From 70c7cea4a716f8723d51aeb202793546a4b2acbb Mon Sep 17 00:00:00 2001 From: Alexandre Perrin Date: Tue, 27 May 2014 15:53:13 +0200 Subject: [PATCH 2/2] hostapd / wpa_supplicant: update to 2.1 - Added hostapd.conf and wpa_supplicant.conf to etc - updated share/initrd/etc/wpa_supplicant.conf with the vendor version, - minors man fixes taken from FreeBSD head, - major Makefile overhaul in usr.sbin/802_11 based on FreeBSD head, - use the vendor's driver_wired and driver_bsd, - l2_packet.c is a copy of the vendor's l2_packet/l2_packet_freebsd. --- etc/Makefile | 1 + etc/hostapd.conf | 1663 ++++++++++++++++++++ etc/wpa_supplicant.conf | 1273 +++++++++++++++ share/initrd/etc/wpa_supplicant.conf | 1277 ++++++++++++++- usr.sbin/802_11/Makefile.crypto | 133 ++ usr.sbin/802_11/Makefile.inc | 4 +- usr.sbin/802_11/hostapd/Makefile | 145 +- usr.sbin/802_11/hostapd/hostapd.8 | 11 +- usr.sbin/802_11/hostapd/hostapd.conf.5 | 11 +- usr.sbin/802_11/hostapd_cli/Makefile | 2 +- usr.sbin/802_11/hostapd_cli/hostapd_cli.8 | 6 +- usr.sbin/802_11/l2_packet.c | 255 +-- usr.sbin/802_11/ndis_events/Makefile | 1 + usr.sbin/802_11/ndis_events/ndis_events.8 | 8 +- usr.sbin/802_11/wpa_cli/Makefile | 7 +- usr.sbin/802_11/wpa_cli/wpa_cli.8 | 8 +- usr.sbin/802_11/wpa_passphrase/Makefile | 5 +- usr.sbin/802_11/wpa_passphrase/wpa_passphrase.8 | 7 +- usr.sbin/802_11/wpa_supplicant/Makefile | 167 +- usr.sbin/802_11/wpa_supplicant/driver_dragonfly.c | 909 ----------- usr.sbin/802_11/wpa_supplicant/driver_wired.c | 185 --- usr.sbin/802_11/wpa_supplicant/wpa_supplicant.8 | 14 +- .../802_11/wpa_supplicant/wpa_supplicant.conf.5 | 47 +- 23 files changed, 4723 insertions(+), 1416 deletions(-) create mode 100644 etc/hostapd.conf create mode 100644 etc/wpa_supplicant.conf create mode 100644 usr.sbin/802_11/Makefile.crypto delete mode 100644 usr.sbin/802_11/wpa_supplicant/driver_dragonfly.c delete mode 100644 usr.sbin/802_11/wpa_supplicant/driver_wired.c diff --git a/etc/Makefile b/etc/Makefile index a7ca12c..6ef876f 100644 --- a/etc/Makefile +++ b/etc/Makefile @@ -33,6 +33,7 @@ BIN1= amd.map auth.conf \ nscd.conf pf.conf phones printcap profile \ regdomain.xml remote sensorsd.conf services \ shells sysctl.conf syslog.conf usbd.conf \ + hostapd.conf wpa_supplicant.conf \ etc.${MACHINE_ARCH}/ttys .if defined(BINARY_UPGRADE) # location of these depends on upgrade method BIN1+= manpath.config diff --git a/etc/hostapd.conf b/etc/hostapd.conf new file mode 100644 index 0000000..da7817f --- /dev/null +++ b/etc/hostapd.conf @@ -0,0 +1,1663 @@ +##### hostapd configuration file ############################################## +# Empty lines and lines starting with # are ignored + +# AP netdevice name (without 'ap' postfix, i.e., wlan0 uses wlan0ap for +# management frames); ath0 for madwifi +interface=wlan0 + +# In case of madwifi, atheros, and nl80211 driver interfaces, an additional +# configuration parameter, bridge, may be used to notify hostapd if the +# interface is included in a bridge. This parameter is not used with Host AP +# driver. If the bridge parameter is not set, the drivers will automatically +# figure out the bridge interface (assuming sysfs is enabled and mounted to +# /sys) and this parameter may not be needed. +# +# For nl80211, this parameter can be used to request the AP interface to be +# added to the bridge automatically (brctl may refuse to do this before hostapd +# has been started to change the interface mode). If needed, the bridge +# interface is also created. +#bridge=br0 + +# Driver interface type (hostap/wired/madwifi/test/none/nl80211/bsd); +# default: hostap). nl80211 is used with all Linux mac80211 drivers. +# Use driver=none if building hostapd as a standalone RADIUS server that does +# not control any wireless/wired driver. +# driver=hostap + +# hostapd event logger configuration +# +# Two output method: syslog and stdout (only usable if not forking to +# background). +# +# Module bitfield (ORed bitfield of modules that will be logged; -1 = all +# modules): +# bit 0 (1) = IEEE 802.11 +# bit 1 (2) = IEEE 802.1X +# bit 2 (4) = RADIUS +# bit 3 (8) = WPA +# bit 4 (16) = driver interface +# bit 5 (32) = IAPP +# bit 6 (64) = MLME +# +# Levels (minimum value for logged events): +# 0 = verbose debugging +# 1 = debugging +# 2 = informational messages +# 3 = notification +# 4 = warning +# +logger_syslog=-1 +logger_syslog_level=2 +logger_stdout=-1 +logger_stdout_level=2 + +# Interface for separate control program. If this is specified, hostapd +# will create this directory and a UNIX domain socket for listening to requests +# from external programs (CLI/GUI, etc.) for status information and +# configuration. The socket file will be named based on the interface name, so +# multiple hostapd processes/interfaces can be run at the same time if more +# than one interface is used. +# /var/run/hostapd is the recommended directory for sockets and by default, +# hostapd_cli will use it when trying to connect with hostapd. +ctrl_interface=/var/run/hostapd + +# Access control for the control interface can be configured by setting the +# directory to allow only members of a group to use sockets. This way, it is +# possible to run hostapd as root (since it needs to change network +# configuration and open raw sockets) and still allow GUI/CLI components to be +# run as non-root users. However, since the control interface can be used to +# change the network configuration, this access needs to be protected in many +# cases. By default, hostapd is configured to use gid 0 (root). If you +# want to allow non-root users to use the contron interface, add a new group +# and change this value to match with that group. Add users that should have +# control interface access to this group. +# +# This variable can be a group name or gid. +#ctrl_interface_group=wheel +ctrl_interface_group=0 + + +##### IEEE 802.11 related configuration ####################################### + +# SSID to be used in IEEE 802.11 management frames +ssid=test +# Alternative formats for configuring SSID +# (double quoted string, hexdump, printf-escaped string) +#ssid2="test" +#ssid2=74657374 +#ssid2=P"hello\nthere" + +# UTF-8 SSID: Whether the SSID is to be interpreted using UTF-8 encoding +#utf8_ssid=1 + +# Country code (ISO/IEC 3166-1). Used to set regulatory domain. +# Set as needed to indicate country in which device is operating. +# This can limit available channels and transmit power. +#country_code=US + +# Enable IEEE 802.11d. This advertises the country_code and the set of allowed +# channels and transmit power levels based on the regulatory limits. The +# country_code setting must be configured with the correct country for +# IEEE 802.11d functions. +# (default: 0 = disabled) +#ieee80211d=1 + +# Enable IEEE 802.11h. This enables radar detection and DFS support if +# available. DFS support is required on outdoor 5 GHz channels in most countries +# of the world. This can be used only with ieee80211d=1. +# (default: 0 = disabled) +#ieee80211h=1 + +# Operation mode (a = IEEE 802.11a, b = IEEE 802.11b, g = IEEE 802.11g, +# ad = IEEE 802.11ad (60 GHz); a/g options are used with IEEE 802.11n, too, to +# specify band) +# Default: IEEE 802.11b +hw_mode=g + +# Channel number (IEEE 802.11) +# (default: 0, i.e., not set) +# Please note that some drivers do not use this value from hostapd and the +# channel will need to be configured separately with iwconfig. +# +# If CONFIG_ACS build option is enabled, the channel can be selected +# automatically at run time by setting channel=acs_survey or channel=0, both of +# which will enable the ACS survey based algorithm. +channel=1 + +# ACS tuning - Automatic Channel Selection +# See: http://wireless.kernel.org/en/users/Documentation/acs +# +# You can customize the ACS survey algorithm with following variables: +# +# acs_num_scans requirement is 1..100 - number of scans to be performed that +# are used to trigger survey data gathering of an underlying device driver. +# Scans are passive and typically take a little over 100ms (depending on the +# driver) on each available channel for given hw_mode. Increasing this value +# means sacrificing startup time and gathering more data wrt channel +# interference that may help choosing a better channel. This can also help fine +# tune the ACS scan time in case a driver has different scan dwell times. +# +# Defaults: +#acs_num_scans=5 + +# Beacon interval in kus (1.024 ms) (default: 100; range 15..65535) +beacon_int=100 + +# DTIM (delivery traffic information message) period (range 1..255): +# number of beacons between DTIMs (1 = every beacon includes DTIM element) +# (default: 2) +dtim_period=2 + +# Maximum number of stations allowed in station table. New stations will be +# rejected after the station table is full. IEEE 802.11 has a limit of 2007 +# different association IDs, so this number should not be larger than that. +# (default: 2007) +max_num_sta=255 + +# RTS/CTS threshold; 2347 = disabled (default); range 0..2347 +# If this field is not included in hostapd.conf, hostapd will not control +# RTS threshold and 'iwconfig wlan# rts ' can be used to set it. +rts_threshold=2347 + +# Fragmentation threshold; 2346 = disabled (default); range 256..2346 +# If this field is not included in hostapd.conf, hostapd will not control +# fragmentation threshold and 'iwconfig wlan# frag ' can be used to set +# it. +fragm_threshold=2346 + +# Rate configuration +# Default is to enable all rates supported by the hardware. This configuration +# item allows this list be filtered so that only the listed rates will be left +# in the list. If the list is empty, all rates are used. This list can have +# entries that are not in the list of rates the hardware supports (such entries +# are ignored). The entries in this list are in 100 kbps, i.e., 11 Mbps = 110. +# If this item is present, at least one rate have to be matching with the rates +# hardware supports. +# default: use the most common supported rate setting for the selected +# hw_mode (i.e., this line can be removed from configuration file in most +# cases) +#supported_rates=10 20 55 110 60 90 120 180 240 360 480 540 + +# Basic rate set configuration +# List of rates (in 100 kbps) that are included in the basic rate set. +# If this item is not included, usually reasonable default set is used. +#basic_rates=10 20 +#basic_rates=10 20 55 110 +#basic_rates=60 120 240 + +# Short Preamble +# This parameter can be used to enable optional use of short preamble for +# frames sent at 2 Mbps, 5.5 Mbps, and 11 Mbps to improve network performance. +# This applies only to IEEE 802.11b-compatible networks and this should only be +# enabled if the local hardware supports use of short preamble. If any of the +# associated STAs do not support short preamble, use of short preamble will be +# disabled (and enabled when such STAs disassociate) dynamically. +# 0 = do not allow use of short preamble (default) +# 1 = allow use of short preamble +#preamble=1 + +# Station MAC address -based authentication +# Please note that this kind of access control requires a driver that uses +# hostapd to take care of management frame processing and as such, this can be +# used with driver=hostap or driver=nl80211, but not with driver=madwifi. +# 0 = accept unless in deny list +# 1 = deny unless in accept list +# 2 = use external RADIUS server (accept/deny lists are searched first) +macaddr_acl=0 + +# Accept/deny lists are read from separate files (containing list of +# MAC addresses, one per line). Use absolute path name to make sure that the +# files can be read on SIGHUP configuration reloads. +#accept_mac_file=/etc/hostapd.accept +#deny_mac_file=/etc/hostapd.deny + +# IEEE 802.11 specifies two authentication algorithms. hostapd can be +# configured to allow both of these or only one. Open system authentication +# should be used with IEEE 802.1X. +# Bit fields of allowed authentication algorithms: +# bit 0 = Open System Authentication +# bit 1 = Shared Key Authentication (requires WEP) +auth_algs=3 + +# Send empty SSID in beacons and ignore probe request frames that do not +# specify full SSID, i.e., require stations to know SSID. +# default: disabled (0) +# 1 = send empty (length=0) SSID in beacon and ignore probe request for +# broadcast SSID +# 2 = clear SSID (ASCII 0), but keep the original length (this may be required +# with some clients that do not support empty SSID) and ignore probe +# requests for broadcast SSID +ignore_broadcast_ssid=0 + +# Additional vendor specfic elements for Beacon and Probe Response frames +# This parameter can be used to add additional vendor specific element(s) into +# the end of the Beacon and Probe Response frames. The format for these +# element(s) is a hexdump of the raw information elements (id+len+payload for +# one or more elements) +#vendor_elements=dd0411223301 + +# TX queue parameters (EDCF / bursting) +# tx_queue__ +# queues: data0, data1, data2, data3, after_beacon, beacon +# (data0 is the highest priority queue) +# parameters: +# aifs: AIFS (default 2) +# cwmin: cwMin (1, 3, 7, 15, 31, 63, 127, 255, 511, 1023) +# cwmax: cwMax (1, 3, 7, 15, 31, 63, 127, 255, 511, 1023); cwMax >= cwMin +# burst: maximum length (in milliseconds with precision of up to 0.1 ms) for +# bursting +# +# Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e): +# These parameters are used by the access point when transmitting frames +# to the clients. +# +# Low priority / AC_BK = background +#tx_queue_data3_aifs=7 +#tx_queue_data3_cwmin=15 +#tx_queue_data3_cwmax=1023 +#tx_queue_data3_burst=0 +# Note: for IEEE 802.11b mode: cWmin=31 cWmax=1023 burst=0 +# +# Normal priority / AC_BE = best effort +#tx_queue_data2_aifs=3 +#tx_queue_data2_cwmin=15 +#tx_queue_data2_cwmax=63 +#tx_queue_data2_burst=0 +# Note: for IEEE 802.11b mode: cWmin=31 cWmax=127 burst=0 +# +# High priority / AC_VI = video +#tx_queue_data1_aifs=1 +#tx_queue_data1_cwmin=7 +#tx_queue_data1_cwmax=15 +#tx_queue_data1_burst=3.0 +# Note: for IEEE 802.11b mode: cWmin=15 cWmax=31 burst=6.0 +# +# Highest priority / AC_VO = voice +#tx_queue_data0_aifs=1 +#tx_queue_data0_cwmin=3 +#tx_queue_data0_cwmax=7 +#tx_queue_data0_burst=1.5 +# Note: for IEEE 802.11b mode: cWmin=7 cWmax=15 burst=3.3 + +# 802.1D Tag (= UP) to AC mappings +# WMM specifies following mapping of data frames to different ACs. This mapping +# can be configured using Linux QoS/tc and sch_pktpri.o module. +# 802.1D Tag 802.1D Designation Access Category WMM Designation +# 1 BK AC_BK Background +# 2 - AC_BK Background +# 0 BE AC_BE Best Effort +# 3 EE AC_BE Best Effort +# 4 CL AC_VI Video +# 5 VI AC_VI Video +# 6 VO AC_VO Voice +# 7 NC AC_VO Voice +# Data frames with no priority information: AC_BE +# Management frames: AC_VO +# PS-Poll frames: AC_BE + +# Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e): +# for 802.11a or 802.11g networks +# These parameters are sent to WMM clients when they associate. +# The parameters will be used by WMM clients for frames transmitted to the +# access point. +# +# note - txop_limit is in units of 32microseconds +# note - acm is admission control mandatory flag. 0 = admission control not +# required, 1 = mandatory +# note - here cwMin and cmMax are in exponent form. the actual cw value used +# will be (2^n)-1 where n is the value given here +# +wmm_enabled=1 +# +# WMM-PS Unscheduled Automatic Power Save Delivery [U-APSD] +# Enable this flag if U-APSD supported outside hostapd (eg., Firmware/driver) +#uapsd_advertisement_enabled=1 +# +# Low priority / AC_BK = background +wmm_ac_bk_cwmin=4 +wmm_ac_bk_cwmax=10 +wmm_ac_bk_aifs=7 +wmm_ac_bk_txop_limit=0 +wmm_ac_bk_acm=0 +# Note: for IEEE 802.11b mode: cWmin=5 cWmax=10 +# +# Normal priority / AC_BE = best effort +wmm_ac_be_aifs=3 +wmm_ac_be_cwmin=4 +wmm_ac_be_cwmax=10 +wmm_ac_be_txop_limit=0 +wmm_ac_be_acm=0 +# Note: for IEEE 802.11b mode: cWmin=5 cWmax=7 +# +# High priority / AC_VI = video +wmm_ac_vi_aifs=2 +wmm_ac_vi_cwmin=3 +wmm_ac_vi_cwmax=4 +wmm_ac_vi_txop_limit=94 +wmm_ac_vi_acm=0 +# Note: for IEEE 802.11b mode: cWmin=4 cWmax=5 txop_limit=188 +# +# Highest priority / AC_VO = voice +wmm_ac_vo_aifs=2 +wmm_ac_vo_cwmin=2 +wmm_ac_vo_cwmax=3 +wmm_ac_vo_txop_limit=47 +wmm_ac_vo_acm=0 +# Note: for IEEE 802.11b mode: cWmin=3 cWmax=4 burst=102 + +# Static WEP key configuration +# +# The key number to use when transmitting. +# It must be between 0 and 3, and the corresponding key must be set. +# default: not set +#wep_default_key=0 +# The WEP keys to use. +# A key may be a quoted string or unquoted hexadecimal digits. +# The key length should be 5, 13, or 16 characters, or 10, 26, or 32 +# digits, depending on whether 40-bit (64-bit), 104-bit (128-bit), or +# 128-bit (152-bit) WEP is used. +# Only the default key must be supplied; the others are optional. +# default: not set +#wep_key0=123456789a +#wep_key1="vwxyz" +#wep_key2=0102030405060708090a0b0c0d +#wep_key3=".2.4.6.8.0.23" + +# Station inactivity limit +# +# If a station does not send anything in ap_max_inactivity seconds, an +# empty data frame is sent to it in order to verify whether it is +# still in range. If this frame is not ACKed, the station will be +# disassociated and then deauthenticated. This feature is used to +# clear station table of old entries when the STAs move out of the +# range. +# +# The station can associate again with the AP if it is still in range; +# this inactivity poll is just used as a nicer way of verifying +# inactivity; i.e., client will not report broken connection because +# disassociation frame is not sent immediately without first polling +# the STA with a data frame. +# default: 300 (i.e., 5 minutes) +#ap_max_inactivity=300 +# +# The inactivity polling can be disabled to disconnect stations based on +# inactivity timeout so that idle stations are more likely to be disconnected +# even if they are still in range of the AP. This can be done by setting +# skip_inactivity_poll to 1 (default 0). +#skip_inactivity_poll=0 + +# Disassociate stations based on excessive transmission failures or other +# indications of connection loss. This depends on the driver capabilities and +# may not be available with all drivers. +#disassoc_low_ack=1 + +# Maximum allowed Listen Interval (how many Beacon periods STAs are allowed to +# remain asleep). Default: 65535 (no limit apart from field size) +#max_listen_interval=100 + +# WDS (4-address frame) mode with per-station virtual interfaces +# (only supported with driver=nl80211) +# This mode allows associated stations to use 4-address frames to allow layer 2 +# bridging to be used. +#wds_sta=1 + +# If bridge parameter is set, the WDS STA interface will be added to the same +# bridge by default. This can be overridden with the wds_bridge parameter to +# use a separate bridge. +#wds_bridge=wds-br0 + +# Start the AP with beaconing disabled by default. +#start_disabled=0 + +# Client isolation can be used to prevent low-level bridging of frames between +# associated stations in the BSS. By default, this bridging is allowed. +#ap_isolate=1 + +# Fixed BSS Load value for testing purposes +# This field can be used to configure hostapd to add a fixed BSS Load element +# into Beacon and Probe Response frames for testing purposes. The format is +# :: +#bss_load_test=12:80:20000 + +##### IEEE 802.11n related configuration ###################################### + +# ieee80211n: Whether IEEE 802.11n (HT) is enabled +# 0 = disabled (default) +# 1 = enabled +# Note: You will also need to enable WMM for full HT functionality. +#ieee80211n=1 + +# ht_capab: HT capabilities (list of flags) +# LDPC coding capability: [LDPC] = supported +# Supported channel width set: [HT40-] = both 20 MHz and 40 MHz with secondary +# channel below the primary channel; [HT40+] = both 20 MHz and 40 MHz +# with secondary channel below the primary channel +# (20 MHz only if neither is set) +# Note: There are limits on which channels can be used with HT40- and +# HT40+. Following table shows the channels that may be available for +# HT40- and HT40+ use per IEEE 802.11n Annex J: +# freq HT40- HT40+ +# 2.4 GHz 5-13 1-7 (1-9 in Europe/Japan) +# 5 GHz 40,48,56,64 36,44,52,60 +# (depending on the location, not all of these channels may be available +# for use) +# Please note that 40 MHz channels may switch their primary and secondary +# channels if needed or creation of 40 MHz channel maybe rejected based +# on overlapping BSSes. These changes are done automatically when hostapd +# is setting up the 40 MHz channel. +# Spatial Multiplexing (SM) Power Save: [SMPS-STATIC] or [SMPS-DYNAMIC] +# (SMPS disabled if neither is set) +# HT-greenfield: [GF] (disabled if not set) +# Short GI for 20 MHz: [SHORT-GI-20] (disabled if not set) +# Short GI for 40 MHz: [SHORT-GI-40] (disabled if not set) +# Tx STBC: [TX-STBC] (disabled if not set) +# Rx STBC: [RX-STBC1] (one spatial stream), [RX-STBC12] (one or two spatial +# streams), or [RX-STBC123] (one, two, or three spatial streams); Rx STBC +# disabled if none of these set +# HT-delayed Block Ack: [DELAYED-BA] (disabled if not set) +# Maximum A-MSDU length: [MAX-AMSDU-7935] for 7935 octets (3839 octets if not +# set) +# DSSS/CCK Mode in 40 MHz: [DSSS_CCK-40] = allowed (not allowed if not set) +# PSMP support: [PSMP] (disabled if not set) +# L-SIG TXOP protection support: [LSIG-TXOP-PROT] (disabled if not set) +#ht_capab=[HT40-][SHORT-GI-20][SHORT-GI-40] + +# Require stations to support HT PHY (reject association if they do not) +#require_ht=1 + +# If set non-zero, require stations to perform scans of overlapping +# channels to test for stations which would be affected by 40 MHz traffic. +# This parameter sets the interval in seconds between these scans. This +# is useful only for testing that stations properly set the OBSS interval, +# since the other parameters in the OBSS scan parameters IE are set to 0. +#obss_interval=0 + +##### IEEE 802.11ac related configuration ##################################### + +# ieee80211ac: Whether IEEE 802.11ac (VHT) is enabled +# 0 = disabled (default) +# 1 = enabled +# Note: You will also need to enable WMM for full VHT functionality. +#ieee80211ac=1 + +# vht_capab: VHT capabilities (list of flags) +# +# vht_max_mpdu_len: [MAX-MPDU-7991] [MAX-MPDU-11454] +# Indicates maximum MPDU length +# 0 = 3895 octets (default) +# 1 = 7991 octets +# 2 = 11454 octets +# 3 = reserved +# +# supported_chan_width: [VHT160] [VHT160-80PLUS80] +# Indicates supported Channel widths +# 0 = 160 MHz & 80+80 channel widths are not supported (default) +# 1 = 160 MHz channel width is supported +# 2 = 160 MHz & 80+80 channel widths are supported +# 3 = reserved +# +# Rx LDPC coding capability: [RXLDPC] +# Indicates support for receiving LDPC coded pkts +# 0 = Not supported (default) +# 1 = Supported +# +# Short GI for 80 MHz: [SHORT-GI-80] +# Indicates short GI support for reception of packets transmitted with TXVECTOR +# params format equal to VHT and CBW = 80Mhz +# 0 = Not supported (default) +# 1 = Supported +# +# Short GI for 160 MHz: [SHORT-GI-160] +# Indicates short GI support for reception of packets transmitted with TXVECTOR +# params format equal to VHT and CBW = 160Mhz +# 0 = Not supported (default) +# 1 = Supported +# +# Tx STBC: [TX-STBC-2BY1] +# Indicates support for the transmission of at least 2x1 STBC +# 0 = Not supported (default) +# 1 = Supported +# +# Rx STBC: [RX-STBC-1] [RX-STBC-12] [RX-STBC-123] [RX-STBC-1234] +# Indicates support for the reception of PPDUs using STBC +# 0 = Not supported (default) +# 1 = support of one spatial stream +# 2 = support of one and two spatial streams +# 3 = support of one, two and three spatial streams +# 4 = support of one, two, three and four spatial streams +# 5,6,7 = reserved +# +# SU Beamformer Capable: [SU-BEAMFORMER] +# Indicates support for operation as a single user beamformer +# 0 = Not supported (default) +# 1 = Supported +# +# SU Beamformee Capable: [SU-BEAMFORMEE] +# Indicates support for operation as a single user beamformee +# 0 = Not supported (default) +# 1 = Supported +# +# Compressed Steering Number of Beamformer Antennas Supported: [BF-ANTENNA-2] +# Beamformee's capability indicating the maximum number of beamformer +# antennas the beamformee can support when sending compressed beamforming +# feedback +# If SU beamformer capable, set to maximum value minus 1 +# else reserved (default) +# +# Number of Sounding Dimensions: [SOUNDING-DIMENSION-2] +# Beamformer's capability indicating the maximum value of the NUM_STS parameter +# in the TXVECTOR of a VHT NDP +# If SU beamformer capable, set to maximum value minus 1 +# else reserved (default) +# +# MU Beamformer Capable: [MU-BEAMFORMER] +# Indicates support for operation as an MU beamformer +# 0 = Not supported or sent by Non-AP STA (default) +# 1 = Supported +# +# MU Beamformee Capable: [MU-BEAMFORMEE] +# Indicates support for operation as an MU beamformee +# 0 = Not supported or sent by AP (default) +# 1 = Supported +# +# VHT TXOP PS: [VHT-TXOP-PS] +# Indicates whether or not the AP supports VHT TXOP Power Save Mode +# or whether or not the STA is in VHT TXOP Power Save mode +# 0 = VHT AP doesnt support VHT TXOP PS mode (OR) VHT Sta not in VHT TXOP PS +# mode +# 1 = VHT AP supports VHT TXOP PS mode (OR) VHT Sta is in VHT TXOP power save +# mode +# +# +HTC-VHT Capable: [HTC-VHT] +# Indicates whether or not the STA supports receiving a VHT variant HT Control +# field. +# 0 = Not supported (default) +# 1 = supported +# +# Maximum A-MPDU Length Exponent: [MAX-A-MPDU-LEN-EXP0]..[MAX-A-MPDU-LEN-EXP7] +# Indicates the maximum length of A-MPDU pre-EOF padding that the STA can recv +# This field is an integer in the range of 0 to 7. +# The length defined by this field is equal to +# 2 pow(13 + Maximum A-MPDU Length Exponent) -1 octets +# +# VHT Link Adaptation Capable: [VHT-LINK-ADAPT2] [VHT-LINK-ADAPT3] +# Indicates whether or not the STA supports link adaptation using VHT variant +# HT Control field +# If +HTC-VHTcapable is 1 +# 0 = (no feedback) if the STA does not provide VHT MFB (default) +# 1 = reserved +# 2 = (Unsolicited) if the STA provides only unsolicited VHT MFB +# 3 = (Both) if the STA can provide VHT MFB in response to VHT MRQ and if the +# STA provides unsolicited VHT MFB +# Reserved if +HTC-VHTcapable is 0 +# +# Rx Antenna Pattern Consistency: [RX-ANTENNA-PATTERN] +# Indicates the possibility of Rx antenna pattern change +# 0 = Rx antenna pattern might change during the lifetime of an association +# 1 = Rx antenna pattern does not change during the lifetime of an association +# +# Tx Antenna Pattern Consistency: [TX-ANTENNA-PATTERN] +# Indicates the possibility of Tx antenna pattern change +# 0 = Tx antenna pattern might change during the lifetime of an association +# 1 = Tx antenna pattern does not change during the lifetime of an association +#vht_capab=[SHORT-GI-80][HTC-VHT] +# +# Require stations to support VHT PHY (reject association if they do not) +#require_vht=1 + +# 0 = 20 or 40 MHz operating Channel width +# 1 = 80 MHz channel width +# 2 = 160 MHz channel width +# 3 = 80+80 MHz channel width +#vht_oper_chwidth=1 +# +# center freq = 5 GHz + (5 * index) +# So index 42 gives center freq 5.210 GHz +# which is channel 42 in 5G band +# +#vht_oper_centr_freq_seg0_idx=42 +# +# center freq = 5 GHz + (5 * index) +# So index 159 gives center freq 5.795 GHz +# which is channel 159 in 5G band +# +#vht_oper_centr_freq_seg1_idx=159 + +##### IEEE 802.1X-2004 related configuration ################################## + +# Require IEEE 802.1X authorization +#ieee8021x=1 + +# IEEE 802.1X/EAPOL version +# hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL +# version 2. However, there are many client implementations that do not handle +# the new version number correctly (they seem to drop the frames completely). +# In order to make hostapd interoperate with these clients, the version number +# can be set to the older version (1) with this configuration value. +#eapol_version=2 + +# Optional displayable message sent with EAP Request-Identity. The first \0 +# in this string will be converted to ASCII-0 (nul). This can be used to +# separate network info (comma separated list of attribute=value pairs); see, +# e.g., RFC 4284. +#eap_message=hello +#eap_message=hello\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com + +# WEP rekeying (disabled if key lengths are not set or are set to 0) +# Key lengths for default/broadcast and individual/unicast keys: +# 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits) +# 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits) +#wep_key_len_broadcast=5 +#wep_key_len_unicast=5 +# Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once) +#wep_rekey_period=300 + +# EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if +# only broadcast keys are used) +eapol_key_index_workaround=0 + +# EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable +# reauthentication). +#eap_reauth_period=3600 + +# Use PAE group address (01:80:c2:00:00:03) instead of individual target +# address when sending EAPOL frames with driver=wired. This is the most common +# mechanism used in wired authentication, but it also requires that the port +# is only used by one station. +#use_pae_group_addr=1 + +##### Integrated EAP server ################################################### + +# Optionally, hostapd can be configured to use an integrated EAP server +# to process EAP authentication locally without need for an external RADIUS +# server. This functionality can be used both as a local authentication server +# for IEEE 802.1X/EAPOL and as a RADIUS server for other devices. + +# Use integrated EAP server instead of external RADIUS authentication +# server. This is also needed if hostapd is configured to act as a RADIUS +# authentication server. +eap_server=0 + +# Path for EAP server user database +# If SQLite support is included, this can be set to "sqlite:/path/to/sqlite.db" +# to use SQLite database instead of a text file. +#eap_user_file=/etc/hostapd.eap_user + +# CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS +#ca_cert=/etc/hostapd.ca.pem + +# Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS +#server_cert=/etc/hostapd.server.pem + +# Private key matching with the server certificate for EAP-TLS/PEAP/TTLS +# This may point to the same file as server_cert if both certificate and key +# are included in a single file. PKCS#12 (PFX) file (.p12/.pfx) can also be +# used by commenting out server_cert and specifying the PFX file as the +# private_key. +#private_key=/etc/hostapd.server.prv + +# Passphrase for private key +#private_key_passwd=secret passphrase + +# Server identity +# EAP methods that provide mechanism for authenticated server identity delivery +# use this value. If not set, "hostapd" is used as a default. +#server_id=server.example.com + +# Enable CRL verification. +# Note: hostapd does not yet support CRL downloading based on CDP. Thus, a +# valid CRL signed by the CA is required to be included in the ca_cert file. +# This can be done by using PEM format for CA certificate and CRL and +# concatenating these into one file. Whenever CRL changes, hostapd needs to be +# restarted to take the new CRL into use. +# 0 = do not verify CRLs (default) +# 1 = check the CRL of the user certificate +# 2 = check all CRLs in the certificate path +#check_crl=1 + +# Cached OCSP stapling response (DER encoded) +# If set, this file is sent as a certificate status response by the EAP server +# if the EAP peer requests certificate status in the ClientHello message. +# This cache file can be updated, e.g., by running following command +# periodically to get an update from the OCSP responder: +# openssl ocsp \ +# -no_nonce \ +# -CAfile /etc/hostapd.ca.pem \ +# -issuer /etc/hostapd.ca.pem \ +# -cert /etc/hostapd.server.pem \ +# -url http://ocsp.example.com:8888/ \ +# -respout /tmp/ocsp-cache.der +#ocsp_stapling_response=/tmp/ocsp-cache.der + +# dh_file: File path to DH/DSA parameters file (in PEM format) +# This is an optional configuration file for setting parameters for an +# ephemeral DH key exchange. In most cases, the default RSA authentication does +# not use this configuration. However, it is possible setup RSA to use +# ephemeral DH key exchange. In addition, ciphers with DSA keys always use +# ephemeral DH keys. This can be used to achieve forward secrecy. If the file +# is in DSA parameters format, it will be automatically converted into DH +# params. This parameter is required if anonymous EAP-FAST is used. +# You can generate DH parameters file with OpenSSL, e.g., +# "openssl dhparam -out /etc/hostapd.dh.pem 1024" +#dh_file=/etc/hostapd.dh.pem + +# Fragment size for EAP methods +#fragment_size=1400 + +# Finite cyclic group for EAP-pwd. Number maps to group of domain parameters +# using the IANA repository for IKE (RFC 2409). +#pwd_group=19 + +# Configuration data for EAP-SIM database/authentication gateway interface. +# This is a text string in implementation specific format. The example +# implementation in eap_sim_db.c uses this as the UNIX domain socket name for +# the HLR/AuC gateway (e.g., hlr_auc_gw). In this case, the path uses "unix:" +# prefix. If hostapd is built with SQLite support (CONFIG_SQLITE=y in .config), +# database file can be described with an optional db= parameter. +#eap_sim_db=unix:/tmp/hlr_auc_gw.sock +#eap_sim_db=unix:/tmp/hlr_auc_gw.sock db=/tmp/hostapd.db + +# Encryption key for EAP-FAST PAC-Opaque values. This key must be a secret, +# random value. It is configured as a 16-octet value in hex format. It can be +# generated, e.g., with the following command: +# od -tx1 -v -N16 /dev/random | colrm 1 8 | tr -d ' ' +#pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f + +# EAP-FAST authority identity (A-ID) +# A-ID indicates the identity of the authority that issues PACs. The A-ID +# should be unique across all issuing servers. In theory, this is a variable +# length field, but due to some existing implementations requiring A-ID to be +# 16 octets in length, it is strongly recommended to use that length for the +# field to provid interoperability with deployed peer implementations. This +# field is configured in hex format. +#eap_fast_a_id=101112131415161718191a1b1c1d1e1f + +# EAP-FAST authority identifier information (A-ID-Info) +# This is a user-friendly name for the A-ID. For example, the enterprise name +# and server name in a human-readable format. This field is encoded as UTF-8. +#eap_fast_a_id_info=test server + +# Enable/disable different EAP-FAST provisioning modes: +#0 = provisioning disabled +#1 = only anonymous provisioning allowed +#2 = only authenticated provisioning allowed +#3 = both provisioning modes allowed (default) +#eap_fast_prov=3 + +# EAP-FAST PAC-Key lifetime in seconds (hard limit) +#pac_key_lifetime=604800 + +# EAP-FAST PAC-Key refresh time in seconds (soft limit on remaining hard +# limit). The server will generate a new PAC-Key when this number of seconds +# (or fewer) of the lifetime remains. +#pac_key_refresh_time=86400 + +# EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND +# (default: 0 = disabled). +#eap_sim_aka_result_ind=1 + +# Trusted Network Connect (TNC) +# If enabled, TNC validation will be required before the peer is allowed to +# connect. Note: This is only used with EAP-TTLS and EAP-FAST. If any other +# EAP method is enabled, the peer will be allowed to connect without TNC. +#tnc=1 + + +##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) ####################### + +# Interface to be used for IAPP broadcast packets +#iapp_interface=eth0 + + +##### RADIUS client configuration ############################################# +# for IEEE 802.1X with external Authentication Server, IEEE 802.11 +# authentication with external ACL for MAC addresses, and accounting + +# The own IP address of the access point (used as NAS-IP-Address) +own_ip_addr=127.0.0.1 + +# Optional NAS-Identifier string for RADIUS messages. When used, this should be +# a unique to the NAS within the scope of the RADIUS server. For example, a +# fully qualified domain name can be used here. +# When using IEEE 802.11r, nas_identifier must be set and must be between 1 and +# 48 octets long. +#nas_identifier=ap.example.com + +# RADIUS authentication server +#auth_server_addr=127.0.0.1 +#auth_server_port=1812 +#auth_server_shared_secret=secret + +# RADIUS accounting server +#acct_server_addr=127.0.0.1 +#acct_server_port=1813 +#acct_server_shared_secret=secret + +# Secondary RADIUS servers; to be used if primary one does not reply to +# RADIUS packets. These are optional and there can be more than one secondary +# server listed. +#auth_server_addr=127.0.0.2 +#auth_server_port=1812 +#auth_server_shared_secret=secret2 +# +#acct_server_addr=127.0.0.2 +#acct_server_port=1813 +#acct_server_shared_secret=secret2 + +# Retry interval for trying to return to the primary RADIUS server (in +# seconds). RADIUS client code will automatically try to use the next server +# when the current server is not replying to requests. If this interval is set, +# primary server will be retried after configured amount of time even if the +# currently used secondary server is still working. +#radius_retry_primary_interval=600 + + +# Interim accounting update interval +# If this is set (larger than 0) and acct_server is configured, hostapd will +# send interim accounting updates every N seconds. Note: if set, this overrides +# possible Acct-Interim-Interval attribute in Access-Accept message. Thus, this +# value should not be configured in hostapd.conf, if RADIUS server is used to +# control the interim interval. +# This value should not be less 600 (10 minutes) and must not be less than +# 60 (1 minute). +#radius_acct_interim_interval=600 + +# Request Chargeable-User-Identity (RFC 4372) +# This parameter can be used to configure hostapd to request CUI from the +# RADIUS server by including Chargeable-User-Identity attribute into +# Access-Request packets. +#radius_request_cui=1 + +# Dynamic VLAN mode; allow RADIUS authentication server to decide which VLAN +# is used for the stations. This information is parsed from following RADIUS +# attributes based on RFC 3580 and RFC 2868: Tunnel-Type (value 13 = VLAN), +# Tunnel-Medium-Type (value 6 = IEEE 802), Tunnel-Private-Group-ID (value +# VLANID as a string). Optionally, the local MAC ACL list (accept_mac_file) can +# be used to set static client MAC address to VLAN ID mapping. +# 0 = disabled (default) +# 1 = option; use default interface if RADIUS server does not include VLAN ID +# 2 = required; reject authentication if RADIUS server does not include VLAN ID +#dynamic_vlan=0 + +# VLAN interface list for dynamic VLAN mode is read from a separate text file. +# This list is used to map VLAN ID from the RADIUS server to a network +# interface. Each station is bound to one interface in the same way as with +# multiple BSSIDs or SSIDs. Each line in this text file is defining a new +# interface and the line must include VLAN ID and interface name separated by +# white space (space or tab). +# If no entries are provided by this file, the station is statically mapped +# to . interfaces. +#vlan_file=/etc/hostapd.vlan + +# Interface where 802.1q tagged packets should appear when a RADIUS server is +# used to determine which VLAN a station is on. hostapd creates a bridge for +# each VLAN. Then hostapd adds a VLAN interface (associated with the interface +# indicated by 'vlan_tagged_interface') and the appropriate wireless interface +# to the bridge. +#vlan_tagged_interface=eth0 + +# Bridge (prefix) to add the wifi and the tagged interface to. This gets the +# VLAN ID appended. It defaults to brvlan%d if no tagged interface is given +# and br%s.%d if a tagged interface is given, provided %s = tagged interface +# and %d = VLAN ID. +#vlan_bridge=brvlan + +# When hostapd creates a VLAN interface on vlan_tagged_interfaces, it needs +# to know how to name it. +# 0 = vlan, e.g., vlan1 +# 1 = ., e.g. eth0.1 +#vlan_naming=0 + +# Arbitrary RADIUS attributes can be added into Access-Request and +# Accounting-Request packets by specifying the contents of the attributes with +# the following configuration parameters. There can be multiple of these to +# add multiple attributes. These parameters can also be used to override some +# of the attributes added automatically by hostapd. +# Format: [:] +# attr_id: RADIUS attribute type (e.g., 26 = Vendor-Specific) +# syntax: s = string (UTF-8), d = integer, x = octet string +# value: attribute value in format indicated by the syntax +# If syntax and value parts are omitted, a null value (single 0x00 octet) is +# used. +# +# Additional Access-Request attributes +# radius_auth_req_attr=[:] +# Examples: +# Operator-Name = "Operator" +#radius_auth_req_attr=126:s:Operator +# Service-Type = Framed (2) +#radius_auth_req_attr=6:d:2 +# Connect-Info = "testing" (this overrides the automatically generated value) +#radius_auth_req_attr=77:s:testing +# Same Connect-Info value set as a hexdump +#radius_auth_req_attr=77:x:74657374696e67 + +# +# Additional Accounting-Request attributes +# radius_acct_req_attr=[:] +# Examples: +# Operator-Name = "Operator" +#radius_acct_req_attr=126:s:Operator + +# Dynamic Authorization Extensions (RFC 5176) +# This mechanism can be used to allow dynamic changes to user session based on +# commands from a RADIUS server (or some other disconnect client that has the +# needed session information). For example, Disconnect message can be used to +# request an associated station to be disconnected. +# +# This is disabled by default. Set radius_das_port to non-zero UDP port +# number to enable. +#radius_das_port=3799 +# +# DAS client (the host that can send Disconnect/CoA requests) and shared secret +#radius_das_client=192.168.1.123 shared secret here +# +# DAS Event-Timestamp time window in seconds +#radius_das_time_window=300 +# +# DAS require Event-Timestamp +#radius_das_require_event_timestamp=1 + +##### RADIUS authentication server configuration ############################## + +# hostapd can be used as a RADIUS authentication server for other hosts. This +# requires that the integrated EAP server is also enabled and both +# authentication services are sharing the same configuration. + +# File name of the RADIUS clients configuration for the RADIUS server. If this +# commented out, RADIUS server is disabled. +#radius_server_clients=/etc/hostapd.radius_clients + +# The UDP port number for the RADIUS authentication server +#radius_server_auth_port=1812 + +# Use IPv6 with RADIUS server (IPv4 will also be supported using IPv6 API) +#radius_server_ipv6=1 + + +##### WPA/IEEE 802.11i configuration ########################################## + +# Enable WPA. Setting this variable configures the AP to require WPA (either +# WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either +# wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK. +# Instead of wpa_psk / wpa_passphrase, wpa_psk_radius might suffice. +# For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys), +# RADIUS authentication server must be configured, and WPA-EAP must be included +# in wpa_key_mgmt. +# This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0) +# and/or WPA2 (full IEEE 802.11i/RSN): +# bit0 = WPA +# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled) +#wpa=1 + +# WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit +# secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase +# (8..63 characters) that will be converted to PSK. This conversion uses SSID +# so the PSK changes when ASCII passphrase is used and the SSID is changed. +# wpa_psk (dot11RSNAConfigPSKValue) +# wpa_passphrase (dot11RSNAConfigPSKPassPhrase) +#wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef +#wpa_passphrase=secret passphrase + +# Optionally, WPA PSKs can be read from a separate text file (containing list +# of (PSK,MAC address) pairs. This allows more than one PSK to be configured. +# Use absolute path name to make sure that the files can be read on SIGHUP +# configuration reloads. +#wpa_psk_file=/etc/hostapd.wpa_psk + +# Optionally, WPA passphrase can be received from RADIUS authentication server +# This requires macaddr_acl to be set to 2 (RADIUS) +# 0 = disabled (default) +# 1 = optional; use default passphrase/psk if RADIUS server does not include +# Tunnel-Password +# 2 = required; reject authentication if RADIUS server does not include +# Tunnel-Password +#wpa_psk_radius=0 + +# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The +# entries are separated with a space. WPA-PSK-SHA256 and WPA-EAP-SHA256 can be +# added to enable SHA256-based stronger algorithms. +# (dot11RSNAConfigAuthenticationSuitesTable) +#wpa_key_mgmt=WPA-PSK WPA-EAP + +# Set of accepted cipher suites (encryption algorithms) for pairwise keys +# (unicast packets). This is a space separated list of algorithms: +# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] +# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] +# Group cipher suite (encryption algorithm for broadcast and multicast frames) +# is automatically selected based on this configuration. If only CCMP is +# allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise, +# TKIP will be used as the group cipher. +# (dot11RSNAConfigPairwiseCiphersTable) +# Pairwise cipher for WPA (v1) (default: TKIP) +#wpa_pairwise=TKIP CCMP +# Pairwise cipher for RSN/WPA2 (default: use wpa_pairwise value) +#rsn_pairwise=CCMP + +# Time interval for rekeying GTK (broadcast/multicast encryption keys) in +# seconds. (dot11RSNAConfigGroupRekeyTime) +#wpa_group_rekey=600 + +# Rekey GTK when any STA that possesses the current GTK is leaving the BSS. +# (dot11RSNAConfigGroupRekeyStrict) +#wpa_strict_rekey=1 + +# Time interval for rekeying GMK (master key used internally to generate GTKs +# (in seconds). +#wpa_gmk_rekey=86400 + +# Maximum lifetime for PTK in seconds. This can be used to enforce rekeying of +# PTK to mitigate some attacks against TKIP deficiencies. +#wpa_ptk_rekey=600 + +# Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up +# roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN +# authentication and key handshake before actually associating with a new AP. +# (dot11RSNAPreauthenticationEnabled) +#rsn_preauth=1 +# +# Space separated list of interfaces from which pre-authentication frames are +# accepted (e.g., 'eth0' or 'eth0 wlan0wds0'. This list should include all +# interface that are used for connections to other APs. This could include +# wired interfaces and WDS links. The normal wireless data interface towards +# associated stations (e.g., wlan0) should not be added, since +# pre-authentication is only used with APs other than the currently associated +# one. +#rsn_preauth_interfaces=eth0 + +# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e) is +# allowed. This is only used with RSN/WPA2. +# 0 = disabled (default) +# 1 = enabled +#peerkey=1 + +# ieee80211w: Whether management frame protection (MFP) is enabled +# 0 = disabled (default) +# 1 = optional +# 2 = required +#ieee80211w=0 + +# Association SA Query maximum timeout (in TU = 1.024 ms; for MFP) +# (maximum time to wait for a SA Query response) +# dot11AssociationSAQueryMaximumTimeout, 1...4294967295 +#assoc_sa_query_max_timeout=1000 + +# Association SA Query retry timeout (in TU = 1.024 ms; for MFP) +# (time between two subsequent SA Query requests) +# dot11AssociationSAQueryRetryTimeout, 1...4294967295 +#assoc_sa_query_retry_timeout=201 + +# disable_pmksa_caching: Disable PMKSA caching +# This parameter can be used to disable caching of PMKSA created through EAP +# authentication. RSN preauthentication may still end up using PMKSA caching if +# it is enabled (rsn_preauth=1). +# 0 = PMKSA caching enabled (default) +# 1 = PMKSA caching disabled +#disable_pmksa_caching=0 + +# okc: Opportunistic Key Caching (aka Proactive Key Caching) +# Allow PMK cache to be shared opportunistically among configured interfaces +# and BSSes (i.e., all configurations within a single hostapd process). +# 0 = disabled (default) +# 1 = enabled +#okc=1 + +# SAE threshold for anti-clogging mechanism (dot11RSNASAEAntiCloggingThreshold) +# This parameter defines how many open SAE instances can be in progress at the +# same time before the anti-clogging mechanism is taken into use. +#sae_anti_clogging_threshold=5 + +# Enabled SAE finite cyclic groups +# SAE implementation are required to support group 19 (ECC group defined over a +# 256-bit prime order field). All groups that are supported by the +# implementation are enabled by default. This configuration parameter can be +# used to specify a limited set of allowed groups. The group values are listed +# in the IANA registry: +# http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9 +#sae_groups=19 20 21 25 26 + +##### IEEE 802.11r configuration ############################################## + +# Mobility Domain identifier (dot11FTMobilityDomainID, MDID) +# MDID is used to indicate a group of APs (within an ESS, i.e., sharing the +# same SSID) between which a STA can use Fast BSS Transition. +# 2-octet identifier as a hex string. +#mobility_domain=a1b2 + +# PMK-R0 Key Holder identifier (dot11FTR0KeyHolderID) +# 1 to 48 octet identifier. +# This is configured with nas_identifier (see RADIUS client section above). + +# Default lifetime of the PMK-RO in minutes; range 1..65535 +# (dot11FTR0KeyLifetime) +#r0_key_lifetime=10000 + +# PMK-R1 Key Holder identifier (dot11FTR1KeyHolderID) +# 6-octet identifier as a hex string. +#r1_key_holder=000102030405 + +# Reassociation deadline in time units (TUs / 1.024 ms; range 1000..65535) +# (dot11FTReassociationDeadline) +#reassociation_deadline=1000 + +# List of R0KHs in the same Mobility Domain +# format: <128-bit key as hex string> +# This list is used to map R0KH-ID (NAS Identifier) to a destination MAC +# address when requesting PMK-R1 key from the R0KH that the STA used during the +# Initial Mobility Domain Association. +#r0kh=02:01:02:03:04:05 r0kh-1.example.com 000102030405060708090a0b0c0d0e0f +#r0kh=02:01:02:03:04:06 r0kh-2.example.com 00112233445566778899aabbccddeeff +# And so on.. One line per R0KH. + +# List of R1KHs in the same Mobility Domain +# format: <128-bit key as hex string> +# This list is used to map R1KH-ID to a destination MAC address when sending +# PMK-R1 key from the R0KH. This is also the list of authorized R1KHs in the MD +# that can request PMK-R1 keys. +#r1kh=02:01:02:03:04:05 02:11:22:33:44:55 000102030405060708090a0b0c0d0e0f +#r1kh=02:01:02:03:04:06 02:11:22:33:44:66 00112233445566778899aabbccddeeff +# And so on.. One line per R1KH. + +# Whether PMK-R1 push is enabled at R0KH +# 0 = do not push PMK-R1 to all configured R1KHs (default) +# 1 = push PMK-R1 to all configured R1KHs whenever a new PMK-R0 is derived +#pmk_r1_push=1 + +##### Neighbor table ########################################################## +# Maximum number of entries kept in AP table (either for neigbor table or for +# detecting Overlapping Legacy BSS Condition). The oldest entry will be +# removed when adding a new entry that would make the list grow over this +# limit. Note! WFA certification for IEEE 802.11g requires that OLBC is +# enabled, so this field should not be set to 0 when using IEEE 802.11g. +# default: 255 +#ap_table_max_size=255 + +# Number of seconds of no frames received after which entries may be deleted +# from the AP table. Since passive scanning is not usually performed frequently +# this should not be set to very small value. In addition, there is no +# guarantee that every scan cycle will receive beacon frames from the +# neighboring APs. +# default: 60 +#ap_table_expiration_time=3600 + + +##### Wi-Fi Protected Setup (WPS) ############################################# + +# WPS state +# 0 = WPS disabled (default) +# 1 = WPS enabled, not configured +# 2 = WPS enabled, configured +#wps_state=2 + +# Whether to manage this interface independently from other WPS interfaces +# By default, a single hostapd process applies WPS operations to all configured +# interfaces. This parameter can be used to disable that behavior for a subset +# of interfaces. If this is set to non-zero for an interface, WPS commands +# issued on that interface do not apply to other interfaces and WPS operations +# performed on other interfaces do not affect this interface. +#wps_independent=0 + +# AP can be configured into a locked state where new WPS Registrar are not +# accepted, but previously authorized Registrars (including the internal one) +# can continue to add new Enrollees. +#ap_setup_locked=1 + +# Universally Unique IDentifier (UUID; see RFC 4122) of the device +# This value is used as the UUID for the internal WPS Registrar. If the AP +# is also using UPnP, this value should be set to the device's UPnP UUID. +# If not configured, UUID will be generated based on the local MAC address. +#uuid=12345678-9abc-def0-1234-56789abcdef0 + +# Note: If wpa_psk_file is set, WPS is used to generate random, per-device PSKs +# that will be appended to the wpa_psk_file. If wpa_psk_file is not set, the +# default PSK (wpa_psk/wpa_passphrase) will be delivered to Enrollees. Use of +# per-device PSKs is recommended as the more secure option (i.e., make sure to +# set wpa_psk_file when using WPS with WPA-PSK). + +# When an Enrollee requests access to the network with PIN method, the Enrollee +# PIN will need to be entered for the Registrar. PIN request notifications are +# sent to hostapd ctrl_iface monitor. In addition, they can be written to a +# text file that could be used, e.g., to populate the AP administration UI with +# pending PIN requests. If the following variable is set, the PIN requests will +# be written to the configured file. +#wps_pin_requests=/var/run/hostapd_wps_pin_requests + +# Device Name +# User-friendly description of device; up to 32 octets encoded in UTF-8 +#device_name=Wireless AP + +# Manufacturer +# The manufacturer of the device (up to 64 ASCII characters) +#manufacturer=Company + +# Model Name +# Model of the device (up to 32 ASCII characters) +#model_name=WAP + +# Model Number +# Additional device description (up to 32 ASCII characters) +#model_number=123 + +# Serial Number +# Serial number of the device (up to 32 characters) +#serial_number=12345 + +# Primary Device Type +# Used format: -- +# categ = Category as an integer value +# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for +# default WPS OUI +# subcateg = OUI-specific Sub Category as an integer value +# Examples: +# 1-0050F204-1 (Computer / PC) +# 1-0050F204-2 (Computer / Server) +# 5-0050F204-1 (Storage / NAS) +# 6-0050F204-1 (Network Infrastructure / AP) +#device_type=6-0050F204-1 + +# OS Version +# 4-octet operating system version number (hex string) +#os_version=01020300 + +# Config Methods +# List of the supported configuration methods +# Available methods: usba ethernet label display ext_nfc_token int_nfc_token +# nfc_interface push_button keypad virtual_display physical_display +# virtual_push_button physical_push_button +#config_methods=label virtual_display virtual_push_button keypad + +# WPS capability discovery workaround for PBC with Windows 7 +# Windows 7 uses incorrect way of figuring out AP's WPS capabilities by acting +# as a Registrar and using M1 from the AP. The config methods attribute in that +# message is supposed to indicate only the configuration method supported by +# the AP in Enrollee role, i.e., to add an external Registrar. For that case, +# PBC shall not be used and as such, the PushButton config method is removed +# from M1 by default. If pbc_in_m1=1 is included in the configuration file, +# the PushButton config method is left in M1 (if included in config_methods +# parameter) to allow Windows 7 to use PBC instead of PIN (e.g., from a label +# in the AP). +#pbc_in_m1=1 + +# Static access point PIN for initial configuration and adding Registrars +# If not set, hostapd will not allow external WPS Registrars to control the +# access point. The AP PIN can also be set at runtime with hostapd_cli +# wps_ap_pin command. Use of temporary (enabled by user action) and random +# AP PIN is much more secure than configuring a static AP PIN here. As such, +# use of the ap_pin parameter is not recommended if the AP device has means for +# displaying a random PIN. +#ap_pin=12345670 + +# Skip building of automatic WPS credential +# This can be used to allow the automatically generated Credential attribute to +# be replaced with pre-configured Credential(s). +#skip_cred_build=1 + +# Additional Credential attribute(s) +# This option can be used to add pre-configured Credential attributes into M8 +# message when acting as a Registrar. If skip_cred_build=1, this data will also +# be able to override the Credential attribute that would have otherwise been +# automatically generated based on network configuration. This configuration +# option points to an external file that much contain the WPS Credential +# attribute(s) as binary data. +#extra_cred=hostapd.cred + +# Credential processing +# 0 = process received credentials internally (default) +# 1 = do not process received credentials; just pass them over ctrl_iface to +# external program(s) +# 2 = process received credentials internally and pass them over ctrl_iface +# to external program(s) +# Note: With wps_cred_processing=1, skip_cred_build should be set to 1 and +# extra_cred be used to provide the Credential data for Enrollees. +# +# wps_cred_processing=1 will disabled automatic updates of hostapd.conf file +# both for Credential processing and for marking AP Setup Locked based on +# validation failures of AP PIN. An external program is responsible on updating +# the configuration appropriately in this case. +#wps_cred_processing=0 + +# AP Settings Attributes for M7 +# By default, hostapd generates the AP Settings Attributes for M7 based on the +# current configuration. It is possible to override this by providing a file +# with pre-configured attributes. This is similar to extra_cred file format, +# but the AP Settings attributes are not encapsulated in a Credential +# attribute. +#ap_settings=hostapd.ap_settings + +# WPS UPnP interface +# If set, support for external Registrars is enabled. +#upnp_iface=br0 + +# Friendly Name (required for UPnP) +# Short description for end use. Should be less than 64 characters. +#friendly_name=WPS Access Point + +# Manufacturer URL (optional for UPnP) +#manufacturer_url=http://www.example.com/ + +# Model Description (recommended for UPnP) +# Long description for end user. Should be less than 128 characters. +#model_description=Wireless Access Point + +# Model URL (optional for UPnP) +#model_url=http://www.example.com/model/ + +# Universal Product Code (optional for UPnP) +# 12-digit, all-numeric code that identifies the consumer package. +#upc=123456789012 + +# WPS RF Bands (a = 5G, b = 2.4G, g = 2.4G, ag = dual band) +# This value should be set according to RF band(s) supported by the AP if +# hw_mode is not set. For dual band dual concurrent devices, this needs to be +# set to ag to allow both RF bands to be advertized. +#wps_rf_bands=ag + +# NFC password token for WPS +# These parameters can be used to configure a fixed NFC password token for the +# AP. This can be generated, e.g., with nfc_pw_token from wpa_supplicant. When +# these parameters are used, the AP is assumed to be deployed with a NFC tag +# that includes the matching NFC password token (e.g., written based on the +# NDEF record from nfc_pw_token). +# +#wps_nfc_dev_pw_id: Device Password ID (16..65535) +#wps_nfc_dh_pubkey: Hexdump of DH Public Key +#wps_nfc_dh_privkey: Hexdump of DH Private Key +#wps_nfc_dev_pw: Hexdump of Device Password + +##### Wi-Fi Direct (P2P) ###################################################### + +# Enable P2P Device management +#manage_p2p=1 + +# Allow cross connection +#allow_cross_connection=1 + +#### TDLS (IEEE 802.11z-2010) ################################################# + +# Prohibit use of TDLS in this BSS +#tdls_prohibit=1 + +# Prohibit use of TDLS Channel Switching in this BSS +#tdls_prohibit_chan_switch=1 + +##### IEEE 802.11v-2011 ####################################################### + +# Time advertisement +# 0 = disabled (default) +# 2 = UTC time at which the TSF timer is 0 +#time_advertisement=2 + +# Local time zone as specified in 8.3 of IEEE Std 1003.1-2004: +# stdoffset[dst[offset][,start[/time],end[/time]]] +#time_zone=EST5 + +# WNM-Sleep Mode (extended sleep mode for stations) +# 0 = disabled (default) +# 1 = enabled (allow stations to use WNM-Sleep Mode) +#wnm_sleep_mode=1 + +# BSS Transition Management +# 0 = disabled (default) +# 1 = enabled +#bss_transition=1 + +##### IEEE 802.11u-2011 ####################################################### + +# Enable Interworking service +#interworking=1 + +# Access Network Type +# 0 = Private network +# 1 = Private network with guest access +# 2 = Chargeable public network +# 3 = Free public network +# 4 = Personal device network +# 5 = Emergency services only network +# 14 = Test or experimental +# 15 = Wildcard +#access_network_type=0 + +# Whether the network provides connectivity to the Internet +# 0 = Unspecified +# 1 = Network provides connectivity to the Internet +#internet=1 + +# Additional Step Required for Access +# Note: This is only used with open network, i.e., ASRA shall ne set to 0 if +# RSN is used. +#asra=0 + +# Emergency services reachable +#esr=0 + +# Unauthenticated emergency service accessible +#uesa=0 + +# Venue Info (optional) +# The available values are defined in IEEE Std 802.11u-2011, 7.3.1.34. +# Example values (group,type): +# 0,0 = Unspecified +# 1,7 = Convention Center +# 1,13 = Coffee Shop +# 2,0 = Unspecified Business +# 7,1 Private Residence +#venue_group=7 +#venue_type=1 + +# Homogeneous ESS identifier (optional; dot11HESSID) +# If set, this shall be identifical to one of the BSSIDs in the homogeneous +# ESS and this shall be set to the same value across all BSSs in homogeneous +# ESS. +#hessid=02:03:04:05:06:07 + +# Roaming Consortium List +# Arbitrary number of Roaming Consortium OIs can be configured with each line +# adding a new OI to the list. The first three entries are available through +# Beacon and Probe Response frames. Any additional entry will be available only +# through ANQP queries. Each OI is between 3 and 15 octets and is configured as +# a hexstring. +#roaming_consortium=021122 +#roaming_consortium=2233445566 + +# Venue Name information +# This parameter can be used to configure one or more Venue Name Duples for +# Venue Name ANQP information. Each entry has a two or three character language +# code (ISO-639) separated by colon from the venue name string. +# Note that venue_group and venue_type have to be set for Venue Name +# information to be complete. +#venue_name=eng:Example venue +#venue_name=fin:Esimerkkipaikka +# Alternative format for language:value strings: +# (double quoted string, printf-escaped string) +#venue_name=P"eng:Example\nvenue" + +# Network Authentication Type +# This parameter indicates what type of network authentication is used in the +# network. +# format: [redirect URL] +# Network Authentication Type Indicator values: +# 00 = Acceptance of terms and conditions +# 01 = On-line enrollment supported +# 02 = http/https redirection +# 03 = DNS redirection +#network_auth_type=00 +#network_auth_type=02http://www.example.com/redirect/me/here/ + +# IP Address Type Availability +# format: <1-octet encoded value as hex str> +# (ipv4_type & 0x3f) << 2 | (ipv6_type & 0x3) +# ipv4_type: +# 0 = Address type not available +# 1 = Public IPv4 address available +# 2 = Port-restricted IPv4 address available +# 3 = Single NATed private IPv4 address available +# 4 = Double NATed private IPv4 address available +# 5 = Port-restricted IPv4 address and single NATed IPv4 address available +# 6 = Port-restricted IPv4 address and double NATed IPv4 address available +# 7 = Availability of the address type is not known +# ipv6_type: +# 0 = Address type not available +# 1 = Address type available +# 2 = Availability of the address type not known +#ipaddr_type_availability=14 + +# Domain Name +# format: [,] +#domain_name=example.com,another.example.com,yet-another.example.com + +# 3GPP Cellular Network information +# format: [;][;...] +#anqp_3gpp_cell_net=244,91;310,026;234,56 + +# NAI Realm information +# One or more realm can be advertised. Each nai_realm line adds a new realm to +# the set. These parameters provide information for stations using Interworking +# network selection to allow automatic connection to a network based on +# credentials. +# format: ,[,][,][,...] +# encoding: +# 0 = Realm formatted in accordance with IETF RFC 4282 +# 1 = UTF-8 formatted character string that is not formatted in +# accordance with IETF RFC 4282 +# NAI Realm(s): Semi-colon delimited NAI Realm(s) +# EAP Method: [:<[AuthParam1:Val1]>][<[AuthParam2:Val2]>][...] +# AuthParam (Table 8-188 in IEEE Std 802.11-2012): +# ID 2 = Non-EAP Inner Authentication Type +# 1 = PAP, 2 = CHAP, 3 = MSCHAP, 4 = MSCHAPV2 +# ID 3 = Inner authentication EAP Method Type +# ID 5 = Credential Type +# 1 = SIM, 2 = USIM, 3 = NFC Secure Element, 4 = Hardware Token, +# 5 = Softoken, 6 = Certificate, 7 = username/password, 9 = Anonymous, +# 10 = Vendor Specific +#nai_realm=0,example.com;example.net +# EAP methods EAP-TLS with certificate and EAP-TTLS/MSCHAPv2 with +# username/password +#nai_realm=0,example.org,13[5:6],21[2:4][5:7] + +# QoS Map Set configuration +# +# Comma delimited QoS Map Set in decimal values +# (see IEEE Std 802.11-2012, 8.4.2.97) +# +# format: +# [,],... +# +# There can be up to 21 optional DSCP Exceptions which are pairs of DSCP Value +# (0..63 or 255) and User Priority (0..7). This is followed by eight DSCP Range +# descriptions with DSCP Low Value and DSCP High Value pairs (0..63 or 255) for +# each UP starting from 0. If both low and high value are set to 255, the +# corresponding UP is not used. +# +# default: not set +#qos_map_set=53,2,22,6,8,15,0,7,255,255,16,31,32,39,255,255,40,47,255,255 + +##### Hotspot 2.0 ############################################################# + +# Enable Hotspot 2.0 support +#hs20=1 + +# Disable Downstream Group-Addressed Forwarding (DGAF) +# This can be used to configure a network where no group-addressed frames are +# allowed. The AP will not forward any group-address frames to the stations and +# random GTKs are issued for each station to prevent associated stations from +# forging such frames to other stations in the BSS. +#disable_dgaf=1 + +# Operator Friendly Name +# This parameter can be used to configure one or more Operator Friendly Name +# Duples. Each entry has a two or three character language code (ISO-639) +# separated by colon from the operator friendly name string. +#hs20_oper_friendly_name=eng:Example operator +#hs20_oper_friendly_name=fin:Esimerkkioperaattori + +# Connection Capability +# This can be used to advertise what type of IP traffic can be sent through the +# hotspot (e.g., due to firewall allowing/blocking protocols/ports). +# format: :: +# IP Protocol: 1 = ICMP, 6 = TCP, 17 = UDP +# Port Number: 0..65535 +# Status: 0 = Closed, 1 = Open, 2 = Unknown +# Each hs20_conn_capab line is added to the list of advertised tuples. +#hs20_conn_capab=1:0:2 +#hs20_conn_capab=6:22:1 +#hs20_conn_capab=17:5060:0 + +# WAN Metrics +# format: :
:
    :
    :
      : +# WAN Info: B0-B1: Link Status, B2: Symmetric Link, B3: At Capabity +# (encoded as two hex digits) +# Link Status: 1 = Link up, 2 = Link down, 3 = Link in test state +# Downlink Speed: Estimate of WAN backhaul link current downlink speed in kbps; +# 1..4294967295; 0 = unknown +# Uplink Speed: Estimate of WAN backhaul link current uplink speed in kbps +# 1..4294967295; 0 = unknown +# Downlink Load: Current load of downlink WAN connection (scaled to 255 = 100%) +# Uplink Load: Current load of uplink WAN connection (scaled to 255 = 100%) +# Load Measurement Duration: Duration for measuring downlink/uplink load in +# tenths of a second (1..65535); 0 if load cannot be determined +#hs20_wan_metrics=01:8000:1000:80:240:3000 + +# Operating Class Indication +# List of operating classes the BSSes in this ESS use. The Global operating +# classes in Table E-4 of IEEE Std 802.11-2012 Annex E define the values that +# can be used in this. +# format: hexdump of operating class octets +# for example, operating classes 81 (2.4 GHz channels 1-13) and 115 (5 GHz +# channels 36-48): +#hs20_operating_class=5173 + +##### TESTING OPTIONS ######################################################### +# +# The options in this section are only available when the build configuration +# option CONFIG_TESTING_OPTIONS is set while compiling hostapd. They allow +# testing some scenarios that are otherwise difficult to reproduce. +# +# Ignore probe requests sent to hostapd with the given probability, must be a +# floating point number in the range [0, 1). +#ignore_probe_probability=0.0 +# +# Ignore authentication frames with the given probability +#ignore_auth_probability=0.0 +# +# Ignore association requests with the given probability +#ignore_assoc_probability=0.0 +# +# Ignore reassociation requests with the given probability +#ignore_reassoc_probability=0.0 +# +# Corrupt Key MIC in GTK rekey EAPOL-Key frames with the given probability +#corrupt_gtk_rekey_mic_probability=0.0 + +##### Multiple BSSID support ################################################## +# +# Above configuration is using the default interface (wlan#, or multi-SSID VLAN +# interfaces). Other BSSIDs can be added by using separator 'bss' with +# default interface name to be allocated for the data packets of the new BSS. +# +# hostapd will generate BSSID mask based on the BSSIDs that are +# configured. hostapd will verify that dev_addr & MASK == dev_addr. If this is +# not the case, the MAC address of the radio must be changed before starting +# hostapd (ifconfig wlan0 hw ether ). If a BSSID is configured for +# every secondary BSS, this limitation is not applied at hostapd and other +# masks may be used if the driver supports them (e.g., swap the locally +# administered bit) +# +# BSSIDs are assigned in order to each BSS, unless an explicit BSSID is +# specified using the 'bssid' parameter. +# If an explicit BSSID is specified, it must be chosen such that it: +# - results in a valid MASK that covers it and the dev_addr +# - is not the same as the MAC address of the radio +# - is not the same as any other explicitly specified BSSID +# +# Please note that hostapd uses some of the values configured for the first BSS +# as the defaults for the following BSSes. However, it is recommended that all +# BSSes include explicit configuration of all relevant configuration items. +# +#bss=wlan0_0 +#ssid=test2 +# most of the above items can be used here (apart from radio interface specific +# items, like channel) + +#bss=wlan0_1 +#bssid=00:13:10:95:fe:0b +# ... diff --git a/etc/wpa_supplicant.conf b/etc/wpa_supplicant.conf new file mode 100644 index 0000000..9d3bf6d --- /dev/null +++ b/etc/wpa_supplicant.conf @@ -0,0 +1,1273 @@ +##### Example wpa_supplicant configuration file ############################### +# +# This file describes configuration file format and lists all available option. +# Please also take a look at simpler configuration examples in 'examples' +# subdirectory. +# +# Empty lines and lines starting with # are ignored + +# NOTE! This file may contain password information and should probably be made +# readable only by root user on multiuser systems. + +# Note: All file paths in this configuration file should use full (absolute, +# not relative to working directory) path in order to allow working directory +# to be changed. This can happen if wpa_supplicant is run in the background. + +# Whether to allow wpa_supplicant to update (overwrite) configuration +# +# This option can be used to allow wpa_supplicant to overwrite configuration +# file whenever configuration is changed (e.g., new network block is added with +# wpa_cli or wpa_gui, or a password is changed). This is required for +# wpa_cli/wpa_gui to be able to store the configuration changes permanently. +# Please note that overwriting configuration file will remove the comments from +# it. +#update_config=1 + +# global configuration (shared by all network blocks) +# +# Parameters for the control interface. If this is specified, wpa_supplicant +# will open a control interface that is available for external programs to +# manage wpa_supplicant. The meaning of this string depends on which control +# interface mechanism is used. For all cases, the existence of this parameter +# in configuration is used to determine whether the control interface is +# enabled. +# +# For UNIX domain sockets (default on Linux and BSD): This is a directory that +# will be created for UNIX domain sockets for listening to requests from +# external programs (CLI/GUI, etc.) for status information and configuration. +# The socket file will be named based on the interface name, so multiple +# wpa_supplicant processes can be run at the same time if more than one +# interface is used. +# /var/run/wpa_supplicant is the recommended directory for sockets and by +# default, wpa_cli will use it when trying to connect with wpa_supplicant. +# +# Access control for the control interface can be configured by setting the +# directory to allow only members of a group to use sockets. This way, it is +# possible to run wpa_supplicant as root (since it needs to change network +# configuration and open raw sockets) and still allow GUI/CLI components to be +# run as non-root users. However, since the control interface can be used to +# change the network configuration, this access needs to be protected in many +# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you +# want to allow non-root users to use the control interface, add a new group +# and change this value to match with that group. Add users that should have +# control interface access to this group. If this variable is commented out or +# not included in the configuration file, group will not be changed from the +# value it got by default when the directory or socket was created. +# +# When configuring both the directory and group, use following format: +# DIR=/var/run/wpa_supplicant GROUP=wheel +# DIR=/var/run/wpa_supplicant GROUP=0 +# (group can be either group name or gid) +# +# For UDP connections (default on Windows): The value will be ignored. This +# variable is just used to select that the control interface is to be created. +# The value can be set to, e.g., udp (ctrl_interface=udp) +# +# For Windows Named Pipe: This value can be used to set the security descriptor +# for controlling access to the control interface. Security descriptor can be +# set using Security Descriptor String Format (see http://msdn.microsoft.com/ +# library/default.asp?url=/library/en-us/secauthz/security/ +# security_descriptor_string_format.asp). The descriptor string needs to be +# prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty +# DACL (which will reject all connections). See README-Windows.txt for more +# information about SDDL string format. +# +ctrl_interface=/var/run/wpa_supplicant + +# IEEE 802.1X/EAPOL version +# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines +# EAPOL version 2. However, there are many APs that do not handle the new +# version number correctly (they seem to drop the frames completely). In order +# to make wpa_supplicant interoperate with these APs, the version number is set +# to 1 by default. This configuration value can be used to set it to the new +# version (2). +eapol_version=1 + +# AP scanning/selection +# By default, wpa_supplicant requests driver to perform AP scanning and then +# uses the scan results to select a suitable AP. Another alternative is to +# allow the driver to take care of AP scanning and selection and use +# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association +# information from the driver. +# 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to +# the currently enabled networks are found, a new network (IBSS or AP mode +# operation) may be initialized (if configured) (default) +# 0: driver takes care of scanning, AP selection, and IEEE 802.11 association +# parameters (e.g., WPA IE generation); this mode can also be used with +# non-WPA drivers when using IEEE 802.1X mode; do not try to associate with +# APs (i.e., external program needs to control association). This mode must +# also be used when using wired Ethernet drivers. +# 2: like 0, but associate with APs using security policy and SSID (but not +# BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to +# enable operation with hidden SSIDs and optimized roaming; in this mode, +# the network blocks in the configuration file are tried one by one until +# the driver reports successful association; each network block should have +# explicit security policy (i.e., only one option in the lists) for +# key_mgmt, pairwise, group, proto variables +# When using IBSS or AP mode, ap_scan=2 mode can force the new network to be +# created immediately regardless of scan results. ap_scan=1 mode will first try +# to scan for existing networks and only if no matches with the enabled +# networks are found, a new IBSS or AP mode network is created. +ap_scan=1 + +# EAP fast re-authentication +# By default, fast re-authentication is enabled for all EAP methods that +# support it. This variable can be used to disable fast re-authentication. +# Normally, there is no need to disable this. +fast_reauth=1 + +# OpenSSL Engine support +# These options can be used to load OpenSSL engines. +# The two engines that are supported currently are shown below: +# They are both from the opensc project (http://www.opensc.org/) +# By default no engines are loaded. +# make the opensc engine available +#opensc_engine_path=/usr/lib/opensc/engine_opensc.so +# make the pkcs11 engine available +#pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so +# configure the path to the pkcs11 module required by the pkcs11 engine +#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so + +# Dynamic EAP methods +# If EAP methods were built dynamically as shared object files, they need to be +# loaded here before being used in the network blocks. By default, EAP methods +# are included statically in the build, so these lines are not needed +#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so +#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so + +# Driver interface parameters +# This field can be used to configure arbitrary driver interace parameters. The +# format is specific to the selected driver interface. This field is not used +# in most cases. +#driver_param="field=value" + +# Country code +# The ISO/IEC alpha2 country code for the country in which this device is +# currently operating. +#country=US + +# Maximum lifetime for PMKSA in seconds; default 43200 +#dot11RSNAConfigPMKLifetime=43200 +# Threshold for reauthentication (percentage of PMK lifetime); default 70 +#dot11RSNAConfigPMKReauthThreshold=70 +# Timeout for security association negotiation in seconds; default 60 +#dot11RSNAConfigSATimeout=60 + +# Wi-Fi Protected Setup (WPS) parameters + +# Universally Unique IDentifier (UUID; see RFC 4122) of the device +# If not configured, UUID will be generated based on the local MAC address. +#uuid=12345678-9abc-def0-1234-56789abcdef0 + +# Device Name +# User-friendly description of device; up to 32 octets encoded in UTF-8 +#device_name=Wireless Client + +# Manufacturer +# The manufacturer of the device (up to 64 ASCII characters) +#manufacturer=Company + +# Model Name +# Model of the device (up to 32 ASCII characters) +#model_name=cmodel + +# Model Number +# Additional device description (up to 32 ASCII characters) +#model_number=123 + +# Serial Number +# Serial number of the device (up to 32 characters) +#serial_number=12345 + +# Primary Device Type +# Used format: -- +# categ = Category as an integer value +# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for +# default WPS OUI +# subcateg = OUI-specific Sub Category as an integer value +# Examples: +# 1-0050F204-1 (Computer / PC) +# 1-0050F204-2 (Computer / Server) +# 5-0050F204-1 (Storage / NAS) +# 6-0050F204-1 (Network Infrastructure / AP) +#device_type=1-0050F204-1 + +# OS Version +# 4-octet operating system version number (hex string) +#os_version=01020300 + +# Config Methods +# List of the supported configuration methods +# Available methods: usba ethernet label display ext_nfc_token int_nfc_token +# nfc_interface push_button keypad virtual_display physical_display +# virtual_push_button physical_push_button +# For WSC 1.0: +#config_methods=label display push_button keypad +# For WSC 2.0: +#config_methods=label virtual_display virtual_push_button keypad + +# Credential processing +# 0 = process received credentials internally (default) +# 1 = do not process received credentials; just pass them over ctrl_iface to +# external program(s) +# 2 = process received credentials internally and pass them over ctrl_iface +# to external program(s) +#wps_cred_processing=0 + +# Vendor attribute in WPS M1, e.g., Windows 7 Vertical Pairing +# The vendor attribute contents to be added in M1 (hex string) +#wps_vendor_ext_m1=000137100100020001 + +# NFC password token for WPS +# These parameters can be used to configure a fixed NFC password token for the +# station. This can be generated, e.g., with nfc_pw_token. When these +# parameters are used, the station is assumed to be deployed with a NFC tag +# that includes the matching NFC password token (e.g., written based on the +# NDEF record from nfc_pw_token). +# +#wps_nfc_dev_pw_id: Device Password ID (16..65535) +#wps_nfc_dh_pubkey: Hexdump of DH Public Key +#wps_nfc_dh_privkey: Hexdump of DH Private Key +#wps_nfc_dev_pw: Hexdump of Device Password + +# Maximum number of BSS entries to keep in memory +# Default: 200 +# This can be used to limit memory use on the BSS entries (cached scan +# results). A larger value may be needed in environments that have huge number +# of APs when using ap_scan=1 mode. +#bss_max_count=200 + +# Automatic scan +# This is an optional set of parameters for automatic scanning +# within an interface in following format: +#autoscan=: +# autoscan is like bgscan but on disconnected or inactive state. +# For instance, on exponential module parameters would be : +#autoscan=exponential:3:300 +# Which means a delay between scans on a base exponential of 3, +# up to the limit of 300 seconds (3, 9, 27 ... 300) +# For periodic module, parameters would be +#autoscan=periodic:30 +# So a delay of 30 seconds will be applied between each scan + +# filter_ssids - SSID-based scan result filtering +# 0 = do not filter scan results (default) +# 1 = only include configured SSIDs in scan results/BSS table +#filter_ssids=0 + +# Password (and passphrase, etc.) backend for external storage +# format: [:] +#ext_password_backend=test:pw1=password|pw2=testing + +# Timeout in seconds to detect STA inactivity (default: 300 seconds) +# +# This timeout value is used in P2P GO mode to clean up +# inactive stations. +#p2p_go_max_inactivity=300 + +# Opportunistic Key Caching (also known as Proactive Key Caching) default +# This parameter can be used to set the default behavior for the +# proactive_key_caching parameter. By default, OKC is disabled unless enabled +# with the global okc=1 parameter or with the per-network +# proactive_key_caching=1 parameter. With okc=1, OKC is enabled by default, but +# can be disabled with per-network proactive_key_caching=0 parameter. +#okc=0 + +# Protected Management Frames default +# This parameter can be used to set the default behavior for the ieee80211w +# parameter. By default, PMF is disabled unless enabled with the global pmf=1/2 +# parameter or with the per-network ieee80211w=1/2 parameter. With pmf=1/2, PMF +# is enabled/required by default, but can be disabled with the per-network +# ieee80211w parameter. +#pmf=0 + +# Enabled SAE finite cyclic groups in preference order +# By default (if this parameter is not set), the mandatory group 19 (ECC group +# defined over a 256-bit prime order field) is preferred, but other groups are +# also enabled. If this parameter is set, the groups will be tried in the +# indicated order. The group values are listed in the IANA registry: +# http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9 +#sae_groups=21 20 19 26 25 + +# Default value for DTIM period (if not overridden in network block) +#dtim_period=2 + +# Default value for Beacon interval (if not overridden in network block) +#beacon_int=100 + +# Additional vendor specific elements for Beacon and Probe Response frames +# This parameter can be used to add additional vendor specific element(s) into +# the end of the Beacon and Probe Response frames. The format for these +# element(s) is a hexdump of the raw information elements (id+len+payload for +# one or more elements). This is used in AP and P2P GO modes. +#ap_vendor_elements=dd0411223301 + +# Ignore scan results older than request +# +# The driver may have a cache of scan results that makes it return +# information that is older than our scan trigger. This parameter can +# be used to configure such old information to be ignored instead of +# allowing it to update the internal BSS table. +#ignore_old_scan_res=0 + +# scan_cur_freq: Whether to scan only the current frequency +# 0: Scan all available frequencies. (Default) +# 1: Scan current operating frequency if another VIF on the same radio +# is already associated. + +# Interworking (IEEE 802.11u) + +# Enable Interworking +# interworking=1 + +# Homogenous ESS identifier +# If this is set, scans will be used to request response only from BSSes +# belonging to the specified Homogeneous ESS. This is used only if interworking +# is enabled. +# hessid=00:11:22:33:44:55 + +# Automatic network selection behavior +# 0 = do not automatically go through Interworking network selection +# (i.e., require explicit interworking_select command for this; default) +# 1 = perform Interworking network selection if one or more +# credentials have been configured and scan did not find a +# matching network block +#auto_interworking=0 + +# credential block +# +# Each credential used for automatic network selection is configured as a set +# of parameters that are compared to the information advertised by the APs when +# interworking_select and interworking_connect commands are used. +# +# credential fields: +# +# temporary: Whether this credential is temporary and not to be saved +# +# priority: Priority group +# By default, all networks and credentials get the same priority group +# (0). This field can be used to give higher priority for credentials +# (and similarly in struct wpa_ssid for network blocks) to change the +# Interworking automatic networking selection behavior. The matching +# network (based on either an enabled network block or a credential) +# with the highest priority value will be selected. +# +# pcsc: Use PC/SC and SIM/USIM card +# +# realm: Home Realm for Interworking +# +# username: Username for Interworking network selection +# +# password: Password for Interworking network selection +# +# ca_cert: CA certificate for Interworking network selection +# +# client_cert: File path to client certificate file (PEM/DER) +# This field is used with Interworking networking selection for a case +# where client certificate/private key is used for authentication +# (EAP-TLS). Full path to the file should be used since working +# directory may change when wpa_supplicant is run in the background. +# +# Alternatively, a named configuration blob can be used by setting +# this to blob://blob_name. +# +# private_key: File path to client private key file (PEM/DER/PFX) +# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be +# commented out. Both the private key and certificate will be read +# from the PKCS#12 file in this case. Full path to the file should be +# used since working directory may change when wpa_supplicant is run +# in the background. +# +# Windows certificate store can be used by leaving client_cert out and +# configuring private_key in one of the following formats: +# +# cert://substring_to_match +# +# hash://certificate_thumbprint_in_hex +# +# For example: private_key="hash://63093aa9c47f56ae88334c7b65a4" +# +# Note that when running wpa_supplicant as an application, the user +# certificate store (My user account) is used, whereas computer store +# (Computer account) is used when running wpasvc as a service. +# +# Alternatively, a named configuration blob can be used by setting +# this to blob://blob_name. +# +# private_key_passwd: Password for private key file +# +# imsi: IMSI in | | '-' | format +# +# milenage: Milenage parameters for SIM/USIM simulator in :: +# format +# +# domain: Home service provider FQDN(s) +# This is used to compare against the Domain Name List to figure out +# whether the AP is operated by the Home SP. Multiple domain entries can +# be used to configure alternative FQDNs that will be considered home +# networks. +# +# roaming_consortium: Roaming Consortium OI +# If roaming_consortium_len is non-zero, this field contains the +# Roaming Consortium OI that can be used to determine which access +# points support authentication with this credential. This is an +# alternative to the use of the realm parameter. When using Roaming +# Consortium to match the network, the EAP parameters need to be +# pre-configured with the credential since the NAI Realm information +# may not be available or fetched. +# +# eap: Pre-configured EAP method +# This optional field can be used to specify which EAP method will be +# used with this credential. If not set, the EAP method is selected +# automatically based on ANQP information (e.g., NAI Realm). +# +# phase1: Pre-configure Phase 1 (outer authentication) parameters +# This optional field is used with like the 'eap' parameter. +# +# phase2: Pre-configure Phase 2 (inner authentication) parameters +# This optional field is used with like the 'eap' parameter. +# +# excluded_ssid: Excluded SSID +# This optional field can be used to excluded specific SSID(s) from +# matching with the network. Multiple entries can be used to specify more +# than one SSID. +# +# for example: +# +#cred={ +# realm="example.com" +# username="user@example.com" +# password="password" +# ca_cert="/etc/wpa_supplicant/ca.pem" +# domain="example.com" +#} +# +#cred={ +# imsi="310026-000000000" +# milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82" +#} +# +#cred={ +# realm="example.com" +# username="user" +# password="password" +# ca_cert="/etc/wpa_supplicant/ca.pem" +# domain="example.com" +# roaming_consortium=223344 +# eap=TTLS +# phase2="auth=MSCHAPV2" +#} + +# Hotspot 2.0 +# hs20=1 + +# network block +# +# Each network (usually AP's sharing the same SSID) is configured as a separate +# block in this configuration file. The network blocks are in preference order +# (the first match is used). +# +# network block fields: +# +# disabled: +# 0 = this network can be used (default) +# 1 = this network block is disabled (can be enabled through ctrl_iface, +# e.g., with wpa_cli or wpa_gui) +# +# id_str: Network identifier string for external scripts. This value is passed +# to external action script through wpa_cli as WPA_ID_STR environment +# variable to make it easier to do network specific configuration. +# +# ssid: SSID (mandatory); network name in one of the optional formats: +# - an ASCII string with double quotation +# - a hex string (two characters per octet of SSID) +# - a printf-escaped ASCII string P"" +# +# scan_ssid: +# 0 = do not scan this SSID with specific Probe Request frames (default) +# 1 = scan with SSID-specific Probe Request frames (this can be used to +# find APs that do not accept broadcast SSID or use multiple SSIDs; +# this will add latency to scanning, so enable this only when needed) +# +# bssid: BSSID (optional); if set, this network block is used only when +# associating with the AP using the configured BSSID +# +# priority: priority group (integer) +# By default, all networks will get same priority group (0). If some of the +# networks are more desirable, this field can be used to change the order in +# which wpa_supplicant goes through the networks when selecting a BSS. The +# priority groups will be iterated in decreasing priority (i.e., the larger the +# priority value, the sooner the network is matched against the scan results). +# Within each priority group, networks will be selected based on security +# policy, signal strength, etc. +# Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not +# using this priority to select the order for scanning. Instead, they try the +# networks in the order that used in the configuration file. +# +# mode: IEEE 802.11 operation mode +# 0 = infrastructure (Managed) mode, i.e., associate with an AP (default) +# 1 = IBSS (ad-hoc, peer-to-peer) +# 2 = AP (access point) +# Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) and +# WPA-PSK (with proto=RSN). In addition, key_mgmt=WPA-NONE (fixed group key +# TKIP/CCMP) is available for backwards compatibility, but its use is +# deprecated. WPA-None requires following network block options: +# proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not +# both), and psk must also be set. +# +# frequency: Channel frequency in megahertz (MHz) for IBSS, e.g., +# 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial +# channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode. +# In addition, this value is only used by the station that creates the IBSS. If +# an IBSS network with the configured SSID is already present, the frequency of +# the network will be used instead of this configured value. +# +# scan_freq: List of frequencies to scan +# Space-separated list of frequencies in MHz to scan when searching for this +# BSS. If the subset of channels used by the network is known, this option can +# be used to optimize scanning to not occur on channels that the network does +# not use. Example: scan_freq=2412 2437 2462 +# +# freq_list: Array of allowed frequencies +# Space-separated list of frequencies in MHz to allow for selecting the BSS. If +# set, scan results that do not match any of the specified frequencies are not +# considered when selecting a BSS. +# +# This can also be set on the outside of the network block. In this case, +# it limits the frequencies that will be scanned. +# +# bgscan: Background scanning +# wpa_supplicant behavior for background scanning can be specified by +# configuring a bgscan module. These modules are responsible for requesting +# background scans for the purpose of roaming within an ESS (i.e., within a +# single network block with all the APs using the same SSID). The bgscan +# parameter uses following format: ":" +# Following bgscan modules are available: +# simple - Periodic background scans based on signal strength +# bgscan="simple::: +# " +# bgscan="simple:30:-45:300" +# learn - Learn channels used by the network and try to avoid bgscans on other +# channels (experimental) +# bgscan="learn::: +# [:]" +# bgscan="learn:30:-45:300:/etc/wpa_supplicant/network1.bgscan" +# +# This option can also be set outside of all network blocks for the bgscan +# parameter to apply for all the networks that have no specific bgscan +# parameter. +# +# proto: list of accepted protocols +# WPA = WPA/IEEE 802.11i/D3.0 +# RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN) +# If not set, this defaults to: WPA RSN +# +# key_mgmt: list of accepted authenticated key management protocols +# WPA-PSK = WPA pre-shared key (this requires 'psk' field) +# WPA-EAP = WPA using EAP authentication +# IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically +# generated WEP keys +# NONE = WPA is not used; plaintext or static WEP could be used +# WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms +# WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms +# If not set, this defaults to: WPA-PSK WPA-EAP +# +# ieee80211w: whether management frame protection is enabled +# 0 = disabled (default unless changed with the global pmf parameter) +# 1 = optional +# 2 = required +# The most common configuration options for this based on the PMF (protected +# management frames) certification program are: +# PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256 +# PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256 +# (and similarly for WPA-PSK and WPA-WPSK-SHA256 if WPA2-Personal is used) +# +# auth_alg: list of allowed IEEE 802.11 authentication algorithms +# OPEN = Open System authentication (required for WPA/WPA2) +# SHARED = Shared Key authentication (requires static WEP keys) +# LEAP = LEAP/Network EAP (only used with LEAP) +# If not set, automatic selection is used (Open System with LEAP enabled if +# LEAP is allowed as one of the EAP methods). +# +# pairwise: list of accepted pairwise (unicast) ciphers for WPA +# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] +# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] +# NONE = Use only Group Keys (deprecated, should not be included if APs support +# pairwise keys) +# If not set, this defaults to: CCMP TKIP +# +# group: list of accepted group (broadcast/multicast) ciphers for WPA +# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] +# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] +# WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key +# WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11] +# If not set, this defaults to: CCMP TKIP WEP104 WEP40 +# +# psk: WPA preshared key; 256-bit pre-shared key +# The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e., +# 32 bytes or as an ASCII passphrase (in which case, the real PSK will be +# generated using the passphrase and SSID). ASCII passphrase must be between +# 8 and 63 characters (inclusive). ext: format can +# be used to indicate that the PSK/passphrase is stored in external storage. +# This field is not needed, if WPA-EAP is used. +# Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys +# from ASCII passphrase. This process uses lot of CPU and wpa_supplicant +# startup and reconfiguration time can be optimized by generating the PSK only +# only when the passphrase or SSID has actually changed. +# +# eapol_flags: IEEE 802.1X/EAPOL options (bit field) +# Dynamic WEP key required for non-WPA mode +# bit0 (1): require dynamically generated unicast WEP key +# bit1 (2): require dynamically generated broadcast WEP key +# (3 = require both keys; default) +# Note: When using wired authentication, eapol_flags must be set to 0 for the +# authentication to be completed successfully. +# +# mixed_cell: This option can be used to configure whether so called mixed +# cells, i.e., networks that use both plaintext and encryption in the same +# SSID, are allowed when selecting a BSS from scan results. +# 0 = disabled (default) +# 1 = enabled +# +# proactive_key_caching: +# Enable/disable opportunistic PMKSA caching for WPA2. +# 0 = disabled (default unless changed with the global okc parameter) +# 1 = enabled +# +# wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or +# hex without quotation, e.g., 0102030405) +# wep_tx_keyidx: Default WEP key index (TX) (0..3) +# +# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is +# allowed. This is only used with RSN/WPA2. +# 0 = disabled (default) +# 1 = enabled +#peerkey=1 +# +# wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to +# enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies. +# +# Following fields are only used with internal EAP implementation. +# eap: space-separated list of accepted EAP methods +# MD5 = EAP-MD5 (unsecure and does not generate keying material -> +# cannot be used with WPA; to be used as a Phase 2 method +# with EAP-PEAP or EAP-TTLS) +# MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used +# as a Phase 2 method with EAP-PEAP or EAP-TTLS) +# OTP = EAP-OTP (cannot be used separately with WPA; to be used +# as a Phase 2 method with EAP-PEAP or EAP-TTLS) +# GTC = EAP-GTC (cannot be used separately with WPA; to be used +# as a Phase 2 method with EAP-PEAP or EAP-TTLS) +# TLS = EAP-TLS (client and server certificate) +# PEAP = EAP-PEAP (with tunnelled EAP authentication) +# TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2 +# authentication) +# If not set, all compiled in methods are allowed. +# +# identity: Identity string for EAP +# This field is also used to configure user NAI for +# EAP-PSK/PAX/SAKE/GPSK. +# anonymous_identity: Anonymous identity string for EAP (to be used as the +# unencrypted identity with EAP types that support different tunnelled +# identity, e.g., EAP-TTLS). This field can also be used with +# EAP-SIM/AKA/AKA' to store the pseudonym identity. +# password: Password string for EAP. This field can include either the +# plaintext password (using ASCII or hex string) or a NtPasswordHash +# (16-byte MD4 hash of password) in hash:<32 hex digits> format. +# NtPasswordHash can only be used when the password is for MSCHAPv2 or +# MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP). +# EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit +# PSK) is also configured using this field. For EAP-GPSK, this is a +# variable length PSK. ext: format can +# be used to indicate that the password is stored in external storage. +# ca_cert: File path to CA certificate file (PEM/DER). This file can have one +# or more trusted CA certificates. If ca_cert and ca_path are not +# included, server certificate will not be verified. This is insecure and +# a trusted CA certificate should always be configured when using +# EAP-TLS/TTLS/PEAP. Full path should be used since working directory may +# change when wpa_supplicant is run in the background. +# +# Alternatively, this can be used to only perform matching of the server +# certificate (SHA-256 hash of the DER encoded X.509 certificate). In +# this case, the possible CA certificates in the server certificate chain +# are ignored and only the server certificate is verified. This is +# configured with the following format: +# hash:://server/sha256/cert_hash_in_hex +# For example: "hash://server/sha256/ +# 5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a" +# +# On Windows, trusted CA certificates can be loaded from the system +# certificate store by setting this to cert_store://, e.g., +# ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT". +# Note that when running wpa_supplicant as an application, the user +# certificate store (My user account) is used, whereas computer store +# (Computer account) is used when running wpasvc as a service. +# ca_path: Directory path for CA certificate files (PEM). This path may +# contain multiple CA certificates in OpenSSL format. Common use for this +# is to point to system trusted CA list which is often installed into +# directory like /etc/ssl/certs. If configured, these certificates are +# added to the list of trusted CAs. ca_cert may also be included in that +# case, but it is not required. +# client_cert: File path to client certificate file (PEM/DER) +# Full path should be used since working directory may change when +# wpa_supplicant is run in the background. +# Alternatively, a named configuration blob can be used by setting this +# to blob://. +# private_key: File path to client private key file (PEM/DER/PFX) +# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be +# commented out. Both the private key and certificate will be read from +# the PKCS#12 file in this case. Full path should be used since working +# directory may change when wpa_supplicant is run in the background. +# Windows certificate store can be used by leaving client_cert out and +# configuring private_key in one of the following formats: +# cert://substring_to_match +# hash://certificate_thumbprint_in_hex +# for example: private_key="hash://63093aa9c47f56ae88334c7b65a4" +# Note that when running wpa_supplicant as an application, the user +# certificate store (My user account) is used, whereas computer store +# (Computer account) is used when running wpasvc as a service. +# Alternatively, a named configuration blob can be used by setting this +# to blob://. +# private_key_passwd: Password for private key file (if left out, this will be +# asked through control interface) +# dh_file: File path to DH/DSA parameters file (in PEM format) +# This is an optional configuration file for setting parameters for an +# ephemeral DH key exchange. In most cases, the default RSA +# authentication does not use this configuration. However, it is possible +# setup RSA to use ephemeral DH key exchange. In addition, ciphers with +# DSA keys always use ephemeral DH keys. This can be used to achieve +# forward secrecy. If the file is in DSA parameters format, it will be +# automatically converted into DH params. +# subject_match: Substring to be matched against the subject of the +# authentication server certificate. If this string is set, the server +# sertificate is only accepted if it contains this string in the subject. +# The subject string is in following format: +# /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com +# altsubject_match: Semicolon separated string of entries to be matched against +# the alternative subject name of the authentication server certificate. +# If this string is set, the server sertificate is only accepted if it +# contains one of the entries in an alternative subject name extension. +# altSubjectName string is in following format: TYPE:VALUE +# Example: EMAIL:server@example.com +# Example: DNS:server.example.com;DNS:server2.example.com +# Following types are supported: EMAIL, DNS, URI +# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters +# (string with field-value pairs, e.g., "peapver=0" or +# "peapver=1 peaplabel=1") +# 'peapver' can be used to force which PEAP version (0 or 1) is used. +# 'peaplabel=1' can be used to force new label, "client PEAP encryption", +# to be used during key derivation when PEAPv1 or newer. Most existing +# PEAPv1 implementation seem to be using the old label, "client EAP +# encryption", and wpa_supplicant is now using that as the default value. +# Some servers, e.g., Radiator, may require peaplabel=1 configuration to +# interoperate with PEAPv1; see eap_testing.txt for more details. +# 'peap_outer_success=0' can be used to terminate PEAP authentication on +# tunneled EAP-Success. This is required with some RADIUS servers that +# implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g., +# Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode) +# include_tls_length=1 can be used to force wpa_supplicant to include +# TLS Message Length field in all TLS messages even if they are not +# fragmented. +# sim_min_num_chal=3 can be used to configure EAP-SIM to require three +# challenges (by default, it accepts 2 or 3) +# result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use +# protected result indication. +# 'crypto_binding' option can be used to control PEAPv0 cryptobinding +# behavior: +# * 0 = do not use cryptobinding (default) +# * 1 = use cryptobinding if server supports it +# * 2 = require cryptobinding +# EAP-WSC (WPS) uses following options: pin= or +# pbc=1. +# phase2: Phase2 (inner authentication with TLS tunnel) parameters +# (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or +# "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS) +# +# TLS-based methods can use the following parameters to control TLS behavior +# (these are normally in the phase1 parameter, but can be used also in the +# phase2 parameter when EAP-TLS is used within the inner tunnel): +# tls_allow_md5=1 - allow MD5-based certificate signatures (depending on the +# TLS library, these may be disabled by default to enforce stronger +# security) +# tls_disable_time_checks=1 - ignore certificate validity time (this requests +# the TLS library to accept certificates even if they are not currently +# valid, i.e., have expired or have not yet become valid; this should be +# used only for testing purposes) +# tls_disable_session_ticket=1 - disable TLS Session Ticket extension +# tls_disable_session_ticket=0 - allow TLS Session Ticket extension to be used +# Note: If not set, this is automatically set to 1 for EAP-TLS/PEAP/TTLS +# as a workaround for broken authentication server implementations unless +# EAP workarounds are disabled with eap_workarounds=0. +# For EAP-FAST, this must be set to 0 (or left unconfigured for the +# default value to be used automatically). +# +# Following certificate/private key fields are used in inner Phase2 +# authentication when using EAP-TTLS or EAP-PEAP. +# ca_cert2: File path to CA certificate file. This file can have one or more +# trusted CA certificates. If ca_cert2 and ca_path2 are not included, +# server certificate will not be verified. This is insecure and a trusted +# CA certificate should always be configured. +# ca_path2: Directory path for CA certificate files (PEM) +# client_cert2: File path to client certificate file +# private_key2: File path to client private key file +# private_key2_passwd: Password for private key file +# dh_file2: File path to DH/DSA parameters file (in PEM format) +# subject_match2: Substring to be matched against the subject of the +# authentication server certificate. +# altsubject_match2: Substring to be matched against the alternative subject +# name of the authentication server certificate. +# +# fragment_size: Maximum EAP fragment size in bytes (default 1398). +# This value limits the fragment size for EAP methods that support +# fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set +# small enough to make the EAP messages fit in MTU of the network +# interface used for EAPOL. The default value is suitable for most +# cases. +# +# ocsp: Whether to use/require OCSP to check server certificate +# 0 = do not use OCSP stapling (TLS certificate status extension) +# 1 = try to use OCSP stapling, but not require response +# 2 = require valid OCSP stapling response +# +# EAP-FAST variables: +# pac_file: File path for the PAC entries. wpa_supplicant will need to be able +# to create this file and write updates to it when PAC is being +# provisioned or refreshed. Full path to the file should be used since +# working directory may change when wpa_supplicant is run in the +# background. Alternatively, a named configuration blob can be used by +# setting this to blob:// +# phase1: fast_provisioning option can be used to enable in-line provisioning +# of EAP-FAST credentials (PAC): +# 0 = disabled, +# 1 = allow unauthenticated provisioning, +# 2 = allow authenticated provisioning, +# 3 = allow both unauthenticated and authenticated provisioning +# fast_max_pac_list_len= option can be used to set the maximum +# number of PAC entries to store in a PAC list (default: 10) +# fast_pac_format=binary option can be used to select binary format for +# storing PAC entries in order to save some space (the default +# text format uses about 2.5 times the size of minimal binary +# format) +# +# wpa_supplicant supports number of "EAP workarounds" to work around +# interoperability issues with incorrectly behaving authentication servers. +# These are enabled by default because some of the issues are present in large +# number of authentication servers. Strict EAP conformance mode can be +# configured by disabling workarounds with eap_workaround=0. + +# Station inactivity limit +# +# If a station does not send anything in ap_max_inactivity seconds, an +# empty data frame is sent to it in order to verify whether it is +# still in range. If this frame is not ACKed, the station will be +# disassociated and then deauthenticated. This feature is used to +# clear station table of old entries when the STAs move out of the +# range. +# +# The station can associate again with the AP if it is still in range; +# this inactivity poll is just used as a nicer way of verifying +# inactivity; i.e., client will not report broken connection because +# disassociation frame is not sent immediately without first polling +# the STA with a data frame. +# default: 300 (i.e., 5 minutes) +#ap_max_inactivity=300 + +# DTIM period in Beacon intervals for AP mode (default: 2) +#dtim_period=2 + +# Beacon interval (default: 100 TU) +#beacon_int=100 + +# disable_ht: Whether HT (802.11n) should be disabled. +# 0 = HT enabled (if AP supports it) +# 1 = HT disabled +# +# disable_ht40: Whether HT-40 (802.11n) should be disabled. +# 0 = HT-40 enabled (if AP supports it) +# 1 = HT-40 disabled +# +# disable_sgi: Whether SGI (short guard interval) should be disabled. +# 0 = SGI enabled (if AP supports it) +# 1 = SGI disabled +# +# ht_mcs: Configure allowed MCS rates. +# Parsed as an array of bytes, in base-16 (ascii-hex) +# ht_mcs="" // Use all available (default) +# ht_mcs="0xff 00 00 00 00 00 00 00 00 00 " // Use MCS 0-7 only +# ht_mcs="0xff ff 00 00 00 00 00 00 00 00 " // Use MCS 0-15 only +# +# disable_max_amsdu: Whether MAX_AMSDU should be disabled. +# -1 = Do not make any changes. +# 0 = Enable MAX-AMSDU if hardware supports it. +# 1 = Disable AMSDU +# +# ampdu_density: Allow overriding AMPDU density configuration. +# Treated as hint by the kernel. +# -1 = Do not make any changes. +# 0-3 = Set AMPDU density (aka factor) to specified value. + +# disable_vht: Whether VHT should be disabled. +# 0 = VHT enabled (if AP supports it) +# 1 = VHT disabled +# +# vht_capa: VHT capabilities to set in the override +# vht_capa_mask: mask of VHT capabilities +# +# vht_rx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for RX NSS 1-8 +# vht_tx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for TX NSS 1-8 +# 0: MCS 0-7 +# 1: MCS 0-8 +# 2: MCS 0-9 +# 3: not supported + +# Example blocks: + +# Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers +network={ + ssid="simple" + psk="very secret passphrase" + priority=5 +} + +# Same as previous, but request SSID-specific scanning (for APs that reject +# broadcast SSID) +network={ + ssid="second ssid" + scan_ssid=1 + psk="very secret passphrase" + priority=2 +} + +# Only WPA-PSK is used. Any valid cipher combination is accepted. +network={ + ssid="example" + proto=WPA + key_mgmt=WPA-PSK + pairwise=CCMP TKIP + group=CCMP TKIP WEP104 WEP40 + psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb + priority=2 +} + +# WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying +network={ + ssid="example" + proto=WPA + key_mgmt=WPA-PSK + pairwise=TKIP + group=TKIP + psk="not so secure passphrase" + wpa_ptk_rekey=600 +} + +# Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104 +# or WEP40 as the group cipher will not be accepted. +network={ + ssid="example" + proto=RSN + key_mgmt=WPA-EAP + pairwise=CCMP TKIP + group=CCMP TKIP + eap=TLS + identity="user@example.com" + ca_cert="/etc/cert/ca.pem" + client_cert="/etc/cert/user.pem" + private_key="/etc/cert/user.prv" + private_key_passwd="password" + priority=1 +} + +# EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel +# (e.g., Radiator) +network={ + ssid="example" + key_mgmt=WPA-EAP + eap=PEAP + identity="user@example.com" + password="foobar" + ca_cert="/etc/cert/ca.pem" + phase1="peaplabel=1" + phase2="auth=MSCHAPV2" + priority=10 +} + +# EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the +# unencrypted use. Real identity is sent only within an encrypted TLS tunnel. +network={ + ssid="example" + key_mgmt=WPA-EAP + eap=TTLS + identity="user@example.com" + anonymous_identity="anonymous@example.com" + password="foobar" + ca_cert="/etc/cert/ca.pem" + priority=2 +} + +# EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted +# use. Real identity is sent only within an encrypted TLS tunnel. +network={ + ssid="example" + key_mgmt=WPA-EAP + eap=TTLS + identity="user@example.com" + anonymous_identity="anonymous@example.com" + password="foobar" + ca_cert="/etc/cert/ca.pem" + phase2="auth=MSCHAPV2" +} + +# WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner +# authentication. +network={ + ssid="example" + key_mgmt=WPA-EAP + eap=TTLS + # Phase1 / outer authentication + anonymous_identity="anonymous@example.com" + ca_cert="/etc/cert/ca.pem" + # Phase 2 / inner authentication + phase2="autheap=TLS" + ca_cert2="/etc/cert/ca2.pem" + client_cert2="/etc/cer/user.pem" + private_key2="/etc/cer/user.prv" + private_key2_passwd="password" + priority=2 +} + +# Both WPA-PSK and WPA-EAP is accepted. Only CCMP is accepted as pairwise and +# group cipher. +network={ + ssid="example" + bssid=00:11:22:33:44:55 + proto=WPA RSN + key_mgmt=WPA-PSK WPA-EAP + pairwise=CCMP + group=CCMP + psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb +} + +# Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP +# and all valid ciphers. +network={ + ssid=00010203 + psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f +} + + +# EAP-SIM with a GSM SIM or USIM +network={ + ssid="eap-sim-test" + key_mgmt=WPA-EAP + eap=SIM + pin="1234" + pcsc="" +} + + +# EAP-PSK +network={ + ssid="eap-psk-test" + key_mgmt=WPA-EAP + eap=PSK + anonymous_identity="eap_psk_user" + password=06b4be19da289f475aa46a33cb793029 + identity="eap_psk_user@example.com" +} + + +# IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using +# EAP-TLS for authentication and key generation; require both unicast and +# broadcast WEP keys. +network={ + ssid="1x-test" + key_mgmt=IEEE8021X + eap=TLS + identity="user@example.com" + ca_cert="/etc/cert/ca.pem" + client_cert="/etc/cert/user.pem" + private_key="/etc/cert/user.prv" + private_key_passwd="password" + eapol_flags=3 +} + + +# LEAP with dynamic WEP keys +network={ + ssid="leap-example" + key_mgmt=IEEE8021X + eap=LEAP + identity="user" + password="foobar" +} + +# EAP-IKEv2 using shared secrets for both server and peer authentication +network={ + ssid="ikev2-example" + key_mgmt=WPA-EAP + eap=IKEV2 + identity="user" + password="foobar" +} + +# EAP-FAST with WPA (WPA or WPA2) +network={ + ssid="eap-fast-test" + key_mgmt=WPA-EAP + eap=FAST + anonymous_identity="FAST-000102030405" + identity="username" + password="password" + phase1="fast_provisioning=1" + pac_file="/etc/wpa_supplicant.eap-fast-pac" +} + +network={ + ssid="eap-fast-test" + key_mgmt=WPA-EAP + eap=FAST + anonymous_identity="FAST-000102030405" + identity="username" + password="password" + phase1="fast_provisioning=1" + pac_file="blob://eap-fast-pac" +} + +# Plaintext connection (no WPA, no IEEE 802.1X) +network={ + ssid="plaintext-test" + key_mgmt=NONE +} + + +# Shared WEP key connection (no WPA, no IEEE 802.1X) +network={ + ssid="static-wep-test" + key_mgmt=NONE + wep_key0="abcde" + wep_key1=0102030405 + wep_key2="1234567890123" + wep_tx_keyidx=0 + priority=5 +} + + +# Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key +# IEEE 802.11 authentication +network={ + ssid="static-wep-test2" + key_mgmt=NONE + wep_key0="abcde" + wep_key1=0102030405 + wep_key2="1234567890123" + wep_tx_keyidx=0 + priority=5 + auth_alg=SHARED +} + + +# IBSS/ad-hoc network with RSN +network={ + ssid="ibss-rsn" + key_mgmt=WPA-PSK + proto=RSN + psk="12345678" + mode=1 + frequency=2412 + pairwise=CCMP + group=CCMP +} + +# IBSS/ad-hoc network with WPA-None/TKIP (deprecated) +network={ + ssid="test adhoc" + mode=1 + frequency=2412 + proto=WPA + key_mgmt=WPA-NONE + pairwise=NONE + group=TKIP + psk="secret passphrase" +} + + +# Catch all example that allows more or less all configuration modes +network={ + ssid="example" + scan_ssid=1 + key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE + pairwise=CCMP TKIP + group=CCMP TKIP WEP104 WEP40 + psk="very secret passphrase" + eap=TTLS PEAP TLS + identity="user@example.com" + password="foobar" + ca_cert="/etc/cert/ca.pem" + client_cert="/etc/cert/user.pem" + private_key="/etc/cert/user.prv" + private_key_passwd="password" + phase1="peaplabel=0" +} + +# Example of EAP-TLS with smartcard (openssl engine) +network={ + ssid="example" + key_mgmt=WPA-EAP + eap=TLS + proto=RSN + pairwise=CCMP TKIP + group=CCMP TKIP + identity="user@example.com" + ca_cert="/etc/cert/ca.pem" + client_cert="/etc/cert/user.pem" + + engine=1 + + # The engine configured here must be available. Look at + # OpenSSL engine support in the global section. + # The key available through the engine must be the private key + # matching the client certificate configured above. + + # use the opensc engine + #engine_id="opensc" + #key_id="45" + + # use the pkcs11 engine + engine_id="pkcs11" + key_id="id_45" + + # Optional PIN configuration; this can be left out and PIN will be + # asked through the control interface + pin="1234" +} + +# Example configuration showing how to use an inlined blob as a CA certificate +# data instead of using external file +network={ + ssid="example" + key_mgmt=WPA-EAP + eap=TTLS + identity="user@example.com" + anonymous_identity="anonymous@example.com" + password="foobar" + ca_cert="blob://exampleblob" + priority=20 +} + +blob-base64-exampleblob={ +SGVsbG8gV29ybGQhCg== +} + + +# Wildcard match for SSID (plaintext APs only). This example select any +# open AP regardless of its SSID. +network={ + key_mgmt=NONE +} + + +# Example config file that will only scan on channel 36. +freq_list=5180 +network={ + key_mgmt=NONE +} diff --git a/share/initrd/etc/wpa_supplicant.conf b/share/initrd/etc/wpa_supplicant.conf index 29cc5c6..9d3bf6d 100644 --- a/share/initrd/etc/wpa_supplicant.conf +++ b/share/initrd/etc/wpa_supplicant.conf @@ -1,20 +1,1273 @@ -# Sample wpa_supplicant.conf +##### Example wpa_supplicant configuration file ############################### # +# This file describes configuration file format and lists all available option. +# Please also take a look at simpler configuration examples in 'examples' +# subdirectory. +# +# Empty lines and lines starting with # are ignored + +# NOTE! This file may contain password information and should probably be made +# readable only by root user on multiuser systems. + +# Note: All file paths in this configuration file should use full (absolute, +# not relative to working directory) path in order to allow working directory +# to be changed. This can happen if wpa_supplicant is run in the background. + +# Whether to allow wpa_supplicant to update (overwrite) configuration +# +# This option can be used to allow wpa_supplicant to overwrite configuration +# file whenever configuration is changed (e.g., new network block is added with +# wpa_cli or wpa_gui, or a password is changed). This is required for +# wpa_cli/wpa_gui to be able to store the configuration changes permanently. +# Please note that overwriting configuration file will remove the comments from +# it. +#update_config=1 + +# global configuration (shared by all network blocks) +# +# Parameters for the control interface. If this is specified, wpa_supplicant +# will open a control interface that is available for external programs to +# manage wpa_supplicant. The meaning of this string depends on which control +# interface mechanism is used. For all cases, the existence of this parameter +# in configuration is used to determine whether the control interface is +# enabled. +# +# For UNIX domain sockets (default on Linux and BSD): This is a directory that +# will be created for UNIX domain sockets for listening to requests from +# external programs (CLI/GUI, etc.) for status information and configuration. +# The socket file will be named based on the interface name, so multiple +# wpa_supplicant processes can be run at the same time if more than one +# interface is used. +# /var/run/wpa_supplicant is the recommended directory for sockets and by +# default, wpa_cli will use it when trying to connect with wpa_supplicant. +# +# Access control for the control interface can be configured by setting the +# directory to allow only members of a group to use sockets. This way, it is +# possible to run wpa_supplicant as root (since it needs to change network +# configuration and open raw sockets) and still allow GUI/CLI components to be +# run as non-root users. However, since the control interface can be used to +# change the network configuration, this access needs to be protected in many +# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you +# want to allow non-root users to use the control interface, add a new group +# and change this value to match with that group. Add users that should have +# control interface access to this group. If this variable is commented out or +# not included in the configuration file, group will not be changed from the +# value it got by default when the directory or socket was created. +# +# When configuring both the directory and group, use following format: +# DIR=/var/run/wpa_supplicant GROUP=wheel +# DIR=/var/run/wpa_supplicant GROUP=0 +# (group can be either group name or gid) +# +# For UDP connections (default on Windows): The value will be ignored. This +# variable is just used to select that the control interface is to be created. +# The value can be set to, e.g., udp (ctrl_interface=udp) +# +# For Windows Named Pipe: This value can be used to set the security descriptor +# for controlling access to the control interface. Security descriptor can be +# set using Security Descriptor String Format (see http://msdn.microsoft.com/ +# library/default.asp?url=/library/en-us/secauthz/security/ +# security_descriptor_string_format.asp). The descriptor string needs to be +# prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty +# DACL (which will reject all connections). See README-Windows.txt for more +# information about SDDL string format. +# +ctrl_interface=/var/run/wpa_supplicant + +# IEEE 802.1X/EAPOL version +# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines +# EAPOL version 2. However, there are many APs that do not handle the new +# version number correctly (they seem to drop the frames completely). In order +# to make wpa_supplicant interoperate with these APs, the version number is set +# to 1 by default. This configuration value can be used to set it to the new +# version (2). +eapol_version=1 + +# AP scanning/selection +# By default, wpa_supplicant requests driver to perform AP scanning and then +# uses the scan results to select a suitable AP. Another alternative is to +# allow the driver to take care of AP scanning and selection and use +# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association +# information from the driver. +# 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to +# the currently enabled networks are found, a new network (IBSS or AP mode +# operation) may be initialized (if configured) (default) +# 0: driver takes care of scanning, AP selection, and IEEE 802.11 association +# parameters (e.g., WPA IE generation); this mode can also be used with +# non-WPA drivers when using IEEE 802.1X mode; do not try to associate with +# APs (i.e., external program needs to control association). This mode must +# also be used when using wired Ethernet drivers. +# 2: like 0, but associate with APs using security policy and SSID (but not +# BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to +# enable operation with hidden SSIDs and optimized roaming; in this mode, +# the network blocks in the configuration file are tried one by one until +# the driver reports successful association; each network block should have +# explicit security policy (i.e., only one option in the lists) for +# key_mgmt, pairwise, group, proto variables +# When using IBSS or AP mode, ap_scan=2 mode can force the new network to be +# created immediately regardless of scan results. ap_scan=1 mode will first try +# to scan for existing networks and only if no matches with the enabled +# networks are found, a new IBSS or AP mode network is created. +ap_scan=1 + +# EAP fast re-authentication +# By default, fast re-authentication is enabled for all EAP methods that +# support it. This variable can be used to disable fast re-authentication. +# Normally, there is no need to disable this. +fast_reauth=1 + +# OpenSSL Engine support +# These options can be used to load OpenSSL engines. +# The two engines that are supported currently are shown below: +# They are both from the opensc project (http://www.opensc.org/) +# By default no engines are loaded. +# make the opensc engine available +#opensc_engine_path=/usr/lib/opensc/engine_opensc.so +# make the pkcs11 engine available +#pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so +# configure the path to the pkcs11 module required by the pkcs11 engine +#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so + +# Dynamic EAP methods +# If EAP methods were built dynamically as shared object files, they need to be +# loaded here before being used in the network blocks. By default, EAP methods +# are included statically in the build, so these lines are not needed +#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so +#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so + +# Driver interface parameters +# This field can be used to configure arbitrary driver interace parameters. The +# format is specific to the selected driver interface. This field is not used +# in most cases. +#driver_param="field=value" + +# Country code +# The ISO/IEC alpha2 country code for the country in which this device is +# currently operating. +#country=US + +# Maximum lifetime for PMKSA in seconds; default 43200 +#dot11RSNAConfigPMKLifetime=43200 +# Threshold for reauthentication (percentage of PMK lifetime); default 70 +#dot11RSNAConfigPMKReauthThreshold=70 +# Timeout for security association negotiation in seconds; default 60 +#dot11RSNAConfigSATimeout=60 + +# Wi-Fi Protected Setup (WPS) parameters + +# Universally Unique IDentifier (UUID; see RFC 4122) of the device +# If not configured, UUID will be generated based on the local MAC address. +#uuid=12345678-9abc-def0-1234-56789abcdef0 + +# Device Name +# User-friendly description of device; up to 32 octets encoded in UTF-8 +#device_name=Wireless Client + +# Manufacturer +# The manufacturer of the device (up to 64 ASCII characters) +#manufacturer=Company + +# Model Name +# Model of the device (up to 32 ASCII characters) +#model_name=cmodel + +# Model Number +# Additional device description (up to 32 ASCII characters) +#model_number=123 + +# Serial Number +# Serial number of the device (up to 32 characters) +#serial_number=12345 + +# Primary Device Type +# Used format: -- +# categ = Category as an integer value +# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for +# default WPS OUI +# subcateg = OUI-specific Sub Category as an integer value +# Examples: +# 1-0050F204-1 (Computer / PC) +# 1-0050F204-2 (Computer / Server) +# 5-0050F204-1 (Storage / NAS) +# 6-0050F204-1 (Network Infrastructure / AP) +#device_type=1-0050F204-1 + +# OS Version +# 4-octet operating system version number (hex string) +#os_version=01020300 + +# Config Methods +# List of the supported configuration methods +# Available methods: usba ethernet label display ext_nfc_token int_nfc_token +# nfc_interface push_button keypad virtual_display physical_display +# virtual_push_button physical_push_button +# For WSC 1.0: +#config_methods=label display push_button keypad +# For WSC 2.0: +#config_methods=label virtual_display virtual_push_button keypad + +# Credential processing +# 0 = process received credentials internally (default) +# 1 = do not process received credentials; just pass them over ctrl_iface to +# external program(s) +# 2 = process received credentials internally and pass them over ctrl_iface +# to external program(s) +#wps_cred_processing=0 + +# Vendor attribute in WPS M1, e.g., Windows 7 Vertical Pairing +# The vendor attribute contents to be added in M1 (hex string) +#wps_vendor_ext_m1=000137100100020001 + +# NFC password token for WPS +# These parameters can be used to configure a fixed NFC password token for the +# station. This can be generated, e.g., with nfc_pw_token. When these +# parameters are used, the station is assumed to be deployed with a NFC tag +# that includes the matching NFC password token (e.g., written based on the +# NDEF record from nfc_pw_token). +# +#wps_nfc_dev_pw_id: Device Password ID (16..65535) +#wps_nfc_dh_pubkey: Hexdump of DH Public Key +#wps_nfc_dh_privkey: Hexdump of DH Private Key +#wps_nfc_dev_pw: Hexdump of Device Password + +# Maximum number of BSS entries to keep in memory +# Default: 200 +# This can be used to limit memory use on the BSS entries (cached scan +# results). A larger value may be needed in environments that have huge number +# of APs when using ap_scan=1 mode. +#bss_max_count=200 + +# Automatic scan +# This is an optional set of parameters for automatic scanning +# within an interface in following format: +#autoscan=: +# autoscan is like bgscan but on disconnected or inactive state. +# For instance, on exponential module parameters would be : +#autoscan=exponential:3:300 +# Which means a delay between scans on a base exponential of 3, +# up to the limit of 300 seconds (3, 9, 27 ... 300) +# For periodic module, parameters would be +#autoscan=periodic:30 +# So a delay of 30 seconds will be applied between each scan + +# filter_ssids - SSID-based scan result filtering +# 0 = do not filter scan results (default) +# 1 = only include configured SSIDs in scan results/BSS table +#filter_ssids=0 + +# Password (and passphrase, etc.) backend for external storage +# format: [:] +#ext_password_backend=test:pw1=password|pw2=testing + +# Timeout in seconds to detect STA inactivity (default: 300 seconds) +# +# This timeout value is used in P2P GO mode to clean up +# inactive stations. +#p2p_go_max_inactivity=300 + +# Opportunistic Key Caching (also known as Proactive Key Caching) default +# This parameter can be used to set the default behavior for the +# proactive_key_caching parameter. By default, OKC is disabled unless enabled +# with the global okc=1 parameter or with the per-network +# proactive_key_caching=1 parameter. With okc=1, OKC is enabled by default, but +# can be disabled with per-network proactive_key_caching=0 parameter. +#okc=0 + +# Protected Management Frames default +# This parameter can be used to set the default behavior for the ieee80211w +# parameter. By default, PMF is disabled unless enabled with the global pmf=1/2 +# parameter or with the per-network ieee80211w=1/2 parameter. With pmf=1/2, PMF +# is enabled/required by default, but can be disabled with the per-network +# ieee80211w parameter. +#pmf=0 + +# Enabled SAE finite cyclic groups in preference order +# By default (if this parameter is not set), the mandatory group 19 (ECC group +# defined over a 256-bit prime order field) is preferred, but other groups are +# also enabled. If this parameter is set, the groups will be tried in the +# indicated order. The group values are listed in the IANA registry: +# http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9 +#sae_groups=21 20 19 26 25 + +# Default value for DTIM period (if not overridden in network block) +#dtim_period=2 + +# Default value for Beacon interval (if not overridden in network block) +#beacon_int=100 + +# Additional vendor specific elements for Beacon and Probe Response frames +# This parameter can be used to add additional vendor specific element(s) into +# the end of the Beacon and Probe Response frames. The format for these +# element(s) is a hexdump of the raw information elements (id+len+payload for +# one or more elements). This is used in AP and P2P GO modes. +#ap_vendor_elements=dd0411223301 + +# Ignore scan results older than request +# +# The driver may have a cache of scan results that makes it return +# information that is older than our scan trigger. This parameter can +# be used to configure such old information to be ignored instead of +# allowing it to update the internal BSS table. +#ignore_old_scan_res=0 + +# scan_cur_freq: Whether to scan only the current frequency +# 0: Scan all available frequencies. (Default) +# 1: Scan current operating frequency if another VIF on the same radio +# is already associated. + +# Interworking (IEEE 802.11u) + +# Enable Interworking +# interworking=1 + +# Homogenous ESS identifier +# If this is set, scans will be used to request response only from BSSes +# belonging to the specified Homogeneous ESS. This is used only if interworking +# is enabled. +# hessid=00:11:22:33:44:55 + +# Automatic network selection behavior +# 0 = do not automatically go through Interworking network selection +# (i.e., require explicit interworking_select command for this; default) +# 1 = perform Interworking network selection if one or more +# credentials have been configured and scan did not find a +# matching network block +#auto_interworking=0 + +# credential block +# +# Each credential used for automatic network selection is configured as a set +# of parameters that are compared to the information advertised by the APs when +# interworking_select and interworking_connect commands are used. +# +# credential fields: +# +# temporary: Whether this credential is temporary and not to be saved +# +# priority: Priority group +# By default, all networks and credentials get the same priority group +# (0). This field can be used to give higher priority for credentials +# (and similarly in struct wpa_ssid for network blocks) to change the +# Interworking automatic networking selection behavior. The matching +# network (based on either an enabled network block or a credential) +# with the highest priority value will be selected. +# +# pcsc: Use PC/SC and SIM/USIM card +# +# realm: Home Realm for Interworking +# +# username: Username for Interworking network selection +# +# password: Password for Interworking network selection +# +# ca_cert: CA certificate for Interworking network selection +# +# client_cert: File path to client certificate file (PEM/DER) +# This field is used with Interworking networking selection for a case +# where client certificate/private key is used for authentication +# (EAP-TLS). Full path to the file should be used since working +# directory may change when wpa_supplicant is run in the background. +# +# Alternatively, a named configuration blob can be used by setting +# this to blob://blob_name. +# +# private_key: File path to client private key file (PEM/DER/PFX) +# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be +# commented out. Both the private key and certificate will be read +# from the PKCS#12 file in this case. Full path to the file should be +# used since working directory may change when wpa_supplicant is run +# in the background. +# +# Windows certificate store can be used by leaving client_cert out and +# configuring private_key in one of the following formats: +# +# cert://substring_to_match +# +# hash://certificate_thumbprint_in_hex +# +# For example: private_key="hash://63093aa9c47f56ae88334c7b65a4" +# +# Note that when running wpa_supplicant as an application, the user +# certificate store (My user account) is used, whereas computer store +# (Computer account) is used when running wpasvc as a service. +# +# Alternatively, a named configuration blob can be used by setting +# this to blob://blob_name. +# +# private_key_passwd: Password for private key file +# +# imsi: IMSI in | | '-' | format +# +# milenage: Milenage parameters for SIM/USIM simulator in :: +# format +# +# domain: Home service provider FQDN(s) +# This is used to compare against the Domain Name List to figure out +# whether the AP is operated by the Home SP. Multiple domain entries can +# be used to configure alternative FQDNs that will be considered home +# networks. +# +# roaming_consortium: Roaming Consortium OI +# If roaming_consortium_len is non-zero, this field contains the +# Roaming Consortium OI that can be used to determine which access +# points support authentication with this credential. This is an +# alternative to the use of the realm parameter. When using Roaming +# Consortium to match the network, the EAP parameters need to be +# pre-configured with the credential since the NAI Realm information +# may not be available or fetched. +# +# eap: Pre-configured EAP method +# This optional field can be used to specify which EAP method will be +# used with this credential. If not set, the EAP method is selected +# automatically based on ANQP information (e.g., NAI Realm). +# +# phase1: Pre-configure Phase 1 (outer authentication) parameters +# This optional field is used with like the 'eap' parameter. +# +# phase2: Pre-configure Phase 2 (inner authentication) parameters +# This optional field is used with like the 'eap' parameter. +# +# excluded_ssid: Excluded SSID +# This optional field can be used to excluded specific SSID(s) from +# matching with the network. Multiple entries can be used to specify more +# than one SSID. +# +# for example: +# +#cred={ +# realm="example.com" +# username="user@example.com" +# password="password" +# ca_cert="/etc/wpa_supplicant/ca.pem" +# domain="example.com" +#} +# +#cred={ +# imsi="310026-000000000" +# milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82" +#} +# +#cred={ +# realm="example.com" +# username="user" +# password="password" +# ca_cert="/etc/wpa_supplicant/ca.pem" +# domain="example.com" +# roaming_consortium=223344 +# eap=TTLS +# phase2="auth=MSCHAPV2" +#} + +# Hotspot 2.0 +# hs20=1 + +# network block +# +# Each network (usually AP's sharing the same SSID) is configured as a separate +# block in this configuration file. The network blocks are in preference order +# (the first match is used). +# +# network block fields: +# +# disabled: +# 0 = this network can be used (default) +# 1 = this network block is disabled (can be enabled through ctrl_iface, +# e.g., with wpa_cli or wpa_gui) +# +# id_str: Network identifier string for external scripts. This value is passed +# to external action script through wpa_cli as WPA_ID_STR environment +# variable to make it easier to do network specific configuration. +# +# ssid: SSID (mandatory); network name in one of the optional formats: +# - an ASCII string with double quotation +# - a hex string (two characters per octet of SSID) +# - a printf-escaped ASCII string P"" +# +# scan_ssid: +# 0 = do not scan this SSID with specific Probe Request frames (default) +# 1 = scan with SSID-specific Probe Request frames (this can be used to +# find APs that do not accept broadcast SSID or use multiple SSIDs; +# this will add latency to scanning, so enable this only when needed) +# +# bssid: BSSID (optional); if set, this network block is used only when +# associating with the AP using the configured BSSID +# +# priority: priority group (integer) +# By default, all networks will get same priority group (0). If some of the +# networks are more desirable, this field can be used to change the order in +# which wpa_supplicant goes through the networks when selecting a BSS. The +# priority groups will be iterated in decreasing priority (i.e., the larger the +# priority value, the sooner the network is matched against the scan results). +# Within each priority group, networks will be selected based on security +# policy, signal strength, etc. +# Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not +# using this priority to select the order for scanning. Instead, they try the +# networks in the order that used in the configuration file. +# +# mode: IEEE 802.11 operation mode +# 0 = infrastructure (Managed) mode, i.e., associate with an AP (default) +# 1 = IBSS (ad-hoc, peer-to-peer) +# 2 = AP (access point) +# Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) and +# WPA-PSK (with proto=RSN). In addition, key_mgmt=WPA-NONE (fixed group key +# TKIP/CCMP) is available for backwards compatibility, but its use is +# deprecated. WPA-None requires following network block options: +# proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not +# both), and psk must also be set. +# +# frequency: Channel frequency in megahertz (MHz) for IBSS, e.g., +# 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial +# channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode. +# In addition, this value is only used by the station that creates the IBSS. If +# an IBSS network with the configured SSID is already present, the frequency of +# the network will be used instead of this configured value. +# +# scan_freq: List of frequencies to scan +# Space-separated list of frequencies in MHz to scan when searching for this +# BSS. If the subset of channels used by the network is known, this option can +# be used to optimize scanning to not occur on channels that the network does +# not use. Example: scan_freq=2412 2437 2462 +# +# freq_list: Array of allowed frequencies +# Space-separated list of frequencies in MHz to allow for selecting the BSS. If +# set, scan results that do not match any of the specified frequencies are not +# considered when selecting a BSS. +# +# This can also be set on the outside of the network block. In this case, +# it limits the frequencies that will be scanned. +# +# bgscan: Background scanning +# wpa_supplicant behavior for background scanning can be specified by +# configuring a bgscan module. These modules are responsible for requesting +# background scans for the purpose of roaming within an ESS (i.e., within a +# single network block with all the APs using the same SSID). The bgscan +# parameter uses following format: ":" +# Following bgscan modules are available: +# simple - Periodic background scans based on signal strength +# bgscan="simple::: +# " +# bgscan="simple:30:-45:300" +# learn - Learn channels used by the network and try to avoid bgscans on other +# channels (experimental) +# bgscan="learn::: +# [:]" +# bgscan="learn:30:-45:300:/etc/wpa_supplicant/network1.bgscan" +# +# This option can also be set outside of all network blocks for the bgscan +# parameter to apply for all the networks that have no specific bgscan +# parameter. +# +# proto: list of accepted protocols +# WPA = WPA/IEEE 802.11i/D3.0 +# RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN) +# If not set, this defaults to: WPA RSN +# +# key_mgmt: list of accepted authenticated key management protocols +# WPA-PSK = WPA pre-shared key (this requires 'psk' field) +# WPA-EAP = WPA using EAP authentication +# IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically +# generated WEP keys +# NONE = WPA is not used; plaintext or static WEP could be used +# WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms +# WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms +# If not set, this defaults to: WPA-PSK WPA-EAP +# +# ieee80211w: whether management frame protection is enabled +# 0 = disabled (default unless changed with the global pmf parameter) +# 1 = optional +# 2 = required +# The most common configuration options for this based on the PMF (protected +# management frames) certification program are: +# PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256 +# PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256 +# (and similarly for WPA-PSK and WPA-WPSK-SHA256 if WPA2-Personal is used) +# +# auth_alg: list of allowed IEEE 802.11 authentication algorithms +# OPEN = Open System authentication (required for WPA/WPA2) +# SHARED = Shared Key authentication (requires static WEP keys) +# LEAP = LEAP/Network EAP (only used with LEAP) +# If not set, automatic selection is used (Open System with LEAP enabled if +# LEAP is allowed as one of the EAP methods). +# +# pairwise: list of accepted pairwise (unicast) ciphers for WPA +# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] +# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] +# NONE = Use only Group Keys (deprecated, should not be included if APs support +# pairwise keys) +# If not set, this defaults to: CCMP TKIP +# +# group: list of accepted group (broadcast/multicast) ciphers for WPA +# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] +# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] +# WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key +# WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11] +# If not set, this defaults to: CCMP TKIP WEP104 WEP40 +# +# psk: WPA preshared key; 256-bit pre-shared key +# The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e., +# 32 bytes or as an ASCII passphrase (in which case, the real PSK will be +# generated using the passphrase and SSID). ASCII passphrase must be between +# 8 and 63 characters (inclusive). ext: format can +# be used to indicate that the PSK/passphrase is stored in external storage. +# This field is not needed, if WPA-EAP is used. +# Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys +# from ASCII passphrase. This process uses lot of CPU and wpa_supplicant +# startup and reconfiguration time can be optimized by generating the PSK only +# only when the passphrase or SSID has actually changed. +# +# eapol_flags: IEEE 802.1X/EAPOL options (bit field) +# Dynamic WEP key required for non-WPA mode +# bit0 (1): require dynamically generated unicast WEP key +# bit1 (2): require dynamically generated broadcast WEP key +# (3 = require both keys; default) +# Note: When using wired authentication, eapol_flags must be set to 0 for the +# authentication to be completed successfully. +# +# mixed_cell: This option can be used to configure whether so called mixed +# cells, i.e., networks that use both plaintext and encryption in the same +# SSID, are allowed when selecting a BSS from scan results. +# 0 = disabled (default) +# 1 = enabled +# +# proactive_key_caching: +# Enable/disable opportunistic PMKSA caching for WPA2. +# 0 = disabled (default unless changed with the global okc parameter) +# 1 = enabled +# +# wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or +# hex without quotation, e.g., 0102030405) +# wep_tx_keyidx: Default WEP key index (TX) (0..3) +# +# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is +# allowed. This is only used with RSN/WPA2. +# 0 = disabled (default) +# 1 = enabled +#peerkey=1 +# +# wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to +# enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies. +# +# Following fields are only used with internal EAP implementation. +# eap: space-separated list of accepted EAP methods +# MD5 = EAP-MD5 (unsecure and does not generate keying material -> +# cannot be used with WPA; to be used as a Phase 2 method +# with EAP-PEAP or EAP-TTLS) +# MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used +# as a Phase 2 method with EAP-PEAP or EAP-TTLS) +# OTP = EAP-OTP (cannot be used separately with WPA; to be used +# as a Phase 2 method with EAP-PEAP or EAP-TTLS) +# GTC = EAP-GTC (cannot be used separately with WPA; to be used +# as a Phase 2 method with EAP-PEAP or EAP-TTLS) +# TLS = EAP-TLS (client and server certificate) +# PEAP = EAP-PEAP (with tunnelled EAP authentication) +# TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2 +# authentication) +# If not set, all compiled in methods are allowed. +# +# identity: Identity string for EAP +# This field is also used to configure user NAI for +# EAP-PSK/PAX/SAKE/GPSK. +# anonymous_identity: Anonymous identity string for EAP (to be used as the +# unencrypted identity with EAP types that support different tunnelled +# identity, e.g., EAP-TTLS). This field can also be used with +# EAP-SIM/AKA/AKA' to store the pseudonym identity. +# password: Password string for EAP. This field can include either the +# plaintext password (using ASCII or hex string) or a NtPasswordHash +# (16-byte MD4 hash of password) in hash:<32 hex digits> format. +# NtPasswordHash can only be used when the password is for MSCHAPv2 or +# MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP). +# EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit +# PSK) is also configured using this field. For EAP-GPSK, this is a +# variable length PSK. ext: format can +# be used to indicate that the password is stored in external storage. +# ca_cert: File path to CA certificate file (PEM/DER). This file can have one +# or more trusted CA certificates. If ca_cert and ca_path are not +# included, server certificate will not be verified. This is insecure and +# a trusted CA certificate should always be configured when using +# EAP-TLS/TTLS/PEAP. Full path should be used since working directory may +# change when wpa_supplicant is run in the background. +# +# Alternatively, this can be used to only perform matching of the server +# certificate (SHA-256 hash of the DER encoded X.509 certificate). In +# this case, the possible CA certificates in the server certificate chain +# are ignored and only the server certificate is verified. This is +# configured with the following format: +# hash:://server/sha256/cert_hash_in_hex +# For example: "hash://server/sha256/ +# 5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a" +# +# On Windows, trusted CA certificates can be loaded from the system +# certificate store by setting this to cert_store://, e.g., +# ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT". +# Note that when running wpa_supplicant as an application, the user +# certificate store (My user account) is used, whereas computer store +# (Computer account) is used when running wpasvc as a service. +# ca_path: Directory path for CA certificate files (PEM). This path may +# contain multiple CA certificates in OpenSSL format. Common use for this +# is to point to system trusted CA list which is often installed into +# directory like /etc/ssl/certs. If configured, these certificates are +# added to the list of trusted CAs. ca_cert may also be included in that +# case, but it is not required. +# client_cert: File path to client certificate file (PEM/DER) +# Full path should be used since working directory may change when +# wpa_supplicant is run in the background. +# Alternatively, a named configuration blob can be used by setting this +# to blob://. +# private_key: File path to client private key file (PEM/DER/PFX) +# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be +# commented out. Both the private key and certificate will be read from +# the PKCS#12 file in this case. Full path should be used since working +# directory may change when wpa_supplicant is run in the background. +# Windows certificate store can be used by leaving client_cert out and +# configuring private_key in one of the following formats: +# cert://substring_to_match +# hash://certificate_thumbprint_in_hex +# for example: private_key="hash://63093aa9c47f56ae88334c7b65a4" +# Note that when running wpa_supplicant as an application, the user +# certificate store (My user account) is used, whereas computer store +# (Computer account) is used when running wpasvc as a service. +# Alternatively, a named configuration blob can be used by setting this +# to blob://. +# private_key_passwd: Password for private key file (if left out, this will be +# asked through control interface) +# dh_file: File path to DH/DSA parameters file (in PEM format) +# This is an optional configuration file for setting parameters for an +# ephemeral DH key exchange. In most cases, the default RSA +# authentication does not use this configuration. However, it is possible +# setup RSA to use ephemeral DH key exchange. In addition, ciphers with +# DSA keys always use ephemeral DH keys. This can be used to achieve +# forward secrecy. If the file is in DSA parameters format, it will be +# automatically converted into DH params. +# subject_match: Substring to be matched against the subject of the +# authentication server certificate. If this string is set, the server +# sertificate is only accepted if it contains this string in the subject. +# The subject string is in following format: +# /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com +# altsubject_match: Semicolon separated string of entries to be matched against +# the alternative subject name of the authentication server certificate. +# If this string is set, the server sertificate is only accepted if it +# contains one of the entries in an alternative subject name extension. +# altSubjectName string is in following format: TYPE:VALUE +# Example: EMAIL:server@example.com +# Example: DNS:server.example.com;DNS:server2.example.com +# Following types are supported: EMAIL, DNS, URI +# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters +# (string with field-value pairs, e.g., "peapver=0" or +# "peapver=1 peaplabel=1") +# 'peapver' can be used to force which PEAP version (0 or 1) is used. +# 'peaplabel=1' can be used to force new label, "client PEAP encryption", +# to be used during key derivation when PEAPv1 or newer. Most existing +# PEAPv1 implementation seem to be using the old label, "client EAP +# encryption", and wpa_supplicant is now using that as the default value. +# Some servers, e.g., Radiator, may require peaplabel=1 configuration to +# interoperate with PEAPv1; see eap_testing.txt for more details. +# 'peap_outer_success=0' can be used to terminate PEAP authentication on +# tunneled EAP-Success. This is required with some RADIUS servers that +# implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g., +# Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode) +# include_tls_length=1 can be used to force wpa_supplicant to include +# TLS Message Length field in all TLS messages even if they are not +# fragmented. +# sim_min_num_chal=3 can be used to configure EAP-SIM to require three +# challenges (by default, it accepts 2 or 3) +# result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use +# protected result indication. +# 'crypto_binding' option can be used to control PEAPv0 cryptobinding +# behavior: +# * 0 = do not use cryptobinding (default) +# * 1 = use cryptobinding if server supports it +# * 2 = require cryptobinding +# EAP-WSC (WPS) uses following options: pin= or +# pbc=1. +# phase2: Phase2 (inner authentication with TLS tunnel) parameters +# (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or +# "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS) +# +# TLS-based methods can use the following parameters to control TLS behavior +# (these are normally in the phase1 parameter, but can be used also in the +# phase2 parameter when EAP-TLS is used within the inner tunnel): +# tls_allow_md5=1 - allow MD5-based certificate signatures (depending on the +# TLS library, these may be disabled by default to enforce stronger +# security) +# tls_disable_time_checks=1 - ignore certificate validity time (this requests +# the TLS library to accept certificates even if they are not currently +# valid, i.e., have expired or have not yet become valid; this should be +# used only for testing purposes) +# tls_disable_session_ticket=1 - disable TLS Session Ticket extension +# tls_disable_session_ticket=0 - allow TLS Session Ticket extension to be used +# Note: If not set, this is automatically set to 1 for EAP-TLS/PEAP/TTLS +# as a workaround for broken authentication server implementations unless +# EAP workarounds are disabled with eap_workarounds=0. +# For EAP-FAST, this must be set to 0 (or left unconfigured for the +# default value to be used automatically). +# +# Following certificate/private key fields are used in inner Phase2 +# authentication when using EAP-TTLS or EAP-PEAP. +# ca_cert2: File path to CA certificate file. This file can have one or more +# trusted CA certificates. If ca_cert2 and ca_path2 are not included, +# server certificate will not be verified. This is insecure and a trusted +# CA certificate should always be configured. +# ca_path2: Directory path for CA certificate files (PEM) +# client_cert2: File path to client certificate file +# private_key2: File path to client private key file +# private_key2_passwd: Password for private key file +# dh_file2: File path to DH/DSA parameters file (in PEM format) +# subject_match2: Substring to be matched against the subject of the +# authentication server certificate. +# altsubject_match2: Substring to be matched against the alternative subject +# name of the authentication server certificate. +# +# fragment_size: Maximum EAP fragment size in bytes (default 1398). +# This value limits the fragment size for EAP methods that support +# fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set +# small enough to make the EAP messages fit in MTU of the network +# interface used for EAPOL. The default value is suitable for most +# cases. +# +# ocsp: Whether to use/require OCSP to check server certificate +# 0 = do not use OCSP stapling (TLS certificate status extension) +# 1 = try to use OCSP stapling, but not require response +# 2 = require valid OCSP stapling response +# +# EAP-FAST variables: +# pac_file: File path for the PAC entries. wpa_supplicant will need to be able +# to create this file and write updates to it when PAC is being +# provisioned or refreshed. Full path to the file should be used since +# working directory may change when wpa_supplicant is run in the +# background. Alternatively, a named configuration blob can be used by +# setting this to blob:// +# phase1: fast_provisioning option can be used to enable in-line provisioning +# of EAP-FAST credentials (PAC): +# 0 = disabled, +# 1 = allow unauthenticated provisioning, +# 2 = allow authenticated provisioning, +# 3 = allow both unauthenticated and authenticated provisioning +# fast_max_pac_list_len= option can be used to set the maximum +# number of PAC entries to store in a PAC list (default: 10) +# fast_pac_format=binary option can be used to select binary format for +# storing PAC entries in order to save some space (the default +# text format uses about 2.5 times the size of minimal binary +# format) +# +# wpa_supplicant supports number of "EAP workarounds" to work around +# interoperability issues with incorrectly behaving authentication servers. +# These are enabled by default because some of the issues are present in large +# number of authentication servers. Strict EAP conformance mode can be +# configured by disabling workarounds with eap_workaround=0. + +# Station inactivity limit +# +# If a station does not send anything in ap_max_inactivity seconds, an +# empty data frame is sent to it in order to verify whether it is +# still in range. If this frame is not ACKed, the station will be +# disassociated and then deauthenticated. This feature is used to +# clear station table of old entries when the STAs move out of the +# range. +# +# The station can associate again with the AP if it is still in range; +# this inactivity poll is just used as a nicer way of verifying +# inactivity; i.e., client will not report broken connection because +# disassociation frame is not sent immediately without first polling +# the STA with a data frame. +# default: 300 (i.e., 5 minutes) +#ap_max_inactivity=300 + +# DTIM period in Beacon intervals for AP mode (default: 2) +#dtim_period=2 + +# Beacon interval (default: 100 TU) +#beacon_int=100 + +# disable_ht: Whether HT (802.11n) should be disabled. +# 0 = HT enabled (if AP supports it) +# 1 = HT disabled +# +# disable_ht40: Whether HT-40 (802.11n) should be disabled. +# 0 = HT-40 enabled (if AP supports it) +# 1 = HT-40 disabled +# +# disable_sgi: Whether SGI (short guard interval) should be disabled. +# 0 = SGI enabled (if AP supports it) +# 1 = SGI disabled +# +# ht_mcs: Configure allowed MCS rates. +# Parsed as an array of bytes, in base-16 (ascii-hex) +# ht_mcs="" // Use all available (default) +# ht_mcs="0xff 00 00 00 00 00 00 00 00 00 " // Use MCS 0-7 only +# ht_mcs="0xff ff 00 00 00 00 00 00 00 00 " // Use MCS 0-15 only +# +# disable_max_amsdu: Whether MAX_AMSDU should be disabled. +# -1 = Do not make any changes. +# 0 = Enable MAX-AMSDU if hardware supports it. +# 1 = Disable AMSDU +# +# ampdu_density: Allow overriding AMPDU density configuration. +# Treated as hint by the kernel. +# -1 = Do not make any changes. +# 0-3 = Set AMPDU density (aka factor) to specified value. -# wpa/wpa2 +# disable_vht: Whether VHT should be disabled. +# 0 = VHT enabled (if AP supports it) +# 1 = VHT disabled # +# vht_capa: VHT capabilities to set in the override +# vht_capa_mask: mask of VHT capabilities +# +# vht_rx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for RX NSS 1-8 +# vht_tx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for TX NSS 1-8 +# 0: MCS 0-7 +# 1: MCS 0-8 +# 2: MCS 0-9 +# 3: not supported + +# Example blocks: + +# Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers network={ - ssid="ssidnamehere" - scan_ssid=1 - psk="passwordhere" + ssid="simple" + psk="very secret passphrase" + priority=5 } -# old wep -# +# Same as previous, but request SSID-specific scanning (for APs that reject +# broadcast SSID) +network={ + ssid="second ssid" + scan_ssid=1 + psk="very secret passphrase" + priority=2 +} + +# Only WPA-PSK is used. Any valid cipher combination is accepted. +network={ + ssid="example" + proto=WPA + key_mgmt=WPA-PSK + pairwise=CCMP TKIP + group=CCMP TKIP WEP104 WEP40 + psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb + priority=2 +} + +# WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying +network={ + ssid="example" + proto=WPA + key_mgmt=WPA-PSK + pairwise=TKIP + group=TKIP + psk="not so secure passphrase" + wpa_ptk_rekey=600 +} + +# Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104 +# or WEP40 as the group cipher will not be accepted. +network={ + ssid="example" + proto=RSN + key_mgmt=WPA-EAP + pairwise=CCMP TKIP + group=CCMP TKIP + eap=TLS + identity="user@example.com" + ca_cert="/etc/cert/ca.pem" + client_cert="/etc/cert/user.pem" + private_key="/etc/cert/user.prv" + private_key_passwd="password" + priority=1 +} + +# EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel +# (e.g., Radiator) +network={ + ssid="example" + key_mgmt=WPA-EAP + eap=PEAP + identity="user@example.com" + password="foobar" + ca_cert="/etc/cert/ca.pem" + phase1="peaplabel=1" + phase2="auth=MSCHAPV2" + priority=10 +} + +# EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the +# unencrypted use. Real identity is sent only within an encrypted TLS tunnel. +network={ + ssid="example" + key_mgmt=WPA-EAP + eap=TTLS + identity="user@example.com" + anonymous_identity="anonymous@example.com" + password="foobar" + ca_cert="/etc/cert/ca.pem" + priority=2 +} + +# EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted +# use. Real identity is sent only within an encrypted TLS tunnel. +network={ + ssid="example" + key_mgmt=WPA-EAP + eap=TTLS + identity="user@example.com" + anonymous_identity="anonymous@example.com" + password="foobar" + ca_cert="/etc/cert/ca.pem" + phase2="auth=MSCHAPV2" +} + +# WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner +# authentication. +network={ + ssid="example" + key_mgmt=WPA-EAP + eap=TTLS + # Phase1 / outer authentication + anonymous_identity="anonymous@example.com" + ca_cert="/etc/cert/ca.pem" + # Phase 2 / inner authentication + phase2="autheap=TLS" + ca_cert2="/etc/cert/ca2.pem" + client_cert2="/etc/cer/user.pem" + private_key2="/etc/cer/user.prv" + private_key2_passwd="password" + priority=2 +} + +# Both WPA-PSK and WPA-EAP is accepted. Only CCMP is accepted as pairwise and +# group cipher. +network={ + ssid="example" + bssid=00:11:22:33:44:55 + proto=WPA RSN + key_mgmt=WPA-PSK WPA-EAP + pairwise=CCMP + group=CCMP + psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb +} + +# Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP +# and all valid ciphers. +network={ + ssid=00010203 + psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f +} + + +# EAP-SIM with a GSM SIM or USIM +network={ + ssid="eap-sim-test" + key_mgmt=WPA-EAP + eap=SIM + pin="1234" + pcsc="" +} + + +# EAP-PSK +network={ + ssid="eap-psk-test" + key_mgmt=WPA-EAP + eap=PSK + anonymous_identity="eap_psk_user" + password=06b4be19da289f475aa46a33cb793029 + identity="eap_psk_user@example.com" +} + + +# IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using +# EAP-TLS for authentication and key generation; require both unicast and +# broadcast WEP keys. +network={ + ssid="1x-test" + key_mgmt=IEEE8021X + eap=TLS + identity="user@example.com" + ca_cert="/etc/cert/ca.pem" + client_cert="/etc/cert/user.pem" + private_key="/etc/cert/user.prv" + private_key_passwd="password" + eapol_flags=3 +} + + +# LEAP with dynamic WEP keys +network={ + ssid="leap-example" + key_mgmt=IEEE8021X + eap=LEAP + identity="user" + password="foobar" +} + +# EAP-IKEv2 using shared secrets for both server and peer authentication +network={ + ssid="ikev2-example" + key_mgmt=WPA-EAP + eap=IKEV2 + identity="user" + password="foobar" +} + +# EAP-FAST with WPA (WPA or WPA2) +network={ + ssid="eap-fast-test" + key_mgmt=WPA-EAP + eap=FAST + anonymous_identity="FAST-000102030405" + identity="username" + password="password" + phase1="fast_provisioning=1" + pac_file="/etc/wpa_supplicant.eap-fast-pac" +} + +network={ + ssid="eap-fast-test" + key_mgmt=WPA-EAP + eap=FAST + anonymous_identity="FAST-000102030405" + identity="username" + password="password" + phase1="fast_provisioning=1" + pac_file="blob://eap-fast-pac" +} + +# Plaintext connection (no WPA, no IEEE 802.1X) +network={ + ssid="plaintext-test" + key_mgmt=NONE +} + + +# Shared WEP key connection (no WPA, no IEEE 802.1X) +network={ + ssid="static-wep-test" + key_mgmt=NONE + wep_key0="abcde" + wep_key1=0102030405 + wep_key2="1234567890123" + wep_tx_keyidx=0 + priority=5 +} + + +# Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key +# IEEE 802.11 authentication +network={ + ssid="static-wep-test2" + key_mgmt=NONE + wep_key0="abcde" + wep_key1=0102030405 + wep_key2="1234567890123" + wep_tx_keyidx=0 + priority=5 + auth_alg=SHARED +} + + +# IBSS/ad-hoc network with RSN +network={ + ssid="ibss-rsn" + key_mgmt=WPA-PSK + proto=RSN + psk="12345678" + mode=1 + frequency=2412 + pairwise=CCMP + group=CCMP +} + +# IBSS/ad-hoc network with WPA-None/TKIP (deprecated) +network={ + ssid="test adhoc" + mode=1 + frequency=2412 + proto=WPA + key_mgmt=WPA-NONE + pairwise=NONE + group=TKIP + psk="secret passphrase" +} + + +# Catch all example that allows more or less all configuration modes +network={ + ssid="example" + scan_ssid=1 + key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE + pairwise=CCMP TKIP + group=CCMP TKIP WEP104 WEP40 + psk="very secret passphrase" + eap=TTLS PEAP TLS + identity="user@example.com" + password="foobar" + ca_cert="/etc/cert/ca.pem" + client_cert="/etc/cert/user.pem" + private_key="/etc/cert/user.prv" + private_key_passwd="password" + phase1="peaplabel=0" +} + +# Example of EAP-TLS with smartcard (openssl engine) +network={ + ssid="example" + key_mgmt=WPA-EAP + eap=TLS + proto=RSN + pairwise=CCMP TKIP + group=CCMP TKIP + identity="user@example.com" + ca_cert="/etc/cert/ca.pem" + client_cert="/etc/cert/user.pem" + + engine=1 + + # The engine configured here must be available. Look at + # OpenSSL engine support in the global section. + # The key available through the engine must be the private key + # matching the client certificate configured above. + + # use the opensc engine + #engine_id="opensc" + #key_id="45" + + # use the pkcs11 engine + engine_id="pkcs11" + key_id="id_45" + + # Optional PIN configuration; this can be left out and PIN will be + # asked through the control interface + pin="1234" +} + +# Example configuration showing how to use an inlined blob as a CA certificate +# data instead of using external file +network={ + ssid="example" + key_mgmt=WPA-EAP + eap=TTLS + identity="user@example.com" + anonymous_identity="anonymous@example.com" + password="foobar" + ca_cert="blob://exampleblob" + priority=20 +} + +blob-base64-exampleblob={ +SGVsbG8gV29ybGQhCg== +} + + +# Wildcard match for SSID (plaintext APs only). This example select any +# open AP regardless of its SSID. +network={ + key_mgmt=NONE +} + + +# Example config file that will only scan on channel 36. +freq_list=5180 network={ - ssid="ssidnamehere" - scan_ssid=1 - key_mgmt=NONE - wep_tx_keyidx=0 - wep_key0=HEXDIGITSFORKEY + key_mgmt=NONE } diff --git a/usr.sbin/802_11/Makefile.crypto b/usr.sbin/802_11/Makefile.crypto new file mode 100644 index 0000000..09608d3 --- /dev/null +++ b/usr.sbin/802_11/Makefile.crypto @@ -0,0 +1,133 @@ +# $FreeBSD: head/usr.sbin/wpa/Makefile.crypto 252726 2013-07-04 21:12:58Z rpaulo $ + +#.if ${MK_OPENSSL} != "no" && !defined(RELEASE_CRUNCH) +SRCS+= crypto_openssl.c random.c sha1-prf.c sha256-prf.c +DPADD+= ${LIBSSL} ${LIBCRYPTO} +LDADD+= -lssl -lcrypto +CFLAGS+= -DCONFIG_SHA256 +#.else +#CFLAGS+=-DCONFIG_CRYPTO_INTERNAL +#SRCS+= crypto_internal.c random.c +#CONFIG_INTERNAL_AES=y +#CONFIG_INTERNAL_DES=y +#CONFIG_INTERNAL_MD4=y +#CONFIG_INTERNAL_MD5=y +#CONFIG_INTERNAL_RC4=y +#CONFIG_INTERNAL_SHA1=y +#NEED_SHA256=y +#CONFIG_INTERNAL_SHA256=y +#CONFIG_INTERNAL_TLS=y +#CONFIG_INTERNAL_DH5=y +#CONFIG_INTERNAL_DH=y +#NEED_AES_ENC=true +#.endif + +.if defined(TLS_FUNCS) +NEED_TLS_PRF=y +.if defined(CONFIG_INTERNAL_TLS) +CFLAGS+=-DCONFIG_INTERNAL_LIBTOMMATH \ + -DCONFIG_TLS_INTERNAL_CLIENT +SRCS+= asn1.c \ + bignum.c \ + crypto_internal-cipher.c \ + crypto_internal-modexp.c \ + crypto_internal-rsa.c \ + pkcs1.c \ + pkcs5.c \ + pkcs8.c \ + rsa.c \ + tls_internal.c \ + tlsv1_common.c \ + tlsv1_record.c \ + tlsv1_cred.c \ + tlsv1_client.c \ + tlsv1_client_write.c \ + tlsv1_client_read.c \ + x509v3.c +NEED_DES=y +NEED_MD4=y +NEED_RC4=y +.else +CFLAGS+=-DEAP_TLS_OPENSSL +SRCS+= tls_openssl.c +.endif +.endif + +.if defined(CONFIG_INTERNAL_AES) +SRCS+= aes-internal.c \ + aes-internal-dec.c \ + aes-internal-enc.c +.endif + +.if defined(NEED_AES_CBC) +SRCS+= aes-cbc.c +.endif + +.if defined(NEED_AES_EAX) +SRCS+= aes-eax.c +NEED_AES_CTR=y +.endif + +.if defined(NEED_AES_CTR) +SRCS+= aes-ctr.c +.endif + +.if defined(NEED_AES_ENCBLOCK) +SRCS+= aes-encblock.c +.endif + +.if defined(NEED_AES_OMAC1) +SRCS+= aes-omac1.c +.endif + +.if defined(NEED_DES) +.if defined(CONFIG_INTERNAL_DES) +SRCS+= des-internal.c +.endif +.endif + +.if defined(NEED_MD4) +.if defined(CONFIG_INTERNAL_MD4) +SRCS+= md4-internal.c +.endif +.endif + +.if defined(CONFIG_INTERNAL_MD5) +SRCS+= md5-internal.c +.endif + +.if defined(NEED_FIPS186_2_PRF) +.if defined(CONFIG_INTERNAL_SHA1) +SRCS+= fips_prf_internal.c +.else +SRCS+= fips_prf_openssl.c +.endif +.endif + +.if defined(CONFIG_INTERNAL_RC4) +SRCS+= rc4.c +.endif + +.if defined(CONFIG_INTERNAL_SHA1) +SRCS+= sha1-internal.c sha1-pbkdf2.c sha1.c sha1-prf.c +.endif + +.if defined(NEED_SHA256) +CFLAGS+=-DCONFIG_SHA256 +SRCS+= sha256.c +.if defined(CONFIG_INTERNAL_SHA256) +SRCS+= sha256-internal.c sha256-prf.c +.endif +.endif + +.if defined(NEED_TLS_PRF) +SRCS+= sha1-tlsprf.c +.endif + +.if defined(CONFIG_INTERNAL_DH5) +SRCS+= dh_group5.c +.endif + +.if defined(CONFIG_INTERNAL_DH) +SRCS+= dh_groups.c +.endif diff --git a/usr.sbin/802_11/Makefile.inc b/usr.sbin/802_11/Makefile.inc index 40cfc2e..cc963cb 100644 --- a/usr.sbin/802_11/Makefile.inc +++ b/usr.sbin/802_11/Makefile.inc @@ -3,12 +3,14 @@ WPA_DISTDIR=${CONTRIBDIR}/wpa_supplicant HOSTAPD_DISTDIR=${CONTRIBDIR}/hostapd .PATH.c: ${.CURDIR}/.. \ + ${WPA_DISTDIR}/src/ap \ ${WPA_DISTDIR}/src/common \ ${WPA_DISTDIR}/src/crypto \ ${WPA_DISTDIR}/src/eap_common \ ${WPA_DISTDIR}/src/eapol_supp \ ${WPA_DISTDIR}/src/l2_packet \ - ${WPA_DISTDIR}/src/utils + ${WPA_DISTDIR}/src/utils \ + ${WPA_DISTDIR}/src/wps CFLAGS+=-I${.CURDIR} CFLAGS+=-I${WPA_DISTDIR}/src diff --git a/usr.sbin/802_11/hostapd/Makefile b/usr.sbin/802_11/hostapd/Makefile index 586185d..3fcae20 100644 --- a/usr.sbin/802_11/hostapd/Makefile +++ b/usr.sbin/802_11/hostapd/Makefile @@ -1,31 +1,52 @@ +# $FreeBSD: head/usr.sbin/wpa/hostapd/Makefile 265420 2014-05-06 04:22:01Z imp $ + +#.include .include "${.CURDIR}/../Makefile.inc" .PATH.c:${HOSTAPD_DISTDIR}/hostapd \ + ${HOSTAPD_DISTDIR}/src/drivers \ ${HOSTAPD_DISTDIR}/src/eap_server \ + ${HOSTAPD_DISTDIR}/src/eapol_auth \ ${HOSTAPD_DISTDIR}/src/radius \ PROG= hostapd -SRCS= accounting.c aes.c aes_wrap.c ap_list.c beacon.c common.c \ - config.c ctrl_iface.c drivers.c eapol_sm.c eap.c eap_common.c \ - eap_identity.c eap_methods.c eloop.c hostapd.c \ - hw_features.c ieee802_11.c ieee802_11_common.c ieee802_11_auth.c \ - ieee802_1x.c ip_addr.c md5.c mlme.c pmksa_cache.c radius.c \ - radius_client.c rc4.c sha1.c sta_info.c vlan_init.c wme.c \ - wpa.c wpa_auth_ie.c wpa_common.c wpa_debug.c wpabuf.c -SRCS+= l2_packet.c driver_dragonfly.c os_unix.c +SRCS= accounting.c aes-wrap.c ap_config.c ap_drv_ops.c ap_mlme.c authsrv.c \ + base64.c beacon.c chap.c common.c config_file.c ctrl_iface.c \ + ctrl_iface_ap.c driver_common.c l2_packet.c driver_bsd.c \ + drivers.c drv_callbacks.c eap_common.c eap_peap_common.c \ + eap_register.c eap_server.c eap_server_methods.c eap_user_db.c \ + eapol_auth_dump.c eapol_auth_sm.c eloop.c gas.c gas_serv.c hostapd.c \ + hs20.c http_client.c http_server.c httpread.c ieee802_11_auth.c \ + ieee802_11_common.c ieee802_11_shared.c ieee802_1x.c ip_addr.c \ + main.c md5.c ms_funcs.c os_unix.c peerkey_auth.c pmksa_cache_auth.c \ + preauth_auth.c radius.c radius_client.c radius_das.c sta_info.c \ + tkip_countermeasures.c upnp_xml.c utils.c uuid.c vlan_init.c \ + wpa_auth.c wpa_auth_glue.c wpa_auth_ie.c wpa_common.c wpa_debug.c \ + wpabuf.c wps.c wps_attr_build.c wps_attr_parse.c wps_attr_process.c \ + wps_common.c wps_dev_attr.c wps_enrollee.c wps_hostapd.c \ + wps_registrar.c wps_upnp.c wps_upnp_ap.c wps_upnp_event.c \ + wps_upnp_ssdp.c wps_upnp_web.c MAN= hostapd.8 hostapd.conf.5 +WARNS= 0 + #.if ${MK_EXAMPLES} != "no" #FILESDIR= ${SHAREDIR}/examples/hostapd #.PATH: ${HOSTAPD_DISTDIR} #FILES= hostapd.conf hostapd.eap_user hostapd.wpa_psk #.endif -CFLAGS+= -I${HOSTAPD_DISTDIR} - -CFLAGS+= -DCONFIG_DRIVER_BSD -CFLAGS+= -DCONFIG_DRIVER_RADIUS_ACL +CFLAGS+=-DCONFIG_DRIVER_BSD \ + -DHOSTAPD \ + -DCONFIG_DRIVER_RADIUS_ACL \ + -DCONFIG_RSN_PREAUTH \ + -DCONFIG_PEERKEY \ + -DCONFIG_WPS \ + -DCONFIG_WPS2 \ + -DCONFIG_WPS_UPNP \ + -DCONFIG_INTERWORKING \ + -DCONFIG_HS20 #.if ${MK_INET6} != "no" CFLAGS+= -DCONFIG_IPV6 #.endif @@ -39,74 +60,68 @@ CFLAGS+=${HOSTAPD_CFLAGS} LDADD+=${HOSTAPD_LDADD} #LDFLAGS+=${HOSTAPD_LDFLAGS} -.if !empty(CFLAGS:M*-DEAP_SERVER) -#SRCS+= eap.c eap_methods.c eap_identity.c - -.if !defined(NO_CRYPT) && !defined(NO_OPENSSL) - -CFLAGS+=-DEAP_TLS -DEAP_PEAP -DEAP_MSCHAPv2 -DEAP_PSK \ - -DEAP_TLS_FUNCS -DEAP_TLS_OPENSSL -SRCS+= crypto_openssl.c -SRCS+= eap_tls.c eap_peap.c eap_peap_common.c eap_mschapv2.c \ - eap_psk.c eap_psk_common.c \ - eap_tls_common.c tls_openssl.c ms_funcs.c chap.c - -CFLAGS+=-DEAP_TTLS -DEAP_MD5 -SRCS+= eap_ttls.c eap_md5.c - -.if !empty(CFLAGS:M*-DEAP_GTC) -SRCS+= eap_gtc.c +CFLAGS+=-DDPKCS12_FUNCS \ + -DEAP_SERVER \ + -DEAP_SERVER_GTC \ + -DEAP_SERVER_IDENTITY \ + -DEAP_SERVER_MD5 \ + -DEAP_SERVER_MSCHAPV2 \ + -DEAP_SERVER_PEAP \ + -DEAP_SERVER_TLS \ + -DEAP_SERVER_TTLS \ + -DEAP_TLS_FUNCS \ + -DEAP_SERVER_WSC \ + -DCONFIG_NO_DUMP_STATE +SRCS+= eap_server_gtc.c \ + eap_server_identity.c \ + eap_server_md5.c \ + eap_server_mschapv2.c \ + eap_server_peap.c \ + eap_server_tls.c \ + eap_server_tls_common.c \ + eap_server_ttls.c \ + eap_server_wsc.c \ + eap_wsc_common.c +TLS_FUNCS=y + +.if !empty(CFLAGS:M*-DCONFIG_WPS) +NEED_SIM_COMMON=y .endif -.if !empty(CFLAGS:M*-DEAP_AKA) -NEED_SIM_COMMON= true -SRCS+= eap_aka.c +.if !empty(CFLAGS:M*-DEAP_SERVER_AKA) +SRCS+= eap_server_aka.c +NEED_SIM_COMMON=y .endif -.if !empty(CFLAGS:M*-DEAP_SIM) -NEED_SIM_COMMON= true -SRCS+= eap_sim.c +.if !empty(CFLAGS:M*-DEAP_SERVER_SIM) +SRCS+= eap_server_sim.c +NEED_SIM_COMMON=y .endif .if defined(NEED_SIM_COMMON) -SRCS+= eap_sim_common.c eap_sim_db.c +SRCS+= eap_sim_common.c \ + eap_sim_db.c +NEED_AES_CBC=y +NEED_FIPS186_2_PRF=y .endif -.if !empty(CFLAGS:M*-DEAP_GPSK) +.if !empty(CFLAGS:M*-DEAP_SERVER_GPSK) CFLAGS+=-DEAP_GPSK_SHA256 -SRCS+= eap_gpsk.c eap_gpsk_common.c -NEED_SHA256= true +SRCS+= eap_server_gpsk.c \ + eap_gpsk_common.c +NEED_AES_OMAC1=y .endif -.if !empty(CFLAGS:M*-DEAP_PAX) -SRCS+= eap_pax.c eap_pax_common.c +.if !empty(CFLAGS:M*-DEAP_SERVER_PAX) +SRCS+= eap_server_pax.c \ + eap_pax_common.c .endif -.if !empty(CFLAGS:M*-DEAP_SAKE) -SRCS+= eap_sake.c eap_sake_common.c +.if !empty(CFLAGS:M*-DEAP_SERVER_SAKE) +SRCS+= eap_server_sake.c \ + eap_sake_common.c .endif -DPADD+= ${LIBSSL} ${LIBCRYPTO} -LDADD+= -lssl -lcrypto -.else -NEED_TLS_NONE= true -.endif - -.else -NEED_TLS_NONE= true -.endif - -.if defined(NEED_SHA256) -CFLAGS+=-DINTERNAL_SHA256 -SRCS+= sha256.c -.endif - -.if defined(NEED_TLS_NONE) -CFLAGS+= -DEAP_TLS_NONE -CFLAGS+= -DINTERNAL_AES -CFLAGS+= -DINTERNAL_SHA1 -CFLAGS+= -DINTERNAL_MD5 -SRCS+= tls_none.c -.endif +.include "${.CURDIR}/../Makefile.crypto" .include diff --git a/usr.sbin/802_11/hostapd/hostapd.8 b/usr.sbin/802_11/hostapd/hostapd.8 index e0441cb..ed7fb0e 100644 --- a/usr.sbin/802_11/hostapd/hostapd.8 +++ b/usr.sbin/802_11/hostapd/hostapd.8 @@ -22,9 +22,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: head/usr.sbin/wpa/hostapd/hostapd.8 195644 2009-07-12 19:58:52Z sam $ +.\" $FreeBSD: head/usr.sbin/wpa/hostapd/hostapd.8 238606 2012-07-18 23:32:12Z gjb $ .\" -.Dd October 26, 2007 +.Dd July 18, 2012 .Dt HOSTAPD 8 .Os .Sh NAME @@ -109,12 +109,13 @@ Store PID in .El .Sh SEE ALSO .Xr ath 4 , -.\".Xr ipw 4 , +.Xr ipw 4 , .Xr iwi 4 , +.Xr mwl 4 , .Xr ral 4 , -.\".Xr ural 4 , .Xr rum 4 , .Xr run 4 , +.Xr ural 4 , .Xr wi 4 , .Xr hostapd.conf 5 , .Xr hostapd_cli 8 , @@ -128,7 +129,7 @@ utility first appeared in The .Nm utility was written by -.An Jouni Malinen Aq Mt j@w1.fi . +.An Jouni Malinen Aq j@w1.fi . This manual page is derived from the .Pa README file included in the diff --git a/usr.sbin/802_11/hostapd/hostapd.conf.5 b/usr.sbin/802_11/hostapd/hostapd.conf.5 index 9a1ef12..7acb935 100644 --- a/usr.sbin/802_11/hostapd/hostapd.conf.5 +++ b/usr.sbin/802_11/hostapd/hostapd.conf.5 @@ -23,7 +23,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: head/usr.sbin/wpa/hostapd/hostapd.conf.5 195644 2009-07-12 19:58:52Z sam $ +.\" $FreeBSD: head/usr.sbin/wpa/hostapd/hostapd.conf.5 235499 2012-05-16 01:59:09Z gjb $ .\" .Dd September 2, 2006 .Dt HOSTAPD.CONF 5 @@ -67,7 +67,8 @@ The following parameters are recognized: Interface name. Should be set in .Dq hostap -mode. +mode. Make certain that there are no spaces after the interface name, +or hostapd will complain that the interface does not exist. .It Va debug Debugging mode: 0 = no, 1 = minimal, 2 = verbose, 3 = msg dumps, 4 = excessive. @@ -171,8 +172,8 @@ will be converted to PSK. This conversion uses SSID so the PSK changes when ASCII passphrase is used and the SSID is changed. .It Va wpa_psk_file -Optionally, WPA PSKs can be read from a separate text file (containing a -list of (PSK,MAC address) pairs. +Optionally, WPA PSKs can be read from a separate text file containing a +list of PSK and MAC address pairs. .It Va wpa_key_mgmt Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). .It Va wpa_pairwise @@ -207,4 +208,4 @@ and files in the .Nm hostapd distribution provided by -.An Jouni Malinen Aq Mt j@w1.fi . +.An Jouni Malinen Aq j@w1.fi . diff --git a/usr.sbin/802_11/hostapd_cli/Makefile b/usr.sbin/802_11/hostapd_cli/Makefile index a5b92cc..e5c9f73 100644 --- a/usr.sbin/802_11/hostapd_cli/Makefile +++ b/usr.sbin/802_11/hostapd_cli/Makefile @@ -5,7 +5,7 @@ .PATH.c: ${.CURDIR}/.. ${HOSTAPD_DISTDIR}/hostapd PROG= hostapd_cli -SRCS= hostapd_cli.c wpa_ctrl.c os_unix.c +SRCS= common.c edit.c eloop.c hostapd_cli.c os_unix.c wpa_ctrl.c wpa_debug.c CFLAGS+= -DCONFIG_CTRL_IFACE CFLAGS+= -DCONFIG_CTRL_IFACE_UNIX diff --git a/usr.sbin/802_11/hostapd_cli/hostapd_cli.8 b/usr.sbin/802_11/hostapd_cli/hostapd_cli.8 index bae10c7..08a39a9 100644 --- a/usr.sbin/802_11/hostapd_cli/hostapd_cli.8 +++ b/usr.sbin/802_11/hostapd_cli/hostapd_cli.8 @@ -22,9 +22,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: src/usr.sbin/wpa/hostapd_cli/hostapd_cli.8,v 1.2 2005/06/27 06:40:43 ru Exp $ +.\" $FreeBSD: head/usr.sbin/wpa/hostapd_cli/hostapd_cli.8 195644 2009-07-12 19:58:52Z sam $ .\" -.Dd August 19, 2006 +.Dd June 16, 2005 .Dt HOSTAPD_CLI 8 .Os .Sh NAME @@ -104,7 +104,7 @@ utility first appeared in The .Nm utility was written by -.An Jouni Malinen Aq Mt jkmaline@cc.hut.fi . +.An Jouni Malinen Aq j@w1.fi . This manual page is derived from the .Pa README file included in the diff --git a/usr.sbin/802_11/l2_packet.c b/usr.sbin/802_11/l2_packet.c index abdc96f..0c6cd3b 100644 --- a/usr.sbin/802_11/l2_packet.c +++ b/usr.sbin/802_11/l2_packet.c @@ -1,47 +1,35 @@ /* - * WPA Supplicant - Layer2 packet handling - * Copyright (c) 2003-2004, Jouni Malinen + * WPA Supplicant - Layer2 packet handling with DragonFlyBSD + * Copyright (c) 2003-2005, Jouni Malinen * Copyright (c) 2005, Sam Leffler * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 as - * published by the Free Software Foundation. - * - * Alternatively, this software may be distributed under the terms of BSD - * license. - * - * See README and COPYING for more details. - * - * $FreeBSD: head/usr.sbin/wpa/l2_packet.c 172682 2007-10-16 02:12:06Z mlaier $ + * This software may be distributed under the terms of the BSD license. + * See README for more details. */ -/* - * DragonFly-specific implementation. - */ -#include +#include "includes.h" +#include +#include + #include -#include +#ifdef __sun__ +#include +#else /* __sun__ */ #include +#endif /* __sun__ */ -#include #include #include #include #include -#include - -#include -#include -#include -#include -#include #include "common.h" #include "eloop.h" #include "l2_packet.h" + static const u8 pae_group_addr[ETH_ALEN] = - { 0x01, 0x80, 0xc2, 0x00, 0x00, 0x03 }; +{ 0x01, 0x80, 0xc2, 0x00, 0x00, 0x03 }; struct l2_packet_data { pcap_t *pcap; @@ -54,77 +42,35 @@ struct l2_packet_data { * buffers */ }; -int -l2_packet_get_own_addr(struct l2_packet_data *l2, u8 *addr) -{ - memcpy(addr, l2->own_addr, ETH_ALEN); - return 0; -} -int -l2_packet_get_ip_addr(struct l2_packet_data *l2, char *buf, size_t len) +int l2_packet_get_own_addr(struct l2_packet_data *l2, u8 *addr) { - pcap_if_t *devs, *dev; - struct pcap_addr *addr; - struct sockaddr_in *saddr; - int found = 0; - char err[PCAP_ERRBUF_SIZE + 1]; - - if (pcap_findalldevs(&devs, err) < 0) { - wpa_printf(MSG_DEBUG, "pcap_findalldevs: %s\n", err); - return -1; - } - - for (dev = devs; dev && !found; dev = dev->next) { - if (strcmp(dev->name, l2->ifname) != 0) - continue; - - addr = dev->addresses; - while (addr) { - saddr = (struct sockaddr_in *) addr->addr; - if (saddr && saddr->sin_family == AF_INET) { - snprintf(buf, len, "%s", - inet_ntoa(saddr->sin_addr)); - found = 1; - break; - } - addr = addr->next; - } - } - - pcap_freealldevs(devs); - - return found ? 0 : -1; + os_memcpy(addr, l2->own_addr, ETH_ALEN); + return 0; } -void -l2_packet_notify_auth_start(struct l2_packet_data *l2) -{ -} -int -l2_packet_send(struct l2_packet_data *l2, - const u8 *dst_addr, u16 proto, const u8 *buf, size_t len) +int l2_packet_send(struct l2_packet_data *l2, const u8 *dst_addr, u16 proto, + const u8 *buf, size_t len) { if (!l2->l2_hdr) { int ret; - struct l2_ethhdr *eth = malloc(sizeof(*eth) + len); + struct l2_ethhdr *eth = os_malloc(sizeof(*eth) + len); if (eth == NULL) return -1; - memcpy(eth->h_dest, dst_addr, ETH_ALEN); - memcpy(eth->h_source, l2->own_addr, ETH_ALEN); + os_memcpy(eth->h_dest, dst_addr, ETH_ALEN); + os_memcpy(eth->h_source, l2->own_addr, ETH_ALEN); eth->h_proto = htons(proto); - memcpy(eth + 1, buf, len); + os_memcpy(eth + 1, buf, len); ret = pcap_inject(l2->pcap, (u8 *) eth, len + sizeof(*eth)); - free(eth); + os_free(eth); return ret; } else return pcap_inject(l2->pcap, buf, len); } -static void -l2_packet_receive(int sock, void *eloop_ctx, void *sock_ctx) +static void l2_packet_receive(int sock, void *eloop_ctx, void *sock_ctx) { struct l2_packet_data *l2 = eloop_ctx; pcap_t *pcap = sock_ctx; @@ -150,8 +96,9 @@ l2_packet_receive(int sock, void *eloop_ctx, void *sock_ctx) l2->rx_callback(l2->rx_callback_ctx, ethhdr->h_source, buf, len); } -static int -l2_packet_init_libpcap(struct l2_packet_data *l2, unsigned short protocol) + +static int l2_packet_init_libpcap(struct l2_packet_data *l2, + unsigned short protocol) { bpf_u_int32 pcap_maskp, pcap_netp; char pcap_filter[200], pcap_err[PCAP_ERRBUF_SIZE]; @@ -170,13 +117,13 @@ l2_packet_init_libpcap(struct l2_packet_data *l2, unsigned short protocol) pcap_geterr(l2->pcap)); return -1; } - snprintf(pcap_filter, sizeof(pcap_filter), - "not ether src " MACSTR " and " - "( ether dst " MACSTR " or ether dst " MACSTR " ) and " - "ether proto 0x%x", - MAC2STR(l2->own_addr), /* do not receive own packets */ - MAC2STR(l2->own_addr), MAC2STR(pae_group_addr), - protocol); + os_snprintf(pcap_filter, sizeof(pcap_filter), + "not ether src " MACSTR " and " + "( ether dst " MACSTR " or ether dst " MACSTR " ) and " + "ether proto 0x%x", + MAC2STR(l2->own_addr), /* do not receive own packets */ + MAC2STR(l2->own_addr), MAC2STR(pae_group_addr), + protocol); if (pcap_compile(l2->pcap, &pcap_fp, pcap_filter, 1, pcap_netp) < 0) { fprintf(stderr, "pcap_compile: %s\n", pcap_geterr(l2->pcap)); return -1; @@ -188,19 +135,22 @@ l2_packet_init_libpcap(struct l2_packet_data *l2, unsigned short protocol) } pcap_freecode(&pcap_fp); +#ifndef __sun__ /* * When libpcap uses BPF we must enable "immediate mode" to * receive frames right away; otherwise the system may * buffer them for us. */ - { unsigned int on = 1; - if (ioctl(pcap_fileno(l2->pcap), BIOCIMMEDIATE, &on) < 0) { - fprintf(stderr, "%s: cannot enable immediate mode on " - "interface %s: %s\n", - __func__, l2->ifname, strerror(errno)); - /* XXX should we fail? */ - } + { + unsigned int on = 1; + if (ioctl(pcap_fileno(l2->pcap), BIOCIMMEDIATE, &on) < 0) { + fprintf(stderr, "%s: cannot enable immediate mode on " + "interface %s: %s\n", + __func__, l2->ifname, strerror(errno)); + /* XXX should we fail? */ + } } +#endif /* __sun__ */ eloop_register_read_sock(pcap_get_selectable_fd(l2->pcap), l2_packet_receive, l2, l2->pcap); @@ -208,19 +158,33 @@ l2_packet_init_libpcap(struct l2_packet_data *l2, unsigned short protocol) return 0; } -static void -l2_packet_deinit_libpcap(struct l2_packet_data *l2) + +static int eth_get(const char *device, u8 ea[ETH_ALEN]) { - if (l2->pcap != NULL) { - eloop_unregister_read_sock(pcap_get_selectable_fd(l2->pcap)); - pcap_close(l2->pcap); - l2->pcap = NULL; +#ifdef __sun__ + dlpi_handle_t dh; + u32 physaddrlen = DLPI_PHYSADDR_MAX; + u8 physaddr[DLPI_PHYSADDR_MAX]; + int retval; + + retval = dlpi_open(device, &dh, 0); + if (retval != DLPI_SUCCESS) { + wpa_printf(MSG_ERROR, "dlpi_open error: %s", + dlpi_strerror(retval)); + return -1; } -} -static int -eth_get(const char *device, u8 ea[ETH_ALEN]) -{ + retval = dlpi_get_physaddr(dh, DL_CURR_PHYS_ADDR, physaddr, + &physaddrlen); + if (retval != DLPI_SUCCESS) { + wpa_printf(MSG_ERROR, "dlpi_get_physaddr error: %s", + dlpi_strerror(retval)); + dlpi_close(dh); + return -1; + } + os_memcpy(ea, physaddr, ETH_ALEN); + dlpi_close(dh); +#else /* __sun__ */ struct if_msghdr *ifm; struct sockaddr_dl *sdl; u_char *p, *buf; @@ -229,10 +193,10 @@ eth_get(const char *device, u8 ea[ETH_ALEN]) if (sysctl(mib, 6, NULL, &len, NULL, 0) < 0) return -1; - if ((buf = malloc(len)) == NULL) + if ((buf = os_malloc(len)) == NULL) return -1; if (sysctl(mib, 6, buf, &len, NULL, 0) < 0) { - free(buf); + os_free(buf); return -1; } for (p = buf; p < buf + len; p += ifm->ifm_msglen) { @@ -242,33 +206,34 @@ eth_get(const char *device, u8 ea[ETH_ALEN]) (ifm->ifm_addrs & RTA_IFP) == 0) continue; if (sdl->sdl_family != AF_LINK || sdl->sdl_nlen == 0 || - memcmp(sdl->sdl_data, device, sdl->sdl_nlen) != 0) + os_memcmp(sdl->sdl_data, device, sdl->sdl_nlen) != 0) continue; - memcpy(ea, LLADDR(sdl), sdl->sdl_alen); + os_memcpy(ea, LLADDR(sdl), sdl->sdl_alen); break; } - free(buf); + os_free(buf); if (p >= buf + len) { errno = ESRCH; return -1; } +#endif /* __sun__ */ return 0; } -struct l2_packet_data * -l2_packet_init(const char *ifname, const u8 *own_addr, unsigned short protocol, + +struct l2_packet_data * l2_packet_init( + const char *ifname, const u8 *own_addr, unsigned short protocol, void (*rx_callback)(void *ctx, const u8 *src_addr, const u8 *buf, size_t len), void *rx_callback_ctx, int l2_hdr) { struct l2_packet_data *l2; - l2 = malloc(sizeof(struct l2_packet_data)); + l2 = os_zalloc(sizeof(struct l2_packet_data)); if (l2 == NULL) return NULL; - memset(l2, 0, sizeof(*l2)); - strncpy(l2->ifname, ifname, sizeof(l2->ifname)); + os_strlcpy(l2->ifname, ifname, sizeof(l2->ifname)); l2->rx_callback = rx_callback; l2->rx_callback_ctx = rx_callback_ctx; l2->l2_hdr = l2_hdr; @@ -276,22 +241,68 @@ l2_packet_init(const char *ifname, const u8 *own_addr, unsigned short protocol, if (eth_get(l2->ifname, l2->own_addr) < 0) { fprintf(stderr, "Failed to get link-level address for " "interface '%s'.\n", l2->ifname); - free(l2); + os_free(l2); return NULL; } - if (l2_packet_init_libpcap(l2, protocol) != 0) { - free(l2); + if (l2_packet_init_libpcap(l2, protocol)) { + os_free(l2); return NULL; } + return l2; } -void -l2_packet_deinit(struct l2_packet_data *l2) + +void l2_packet_deinit(struct l2_packet_data *l2) { if (l2 != NULL) { - l2_packet_deinit_libpcap(l2); - free(l2); + if (l2->pcap) { + eloop_unregister_read_sock( + pcap_get_selectable_fd(l2->pcap)); + pcap_close(l2->pcap); + } + os_free(l2); } } + + +int l2_packet_get_ip_addr(struct l2_packet_data *l2, char *buf, size_t len) +{ + pcap_if_t *devs, *dev; + struct pcap_addr *addr; + struct sockaddr_in *saddr; + int found = 0; + char err[PCAP_ERRBUF_SIZE + 1]; + + if (pcap_findalldevs(&devs, err) < 0) { + wpa_printf(MSG_DEBUG, "pcap_findalldevs: %s\n", err); + return -1; + } + + for (dev = devs; dev && !found; dev = dev->next) { + if (os_strcmp(dev->name, l2->ifname) != 0) + continue; + + addr = dev->addresses; + while (addr) { + saddr = (struct sockaddr_in *) addr->addr; + if (saddr && saddr->sin_family == AF_INET) { + os_strlcpy(buf, inet_ntoa(saddr->sin_addr), + len); + found = 1; + break; + } + addr = addr->next; + } + } + + pcap_freealldevs(devs); + + return found ? 0 : -1; +} + + +void l2_packet_notify_auth_start(struct l2_packet_data *l2) +{ +} diff --git a/usr.sbin/802_11/ndis_events/Makefile b/usr.sbin/802_11/ndis_events/Makefile index 6866a2b..e75ef37 100644 --- a/usr.sbin/802_11/ndis_events/Makefile +++ b/usr.sbin/802_11/ndis_events/Makefile @@ -1,6 +1,7 @@ # $FreeBSD: src/usr.sbin/wpa/ndis_events/Makefile,v 1.1 2005/10/10 17:51:12 wpaul Exp $ PROG= ndis_events +SRCS+= ndis_events.c MAN= ndis_events.8 WARNS?= 6 diff --git a/usr.sbin/802_11/ndis_events/ndis_events.8 b/usr.sbin/802_11/ndis_events/ndis_events.8 index fb6708b..b783ab6 100644 --- a/usr.sbin/802_11/ndis_events/ndis_events.8 +++ b/usr.sbin/802_11/ndis_events/ndis_events.8 @@ -28,7 +28,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF .\" THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $FreeBSD: src/usr.sbin/wpa/ndis_events/ndis_events.8,v 1.7 2007/09/07 22:19:29 brueffer Exp $ +.\" $FreeBSD: head/usr.sbin/wpa/ndis_events/ndis_events.8 258438 2013-11-21 19:31:57Z pluknet $ .\" .Dd August 30, 2007 .Dt NDIS_EVENTS 8 @@ -77,11 +77,11 @@ The standard distribution includes its own version of this utility for use with .Tn Windows\[rg] . The -.Dx +.Fx version performs the same functions as the .Tn Windows\[rg] one, except that it uses an -.Fn ioctl +.Xr ioctl 2 and routing socket interface instead of WMI. .Pp Note that a single instance of @@ -132,4 +132,4 @@ utility first appeared in The .Nm utility was written by -.An Bill Paul Aq Mt wpaul@windriver.com . +.An Bill Paul Aq wpaul@windriver.com . diff --git a/usr.sbin/802_11/wpa_cli/Makefile b/usr.sbin/802_11/wpa_cli/Makefile index 182a518..a3f91bc 100644 --- a/usr.sbin/802_11/wpa_cli/Makefile +++ b/usr.sbin/802_11/wpa_cli/Makefile @@ -5,17 +5,18 @@ .PATH.c: ${.CURDIR}/.. \ ${WPA_DISTDIR}/wpa_supplicant PROG= wpa_cli -SRCS= wpa_cli.c wpa_ctrl.c os_unix.c +SRCS= common.c edit.c eloop.c os_unix.c wpa_cli.c wpa_ctrl.c wpa_debug.c MAN= wpa_cli.8 WARNS= 0 -CFLAGS+= -I${WPA_DISTDIR} CFLAGS+= -DCONFIG_CTRL_IFACE CFLAGS+= -DCONFIG_CTRL_IFACE_UNIX -CFLAGS+= -DCONFIG_READLINE +# enable use of d_type to identify unix domain sockets +CFLAGS+= -D_DIRENT_HAVE_D_TYPE +CFLAGS+= -DCONFIG_READLINE LDADD+= -ledit -ltermcap DPADD+= ${LIBEDIT} ${LIBTERMCAP} diff --git a/usr.sbin/802_11/wpa_cli/wpa_cli.8 b/usr.sbin/802_11/wpa_cli/wpa_cli.8 index 67cb51e..fb8cd35 100644 --- a/usr.sbin/802_11/wpa_cli/wpa_cli.8 +++ b/usr.sbin/802_11/wpa_cli/wpa_cli.8 @@ -22,9 +22,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: src/usr.sbin/wpa/wpa_cli/wpa_cli.8,v 1.2.2.1 2005/07/16 19:02:21 brueffer Exp $ +.\" $FreeBSD: head/usr.sbin/wpa/wpa_cli/wpa_cli.8 210763 2010-08-02 13:11:27Z uqs $ .\" -.Dd July 7, 2006 +.Dd June 16, 2005 .Dt WPA_CLI 8 .Os .Sh NAME @@ -113,7 +113,7 @@ The .Nm utility shows these requests with a -.Dq Li CTRL-REQ- Ns Ao Ar type Ac Ns Li - Ns Ao Ar id Ac Ns Li : Ns Aq Ar text +.Dq Li CTRL-REQ- Ns Ao Ar type Ac Ns Li - Ns Ao Ar id Ac Ns : Ns Aq Ar text prefix, where .Aq Ar type is @@ -214,7 +214,7 @@ utility first appeared in The .Nm utility was written by -.An Jouni Malinen Aq Mt jkmaline@cc.hut.fi . +.An Jouni Malinen Aq j@w1.fi . This manual page is derived from the .Pa README file included in the diff --git a/usr.sbin/802_11/wpa_passphrase/Makefile b/usr.sbin/802_11/wpa_passphrase/Makefile index 5a64091..0bb0b45 100644 --- a/usr.sbin/802_11/wpa_passphrase/Makefile +++ b/usr.sbin/802_11/wpa_passphrase/Makefile @@ -1,9 +1,12 @@ +# $FreeBSD: head/usr.sbin/wpa/wpa_passphrase/Makefile 252726 2013-07-04 21:12:58Z rpaulo $ + .include "${.CURDIR}/../Makefile.inc" .PATH.c:${WPA_DISTDIR}/wpa_supplicant PROG= wpa_passphrase -SRCS= wpa_passphrase.c sha1.c md5.c +SRCS= common.c md5-internal.c md5.c os_unix.c sha1-internal.c sha1-pbkdf2.c sha1.c \ + wpa_passphrase.c CFLAGS+= -DINTERNAL_SHA1 CFLAGS+= -DINTERNAL_MD5 diff --git a/usr.sbin/802_11/wpa_passphrase/wpa_passphrase.8 b/usr.sbin/802_11/wpa_passphrase/wpa_passphrase.8 index 04d4abf..c0ea6d4 100644 --- a/usr.sbin/802_11/wpa_passphrase/wpa_passphrase.8 +++ b/usr.sbin/802_11/wpa_passphrase/wpa_passphrase.8 @@ -55,11 +55,12 @@ The utility first appeared in .Fx 6.3 . .Sh AUTHORS -.An -nosplit The .Nm utility was written by -.An Jouni Malinen Aq Mt j@w1.fi . +.An Jouni Malinen +.Aq j@w1.fi . .Pp This manual page was written by -.An Henrik Brix Andersen Aq Mt henrik@brixandersen.dk . +.An Henrik Brix Andersen +.Aq henrik@brixandersen.dk . diff --git a/usr.sbin/802_11/wpa_supplicant/Makefile b/usr.sbin/802_11/wpa_supplicant/Makefile index 9aaae71..cc64fba 100644 --- a/usr.sbin/802_11/wpa_supplicant/Makefile +++ b/usr.sbin/802_11/wpa_supplicant/Makefile @@ -1,4 +1,4 @@ -# $FreeBSD: head/usr.sbin/wpa/wpa_supplicant/Makefile 189263 2009-03-02 02:28:22Z sam $ +# $FreeBSD: head/usr.sbin/wpa/wpa_supplicant/Makefile 265420 2014-05-06 04:22:01Z imp $ .include "${.CURDIR}/../Makefile.inc" @@ -8,82 +8,117 @@ ${WPA_DISTDIR}/src/rsn_supp PROG= wpa_supplicant -SRCS= aes.c aes_wrap.c blacklist.c common.c config.c ctrl_iface.c \ - ctrl_iface_unix.c drivers.c eloop.c events.c l2_packet.c main.c \ - md5.c preauth.c pmksa_cache.c rc4.c scan.c scan_helpers.c sha1.c \ - wpa.c wpa_common.c wpa_debug.c wpa_ie.c wpa_supplicant.c \ - wpabuf.c wpas_glue.c \ - driver_ndis.c Packet32.c \ - driver_wired.c \ - driver_dragonfly.c os_unix.c +SRCS= aes-unwrap.c base64.c blacklist.c bss.c common.c config.c \ + config_file.c ctrl_iface.c ctrl_iface_unix.c driver_bsd.c \ + driver_common.c driver_ndis.c driver_wired.c drivers.c \ + eap_register.c eloop.c events.c gas.c gas_query.c hs20.c \ + hs20_supplicant.c http_client.c http_server.c httpread.c \ + ieee802_11_common.c interworking.c l2_packet.c main.c \ + md5.c notify.c offchannel.c os_unix.c peerkey.c pmksa_cache.c \ + preauth.c scan.c upnp_xml.c uuid.c wpa.c wpa_common.c wpa_debug.c \ + wpa_ft.c wpa_ie.c wpa_supplicant.c wpabuf.c wpas_glue.c wps.c \ + wps_attr_build.c wps_attr_parse.c wps_attr_process.c \ + wps_common.c wps_dev_attr.c wps_enrollee.c wps_registrar.c \ + wps_supplicant.c wps_upnp.c wps_upnp_ap.c wps_upnp_event.c \ + wps_upnp_ssdp.c wps_upnp_web.c Packet32.c MAN= wpa_supplicant.8 wpa_supplicant.conf.5 +WARNS= 0 + #.if ${MK_EXAMPLES} != "no" #FILESDIR= ${SHAREDIR}/examples/etc #.PATH: ${WPA_SUPPLICANT_DISTDIR} #FILES= wpa_supplicant.conf #.endif -CFLAGS+=-I${WPA_DISTDIR}/src/drivers -CFLAGS+=-I${WPA_DISTDIR}/src/rsn_supp - -CFLAGS+= -DCONFIG_DRIVER_BSD -CFLAGS+= -DCONFIG_DRIVER_NDIS -CFLAGS+= -DCONFIG_DRIVER_WIRED -CFLAGS+= -DCONFIG_TERMINATE_ONLASTIF -CFLAGS+= -DCONFIG_DEBUG_SYSLOG -CFLAGS+= -g +CFLAGS+=-DCONFIG_BACKEND_FILE \ + -DCONFIG_DEBUG_SYSLOG \ + -DCONFIG_DRIVER_BSD \ + -DCONFIG_DRIVER_NDIS \ + -DCONFIG_DRIVER_WIRED \ + -DCONFIG_PEERKEY \ + -DCONFIG_SMARTCARD \ + -DCONFIG_TERMINATE_ONLASTIF \ + -DCONFIG_WPS \ + -DCONFIG_WPS2 \ + -DCONFIG_WPS_UPNP \ + -DCONFIG_TLS=openssl \ + -DCONFIG_IEEE80211R \ + -DCONFIG_INTERWORKING \ + -DCONFIG_PRIVSEP \ + -DCONFIG_HS20 \ + -DCONFIG_GAS \ + -DPKCS12_FUNCS +#CFLAGS+= -g DPADD+= ${LIBPCAP} LDADD+= -lpcap -# NB: we only support wpa_supplicant.conf file -SRCS+= config_file.c base64.c -CFLAGS+=-DCONFIG_BACKEND_FILE - # User customizations to the wpa_supplicant build environment CFLAGS+=${WPA_SUPPLICANT_CFLAGS} #DPADD+=${WPA_SUPPLICANT_DPADD} LDADD+=${WPA_SUPPLICANT_LDADD} #LDFLAGS+=${WPA_SUPPLICANT_LDFLAGS} -SRCS+= eapol_supp_sm.c eap.c eap_common.c eap_methods.c -CFLAGS+= -DIEEE8021X_EAPOL - -.if !defined(NO_CRYPT) && !defined(NO_OPENSSL) -CFLAGS+=-DEAP_TLS -DEAP_PEAP -DEAP_MSCHAPv2 -DEAP_LEAP -DEAP_PSK \ - -DEAP_TLV -DEAP_TLS_FUNCS -DEAP_TLS_OPENSSL -SRCS+= chap.c crypto_openssl.c \ +#.if ${MK_WPA_SUPPLICANT_EAPOL} != "no" +CFLAGS+=-DEAP_GTC \ + -DEAP_LEAP \ + -DEAP_MD5 \ + -DEAP_MSCHAPv2 \ + -DEAP_OTP \ + -DEAP_PEAP \ + -DEAP_PSK \ + -DEAP_TLS \ + -DEAP_TTLS \ + -DEAP_GTC \ + -DEAP_OTP \ + -DEAP_LEAP \ + -DIEEE8021X_EAPOL +SRCS+= chap.c \ + eap.c \ + eap_common.c \ + eap_gtc.c \ eap_leap.c \ + eap_md5.c \ + eap_methods.c \ eap_mschapv2.c \ - eap_peap.c eap_peap_common.c \ - eap_psk.c eap_psk_common.c \ - eap_tls.c eap_tls_common.c \ - mschapv2.c ms_funcs.c tls_openssl.c - -CFLAGS+=-DEAP_TTLS -DEAP_MD5 -SRCS+= eap_ttls.c eap_md5.c - -.if !empty(CFLAGS:M*-DEAP_GTC) -SRCS+= eap_gtc.c -.endif + eap_otp.c \ + eap_peap.c \ + eap_peap_common.c \ + eap_psk.c \ + eap_psk_common.c \ + eap_tls.c \ + eap_tls_common.c \ + eap_ttls.c \ + eapol_supp_sm.c \ + ms_funcs.c \ + mschapv2.c +TLS_FUNCS=y +NEED_AES_EAX=y +NEED_AES_ENCBLOCK=y +NEED_AES_OMAC1=y +#.endif -.if !empty(CFLAGS:M*-DEAP_OTP) -SRCS+= eap_otp.c +.if !empty(CFLAGS:M-DCONFIG_WPS) +NEED_AES_CBC=y .endif .if !empty(CFLAGS:M*-DEAP_AKA) -NEED_SIM_COMMON= true SRCS+= eap_aka.c +NEED_SIM_COMMON=y +NEED_AES_CBC=y .endif .if !empty(CFLAGS:M*-DEAP_SIM) -NEED_SIM_COMMON= true SRCS+= eap_sim.c +NEED_SIM_COMMON=y +NEED_AES_CBC=y .endif .if defined(NEED_SIM_COMMON) SRCS+= eap_sim_common.c +NEED_FIPS186_2_PRF=y +.endif # PC/SC interface for smartcards (USIM, GSM SIM) # GSM/UMTS authentication algorithm (for EAP-SIM/EAP-AKA) @@ -94,53 +129,27 @@ SRCS+= eap_sim_common.c # .if !empty(CFLAGS:M*-DPCSC_FUNCS) SRCS+= pcsc_funcs.c -DPADD+=${LIBPCSCLITE} ${LIBPTHREAD} +DPADD+=${LIBPTHREAD} LDADD+=-lpcsclite -lpthread .endif -.endif .if !empty(CFLAGS:M*-DEAP_GPSK) CFLAGS+=-DEAP_GPSK_SHA256 -SRCS+= eap_gpsk.c eap_gpsk_common.c -NEED_SHA256= true +SRCS+= eap_gpsk.c \ + eap_gpsk_common.c +NEED_AES_OMAC1=y .endif .if !empty(CFLAGS:M*-DEAP_PAX) -SRCS+= eap_pax.c eap_pax_common.c +SRCS+= eap_pax.c \ + eap_pax_common.c .endif .if !empty(CFLAGS:M*-DEAP_SAKE) -SRCS+= eap_sake.c eap_sake_common.c +SRCS+= eap_sake.c \ + eap_sake_common.c .endif -# NB: requires patch to openssl -#CFLAGS+= -DEAP_FAST -#SRCS+= eap_fast.c - -NEED_LIBSSL= true -.else -CFLAGS+= -DEAP_TLS_NONE -SRCS+= tls_none.c -.endif - -# -# Configure crypto/cipher support. -# -# EAPOL support requires openssl in which case we use their -# cipher code. Otherwise we use our internal versions. -# -.if !defined(NEED_LIBSSL) -CFLAGS+= -DINTERNAL_AES -CFLAGS+= -DINTERNAL_SHA1 -CFLAGS+= -DINTERNAL_MD5 -.else -DPADD+= ${LIBSSL} ${LIBCRYPTO} -LDADD+= -lssl -lcrypto -.endif - -.if defined(NEED_SHA256) -CFLAGS+=-DINTERNAL_SHA256 -SRCS+= sha256.c -.endif +.include "${.CURDIR}/../Makefile.crypto" .include diff --git a/usr.sbin/802_11/wpa_supplicant/driver_dragonfly.c b/usr.sbin/802_11/wpa_supplicant/driver_dragonfly.c deleted file mode 100644 index c027f5a..0000000 --- a/usr.sbin/802_11/wpa_supplicant/driver_dragonfly.c +++ /dev/null @@ -1,909 +0,0 @@ -/* - * WPA Supplicant - driver interaction with BSD net80211 layer - * Copyright (c) 2004, Sam Leffler - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 as - * published by the Free Software Foundation. - * - * Alternatively, this software may be distributed under the terms of BSD - * license. - * - * See README and COPYING for more details. - * - * $FreeBSD: head/usr.sbin/wpa/wpa_supplicant/driver_freebsd.c 189263 2009-03-02 02:28:22Z sam $ - */ - -#include -#include -#include -#include -#include -#include - -#include "common.h" -#include "drivers/driver.h" -#include "eloop.h" -#include "l2_packet.h" -#include "ieee802_11_defs.h" - -#include -#include -#include - -#include - -struct wpa_driver_bsd_data { - int sock; /* open socket for 802.11 ioctls */ - int route; /* routing socket for events */ - char ifname[IFNAMSIZ+1]; /* interface name */ - unsigned int ifindex; /* interface index */ - void *ctx; - int prev_roaming; /* roaming state to restore on deinit */ - int prev_privacy; /* privacy state to restore on deinit */ - int prev_wpa; /* wpa state to restore on deinit */ - int prev_scanvalid; /* scan valid to restore on deinit */ - uint8_t lastssid[IEEE80211_NWID_LEN]; - int lastssid_len; - uint32_t drivercaps; /* general driver capabilities */ - uint32_t cryptocaps; /* hardware crypto support */ -}; - -static int -set80211var(struct wpa_driver_bsd_data *drv, int op, const void *arg, int arg_len) -{ - struct ieee80211req ireq; - - memset(&ireq, 0, sizeof(ireq)); - strncpy(ireq.i_name, drv->ifname, IFNAMSIZ); - ireq.i_type = op; - ireq.i_len = arg_len; - ireq.i_data = (void *) arg; - - if (ioctl(drv->sock, SIOCS80211, &ireq) < 0) { - fprintf(stderr, "ioctl[SIOCS80211, op %u, len %u]: %s\n", - op, arg_len, strerror(errno)); - return -1; - } - return 0; -} - -static int -get80211var(struct wpa_driver_bsd_data *drv, int op, void *arg, int arg_len) -{ - struct ieee80211req ireq; - - memset(&ireq, 0, sizeof(ireq)); - strncpy(ireq.i_name, drv->ifname, IFNAMSIZ); - ireq.i_type = op; - ireq.i_len = arg_len; - ireq.i_data = arg; - - if (ioctl(drv->sock, SIOCG80211, &ireq) < 0) { - fprintf(stderr, "ioctl[SIOCG80211, op %u, len %u]: %s\n", - op, arg_len, strerror(errno)); - return -1; - } - return ireq.i_len; -} - -static int -set80211param(struct wpa_driver_bsd_data *drv, int op, int arg) -{ - struct ieee80211req ireq; - - memset(&ireq, 0, sizeof(ireq)); - strncpy(ireq.i_name, drv->ifname, IFNAMSIZ); - ireq.i_type = op; - ireq.i_val = arg; - - if (ioctl(drv->sock, SIOCS80211, &ireq) < 0) { - fprintf(stderr, "ioctl[SIOCS80211, op %u, arg 0x%x]: %s\n", - op, arg, strerror(errno)); - return -1; - } - return 0; -} - -static int -get80211param(struct wpa_driver_bsd_data *drv, int op) -{ - struct ieee80211req ireq; - - memset(&ireq, 0, sizeof(ireq)); - strncpy(ireq.i_name, drv->ifname, IFNAMSIZ); - ireq.i_type = op; - - if (ioctl(drv->sock, SIOCG80211, &ireq) < 0) { - fprintf(stderr, "ioctl[SIOCG80211, op %u]: %s\n", - op, strerror(errno)); - return -1; - } - return ireq.i_val; -} - -static int -getifflags(struct wpa_driver_bsd_data *drv, int *flags) -{ - struct ifreq ifr; - - memset(&ifr, 0, sizeof(ifr)); - strncpy(ifr.ifr_name, drv->ifname, sizeof (ifr.ifr_name)); - if (ioctl(drv->sock, SIOCGIFFLAGS, (caddr_t)&ifr) < 0) { - perror("SIOCGIFFLAGS"); - return errno; - } - *flags = (ifr.ifr_flags & 0xffff) | (ifr.ifr_flagshigh << 16); - return 0; -} - -static int -setifflags(struct wpa_driver_bsd_data *drv, int flags) -{ - struct ifreq ifr; - - memset(&ifr, 0, sizeof(ifr)); - strncpy(ifr.ifr_name, drv->ifname, sizeof (ifr.ifr_name)); - ifr.ifr_flags = flags & 0xffff; - ifr.ifr_flagshigh = flags >> 16; - if (ioctl(drv->sock, SIOCSIFFLAGS, (caddr_t)&ifr) < 0) { - perror("SIOCSIFFLAGS"); - return errno; - } - return 0; -} - -static int -wpa_driver_bsd_get_bssid(void *priv, u8 *bssid) -{ - struct wpa_driver_bsd_data *drv = priv; - - return get80211var(drv, IEEE80211_IOC_BSSID, - bssid, IEEE80211_ADDR_LEN) < 0 ? -1 : 0; -} - -#if 0 -static int -wpa_driver_bsd_set_bssid(void *priv, const char *bssid) -{ - struct wpa_driver_bsd_data *drv = priv; - - return set80211var(drv, IEEE80211_IOC_BSSID, - bssid, IEEE80211_ADDR_LEN); -} -#endif - -static int -wpa_driver_bsd_get_ssid(void *priv, u8 *ssid) -{ - struct wpa_driver_bsd_data *drv = priv; - - return get80211var(drv, IEEE80211_IOC_SSID, - ssid, IEEE80211_NWID_LEN); -} - -static int -wpa_driver_bsd_set_ssid(void *priv, const char *ssid, - size_t ssid_len) -{ - struct wpa_driver_bsd_data *drv = priv; - - return set80211var(drv, IEEE80211_IOC_SSID, ssid, ssid_len); -} - -static int -wpa_driver_bsd_set_wpa_ie(struct wpa_driver_bsd_data *drv, - const char *wpa_ie, size_t wpa_ie_len) -{ - struct ieee80211req ireq; - - memset(&ireq, 0, sizeof(ireq)); - strncpy(ireq.i_name, drv->ifname, IFNAMSIZ); - ireq.i_type = IEEE80211_IOC_APPIE; - ireq.i_val = IEEE80211_APPIE_WPA; - ireq.i_len = wpa_ie_len; - ireq.i_data = (void *) wpa_ie; - if (ioctl(drv->sock, SIOCS80211, &ireq) < 0) { - fprintf(stderr, - "ioctl[IEEE80211_IOC_APPIE:IEEE80211_APPIE_WPA]: %s\n", - strerror(errno)); - return -1; - } - return 0; -} - -static int -wpa_driver_bsd_set_wpa_internal(void *priv, int wpa, int privacy) -{ - struct wpa_driver_bsd_data *drv = priv; - int ret = 0; - - wpa_printf(MSG_DEBUG, "%s: wpa=%d privacy=%d", - __func__, wpa, privacy); - - if (!wpa && wpa_driver_bsd_set_wpa_ie(drv, NULL, 0) < 0) - ret = -1; - if (set80211param(drv, IEEE80211_IOC_PRIVACY, privacy) < 0) - ret = -1; - if (set80211param(drv, IEEE80211_IOC_WPA, wpa) < 0) - ret = -1; - - return ret; -} - -static int -wpa_driver_bsd_set_wpa(void *priv, int enabled) -{ - wpa_printf(MSG_DEBUG, "%s: enabled=%d", __func__, enabled); - - return wpa_driver_bsd_set_wpa_internal(priv, enabled ? 3 : 0, enabled); -} - -static int -wpa_driver_bsd_del_key(struct wpa_driver_bsd_data *drv, int key_idx, - const unsigned char *addr) -{ - struct ieee80211req_del_key wk; - - memset(&wk, 0, sizeof(wk)); - if (addr != NULL && - bcmp(addr, "\xff\xff\xff\xff\xff\xff", IEEE80211_ADDR_LEN) != 0) { - struct ether_addr ea; - - memcpy(&ea, addr, IEEE80211_ADDR_LEN); - wpa_printf(MSG_DEBUG, "%s: addr=%s keyidx=%d", - __func__, ether_ntoa(&ea), key_idx); - memcpy(wk.idk_macaddr, addr, IEEE80211_ADDR_LEN); - wk.idk_keyix = (uint8_t) IEEE80211_KEYIX_NONE; - } else { - wpa_printf(MSG_DEBUG, "%s: keyidx=%d", __func__, key_idx); - wk.idk_keyix = key_idx; - } - return set80211var(drv, IEEE80211_IOC_DELKEY, &wk, sizeof(wk)); -} - -static int -wpa_driver_bsd_set_key(void *priv, wpa_alg alg, - const unsigned char *addr, int key_idx, int set_tx, - const u8 *seq, size_t seq_len, - const u8 *key, size_t key_len) -{ - struct wpa_driver_bsd_data *drv = priv; - struct ieee80211req_key wk; - struct ether_addr ea; - char *alg_name; - u_int8_t cipher; - - if (alg == WPA_ALG_NONE) - return wpa_driver_bsd_del_key(drv, key_idx, addr); - - switch (alg) { - case WPA_ALG_WEP: - alg_name = "WEP"; - cipher = IEEE80211_CIPHER_WEP; - break; - case WPA_ALG_TKIP: - alg_name = "TKIP"; - cipher = IEEE80211_CIPHER_TKIP; - break; - case WPA_ALG_CCMP: - alg_name = "CCMP"; - cipher = IEEE80211_CIPHER_AES_CCM; - break; - default: - wpa_printf(MSG_DEBUG, "%s: unknown/unsupported algorithm %d", - __func__, alg); - return -1; - } - - memcpy(&ea, addr, IEEE80211_ADDR_LEN); - wpa_printf(MSG_DEBUG, - "%s: alg=%s addr=%s key_idx=%d set_tx=%d seq_len=%zu key_len=%zu", - __func__, alg_name, ether_ntoa(&ea), key_idx, set_tx, - seq_len, key_len); - - if (seq_len > sizeof(u_int64_t)) { - wpa_printf(MSG_DEBUG, "%s: seq_len %zu too big", - __func__, seq_len); - return -2; - } - if (key_len > sizeof(wk.ik_keydata)) { - wpa_printf(MSG_DEBUG, "%s: key length %zu too big", - __func__, key_len); - return -3; - } - - memset(&wk, 0, sizeof(wk)); - wk.ik_type = cipher; - wk.ik_flags = IEEE80211_KEY_RECV; - if (set_tx) - wk.ik_flags |= IEEE80211_KEY_XMIT; - memcpy(wk.ik_macaddr, addr, IEEE80211_ADDR_LEN); - /* - * Deduce whether group/global or unicast key by checking - * the address (yech). Note also that we can only mark global - * keys default; doing this for a unicast key is an error. - */ - if (bcmp(addr, "\xff\xff\xff\xff\xff\xff", IEEE80211_ADDR_LEN) == 0) { - wk.ik_flags |= IEEE80211_KEY_GROUP; - wk.ik_keyix = key_idx; - } else { - wk.ik_keyix = (key_idx == 0 ? IEEE80211_KEYIX_NONE : key_idx); - } - if (wk.ik_keyix != IEEE80211_KEYIX_NONE && set_tx) - wk.ik_flags |= IEEE80211_KEY_DEFAULT; - wk.ik_keylen = key_len; - memcpy(&wk.ik_keyrsc, seq, seq_len); - wk.ik_keyrsc = le64toh(wk.ik_keyrsc); - memcpy(wk.ik_keydata, key, key_len); - - return set80211var(drv, IEEE80211_IOC_WPAKEY, &wk, sizeof(wk)); -} - -static int -wpa_driver_bsd_set_countermeasures(void *priv, int enabled) -{ - struct wpa_driver_bsd_data *drv = priv; - - wpa_printf(MSG_DEBUG, "%s: enabled=%d", __func__, enabled); - return set80211param(drv, IEEE80211_IOC_COUNTERMEASURES, enabled); -} - - -static int -wpa_driver_bsd_set_drop_unencrypted(void *priv, int enabled) -{ - struct wpa_driver_bsd_data *drv = priv; - - wpa_printf(MSG_DEBUG, "%s: enabled=%d", __func__, enabled); - return set80211param(drv, IEEE80211_IOC_DROPUNENCRYPTED, enabled); -} - -static int -wpa_driver_bsd_deauthenticate(void *priv, const u8 *addr, int reason_code) -{ - struct wpa_driver_bsd_data *drv = priv; - struct ieee80211req_mlme mlme; - - drv->lastssid_len = 0; - - wpa_printf(MSG_DEBUG, "%s", __func__); - memset(&mlme, 0, sizeof(mlme)); - mlme.im_op = IEEE80211_MLME_DEAUTH; - mlme.im_reason = reason_code; - memcpy(mlme.im_macaddr, addr, IEEE80211_ADDR_LEN); - return set80211var(drv, IEEE80211_IOC_MLME, &mlme, sizeof(mlme)); -} - -static int -wpa_driver_bsd_disassociate(void *priv, const u8 *addr, int reason_code) -{ - struct wpa_driver_bsd_data *drv = priv; - struct ieee80211req_mlme mlme; - - drv->lastssid_len = 0; - - wpa_printf(MSG_DEBUG, "%s", __func__); - memset(&mlme, 0, sizeof(mlme)); - mlme.im_op = IEEE80211_MLME_DISASSOC; - mlme.im_reason = reason_code; - memcpy(mlme.im_macaddr, addr, IEEE80211_ADDR_LEN); - return set80211var(drv, IEEE80211_IOC_MLME, &mlme, sizeof(mlme)); -} - -static int -wpa_driver_bsd_associate(void *priv, struct wpa_driver_associate_params *params) -{ - struct wpa_driver_bsd_data *drv = priv; - struct ieee80211req_mlme mlme; - int privacy; - - wpa_printf(MSG_DEBUG, - "%s: ssid '%.*s' wpa ie len %u pairwise %u group %u key mgmt %u" - , __func__ - , params->ssid_len, params->ssid - , params->wpa_ie_len - , params->pairwise_suite - , params->group_suite - , params->key_mgmt_suite - ); - - /* XXX error handling is wrong but unclear what to do... */ - if (wpa_driver_bsd_set_wpa_ie(drv, params->wpa_ie, params->wpa_ie_len) < 0) - return -1; - - privacy = !(params->pairwise_suite == CIPHER_NONE && - params->group_suite == CIPHER_NONE && - params->key_mgmt_suite == KEY_MGMT_NONE && - params->wpa_ie_len == 0); - wpa_printf(MSG_DEBUG, "%s: set PRIVACY %u", __func__, privacy); - - if (set80211param(drv, IEEE80211_IOC_PRIVACY, privacy) < 0) - return -1; - - if (params->wpa_ie_len && - set80211param(drv, IEEE80211_IOC_WPA, - params->wpa_ie[0] == WLAN_EID_RSN ? 2 : 1) < 0) - return -1; - - memset(&mlme, 0, sizeof(mlme)); - mlme.im_op = IEEE80211_MLME_ASSOC; - if (params->ssid != NULL) - memcpy(mlme.im_ssid, params->ssid, params->ssid_len); - mlme.im_ssid_len = params->ssid_len; - if (params->bssid != NULL) - memcpy(mlme.im_macaddr, params->bssid, IEEE80211_ADDR_LEN); - if (set80211var(drv, IEEE80211_IOC_MLME, &mlme, sizeof(mlme)) < 0) - return -1; - memcpy(drv->lastssid, params->ssid, params->ssid_len); - drv->lastssid_len = params->ssid_len; - return 0; -} - -static int -wpa_driver_bsd_set_auth_alg(void *priv, int auth_alg) -{ - struct wpa_driver_bsd_data *drv = priv; - int authmode; - - if ((auth_alg & AUTH_ALG_OPEN_SYSTEM) && - (auth_alg & AUTH_ALG_SHARED_KEY)) - authmode = IEEE80211_AUTH_AUTO; - else if (auth_alg & AUTH_ALG_SHARED_KEY) - authmode = IEEE80211_AUTH_SHARED; - else - authmode = IEEE80211_AUTH_OPEN; - - wpa_printf(MSG_DEBUG, "%s alg 0x%x authmode %u", - __func__, auth_alg, authmode); - - return set80211param(drv, IEEE80211_IOC_AUTHMODE, authmode); -} - -static int -wpa_driver_bsd_scan(void *priv, const u8 *ssid, size_t ssid_len) -{ - struct wpa_driver_bsd_data *drv = priv; - struct ieee80211_scan_req sr; - int flags; - - /* XXX not true but easiest to perpetuate the myth */ - /* NB: interface must be marked UP to do a scan */ - if (getifflags(drv, &flags) != 0) { - wpa_printf(MSG_DEBUG, "%s did not mark interface UP", __func__); - return -1; - } - if ((flags & IFF_UP) == 0 && setifflags(drv, flags | IFF_UP) != 0) { - wpa_printf(MSG_DEBUG, "%s unable to mark interface UP", - __func__); - return -1; - } - - memset(&sr, 0, sizeof(sr)); - sr.sr_flags = IEEE80211_IOC_SCAN_ACTIVE - | IEEE80211_IOC_SCAN_ONCE - | IEEE80211_IOC_SCAN_NOJOIN - ; - sr.sr_duration = IEEE80211_IOC_SCAN_FOREVER; - if (ssid_len != 0) { - /* XXX ssid_len must be <= IEEE80211_NWID_LEN */ - memcpy(sr.sr_ssid[sr.sr_nssid].ssid, ssid, ssid_len); - sr.sr_ssid[sr.sr_nssid].len = ssid_len; - sr.sr_nssid++; - } - if (drv->lastssid_len != 0 && - (drv->lastssid_len != ssid_len || - memcmp(drv->lastssid, ssid, ssid_len) != 0)) { - /* - * If we are scanning because we received a deauth - * and the scan cache is warm then we'll find the - * ap there and short circuit a full-blown scan. - */ - memcpy(sr.sr_ssid[sr.sr_nssid].ssid, drv->lastssid, - drv->lastssid_len); - sr.sr_ssid[sr.sr_nssid].len = drv->lastssid_len; - sr.sr_nssid++; - /* NB: clear so we don't retry w/o associating first */ - drv->lastssid_len = 0; - } - if (sr.sr_nssid != 0) /* NB: check scan cache first */ - sr.sr_flags |= IEEE80211_IOC_SCAN_CHECK; - - /* NB: net80211 delivers a scan complete event so no need to poll */ - return set80211var(drv, IEEE80211_IOC_SCAN_REQ, &sr, sizeof(sr)); -} - -#include -#include - -static void -wpa_driver_bsd_event_receive(int sock, void *ctx, void *sock_ctx) -{ - struct wpa_driver_bsd_data *drv = sock_ctx; - char buf[2048]; - struct if_announcemsghdr *ifan; - struct if_msghdr *ifm; - struct rt_msghdr *rtm; - union wpa_event_data event; - struct ieee80211_michael_event *mic; - int n; - - n = read(sock, buf, sizeof(buf)); - if (n < 0) { - if (errno != EINTR && errno != EAGAIN) - perror("read(PF_ROUTE)"); - return; - } - - rtm = (struct rt_msghdr *) buf; - if (rtm->rtm_version != RTM_VERSION) { - wpa_printf(MSG_DEBUG, "Routing message version %d not " - "understood\n", rtm->rtm_version); - return; - } - memset(&event, 0, sizeof(event)); - switch (rtm->rtm_type) { - case RTM_IFANNOUNCE: - ifan = (struct if_announcemsghdr *) rtm; - if (ifan->ifan_index != drv->ifindex) - break; - strlcpy(event.interface_status.ifname, drv->ifname, - sizeof(event.interface_status.ifname)); - switch (ifan->ifan_what) { - case IFAN_DEPARTURE: - event.interface_status.ievent = EVENT_INTERFACE_REMOVED; - default: - return; - } - wpa_printf(MSG_DEBUG, "RTM_IFANNOUNCE: Interface '%s' %s", - event.interface_status.ifname, - ifan->ifan_what == IFAN_DEPARTURE ? - "removed" : "added"); - wpa_supplicant_event(ctx, EVENT_INTERFACE_STATUS, &event); - break; - case RTM_IEEE80211: - ifan = (struct if_announcemsghdr *) rtm; - if (ifan->ifan_index != drv->ifindex) - break; - switch (ifan->ifan_what) { - case RTM_IEEE80211_ASSOC: - case RTM_IEEE80211_REASSOC: - wpa_supplicant_event(ctx, EVENT_ASSOC, NULL); - break; - case RTM_IEEE80211_DISASSOC: - wpa_supplicant_event(ctx, EVENT_DISASSOC, NULL); - break; - case RTM_IEEE80211_SCAN: - wpa_supplicant_event(ctx, EVENT_SCAN_RESULTS, NULL); - break; - case RTM_IEEE80211_REPLAY: - /* ignore */ - break; - case RTM_IEEE80211_MICHAEL: - mic = (struct ieee80211_michael_event *) &ifan[1]; - wpa_printf(MSG_DEBUG, - "Michael MIC failure wireless event: " - "keyix=%u src_addr=" MACSTR, mic->iev_keyix, - MAC2STR(mic->iev_src)); - - memset(&event, 0, sizeof(event)); - event.michael_mic_failure.unicast = - !IEEE80211_IS_MULTICAST(mic->iev_dst); - wpa_supplicant_event(ctx, EVENT_MICHAEL_MIC_FAILURE, - &event); - break; - } - break; - case RTM_IFINFO: - ifm = (struct if_msghdr *) rtm; - if (ifm->ifm_index != drv->ifindex) - break; - if ((rtm->rtm_flags & RTF_UP) == 0) { - strlcpy(event.interface_status.ifname, drv->ifname, - sizeof(event.interface_status.ifname)); - event.interface_status.ievent = EVENT_INTERFACE_REMOVED; - wpa_printf(MSG_DEBUG, "RTM_IFINFO: Interface '%s' DOWN", - event.interface_status.ifname); - wpa_supplicant_event(ctx, EVENT_INTERFACE_STATUS, &event); - } - break; - } -} - -/* Compare function for sorting scan results. Return >0 if @b is consider - * better. */ -static int -wpa_scan_result_compar(const void *a, const void *b) -{ - const struct wpa_scan_result *wa = a; - const struct wpa_scan_result *wb = b; - - /* WPA/WPA2 support preferred */ - if ((wb->wpa_ie_len || wb->rsn_ie_len) && - !(wa->wpa_ie_len || wa->rsn_ie_len)) - return 1; - if (!(wb->wpa_ie_len || wb->rsn_ie_len) && - (wa->wpa_ie_len || wa->rsn_ie_len)) - return -1; - - /* privacy support preferred */ - if ((wa->caps & IEEE80211_CAPINFO_PRIVACY) && - (wb->caps & IEEE80211_CAPINFO_PRIVACY) == 0) - return 1; - if ((wa->caps & IEEE80211_CAPINFO_PRIVACY) == 0 && - (wb->caps & IEEE80211_CAPINFO_PRIVACY)) - return -1; - - /* best/max rate preferred if signal level close enough XXX */ - if (wa->maxrate != wb->maxrate && abs(wb->level - wa->level) < 5) - return wb->maxrate - wa->maxrate; - - /* use freq for channel preference */ - - /* all things being equal, use signal level */ - return wb->level - wa->level; -} - -static int -getmaxrate(const uint8_t rates[15], uint8_t nrates) -{ - int i, maxrate = -1; - - for (i = 0; i < nrates; i++) { - int rate = rates[i] & IEEE80211_RATE_VAL; - if (rate > maxrate) - rate = maxrate; - } - return maxrate; -} - -/* unalligned little endian access */ -#define LE_READ_4(p) \ - ((u_int32_t) \ - ((((const u_int8_t *)(p))[0] ) | \ - (((const u_int8_t *)(p))[1] << 8) | \ - (((const u_int8_t *)(p))[2] << 16) | \ - (((const u_int8_t *)(p))[3] << 24))) - -static __inline int -iswpaoui(const u_int8_t *frm) -{ - return frm[1] > 3 && LE_READ_4(frm+2) == ((WPA_OUI_TYPE<<24)|WPA_OUI); -} - -static int -wpa_driver_bsd_get_scan_results(void *priv, - struct wpa_scan_result *results, - size_t max_size) -{ -#define min(a,b) ((a)>(b)?(b):(a)) - struct wpa_driver_bsd_data *drv = priv; - uint8_t buf[24*1024]; - const uint8_t *cp, *vp; - const struct ieee80211req_scan_result *sr; - struct wpa_scan_result *wsr; - int len, ielen; - - memset(results, 0, max_size * sizeof(struct wpa_scan_result)); - - len = get80211var(drv, IEEE80211_IOC_SCAN_RESULTS, buf, sizeof(buf)); - if (len < 0) - return -1; - cp = buf; - wsr = results; - while (len >= sizeof(struct ieee80211req_scan_result)) { - sr = (const struct ieee80211req_scan_result *) cp; - memcpy(wsr->bssid, sr->isr_bssid, IEEE80211_ADDR_LEN); - wsr->ssid_len = sr->isr_ssid_len; - wsr->freq = sr->isr_freq; - wsr->noise = sr->isr_noise; - wsr->qual = sr->isr_rssi; - wsr->level = 0; /* XXX? */ - wsr->caps = sr->isr_capinfo; - wsr->maxrate = getmaxrate(sr->isr_rates, sr->isr_nrates); - vp = ((u_int8_t *)sr) + sr->isr_ie_off; - memcpy(wsr->ssid, vp, sr->isr_ssid_len); - if (sr->isr_ie_len > 0) { - vp += sr->isr_ssid_len; - ielen = sr->isr_ie_len; - while (ielen > 0) { - switch (vp[0]) { - case IEEE80211_ELEMID_VENDOR: - if (!iswpaoui(vp)) - break; - wsr->wpa_ie_len = - min(2+vp[1], SSID_MAX_WPA_IE_LEN); - memcpy(wsr->wpa_ie, vp, wsr->wpa_ie_len); - break; - case IEEE80211_ELEMID_RSN: - wsr->rsn_ie_len = - min(2+vp[1], SSID_MAX_WPA_IE_LEN); - memcpy(wsr->rsn_ie, vp, wsr->rsn_ie_len); - break; - } - ielen -= 2+vp[1]; - vp += 2+vp[1]; - } - } - - cp += sr->isr_len, len -= sr->isr_len; - wsr++; - } - qsort(results, wsr - results, sizeof(struct wpa_scan_result), - wpa_scan_result_compar); - - wpa_printf(MSG_DEBUG, "Received %d bytes of scan results (%d BSSes)", - len, wsr - results); - - return wsr - results; -#undef min -} - -#define GETPARAM(drv, param, v) \ - (((v) = get80211param(drv, param)) != -1) -#define IEEE80211_C_BGSCAN 0x20000000 - -/* - * Set the scan cache valid threshold to 1.5 x bg scan interval - * to force all scan requests to consult the cache unless they - * explicitly bypass it. - */ -static int -setscanvalid(struct wpa_driver_bsd_data *drv) -{ - int bgscan, scanvalid; - - if (!GETPARAM(drv, IEEE80211_IOC_SCANVALID, drv->prev_scanvalid) || - !GETPARAM(drv, IEEE80211_IOC_BGSCAN_INTERVAL, bgscan)) - return -1; - scanvalid = 3*bgscan/2; - return (drv->prev_scanvalid < scanvalid) ? - set80211param(drv, IEEE80211_IOC_SCANVALID, scanvalid) : 0; -} - -static void * -wpa_driver_bsd_init(void *ctx, const char *ifname) -{ - struct wpa_driver_bsd_data *drv; - struct ieee80211_devcaps_req devcaps; - int flags; - - drv = malloc(sizeof(*drv)); - if (drv == NULL) - return NULL; - memset(drv, 0, sizeof(*drv)); - /* - * NB: We require the interface name be mappable to an index. - * This implies we do not support having wpa_supplicant - * wait for an interface to appear. This seems ok; that - * doesn't belong here; it's really the job of devd. - */ - drv->ifindex = if_nametoindex(ifname); - if (drv->ifindex == 0) { - wpa_printf(MSG_DEBUG, "%s: interface %s does not exist", - __func__, ifname); - goto fail1; - } - drv->sock = socket(PF_INET, SOCK_DGRAM, 0); - if (drv->sock < 0) - goto fail1; - drv->ctx = ctx; - strncpy(drv->ifname, ifname, sizeof(drv->ifname)); - - /* - * Mark the interface as down to ensure wpa_supplicant has exclusive - * access to the net80211 state machine, do this before opening the - * route socket to avoid a false event that the interface disappeared. - */ - if (getifflags(drv, &flags) == 0) - (void) setifflags(drv, flags &~ IFF_UP); - - drv->route = socket(PF_ROUTE, SOCK_RAW, 0); - if (drv->route < 0) - goto fail; - eloop_register_read_sock(drv->route, - wpa_driver_bsd_event_receive, ctx, drv); - - if (get80211var(drv, IEEE80211_IOC_DEVCAPS, &devcaps, sizeof(devcaps)) < 0) { - wpa_printf(MSG_DEBUG, - "%s: failed to get device capabilities: %s", - __func__, strerror(errno)); - goto fail; - } - drv->drivercaps = devcaps.dc_drivercaps; - drv->cryptocaps = devcaps.dc_cryptocaps; - - if (!GETPARAM(drv, IEEE80211_IOC_ROAMING, drv->prev_roaming)) { - wpa_printf(MSG_DEBUG, "%s: failed to get roaming state: %s", - __func__, strerror(errno)); - goto fail; - } - if (!GETPARAM(drv, IEEE80211_IOC_PRIVACY, drv->prev_privacy)) { - wpa_printf(MSG_DEBUG, "%s: failed to get privacy state: %s", - __func__, strerror(errno)); - goto fail; - } - if (!GETPARAM(drv, IEEE80211_IOC_WPA, drv->prev_wpa)) { - wpa_printf(MSG_DEBUG, "%s: failed to get wpa state: %s", - __func__, strerror(errno)); - goto fail; - } - if (set80211param(drv, IEEE80211_IOC_ROAMING, IEEE80211_ROAMING_MANUAL) < 0) { - wpa_printf(MSG_DEBUG, "%s: failed to set wpa_supplicant-based " - "roaming: %s", __func__, strerror(errno)); - goto fail; - } - if (drv->drivercaps & IEEE80211_C_BGSCAN) { - /* - * Driver does background scanning; force the scan valid - * setting to 1.5 x bg scan interval so the scan cache is - * always consulted before we force a foreground scan. - */ - if (setscanvalid(drv) < 0) { - wpa_printf(MSG_DEBUG, - "%s: warning, failed to set scanvalid, scanning " - "may be suboptimal: %s", __func__, strerror(errno)); - } - } - if (set80211param(drv, IEEE80211_IOC_WPA, 1+2) < 0) { - wpa_printf(MSG_DEBUG, "%s: failed to enable WPA support %s", - __func__, strerror(errno)); - goto fail; - } - - return drv; -fail: - close(drv->sock); -fail1: - free(drv); - return NULL; -} -#undef GETPARAM - -static void -wpa_driver_bsd_deinit(void *priv) -{ - struct wpa_driver_bsd_data *drv = priv; - int flags; - - /* NB: mark interface down */ - if (getifflags(drv, &flags) == 0) - (void) setifflags(drv, flags &~ IFF_UP); - - wpa_driver_bsd_set_wpa_internal(drv, drv->prev_wpa, drv->prev_privacy); - if (set80211param(drv, IEEE80211_IOC_ROAMING, drv->prev_roaming) < 0) { - /* NB: don't whinge if device ejected or equivalent */ - if (errno != ENXIO) - wpa_printf(MSG_DEBUG, "%s: failed to restore roaming " - "state", __func__); - } - if (drv->drivercaps & IEEE80211_C_BGSCAN) { - /* XXX check return value */ - (void) set80211param(drv, IEEE80211_IOC_SCANVALID, - drv->prev_scanvalid); - } - - (void) close(drv->route); /* ioctl socket */ - (void) close(drv->sock); /* event socket */ - free(drv); -} - - -struct wpa_driver_ops wpa_driver_bsd_ops = { - .name = "bsd", - .desc = "BSD 802.11 support (Atheros, etc.)", - .init = wpa_driver_bsd_init, - .deinit = wpa_driver_bsd_deinit, - .get_bssid = wpa_driver_bsd_get_bssid, - .get_ssid = wpa_driver_bsd_get_ssid, - .set_wpa = wpa_driver_bsd_set_wpa, - .set_key = wpa_driver_bsd_set_key, - .set_countermeasures = wpa_driver_bsd_set_countermeasures, - .set_drop_unencrypted = wpa_driver_bsd_set_drop_unencrypted, - .scan = wpa_driver_bsd_scan, - .get_scan_results = wpa_driver_bsd_get_scan_results, - .deauthenticate = wpa_driver_bsd_deauthenticate, - .disassociate = wpa_driver_bsd_disassociate, - .associate = wpa_driver_bsd_associate, - .set_auth_alg = wpa_driver_bsd_set_auth_alg, -}; diff --git a/usr.sbin/802_11/wpa_supplicant/driver_wired.c b/usr.sbin/802_11/wpa_supplicant/driver_wired.c deleted file mode 100644 index ed9efb9..0000000 --- a/usr.sbin/802_11/wpa_supplicant/driver_wired.c +++ /dev/null @@ -1,185 +0,0 @@ -/* - * WPA Supplicant - wired Ethernet driver interface - * Copyright (c) 2005-2007, Jouni Malinen - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 as - * published by the Free Software Foundation. - * - * Alternatively, this software may be distributed under the terms of BSD - * license. - * - * See README and COPYING for more details. - * - * $FreeBSD: head/usr.sbin/wpa/wpa_supplicant/driver_wired.c 189263 2009-03-02 02:28:22Z sam $ - */ - -#include "includes.h" -#include -#include -#include - -#include "common.h" -#include "drivers/driver.h" -#include "wpa.h" - -static const u8 pae_group_addr[ETH_ALEN] = -{ 0x01, 0x80, 0xc2, 0x00, 0x00, 0x03 }; - -struct wpa_driver_wired_data { - int sock; - char ifname[IFNAMSIZ + 1]; - int multi; - int flags; - void *ctx; -}; - -static int -getifflags(struct wpa_driver_wired_data *drv, int *flags) -{ - struct ifreq ifr; - - memset(&ifr, 0, sizeof(ifr)); - strncpy(ifr.ifr_name, drv->ifname, sizeof (ifr.ifr_name)); - if (ioctl(drv->sock, SIOCGIFFLAGS, (caddr_t)&ifr) < 0) { - perror("SIOCGIFFLAGS"); - return errno; - } - *flags = (ifr.ifr_flags & 0xffff) | (ifr.ifr_flagshigh << 16); - return 0; -} - -static int -setifflags(struct wpa_driver_wired_data *drv, int flags) -{ - struct ifreq ifr; - - memset(&ifr, 0, sizeof(ifr)); - strncpy(ifr.ifr_name, drv->ifname, sizeof (ifr.ifr_name)); - ifr.ifr_flags = flags & 0xffff; - ifr.ifr_flagshigh = flags >> 16; - if (ioctl(drv->sock, SIOCSIFFLAGS, (caddr_t)&ifr) < 0) { - perror("SIOCSIFFLAGS"); - return errno; - } - return 0; -} - -static int -wpa_driver_wired_get_ssid(void *priv, u8 *ssid) -{ - ssid[0] = 0; - return 0; -} - -static int -wpa_driver_wired_get_bssid(void *priv, u8 *bssid) -{ - /* Report PAE group address as the "BSSID" for wired connection. */ - os_memcpy(bssid, pae_group_addr, ETH_ALEN); - return 0; -} - -static int -siocmulti(struct wpa_driver_wired_data *drv, int op, const u8 *addr) -{ - struct ifreq ifr; - struct sockaddr_dl *dlp; - - os_memset(&ifr, 0, sizeof(ifr)); - os_strncpy(ifr.ifr_name, drv->ifname, IFNAMSIZ); - dlp = (struct sockaddr_dl *) &ifr.ifr_addr; - dlp->sdl_len = sizeof(struct sockaddr_dl); - dlp->sdl_family = AF_LINK; - dlp->sdl_index = 0; - dlp->sdl_nlen = 0; - dlp->sdl_alen = ETH_ALEN; - dlp->sdl_slen = 0; - os_memcpy(LLADDR(dlp), addr, ETH_ALEN); - if (ioctl(drv->sock, op, (caddr_t) &ifr) < 0) { - wpa_printf(MSG_INFO, "ioctl[%s]: %s", op == SIOCADDMULTI ? - "SIOCADDMULTI" : "SIOCDELMULTI", strerror(errno)); - return -1; - } - return 0; -} - -static void * -wpa_driver_wired_init(void *ctx, const char *ifname) -{ - struct wpa_driver_wired_data *drv; - int flags; - - drv = os_zalloc(sizeof(*drv)); - if (drv == NULL) - return NULL; - os_strncpy(drv->ifname, ifname, sizeof(drv->ifname)); - drv->sock = socket(PF_INET, SOCK_DGRAM, 0); - if (drv->sock < 0) - goto fail1; - drv->ctx = ctx; - - if (getifflags(drv, &drv->flags) < 0) { - wpa_printf(MSG_INFO, "%s: Unable to get interface flags", - __func__); - goto fail; - } - flags = drv->flags | IFF_UP; /* NB: force interface up */ - - /* - * Arrange to receive PAE mcast frames. Try to add an - * explicit mcast address. If that fails, fallback to - * the all multicast mechanism. - */ - if (siocmulti(drv, SIOCADDMULTI, pae_group_addr) == 0) { - wpa_printf(MSG_DEBUG, "%s: Added PAE multicast address", - __func__); - drv->multi = 1; - } else if ((drv->flags & IFF_ALLMULTI) == 0) - flags |= IFF_ALLMULTI; - - if (flags != drv->flags) { - if (setifflags(drv, flags) < 0) { - wpa_printf(MSG_INFO, "%s: Failed to set interface flags", - __func__); - goto fail; - } - if ((flags ^ drv->flags) & IFF_ALLMULTI) - wpa_printf(MSG_DEBUG, "%s: Enabled all-multi mode", - __func__); - } - return drv; -fail: - close(drv->sock); -fail1: - free(drv); - return NULL; -} - -static void -wpa_driver_wired_deinit(void *priv) -{ - struct wpa_driver_wired_data *drv = priv; - - if (drv->multi) { - if (siocmulti(drv, SIOCDELMULTI, pae_group_addr) < 0) { - wpa_printf(MSG_DEBUG, "%s: Failed to remove PAE " - "multicast " "group (SIOCDELMULTI)", __func__); - } - } - if (setifflags(drv, drv->flags) < 0) { - wpa_printf(MSG_INFO, "%s: Failed to restore interface flags", - __func__); - } - (void) close(drv->sock); - os_free(drv); -} - -const struct wpa_driver_ops wpa_driver_wired_ops = { - .name = "wired", - .desc = "BSD wired Ethernet driver", - .get_ssid = wpa_driver_wired_get_ssid, - .get_bssid = wpa_driver_wired_get_bssid, - .init = wpa_driver_wired_init, - .deinit = wpa_driver_wired_deinit, -}; diff --git a/usr.sbin/802_11/wpa_supplicant/wpa_supplicant.8 b/usr.sbin/802_11/wpa_supplicant/wpa_supplicant.8 index 5b2ec61..ae30d3d 100644 --- a/usr.sbin/802_11/wpa_supplicant/wpa_supplicant.8 +++ b/usr.sbin/802_11/wpa_supplicant/wpa_supplicant.8 @@ -22,9 +22,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: src/usr.sbin/wpa/wpa_supplicant/wpa_supplicant.8,v 1.8 2012/11/17 01:55:00 svnexp Exp $ +.\" $FreeBSD: head/usr.sbin/wpa/wpa_supplicant/wpa_supplicant.8 242696 2012-11-07 15:47:36Z issyl0 $ .\" -.Dd November 23, 2012 +.Dd November 7, 2012 .Dt WPA_SUPPLICANT 8 .Os .Sh NAME @@ -113,7 +113,7 @@ in the background. Enable debugging messages. If this option is supplied twice, more verbose messages are displayed. .It Fl D -Driver name (bsd, ndis etc.) +Driver name (can be multiple drivers: nl80211,wext). .It Fl f Log output to debug file instead of stdout. .It Fl g @@ -154,15 +154,15 @@ Wait for a control interface monitor before starting. .Sh SEE ALSO .Xr an 4 , .Xr ath 4 , -.\".Xr ipw 4 , +.Xr ipw 4 , .Xr iwi 4 , .Xr ral 4 , .Xr rum 4 , -.\".Xr ural 4 , +.Xr ural 4 , .Xr wi 4 , .Xr wlan 4 , .Xr wpi 4 , -.\".Xr zyd 4 , +.Xr zyd 4 , .Xr wpa_supplicant.conf 5 , .Xr devd 8 , .Xr ifconfig 8 , @@ -176,7 +176,7 @@ utility first appeared in The .Nm utility was written by -.An Jouni Malinen Aq Mt j@w1.fi . +.An Jouni Malinen Aq j@w1.fi . This manual page is derived from the .Pa README file included in the diff --git a/usr.sbin/802_11/wpa_supplicant/wpa_supplicant.conf.5 b/usr.sbin/802_11/wpa_supplicant/wpa_supplicant.conf.5 index 86559b0..3fa50b9 100644 --- a/usr.sbin/802_11/wpa_supplicant/wpa_supplicant.conf.5 +++ b/usr.sbin/802_11/wpa_supplicant/wpa_supplicant.conf.5 @@ -22,9 +22,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: head/usr.sbin/wpa/wpa_supplicant/wpa_supplicant.conf.5 195644 2009-07-12 19:58:52Z sam $ +.\" $FreeBSD: head/usr.sbin/wpa/wpa_supplicant/wpa_supplicant.conf.5 235337 2012-05-12 15:08:22Z gjb $ .\" -.Dd July 8, 2007 +.Dd April 10, 2010 .Dt WPA_SUPPLICANT.CONF 5 .Os .Sh NAME @@ -153,7 +153,27 @@ Note that IBSS (adhoc) mode can only be used with .Va key_mgmt set to .Li NONE -(plaintext and static WEP). +(plaintext and static WEP), or +.Va key_mgmt +set to +.Li WPA-NONE +(fixed group key TKIP/CCMP). +In addition, +.Va ap_scan +has to be set to 2 for IBSS. +.Li WPA-NONE +requires +.Va proto +set to WPA, +.Va key_mgmt +set to WPA-NONE, +.Va pairwise +set to NONE, +.Va group +set to either +CCMP or TKIP (but not both), and +.Va psk +must also be set. .It Va proto List of acceptable protocols; one or more of: .Li WPA @@ -249,7 +269,7 @@ used only as a Phase 2 metod with EAP-PEAP or EAP-TTLS), (EAP-PEAP, with tunneled EAP authentication), .Li TTLS (EAP-TTLS, with tunneled EAP or PAP/CHAP/MSCHAP/MSCHAPV2 authentication). -If not set this defaults to all available methods compiled into +If not set this defaults to all available methods compiled in to .Xr wpa_supplicant 8 . Note that by default .Xr wpa_supplicant 8 @@ -296,7 +316,7 @@ This can be used to achieve forward secrecy. If the .Va dh_file is in DSA parameters format, it will be automatically converted -into DH params. +into DH parameters. .It Va subject_match Substring to be matched against the subject of the authentication server certificate. @@ -350,7 +370,7 @@ TLS Message Length field in all TLS messages even if they are not fragmented. .It Li sim_min_num_chal=3 can be used to configure EAP-SIM to require three -challenges (by default, it accepts 2 or 3) +challenges (by default, it accepts 2 or 3). .It Li fast_provisioning=1 option enables in-line provisioning of EAP-FAST credentials (PAC). @@ -404,6 +424,16 @@ Enable/disable EAP workarounds for various interoperability issues with misbehaving authentication servers. By default these workarounds are enabled. Strict EAP conformance can be configured by setting this to 0. +.It Va wep_tx_keyidx +which key to use for transmission of packets. +.It Va wep_keyN key +An +.Tn ASCII +string enclosed in quotation marks to encode the WEP key. +Without quotes this is a hex string of the actual key. +WEP is considered insecure and should be avoided. +The exact translation from an ASCII key to a hex key varies. +Use hex keys where possible. .El .Sh CERTIFICATES Some EAP authentication methods require use of certificates. @@ -520,7 +550,10 @@ network={ scan_ssid=1 key_mgmt=NONE wep_tx_keyidx=0 + # hex keys denoted without quotes wep_key0=42FEEDDEAFBABEDEAFBEEFAA55 + # ASCII keys denoted with quotes. + wep_key1="DragonFlyR0X!" } .Ed .Sh SEE ALSO @@ -542,4 +575,4 @@ and files in the .Nm wpa_supplicant distribution provided by -.An Jouni Malinen Aq Mt j@w1.fi . +.An Jouni Malinen Aq j@w1.fi . -- 1.9.2