Credentials can now be configured with more than one FQDN ('domain'
field in the cred block) to perform Domain Name List matching against
multiple home domains.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The new domain_suffix_match (and domain_suffix_match2 for Phase 2
EAP-TLS) can now be used to specify an additional constraint for the
server certificate domain name. If set, one of the dNSName values (or if
no dNSName is present, one of the commonName values) in the certificate
must have a suffix match with the specified value. Suffix match is done
based on full domain name labels, i.e., "example.com" matches
"test.example.com" but not "test-example.com".
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Record all generated per-client PSKs in the persistent group network
block and configure these for the GO Authenticator whenever re-starting
the persistent group. This completes per-client PSK support for
persistent groups.
Signed-hostap: Jouni Malinen <j@w1.fi>
If a VIF is already associated, then only scan on the associated
frequency if user requests such. This is a big help when using
lots of virtual stations.
Signed-hostap: Ben Greear <greearb@candelatech.com>
Signed-off-by: Ben Greear <greearb@candelatech.com>
The new sched_scan_interval parameter can be used to set the default
sched_scan interval, e.g., for power saving purposes.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This allows one to limit the channels that wpa_supplicant will
scan. This is a useful addition to the freq_list configurable
in the network {} section.
Signed-hostap: Ben Greear <greearb@candelatech.com>
This option can be used only for global parameters that are not going
to be changed from settings.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Signed-off-by: Iliyan Malchev <malchev@google.com>
This can be used to configure wpa_supplicant to ignore old scan results
from the driver cache in cases where such results were not updated after
the scan trigger from wpa_supplicant. This can be useful in some cases
where the driver may cache information for a significant time and the AP
configuration is changing. Many such cases are for testing scripts, but
this could potentially be useful for some WPS use cases, too.
Signed-hostap: Jouni Malinen <j@w1.fi>
Commit b277a2bebc added a new global
configuration parameter, but forgot to update configuration file saving
to store this.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This new parameter allows wpa_supplicant AP mode operations to use
similar design to the vendor_elements parameter in hostapd to add
vendor_elements into Beacon/Probe Response IE parameters.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
beacon_int (in TU) can now be used to configure Beacon interval for AP
mode operations (including P2P GO) in wpa_supplicant. This can be set
either in a network block or as a global parameter in the configuration
file (or with "SET beacon_int <value>" control interface command) to
apply for all networks that do not include the beacon_int parameter to
override the default.
In addition, this commits extends the dtim_period parameter to be
available as a global parameter to set the default value. dtim_period is
now stored in the configuration file, too, if it was set.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
"WPS_NFC_TOKEN <WPS/NDEF>" used to generate a new NFC password token
regardless of whether there was a pre-configured token in the
configuration. Change this to use the pre-configured value, if
available, instead. This allows the same command to be used to write the
password token to an NFC tag more conveniently.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
hostapd.conf sae_groups parameter can now be used to limit the set of
groups that the AP allows for SAE. Similarly, sae_groups parameter is
wpa_supplicant.conf can be used to set the preferred order of groups. By
default, all implemented groups are enabled.
Signed-hostap: Jouni Malinen <j@w1.fi>
In case of wpa_supplicant IBSS and AP modes after we will call wpa_cli
save command we should also save configured frequency. In other case
after wpa_supplicant restart we have frequency = 0 and AP start will
fail.
Signed-hostap: Janusz Dziedzic <janusz.dziedzic@tieto.com>
The new excluded_ssid parameter within a cred block can be used to
excluded networks from matching with credentials.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Number of cred block fields were not saved when wpa_supplicant is
writing the configuration file.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, PMF (protected management frames, IEEE 802.11w) could be
enabled only with a per-network parameter (ieee80211w). The new global
parameter (pmf) can now be used to change the default behavior to be PMF
enabled (pmf=1) or required (pmf=2) for network blocks that do not
override this with the ieee80211w parameter.
Signed-hostap: Jouni Malinen <j@w1.fi>
Previously, OKC (opportunistic key caching, a.k.a. proactive key
caching) could be enabled only with a per-network parameter
(proactive_key_caching). The new global parameter (okc) can now be used
to change the default behavior to be OKC enabled (okc=1) for network
blocks that do not override this with the proactive_key_caching
parameter.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The new p2p_no_group_iface=1 configuration parameter can now be used to
disable the default behavior of adding a separate interface for the P2P
group when driver support for concurrent interfaces is available.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
By default, P2P is enabled globally for all virtual interfaces and this
makes wpa_supplicant include WSC and P2P IEs in Probe Request frames for
all scans even if this is for a non-P2P station connection to speed up
device discovery. If an interface is dedicated for non-P2P station mode
operations, it is now possible to disable addition of WSC and P2P IEs
into Probe Request frames with a per-interface p2p_disabled parameter.
This can be set either in the configuration file (p2p_disabled=1) or at
run time ("wpa_cli -i wlan0 set p2p_disabled 1"). Unlike the previous
mechanism ("wpa_cli p2p_set disabled 1"), the new parameter changes the
behavior only for the specified interface while other interfaces
continue to follow the global P2P enabled/disabled state.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
When specified in the conf file this parameter will make all invocations
of p2p_group_add, p2p_connect, and p2p_invite behave as if "ht40" has
been specified on the command line. This shouldn't do harm since
regulatory constraints and driver capabilities are consulted anyway
before starting HT40 mode.
Signed-hostap: Arik Nemtsov <arik@wizery.com>
auto_interworking=1 configuration parameter can be used to request
wpa_supplicant to use Interworking network selection automatically as a
part of the normal (non-Interworking) network selection if the scan
results do not match with enabled networks. This makes scanning work
similarly to the "interworking_select auto" command.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Skip the end of long configuration lines that get truncated in
wpa_config_get_line(). Without this, the rest of the file was being
parsed as another line and that resulted in an unexpected error
message (wrong line number and wrong starting point).
In addition, increase the read buffer for network blocks from 256
to 2000 since p2p_client_list parameter can have long values. These
were supposed to truncated cleanly, but the unexpected processing of
the end of the file (which is now fixed in this commit) could cause
configuration file to be rejected.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
This enables setting a different max inactivity timeout for P2P GO.
This timeout is used to detect inactive clients. In some scenarios
it may be useful to have control over this and set a shorter timeout
than the default 300s. For example when running STA and P2P GO interfaces
concurrently, the STA interface may perform scans which may cause the
GO to miss a disassoc / deauth frames from a client and keep assuming
that the client is connected until the inactivity detection kicks in.
300 secs is a bit too long for such scenarios and creates a bad user
experience.
Signed-hostap: Eyal Shapira <eyal@wizery.com>
This new mechanism can be used to make wpa_supplicant using external
storage (e.g., key store in the operating system) for passwords,
passphrases, and PSKs. This commit is only adding the framework part
needed to support this, i.e., no actual configuration parameter can
yet use this new mechanism. In addition, only a simple test backend
is added to allow developer testing of the functionality.
Signed-hostap: Jouni Malinen <j@w1.fi>
Instead of rejecting network blocks without PSK/passphrase at the time
the configuration file is read, allow such configuration to be loaded
and only behave as if the network block with missing PSK/passphrase is
disabled.
Signed-hostap: Jouni Malinen <j@w1.fi>
Instead of requiring low-level access to an NFC device and synchronous
operations, the new WPS_NFC_TOKEN and WPS_NFC ctrl_iface commands can be
used to build a NFC password token and initiate WPS protocol run using
that token (or pre-configured values) as separate commands. The
WPS_NFC_TOKEN output can be written to a NFC tag using an external
program, i.e., wpa_supplicant does not need to have low-level code for
NFC operations for this.
Signed-hostap: Jouni Malinen <j@w1.fi>
This workaround for Windows 7 WPS probing mechanism was previously
allowed only with hostapd, but the same interoperability issue can
happen with wpa_supplicant AP/GO mode. Allow the workaround to be
enabled in wpa_supplicant configuration for these uses.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This new configuration parameter can be used to disable automatic
offloading of scan requests to the driver which was previously used
by default if the driver supported sched_scan.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
There is no need to force this configuration parameter to be written
into the configuration file for each network block that has not modified
the default value.
Signed-hostap: Jouni Malinen <j@w1.fi>
wps_vendor_ext_m1 configuration parameter can now be used to add a
vendor specific attribute into the WPS M1 message, e.g., for
Windows Vertical Pairing.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
A network block specific background scan period can now be configured
for drivers that implement internal background scan mechanism for
roaming and BSS selection.
Signed-hostap: Bala Shanmugam <bkamatch@qca.qualcomm.com>
p2p_pref_chan configuration parameter can now be used to set the
list of preferred channel for P2P GO Negotiation. This will be used
in the priority order if the peer does not support the channel we
are trying to use as the GO (configured operating channel or the
best 2.4 GHz/5 GHz channel) for the case where a forced channel is
not used.
p2p_pref_chan=<op class:channel>,...
For example:
p2p_pref_chan=81:1,81:2,81:3,81:4,81:5,81:6
This would configure 2.4 GHz channels 1-6 as the preferred ones with
channel 1 the most preferred option.
These configuration parameters can be set in wpa_supplicant.conf and
dynamically updated with "wpa_cli set <param> <value>".
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
New global configuration parameters pcsc_reader and pcsc_pin can now be
used to initialize PC/SC reader context at start of wpa_supplicant.
Signed-hostap: Jouni Malinen <j@w1.fi>
This allows credentials to be set with a specific priority to allow
the automatic network selection behavior to be controlled with user
preferences. The priority values are configured to the network block
and BSS selection will select the network based on priorities from
both pre-configured network blocks and credentials.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This replaces the global home_* parameters with a list of credentials
that can be configured similarly to network blocks. For example:
cred={
realm="example.com"
username="user@example.com"
password="password"
ca_cert="/etc/wpa_supplicant/ca.pem"
domain="example.com"
}
cred={
imsi="310026-000000000"
milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
}
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Add a new persistent group network block field, p2p_client_list, to
maintain a list of P2P Clients that have connected to a persistent
group. This allows GO of a persistent group to figure out more easily
whether re-invocation of a persistent group can be used with a specific
peer device.
Signed-hostap: Jouni Malinen <j@w1.fi>
This cleans up the source code and makes it less likely that new AKM
addition misses some needed changes in the future.
Signed-hostap: Jouni Malinen <j@w1.fi>
wpa_supplicant is going to reject a configuration file that uses
WPA/WPA2-Personal (the default key_mgmt), but does not define
passphrase/PSK. Refuse to save such a configuration to avoid getting
stuck with a configuration that wpa_supplicant will reject.
Signed-hostap: Jouni Malinen <j@w1.fi>
This is the default value if device_type is not set, so do not
write it to the wpa_supplicant configuration file when saving
updated configuration.
Signed-hostap: Jouni Malinen <j@w1.fi>
New configuration parameters home_imsi and home_milenage can be used
to configure SIM/USIM simulator parameters for network selection based
on SIM/USIM credentials.
home_imsi=(MCC | MNC | '-' | rest of IMSI)
home_milenage=(Ki):(OPc):(SQN)
For example:
home_imsi=310026-000000000
home_milenage=90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123
Add support for network selection for username/password credentials with
EAP-TTLS and EAP-PEAP. The new global configuration parameters
home_username, home_password, and home_ca_cert can be used to specify
credentials for network selection.
The new wpa_supplicant.conf file global parameters interworking and
hessid can be used to configure wpa_supplicant to include
Interworking element in Probe Request frames.
Replace compile-time BSS cache expiration age and scan count by config
parameters that can be set via wpa_cli and the new D-Bus API. The latter
is done with interface properties BSSExpireAge and BSSExpireCount.
Instead of converting back and forth from the string representation,
always use the binary representation internally.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
The nl80211 driver can report low ACK condition (in fact it reports
complete loss right now only). Use that, along with a config option, to
disconnect stations when the data connection is not working properly,
e.g., due to the STA having went outside the range of the AP. This is
disabled by default and can be enabled with disassoc_low_ack=1 in
hostapd or wpa_supplicant configuration file.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This is an option to continue with wpa_supplicant and hostapd even if
config file has errors. The problem is that these daemons are the best
"candidates" for the config change, so if they can not start because
config file was let's say corrupted, you can not fix it easily.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
A new configuration parameter, p2p_group_idle, can now be used to set
idle timeout value for P2P groups in seconds (0 = no timeout). If set,
this values is used to remove P2P group (both GO and P2P client)
interfaces after the group has been idle (no clients/GO seen) for the
configuration duration.
The P2P-GROUP-REMOVED event is now indicating the reason for group
removal when known. For example:
P2P-GROUP-REMOVED wlan0 GO reason=REQUESTED
P2P-GROUP-REMOVED wlan1 client reason=IDLE
filter_ssids=1 global configuration parameter can now be used to
enable scan result filtering (with -Dnl80211 only for now) based on
the configured SSIDs. In other words, only the scan results that have
an SSID matching with one of the configured networks are included in the
BSS table. This can be used to reduce memory needs in environments that
have huge number of APs.
New global configuration parameter bss_max_count can now be used to
change the maximum BSS table size. The old fixed size limit (200) is
used as the default value for this parameter.
This adds config_methods configuration option for wpa_supplicant
following the design used in hostapd. In addition, the string is
now parsed in common code from src/wps/wps_common.c and the list
of configurable methods include all the defined methods from
WPS 1.0h spec.
The following defines are not really needed in most places, so
remove them to clean up source code and build scripts:
EAP_TLS_FUNCS
EAP_TLS_OPENSSL
EAP_TLS_GNUTLS
CONFIG_TLS_INTERNAL
The wps_cred_process option can be used to configure wpa_supplicant to
send received Credential attributes for external processing over
ctrl_iface and dbus. This allows external programs to update their
configuration when WPS is used to provision new networks.
This adds support for setting of a regulatory domain to wpa_supplicant
drivers. It also adds regulatory domain setting for the nl80211 driver.
We expect an ISO / IEC 3166 alpha2 in the wpa configuration file as a
global.
This adds WPS support for both hostapd and wpa_supplicant. Both programs
can be configured to act as WPS Enrollee and Registrar. Both PBC and PIN
methods are supported.
Currently, hostapd has more complete configuration option for WPS
parameters and wpa_supplicant configuration style will likely change in
the future. External Registrars are not yet supported in hostapd or
wpa_supplicant. While wpa_supplicant has initial support for acting as
an Registrar to configure an AP, this is still using number of hardcoded
parameters which will need to be made configurable for proper operation.
I fixed the engine issue in phase2 of EAP-TTLS. The problem was that you
only defined one engine variable, which was read already in phase1. I
defined some new variables:
engine2
engine2_id
pin2
and added support to read those in phase2 wheres all the engine
variables without number are only read in phase1. That solved it and I
am now able to use an engine also in EAP-TTLS phase2.
IEEE 802.11w/D6.0 defines new AKMPs to indicate SHA256-based algorithms for
key derivation (and AES-CMAC for EAPOL-Key MIC). Add support for using new
AKMPs and clean up AKMP processing with helper functions in defs.h.