path: root/wpa_supplicant/wpa_supplicant.conf
Commit message | Author | Age | Files | Lines
* wpa_supplicant: Add wps_disabled parameter to network block
  Lior David, 2016-05-14, 1 file, -0/+5

  Add a new parameter wps_disabled to the network block (wpa_ssid). This parameter allows WPS functionality to be disabled in AP mode.

  Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>

* Ignore pmf=1/2 parameter for non-RSN networks
  Jouni Malinen, 2016-05-05, 1 file, -4/+6

  PMF is available only with RSN and pmf=2 could have prevented open network connections. Change the global wpa_supplicant pmf parameter to be interpreted as applying only to RSN cases to allow it to be used with open networks.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* wpa_supplicant: "don't care" value for pbss in ssid structure
  Lior David, 2016-04-08, 1 file, -2/+6

  Add a new value 2 to the pbss parameter of the wpa_ssid structure, which means "don't care". This value is used in infrastructure mode to request connection to either AP or PCP, whichever is available in the scan results. The value is also used in regular WPS (not P2P group formation) to make WPS work with devices running as either AP or PCP.

  Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>

* MBO: Add cellular capability to MBO IE
  David Spinadel, 2016-02-22, 1 file, -0/+6

  Add a cellular capability attribute to the MBO IE and add the MBO IE with cellular capabilities to Probe Request frames. By default, the cellular capability value is set to Not Cellular capable (3).

  Signed-off-by: David Spinadel <david.spinadel@intel.com>

* MBO: Add non-preferred channel configuration in wpa_supplicant
  David Spinadel, 2016-02-21, 1 file, -0/+8

  Add non-preferred channel configuration to wpa_config for MBO.

  Signed-off-by: David Spinadel <david.spinadel@intel.com>

* wpa_supplicant: Basic support for PBSS/PCP
  Lior David, 2016-02-08, 1 file, -0/+7

  PBSS (Personal Basic Service Set) is a new BSS type for DMG networks. It is similar to an infrastructure BSS, having an AP-like entity called PCP (PBSS Control Point), but it has a few differences. PBSS support is mandatory for IEEE 802.11ad devices.

  Add a new "pbss" argument to the network block. The argument is used in the following scenarios:

  1. When the network has mode=2 (AP) and the pbss flag is set, it will start as a PCP instead of an AP.
  2. When the network has mode=0 (station) and the pbss flag is set, it will connect to a PCP instead of an AP.

  The function wpa_scan_res_match() was modified to match BSSs according to the pbss flag in the network block (wpa_ssid structure). When the pbss flag is set it will match only PCPs, and when it is clear it will match only APs.

  Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>

* HS 2.0: Add some documentation for OSEN and network block use
  Jouni Malinen, 2016-01-04, 1 file, -0/+4

  This adds notes on how wpa_supplicant can be configured for OSEN for a link-layer protected online signup connection and how network profiles can be set for a Hotspot 2.0 data connection when using external Interworking network selection.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* Add ocsp=3 configuration parameter for multi-OCSP
  Jouni Malinen, 2015-12-23, 1 file, -0/+4

  ocsp=3 extends ocsp=2 by requiring all not-trusted certificates in the server certificate chain to receive a good OCSP status. This requires support for ocsp_multi (RFC 6961). This commit is only adding the configuration value, but all the currently included TLS library wrappers are rejecting this as unsupported for now.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* Document previously missing key_mgmt values
  Jouni Malinen, 2015-12-21, 1 file, -0/+10

  A number of key_mgmt options were missing from the documentation.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* EAP peer: External server certificate chain validation
  Jouni Malinen, 2015-12-12, 1 file, -0/+6

  This adds support for optional functionality to validate the server certificate chain in TLS-based EAP methods in an external program. The wpa_supplicant control interface is used to indicate when such validation is needed and what the result of the external validation is.

  This external validation can extend or replace the internal validation. When the ca_cert or ca_path parameter is set, the internal validation is used. If these parameters are omitted, only the external validation is used. It needs to be understood that leaving those parameters out will disable most of the validation steps done with the TLS library and that configuration is not really recommended.

  By default, the external validation is not used. It can be enabled by adding tls_ext_cert_check=1 into the network profile phase1 parameter. When enabled, external validation is required through the CTRL-REQ/RSP mechanism similarly to other EAP authentication parameters through the control interface.

  The request to perform external validation is indicated by the following event:
  CTRL-REQ-EXT_CERT_CHECK-<id>:External server certificate validation needed for SSID <ssid>

  Before that event, the server certificate chain is provided with the CTRL-EVENT-EAP-PEER-CERT events that include the cert=<hexdump> parameter. depth=# indicates which certificate is in question (0 for the server certificate, 1 for its issuer, and so on).

  The result of the external validation is provided with the following command:
  CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad>

  It should be noted that this is currently enabled only for OpenSSL (and BoringSSL/LibreSSL). Due to the constraints in the library API, the validation result from external processing cannot be reported cleanly with a TLS alert. In other words, if the external validation rejects the server certificate chain, the pending TLS handshake is terminated without sending more messages to the server.

  Signed-off-by: Jouni Malinen <j@w1.fi>

* Add support for configuring scheduled scan plans
  Avraham Stern, 2015-11-30, 1 file, -1/+24

  Add the option to configure scheduled scan plans in the config file. Each scan plan specifies the interval between scans and the number of scan iterations. The last plan will run infinitely and thus specifies only the interval between scan iterations.

  usage: sched_scan_plans=<interval:iterations> <interval2:iterations2> ... <interval>

  Signed-off-by: Avraham Stern <avraham.stern@intel.com>
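An added example, not from this commit and not wpa_supplicant's own config parser: a Python validator for the sched_scan_plans syntax above. The rules it enforces (every plan but the last needs <interval:iterations>, the last gives only an interval and runs until the scheduled scan is stopped) are the ones stated in the commit message; the one-second lower bound on the interval, the function names and the sample values are assumptions.

```python
def parse_sched_scan_plans(value):
    """Parse 'interval:iterations ... interval' into a list of
    (interval_seconds, iterations) tuples. iterations is None for the
    final plan, which runs until the scheduled scan is stopped."""
    tokens = value.split()
    if not tokens:
        raise ValueError("sched_scan_plans needs at least one plan")
    plans = []
    for idx, token in enumerate(tokens):
        is_last = idx == len(tokens) - 1
        parts = token.split(":")
        if not all(p.isdigit() for p in parts):
            raise ValueError(f"plan {idx}: non-numeric value in {token!r}")
        if is_last and len(parts) == 1:
            interval, iterations = int(parts[0]), None
        elif not is_last and len(parts) == 2:
            interval, iterations = int(parts[0]), int(parts[1])
            if iterations < 1:
                raise ValueError(f"plan {idx}: iterations must be >= 1")
        elif is_last:
            raise ValueError("the last plan runs forever and must not give iterations")
        else:
            raise ValueError(f"plan {idx}: expected <interval:iterations>, got {token!r}")
        if interval < 1:  # assumed lower bound; the driver may impose a larger one
            raise ValueError(f"plan {idx}: interval must be >= 1 second")
        plans.append((interval, iterations))
    return plans


def seconds_until_final_plan(plans):
    """How long the bounded plans run before the unbounded last plan takes over."""
    return sum(interval * iterations for interval, iterations in plans[:-1])


def is_valid(value):
    """Boolean wrapper for config linting."""
    try:
        parse_sched_scan_plans(value)
    except ValueError:
        return False
    return True
```

This is a syntax check only: the driver advertises its own limit on the number of plans and on interval ranges, and a string that passes here can still be rejected when the scheduled scan is actually started.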
* Document passive_scan option for wpa_supplicant.conf
  Ben Greear, 2015-11-15, 1 file, -0/+19

  This should save the next person to need this behavior some time.

  Signed-off-by: Ben Greear <greearb@candelatech.com>

* Make it clearer that ap_scan=2 mode should not be used with nl80211
  Jouni Malinen, 2015-09-04, 1 file, -0/+4

  Add more details into configuration comments and a runtime info message if ap_scan=2 is used with the nl80211 driver interface.

  Signed-off-by: Jouni Malinen <j@w1.fi>

* FST: wpa_supplicant configuration parameters
  Anton Nayshtut, 2015-07-16, 1 file, -0/+26

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* OpenSSL: Add option to disable use of TLSv1.0
  Jouni Malinen, 2015-07-08, 1 file, -0/+1

  The new phase1 config parameter value tls_disable_tlsv1_0=1 can now be used to disable use of TLSv1.0 for a network configuration. This can be used to force a newer TLS version to be used. For example, phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1" would indicate that only TLS v1.2 is accepted.

  Signed-off-by: Jouni Malinen <j@w1.fi>

* WPS: Allow the priority for the WPS networks to be configured
  Sunil Dutt, 2015-06-04, 1 file, -0/+5

  This commit adds a configurable parameter (wps_priority) to specify the priority for the networks derived through a WPS connection.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* Document p2p_disabled option in wpa_supplicant.conf
  Ben Greear, 2015-04-23, 1 file, -0/+4

  I needed this option to disable P2P on a buggy system. Document this so someone else finds it quicker next time.

  Signed-off-by: Ben Greear <greearb@candelatech.com>

* Fix a typo in configuration parameter documentation
  Jouni Malinen, 2015-04-01, 1 file, -1/+1

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* Allow PSK/passphrase to be set only when needed
  Jouni Malinen, 2015-03-28, 1 file, -0/+5

  The new network profile parameter mem_only_psk=1 can be used to specify that the PSK/passphrase for that network is requested over the control interface (ctrl_iface or D-Bus) similarly to the EAP network parameter requests. The PSK/passphrase can then be configured temporarily in a way that prevents it from getting stored to the configuration file.

  For example:
  Event: CTRL-REQ-PSK_PASSPHRASE-0:PSK or passphrase needed for SSID test-wpa2-psk
  Response: CTRL-RSP-PSK_PASSPHRASE-0:"qwertyuiop"

  Note: The response value uses the same encoding as the psk network profile parameter, i.e., the passphrase is within double quotation marks.

  Signed-off-by: Jouni Malinen <j@w1.fi>

* Add an option to allow canned EAP-Success for wired IEEE 802.1X
  Jouni Malinen, 2015-02-01, 1 file, -0/+10

  For wired IEEE 802.1X authentication, phase1="allow_canned_success=1" can now be used to configure a mode that allows EAP-Success (and EAP-Failure) without going through the authentication step. Some switches use such a sequence when forcing the port to be authorized/unauthorized or as a fallback option if the authentication server is unreachable. By default, wpa_supplicant discards such frames to protect against potential attacks by rogue devices, but this option can be used to disable that protection for cases where the server/authenticator does not need to be authenticated.

  When enabled, this mode allows EAP-Success/EAP-Failure as an immediate response to EAPOL-Start (or even without EAPOL-Start) and EAP-Success is also allowed immediately after the EAP-Identity exchange (fallback case for the authenticator not being able to connect to the authentication server).

  Signed-off-by: Jouni Malinen <j@w1.fi>

* EAP-MSCHAPv2 peer: Add option to disable password retry query
  Jouni Malinen, 2015-02-01, 1 file, -1/+2

  wpa_supplicant used to request the user to re-enter username/password if the server indicated that EAP-MSCHAPv2 (e.g., in PEAP Phase 2) authentication failed (E=691), but retry is allowed (R=1). This is a reasonable default behavior, but there may be cases where it is more convenient to close the authentication session immediately rather than wait for the user to do something.

  Add a new "mschapv2_retry=0" option to the phase2 field to allow the retry behavior to be disabled. This will make wpa_supplicant abort the authentication attempt on E=691 regardless of whether the server allows retry.

  Signed-off-by: Jouni Malinen <j@w1.fi>

* mesh: Make inactivity timer configurable
  Masashi Honma, 2015-01-19, 1 file, -0/+5

  Current mesh code uses ap_max_inactivity as the inactivity timer. This patch makes it configurable.

  There is another mesh inactivity timer in mac80211. The timer works even if user_mpm=1. So this patch sets the max value to the timer as a workaround.

  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>

* Add domain_match network profile parameter
  Jouni Malinen, 2015-01-14, 1 file, -1/+12

  This is similar to domain_suffix_match, but requires a full match of the domain name rather than allowing a suffix match (subdomains) or wildcard certificates.

  Signed-off-by: Jouni Malinen <j@w1.fi>

* Include peer certificate always in EAP events
  Jouni Malinen, 2015-01-14, 1 file, -0/+6

  This makes it easier for upper layer applications to get information regarding the server certificate without having to use a special certificate probing connection. This provides both the SHA256 hash of the certificate (to be used with ca_cert="hash://server/sha256/<hash>", if desired) and the full DER encoded X.509 certificate so that upper layer applications can parse and display the certificate easily or extract fields from it for purposes like configuring an altsubject_match or domain_suffix_match.

  The old behavior can be configured by adding cert_in_cb=0 to the wpa_supplicant configuration file.

  Signed-off-by: Jouni Malinen <j@w1.fi>
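The control-interface exchanges described in three of the commits above (CTRL-EVENT-EAP-PEER-CERT lines carrying depth= and cert=<hexdump>, the CTRL-REQ-EXT_CERT_CHECK request answered with CTRL-RSP-EXT_CERT_CHECK-<id>:good|bad, and the mem_only_psk CTRL-REQ-PSK_PASSPHRASE request), as one added Python example that is not hostap code: a handler that collects the chain, pins the depth-0 server certificate by the same SHA256 that ca_cert="hash://server/sha256/<hash>" uses, and answers the PSK request with a derived 64-hex PSK instead of the passphrase. Assumptions: the <N> priority prefix on unsolicited lines, that the SSID quoted in the request text is the network's SSID, the certificate bytes (constructed stand-ins, not DER), the passphrase store, and every name in the code.

```python
import hashlib
import hmac
import re

# Constructed stand-ins for DER certificates (not real X.509 data); a real
# wpa_supplicant puts the full DER of each chain element in cert=<hexdump>.
FAKE_ROOT_DER = b"constructed-root-ca-der-bytes"
FAKE_SERVER_DER = b"constructed-radius-server-der-bytes"

# Pin for the server certificate: sha256 of its DER, the same value that
# ca_cert="hash://server/sha256/<hash>" would carry.
PINNED_SERVER_SHA256 = hashlib.sha256(FAKE_SERVER_DER).hexdigest()

# Stand-in for a keyring: passphrases by SSID, never written to the conf file.
PASSPHRASES = {"test-wpa2-psk": "qwertyuiop"}

# Constructed control-interface lines in the formats quoted by the commits.
SAMPLE_EVENTS = [
    "<3>CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/CN=Example Root CA' cert="
    + FAKE_ROOT_DER.hex(),
    "<3>CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=radius.example.com' cert="
    + FAKE_SERVER_DER.hex(),
    "<3>CTRL-REQ-EXT_CERT_CHECK-0:External server certificate validation needed for SSID corp-eap",
    "<3>CTRL-REQ-PSK_PASSPHRASE-1:PSK or passphrase needed for SSID test-wpa2-psk",
]

PRIO_RE = re.compile(r"^<\d+>")  # assumed: standard <priority> prefix on events
PEER_CERT_RE = re.compile(r"^CTRL-EVENT-EAP-PEER-CERT depth=(\d+) .*?\bcert=([0-9a-fA-F]+)\s*$")
CTRL_REQ_RE = re.compile(r"^CTRL-REQ-([A-Z0-9_]+)-(\d+):(.*)$")
SSID_RE = re.compile(r"for SSID (\S+)\s*$")


def wpa_psk(passphrase, ssid):
    """WPA2-Personal PSK: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes), as hex."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


class CtrlHandler:
    """Answers CTRL-REQ lines; the EXT_CERT_CHECK verdict pins the depth-0 certificate."""

    def __init__(self, pinned_sha256, passphrases):
        self.pinned = pinned_sha256
        self.passphrases = passphrases
        self.chain = {}  # depth -> DER bytes collected from PEER-CERT events

    def handle(self, line):
        """Return the CTRL-RSP line to send back, or None if nothing is owed."""
        line = PRIO_RE.sub("", line, count=1)
        m = PEER_CERT_RE.match(line)
        if m:
            self.chain[int(m.group(1))] = bytes.fromhex(m.group(2))
            return None
        m = CTRL_REQ_RE.match(line)
        if not m:
            return None
        field, req_id, text = m.groups()
        if field == "EXT_CERT_CHECK":
            verdict = self.check_chain()
            self.chain = {}  # one chain per handshake; never reuse it for the next request
            return f"CTRL-RSP-EXT_CERT_CHECK-{req_id}:{verdict}"
        if field == "PSK_PASSPHRASE":
            # Assumption: the SSID named in the request text is the network's SSID.
            m = SSID_RE.search(text)
            passphrase = self.passphrases.get(m.group(1)) if m else None
            if passphrase is None:
                return None  # unknown network: leave the request unanswered
            # Hand over the derived 64-hex PSK (an encoding the psk parameter
            # accepts) so the passphrase itself never crosses the socket.
            return f"CTRL-RSP-PSK_PASSPHRASE-{req_id}:{wpa_psk(passphrase, m.group(1))}"
        return None

    def check_chain(self):
        """'good' only when the depth-0 (server) certificate matches the pin."""
        leaf = self.chain.get(0)
        if leaf is None:
            return "bad"
        digest = hashlib.sha256(leaf).hexdigest()
        return "good" if hmac.compare_digest(digest, self.pinned) else "bad"


def run(events, pinned=PINNED_SERVER_SHA256, passphrases=PASSPHRASES):
    """Feed event lines through the handler and return the responses in order."""
    handler = CtrlHandler(pinned, passphrases)
    return [r for r in map(handler.handle, events) if r is not None]
```

In a real deployment the lines come from the control socket (wpa_cli, or the wpaspy bindings shipped with hostap) and the verdict should come from full chain validation with an X.509 library, not only a pin: with ca_cert and ca_path omitted the TLS library does almost no checking, as the tls_ext_cert_check commit warns, so the external check is the whole defence against a rogue RADIUS server. Answering "bad" on a missing depth-0 certificate, as check_chain does, is the safe default when the event stream is incomplete.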
* Improve subject_match and domain_suffix_match documentation
  Jouni Malinen, 2015-01-10, 1 file, -3/+23

  These were already covered in both README-HS20 for credentials and in header files for developers' documentation, but the copy in wpa_supplicant.conf did not include all the details. In addition, add a clearer note pointing at subject_match not being suitable for suffix matching domain names; domain_suffix_match must be used for that.

  Signed-off-by: Jouni Malinen <j@w1.fi>
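The three constraints compared in the two commits above (subject_match, domain_suffix_match and domain_match), as an added Python model that is not wpa_supplicant's code: it applies each rule to a set of constructed certificate names and shows why the substring test of subject_match accepts a look-alike name that the domain rules reject. The rules follow the documentation (substring on the one-line subject; suffix match on whole labels, falling back to the subject CN when no dNSName is present; exact match for domain_match); the certificate entries, the NUL check and the function names are assumptions.

```python
# Constructed certificate descriptions (not real certificates): the subject in
# OpenSSL one-line form, which is what subject_match is compared against, plus
# the subjectAltName dNSName values.
CERTS = {
    "legit":     {"subject": "/C=FI/O=Example/CN=radius.example.com",
                  "dns": ["radius.example.com", "radius2.example.com"]},
    "cn_only":   {"subject": "/CN=radius.example.com", "dns": []},
    "subdomain": {"subject": "/CN=eap.corp.example.com", "dns": ["eap.corp.example.com"]},
    "wildcard":  {"subject": "/CN=*.example.com", "dns": ["*.example.com"]},
    "lookalike": {"subject": "/CN=radius.example.com.attacker.net",
                  "dns": ["radius.example.com.attacker.net"]},
    "prefixed":  {"subject": "/CN=notexample.com", "dns": ["notexample.com"]},
    "nul":       {"subject": "/CN=radius.example.com\x00.attacker.net",
                  "dns": ["radius.example.com\x00.attacker.net"]},
}


def subject_match(cert, match):
    """subject_match is a plain substring test on the one-line subject."""
    return match in cert["subject"]


def _candidate_names(cert):
    """dNSName entries when present; otherwise the subject CN (fallback rule)."""
    if cert["dns"]:
        return cert["dns"]
    return [p[len("CN="):] for p in cert["subject"].split("/") if p.startswith("CN=")]


def _name_match(name, match, full):
    """Suffix match on label boundaries (full=False) or exact match (full=True).
    Modelled on the documented rule; the NUL check is an added defensive step."""
    if "\x00" in name:
        return False  # an embedded NUL would truncate C string comparisons
    name, match = name.lower(), match.lower()
    if len(match) > len(name) or (full and len(match) != len(name)):
        return False
    if not name.endswith(match):
        return False
    if len(match) == len(name):
        return True  # exact match
    return name[-len(match) - 1] == "."  # suffix must begin at a label boundary


def domain_suffix_match(cert, match):
    return any(_name_match(n, match, full=False) for n in _candidate_names(cert))


def domain_match(cert, match):
    return any(_name_match(n, match, full=True) for n in _candidate_names(cert))


def evaluate(match):
    """Per constructed cert: (subject_match, domain_suffix_match, domain_match)."""
    return {name: (subject_match(c, match),
                   domain_suffix_match(c, match),
                   domain_match(c, match))
            for name, c in CERTS.items()}
```

Reading the table for match="radius.example.com": subject_match still accepts /CN=radius.example.com.attacker.net and the NUL-embedded name, because it only looks for the substring; domain_match accepts exactly radius.example.com, and domain_suffix_match additionally accepts hosts below a given suffix (eap.corp.example.com and *.example.com for "example.com") but not notexample.com, since the suffix must start on a label boundary. For an EAP profile that should be locked to one AAA server, domain_match together with ca_cert is the constraint to use.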
* Add address masks to BSSID lists
  Stefan Tomanek, 2015-01-10, 1 file, -2/+2

  In many applications it is useful not just to enumerate a group of well known access points, but to use an address/mask notation to match an entire set of addresses (ca:ff:ee:00:00:00/ff:ff:ff:00:00:00). This change expands the data structures used by MAC lists to include a mask indicating the significant (non-masked) portions of an address and extends the list parser to recognize mask suffixes.

  Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>

* Add network specific BSSID black and white lists
  Stefan Tomanek, 2015-01-10, 1 file, -0/+15

  This change adds the configuration options "bssid_whitelist" and "bssid_blacklist" used to limit the AP selection of a network to a specified (finite) set or discard certain APs. This can be useful for environments where multiple networks operate using the same SSID and roaming between those is not desired. It is also useful to ignore a faulty or otherwise unwanted AP.

  Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
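The address/mask notation and the bssid_whitelist / bssid_blacklist filtering from the two commits above, as an added Python example that is not wpa_supplicant's code: a parser for the list syntax and the selection filter applied to constructed scan results. The list semantics (a whitelist, when present, restricts selection to its members; a blacklist removes members; an entry without a mask is an exact match) are taken from the commit text; that both lists may be set on one network block, the function names and the sample BSSIDs are assumptions.

```python
import re

MAC_RE = re.compile(
    r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})(?:/([0-9a-f]{2}(?::[0-9a-f]{2}){5}))?$", re.I)
FULL_MASK = 0xFFFFFFFFFFFF


def mac_to_int(text):
    return int(text.replace(":", ""), 16)


def parse_mac_list(value):
    """Parse 'addr addr/mask ...' into (masked_addr, mask) pairs. A missing mask
    means an exact match. The address is pre-masked, so
    'ca:ff:ee:12:34:56/ff:ff:ff:00:00:00' behaves like 'ca:ff:ee:00:00:00/ff:ff:ff:00:00:00'."""
    entries = []
    for token in value.split():
        m = MAC_RE.match(token)
        if not m:
            raise ValueError(f"bad BSSID list entry: {token!r}")
        mask = mac_to_int(m.group(2)) if m.group(2) else FULL_MASK
        entries.append((mac_to_int(m.group(1)) & mask, mask))
    return entries


def is_valid_mac_list(value):
    try:
        parse_mac_list(value)
    except ValueError:
        return False
    return True


def addr_in_list(entries, bssid):
    """True if bssid matches any entry under that entry's mask."""
    b = mac_to_int(bssid)
    return any((b & mask) == addr for addr, mask in entries)


def filter_bss(scan_results, bssid_whitelist=None, bssid_blacklist=None):
    """Keep the BSSIDs a network block with these lists would still consider.
    Assumed semantics: whitelist (if set) limits, blacklist removes, both apply."""
    whitelist = parse_mac_list(bssid_whitelist) if bssid_whitelist else None
    blacklist = parse_mac_list(bssid_blacklist) if bssid_blacklist else []
    kept = []
    for bssid, ssid, signal_dbm in scan_results:
        if whitelist is not None and not addr_in_list(whitelist, bssid):
            continue
        if addr_in_list(blacklist, bssid):
            continue
        kept.append(bssid)
    return kept


# Constructed scan results: (bssid, ssid, signal dBm); all advertise the same SSID.
SCAN = [
    ("ca:ff:ee:00:00:01", "corp", -50),
    ("ca:ff:ee:12:34:56", "corp", -60),
    ("de:ad:be:ef:00:01", "corp", -40),  # different vendor OUI: not ours
    ("ca:ff:ee:00:00:99", "corp", -45),  # known-faulty AP
]
```

Keep in mind what these lists are for: a BSSID is trivially spoofed, so an OUI mask steers roaming and sidesteps a broken AP but does not authenticate the AP. The PSK (for WPA2-Personal) or ca_cert plus domain_match (for EAP) is what keeps an evil twin out, with or without a whitelist.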
* mesh: Make maximum number of peer links configurable
  Masashi Honma, 2014-12-21, 1 file, -0/+4

  The maximum number of peer links is the maximum number of mesh peers connected at the same time. This value is 0..255 based on the dot11MeshNumberOfPeerings range.

  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>

* ERP: Add support for ERP on EAP peer
  Jouni Malinen, 2014-12-04, 1 file, -0/+2

  Derive rRK and rIK on the EAP peer if ERP is enabled. The new wpa_supplicant network configuration parameter erp=1 can now be used to configure the EAP peer to derive EMSK, rRK, and rIK at the successful completion of an EAP authentication method. This functionality is not included in the default build and can be enabled with CONFIG_ERP=y.

  If the EAP authenticator indicates support for the re-authentication protocol, initiate this with EAP-Initiate/Re-auth and complete the protocol when receiving EAP-Finish/Re-auth.

  Signed-off-by: Jouni Malinen <j@w1.fi>

* Add examples of new mesh options into wpa_supplicant.conf
  Thomas Pedersen, 2014-11-20, 1 file, -0/+17

  Signed-off-by: Javier Lopez <jlopex@gmail.com>
  Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
  Signed-off-by: Thomas Pedersen <thomas@noack.us>

* mesh: Add user_mpm config option
  Thomas Pedersen, 2014-10-25, 1 file, -0/+9

  Add the user_mpm config parameter; when this is set to 1 (the default) the peer link management is done in userspace, otherwise the peer management will be done by the kernel.

  Signed-off-by: Javier Lopez <jlopex@gmail.com>
  Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
  Signed-off-by: Thomas Pedersen <thomas@noack.us>

* wpa_supplicant: Allow OpenSSL cipherlist string to be configured
  Jouni Malinen, 2014-10-12, 1 file, -0/+14

  The new openssl_cipher configuration parameter can be used to select which TLS cipher suites are enabled for TLS-based EAP methods when OpenSSL is used as the TLS library. This parameter can be used both as a global parameter to set the default for all network blocks and as a network block parameter to override the default for each network profile.

  Signed-off-by: Jouni Malinen <j@w1.fi>

* Extend random MAC address support to allow OUI to be kept
  Jouni Malinen, 2014-09-29, 1 file, -0/+3

  The mac_addr=2 and preassoc_mac_addr=2 parameters can now be used to configure a random MAC address to be generated by maintaining the OUI part of the permanent MAC address (but with the locally administered bit set to 1). Other than that, these values result in similar behavior to mac_addr=1 and preassoc_mac_addr=1, respectively.

  Signed-off-by: Jouni Malinen <j@w1.fi>

* Add support for using random local MAC address
  Jouni Malinen, 2014-09-27, 1 file, -0/+22

  This adds experimental support for wpa_supplicant to assign random local MAC addresses for both pre-association cases (scan, GAS/ANQP) and for connections. The MAC address policy for each part can be controlled separately and the connection part can be set per network block. This requires support from the driver to allow the local MAC address to be changed if the random address policy is enabled. It should also be noted that a number of drivers would not support concurrent operations (e.g., P2P and station association) with random addresses in use for one or both.

  This functionality can be controlled with the global configuration parameters mac_addr and preassoc_mac_addr which set the default MAC address policies for connections and pre-association operations (scan and GAS/ANQP while not connected). The global rand_addr_lifetime parameter can be used to set the lifetime of a random MAC address in seconds (default: 60 seconds). This is used to avoid unnecessarily frequent MAC address changes since those are likely to result in the driver clearing most of its state. It should be noted that the random MAC address does not expire during an ESS connection, i.e., this lifetime is only for the case where the device is disconnected.

  The mac_addr parameter can also be set in the network blocks to define different behavior per network. For example, the global mac_addr=1 and preassoc_mac_addr=1 settings and mac_addr=0 in a home network profile would result in behavior where all scanning is performed using a random MAC address while connections to new networks (e.g., Interworking/Hotspot 2.0) would use a random address and connections to the home network would use the permanent MAC address.

  Signed-off-by: Jouni Malinen <j@w1.fi>
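The address generation rules for mac_addr=1 and mac_addr=2 and the rand_addr_lifetime behaviour from the two commits above, as an added Python model that is not wpa_supplicant's code: it builds the address for each policy (locally administered bit set, multicast bit clear, OUI kept for policy 2) and replays a disconnect/connect timeline to show when the address is and is not regenerated. Assumed: the -1 "use global" default of the per-network mac_addr, the function and class names, the constructed permanent address, and the injected clock and byte source used to make the replay deterministic (os.urandom is the default). Actually changing the address on an interface still needs driver support, as the commit says; this only models the policy.

```python
import os
import time

PERM_ADDR = bytes.fromhex("001122334455")  # constructed permanent address


def random_mac(perm, policy, rnd=os.urandom):
    """Address for a mac_addr policy: 0 = permanent, 1 = fully random,
    2 = keep the OUI of the permanent address. Random results always get the
    locally administered bit set and the multicast bit cleared."""
    perm = bytes(perm)
    if len(perm) != 6:
        raise ValueError("MAC address must be 6 bytes")
    if policy == 0:
        return perm
    if policy == 1:
        addr = bytearray(rnd(6))
    elif policy == 2:
        addr = bytearray(perm[:3] + rnd(3))  # OUI kept, NIC-specific part random
    else:
        raise ValueError(f"unknown mac_addr policy {policy}")
    addr[0] = (addr[0] | 0x02) & 0xFE  # set locally administered, clear multicast
    return bytes(addr)


def effective_policy(global_mac_addr, network_mac_addr=-1):
    """A network block's mac_addr overrides the global one; -1 (assumed
    per-network default) means 'use the global setting'."""
    return global_mac_addr if network_mac_addr < 0 else network_mac_addr


class RandomAddrPolicy:
    """Simplified model of one interface under mac_addr / rand_addr_lifetime:
    a random address is regenerated only while disconnected and only after
    the lifetime has expired; it never changes during an ESS connection."""

    def __init__(self, perm, mac_addr, lifetime=60, clock=time.monotonic, rnd=os.urandom):
        self.perm, self.mac_addr, self.lifetime = bytes(perm), mac_addr, lifetime
        self.clock, self.rnd = clock, rnd
        self.addr, self.since, self.connected = None, None, False

    def address(self):
        if self.mac_addr == 0:
            return self.perm
        now = self.clock()
        still_valid = self.addr is not None and (
            self.connected or now - self.since < self.lifetime)
        if not still_valid:
            self.addr, self.since = random_mac(self.perm, self.mac_addr, self.rnd), now
        return self.addr


def fmt(addr):
    return ":".join(f"{b:02x}" for b in addr)


def simulate(mac_addr, timeline, lifetime=60):
    """Replay (seconds, connected) steps with a counting byte source (demo only,
    not random) and return the address in use at each step."""
    clock = [0.0]
    counter = iter(range(1, 256))
    policy = RandomAddrPolicy(PERM_ADDR, mac_addr, lifetime,
                              clock=lambda: clock[0],
                              rnd=lambda n: bytes([next(counter)]) * n)
    out = []
    for seconds, connected in timeline:
        clock[0], policy.connected = seconds, connected
        out.append(fmt(policy.address()))
    return out
```

With mac_addr=2 the OUI survives but its first byte has the locally administered bit set (00:11:22 becomes 02:11:22), so anything that fingerprints devices by OUI still sees the vendor; mac_addr=1 is the choice when that is not acceptable. The replay also shows the lifetime only ticking while disconnected: once connected, the address is stable until the station leaves the ESS.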
* P2P: Allow passphrase length to be configured
  Jouni Malinen, 2014-06-21, 1 file, -0/+6

  Previously, an eight-character random passphrase was generated automatically for the P2P GO. The new p2p_passphrase_len parameter can be used to increase this length to generate a stronger passphrase for cases where practicality of manual configuration of legacy devices is not a concern.

  Signed-off-by: Jouni Malinen <j@w1.fi>

* P2P: Make the default p2p_find delay value configurable
  Nirav Shah, 2014-06-09, 1 file, -0/+7

  This makes the p2p_find default delay value configurable as the p2p_search_delay parameter through the configuration file (and through the control interface "SET p2p_search_delay <value>" on the P2P management interface). This parameter controls the number of milliseconds of extra delay that is added between search iterations when there is a concurrent operation in progress. This can be used, e.g., p2p_search_delay=100, to make p2p_find friendlier to concurrent operations by avoiding it from taking 100% of the radio resources. The default value is the previous default, i.e., 500 ms. Smaller values can be used to find peers more quickly at the cost of a larger effect on concurrent operations while a larger value leaves more time for the concurrent operations at the cost of making device discovery take a longer time.

  The optional p2p_find delay argument can still be used to override the search delay for each search operation.

  Since the P2P_CONCURRENT_SEARCH_DELAY macro is not used anymore, the driver specific build parameter for bcmdhd from Android.mk is also removed. Similar configuration can now be achieved with p2p_search_delay=0 in the p2p0 interface configuration file.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* MACsec: wpa_supplicant integration
  Hu Wang, 2014-05-09, 1 file, -2/+28

  Add MACsec to the wpa_supplicant build system and configuration file.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* Add SIM identifier to the network profile and cred block
  Naresh Jayaram, 2014-04-24, 1 file, -0/+2

  This allows the specific SIM to be identified for authentication purposes in multi-SIM devices. This SIM number represents the index of the SIM slot. This SIM number shall be used for the authentication using the respective SIM for the Wi-Fi connection to the corresponding network.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* Allow HT 40 MHz intolerant flag to be set for association
  Jouni Malinen, 2014-04-17, 1 file, -0/+4

  This extends HT overrides to allow the HT 40 MHz intolerant flag to be set with ht40_intolerant=1.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* Add forgotten ampdu_factor into wpa_supplicant.conf
  Jouni Malinen, 2014-04-13, 1 file, -0/+3

  Signed-off-by: Jouni Malinen <j@w1.fi>

* wpa_supplicant: Allow disabling LDPC
  Pawel Kulakowski, 2014-04-01, 1 file, -0/+4

  Allows the user to disable LDPC coding. This possibility is useful for testing purposes.

  Signed-off-by: Pawel Kulakowski <pawel.kulakowski@tieto.com>

* bgscan: Do not initialize bgscan if disabled by user
  David Spinadel, 2014-03-04, 1 file, -0/+2

  Do not initialize bgscan if the user explicitly set bgscan to an empty string. Without this patch wpa_supplicant tries to initialize bgscan to the first option if the string is empty.

  Signed-off-by: David Spinadel <david.spinadel@intel.com>

* Interworking: Add OCSP parameter to the cred block
  Jouni Malinen, 2014-02-25, 1 file, -0/+5

  This new parameter can be used to configure credentials to mandate use of OCSP stapling for AAA server authentication.

  Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>

* HS 2.0R2: Add support for Policy/RequiredProtoPortTuple
  Jouni Malinen, 2014-02-25, 1 file, -0/+15

  The new credential parameter req_conn_capab can be used to specify restrictions on roaming networks providing connectivity for a set of protocols/ports.

  Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>

* HS 2.0R2: Add support for Policy/MaximumBSSLoadValue
  Jouni Malinen, 2014-02-25, 1 file, -0/+7

  The new credential parameter max_bss_load can be used to specify restrictions on BSS Load in the home network.

  Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>

* HS 2.0R2: Add support for Policy/MinBackhaulThreshold
  Jouni Malinen, 2014-02-25, 1 file, -0/+10

  The new credential parameters min_{dl,ul}_bandwidth_{home,roaming} can be used to specify restrictions on available backhaul bandwidth.

  Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>

* HS 2.0R2: Add tracking of provisioning SP
  Jouni Malinen, 2014-02-25, 1 file, -0/+4

  The new provisioning_sp cred field can now be used to track which SP provisioned the credential. This makes it easier to find the matching PPS MO from the management tree (./Wi-Fi/<provisioning_sp>).

  Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>

* HS 2.0R2: Update Indication element to Release 2
  Jouni Malinen, 2014-02-25, 1 file, -0/+3

  The HS 2.0 Indication element from wpa_supplicant now includes the release number field and wpa_supplicant shows the release number of the AP in the STATUS command (hs20=1 replaced with hs20=<release>).

  The new update_identifier field in the cred block can now be used to configure the PPS MO ID so that wpa_supplicant adds it to the Indication element in Association Request frames.

  Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>

* Interworking: Allow roaming partner configuration
  Jouni Malinen, 2014-02-25, 1 file, -0/+7

  The new roaming_partner parameter within a cred block can be used to configure priorities for roaming partners.

  Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>

* TLS: Add tls_disable_tlsv1_1 and tls_disable_tlsv1_2 phase1 params
  Dmitry Shmidt, 2014-02-20, 1 file, -0/+4

  These can be used to disable TLSv1.1 and TLSv1.2 as a workaround for AAA servers that have issues interoperating with newer TLS versions.

  Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>