path: root/wpa_supplicant/wpa_supplicant.conf
Commit message | Author | Age | Files | Lines
* SAE-PK: Allow automatic SAE-PK to be disabled | Jouni Malinen | 2020-06-07 | 1 | -4/+7
    This replaces the previously used sae_pk_only configuration parameter with a more generic sae_pk that can be used to specify how SAE-PK is negotiated. The default behavior (sae_pk=0) is to automatically negotiate SAE-PK whenever the AP supports it and the password is in appropriate format. sae_pk=1 allows only SAE-PK to be used and sae_pk=2 disables SAE-PK completely.
    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Document more network profile parameters | Jouni Malinen | 2020-06-06 | 1 | -0/+44
    Some of the recently added wpa_supplicant network profile parameters were not documented in wpa_supplicant.conf. Add these there based on the documentation in config_ssid.h.
    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE-PK: Allow SAE authentication without PK to be disabled | Jouni Malinen | 2020-06-06 | 1 | -0/+5
    The new wpa_supplicant network profile parameter sae_pk_only=1 can now be used to disable use of SAE authentication without SAE-PK.
    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Fix config exchange with gas_rand_mac_addr | Jouni Malinen | 2020-04-22 | 1 | -0/+5
    Do not use a random MAC address for the GAS exchange that is used as part of the DPP protocol exchange since that would break DPP. Configurator expects the same MAC address to be used for DPP Authentication exchange and DPP Configuration exchange (GAS). Since the DPP Authentication exchange has already used the MAC address configured on the interface, use of a random address for the GAS exchange would not provide any additional privacy protection. If a random MAC address needs to be used for this type of exchange, that random address would need to be first configured on the interface before starting DPP exchange. This does not change GAS query behavior for any other use case, i.e., the gas_rand_mac_addr configuration continues to apply to all the Interworking/Hotspot 2.0 uses.
    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Allow station to require or not allow PFS | Jouni Malinen | 2020-03-28 | 1 | -0/+6
    The new wpa_supplicant network profile parameter dpp_pfs can be used to specify how PFS is applied to associations. The default behavior (dpp_pfs=0) remains the same as it was previously, i.e., try to use PFS if the AP supports it. PFS use can now be required (dpp_pfs=1) or disabled (dpp_pfs=2). This is also working around an interoperability issue of DPP R2 STA with certain hostapd builds that included both OWE and DPP functionality. That issue was introduced by commit 09368515d130 ("OWE: Process Diffie-Hellman Parameter element in AP mode") and removed by commit 16a4e931f03e ("OWE: Allow Diffie-Hellman Parameter element to be included with DPP"). hostapd builds between those two commits would reject DPP association attempt with PFS. The new wpa_supplicant default (dpp_pfs=0) behavior is to automatically try to connect again with PFS disabled if that happens.
    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* STA: Support Extended Key ID | Alexander Wetzel | 2020-03-23 | 1 | -0/+5
    Support Extended Key ID in wpa_supplicant according to IEEE Std 802.11-2016 for infrastructure (AP) associations. Extended Key ID allows rekeying pairwise keys without the otherwise unavoidable MPDU losses on a busy link. The standard is fully backward compatible, allowing STAs to also connect to APs not supporting it.
    Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
* Simplify wpa_deny_ptk0_rekey documentation | Alexander Wetzel | 2020-02-23 | 1 | -19/+5
    Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
* STA: Allow PTK rekeying without Ext KeyID to be disabled as a workaround | Alexander Wetzel | 2020-02-23 | 1 | -0/+26
    Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken implementations and should be avoided when using or interacting with one. The effects can be triggered by either end of the connection and range from hardly noticeable disconnects over long connection freezes up to leaking clear text MPDUs. To allow affected users to mitigate the issues, add a new configuration option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys with fast reconnects.
    Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
* Remove deprecated text for ap_scan=0 | Chaitanya Tata | 2020-01-21 | 1 | -7/+4
    Users might be tempted to try ap_scan=0 for offloading scan, ap_selection, and WPA to driver. Update the text to reflect that this is deprecated. Jouni confirmed deprecation in https://www.spinics.net/lists/hostap/msg06482.html
    Signed-off-by: Chaitanya Tata <chaitanya.tata@bluwireless.com>
* SAE: Use H2E whenever Password Identifier is used | Jouni Malinen | 2020-01-21 | 1 | -2/+4
    IEEE P802.11-REVmd was modified to require H2E to be used whenever Password Identifier is used with SAE. See this document for more details of the approved changes: https://mentor.ieee.org/802.11/dcn/19/11-19-2154-02-000m-sae-anti-clogging-token.docx
    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* More detailed documentation on ieee80211w configuration parameter | Jouni Malinen | 2019-12-23 | 1 | -1/+2
    Signed-off-by: Jouni Malinen <j@w1.fi>
* SAE: Add sae_pwe configuration parameter for wpa_supplicant | Jouni Malinen | 2019-10-15 | 1 | -0/+8
    This parameter can be used to specify which PWE derivation mechanism(s) is enabled. This commit is only introducing the new parameter; actual use of it will be addressed in separate commits.
    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* wpa_supplicant: Add EDMG channel configuration parameters | Alexei Avshalom Lazar | 2019-10-07 | 1 | -0/+10
    Add two new configuration parameters for wpa_supplicant:
    enable_edmg: Enable EDMG capability for STA/AP mode
    edmg_channel: Configure channel bonding. In AP mode it defines the EDMG channel to start the AP on. In STA mode it defines the EDMG channel to use for connection.
    Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
* DPP: Allow name and mudurl to be configured for Config Request | Jouni Malinen | 2019-09-18 | 1 | -0/+20
    The new hostapd and wpa_supplicant configuration parameters dpp_name and dpp_mud_url can now be used to set a specific name and MUD URL for the Enrollee to use in the Configuration Request. dpp_name replaces the previously hardcoded "Test" string (which is still the default if an explicit configuration entry is not included). dpp_mud_url can optionally be used to add a MUD URL to describe the Enrollee device.
    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-TEAP peer: Add support for machine credentials using certificates | Jouni Malinen | 2019-09-01 | 1 | -0/+5
    This allows EAP-TLS to be used within an EAP-TEAP tunnel when there is an explicit request for machine credentials. The network profile parameters are otherwise the same as the Phase 1 parameters, but each one uses a "machine_" prefix for the parameter name.
    Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP peer config: Move ocsp param to phase1/phase2 | Jouni Malinen | 2019-09-01 | 1 | -0/+1
    OCSP configuration is applicable to each instance of TLS-based authentication and as such, the configuration might need to be different for Phase 1 and Phase 2. Move ocsp into struct eap_peer_cert_config and add a separate ocsp2 network profile parameter to set this for Phase 2.
    Signed-off-by: Jouni Malinen <j@w1.fi>
* WNM: Provide option to disable/enable BTM support in STA | Ankita Bajaj | 2019-06-14 | 1 | -0/+6
    Add support to disable/enable BTM support using configuration and wpa_cli command. This is useful mainly for testing purposes.
    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FT: Allow PMKSA caching to be enabled with FT-EAP | Jouni Malinen | 2019-04-28 | 1 | -0/+8
    The new wpa_supplicant network profile configuration parameter ft_eap_pmksa_caching=1 can be used to enable use of PMKSA caching with FT-EAP for FT initial mobility domain association. This is still disabled by default (i.e., maintaining previous behavior) to avoid likely interoperability issues.
    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Document BSS expiration configurables | Ben Greear | 2019-04-13 | 1 | -0/+9
    Help the user be aware of the options to configure when wpa_supplicant will remove a BSS due to expiration.
    Signed-off-by: Ben Greear <greearb@candelatech.com>
* Extend domain_match and domain_suffix_match to allow list of values | Jouni Malinen | 2019-04-09 | 1 | -0/+12
    These wpa_supplicant network profile parameters could be used to specify a single match string that would be used against the dNSName items in subjectAltName or CN. There may be use cases where more than one alternative match string would be useful, so extend these to allow a semicolon delimited list of values to be used (e.g., "example.org;example.com"). If any of the specified values matches any of the dNSName/CN values in the server certificate, consider the certificate as meeting this requirement.
    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* WPS: Allow SAE configuration to be added automatically for PSK | Jouni Malinen | 2019-03-06 | 1 | -0/+8
    The new wpa_supplicant configuration parameter wps_cred_add_sae=1 can be used to request wpa_supplicant to add SAE configuration whenever WPS is used to provision WPA2-PSK credentials and the credential includes a passphrase (instead of PSK). This can be used to enable WPA3-Personal transition mode with both SAE and PSK enabled and also with PMF enabled.
    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Enable only groups 19, 20, and 21 in station mode | Jouni Malinen | 2019-03-05 | 1 | -4/+9
    Remove groups 25 (192-bit Random ECP Group) and 26 (224-bit Random ECP Group) from the default SAE groups in station mode since those groups are not as strong as the mandatory group 19 (NIST P-256). In addition, add a warning about MODP groups 1, 2, 5, 22, 23, and 24 based on "MUST NOT" or "SHOULD NOT" categorization in RFC 8247. All the MODP groups were already disabled by default and would have needed explicit configuration to be allowed.
    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OpenSSL: Allow systemwide policies to be overridden | Jouni Malinen | 2019-01-05 | 1 | -0/+7
    Some distributions (e.g., Debian) have started introducing systemwide OpenSSL policies to disable older protocol versions and ciphers throughout all programs using OpenSSL. This can result in a significant number of interoperability issues with deployed EAP implementations. Allow explicit wpa_supplicant (EAP peer) and hostapd (EAP server) parameters to be used to request systemwide policies to be overridden if older versions are needed to be able to interoperate with devices that cannot be updated to support the newer protocol versions or keys. The default behavior is not changed here, i.e., the systemwide policies will be followed if no explicit override configuration is used. The overrides should be used only if really needed since they can result in reduced security. In wpa_supplicant, tls_disable_tlsv1_?=0 value in the phase1 network profile parameter can be used to explicitly enable TLS versions that are disabled in the systemwide configuration. For example, phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0" would request TLS v1.0 and TLS v1.1 to be enabled even if the systemwide policy enforces TLS v1.2 as the minimum version. Similarly, openssl_ciphers parameter can be used to override systemwide policy, e.g., with openssl_ciphers="DEFAULT@SECLEVEL=1" to drop from security level 2 to 1 in Debian to allow shorter keys to be used. In hostapd, tls_flags parameter can be used to configure similar options. E.g., tls_flags=[ENABLE-TLSv1.0][ENABLE-TLSv1.1]
    Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: Allow 256-bit CAK to be configured for PSK mode | Jouni Malinen | 2018-12-26 | 1 | -3/+4
    This allows 256-bit CAK to be used as the root key in the MKA key hierarchy.
    Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: Allow configuration of MACsec replay protection | Andrey Kartashev | 2018-12-26 | 1 | -0/+16
    Add new configuration parameters macsec_replay_protect and macsec_replay_window to allow user to set up MACsec replay protection feature. Note that according to IEEE Std 802.1X-2010 replay protection and delay protection are different features: replay protection is related only to SecY and does not appear on MKA level while delay protection is something that KaY can use to manage SecY state.
    Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
* wpa_supplicant: Allow overriding HT STBC capabilities | Sergey Matyukevich | 2018-12-23 | 1 | -0/+14
    Allow user to override STBC configuration for Rx and Tx spatial streams. Add new configuration options to test for HT capability overrides.
    Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
* wpa_supplicant: Add Multi-AP backhaul STA support | Venkateswara Naralasetty | 2018-12-20 | 1 | -0/+7
    Advertise vendor specific Multi-AP IE in (Re)Association Request frames and process Multi-AP IE from (Re)Association Response frames if the user enables Multi-AP functionality. If the (Re)Association Response frame does not contain the Multi-AP IE, disassociate. This adds a new configuration parameter 'multi_ap_backhaul_sta' to enable/disable Multi-AP functionality. Enable 4-address mode after association (if the Association Response frame contains the Multi-AP IE). Also enable the bridge in that case. This is necessary because wpa_supplicant only enables the bridge in wpa_drv_if_add(), which only gets called when an interface is added through the control interface, not when it is configured from the command line.
    Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
* OCV: Add wpa_supplicant config parameter | Mathy Vanhoef | 2018-12-16 | 1 | -0/+7
    Add wpa_supplicant network profile parameter ocv to disable or enable Operating Channel Verification (OCV) support.
    Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* Provide more details of WPA3 modes in wpa_supplicant.conf | Jouni Malinen | 2018-08-01 | 1 | -1/+4
    Clarify that proto=RSN is used for WPA3 and add the WPA3-Personal name for SAE and include OWE as a possible key_mgmt value.
    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FT: Add key management value FT-EAP-SHA384 for wpa_supplicant | Jouni Malinen | 2018-06-05 | 1 | -0/+2
    This allows wpa_supplicant to be configured to use the SHA384-based FT AKM.
    Signed-off-by: Jouni Malinen <j@w1.fi>
* SAE: Add support for using the optional Password Identifier | Jouni Malinen | 2018-05-19 | 1 | -0/+5
    This extends the SAE implementation in both infrastructure and mesh BSS cases to allow an optional Password Identifier to be used. This uses the mechanism added in P802.11REVmd/D1.0. The Password Identifier is configured in a wpa_supplicant network profile as a new string parameter sae_password_id. In hostapd configuration, the existing sae_password parameter has been extended to allow the password identifier (and also a peer MAC address) to be set. In addition, multiple sae_password entries can now be provided to hostapd to allow multiple per-peer and per-identifier passwords to be set.
    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-TLS: Extend TLS version config to allow TLS v1.3 to be disabled | Jouni Malinen | 2018-05-01 | 1 | -0/+2
    This may be needed to avoid interoperability issues with the new protocol version and significant changes for EAP use cases in both key derivation and handshake termination.
    Signed-off-by: Jouni Malinen <j@w1.fi>
* HS 2.0: Add Roaming Consortium Selection network profile parameter | Jouni Malinen | 2018-04-17 | 1 | -0/+4
    This adds new roaming_consortium_selection network profile parameter into wpa_supplicant. This is used to store the OI that was used for network selection (INTERWORKING_SELECT) based on matching against the Roaming Consortium OIs advertised by the AP. This can also be used when using an external component to perform selection. This commit adds the network profile parameter, but does not yet include it in (Re)Association Request frames.
    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Add a new cred block parameter roaming_consortiums | Jouni Malinen | 2018-04-17 | 1 | -0/+9
    This new string parameter contains a comma delimited list of OIs (hexdump) in a string. This is used to store Hotspot 2.0 PerProviderSubscription/<X+>/HomeSP/RoamingConsortiumOI. This commit includes the configuration changes to parse and write the parameter. The actual values are not yet used in Interworking network selection.
    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Document credential parameter required_roaming_consortium | Jouni Malinen | 2018-04-17 | 1 | -0/+5
    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Fix sae_password documentation in wpa_supplicant to refer to the correct field | Jouni Malinen | 2018-04-13 | 1 | -3/+3
    sae_password replaces the psk parameter, not the passphrase parameter, in wpa_supplicant.
    Signed-off-by: Jouni Malinen <j@w1.fi>
* Add config information related to MACsec | Jaap Keuter | 2018-04-01 | 1 | -12/+23
    Add examples of relevant top level CONFIG clauses for wpa_supplicant MACsec support to defconfig. Extend the example of MACsec related network configuration. Also bring them in line with the format of the other example network configurations.
    Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
* Remove all PeerKey functionality | Jouni Malinen | 2017-10-15 | 1 | -6/+0
    This was originally added to allow the IEEE 802.11 protocol to be tested, but there are no known fully functional implementations based on this nor any known deployments of PeerKey functionality. Furthermore, PeerKey design in the IEEE Std 802.11-2016 standard has already been marked as obsolete for DLS and it is being considered for complete removal in REVmd. This implementation did not really work, so it could not have been used in practice. For example, key configuration was using incorrect algorithm values (WPA_CIPHER_* instead of WPA_ALG_*) which resulted in mapping to an invalid WPA_ALG_* value for the actual driver operation. As such, the derived key could not have been successfully set for the link. Since there are bugs in this implementation and there does not seem to be any future for the PeerKey design with DLS (TDLS being the future for DLS), the best approach is to simply delete all this code to simplify the EAPOL-Key handling design and to get rid of any potential issues if these code paths were accidentally reachable.
    Signed-off-by: Jouni Malinen <j@w1.fi>
* SAE: Allow SAE password to be configured separately (STA) | Jouni Malinen | 2017-10-11 | 1 | -0/+6
    The new sae_password network profile parameter can now be used to set the SAE password instead of the previously used psk parameter. This allows passwords shorter than 8 characters and longer than 63 characters to be used.
    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* P2P: Allow GO to advertise Interworking element | Sunil Dutt | 2017-10-05 | 1 | -0/+30
    This adds new wpa_supplicant configuration parameters (go_interworking, go_access_network_type, go_internet, go_venue_group, go_venue_type) to add a possibility of configuring the P2P GO to advertise Interworking element.
    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add group_mgmt network parameter for PMF cipher selection | Jouni Malinen | 2017-09-26 | 1 | -0/+8
    The new wpa_supplicant network parameter group_mgmt can be used to specify which group management ciphers (AES-128-CMAC, BIP-GMAC-128, BIP-GMAC-256, BIP-CMAC-256) are allowed for the network. If not specified, the current behavior is maintained (i.e., follow what the AP advertises). The parameter can list multiple space separated ciphers.
    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Suite B: Add tls_suiteb=1 parameter for RSA 3k key case | Jouni Malinen | 2017-09-16 | 1 | -0/+3
    This adds phase1 parameter tls_suiteb=1 into wpa_supplicant configuration to allow TLS library (only OpenSSL supported for now) to use Suite B 192-bit level rules with RSA when using >= 3k (3072) keys.
    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OpenSSL: Add build option to select default ciphers | Beniamino Galvani | 2017-07-17 | 1 | -2/+2
    Add a build option to select different default ciphers for OpenSSL instead of the hardcoded default "DEFAULT:!EXP:!LOW". This new option is useful on distributions where the security level should be consistent for all applications, as in Fedora [1]. In such cases the new configuration option would be set to "" or "PROFILE=SYSTEM" to select the global crypto policy by default.
    [1] https://fedoraproject.org/wiki/Changes/CryptoPolicy
    Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
* STA: Add OCE capability indication attribute | Ashwini Patil | 2017-07-14 | 1 | -0/+7
    Add OCE capability indication attribute in Probe Request and (Re)Association Request frames.
    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WPS: Add option for using random UUID | Jouni Malinen | 2017-04-13 | 1 | -1/+7
    If the uuid configuration parameter is not set, wpa_supplicant generates a UUID automatically to allow WPS operations to proceed. This was previously always using a UUID generated from the MAC address. This commit adds an option to use a random UUID instead. The type of the automatically generated UUID is set with the auto_uuid parameter: 0 = based on MAC address (default; old behavior), 1 = random UUID.
    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FILS: Add FILS SK auth PFS support in STA mode | Jouni Malinen | 2017-03-12 | 1 | -0/+5
    This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group.
    Signed-off-by: Jouni Malinen <j@w1.fi>
* wpa_supplicant: Fix non_pref_chan example | Avraham Stern | 2017-03-06 | 1 | -1/+1
    The parsing code expects non_pref_chan to be non-quoted. Fix the example in wpa_supplicant.conf not to include quotes.
    Signed-off-by: Avraham Stern <avraham.stern@intel.com>
* GAS: Add support to randomize transmitter address | Vamsi Krishna | 2017-02-07 | 1 | -0/+9
    Add support to send GAS requests with a randomized transmitter address if supported by the driver. The following control interface commands (and matching configuration file parameters) can be used to configure different types of randomization:
    "SET gas_rand_mac_addr 0" to disable randomizing TX MAC address,
    "SET gas_rand_mac_addr 1" to randomize the complete TX MAC address,
    "SET gas_rand_mac_addr 2" to randomize the TX MAC address except for OUI.
    A new random MAC address will be generated for every gas_rand_addr_lifetime seconds and this can be configured with "SET gas_rand_addr_lifetime <timeout>".
    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* wpa_supplicant: Clarify group_rekey documentation | Johannes Berg | 2017-01-13 | 1 | -1/+1
    This is also used in mesh and AP modes.
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* mka: Make MKA actor priority configurable | Badrish Adiga H R | 2016-12-25 | 1 | -3/+5
    This adds a new wpa_supplicant network profile parameter mka_priority=0..255 to set the priority of the MKA Actor.
    Signed-off-by: Badrish Adiga H R <badrish.adigahr@gmail.com>