path: root/wpa_supplicant/wpa_supplicant.conf
Commit message | Author | Age | Files | Lines
* wpa_supplicant: Add EDMG channel configuration parameters
  Author: Alexei Avshalom Lazar; Age: 7 days; Files: 1; Lines: -0/+10

  Add two new configuration parameters for wpa_supplicant:
    enable_edmg: Enable EDMG capability for STA/AP mode
    edmg_channel: Configure channel bonding. In AP mode it defines the EDMG channel to start the AP on. In STA mode it defines the EDMG channel to use for connection.

  Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
* DPP: Allow name and mudurl to be configured for Config Request
  Author: Jouni Malinen; Age: 2019-09-18; Files: 1; Lines: -0/+20

  The new hostapd and wpa_supplicant configuration parameters dpp_name and dpp_mud_url can now be used to set a specific name and MUD URL for the Enrollee to use in the Configuration Request. dpp_name replaces the previously hardcoded "Test" string (which is still the default if an explicit configuration entry is not included). dpp_mud_url can optionally be used to add a MUD URL to describe the Enrollee device.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-TEAP peer: Add support for machine credentials using certificates
  Author: Jouni Malinen; Age: 2019-09-01; Files: 1; Lines: -0/+5

  This allows EAP-TLS to be used within an EAP-TEAP tunnel when there is an explicit request for machine credentials. The network profile parameters are otherwise the same as the Phase 1 parameters, but each one uses a "machine_" prefix for the parameter name.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP peer config: Move ocsp param to phase1/phase2
  Author: Jouni Malinen; Age: 2019-09-01; Files: 1; Lines: -0/+1

  OCSP configuration is applicable to each instance of TLS-based authentication and as such, the configuration might need to be different for Phase 1 and Phase 2. Move ocsp into struct eap_peer_cert_config and add a separate ocsp2 network profile parameter to set this for Phase 2.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* WNM: Provide option to disable/enable BTM support in STA
  Author: Ankita Bajaj; Age: 2019-06-14; Files: 1; Lines: -0/+6

  Add support to disable/enable BTM support using configuration and wpa_cli command. This is useful mainly for testing purposes.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FT: Allow PMKSA caching to be enabled with FT-EAP
  Author: Jouni Malinen; Age: 2019-04-28; Files: 1; Lines: -0/+8

  The new wpa_supplicant network profile configuration parameter ft_eap_pmksa_caching=1 can be used to enable use of PMKSA caching with FT-EAP for FT initial mobility domain association. This is still disabled by default (i.e., maintaining previous behavior) to avoid likely interoperability issues.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Document BSS expiration configurables
  Author: Ben Greear; Age: 2019-04-13; Files: 1; Lines: -0/+9

  Help the user be aware of the options to configure when wpa_supplicant will remove a BSS due to expiration.

  Signed-off-by: Ben Greear <greearb@candelatech.com>
* Extend domain_match and domain_suffix_match to allow list of values
  Author: Jouni Malinen; Age: 2019-04-09; Files: 1; Lines: -0/+12

  These wpa_supplicant network profile parameters could be used to specify a single match string that would be used against the dNSName items in subjectAltName or CN. There may be use cases where more than one alternative match string would be useful, so extend these to allow a semicolon delimited list of values to be used (e.g., "example.org;example.com"). If any of the specified values matches any of the dNSName/CN values in the server certificate, consider the certificate as meeting this requirement.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* WPS: Allow SAE configuration to be added automatically for PSK
  Author: Jouni Malinen; Age: 2019-03-06; Files: 1; Lines: -0/+8

  The new wpa_supplicant configuration parameter wps_cred_add_sae=1 can be used to request wpa_supplicant to add SAE configuration whenever WPS is used to provision WPA2-PSK credentials and the credential includes a passphrase (instead of PSK). This can be used to enable WPA3-Personal transition mode with both SAE and PSK enabled and also with PMF enabled.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Enable only groups 19, 20, and 21 in station mode
  Author: Jouni Malinen; Age: 2019-03-05; Files: 1; Lines: -4/+9

  Remove groups 25 (192-bit Random ECP Group) and 26 (224-bit Random ECP Group) from the default SAE groups in station mode since those groups are not as strong as the mandatory group 19 (NIST P-256). In addition, add a warning about MODP groups 1, 2, 5, 22, 23, and 24 based on "MUST NOT" or "SHOULD NOT" categorization in RFC 8247. All the MODP groups were already disabled by default and would have needed explicit configuration to be allowed.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OpenSSL: Allow systemwide policies to be overridden
  Author: Jouni Malinen; Age: 2019-01-05; Files: 1; Lines: -0/+7

  Some distributions (e.g., Debian) have started introducing systemwide OpenSSL policies to disable older protocol versions and ciphers throughout all programs using OpenSSL. This can result in a significant number of interoperability issues with deployed EAP implementations. Allow explicit wpa_supplicant (EAP peer) and hostapd (EAP server) parameters to be used to request systemwide policies to be overridden if older versions are needed to be able to interoperate with devices that cannot be updated to support the newer protocol versions or keys.

  The default behavior is not changed here, i.e., the systemwide policies will be followed if no explicit override configuration is used. The overrides should be used only if really needed since they can result in reduced security.

  In wpa_supplicant, tls_disable_tlsv1_?=0 value in the phase1 network profile parameter can be used to explicitly enable TLS versions that are disabled in the systemwide configuration. For example, phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0" would request TLS v1.0 and TLS v1.1 to be enabled even if the systemwide policy enforces TLS v1.2 as the minimum version. Similarly, openssl_ciphers parameter can be used to override systemwide policy, e.g., with openssl_ciphers="DEFAULT@SECLEVEL=1" to drop from security level 2 to 1 in Debian to allow shorter keys to be used.

  In hostapd, tls_flags parameter can be used to configure similar options. E.g., tls_flags=[ENABLE-TLSv1.0][ENABLE-TLSv1.1]

  Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: Allow 256-bit CAK to be configured for PSK mode
  Author: Jouni Malinen; Age: 2018-12-26; Files: 1; Lines: -3/+4

  This allows 256-bit CAK to be used as the root key in the MKA key hierarchy.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: Allow configuration of MACsec replay protection
  Author: Andrey Kartashev; Age: 2018-12-26; Files: 1; Lines: -0/+16

  Add new configuration parameters macsec_replay_protect and macsec_replay_window to allow the user to set up the MACsec replay protection feature. Note that according to IEEE Std 802.1X-2010 replay protection and delay protection are different features: replay protection is related only to SecY and does not appear on MKA level, while delay protection is something that KaY can use to manage SecY state.

  Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
* wpa_supplicant: Allow overriding HT STBC capabilities
  Author: Sergey Matyukevich; Age: 2018-12-23; Files: 1; Lines: -0/+14

  Allow the user to override STBC configuration for Rx and Tx spatial streams. Add new configuration options to test for HT capability overrides.

  Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
* wpa_supplicant: Add Multi-AP backhaul STA support
  Author: Venkateswara Naralasetty; Age: 2018-12-20; Files: 1; Lines: -0/+7

  Advertise vendor specific Multi-AP IE in (Re)Association Request frames and process Multi-AP IE from (Re)Association Response frames if the user enables Multi-AP functionality. If the (Re)Association Response frame does not contain the Multi-AP IE, disassociate. This adds a new configuration parameter 'multi_ap_backhaul_sta' to enable/disable Multi-AP functionality.

  Enable 4-address mode after association (if the Association Response frame contains the Multi-AP IE). Also enable the bridge in that case. This is necessary because wpa_supplicant only enables the bridge in wpa_drv_if_add(), which only gets called when an interface is added through the control interface, not when it is configured from the command line.

  Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
* OCV: Add wpa_supplicant config parameter
  Author: Mathy Vanhoef; Age: 2018-12-16; Files: 1; Lines: -0/+7

  Add wpa_supplicant network profile parameter ocv to disable or enable Operating Channel Verification (OCV) support.

  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* Provide more details of WPA3 modes in wpa_supplicant.conf
  Author: Jouni Malinen; Age: 2018-08-01; Files: 1; Lines: -1/+4

  Clarify that proto=RSN is used for WPA3 and add the WPA3-Personal name for SAE and include OWE as a possible key_mgmt value.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FT: Add key management value FT-EAP-SHA384 for wpa_supplicant
  Author: Jouni Malinen; Age: 2018-06-05; Files: 1; Lines: -0/+2

  This allows wpa_supplicant to be configured to use the SHA384-based FT AKM.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* SAE: Add support for using the optional Password Identifier
  Author: Jouni Malinen; Age: 2018-05-19; Files: 1; Lines: -0/+5

  This extends the SAE implementation in both infrastructure and mesh BSS cases to allow an optional Password Identifier to be used. This uses the mechanism added in P802.11REVmd/D1.0. The Password Identifier is configured in a wpa_supplicant network profile as a new string parameter sae_password_id. In hostapd configuration, the existing sae_password parameter has been extended to allow the password identifier (and also a peer MAC address) to be set. In addition, multiple sae_password entries can now be provided to hostapd to allow multiple per-peer and per-identifier passwords to be set.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-TLS: Extend TLS version config to allow TLS v1.3 to be disabled
  Author: Jouni Malinen; Age: 2018-05-01; Files: 1; Lines: -0/+2

  This may be needed to avoid interoperability issues with the new protocol version and significant changes for EAP use cases in both key derivation and handshake termination.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* HS 2.0: Add Roaming Consortium Selection network profile parameter
  Author: Jouni Malinen; Age: 2018-04-17; Files: 1; Lines: -0/+4

  This adds a new roaming_consortium_selection network profile parameter into wpa_supplicant. This is used to store the OI that was used for network selection (INTERWORKING_SELECT) based on matching against the Roaming Consortium OIs advertised by the AP. This can also be used when using an external component to perform selection. This commit adds the network profile parameter, but does not yet include it in (Re)Association Request frames.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Add a new cred block parameter roaming_consortiums
  Author: Jouni Malinen; Age: 2018-04-17; Files: 1; Lines: -0/+9

  This new string parameter contains a comma delimited list of OIs (hexdump) in a string. This is used to store Hotspot 2.0 PerProviderSubscription/<X+>/HomeSP/RoamingConsortiumOI. This commit includes the configuration changes to parse and write the parameter. The actual values are not yet used in Interworking network selection.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Document credential parameter required_roaming_consortium
  Author: Jouni Malinen; Age: 2018-04-17; Files: 1; Lines: -0/+5

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Fix sae_password documentation in wpa_supplicant to refer correct field
  Author: Jouni Malinen; Age: 2018-04-13; Files: 1; Lines: -3/+3

  sae_password replaces psk, not passphrase, parameter in wpa_supplicant.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* Add config information related to MACsec
  Author: Jaap Keuter; Age: 2018-04-01; Files: 1; Lines: -12/+23

  Add examples of relevant top level CONFIG clauses for wpa_supplicant MACsec support to defconfig. Extend the example of MACsec related network configuration. Also bring them in line with the format of the other example network configurations.

  Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
* Remove all PeerKey functionality
  Author: Jouni Malinen; Age: 2017-10-15; Files: 1; Lines: -6/+0

  This was originally added to allow the IEEE 802.11 protocol to be tested, but there are no known fully functional implementations based on this nor any known deployments of PeerKey functionality. Furthermore, PeerKey design in the IEEE Std 802.11-2016 standard has already been marked as obsolete for DLS and it is being considered for complete removal in REVmd.

  This implementation did not really work, so it could not have been used in practice. For example, key configuration was using incorrect algorithm values (WPA_CIPHER_* instead of WPA_ALG_*) which resulted in mapping to an invalid WPA_ALG_* value for the actual driver operation. As such, the derived key could not have been successfully set for the link.

  Since there are bugs in this implementation and there does not seem to be any future for the PeerKey design with DLS (TDLS being the future for DLS), the best approach is to simply delete all this code to simplify the EAPOL-Key handling design and to get rid of any potential issues if these code paths were accidentally reachable.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* SAE: Allow SAE password to be configured separately (STA)
  Author: Jouni Malinen; Age: 2017-10-11; Files: 1; Lines: -0/+6

  The new sae_password network profile parameter can now be used to set the SAE password instead of the previously used psk parameter. This allows passwords shorter than 8 characters and longer than 63 characters to be used.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* P2P: Allow GO to advertise Interworking element
  Author: Sunil Dutt; Age: 2017-10-05; Files: 1; Lines: -0/+30

  This adds new wpa_supplicant configuration parameters (go_interworking, go_access_network_type, go_internet, go_venue_group, go_venue_type) to add a possibility of configuring the P2P GO to advertise Interworking element.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add group_mgmt network parameter for PMF cipher selection
  Author: Jouni Malinen; Age: 2017-09-26; Files: 1; Lines: -0/+8

  The new wpa_supplicant network parameter group_mgmt can be used to specify which group management ciphers (AES-128-CMAC, BIP-GMAC-128, BIP-GMAC-256, BIP-CMAC-256) are allowed for the network. If not specified, the current behavior is maintained (i.e., follow what the AP advertises). The parameter can list multiple space-separated ciphers.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Suite B: Add tls_suiteb=1 parameter for RSA 3k key case
  Author: Jouni Malinen; Age: 2017-09-16; Files: 1; Lines: -0/+3

  This adds phase1 parameter tls_suiteb=1 into wpa_supplicant configuration to allow TLS library (only OpenSSL supported for now) to use Suite B 192-bit level rules with RSA when using >= 3k (3072) keys.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OpenSSL: Add build option to select default ciphers
  Author: Beniamino Galvani; Age: 2017-07-17; Files: 1; Lines: -2/+2

  Add a build option to select different default ciphers for OpenSSL instead of the hardcoded default "DEFAULT:!EXP:!LOW". This new option is useful on distributions where the security level should be consistent for all applications, as in Fedora [1]. In such cases the new configuration option would be set to "" or "PROFILE=SYSTEM" to select the global crypto policy by default.

  [1] https://fedoraproject.org/wiki/Changes/CryptoPolicy

  Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
* STA: Add OCE capability indication attribute
  Author: Ashwini Patil; Age: 2017-07-14; Files: 1; Lines: -0/+7

  Add OCE capability indication attribute in Probe Request and (Re)Association Request frames.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WPS: Add option for using random UUID
  Author: Jouni Malinen; Age: 2017-04-13; Files: 1; Lines: -1/+7

  If the uuid configuration parameter is not set, wpa_supplicant generates a UUID automatically to allow WPS operations to proceed. This was previously always using a UUID generated from the MAC address. This commit adds an option to use a random UUID instead. The type of the automatically generated UUID is set with the auto_uuid parameter: 0 = based on MAC address (default; old behavior), 1 = random UUID.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FILS: Add FILS SK auth PFS support in STA mode
  Author: Jouni Malinen; Age: 2017-03-12; Files: 1; Lines: -0/+5

  This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* wpa_supplicant: Fix non_pref_chan example
  Author: Avraham Stern; Age: 2017-03-06; Files: 1; Lines: -1/+1

  The parsing code expects non_pref_chan to be non-quoted. Fix the example in wpa_supplicant.conf not to include quotes.

  Signed-off-by: Avraham Stern <avraham.stern@intel.com>
* GAS: Add support to randomize transmitter address
  Author: Vamsi Krishna; Age: 2017-02-07; Files: 1; Lines: -0/+9

  Add support to send GAS requests with a randomized transmitter address if supported by the driver. The following control interface commands (and matching configuration file parameters) can be used to configure different types of randomization:
    "SET gas_rand_mac_addr 0" to disable randomizing TX MAC address,
    "SET gas_rand_mac_addr 1" to randomize the complete TX MAC address,
    "SET gas_rand_mac_addr 2" to randomize the TX MAC address except for OUI.
  A new random MAC address will be generated for every gas_rand_addr_lifetime seconds and this can be configured with "SET gas_rand_addr_lifetime <timeout>".

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* wpa_supplicant: Clarify group_rekey documentation
  Author: Johannes Berg; Age: 2017-01-13; Files: 1; Lines: -1/+1

  This is also used in mesh and AP modes.

  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* mka: Make MKA actor priority configurable
  Author: Badrish Adiga H R; Age: 2016-12-25; Files: 1; Lines: -3/+5

  This adds a new wpa_supplicant network profile parameter mka_priority=0..255 to set the priority of the MKA Actor.

  Signed-off-by: Badrish Adiga H R <badrish.adigahr@gmail.com>
* mka: Remove references to macsec_qca from wpa_supplicant.conf
  Author: Sabrina Dubroca; Age: 2016-11-30; Files: 1; Lines: -6/+4

  Make the documentation generic, as this is no longer the only macsec driver.

  Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
* wpa_supplicant: Allow configuring the MACsec port for MKA
  Author: Sabrina Dubroca; Age: 2016-11-19; Files: 1; Lines: -0/+4

  Previously, wpa_supplicant only supported hardcoded port == 1 in the SCI, but users may want to choose a different port.

  Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
* wpa_supplicant: Add macsec_integ_only setting for MKA
  Author: Sabrina Dubroca; Age: 2016-11-19; Files: 1; Lines: -0/+7

  So that the user can turn encryption on (MACsec provides confidentiality+integrity) or off (MACsec provides integrity only). This commit adds the configuration parameter while the actual behavior change to disable encryption in the driver is handled in the following commit.

  Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
* wpa_supplicant: Allow pre-shared (CAK,CKN) pair for MKA
  Author: Sabrina Dubroca; Age: 2016-11-19; Files: 1; Lines: -0/+8

  This enables configuring key_mgmt=NONE + mka_ckn + mka_cak. This allows wpa_supplicant to work in a peer-to-peer mode, where peers are authenticated by the pre-shared (CAK,CKN) pair. In this mode, peers can act as key server to distribute keys for the MACsec instances. This is what some MACsec switches support, and even without HW support, it's a convenient way to set up a network.

  Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
* FILS: Add wpa_supplicant configuration options
  Author: Jouni Malinen; Age: 2016-10-10; Files: 1; Lines: -0/+4

  This adds CONFIG_FILS=y build configuration option and new key management options for FILS authentication.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* MBO: Do not add reason_detail in non_pref_chan attr (STA)
  Author: vamsi krishna; Age: 2016-09-25; Files: 1; Lines: -3/+3

  The reason detail field in non_pref_chan attribute was removed from MBO draft v0.0_r25, so the STA should not include this field to be compliant with the latest draft.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Fix typos in wpa_supplicant configuration parameter documentation
  Author: Jouni Malinen; Age: 2016-09-10; Files: 1; Lines: -9/+9

  Signed-off-by: Jouni Malinen <j@w1.fi>
* wpa_supplicant: Allow FTM functionality to be published
  Author: Lior David; Age: 2016-09-05; Files: 1; Lines: -0/+16

  Add configuration options that control publishing of fine timing measurement (FTM) responder and initiator functionality via bits 70, 71 of Extended Capabilities element. Typically, FTM functionality is controlled by a location framework outside wpa_supplicant. When the framework is activated, it will use wpa_supplicant to configure the STA/AP to publish the FTM functionality. See IEEE P802.11-REVmc/D7.0, 9.4.2.27.

  Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
* Add group_rekey parameter for IBSS
  Author: Jouni Malinen; Age: 2016-08-13; Files: 1; Lines: -0/+4

  The new network profile parameter group_rekey can now be used to specify the group rekeying interval in seconds for IBSS.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* Update PKCS#11 references in template wpa_supplicant.conf
  Author: David Woodhouse; Age: 2016-06-11; Files: 1; Lines: -17/+15

  Ditch the legacy syntax and manual engine mangling and just give an example using simple PKCS#11 URIs that'll work with both GnuTLS and OpenSSL.

  Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
* wpa_supplicant: Make GAS Address3 field selection behavior configurable
  Author: Jouni Malinen; Age: 2016-06-10; Files: 1; Lines: -0/+6

  IEEE Std 802.11-2012, 10.19 (Public Action frame addressing) specifies that the wildcard BSSID value is used in Public Action frames that are transmitted to a STA that is not a member of the same BSS. wpa_supplicant used to use the actual BSSID value for all such frames regardless of whether the destination STA is a member of the BSS. P2P does not follow this rule, so P2P Public Action frame construction must not be changed. However, the cases using GAS/ANQP for non-P2P purposes should follow the standard requirements.

  Unfortunately, there are deployed AP implementations that do not reply to a GAS request sent using the wildcard BSSID value. The previously used behavior (Address3 = AP BSSID even when not associated) continues to be the default, but the IEEE 802.11 standard compliant addressing behavior can now be configured with gas_address3=1.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* wpa_supplicant: Add wps_disabled parameter to network block
  Author: Lior David; Age: 2016-05-14; Files: 1; Lines: -0/+5

  Add a new parameter wps_disabled to network block (wpa_ssid). This parameter allows WPS functionality to be disabled in AP mode.

  Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>