The new configuration parameter external_sim=<0/1> can now be used to
configure wpa_supplicant to use external SIM/USIM processing (e.g., GSM
authentication for EAP-SIM or UMTS authentication for EAP-AKA). The
requests and responses for such operations are sent over the ctrl_iface
CTRL-REQ-SIM and CTRL-RSP-SIM commands similarly to the existing
password query mechanism.
Changes to the EAP methods to use this new mechanism will be added in
separate commits.
Signed-hostap: Jouni Malinen <j@w1.fi>
This allows credentials to be limited from being used to connect to a
network unless the AP advertises a matching roaming consortium OI.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This allow domain_suffix_match to be specified for a cred block and then
get this copied for the network blocks generated from this credential as
part of Interworking network selection.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Credentials can now be configured with more than one FQDN ('domain'
field in the cred block) to perform Domain Name List matching against
multiple home domains.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If a VIF is already associated, then only scan on the associated
frequency if user requests such. This is a big help when using
lots of virtual stations.
Signed-hostap: Ben Greear <greearb@candelatech.com>
Signed-off-by: Ben Greear <greearb@candelatech.com>
The new sched_scan_interval parameter can be used to set the default
sched_scan interval, e.g., for power saving purposes.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This allows one to limit the channels that wpa_supplicant will
scan. This is a useful addition to the freq_list configurable
in the network {} section.
Signed-hostap: Ben Greear <greearb@candelatech.com>
This option can be used only for global parameters that are not going
to be changed from settings.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Signed-off-by: Iliyan Malchev <malchev@google.com>
This can be used to configure wpa_supplicant to ignore old scan results
from the driver cache in cases where such results were not updated after
the scan trigger from wpa_supplicant. This can be useful in some cases
where the driver may cache information for a significant time and the AP
configuration is changing. Many such cases are for testing scripts, but
this could potentially be useful for some WPS use cases, too.
Signed-hostap: Jouni Malinen <j@w1.fi>
This new parameter allows wpa_supplicant AP mode operations to use
similar design to the vendor_elements parameter in hostapd to add
vendor_elements into Beacon/Probe Response IE parameters.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
p2p_ignore_shared_freq=1 in the configuration file (or "SET
p2p_ignore_shared_freq 1" on control interface) can now be used to
configure wpa_supplicant to ignore the preference on shared operating
channel when the driver support multi-channel concurrency. The default
behavior is to try to start any new P2P group on an operating channel
that is already in use on another virtual interface to avoid extra cost
from hopping between multiple channels. If this new parameter is set to
1, such preference is not used and instead, the channel for the new P2P
group is selected based on other preferences while ignoring operating
channels of any concurrent connection.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
beacon_int (in TU) can now be used to configure Beacon interval for AP
mode operations (including P2P GO) in wpa_supplicant. This can be set
either in a network block or as a global parameter in the configuration
file (or with "SET beacon_int <value>" control interface command) to
apply for all networks that do not include the beacon_int parameter to
override the default.
In addition, this commits extends the dtim_period parameter to be
available as a global parameter to set the default value. dtim_period is
now stored in the configuration file, too, if it was set.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
"WPS_NFC_TOKEN <WPS/NDEF>" used to generate a new NFC password token
regardless of whether there was a pre-configured token in the
configuration. Change this to use the pre-configured value, if
available, instead. This allows the same command to be used to write the
password token to an NFC tag more conveniently.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
hostapd.conf sae_groups parameter can now be used to limit the set of
groups that the AP allows for SAE. Similarly, sae_groups parameter is
wpa_supplicant.conf can be used to set the preferred order of groups. By
default, all implemented groups are enabled.
Signed-hostap: Jouni Malinen <j@w1.fi>
The new excluded_ssid parameter within a cred block can be used to
excluded networks from matching with credentials.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, PMF (protected management frames, IEEE 802.11w) could be
enabled only with a per-network parameter (ieee80211w). The new global
parameter (pmf) can now be used to change the default behavior to be PMF
enabled (pmf=1) or required (pmf=2) for network blocks that do not
override this with the ieee80211w parameter.
Signed-hostap: Jouni Malinen <j@w1.fi>
Previously, OKC (opportunistic key caching, a.k.a. proactive key
caching) could be enabled only with a per-network parameter
(proactive_key_caching). The new global parameter (okc) can now be used
to change the default behavior to be OKC enabled (okc=1) for network
blocks that do not override this with the proactive_key_caching
parameter.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The new p2p_no_group_iface=1 configuration parameter can now be used to
disable the default behavior of adding a separate interface for the P2P
group when driver support for concurrent interfaces is available.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
By default, P2P is enabled globally for all virtual interfaces and this
makes wpa_supplicant include WSC and P2P IEs in Probe Request frames for
all scans even if this is for a non-P2P station connection to speed up
device discovery. If an interface is dedicated for non-P2P station mode
operations, it is now possible to disable addition of WSC and P2P IEs
into Probe Request frames with a per-interface p2p_disabled parameter.
This can be set either in the configuration file (p2p_disabled=1) or at
run time ("wpa_cli -i wlan0 set p2p_disabled 1"). Unlike the previous
mechanism ("wpa_cli p2p_set disabled 1"), the new parameter changes the
behavior only for the specified interface while other interfaces
continue to follow the global P2P enabled/disabled state.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
When specified in the conf file this parameter will make all invocations
of p2p_group_add, p2p_connect, and p2p_invite behave as if "ht40" has
been specified on the command line. This shouldn't do harm since
regulatory constraints and driver capabilities are consulted anyway
before starting HT40 mode.
Signed-hostap: Arik Nemtsov <arik@wizery.com>
auto_interworking=1 configuration parameter can be used to request
wpa_supplicant to use Interworking network selection automatically as a
part of the normal (non-Interworking) network selection if the scan
results do not match with enabled networks. This makes scanning work
similarly to the "interworking_select auto" command.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
In case of P2P GO and AP mode, wpa_supplicant uses the default hostapd
parameters for WMM. In the default parameters the ACM bit for video and
voice are set to 1, meaning, P2P devices and stations which are
connected to the GO cannot pass voice or video data packets. Allow this
to be changed through wpa_supplicant configuration file with wmm_ac_*
parameters.
Signed-hostap: Yoni Divinsky <yoni.divinsky@ti.com>
This enables setting a different max inactivity timeout for P2P GO.
This timeout is used to detect inactive clients. In some scenarios
it may be useful to have control over this and set a shorter timeout
than the default 300s. For example when running STA and P2P GO interfaces
concurrently, the STA interface may perform scans which may cause the
GO to miss a disassoc / deauth frames from a client and keep assuming
that the client is connected until the inactivity detection kicks in.
300 secs is a bit too long for such scenarios and creates a bad user
experience.
Signed-hostap: Eyal Shapira <eyal@wizery.com>
This new mechanism can be used to make wpa_supplicant using external
storage (e.g., key store in the operating system) for passwords,
passphrases, and PSKs. This commit is only adding the framework part
needed to support this, i.e., no actual configuration parameter can
yet use this new mechanism. In addition, only a simple test backend
is added to allow developer testing of the functionality.
Signed-hostap: Jouni Malinen <j@w1.fi>
Each cred block can now be matched based on Roaming Consortium OI as an
alternative mechanism to using NAI Realm information. This may be
optimized for efficiency in the future since Roaming Consortium
information is available in scan results without having to go through
ANQP queries. In addition, this is easier to support in case there is a
large number of realms that can be used for authentication.
Signed-hostap: Jouni Malinen <j@w1.fi>
The new cred block parameters eap, phase1, and phase2 can be used to
select which EAP method is used with network selection instead of using
the value specified in ANQP information (e.g., NAI Realm).
Signed-hostap: Jouni Malinen <j@w1.fi>
Allow the user to configure an RSSI threshold in dBm below which the
nl80211 driver won't report scan results. Currently only supported
during scheduled (PNO) scans.
Signed-off-by: Thomas Pedersen <c_tpeder@qca.qualcomm.com>
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Instead of requiring low-level access to an NFC device and synchronous
operations, the new WPS_NFC_TOKEN and WPS_NFC ctrl_iface commands can be
used to build a NFC password token and initiate WPS protocol run using
that token (or pre-configured values) as separate commands. The
WPS_NFC_TOKEN output can be written to a NFC tag using an external
program, i.e., wpa_supplicant does not need to have low-level code for
NFC operations for this.
Signed-hostap: Jouni Malinen <j@w1.fi>
The nl80211 driver interface does not allow 128-bit WEP to be used
without a vendor specific cipher suite and no such suite is defined for
this purpose. Do not accept WEP key length 16 for nl80211 driver
interface forn ow. wext-interface can still try to use these for
backwards compatibility.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Do not try to associate with a network that has an invalid or incomplete
configuration because the association or at least data connection would
fail anyway. This commits adds a common function for checking whether a
network block is disabled to make it easier to check network blocks
without having to reject them during configuration file parsing (which
would prevent wpa_supplicant from starting). The only additional check
added in this commit is to verify the WEP key length. Similar checks for
other parameters can be added in future commits.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This workaround for Windows 7 WPS probing mechanism was previously
allowed only with hostapd, but the same interoperability issue can
happen with wpa_supplicant AP/GO mode. Allow the workaround to be
enabled in wpa_supplicant configuration for these uses.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This new configuration parameter can be used to disable automatic
offloading of scan requests to the driver which was previously used
by default if the driver supported sched_scan.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
A special value p2p_group_idle=-1 can now be used to configure the P2P
group idle mechanism to terminate a P2P client group immediately on any
disconnection after the completion of the initial 4-way handshake.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
wps_vendor_ext_m1 configuration parameter can now be used to add a
vendor specific attribute into the WPS M1 message, e.g., for
Windows Vertical Pairing.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
p2p_pref_chan configuration parameter can now be used to set the
list of preferred channel for P2P GO Negotiation. This will be used
in the priority order if the peer does not support the channel we
are trying to use as the GO (configured operating channel or the
best 2.4 GHz/5 GHz channel) for the case where a forced channel is
not used.
p2p_pref_chan=<op class:channel>,...
For example:
p2p_pref_chan=81:1,81:2,81:3,81:4,81:5,81:6
This would configure 2.4 GHz channels 1-6 as the preferred ones with
channel 1 the most preferred option.
These configuration parameters can be set in wpa_supplicant.conf and
dynamically updated with "wpa_cli set <param> <value>".
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This allows Interworking network selection to be used with EAP-TLS
(client certificate/private key based credential).
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
New global configuration parameters pcsc_reader and pcsc_pin can now be
used to initialize PC/SC reader context at start of wpa_supplicant.
Signed-hostap: Jouni Malinen <j@w1.fi>
This allows credentials to be set with a specific priority to allow
the automatic network selection behavior to be controlled with user
preferences. The priority values are configured to the network block
and BSS selection will select the network based on priorities from
both pre-configured network blocks and credentials.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
New wpa_cli commands list_creds, add_cred, remove_cred, and set_cred
can now be used to manage credentials similarly to the commands used
with network blocks.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This replaces the global home_* parameters with a list of credentials
that can be configured similarly to network blocks. For example:
cred={
realm="example.com"
username="user@example.com"
password="password"
ca_cert="/etc/wpa_supplicant/ca.pem"
domain="example.com"
}
cred={
imsi="310026-000000000"
milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
}
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Use Domain Name List (ANQP) and the new home_domain configuration
parameter to figure out whether a network is operated by the home
service provider and if so, prefer it over networks that would
require roaming.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The p2p_group_idle configuration parameter is much more useful for
GO role, so use a separate hardcoded value of 10 seconds in P2P
client role. In practice, this means that the P2P client role will
automatically tear down the group when the GO tears down the group.
The 10 second timeout is enough to recover from temporary disconnections
without unnecessary tearing down the group if the GO is still present
and allows the client to connect.
Signed-hostap: Jouni Malinen <j@w1.fi>
New configuration parameters home_imsi and home_milenage can be used
to configure SIM/USIM simulator parameters for network selection based
on SIM/USIM credentials.
home_imsi=(MCC | MNC | '-' | rest of IMSI)
home_milenage=(Ki):(OPc):(SQN)
For example:
home_imsi=310026-000000000
home_milenage=90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123
Add support for network selection for username/password credentials with
EAP-TTLS and EAP-PEAP. The new global configuration parameters
home_username, home_password, and home_ca_cert can be used to specify
credentials for network selection.
The new wpa_supplicant.conf file global parameters interworking and
hessid can be used to configure wpa_supplicant to include
Interworking element in Probe Request frames.
Some P2PDevice properties were not updated in p2p->cfg structure:
reg_class, channel, op_reg_class, and op_channel. Hence, update p2p->cfg
parameters through p2p core calls in wpas_p2p_update_config().
Signed-off-by: Jean-Michel.Bachot <jean-michelx.bachot@intel.com>
Signed-off-by: Jayant Sane <jayant.sane@intel.com>
Replace compile-time BSS cache expiration age and scan count by config
parameters that can be set via wpa_cli and the new D-Bus API. The latter
is done with interface properties BSSExpireAge and BSSExpireCount.
This adds a new command to the interface to remove all configured
netblocks. Without this it's necessary to query properties on the
interface and explicitly remove each netblock.
This adds the ability to add WPS vendor extension attributes in P2P
frames, like GO Negotiation and Probe Response frames.
Signed-off-by: Jean-Michel Bachot <jean-michelx.bachot@linux.intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Instead of converting back and forth from the string representation,
always use the binary representation internally.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
The nl80211 driver can report low ACK condition (in fact it reports
complete loss right now only). Use that, along with a config option, to
disconnect stations when the data connection is not working properly,
e.g., due to the STA having went outside the range of the AP. This is
disabled by default and can be enabled with disassoc_low_ack=1 in
hostapd or wpa_supplicant configuration file.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
A new configuration parameter, p2p_group_idle, can now be used to set
idle timeout value for P2P groups in seconds (0 = no timeout). If set,
this values is used to remove P2P group (both GO and P2P client)
interfaces after the group has been idle (no clients/GO seen) for the
configuration duration.
The P2P-GROUP-REMOVED event is now indicating the reason for group
removal when known. For example:
P2P-GROUP-REMOVED wlan0 GO reason=REQUESTED
P2P-GROUP-REMOVED wlan1 client reason=IDLE
Despite comments in the wpa_config_update_prio_list(struct wpa_config
*config) telling that it is called "if priority for a network is
changed", it is apparently not.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
filter_ssids=1 global configuration parameter can now be used to
enable scan result filtering (with -Dnl80211 only for now) based on
the configured SSIDs. In other words, only the scan results that have
an SSID matching with one of the configured networks are included in the
BSS table. This can be used to reduce memory needs in environments that
have huge number of APs.
New global configuration parameter bss_max_count can now be used to
change the maximum BSS table size. The old fixed size limit (200) is
used as the default value for this parameter.
This adds config_methods configuration option for wpa_supplicant
following the design used in hostapd. In addition, the string is
now parsed in common code from src/wps/wps_common.c and the list
of configurable methods include all the defined methods from
WPS 1.0h spec.
The following defines are not really needed in most places, so
remove them to clean up source code and build scripts:
EAP_TLS_FUNCS
EAP_TLS_OPENSSL
EAP_TLS_GNUTLS
CONFIG_TLS_INTERNAL
The wps_cred_process option can be used to configure wpa_supplicant to
send received Credential attributes for external processing over
ctrl_iface and dbus. This allows external programs to update their
configuration when WPS is used to provision new networks.
This adds support for setting of a regulatory domain to wpa_supplicant
drivers. It also adds regulatory domain setting for the nl80211 driver.
We expect an ISO / IEC 3166 alpha2 in the wpa configuration file as a
global.