Commit graph

132 commits

Author SHA1 Message Date
Yegor Yefremov
43c6eb5e47 SAE-PK: Add the option to the defconfigs
So far, this option was only present in the Makefiles. Document it as
being available for configuration since the WFA program has already been
launched.

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
2022-04-07 00:47:31 +03:00
Jouni Malinen
0482251a6d EAP-TLS: Allow TLSv1.3 support to be enabled with build config
The default behavior in wpa_supplicant is to disable use of TLSv1.3 in
EAP-TLS unless explicitly enabled in network configuration. The new
CONFIG_EAP_TLSV1_3=y build parameter can be used to change this to
enable TLSv1.3 by default (if supported by the TLS library).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-07 00:45:40 +03:00
Jouni Malinen
77ddd38b66 DPP3: Add build option for version 3 functionality
CONFIG_DPP3=y can now be used to configure hostapd and wpa_supplicant
builds to include DPP version 3 functionality. This functionality is
still under design and the implementation is experimental and not
suitable to be enabled in production uses before the specification has
been finalized.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2021-12-03 21:24:59 +02:00
Patrick Steinhardt
e680a51e94 ext_password: Implement new file-based backend
It was not easily possible to separate configuration of an interface and
credentials when using the configuration file instead of the control
interface or D-Bus interface for setting up the network profiles. This
makes it hard to distribute configuration across a set of nodes which
use wpa_supplicant without also having to store credentials in the same
file. While this can be solved via scripting, having a native way to
achieve this would be preferable.

Turns out there already is a framework to have external password
storages. It only had a single "test" backend though, which is kind of
an in-memory store which gets initialized with all passwords up front
and is mainly for testing purposes. This isn't really suitable for the
above use case: the backend cannot be initialized as part of the central
configuration given that it needs the credentials, and we want to avoid
scripting.

This commit thus extends the infrastructure to implement a new backend,
which instead uses a simple configuration file containing key-value
pairs. The file follows the format which wpa_supplicant.conf(5) uses:
empty lines and comments are ignored, while passwords can be specified
with simple `password-name=password-value` assignments.

With this new backend, splitting up credentials and configuration
becomes trivial:

    # /etc/wpa_supplicant/wpa_supplicant.conf
    ext_password_backend=file:/etc/wpa_supplicant/psk.conf

    network={
        ssid="foobar"
        psk=ext:foobar
    }

    # /etc/wpa_supplicant/psk.conf
    foobar=ecdabff9c80632ec6fcffc4a8875e95d45cf93376d3b99da6881298853dc686b

Alternative approaches would be to support including other configuration
files in the main configuration, such that common configuration and
network declarations including credentials are split up into separate
files. But the implementation would probably have been more complex
compared to reusing the already-existing framework for external password
backends.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
2021-02-16 00:47:43 +02:00
Ilan Peer
c6d1a33bb0 PASN: Add functions to compute PTK, MIC and hash
1. Add a function to derive the PTK from a PMK and additional data.
2. Add a function to calculate the MIC for a PASN frames.
3. Add a function to compute the hash of an authentication frame body.

The above are built only in case that CONFIG_PASN is enabled at build
time.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:36:40 +02:00
Davide Caratti
39f29f250a defconfig: Enable TDLS
Some distros (e.g., Debian and Arch) already build wpa_supplicant with
support for TDLS, and Fedora is about to enable this feature as well.
Set CONFIG_TDLS=y in wpa_supplicant default build configuration.

Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
2020-05-17 16:10:03 +03:00
Disha Das
6b1c590ebb Allow TKIP support to be removed from build
Add a build flag CONFIG_NO_TKIP=y to remove all TKIP functionality from
hostapd and wpa_supplicant builds. This disables use of TKIP as both the
pairwise and group cipher. The end result does not interoperate with a
WPA(v1)-only device or WPA+WPA2 mixed modes.

Signed-off-by: Disha Das <dishad@codeaurora.org>
2020-04-17 23:51:58 +03:00
Jouni Malinen
200c7693c9 Make WEP functionality an optional build parameter
WEP should not be used for anything anymore. As a step towards removing
it completely, move all WEP related functionality to be within
CONFIG_WEP blocks. This will be included in builds only if CONFIG_WEP=y
is explicitly set in build configuration.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-29 17:45:25 +02:00
Jouni Malinen
0f84a93f65 Fix a type in wpa_supplicant defconfig
ap_mode=1 explanation in CONFIG_NO_SCAN_PROCESSING=y was really supposed
to be talking about ap_scan=1.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-24 00:05:20 +02:00
Jouni Malinen
f3bcd69603 Remove CONFIG_IEEE80211N build option
Hardcoded CONFIG_IEEE80211N to be included to clean up implementation.
More or less all new devices support IEEE 802.11n (HT) and there is not
much need for being able to remove that functionality from the build.
Included this unconditionally to get rid of one more build options and
to keep things simpler.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-22 19:20:44 +02:00
Lubomir Rintel
a383db0646 defconfig: Enable MACsec
Debian and Fedora enable it, NetworkManager uses it.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-12-28 18:28:10 +02:00
Phil Wise
ec1c0d1548 Fix name of DBus interface in defconfig
Signed-off-by: Phil Wise <phil@phil-wise.com>
2019-10-25 16:03:37 +03:00
Jouni Malinen
7d2ed8bae8 Remove CONFIG_IEEE80211W build parameter
Hardcode this to be defined and remove the separate build options for
PMF since this functionality is needed with large number of newer
protocol extensions and is also something that should be enabled in all
WPA2/WPA3 networks.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-08 17:33:40 +03:00
Jouni Malinen
0ed57c5ea8 EAP-TEAP server and peer implementation (RFC 7170)
This adds support for a new EAP method: EAP-TEAP (Tunnel Extensible
Authentication Protocol). This should be considered experimental since
RFC 7170 has number of conflicting statements and missing details to
allow unambiguous interpretation. As such, there may be interoperability
issues with other implementations and this version should not be
deployed for production purposes until those unclear areas are resolved.

This does not yet support use of NewSessionTicket message to deliver a
new PAC (either in the server or peer implementation). In other words,
only the in-tunnel distribution of PAC-Opaque is supported for now. Use
of the NewSessionTicket mechanism would require TLS library support to
allow arbitrary data to be specified as the contents of the message.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-09 16:56:02 +03:00
Mohit Sethi
2f6700c9c6 defconfig: Add config parameter for SIM simulator for EAP-SIM
Allow compilation of internal GSM-Milenage implementation for EAP-SIM
testing with eapol_test.

Signed-off-by: Mohit Sethi <mohit.sethi@aalto.fi>
2019-05-25 16:26:44 +03:00
Lubomir Rintel
fafad85274 defconfig: Enable DBus
Acquire the new name, along with introspection. This is generally useful
for other daemons to integrate with wpa_supplicant, notably
NetworkManager.

Debian and Fedora (and likely any other distro that configured wireless
via NetworkManager) enable this.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-03-09 18:35:49 +02:00
Lubomir Rintel
6a8dee76d4 wpa_supplicant: Drop the old D-Bus interface support
This drops support for the fi.epitest.hostap.WPASupplicant D-Bus name
along with the associated CONFIG_CTRL_IFACE_DBUS option. Nothing should
really be using this since 2010.

This is a just a straightforward removal. Perhaps the dbus_common.c and
dbus_new.c can be merged now. Also, the "_NEW" suffix of the config
option seems to make even less sense than it used to.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-03-09 18:33:26 +02:00
Lubomir Rintel
611308365e defconfig: Enable IEEE 802.11w management frame protection (wpa_supplicant)
NetworkManager can use these if available and the distros generally
enable this already.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:50 +02:00
Lubomir Rintel
9515fa9250 defconfig: enable IEEE 802.11r fast BSS transition (wpa_supplicant)
Generally useful. Linux distros already enable these, upcoming
NetworkManager will support it too.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:50 +02:00
Lubomir Rintel
6b7a0da75b defconfig: Enable IEEE 802.11n and 802.11ac (wpa_supplicant)
I guess there's no reason anyone with capable hardware wouldn't want to
enable these. Debian and Fedora aleady do.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:50 +02:00
Lubomir Rintel
467004d632 defconfig: Enable Hotspot 2.0 (wpa_supplicant)
Generally useful, Debian enables this. Other distros should too.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:50 +02:00
Lubomir Rintel
ec52faa2b2 defconfig: Enable RSN on IBSS networks (wpa_supplicant)
Fedora and Debian enable this. NetworkManager actually rejects such
configurations citing kernel bugs, but that actually might not be the
right thing to do anymore.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:50 +02:00
Jouni Malinen
67d99d2e07 defconfig: Remove obsolete notes about OpenSSL requirements for EAP-FAST
OpenSSL 0.9.8 reached its end-of-life long time ago, so remove these old
notes about need of a newer OpenSSL version for EAP-FAST since all
current OpenSSL versions include the needed functionality.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:48:50 +02:00
Lubomir Rintel
eafc5fec22 defconfig: Enable a handful of EAP methods (wpa_supplicant)
Fedora uses AKA, FAST, GPSK_SHA256, GPSK, IKEV2, PAX, SAKE and TNC. I
don't know why these in particular. AKA wouldn't work, because
CONFIG_PCSC is off anyways; let's enable all the other ones, and also
PWD (openSUSE enabled it because users demanded it).

Debian enables all of the above uses, but also PWD, AKA_PRIME, SIM, PSK
and EKE.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:50 +02:00
Lubomir Rintel
f64050da02 defconfig: Enable logging to file and syslog (wpa_supplicant)
Debian and Fedora enable both and log to syslog. openSUSE seems to log
to a flat file instead.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:50 +02:00
Lubomir Rintel
ae5240db86 defconfig: Enable simple bgscan module (wpa_supplicant)
Generally useful. Linux distros enable this and also utilize it via
NetworkManager.

Debian also enables the learn module. I'm leaving it off as it's marked
experimental.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:49 +02:00
Lubomir Rintel
2d6d47219e defconfig: Enable AP (wpa_supplicant)
Generally useful. Debian and Fedora enable this and support creating
access points via NetworkManager too.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:49 +02:00
Lubomir Rintel
f87450a73f defconfig: Enable WPS (wpa_supplicant)
WPS is generally useful with consumer hardware, and exposed to desktop
users via NetworkManager.

The Linux distros, including Debian, Fedora, and openSUSE enable it.
Debian also enables external registar support and NFC.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:49 +02:00
Jouni Malinen
d989e67d07 defconfig: Fix typos in Wi-Fi Display description
These were supposed to be talking about Wi-Fi Display, not Wi-Fi Direct.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:48:49 +02:00
Lubomir Rintel
c4eafad091 defconfig: Enable P2P and Wi-Fi Display (wpa_supplicant)
Generally useful. Debian and Fedora enable this, upcoming NetworkManager
provide some level of support too.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:49 +02:00
Lubomir Rintel
bf46c6fca1 defconfig: Add SAE (wpa_supplicant)
Generally useful and the distros (Debian, Fedora) enable this already to
support WPA3-Personal and protected 802.11s mesh BSSs.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:49 +02:00
Lubomir Rintel
ca098ee454 defconfig: Add DPP (wpa_supplicant)
Generally useful, already enabled in Debian and Fedora.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:49 +02:00
Jouni Malinen
13a200a92a FILS: Remove notes about experimental implementation
The standard amendment has been published and there has been sufficient
amount of interoperability testing for FILS to expect the protocol not
to be changed anymore, so remove the notes claiming this to be
experimental and not suitable for production use.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-22 13:33:48 +02:00
Lubomir Rintel
89a7cdd690 crypto: Add option to use getrandom()
According to random(4) manual, /dev/random is essentially deprecated on
Linux for quite some time:

"The /dev/random interface is considered a legacy interface, and
/dev/urandom is preferred and sufficient in all use cases, with the
exception of applications which require randomness during early boot
time; for these applications, getrandom(2) must be used instead, because
it will block until the entropy pool is initialized."

An attempt to use it would cause unnecessary blocking on machines
without a good hwrng even when it shouldn't be needed. Since Linux 3.17,
a getrandom(2) call is available that will block only until the
randomness pool has been seeded.

It is probably not a good default yet as it requires a fairly recent
kernel and glibc (3.17 and 2.25 respectively).

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-01-02 01:24:18 +02:00
Mathy Vanhoef
138205d600 OCV: Add build configuration for channel validation support
Add compilation flags for Operating Channel Verification (OCV) support.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-16 20:31:21 +02:00
Jouni Malinen
55570efe35 Uncomment CONFIG_LIBNL32=y in defconfig
libnl 3.2 release is much more likely to be used nowadays than the
versions using the older API, so uncomment this in wpa_supplicant and
hostapd defconfig.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-02 21:34:59 +02:00
Jouni Malinen
ee2c6bb5e5 Remove CONFIG_IEEE80211R_AP=y build option from wpa_supplicant
There is no existing mechanism for setting up AP mode functionality with
FT enabled, so there is not really much point in having a build option
for trying to include the AP-to-AP FT functionality into wpa_supplicant
either. Since this build option results in failures to complete the
build, simply remove it completely. This can be restored if there is
ever desire to enable FT functionality in wpa_supplicant controlled AP
mode.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-04-02 17:00:45 +03:00
Jaap Keuter
208263c014 Add config information related to MACsec
Add examples of relevant top level CONFIG clauses for wpa_supplicant
MACsec support to defconfig.

Extend the example of MACsec related network configuration. Also bring
them in line with the format of the other example network configurations.

Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
2018-04-01 21:58:57 +03:00
Jouni Malinen
a0bf1b68c0 Remove all PeerKey functionality
This was originally added to allow the IEEE 802.11 protocol to be
tested, but there are no known fully functional implementations based on
this nor any known deployments of PeerKey functionality. Furthermore,
PeerKey design in the IEEE Std 802.11-2016 standard has already been
marked as obsolete for DLS and it is being considered for complete
removal in REVmd.

This implementation did not really work, so it could not have been used
in practice. For example, key configuration was using incorrect
algorithm values (WPA_CIPHER_* instead of WPA_ALG_*) which resulted in
mapping to an invalid WPA_ALG_* value for the actual driver operation.
As such, the derived key could not have been successfully set for the
link.

Since there are bugs in this implementation and there does not seem to
be any future for the PeerKey design with DLS (TDLS being the future for
DLS), the best approach is to simply delete all this code to simplify
the EAPOL-Key handling design and to get rid of any potential issues if
these code paths were accidentially reachable.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 02:03:47 +03:00
Beniamino Galvani
2b9891bd6e OpenSSL: Add build option to select default ciphers
Add a build option to select different default ciphers for OpenSSL
instead of the hardcoded default "DEFAULT:!EXP:!LOW".

This new option is useful on distributions where the security level
should be consistent for all applications, as in Fedora [1]. In such
cases the new configuration option would be set to "" or
"PROFILE=SYSTEM" to select the global crypto policy by default.

[1] https://fedoraproject.org/wiki/Changes/CryptoPolicy

Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
2017-07-17 11:55:22 +03:00
Jouni Malinen
76e20f4fa7 FILS: Add FILS SK auth PFS support in STA mode
This adds an option to configure wpa_supplicant to use the perfect
forward secrecy option in FILS shared key authentication. A new build
option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A
new runtime network profile parameter fils_dh_group is used to enable
this by specifying which DH group to use. For example, fils_dh_group=19
would use FILS SK PFS with a 256-bit random ECP group.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 23:20:32 +02:00
Jouni Malinen
6115238492 OWE: Add CONFIG_OWE=y build option
This can be used to enable OWE support in hostapd and wpa_supplicant
builds.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 20:43:06 +02:00
Jouni Malinen
206516e8c2 af_alg: Crypto wrappers for Linux kernel crypto (AF_ALG)
CONFIG_TLS=linux can now be used to select the crypto implementation
that uses the user space socket interface (AF_ALG) for the Linux kernel
crypto implementation. This commit includes some of the cipher, hash,
and HMAC functions. The functions that are not available through AF_ALG
(e.g., the actual TLS implementation) use the internal implementation
(CONFIG_TLS=internal).

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-28 11:24:15 +02:00
Jouni Malinen
784710b7ff Add bgscan options to wpa_supplicant defconfig
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-11 10:21:24 +02:00
Jouni Malinen
212a8f487f Fix wpa_supplicant defconfig copy-paste description
This is obviously for the wpa_supplicant binary, not hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-11 10:12:16 +02:00
Masashi Honma
ce691a8d96 Add CONFIG_MESH into wpa_supplicant defconfig
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2016-12-30 23:59:47 +02:00
Jouni Malinen
3459381dd2 External persistent storage for PMKSA cache entries
This adds new wpa_supplicant control interface commands PMKSA_GET and
PMKSA_ADD that can be used to store PMKSA cache entries in an external
persistent storage when terminating a wpa_supplicant process and then
restore those entries when starting a new process. The previously added
PMKSA-CACHE-ADDED/REMOVED events can be used to help in synchronizing
the external storage with the memory-only volatile storage within
wpa_supplicant.

"PMKSA_GET <network_id>" fetches all stored PMKSA cache entries bound to
a specific network profile. The network_id of the current profile is
available with the STATUS command (id=<network_id). In addition, the
network_id is included in the PMKSA-CACHE-ADDED/REMOVED events. The
output of the PMKSA_GET command uses the following format:

<BSSID> <PMKID> <PMK> <reauth_time in seconds> <expiration in seconds>
<akmp> <opportunistic>

For example:

02:00:00:00:03:00 113b8b5dc8eda16594e8274df4caa3d4 355e98681d09e0b69d3a342f96998aa765d10c4459ac592459b5efc6b563eff6 30240 43200 1 0
02:00:00:00:04:00 bbdac8607aaaac28e16aacc9152ffe23 e3dd6adc390e685985e5f40e6fe72df846a0acadc59ba15c208d9cb41732a663 30240 43200 1 0

The PMKSA_GET command uses the following format:

<network_id> <BSSID> <PMKID> <PMK> <reauth_time in seconds> <expiration
in seconds> <akmp> <opportunistic>

(i.e., "PMKSA_ADD <network_id> " prefix followed by a line of PMKSA_GET
output data; however, the reauth_time and expiration values need to be
updated by decrementing them by number of seconds between the PMKSA_GET
and PMKSA_ADD commands)

For example:

PMKSA_ADD 0 02:00:00:00:03:00 113b8b5dc8eda16594e8274df4caa3d4 355e98681d09e0b69d3a342f96998aa765d10c4459ac592459b5efc6b563eff6 30140 43100 1 0
PMKSA_ADD 0 02:00:00:00:04:00 bbdac8607aaaac28e16aacc9152ffe23 e3dd6adc390e685985e5f40e6fe72df846a0acadc59ba15c208d9cb41732a663 30140 43100 1 0

This functionality is disabled be default and can be enabled with
CONFIG_PMKSA_CACHE_EXTERNAL=y build configuration option. It should be
noted that this allows any process that has access to the wpa_supplicant
control interface to use PMKSA_ADD command to fetch keying material
(PMK), so this is for environments in which the control interface access
is restricted.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-12 23:47:04 +02:00
Ilan Peer
4ec1fd8e42 FT: Differentiate between FT for station and for AP in build
Previously, CONFIG_IEEE80211R enabled build that supports FT for both
station mode and AP mode. However, in most wpa_supplicant cases only
station mode FT is required and there is no need for AP mode FT.

Add support to differentiate between station mode FT and AP mode FT in
wpa_supplicant builds by adding CONFIG_IEEE80211R_AP that should be used
when AP mode FT support is required in addition to station mode FT. This
allows binary size to be reduced for builds that require only the
station side FT functionality.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2016-10-29 22:14:54 +03:00
Jouni Malinen
913c3e1e83 Add CONFIG_IBSS_RSN=y into wpa_supplicant defconfig
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-28 19:39:13 +03:00
Jouni Malinen
9b7a2b836a FILS: Add wpa_supplicant configuration options
This adds CONFIG_FILS=y build configuration option and new key
management options for FILS authentication.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:44 +03:00