path: root/wpa_supplicant/config_ssid.h
Commit message (Collapse)AuthorAgeFilesLines
* SAE-PK: Allow automatic SAE-PK to be disabledJouni Malinen2020-06-071-6/+13
| | | | | | | | | | | This replaces the previously used sae_pk_only configuration parameter with a more generic sae_pk that can be used to specify how SAE-PK is negotiated. The default behavior (sae_pk=0) is to automatically negotiate SAE-PK whenever the AP supports it and the password is in appropriate format. sae_pk=1 allows only SAE-PK to be used and sae_pk=2 disables SAE-PK completely. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE-PK: Allow SAE authentication without PK to be disabledJouni Malinen2020-06-061-0/+9
| | | | | | | The new wpa_supplicant network profile parameter sae_pk_only=1 can now be used to disable use of SAE authentication without SAE-PK. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Allow TKIP support to be removed from buildDisha Das2020-04-171-0/+5
| | | | | | | | | Add a build flag CONFIG_NO_TKIP=y to remove all TKIP functionality from hostapd and wpa_supplicant builds. This disables use of TKIP as both the pairwise and group cipher. The end result does not interoperate with a WPA(v1)-only device or WPA+WPA2 mixed modes. Signed-off-by: Disha Das <dishad@codeaurora.org>
* wpa_supplicant: Add HE override supportP Praneesh2020-03-301-0/+10
| | | | | | | | | | | | Add HE override support under the build parameter CONFIG_HE_OVERRIDES=y. The disable_he=1 network profile parameter can be used to disable HE. This requires a fallback to VHT on the 5 GHz band and to HT on the 2.4 GHz band. There is no nl80211 support for configuring the driver to disable HE, so for now, this applies only to IBSS and mesh cases. Signed-off-by: P Praneesh <ppranees@codeaurora.org>
* DPP2: Allow station to require or not allow PFSJouni Malinen2020-03-281-0/+16
| | | | | | | | | | | | | | | | | | | | The new wpa_supplicant network profile parameter dpp_pfs can be used to specify how PFS is applied to associations. The default behavior (dpp_pfs=0) remains same as it was previously, i.e., try to use PFS if the AP supports it. PFS use can now be required (dpp_pfs=1) or disabled (dpp_pfs=2). This is also working around an interoperability issue of DPP R2 STA with certain hostapd builds that included both OWE and DPP functionality. That issue was introduced by commit 09368515d130 ("OWE: Process Diffie-Hellman Parameter element in AP mode") and removed by commit 16a4e931f03e ("OWE: Allow Diffie-Hellman Parameter element to be included with DPP"). hostapd builds between those two commits would reject DPP association attempt with PFS. The new wpa_supplicant default (dpp_pfs=0) behavior is to automatically try to connect again with PFS disabled if that happens. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* wpa_supplicant AP mode configuration for Transition Disable KDEJouni Malinen2020-03-251-0/+20
| | | | | | | Allow AP mode network profile in wpa_supplicant to be configured to advertise Transition Disable DKE. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Make WEP functionality an optional build parameterJouni Malinen2020-02-291-0/+2
| | | | | | | | | WEP should not be used for anything anymore. As a step towards removing it completely, move all WEP related functionality to be within CONFIG_WEP blocks. This will be included in builds only if CONFIG_WEP=y is explicitly set in build configuration. Signed-off-by: Jouni Malinen <j@w1.fi>
* STA: Allow PTK rekeying without Ext KeyID to be disabled as a workaroundAlexander Wetzel2020-02-231-0/+13
| | | | | | | | | | | | | | Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken implementations and should be avoided when using or interacting with one. The effects can be triggered by either end of the connection and range from hardly noticeable disconnects over long connection freezes up to leaking clear text MPDUs. To allow affected users to mitigate the issues, add a new configuration option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys with fast reconnects. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
* wpa_supplicant configuration for Beacon protectionJouni Malinen2020-02-171-0/+8
| | | | | | | Add a new wpa_supplicant network profile configuration parameter beacon_prot=<0/1> to allow Beacon protection to be enabled. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OWE: PTK derivation workaround in STA modeJouni Malinen2020-01-231-0/+13
| | | | | | | | | | | | Initial OWE implementation used SHA256 when deriving the PTK for all OWE groups. This was supposed to change to SHA384 for group 20 and SHA512 for group 21. The new owe_ptk_workaround=1 network parameter can be used to enable older behavior mainly for testing purposes. There is no impact to group 19 behavior, but if enabled, this will make group 20 and 21 cases use SHA256-based PTK derivation which will not work with the updated OWE implementation on the AP side. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Derive H2E PT in STA before connectionJouni Malinen2019-10-151-0/+2
| | | | Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* wpa_supplicant: Add EDMG channel configuration parametersAlexei Avshalom Lazar2019-10-071-0/+17
| | | | | | | | | | Add two new configuration parameters for wpa_supplicant: enable_edmg: Enable EDMG capability for STA/AP mode edmg_channel: Configure channel bonding. In AP mode it defines the EDMG channel to start the AP on. In STA mode it defines the EDMG channel to use for connection. Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
* Remove CONFIG_IEEE80211W build parameterJouni Malinen2019-09-081-2/+0
| | | | | | | | | Hardcode this to be defined and remove the separate build options for PMF since this functionality is needed with large number of newer protocol extensions and is also something that should be enabled in all WPA2/WPA3 networks. Signed-off-by: Jouni Malinen <j@w1.fi>
* Avoid nested enum wpas_mode declaration to allow C++ compilationJouni Malinen2019-07-241-8/+10
| | | | | | | | | | Move enum wpas_mode declaration to the global scope to avoid issues with the recently added inline function wpas_mode_to_ieee80211_mode() using it as an argument. This fixes C++ compilation issues with cases that include wpa_supplicant_i.h. Fixes: 3459c54ac78b ("mesh: Add support for HE mode") Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FT: Allow PMKSA caching to be enabled with FT-EAPJouni Malinen2019-04-281-0/+10
| | | | | | | | | | The new wpa_supplicant network profile configuration parameter ft_eap_pmksa_caching=1 can be used to enable use of PMKSA caching with FT-EAP for FT initial mobility domain association. This is still disabled by default (i.e., maintaining previous behavior) to avoid likely interoperability issues. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* P2P: Add 802.11ax support for P2P GOPeng Xu2019-01-121-0/+2
| | | | | | | | An optional parameter "he" is added to p2p_connect, p2p_group_add, and p2p_invite to enable 11ax HE support. The new p2p_go_he=1 configuration parameter can be used to request this to be enabled by default. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* mesh: Add VHT_CHANWIDTH_USE_HT to max_oper_chwidthPeter Oh2019-01-061-0/+1
| | | | | | | | | Channel width in VHT mode refers HT capability when the width goes down to below 80 MHz, hence add checking HT channel width to its max operation channel width. So that mesh has capability to select bandwidth below 80 MHz. Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
* mka: Allow 256-bit CAK to be configured for PSK modeJouni Malinen2018-12-261-2/+3
| | | | | | | This allows 256-bit CAK to be used as the root key in the MKA key hierarchy. Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: Allow configuration of MACsec replay protectionAndrey Kartashev2018-12-261-0/+27
| | | | | | | | | | | Add new configuration parameters macsec_replay_protect and macsec_replay_window to allow user to set up MACsec replay protection feature. Note that according to IEEE Std 802.1X-2010 replay protection and delay protection are different features: replay protection is related only to SecY and does not appear on MKA level while delay protection is something that KaY can use to manage SecY state. Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
* macsec: Make pre-shared CKN variable lengthmichael-dev2018-12-251-2/+3
| | | | | | | | | | | | | | | | | IEEE Std 802.1X-2010, 9.3.1 defines following restrictions for CKN: "MKA places no restriction on the format of the CKN, save that it comprise an integral number of octets, between 1 and 32 (inclusive), and that all potential members of the CA use the same CKN. No further constraints are placed on the CKNs used with PSKs, ..." Hence do not require a 32 octet long CKN but instead allow a shorter CKN to be configured. This fixes interoperability with some Aruba switches, that do not accept a 32 octet long CKN (only support shorter ones). Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* wpa_supplicant: Allow overriding HT STBC capabilitiesSergey Matyukevich2018-12-231-0/+18
| | | | | | | Allow user to override STBC configuration for Rx and Tx spatial streams. Add new configuration options to test for HT capability overrides. Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
* wpa_supplicant: Add Multi-AP backhaul STA supportVenkateswara Naralasetty2018-12-201-0/+7
| | | | | | | | | | | | | | | | | | | | | Advertise vendor specific Multi-AP IE in (Re)Association Request frames and process Multi-AP IE from (Re)Association Response frames if the user enables Multi-AP fuctionality. If the (Re)Association Response frame does not contain the Multi-AP IE, disassociate. This adds a new configuration parameter 'multi_ap_backhaul_sta' to enable/disable Multi-AP functionality. Enable 4-address mode after association (if the Association Response frame contains the Multi-AP IE). Also enable the bridge in that case. This is necessary because wpa_supplicant only enables the bridge in wpa_drv_if_add(), which only gets called when an interface is added through the control interface, not when it is configured from the command line. Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org> Signed-off-by: Jouni Malinen <jouni@codeaurora.org> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
* OCV: Add wpa_supplicant config parameterMathy Vanhoef2018-12-161-0/+11
| | | | | | | Add wpa_supplicant network profile parameter ocv to disable or enable Operating Channel Verification (OCV) support. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OWE: Attempt more scans for OWE transition SSID if expected BSS not seenSunil Dutt2018-10-121-0/+10
| | | | | | | | | | | | This commit introduces a threshold for OWE transition BSS selection, which signifies the maximum number of selection attempts (scans) done for finding OWE BSS. This aims to do more scan attempts for OWE BSS and eventually select the open BSS if the selection/scan attempts for OWE BSS exceed the configured threshold. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* wpa_supplicant: Fix parsing of max_oper_chwidthSven Eckelmann2018-05-311-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | The max_oper_chwidth is parsed in wpa_config_set as INT_RANGE (see ssid_fields). The actual parsing for INT_RANGE is done by wpa_config_parse_int which can only store the result as full integer. max_oper_chwidth is stored as u8 (a single byte) in wpa_ssid. This means that on little endian systems, the least significant byte of the parsed value are really stored in the max_oper_chwidth. But on big endian system, the only most significant byte is stored as max_oper_chwidth. This means that 0 is always stored because the provided range doesn't allow any other value for systems with multi-byte-wide integers. This also means that for common systems with 4-byte-wide integers, the remaining 3 bytes were written after the actual member of the struct. This should not have influenced the behavior of succeeding members because these bytes would have been part of the padding between the members on most systems. Increasing its size to a full int fixes the write operations outside of the member and allows to use the max_oper_chwidth setting on big endian systems. Fixes: 0f29bc68d18e ("IBSS/mesh: Add support for VHT80P80 configuration") Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
* SAE: Add support for using the optional Password IdentifierJouni Malinen2018-05-191-0/+8
| | | | | | | | | | | | | | This extends the SAE implementation in both infrastructure and mesh BSS cases to allow an optional Password Identifier to be used. This uses the mechanism added in P802.11REVmd/D1.0. The Password Identifier is configured in a wpa_supplicant network profile as a new string parameter sae_password_id. In hostapd configuration, the existing sae_password parameter has been extended to allow the password identifier (and also a peer MAC address) to be set. In addition, multiple sae_password entries can now be provided to hostapd to allow multiple per-peer and per-identifier passwords to be set. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Add Roaming Consortium Selection network profile parameterJouni Malinen2018-04-171-0/+13
| | | | | | | | | | | | | This adds new roaming_consortium_selection network profile parameter into wpa_supplicant. This is used to store the OI that was used for network selection (INTERWORKING_SELECT) based on matching against the Roaming Consortium OIs advertised by the AP. This can also be used when using an external component to perform selection. This commit adds the network profile parameter, but does not yet include it in (Re)Association Request frames. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OWE: Allow station in transition mode to connect to an open BSSJouni Malinen2018-01-211-0/+9
| | | | | | | | | If the OWE network profile matches an open network which does not advertise OWE BSS, allow open connection. The new owe_only=1 network profile parameter can be used to disable this transition mode and enforce connection only with OWE networks. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OWE: Try all supported DH groups automatically on STAJouni Malinen2017-12-271-1/+2
| | | | | | | | If a specific DH group for OWE is not set with the owe_group parameter, try all supported DH groups (currently 19, 20, 21) one by one if the AP keeps rejecting groups with the status code 77. Signed-off-by: Jouni Malinen <j@w1.fi>
* Remove all PeerKey functionalityJouni Malinen2017-10-151-11/+0
| | | | | | | | | | | | | | | | | | | | | | | | This was originally added to allow the IEEE 802.11 protocol to be tested, but there are no known fully functional implementations based on this nor any known deployments of PeerKey functionality. Furthermore, PeerKey design in the IEEE Std 802.11-2016 standard has already been marked as obsolete for DLS and it is being considered for complete removal in REVmd. This implementation did not really work, so it could not have been used in practice. For example, key configuration was using incorrect algorithm values (WPA_CIPHER_* instead of WPA_ALG_*) which resulted in mapping to an invalid WPA_ALG_* value for the actual driver operation. As such, the derived key could not have been successfully set for the link. Since there are bugs in this implementation and there does not seem to be any future for the PeerKey design with DLS (TDLS being the future for DLS), the best approach is to simply delete all this code to simplify the EAPOL-Key handling design and to get rid of any potential issues if these code paths were accidentially reachable. Signed-off-by: Jouni Malinen <j@w1.fi>
* SAE: Allow SAE password to be configured separately (STA)Jouni Malinen2017-10-111-0/+10
| | | | | | | | | The new sae_password network profile parameter can now be used to set the SAE password instead of the previously used psk parameter. This allows shorter than 8 characters and longer than 63 characters long passwords to be used. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Remove C-sign-key expiryJouni Malinen2017-10-091-7/+0
| | | | | | This was removed in DPP tech spec v0.2.3. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in stationJouni Malinen2017-10-081-0/+11
| | | | | | | | This extends OWE support in wpa_supplicant to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256). The group is configured using the new network profile parameter owe_group. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add group_mgmt network parameter for PMF cipher selectionJouni Malinen2017-09-261-0/+9
| | | | | | | | | | The new wpa_supplicant network parameter group_mgmt can be used to specify which group management ciphers (AES-128-CMAC, BIP-GMAC-128, BIP-GMAC-256, BIP-CMAC-256) are allowed for the network. If not specified, the current behavior is maintained (i.e., follow what the AP advertises). The parameter can list multiple space separate ciphers. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Network profile parameters for DPP AKMJouni Malinen2017-06-191-0/+39
| | | | | | | | Extend wpa_supplicant network profile to include parameters needed for the DPP AKM: dpp_connector, dpp_netaccesskey, dpp_netaccesskey_expiry, dpp_csign, dpp_csign_expiry. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Provide option to configure BSSID hint for a networkPurushottam Kushwaha2017-05-111-0/+13
| | | | | | | | | | This exposes user configurable option to set bssid_hint for a network. bssid_hint indicates which BSS has been found a suitable candidate for initial association for drivers that use driver/firmware-based BSS selection. Unlike the bssid parameter, bssid_hint does not limit the driver from selecting other BSSs in the ESS. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* mesh: Make NL80211_MESHCONF_RSSI_THRESHOLD configurableMasashi Honma2017-05-081-0/+10
| | | | | | | | In some practical cases, it is useful to suppress joining to node in the distance. The new field mesh_rssi_threshold could be used as RSSI threshold for joining. Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* FILS: Add FILS SK auth PFS support in STA modeJouni Malinen2017-03-121-0/+8
| | | | | | | | | | | This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
* wpa_supplicant: Allow disabling HT in AP mode without HT overridesJohannes Berg2017-03-111-0/+1
| | | | | | | | Since VHT can be toggled explicitly, also expose being able to disable HT explicitly, without requiring HT overrides. Continue making it default to enabled though. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* wpa_supplicant: Allow explicit wide channel configuration for AP modeJohannes Berg2017-03-111-0/+1
| | | | | | | | | | | Instead of deducing the wide (HT, VHT) channel configuration only automatically in P2P mode, allow it to be configured in the network in non-P2P mode. Also allow all of these parameters to be configured through the control interface or the configuration file. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* mka: Make MKA actor priority configurableBadrish Adiga H R2016-12-251-0/+7
| | | | | | | This adds a new wpa_supplicant network profile parameter mka_priority=0..255 to set the priority of the MKA Actor. Signed-off-by: Badrish Adiga H R <badrish.adigahr@gmail.com>
* wpa_supplicant: Allow configuring the MACsec port for MKASabrina Dubroca2016-11-191-0/+9
| | | | | | | Previously, wpa_supplicant only supported hardcoded port == 1 in the SCI, but users may want to choose a different port. Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
* wpa_supplicant: Add macsec_integ_only setting for MKASabrina Dubroca2016-11-191-0/+12
| | | | | | | | | So that the user can turn encryption on (MACsec provides confidentiality+integrity) or off (MACsec provides integrity only). This commit adds the configuration parameter while the actual behavior change to disable encryption in the driver is handled in the following commit. Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
* wpa_supplicant: Allow pre-shared (CAK,CKN) pair for MKASabrina Dubroca2016-11-191-0/+20
| | | | | | | | | | | | This enables configuring key_mgmt=NONE + mka_ckn + mka_cak. This allows wpa_supplicant to work in a peer-to-peer mode, where peers are authenticated by the pre-shared (CAK,CKN) pair. In this mode, peers can act as key server to distribute keys for the MACsec instances. This is what some MACsec switches support, and even without HW support, it's a convenient way to setup a network. Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
* Add group_rekey parameter for IBSSJouni Malinen2016-08-131-0/+8
| | | | | | | The new network profile parameter group_rekey can now be used to specify the group rekeying internal in seconds for IBSS. Signed-off-by: Jouni Malinen <j@w1.fi>
* wpa_supplicant: Add wps_disabled parameter to network blockLior David2016-05-141-0/+8
| | | | | | | Add a new parameter wps_disabled to network block (wpa_ssid). This parameter allows WPS functionality to be disabled in AP mode. Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
* wpa_supplicant: "don't care" value for pbss in ssid structureLior David2016-04-081-2/+6
| | | | | | | | | | Add a new value 2 to the pbss parameter of wpa_ssid structure, which means "don't care". This value is used in infrastructure mode to request connection to either AP or PCP, whichever is available in the scan results. The value is also used in regular WPS (not P2P group formation) to make WPS work with devices running as either AP or PCP. Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
* wpa_supplicant: Basic support for PBSS/PCPLior David2016-02-081-0/+9
| | | | | | | | | | | | | | | | | | | | | PBSS (Personal Basic Service Set) is a new BSS type for DMG networks. It is similar to infrastructure BSS, having an AP-like entity called PCP (PBSS Control Point), but it has few differences. PBSS support is mandatory for IEEE 802.11ad devices. Add a new "pbss" argument to network block. The argument is used in the following scenarios: 1. When network has mode=2 (AP), when pbss flag is set will start as a PCP instead of an AP. 2. When network has mode=0 (station), when pbss flag is set will connect to PCP instead of AP. The function wpa_scan_res_match() was modified to match BSS according to the pbss flag in the network block (wpa_ssid structure). When pbss flag is set it will match only PCPs, and when it is clear it will match only APs. Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
* wpa_supplicant: Enable Automatic Channel Selection support for AP modeTomasz Bursztyka2015-12-241-0/+12
| | | | | | | | | | Since hostapd supports ACS now, let's enable its support in wpa_supplicant as well when starting AP mode. Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> [u.oelmann@pengutronix.de: rebased series from hostap_2_1~944 to master] [u.oelmann@pengutronix.de: adjusted added text in defconfig] Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
* P2P: Add support for VHT 80+80 MHz and 160 MHzAhmad Kholaif2015-11-251-0/+4
| | | | | | | | | The new max_oper_chwidth and freq2 arguments to P2P_CONNECT, P2P_INVITE, and P2P_GROUP_ADD control interface commands can be used to request larger VHT operating channel bandwidth to be used than the previously used maximum 80 MHz. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>