer if ERP is enabled. The new wpa_supplicant network configuration parameter erp=1 can now be used to configure the EAP peer to derive EMSK, rRK, and rIK at the successful completion of an EAP authentication method. This functionality is not included in the default build and can be enabled with CONFIG_ERP=y.
  If the EAP authenticator indicates support for re-authentication protocol, initiate this with EAP-Initiate/Re-auth and complete protocol when receiving EAP-Finish/Re-auth.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Add examples of new mesh options into wpa_supplicant.conf (Thomas Pedersen, 2014-11-20; 1 file, -0/+17)
  Signed-off-by: Javier Lopez <jlopex@gmail.com>
  Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
  Signed-off-by: Thomas Pedersen <thomas@noack.us>
* mesh: Add user_mpm config option (Thomas Pedersen, 2014-10-25; 1 file, -0/+9)
  Add user_mpm config parameter; when this is set to 1 (the default) the peer link management is done in userspace, otherwise the peer management will be done by the kernel.
  Signed-off-by: Javier Lopez <jlopex@gmail.com>
  Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
  Signed-off-by: Thomas Pedersen <thomas@noack.us>
* wpa_supplicant: Allow OpenSSL cipherlist string to be configured (Jouni Malinen, 2014-10-12; 1 file, -0/+14)
  The new openssl_cipher configuration parameter can be used to select which TLS cipher suites are enabled for TLS-based EAP methods when OpenSSL is used as the TLS library. This parameter can be used both as a global parameter to set the default for all network blocks and as a network block parameter to override the default for each network profile.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Extend random MAC address support to allow OUI to be kept (Jouni Malinen, 2014-09-29; 1 file, -0/+3)
  mac_addr=2 and preassoc_mac_addr=2 parameters can now be used to configure random MAC address to be generated by maintaining the OUI part of the permanent MAC address (but with locally administered bit set to 1). Other than that, these values result in similar behavior with mac_addr=1 and preassoc_mac_addr=1, respectively.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Add support for using random local MAC address (Jouni Malinen, 2014-09-27; 1 file, -0/+22)
  This adds experimental support for wpa_supplicant to assign random local MAC addresses for both pre-association cases (scan, GAS/ANQP) and for connections. MAC address policy for each part can be controlled separately and the connection part can be set per network block.
  This requires support from the driver to allow local MAC address to be changed if random address policy is enabled. It should also be noted that number of drivers would not support concurrent operations (e.g., P2P and station association) with random addresses in use for one or both.
  This functionality can be controlled with the global configuration parameters mac_addr and preassoc_mac_addr which set the default MAC address policies for connections and pre-association operations (scan and GAS/ANQP while not connected). The global rand_addr_lifetime parameter can be used to set the lifetime of a random MAC address in seconds (default: 60 seconds). This is used to avoid unnecessarily frequent MAC address changes since those are likely to result in driver clearing most of its state. It should be noted that the random MAC address does not expire during an ESS connection, i.e., this lifetime is only for the case where the device is disconnected.
  The mac_addr parameter can also be set in the network blocks to define different behavior per network. For example, the global mac_addr=1 and preassoc_mac_addr=1 settings and mac_addr=0 in a home network profile would result in behavior where all scanning is performed using a random MAC address while connections to new networks (e.g., Interworking/Hotspot 2.0) would use random address and connections to the home network would use the permanent MAC address.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* P2P: Allow passphrase length to be configured (Jouni Malinen, 2014-06-21; 1 file, -0/+6)
  Previously, an eight-character random passphrase was generated automatically for P2P GO. The new p2p_passphrase_len parameter can be used to increase this length to generate a stronger passphrase for cases where practicality of manual configuration of legacy devices is not a concern.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* P2P: Make the default p2p_find delay value configurable (Nirav Shah, 2014-06-09; 1 file, -0/+7)
  This makes the p2p_find default delay value configurable as p2p_search_delay parameter through the configuration file (and through control interface "SET p2p_search_delay <value>" on the P2P management interface). This parameter controls the number of milliseconds of extra delay that is added between search iterations when there is a concurrent operation in progress. This can be used, e.g., p2p_search_delay=100 to make p2p_find friendlier to concurrent operations by avoiding it from taking 100% of the radio resources.
  The default value is the previous default, i.e., 500 ms. Smaller values can be used to find peers more quickly at the cost of larger effect to concurrent operations while a larger value leaves more time for the concurrent operations at the cost of making device discovery take longer time. The optional p2p_find delay argument can still be used to override the search delay for each search operation.
  Since the P2P_CONCURRENT_SEARCH_DELAY macro is not used anymore, the driver specific build parameter for bcmdhd from Android.mk is also removed. Similar configuration can now be achieved with p2p_search_delay=0 in the p2p0 interface configuration file.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* MACsec: wpa_supplicant integration (Hu Wang, 2014-05-09; 1 file, -2/+28)
  Add MACsec to the wpa_supplicant build system and configuration file.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add SIM identifier to the network profile and cred block (Naresh Jayaram, 2014-04-24; 1 file, -0/+2)
  This allows the specific SIM to be identified for authentication purposes in multi-SIM devices. This SIM number represents the index of the SIM slot. This SIM number shall be used for the authentication using the respective SIM for the Wi-Fi connection to the corresponding network.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Allow HT 40 MHz intolerant flag to be set for association (Jouni Malinen, 2014-04-17; 1 file, -0/+4)
  This extends HT overrides to allow HT 40 MHz intolerant flag to be set with ht40_intolerant=1.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add forgotten ampdu_factor into wpa_supplicant.conf (Jouni Malinen, 2014-04-13; 1 file, -0/+3)
  Signed-off-by: Jouni Malinen <j@w1.fi>
* wpa_supplicant: Allow disabling LDPC (Pawel Kulakowski, 2014-04-01; 1 file, -0/+4)
  Allows user to disable LDPC coding. This possibility is useful for testing purposes.
  Signed-off-by: Pawel Kulakowski <pawel.kulakowski@tieto.com>
* bgscan: Do not initialize bgscan if disabled by user (David Spinadel, 2014-03-04; 1 file, -0/+2)
  Do not initialize bgscan if the user explicitly set bgscan to an empty string. Without this patch wpa_supplicant tries to initialize bgscan to the first option if the string is empty.
  Signed-off-by: David Spinadel <david.spinadel@intel.com>