• Home
Name Date Size #Lines LOC

..--

aidl/03-May-2024-14,94412,410

dbus/03-May-2024-19,68313,962

doc/docbook/03-May-2024-2,0831,745

examples/03-May-2024-5,1754,008

src/03-May-2024-

systemd/03-May-2024-6348

utils/03-May-2024-5638

wpa_client_include/libwpa_client/03-May-2024-16,2714,245

wpa_gui-qt4/03-May-2024-12,49811,188

.gitignoreD03-May-202420 32

Android.bpD03-May-202413.6 KiB449439

Android.mkD03-May-202442.9 KiB2,0511,711

ChangeLogD03-May-2024129.8 KiB2,5012,449

CleanSpec.mkD03-May-20242.5 KiB554

MakefileD03-May-202448.1 KiB2,2751,964

READMED03-May-202442.4 KiB1,166928

README-DPPD03-May-20245.9 KiB205147

README-HS20D03-May-202423.7 KiB686592

README-P2PD03-May-202433 KiB857629

README-WPSD03-May-202415.9 KiB394293

README-Windows.txtD03-May-202412.1 KiB300228

android.configD03-May-202420 KiB565456

ap.cD03-May-202455.8 KiB2,1641,719

ap.hD03-May-20245.4 KiB127108

autoscan.cD03-May-20243.5 KiB163113

autoscan.hD03-May-20241.4 KiB6035

autoscan_exponential.cD03-May-20242 KiB10569

autoscan_periodic.cD03-May-20241.6 KiB8652

bgscan.cD03-May-20242.4 KiB11082

bgscan.hD03-May-20242.1 KiB8357

bgscan_learn.cD03-May-202414.4 KiB615479

bgscan_simple.cD03-May-20248 KiB276191

bss.cD03-May-202438.5 KiB1,471995

bss.hD03-May-20246.7 KiB207142

bssid_ignore.cD03-May-20245.4 KiB222142

bssid_ignore.hD03-May-20241 KiB3417

config.cD03-May-2024137.8 KiB5,6654,571

config.hD03-May-202459.1 KiB1,901366

config_file.cD03-May-202445.1 KiB1,7121,489

config_none.cD03-May-20241.3 KiB5829

config_ssid.hD03-May-202434.1 KiB1,270256

config_winreg.cD03-May-202424.8 KiB1,061852

ctrl_iface.cD03-May-2024332.3 KiB13,66211,453

ctrl_iface.hD03-May-20245.7 KiB17055

ctrl_iface_named_pipe.cD03-May-202419.7 KiB832644

ctrl_iface_udp.cD03-May-202421 KiB832682

ctrl_iface_unix.cD03-May-202436.2 KiB1,4351,148

defconfigD03-May-202423.6 KiB661537

dpp_supplicant.cD03-May-2024156.7 KiB5,6824,744

dpp_supplicant.hD03-May-20242.4 KiB5137

driver_i.hD03-May-202431.4 KiB1,1761,023

eap_proxy_dummy.makD03-May-20240

eap_proxy_dummy.mkD03-May-20240 10

eap_proxy_qmi_oc.makD03-May-2024530 2014

eap_proxy_qmi_oc.mkD03-May-20241.1 KiB3824

eap_register.cD03-May-20245.2 KiB272204

eap_testing.txtD03-May-202414.4 KiB393363

eapol_test.cD03-May-202439.9 KiB1,5691,318

eapol_test.pyD03-May-20244.9 KiB160131

events.cD03-May-2024178.6 KiB6,4575,218

gas_query.cD03-May-202425.4 KiB908695

gas_query.hD03-May-20241.4 KiB6036

hs20_supplicant.cD03-May-202433.8 KiB1,3751,147

hs20_supplicant.hD03-May-20242.2 KiB5340

ibss_rsn.cD03-May-202424 KiB959717

ibss_rsn.hD03-May-20241.7 KiB6740

interworking.cD03-May-202483.6 KiB3,3342,771

interworking.hD03-May-20241.3 KiB3826

libwpa_test.cD03-May-2024611 3319

main.cD03-May-202410.1 KiB412362

main_none.cD03-May-2024844 4122

main_winmain.cD03-May-20241.7 KiB7955

main_winsvc.cD03-May-202411.2 KiB459352

mbo.cD03-May-202416.6 KiB688506

mesh.cD03-May-202423.9 KiB899692

mesh.hD03-May-20241.5 KiB5033

mesh_mpm.cD03-May-202438 KiB1,4361,164

mesh_mpm.hD03-May-20241.5 KiB4729

mesh_rsn.cD03-May-202420.6 KiB796597

mesh_rsn.hD03-May-20241.4 KiB4634

nfc_pw_token.cD03-May-20241.7 KiB8457

nmake.makD03-May-20246.6 KiB241200

notify.cD03-May-202432.4 KiB1,4141,018

notify.hD03-May-202411.2 KiB236219

offchannel.cD03-May-202416.1 KiB489325

offchannel.hD03-May-20241.4 KiB3624

op_classes.cD03-May-202413.1 KiB527376

p2p_supplicant.cD03-May-2024292.4 KiB10,3198,103

p2p_supplicant.hD03-May-202413.2 KiB357314

p2p_supplicant_sd.cD03-May-202431 KiB1,283970

pasn_supplicant.cD03-May-202425.1 KiB974763

preauth_test.cD03-May-20248.8 KiB374281

robust_av.cD03-May-202438.7 KiB1,5421,205

rrm.cD03-May-202441.6 KiB1,5931,168

scan.cD03-May-202493.8 KiB3,5042,600

scan.hD03-May-20244.3 KiB9969

sme.cD03-May-202499.7 KiB3,4942,869

sme.hD03-May-20243.7 KiB138105

todo.txtD03-May-20244.4 KiB7978

twt.cD03-May-20243.9 KiB14390

wifi_display.cD03-May-202410.4 KiB432302

wifi_display.hD03-May-2024904 2513

win_if_list.cD03-May-20243.7 KiB174128

wmm_ac.cD03-May-202423.6 KiB988739

wmm_ac.hD03-May-20244.8 KiB17757

wnm_sta.cD03-May-202452.2 KiB2,0071,628

wnm_sta.hD03-May-20242.5 KiB9469

wpa_cli.cD03-May-2024133.1 KiB5,1694,272

wpa_passphrase.cD03-May-20242 KiB9777

wpa_priv.cD03-May-202430.2 KiB1,2951,064

wpa_supplicant.cD03-May-2024255.3 KiB9,3137,141

wpa_supplicant.confD03-May-202485.9 KiB2,157298

wpa_supplicant_conf.mkD03-May-20241.5 KiB3820

wpa_supplicant_conf.shD03-May-2024458 176

wpa_supplicant_i.hD03-May-202458.1 KiB1,9611,371

wpa_supplicant_template.confD03-May-2024230 1311

wpas_glue.cD03-May-202442.5 KiB1,5911,235

wpas_glue.hD03-May-20241 KiB3317

wpas_kay.cD03-May-20249.5 KiB420308

wpas_kay.hD03-May-20241.1 KiB5233

wpas_module_tests.cD03-May-20243.2 KiB11581

wps_supplicant.cD03-May-202482.3 KiB3,0882,490

wps_supplicant.hD03-May-20245.7 KiB180147

README

1wpa_supplicant
2==============
3
4Copyright (c) 2003-2022, Jouni Malinen <j@w1.fi> and contributors
5All Rights Reserved.
6
7This program is licensed under the BSD license (the one with
8advertisement clause removed).
9
10If you are submitting changes to the project, please see CONTRIBUTIONS
11file for more instructions.
12
13
14
15License
16-------
17
18This software may be distributed, used, and modified under the terms of
19BSD license:
20
21Redistribution and use in source and binary forms, with or without
22modification, are permitted provided that the following conditions are
23met:
24
251. Redistributions of source code must retain the above copyright
26   notice, this list of conditions and the following disclaimer.
27
282. Redistributions in binary form must reproduce the above copyright
29   notice, this list of conditions and the following disclaimer in the
30   documentation and/or other materials provided with the distribution.
31
323. Neither the name(s) of the above-listed copyright holder(s) nor the
33   names of its contributors may be used to endorse or promote products
34   derived from this software without specific prior written permission.
35
36THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
37"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
38LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
39A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
40OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
42LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
43DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
44THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
45(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
46OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
47
48
49
50Features
51--------
52
53Supported WPA/IEEE 802.11i features:
54- WPA-PSK ("WPA-Personal")
55- WPA with EAP (e.g., with RADIUS authentication server) ("WPA-Enterprise")
56  Following authentication methods are supported with an integrate IEEE 802.1X
57  Supplicant:
58  * EAP-TLS
59  * EAP-PEAP/MSCHAPv2 (both PEAPv0 and PEAPv1)
60  * EAP-PEAP/TLS (both PEAPv0 and PEAPv1)
61  * EAP-PEAP/GTC (both PEAPv0 and PEAPv1)
62  * EAP-PEAP/OTP (both PEAPv0 and PEAPv1)
63  * EAP-PEAP/MD5-Challenge (both PEAPv0 and PEAPv1)
64  * EAP-TTLS/EAP-MD5-Challenge
65  * EAP-TTLS/EAP-GTC
66  * EAP-TTLS/EAP-OTP
67  * EAP-TTLS/EAP-MSCHAPv2
68  * EAP-TTLS/EAP-TLS
69  * EAP-TTLS/MSCHAPv2
70  * EAP-TTLS/MSCHAP
71  * EAP-TTLS/PAP
72  * EAP-TTLS/CHAP
73  * EAP-SIM
74  * EAP-AKA
75  * EAP-AKA'
76  * EAP-PSK
77  * EAP-PAX
78  * EAP-SAKE
79  * EAP-IKEv2
80  * EAP-GPSK
81  * EAP-pwd
82  * LEAP (note: requires special support from the driver for IEEE 802.11
83	  authentication)
84  (following methods are supported, but since they do not generate keying
85   material, they cannot be used with WPA or IEEE 802.1X WEP keying)
86  * EAP-MD5-Challenge
87  * EAP-MSCHAPv2
88  * EAP-GTC
89  * EAP-OTP
90- key management for CCMP, TKIP, WEP104, WEP40
91- RSN/WPA2 (IEEE 802.11i)
92  * pre-authentication
93  * PMKSA caching
94
95Supported TLS/crypto libraries:
96- OpenSSL (default)
97- GnuTLS
98
99Internal TLS/crypto implementation (optional):
100- can be used in place of an external TLS/crypto library
101- TLSv1
102- X.509 certificate processing
103- PKCS #1
104- ASN.1
105- RSA
106- bignum
107- minimal size (ca. 50 kB binary, parts of which are already needed for WPA;
108  TLSv1/X.509/ASN.1/RSA/bignum parts are about 25 kB on x86)
109
110
111Requirements
112------------
113
114Current hardware/software requirements:
115- Linux kernel 2.4.x or 2.6.x with Linux Wireless Extensions v15 or newer
116- FreeBSD 6-CURRENT
117- NetBSD-current
118- Microsoft Windows with WinPcap (at least WinXP, may work with other versions)
119- drivers:
120	Linux drivers that support cfg80211/nl80211. Even though there are
121	number of driver specific interface included in wpa_supplicant, please
122	note that Linux drivers are moving to use generic wireless configuration
123	interface driver_nl80211 (-Dnl80211 on wpa_supplicant command line)
124	should be the default option to start with before falling back to driver
125	specific interface.
126
127	Linux drivers that support WPA/WPA2 configuration with the generic
128	Linux wireless extensions (WE-18 or newer). Obsoleted by nl80211.
129
130	In theory, any driver that supports Linux wireless extensions can be
131	used with IEEE 802.1X (i.e., not WPA) when using ap_scan=0 option in
132	configuration file.
133
134	Wired Ethernet drivers (with ap_scan=0)
135
136	BSD net80211 layer (e.g., Atheros driver)
137	At the moment, this is for FreeBSD 6-CURRENT branch and NetBSD-current.
138
139	Windows NDIS
140	The current Windows port requires WinPcap (http://winpcap.polito.it/).
141	See README-Windows.txt for more information.
142
143wpa_supplicant was designed to be portable for different drivers and
144operating systems. Hopefully, support for more wlan cards and OSes will be
145added in the future. See developer's documentation
146(http://hostap.epitest.fi/wpa_supplicant/devel/) for more information about the
147design of wpa_supplicant and porting to other drivers. One main goal
148is to add full WPA/WPA2 support to Linux wireless extensions to allow
149new drivers to be supported without having to implement new
150driver-specific interface code in wpa_supplicant.
151
152Optional libraries for layer2 packet processing:
153- libpcap (tested with 0.7.2, most relatively recent versions assumed to work,
154	this is likely to be available with most distributions,
155	http://tcpdump.org/)
156- libdnet (tested with v1.4, most versions assumed to work,
157	http://libdnet.sourceforge.net/)
158
159These libraries are _not_ used in the default Linux build. Instead,
160internal Linux specific implementation is used. libpcap/libdnet are
161more portable and they can be used by adding CONFIG_L2_PACKET=pcap into
162.config. They may also be selected automatically for other operating
163systems. In case of Windows builds, WinPcap is used by default
164(CONFIG_L2_PACKET=winpcap).
165
166
167Optional libraries for EAP-TLS, EAP-PEAP, and EAP-TTLS:
168- OpenSSL (tested with 1.0.1 and 1.0.2 versions; assumed to
169  work with most relatively recent versions; this is likely to be
170  available with most distributions, http://www.openssl.org/)
171- GnuTLS
172- internal TLSv1 implementation
173
174One of these libraries is needed when EAP-TLS, EAP-PEAP, EAP-TTLS, or
175EAP-FAST support is enabled. WPA-PSK mode does not require this or EAPOL/EAP
176implementation. A configuration file, .config, for compilation is
177needed to enable IEEE 802.1X/EAPOL and EAP methods. Note that EAP-MD5,
178EAP-GTC, EAP-OTP, and EAP-MSCHAPV2 cannot be used alone with WPA, so
179they should only be enabled if testing the EAPOL/EAP state
180machines. However, there can be used as inner authentication
181algorithms with EAP-PEAP and EAP-TTLS.
182
183See Building and installing section below for more detailed
184information about the wpa_supplicant build time configuration.
185
186
187
188WPA
189---
190
191The original security mechanism of IEEE 802.11 standard was not
192designed to be strong and has proven to be insufficient for most
193networks that require some kind of security. Task group I (Security)
194of IEEE 802.11 working group (http://www.ieee802.org/11/) has worked
195to address the flaws of the base standard and has in practice
196completed its work in May 2004. The IEEE 802.11i amendment to the IEEE
197802.11 standard was approved in June 2004 and published in July 2004.
198
199Wi-Fi Alliance (http://www.wi-fi.org/) used a draft version of the
200IEEE 802.11i work (draft 3.0) to define a subset of the security
201enhancements that can be implemented with existing wlan hardware. This
202is called Wi-Fi Protected Access<TM> (WPA). This has now become a
203mandatory component of interoperability testing and certification done
204by Wi-Fi Alliance. Wi-Fi provides information about WPA at its web
205site (http://www.wi-fi.org/OpenSection/protected_access.asp).
206
207IEEE 802.11 standard defined wired equivalent privacy (WEP) algorithm
208for protecting wireless networks. WEP uses RC4 with 40-bit keys,
20924-bit initialization vector (IV), and CRC32 to protect against packet
210forgery. All these choices have proven to be insufficient: key space is
211too small against current attacks, RC4 key scheduling is insufficient
212(beginning of the pseudorandom stream should be skipped), IV space is
213too small and IV reuse makes attacks easier, there is no replay
214protection, and non-keyed authentication does not protect against bit
215flipping packet data.
216
217WPA is an intermediate solution for the security issues. It uses
218Temporal Key Integrity Protocol (TKIP) to replace WEP. TKIP is a
219compromise on strong security and possibility to use existing
220hardware. It still uses RC4 for the encryption like WEP, but with
221per-packet RC4 keys. In addition, it implements replay protection,
222keyed packet authentication mechanism (Michael MIC).
223
224Keys can be managed using two different mechanisms. WPA can either use
225an external authentication server (e.g., RADIUS) and EAP just like
226IEEE 802.1X is using or pre-shared keys without need for additional
227servers. Wi-Fi calls these "WPA-Enterprise" and "WPA-Personal",
228respectively. Both mechanisms will generate a master session key for
229the Authenticator (AP) and Supplicant (client station).
230
231WPA implements a new key handshake (4-Way Handshake and Group Key
232Handshake) for generating and exchanging data encryption keys between
233the Authenticator and Supplicant. This handshake is also used to
234verify that both Authenticator and Supplicant know the master session
235key. These handshakes are identical regardless of the selected key
236management mechanism (only the method for generating master session
237key changes).
238
239
240
241IEEE 802.11i / WPA2
242-------------------
243
244The design for parts of IEEE 802.11i that were not included in WPA has
245finished (May 2004) and this amendment to IEEE 802.11 was approved in
246June 2004. Wi-Fi Alliance is using the final IEEE 802.11i as a new
247version of WPA called WPA2. This includes, e.g., support for more
248robust encryption algorithm (CCMP: AES in Counter mode with CBC-MAC)
249to replace TKIP and optimizations for handoff (reduced number of
250messages in initial key handshake, pre-authentication, and PMKSA caching).
251
252
253
254wpa_supplicant
255--------------
256
257wpa_supplicant is an implementation of the WPA Supplicant component,
258i.e., the part that runs in the client stations. It implements WPA key
259negotiation with a WPA Authenticator and EAP authentication with
260Authentication Server. In addition, it controls the roaming and IEEE
261802.11 authentication/association of the wlan driver.
262
263wpa_supplicant is designed to be a "daemon" program that runs in the
264background and acts as the backend component controlling the wireless
265connection. wpa_supplicant supports separate frontend programs and an
266example text-based frontend, wpa_cli, is included with wpa_supplicant.
267
268Following steps are used when associating with an AP using WPA:
269
270- wpa_supplicant requests the kernel driver to scan neighboring BSSes
271- wpa_supplicant selects a BSS based on its configuration
272- wpa_supplicant requests the kernel driver to associate with the chosen
273  BSS
274- If WPA-EAP: integrated IEEE 802.1X Supplicant completes EAP
275  authentication with the authentication server (proxied by the
276  Authenticator in the AP)
277- If WPA-EAP: master key is received from the IEEE 802.1X Supplicant
278- If WPA-PSK: wpa_supplicant uses PSK as the master session key
279- wpa_supplicant completes WPA 4-Way Handshake and Group Key Handshake
280  with the Authenticator (AP)
281- wpa_supplicant configures encryption keys for unicast and broadcast
282- normal data packets can be transmitted and received
283
284
285
286Building and installing
287-----------------------
288
289In order to be able to build wpa_supplicant, you will first need to
290select which parts of it will be included. This is done by creating a
291build time configuration file, .config, in the wpa_supplicant root
292directory. Configuration options are text lines using following
293format: CONFIG_<option>=y. Lines starting with # are considered
294comments and are ignored. See defconfig file for an example configuration
295and a list of available options and additional notes.
296
297The build time configuration can be used to select only the needed
298features and limit the binary size and requirements for external
299libraries. The main configuration parts are the selection of which
300driver interfaces (e.g., nl80211, wext, ..) and which authentication
301methods (e.g., EAP-TLS, EAP-PEAP, ..) are included.
302
303Following build time configuration options are used to control IEEE
304802.1X/EAPOL and EAP state machines and all EAP methods. Including
305TLS, PEAP, or TTLS will require linking wpa_supplicant with OpenSSL
306library for TLS implementation. Alternatively, GnuTLS or the internal
307TLSv1 implementation can be used for TLS functionality.
308
309CONFIG_IEEE8021X_EAPOL=y
310CONFIG_EAP_MD5=y
311CONFIG_EAP_MSCHAPV2=y
312CONFIG_EAP_TLS=y
313CONFIG_EAP_PEAP=y
314CONFIG_EAP_TTLS=y
315CONFIG_EAP_GTC=y
316CONFIG_EAP_OTP=y
317CONFIG_EAP_SIM=y
318CONFIG_EAP_AKA=y
319CONFIG_EAP_AKA_PRIME=y
320CONFIG_EAP_PSK=y
321CONFIG_EAP_SAKE=y
322CONFIG_EAP_GPSK=y
323CONFIG_EAP_PAX=y
324CONFIG_EAP_LEAP=y
325CONFIG_EAP_IKEV2=y
326CONFIG_EAP_PWD=y
327
328Following option can be used to include GSM SIM/USIM interface for GSM/UMTS
329authentication algorithm (for EAP-SIM/EAP-AKA/EAP-AKA'). This requires pcsc-lite
330(http://www.linuxnet.com/) for smart card access.
331
332CONFIG_PCSC=y
333
334Following options can be added to .config to select which driver
335interfaces are included.
336
337CONFIG_DRIVER_NL80211=y
338CONFIG_DRIVER_WEXT=y
339CONFIG_DRIVER_BSD=y
340CONFIG_DRIVER_NDIS=y
341
342Following example includes some more features and driver interfaces that
343are included in the wpa_supplicant package:
344
345CONFIG_DRIVER_NL80211=y
346CONFIG_DRIVER_WEXT=y
347CONFIG_DRIVER_BSD=y
348CONFIG_DRIVER_NDIS=y
349CONFIG_IEEE8021X_EAPOL=y
350CONFIG_EAP_MD5=y
351CONFIG_EAP_MSCHAPV2=y
352CONFIG_EAP_TLS=y
353CONFIG_EAP_PEAP=y
354CONFIG_EAP_TTLS=y
355CONFIG_EAP_GTC=y
356CONFIG_EAP_OTP=y
357CONFIG_EAP_SIM=y
358CONFIG_EAP_AKA=y
359CONFIG_EAP_PSK=y
360CONFIG_EAP_SAKE=y
361CONFIG_EAP_GPSK=y
362CONFIG_EAP_PAX=y
363CONFIG_EAP_LEAP=y
364CONFIG_EAP_IKEV2=y
365CONFIG_PCSC=y
366
367EAP-PEAP and EAP-TTLS will automatically include configured EAP
368methods (MD5, OTP, GTC, MSCHAPV2) for inner authentication selection.
369
370
371After you have created a configuration file, you can build
372wpa_supplicant and wpa_cli with 'make' command. You may then install
373the binaries to a suitable system directory, e.g., /usr/local/bin.
374
375Example commands:
376
377# build wpa_supplicant and wpa_cli
378make
379# install binaries (this may need root privileges)
380cp wpa_cli wpa_supplicant /usr/local/bin
381
382
383You will need to make a configuration file, e.g.,
384/etc/wpa_supplicant.conf, with network configuration for the networks
385you are going to use. Configuration file section below includes
386explanation of the configuration file format and includes various
387examples. Once the configuration is ready, you can test whether the
388configuration work by first running wpa_supplicant with following
389command to start it on foreground with debugging enabled:
390
391wpa_supplicant -iwlan0 -c/etc/wpa_supplicant.conf -d
392
393Assuming everything goes fine, you can start using following command
394to start wpa_supplicant on background without debugging:
395
396wpa_supplicant -iwlan0 -c/etc/wpa_supplicant.conf -B
397
398Please note that if you included more than one driver interface in the
399build time configuration (.config), you may need to specify which
400interface to use by including -D<driver name> option on the command
401line. See following section for more details on command line options
402for wpa_supplicant.
403
404
405
406Command line options
407--------------------
408
409usage:
410  wpa_supplicant [-BddfhKLqqtuvW] [-P<pid file>] [-g<global ctrl>] \
411        [-G<group>] \
412        -i<ifname> -c<config file> [-C<ctrl>] [-D<driver>] [-p<driver_param>] \
413        [-b<br_ifname> [-MN -i<ifname> -c<conf> [-C<ctrl>] [-D<driver>] \
414        [-p<driver_param>] [-b<br_ifname>] [-m<P2P Device config file>] ...
415
416options:
417  -b = optional bridge interface name
418  -B = run daemon in the background
419  -c = Configuration file
420  -C = ctrl_interface parameter (only used if -c is not)
421  -i = interface name
422  -d = increase debugging verbosity (-dd even more)
423  -D = driver name (can be multiple drivers: nl80211,wext)
424  -f = Log output to default log location (normally /tmp)
425  -g = global ctrl_interface
426  -G = global ctrl_interface group
427  -K = include keys (passwords, etc.) in debug output
428  -t = include timestamp in debug messages
429  -h = show this help text
430  -L = show license (BSD)
431  -p = driver parameters
432  -P = PID file
433  -q = decrease debugging verbosity (-qq even less)
434  -u = enable DBus control interface
435  -v = show version
436  -W = wait for a control interface monitor before starting
437  -M = start describing matching interface
438  -N = start describing new interface
439  -m = Configuration file for the P2P Device
440
441drivers:
442  nl80211 = Linux nl80211/cfg80211
443  wext = Linux wireless extensions (generic)
444  wired = wpa_supplicant wired Ethernet driver
445  macsec_linux = MACsec Ethernet driver for Linux
446  roboswitch = wpa_supplicant Broadcom switch driver
447  none = no driver (RADIUS server/WPS ER only)
448  bsd = BSD 802.11 support (Atheros, etc.)
449  ndis = Windows NDIS driver
450
451In most common cases, wpa_supplicant is started with
452
453wpa_supplicant -B -c/etc/wpa_supplicant.conf -iwlan0
454
455This makes the process fork into background.
456
457The easiest way to debug problems, and to get debug log for bug
458reports, is to start wpa_supplicant on foreground with debugging
459enabled:
460
461wpa_supplicant -c/etc/wpa_supplicant.conf -iwlan0 -d
462
463If the specific driver wrapper is not known beforehand, it is possible
464to specify multiple comma separated driver wrappers on the command
465line. wpa_supplicant will use the first driver wrapper that is able to
466initialize the interface.
467
468wpa_supplicant -Dnl80211,wext -c/etc/wpa_supplicant.conf -iwlan0
469
470
471wpa_supplicant can control multiple interfaces (radios) either by
472running one process for each interface separately or by running just
473one process and list of options at command line. Each interface is
474separated with -N argument. As an example, following command would
475start wpa_supplicant for two interfaces:
476
477wpa_supplicant \
478	-c wpa1.conf -i wlan0 -D nl80211 -N \
479	-c wpa2.conf -i wlan1 -D wext
480
481
482If the interfaces on which wpa_supplicant is to run are not known or do
483not exist, wpa_supplicant can match an interface when it arrives. Each
484matched interface is separated with -M argument and the -i argument now
485allows for pattern matching.
486
487As an example, the following command would start wpa_supplicant for a
488specific wired interface called lan0, any interface starting with wlan
489and lastly any other interface. Each match has its own configuration
490file, and for the wired interface a specific driver has also been given.
491
492wpa_supplicant \
493	-M -c wpa_wired.conf -ilan0 -D wired \
494	-M -c wpa1.conf -iwlan* \
495	-M -c wpa2.conf
496
497
498If the interface is added in a Linux bridge (e.g., br0), the bridge
499interface needs to be configured to wpa_supplicant in addition to the
500main interface:
501
502wpa_supplicant -cw.conf -Dnl80211 -iwlan0 -bbr0
503
504
505Configuration file
506------------------
507
508wpa_supplicant is configured using a text file that lists all accepted
509networks and security policies, including pre-shared keys. See
510example configuration file, wpa_supplicant.conf, for detailed
511information about the configuration format and supported fields.
512
513Changes to configuration file can be reloaded be sending SIGHUP signal
514to wpa_supplicant ('killall -HUP wpa_supplicant'). Similarly,
515reloading can be triggered with 'wpa_cli reconfigure' command.
516
517Configuration file can include one or more network blocks, e.g., one
518for each used SSID. wpa_supplicant will automatically select the best
519network based on the order of network blocks in the configuration
520file, network security level (WPA/WPA2 is preferred), and signal
521strength.
522
523Example configuration files for some common configurations:
524
5251) WPA-Personal (PSK) as home network and WPA-Enterprise with EAP-TLS as work
526   network
527
528# allow frontend (e.g., wpa_cli) to be used by all users in 'wheel' group
529ctrl_interface=/var/run/wpa_supplicant
530ctrl_interface_group=wheel
531#
532# home network; allow all valid ciphers
533network={
534	ssid="home"
535	scan_ssid=1
536	key_mgmt=WPA-PSK
537	psk="very secret passphrase"
538}
539#
540# work network; use EAP-TLS with WPA; allow only CCMP and TKIP ciphers
541network={
542	ssid="work"
543	scan_ssid=1
544	key_mgmt=WPA-EAP
545	pairwise=CCMP TKIP
546	group=CCMP TKIP
547	eap=TLS
548	identity="user@example.com"
549	ca_cert="/etc/cert/ca.pem"
550	client_cert="/etc/cert/user.pem"
551	private_key="/etc/cert/user.prv"
552	private_key_passwd="password"
553}
554
555
5562) WPA-RADIUS/EAP-PEAP/MSCHAPv2 with RADIUS servers that use old peaplabel
557   (e.g., Funk Odyssey and SBR, Meetinghouse Aegis, Interlink RAD-Series)
558
559ctrl_interface=/var/run/wpa_supplicant
560ctrl_interface_group=wheel
561network={
562	ssid="example"
563	scan_ssid=1
564	key_mgmt=WPA-EAP
565	eap=PEAP
566	identity="user@example.com"
567	password="foobar"
568	ca_cert="/etc/cert/ca.pem"
569	phase1="peaplabel=0"
570	phase2="auth=MSCHAPV2"
571}
572
573
5743) EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the
575   unencrypted use. Real identity is sent only within an encrypted TLS tunnel.
576
577ctrl_interface=/var/run/wpa_supplicant
578ctrl_interface_group=wheel
579network={
580	ssid="example"
581	scan_ssid=1
582	key_mgmt=WPA-EAP
583	eap=TTLS
584	identity="user@example.com"
585	anonymous_identity="anonymous@example.com"
586	password="foobar"
587	ca_cert="/etc/cert/ca.pem"
588	phase2="auth=MD5"
589}
590
591
5924) IEEE 802.1X (i.e., no WPA) with dynamic WEP keys (require both unicast and
593   broadcast); use EAP-TLS for authentication
594
595ctrl_interface=/var/run/wpa_supplicant
596ctrl_interface_group=wheel
597network={
598	ssid="1x-test"
599	scan_ssid=1
600	key_mgmt=IEEE8021X
601	eap=TLS
602	identity="user@example.com"
603	ca_cert="/etc/cert/ca.pem"
604	client_cert="/etc/cert/user.pem"
605	private_key="/etc/cert/user.prv"
606	private_key_passwd="password"
607	eapol_flags=3
608}
609
610
6115) Catch all example that allows more or less all configuration modes. The
612   configuration options are used based on what security policy is used in the
613   selected SSID. This is mostly for testing and is not recommended for normal
614   use.
615
616ctrl_interface=/var/run/wpa_supplicant
617ctrl_interface_group=wheel
618network={
619	ssid="example"
620	scan_ssid=1
621	key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
622	pairwise=CCMP TKIP
623	group=CCMP TKIP WEP104 WEP40
624	psk="very secret passphrase"
625	eap=TTLS PEAP TLS
626	identity="user@example.com"
627	password="foobar"
628	ca_cert="/etc/cert/ca.pem"
629	client_cert="/etc/cert/user.pem"
630	private_key="/etc/cert/user.prv"
631	private_key_passwd="password"
632	phase1="peaplabel=0"
633	ca_cert2="/etc/cert/ca2.pem"
634	client_cert2="/etc/cer/user.pem"
635	private_key2="/etc/cer/user.prv"
636	private_key2_passwd="password"
637}
638
639
6406) Authentication for wired Ethernet. This can be used with 'wired' or
641   'roboswitch' interface (-Dwired or -Droboswitch on command line).
642
643ctrl_interface=/var/run/wpa_supplicant
644ctrl_interface_group=wheel
645ap_scan=0
646network={
647	key_mgmt=IEEE8021X
648	eap=MD5
649	identity="user"
650	password="password"
651	eapol_flags=0
652}
653
654
655
656Certificates
657------------
658
659Some EAP authentication methods require use of certificates. EAP-TLS
660uses both server side and client certificates whereas EAP-PEAP and
661EAP-TTLS only require the server side certificate. When client
662certificate is used, a matching private key file has to also be
663included in configuration. If the private key uses a passphrase, this
664has to be configured in wpa_supplicant.conf ("private_key_passwd").
665
666wpa_supplicant supports X.509 certificates in PEM and DER
667formats. User certificate and private key can be included in the same
668file.
669
670If the user certificate and private key is received in PKCS#12/PFX
671format, they need to be converted to suitable PEM/DER format for
672wpa_supplicant. This can be done, e.g., with following commands:
673
674# convert client certificate and private key to PEM format
675openssl pkcs12 -in example.pfx -out user.pem -clcerts
676# convert CA certificate (if included in PFX file) to PEM format
677openssl pkcs12 -in example.pfx -out ca.pem -cacerts -nokeys
678
679
680
681wpa_cli
682-------
683
684wpa_cli is a text-based frontend program for interacting with
685wpa_supplicant. It is used to query current status, change
686configuration, trigger events, and request interactive user input.
687
688wpa_cli can show the current authentication status, selected security
689mode, dot11 and dot1x MIBs, etc. In addition, it can configure some
690variables like EAPOL state machine parameters and trigger events like
691reassociation and IEEE 802.1X logoff/logon. wpa_cli provides a user
692interface to request authentication information, like username and
693password, if these are not included in the configuration. This can be
694used to implement, e.g., one-time-passwords or generic token card
695authentication where the authentication is based on a
696challenge-response that uses an external device for generating the
697response.
698
699The control interface of wpa_supplicant can be configured to allow
700non-root user access (ctrl_interface_group in the configuration
701file). This makes it possible to run wpa_cli with a normal user
702account.
703
704wpa_cli supports two modes: interactive and command line. Both modes
705share the same command set and the main difference is in interactive
706mode providing access to unsolicited messages (event messages,
707username/password requests).
708
709Interactive mode is started when wpa_cli is executed without including
710the command as a command line parameter. Commands are then entered on
711the wpa_cli prompt. In command line mode, the same commands are
712entered as command line arguments for wpa_cli.
713
714
715Interactive authentication parameters request
716
717When wpa_supplicant need authentication parameters, like username and
718password, which are not present in the configuration file, it sends a
719request message to all attached frontend programs, e.g., wpa_cli in
720interactive mode. wpa_cli shows these requests with
721"CTRL-REQ-<type>-<id>:<text>" prefix. <type> is IDENTITY, PASSWORD, or
722OTP (one-time-password). <id> is a unique identifier for the current
723network. <text> is description of the request. In case of OTP request,
724it includes the challenge from the authentication server.
725
726The reply to these requests can be given with 'identity', 'password',
727and 'otp' commands. <id> needs to be copied from the the matching
728request. 'password' and 'otp' commands can be used regardless of
729whether the request was for PASSWORD or OTP. The main difference
730between these two commands is that values given with 'password' are
731remembered as long as wpa_supplicant is running whereas values given
732with 'otp' are used only once and then forgotten, i.e., wpa_supplicant
733will ask frontend for a new value for every use. This can be used to
734implement one-time-password lists and generic token card -based
735authentication.
736
737Example request for password and a matching reply:
738
739CTRL-REQ-PASSWORD-1:Password needed for SSID foobar
740> password 1 mysecretpassword
741
742Example request for generic token card challenge-response:
743
744CTRL-REQ-OTP-2:Challenge 1235663 needed for SSID foobar
745> otp 2 9876
746
747
748wpa_cli commands
749
750  status = get current WPA/EAPOL/EAP status
751  mib = get MIB variables (dot1x, dot11)
752  help = show this usage help
753  interface [ifname] = show interfaces/select interface
754  level <debug level> = change debug level
755  license = show full wpa_cli license
756  logoff = IEEE 802.1X EAPOL state machine logoff
757  logon = IEEE 802.1X EAPOL state machine logon
758  set = set variables (shows list of variables when run without arguments)
759  pmksa = show PMKSA cache
760  reassociate = force reassociation
761  reconfigure = force wpa_supplicant to re-read its configuration file
762  preauthenticate <BSSID> = force preauthentication
763  identity <network id> <identity> = configure identity for an SSID
764  password <network id> <password> = configure password for an SSID
765  pin <network id> <pin> = configure pin for an SSID
766  otp <network id> <password> = configure one-time-password for an SSID
767  passphrase <network id> <passphrase> = configure private key passphrase
768    for an SSID
769  bssid <network id> <BSSID> = set preferred BSSID for an SSID
770  list_networks = list configured networks
771  select_network <network id> = select a network (disable others)
772  enable_network <network id> = enable a network
773  disable_network <network id> = disable a network
774  add_network = add a network
775  remove_network <network id> = remove a network
776  set_network <network id> <variable> <value> = set network variables (shows
777    list of variables when run without arguments)
778  get_network <network id> <variable> = get network variables
779  save_config = save the current configuration
780  disconnect = disconnect and wait for reassociate command before connecting
781  scan = request new BSS scan
782  scan_results = get latest scan results
783  get_capability <eap/pairwise/group/key_mgmt/proto/auth_alg> = get capabilities
784  terminate = terminate wpa_supplicant
785  quit = exit wpa_cli
786
787
788wpa_cli command line options
789
790wpa_cli [-p<path to ctrl sockets>] [-i<ifname>] [-hvB] [-a<action file>] \
791        [-P<pid file>] [-g<global ctrl>]  [command..]
792  -h = help (show this usage text)
793  -v = shown version information
794  -a = run in daemon mode executing the action file based on events from
795       wpa_supplicant
796  -B = run a daemon in the background
797  default path: /var/run/wpa_supplicant
798  default interface: first interface found in socket path
799
800
801Using wpa_cli to run external program on connect/disconnect
802-----------------------------------------------------------
803
804wpa_cli can used to run external programs whenever wpa_supplicant
805connects or disconnects from a network. This can be used, e.g., to
806update network configuration and/or trigget DHCP client to update IP
807addresses, etc.
808
809One wpa_cli process in "action" mode needs to be started for each
810interface. For example, the following command starts wpa_cli for the
811default interface (-i can be used to select the interface in case of
812more than one interface being used at the same time):
813
814wpa_cli -a/sbin/wpa_action.sh -B
815
816The action file (-a option, /sbin/wpa_action.sh in this example) will
817be executed whenever wpa_supplicant completes authentication (connect
818event) or detects disconnection). The action script will be called
819with two command line arguments: interface name and event (CONNECTED
820or DISCONNECTED). If the action script needs to get more information
821about the current network, it can use 'wpa_cli status' to query
822wpa_supplicant for more information.
823
824Following example can be used as a simple template for an action
825script:
826
827#!/bin/sh
828
829IFNAME=$1
830CMD=$2
831
832if [ "$CMD" = "CONNECTED" ]; then
833    SSID=`wpa_cli -i$IFNAME status | grep ^ssid= | cut -f2- -d=`
834    # configure network, signal DHCP client, etc.
835fi
836
837if [ "$CMD" = "DISCONNECTED" ]; then
838    # remove network configuration, if needed
839    SSID=
840fi
841
842
843
844Integrating with pcmcia-cs/cardmgr scripts
845------------------------------------------
846
847wpa_supplicant needs to be running when using a wireless network with
848WPA. It can be started either from system startup scripts or from
849pcmcia-cs/cardmgr scripts (when using PC Cards). WPA handshake must be
850completed before data frames can be exchanged, so wpa_supplicant
851should be started before DHCP client.
852
853For example, following small changes to pcmcia-cs scripts can be used
854to enable WPA support:
855
856Add MODE="Managed" and WPA="y" to the network scheme in
857/etc/pcmcia/wireless.opts.
858
859Add the following block to the end of 'start' action handler in
860/etc/pcmcia/wireless:
861
862    if [ "$WPA" = "y" -a -x /usr/local/bin/wpa_supplicant ]; then
863	/usr/local/bin/wpa_supplicant -B -c/etc/wpa_supplicant.conf \
864		-i$DEVICE
865    fi
866
867Add the following block to the end of 'stop' action handler (may need
868to be separated from other actions) in /etc/pcmcia/wireless:
869
870    if [ "$WPA" = "y" -a -x /usr/local/bin/wpa_supplicant ]; then
871	killall wpa_supplicant
872    fi
873
874This will make cardmgr start wpa_supplicant when the card is plugged
875in.
876
877
878
879Dynamic interface add and operation without configuration files
880---------------------------------------------------------------
881
882wpa_supplicant can be started without any configuration files or
883network interfaces. When used in this way, a global (i.e., per
884wpa_supplicant process) control interface is used to add and remove
885network interfaces. Each network interface can then be configured
886through a per-network interface control interface. For example,
887following commands show how to start wpa_supplicant without any
888network interfaces and then add a network interface and configure a
889network (SSID):
890
891# Start wpa_supplicant in the background
892wpa_supplicant -g/var/run/wpa_supplicant-global -B
893
894# Add a new interface (wlan0, no configuration file, driver=nl80211, and
895# enable control interface)
896wpa_cli -g/var/run/wpa_supplicant-global interface_add wlan0 \
897	"" nl80211 /var/run/wpa_supplicant
898
899# Configure a network using the newly added network interface:
900wpa_cli -iwlan0 add_network
901wpa_cli -iwlan0 set_network 0 ssid '"test"'
902wpa_cli -iwlan0 set_network 0 key_mgmt WPA-PSK
903wpa_cli -iwlan0 set_network 0 psk '"12345678"'
904wpa_cli -iwlan0 set_network 0 pairwise TKIP
905wpa_cli -iwlan0 set_network 0 group TKIP
906wpa_cli -iwlan0 set_network 0 proto WPA
907wpa_cli -iwlan0 enable_network 0
908
909# At this point, the new network interface should start trying to associate
910# with the WPA-PSK network using SSID test.
911
912# Remove network interface
913wpa_cli -g/var/run/wpa_supplicant-global interface_remove wlan0
914
915
916Privilege separation
917--------------------
918
919To minimize the size of code that needs to be run with root privileges
920(e.g., to control wireless interface operation), wpa_supplicant
921supports optional privilege separation. If enabled, this separates the
922privileged operations into a separate process (wpa_priv) while leaving
923rest of the code (e.g., EAP authentication and WPA handshakes) into an
924unprivileged process (wpa_supplicant) that can be run as non-root
925user. Privilege separation restricts the effects of potential software
926errors by containing the majority of the code in an unprivileged
927process to avoid full system compromise.
928
929Privilege separation is not enabled by default and it can be enabled
930by adding CONFIG_PRIVSEP=y to the build configuration (.config). When
931enabled, the privileged operations (driver wrapper and l2_packet) are
932linked into a separate daemon program, wpa_priv. The unprivileged
933program, wpa_supplicant, will be built with a special driver/l2_packet
934wrappers that communicate with the privileged wpa_priv process to
935perform the needed operations. wpa_priv can control what privileged
936are allowed.
937
938wpa_priv needs to be run with network admin privileges (usually, root
939user). It opens a UNIX domain socket for each interface that is
940included on the command line; any other interface will be off limits
941for wpa_supplicant in this kind of configuration. After this,
942wpa_supplicant can be run as a non-root user (e.g., all standard users
943on a laptop or as a special non-privileged user account created just
944for this purpose to limit access to user files even further).
945
946
947Example configuration:
948- create user group for users that are allowed to use wpa_supplicant
949  ('wpapriv' in this example) and assign users that should be able to
950  use wpa_supplicant into that group
951- create /var/run/wpa_priv directory for UNIX domain sockets and control
952  user access by setting it accessible only for the wpapriv group:
953  mkdir /var/run/wpa_priv
954  chown root:wpapriv /var/run/wpa_priv
955  chmod 0750 /var/run/wpa_priv
956- start wpa_priv as root (e.g., from system startup scripts) with the
957  enabled interfaces configured on the command line:
958  wpa_priv -B -P /var/run/wpa_priv.pid nl80211:wlan0
959- run wpa_supplicant as non-root with a user that is in wpapriv group:
960  wpa_supplicant -i ath0 -c wpa_supplicant.conf
961
962wpa_priv does not use the network interface before wpa_supplicant is
963started, so it is fine to include network interfaces that are not
964available at the time wpa_priv is started. As an alternative, wpa_priv
965can be started when an interface is added (hotplug/udev/etc. scripts).
966wpa_priv can control multiple interface with one process, but it is
967also possible to run multiple wpa_priv processes at the same time, if
968desired.
969
970It should be noted that the interface used between wpa_supplicant and
971wpa_priv does not include all the capabilities of the wpa_supplicant
972driver interface and at times, this interface lacks update especially
973for recent addition. Consequently, use of wpa_priv does come with the
974price of somewhat reduced available functionality. The next section
975describing how wpa_supplicant can be used with reduced privileges
976without having to handle the complexity of separate wpa_priv. While that
977approve does not provide separation for network admin capabilities, it
978does allow other root privileges to be dropped without the drawbacks of
979the wpa_priv process.
980
981
982Linux capabilities instead of privileged process
983------------------------------------------------
984
985wpa_supplicant performs operations that need special permissions, e.g.,
986to control the network connection. Traditionally this has been achieved
987by running wpa_supplicant as a privileged process with effective user id
9880 (root). Linux capabilities can be used to provide restricted set of
989capabilities to match the functions needed by wpa_supplicant. The
990minimum set of capabilities needed for the operations is CAP_NET_ADMIN
991and CAP_NET_RAW.
992
993setcap(8) can be used to set file capabilities. For example:
994
995sudo setcap cap_net_raw,cap_net_admin+ep wpa_supplicant
996
997Please note that this would give anyone being able to run that
998wpa_supplicant binary access to the additional capabilities. This can
999further be limited by file owner/group and mode bits. For example:
1000
1001sudo chown wpas wpa_supplicant
1002sudo chmod 0100 wpa_supplicant
1003
1004This combination of setcap, chown, and chmod commands would allow wpas
1005user to execute wpa_supplicant with additional network admin/raw
1006capabilities.
1007
1008Common way style of creating a control interface socket in
1009/var/run/wpa_supplicant could not be done by this user, but this
1010directory could be created before starting the wpa_supplicant and set to
1011suitable mode to allow wpa_supplicant to create sockets
1012there. Alternatively, other directory or abstract socket namespace could
1013be used for the control interface.
1014
1015
1016External requests for radio control
1017-----------------------------------
1018
1019External programs can request wpa_supplicant to not start offchannel
1020operations during other tasks that may need exclusive control of the
1021radio. The RADIO_WORK control interface command can be used for this.
1022
1023"RADIO_WORK add <name> [freq=<MHz>] [timeout=<seconds>]" command can be
1024used to reserve a slot for radio access. If freq is specified, other
1025radio work items on the same channel may be completed in
1026parallel. Otherwise, all other radio work items are blocked during
1027execution. Timeout is set to 10 seconds by default to avoid blocking
1028wpa_supplicant operations for excessive time. If a longer (or shorter)
1029safety timeout is needed, that can be specified with the optional
1030timeout parameter. This command returns an identifier for the radio work
1031item.
1032
1033Once the radio work item has been started, "EXT-RADIO-WORK-START <id>"
1034event message is indicated that the external processing can start. Once
1035the operation has been completed, "RADIO_WORK done <id>" is used to
1036indicate that to wpa_supplicant. This allows other radio works to be
1037performed. If this command is forgotten (e.g., due to the external
1038program terminating), wpa_supplicant will time out the radio work item
1039and send "EXT-RADIO-WORK-TIMEOUT <id>" event to indicate that this has
1040happened. "RADIO_WORK done <id>" can also be used to cancel items that
1041have not yet been started.
1042
1043For example, in wpa_cli interactive mode:
1044
1045> radio_work add test
10461
1047<3>EXT-RADIO-WORK-START 1
1048> radio_work show
1049ext:test@wlan0:0:1:2.487797
1050> radio_work done 1
1051OK
1052> radio_work show
1053
1054
1055> radio_work done 3
1056OK
1057> radio_work show
1058ext:test freq=2412 timeout=30@wlan0:2412:1:28.583483
1059<3>EXT-RADIO-WORK-TIMEOUT 2
1060
1061
1062> radio_work add test2 freq=2412 timeout=60
10635
1064<3>EXT-RADIO-WORK-START 5
1065> radio_work add test3
10666
1067> radio_work add test4
10687
1069> radio_work show
1070ext:test2 freq=2412 timeout=60@wlan0:2412:1:9.751844
1071ext:test3@wlan0:0:0:5.071812
1072ext:test4@wlan0:0:0:3.143870
1073> radio_work done 6
1074OK
1075> radio_work show
1076ext:test2 freq=2412 timeout=60@wlan0:2412:1:16.287869
1077ext:test4@wlan0:0:0:9.679895
1078> radio_work done 5
1079OK
1080<3>EXT-RADIO-WORK-START 7
1081<3>EXT-RADIO-WORK-TIMEOUT 7
1082
1083
1084DSCP policy procedures
1085----------------------
1086
1087DSCP policy procedures defined in WFA QoS Management-R2 program
1088facilitates AP devices to configure DSCP settings for specific uplink
1089data streams.
1090
1091An AP may transmit a DSCP Policy Request frame containing zero or more
1092QoS Management IEs to an associated STA which supports DSCP policy
1093procedures. Each QoS Management element in a DSCP Policy Request frame
1094represents one DSCP policy, and shall include one DSCP Policy attribute
1095including a DSCP Policy ID, Request type, and a DSCP value.
1096
1097wpa_supplicant sends control interface event messages consisting details
1098of DSCP policies requested by the AP through a DSCP Policy Request frame
1099to external programs. The format of the control interface event messages
1100is as shown below:
1101
1102- Control interface event message format to indicate DSCP request start
1103
1104  <3>CTRL-EVENT-DSCP-POLICY request_start [clear_all] [more]
1105
1106  clear_all - AP requested to clear all DSCP policies configured earlier
1107  more      - AP may request to configure more DSCP policies with new DSCP
1108              request
1109
1110- Control interface event message format to add new policy
1111
1112  <3>CTRL-EVENT-DSCP-POLICY add <policy_id> <dscp_value> <ip_version=0|4|6>
1113  [protocol] [source ip] [destination_ip]/[domain name] [source port]
1114  [[<start_port> <end_port>]/destination port]
1115
1116  ip_version = 0: Both IPv4 and IPv6
1117             = 4: IPv4
1118             = 6: IPv6
1119  protocol: Internet Protocol Numbers as per IETF RFCs
1120	 = 6: TCP
1121	 = 17: UDP
1122	 = 50: ESP
1123
1124- Control interface event message format to remove a particular policy,
1125  identified by the policy_id attribute.
1126
1127  <3>CTRL-EVENT-DSCP-POLICY remove <policy_id>
1128
1129- DSCP policy may get rejected due to invalid policy parameters. Ccontrol
1130  interface event message format for rejected policy.
1131
1132  <3>CTRL-EVENT-DSCP-POLICY reject <policy_id>
1133
1134- Control interface event message format to indicate end of DSCP request.
1135
1136  <3>CTRL-EVENT-DSCP-POLICY request_end
1137
1138- External applications shall clear active DSCP policies upon receiving
1139  "CTRL-EVENT-DISCONNECTED" or "CTRL-EVENT-DSCP-POLICY clear_all" events.
1140
1141- Control interface event message format to indicate wpa_supplicant started
1142  a timer to wait until the unsolicited DSCP request from the AP.
1143
1144  <3>CTRL-EVENT-DSCP-POLICY request_wait start
1145
1146- Control interface event message format to indicate timeout to receive the
1147  unsolicited DSCP request. This event is expected only when an unsolicited
1148  DSCP request is not received from the AP before timeout.
1149
1150  <3>CTRL-EVENT-DSCP-POLICY request_wait end
1151
1152DSCP Response:
1153A QoS Management STA that enables DSCP Policy capability shall respond
1154with DSCP response on receipt of a successful DSCP request from its
1155associated AP.  wpa_supplicant sends DSCP policy response based on the
1156control interface command received from the user is as below:
1157
1158DSCP_RESP <[reset]>/<[solicited] [policy_id=1 status=0...]> [more]
1159
1160DSCP Query:
1161DSCP Policy Query enables a STA to query its associated AP for DSCP
1162policies applicable to the STA. Currently, this includes support to send
1163a wildcard DSCP query or a DSCP query with a single domain name
1164attribute. The command format for the DSCP query command is as follows:
1165DSCP_QUERY <wildcard>/<domain_name=<string>>
1166

README-DPP

1Device Provisioning Protocol (DPP)
2==================================
3
4This document describes how the Device Provisioning Protocol (DPP)
5implementation in wpa_supplicant and hostapd can be configured and how
6the STA device and AP can be configured to connect each other using DPP
7Connector mechanism.
8
9Introduction to DPP
10-------------------
11
12Device Provisioning Protocol (also known as Wi-Fi Easy Connect) allows
13enrolling of interface-less devices in a secure Wi-Fi network using many
14methods like QR code based authentication (detailed below), PKEX based
15authentication (password with in-band provisioning), etc. In DPP a
16Configurator is used to provide network credentials to the devices. The
17three phases of DPP connection are authentication, configuration and
18network introduction.
19
20More information about Wi-Fi Easy Connect is available from this Wi-Fi
21Alliance web page:
22https://www.wi-fi.org/discover-wi-fi/wi-fi-easy-connect
23
24Build config setup
25------------------
26
27The following parameters must be included in the config file used to
28compile hostapd and wpa_supplicant.
29
30wpa_supplicant build config
31---------------------------
32
33Enable DPP in wpa_supplicant build config file
34
35CONFIG_DPP=y
36
37hostapd build config
38--------------------
39
40Enable DPP in hostapd build config file
41
42CONFIG_DPP=y
43
44Configurator build config
45-------------------------
46
47Any STA or AP device can act as a Configurator. Enable DPP in build
48config. For an AP to act as a Configurator, Interworking needs to be
49enabled for GAS. For wpa_supplicant it is not required.
50
51CONFIG_INTERWORKING=y
52
53
54Sample supplicant config file before provisioning
55-------------------------------------------------
56
57ctrl_interface=DIR=/var/run/wpa_supplicant
58ctrl_interface_group=0
59update_config=1
60pmf=2
61dpp_config_processing=2
62
63Sample hostapd config file before provisioning
64----------------------------------------------
65
66interface=wlan0
67driver=nl80211
68ctrl_interface=/var/run/hostapd
69ssid=test
70channel=1
71wpa=2
72wpa_key_mgmt=DPP
73ieee80211w=1
74wpa_pairwise=CCMP
75rsn_pairwise=CCMP
76
77
78Pre-requisites
79--------------
80
81It is assumed that an AP and client station are up by running hostapd
82and wpa_supplicant using respective config files.
83
84
85Creating Configurator
86---------------------
87
88Add a Configurator over the control interface (wpa_cli/hostapd_cli)
89
90> dpp_configurator_add
91(returns id)
92
93To get key of Configurator
94> dpp_configurator_get_key <id>
95
96
97How to configure an Enrollee using Configurator
98-----------------------------------------------
99
100On Enrollee side:
101
102Generate QR code for the device. Store the QR code id returned by the
103command.
104
105> dpp_bootstrap_gen type=qrcode mac=<mac-address-of-device> chan=<operating-class/channel> key=<key of the device>
106(Returns bootstrapping info id. If the key parameter is not included, a new key
107is generated automatically. The MAC address is specified without octet
108separating colons. The channel list includes the possible channels on which the
109device is waiting. This uses global operating classes; e.g., 81/1 is the 2.4
110GHz channel 1 on 2412 MHz.)
111
112Get URI for the QR Code of device using the bootstrap info id.
113> dpp_bootstrap_get_uri <bootstrap-id>
114
115Make device listen to DPP request. The central frequency of the 2.4 GHz
116band channel 1 is 2412 MHz) in case the Enrollee is a client device. An
117AP as an Enrollee is listening on its operating channel.
118
119> dpp_listen <frequency>
120
121On Configurator side:
122
123Enter the QR Code in the Configurator.
124> dpp_qr_code "<URI-from-QR-Code-read-from-enrollee>"
125
126On successfully adding QR Code, a bootstrapping info id is returned.
127
128Send provisioning request to Enrollee. (conf is ap-dpp if Enrollee is an
129AP. conf is sta-dpp if Enrollee is a client)
130> dpp_auth_init peer=<qr-code-id> conf=<ap-dpp|sta-dpp> ssid=<SSID hexdump> configurator=<configurator-id>
131or for legacy (PSK/SAE) provisioning for a station Enrollee:
132> dpp_auth_init peer=<qr-code-id> conf=sta-psk ssid=<SSID hexdump> pass=<passphrase hexdump>
133
134The DPP values will be printed in the console. Save these values into the
135config file. If the Enrollee is an AP, we need to manually write these
136values to the hostapd config file. If the Enrollee is a client device,
137these details can be automatically saved to config file using the
138following command.
139
140> save_config
141
142To set values in runtime for AP enrollees
143
144> set dpp_connector <Connector-value-printed-on-console>
145> set dpp_csign <csign-value-on-console>
146> set dpp_netaccesskey <netaccess-value-on-console>
147
148To set values in runtime for client enrollees, set dpp_config_processing
149to 2 in wpa_supplicant conf file.
150
151Once the values are set in run-time (if not set in run-time, but saved
152in config files, they are taken up in next restart), the client device
153will automatically connect to the already provisioned AP and connection
154will be established.
155
156
157Self-configuring a device
158-------------------------
159
160It is possible for a device to configure itself if it is the
161Configurator for the network.
162
163Create a Configurator in the device and use the dpp_configurator_sign
164command to get DPP credentials.
165
166> dpp_configurator_add
167(returns configurator id)
168> dpp_configurator_sign conf=<ap-dpp|sta-dpp> configurator=<configurator-id> ssid=<SSID hexdump>
169
170
171Sample AP configuration files after provisioning
172------------------------------------------------
173
174interface=wlan0
175driver=nl80211
176ctrl_interface=/var/run/hostapd
177ssid=test
178channel=1
179wpa=2
180wpa_key_mgmt=DPP
181ieee80211w=1
182wpa_pairwise=CCMP
183rsn_pairwise=CCMP
184dpp_connector=<Connector value provided by Configurator>
185dpp_csign=<C-Sign-Key value provided by Configurator>
186dpp_netaccesskey=<Net access key provided by Configurator>
187
188
189Sample station configuration file after provisioning
190----------------------------------------------------
191
192ctrl_interface=DIR=/var/run/wpa_supplicant
193ctrl_interface_group=0
194update_config=1
195pmf=2
196dpp_config_processing=2
197network={
198	ssid="test"
199	key_mgmt=DPP
200	ieee80211w=2
201	dpp_connector="<Connector value provided by Configurator>"
202	dpp_netaccesskey=<Net access key provided by Configurator>
203	dpp_csign=<C-sign-key value provided by Configurator>
204}
205

README-HS20

1wpa_supplicant and Hotspot 2.0
2==============================
3
4This document describe how the IEEE 802.11u Interworking and Wi-Fi
5Hotspot 2.0 (Release 1) implementation in wpa_supplicant can be
6configured and how an external component on the client e.g., management
7GUI or Wi-Fi framework) is used to manage this functionality.
8
9
10Introduction to Wi-Fi Hotspot 2.0
11---------------------------------
12
13Hotspot 2.0 is the name of the Wi-Fi Alliance specification that is used
14in the Wi-Fi CERTIFIED Passpoint<TM> program. More information about
15this is available in this white paper:
16
17http://www.wi-fi.org/knowledge-center/white-papers/wi-fi-certified-passpoint%E2%84%A2-new-program-wi-fi-alliance%C2%AE-enable-seamless
18
19The Hotspot 2.0 specification is also available from WFA:
20https://www.wi-fi.org/knowledge-center/published-specifications
21
22The core Interworking functionality (network selection, GAS/ANQP) were
23standardized in IEEE Std 802.11u-2011 which is now part of the IEEE Std
24802.11-2012.
25
26
27wpa_supplicant network selection
28--------------------------------
29
30Interworking support added option for configuring credentials that can
31work with multiple networks as an alternative to configuration of
32network blocks (e.g., per-SSID parameters). When requested to perform
33network selection, wpa_supplicant picks the highest priority enabled
34network block or credential. If a credential is picked (based on ANQP
35information from APs), a temporary network block is created
36automatically for the matching network. This temporary network block is
37used similarly to the network blocks that can be configured by the user,
38but it is not stored into the configuration file and is meant to be used
39only for temporary period of time since a new one can be created
40whenever needed based on ANQP information and the credential.
41
42By default, wpa_supplicant is not using automatic network selection
43unless requested explicitly with the interworking_select command. This
44can be changed with the auto_interworking=1 parameter to perform network
45selection automatically whenever trying to find a network for connection
46and none of the enabled network blocks match with the scan results. This
47case works similarly to "interworking_select auto", i.e., wpa_supplicant
48will internally determine which network or credential is going to be
49used based on configured priorities, scan results, and ANQP information.
50
51
52wpa_supplicant configuration
53----------------------------
54
55Interworking and Hotspot 2.0 functionality are optional components that
56need to be enabled in the wpa_supplicant build configuration
57(.config). This is done by adding following parameters into that file:
58
59CONFIG_INTERWORKING=y
60CONFIG_HS20=y
61
62It should be noted that this functionality requires a driver that
63supports GAS/ANQP operations. This uses the same design as P2P, i.e.,
64Action frame processing and building in user space within
65wpa_supplicant. The Linux nl80211 driver interface provides the needed
66functionality for this.
67
68
69There are number of run-time configuration parameters (e.g., in
70wpa_supplicant.conf when using the configuration file) that can be used
71to control Hotspot 2.0 operations.
72
73# Enable Interworking
74interworking=1
75
76# Enable Hotspot 2.0
77hs20=1
78
79# Parameters for controlling scanning
80
81# Homogeneous ESS identifier
82# If this is set, scans will be used to request response only from BSSes
83# belonging to the specified Homogeneous ESS. This is used only if interworking
84# is enabled.
85#hessid=00:11:22:33:44:55
86
87# Access Network Type
88# When Interworking is enabled, scans can be limited to APs that advertise the
89# specified Access Network Type (0..15; with 15 indicating wildcard match).
90# This value controls the Access Network Type value in Probe Request frames.
91#access_network_type=15
92
93# Automatic network selection behavior
94# 0 = do not automatically go through Interworking network selection
95#     (i.e., require explicit interworking_select command for this; default)
96# 1 = perform Interworking network selection if one or more
97#     credentials have been configured and scan did not find a
98#     matching network block
99#auto_interworking=0
100
101
102Credentials can be pre-configured for automatic network selection:
103
104# credential block
105#
106# Each credential used for automatic network selection is configured as a set
107# of parameters that are compared to the information advertised by the APs when
108# interworking_select and interworking_connect commands are used.
109#
110# credential fields:
111#
112# temporary: Whether this credential is temporary and not to be saved
113#
114# priority: Priority group
115#	By default, all networks and credentials get the same priority group
116#	(0). This field can be used to give higher priority for credentials
117#	(and similarly in struct wpa_ssid for network blocks) to change the
118#	Interworking automatic networking selection behavior. The matching
119#	network (based on either an enabled network block or a credential)
120#	with the highest priority value will be selected.
121#
122# pcsc: Use PC/SC and SIM/USIM card
123#
124# realm: Home Realm for Interworking
125#
126# username: Username for Interworking network selection
127#
128# password: Password for Interworking network selection
129#
130# ca_cert: CA certificate for Interworking network selection
131#
132# client_cert: File path to client certificate file (PEM/DER)
133#	This field is used with Interworking networking selection for a case
134#	where client certificate/private key is used for authentication
135#	(EAP-TLS). Full path to the file should be used since working
136#	directory may change when wpa_supplicant is run in the background.
137#
138#	Alternatively, a named configuration blob can be used by setting
139#	this to blob://blob_name.
140#
141# private_key: File path to client private key file (PEM/DER/PFX)
142#	When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
143#	commented out. Both the private key and certificate will be read
144#	from the PKCS#12 file in this case. Full path to the file should be
145#	used since working directory may change when wpa_supplicant is run
146#	in the background.
147#
148#	Windows certificate store can be used by leaving client_cert out and
149#	configuring private_key in one of the following formats:
150#
151#	cert://substring_to_match
152#
153#	hash://certificate_thumbprint_in_hex
154#
155#	For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
156#
157#	Note that when running wpa_supplicant as an application, the user
158#	certificate store (My user account) is used, whereas computer store
159#	(Computer account) is used when running wpasvc as a service.
160#
161#	Alternatively, a named configuration blob can be used by setting
162#	this to blob://blob_name.
163#
164# private_key_passwd: Password for private key file
165#
166# imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format
167#
168# milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN>
169#	format
170#
171# imsi_privacy_cert: IMSI privacy certificate (PEM encoded X.509v3 certificate)
172#	This field is used with EAP-SIM/AKA/AKA' to encrypt the permanent
173#	identity (IMSI) to improve privacy. The X.509v3 certificate needs to
174#	include a 2048-bit RSA public key and this is from the operator who
175#	authenticates the SIM/USIM.
176# imsi_privacy_attr: IMSI privacy attribute
177#	This field is used to help the EAP-SIM/AKA/AKA' server to identify
178#	the used certificate (and as such, the matching private key). This
179#	is set to an attribute in name=value format if the operator needs
180#	this information.
181#
182# domain_suffix_match: Constraint for server domain name
183#	If set, this FQDN is used as a suffix match requirement for the AAA
184#	server certificate in SubjectAltName dNSName element(s). If a
185#	matching dNSName is found, this constraint is met. If no dNSName
186#	values are present, this constraint is matched against SubjectName CN
187#	using same suffix match comparison. Suffix match here means that the
188#	host/domain name is compared one label at a time starting from the
189#	top-level domain and all the labels in @domain_suffix_match shall be
190#	included in the certificate. The certificate may include additional
191#	sub-level labels in addition to the required labels.
192#
193#	For example, domain_suffix_match=example.com would match
194#	test.example.com but would not match test-example.com.
195#
196# domain: Home service provider FQDN(s)
197#	This is used to compare against the Domain Name List to figure out
198#	whether the AP is operated by the Home SP. Multiple domain entries can
199#	be used to configure alternative FQDNs that will be considered home
200#	networks.
201#
202# home_ois: Home OI(s)
203#	This string field contains one or more comma delimited OIs (hexdump)
204#	identifying the access the access points that support authentication
205#	with this credential. There are an alternative to the use of the realm
206#	parameter. When using Home OIs to match the network, the EAP parameters
207#	need to be pre-configured with the credentials since the NAI Realm
208#	information may not be available or fetched.
209#	A successful authentication with the access point is possible as soon
210#	as at least one Home OI from the list matches an OI in the Roaming
211#	Consortium advertised by the access point.
212#	(Hotspot 2.0 PerProviderSubscription/<X+>/HomeSP/HomeOIList/<X+>/HomeOI)
213#
214# required_home_ois: Required Home OI(s)
215#	This string field contains the set of Home OI(s) (hexdump) that are
216#	required to be advertised by the AP for the credential to be considered
217#	matching.
218#	(Hotspot 2.0 PerProviderSubscription/<X+>/HomeSP/HomeOIList/<X+>/HomeOIRequired)
219#
220# roaming_consortium: Roaming Consortium OI
221#	Deprecated: use home_ois instead.
222#	If roaming_consortium_len is non-zero, this field contains the
223#	Roaming Consortium OI that can be used to determine which access
224#	points support authentication with this credential. This is an
225#	alternative to the use of the realm parameter. When using Roaming
226#	Consortium to match the network, the EAP parameters need to be
227#	pre-configured with the credential since the NAI Realm information
228#	may not be available or fetched.
229#
230# required_roaming_consortium: Required Roaming Consortium OI
231#	Deprecated: use required_home_ois instead.
232#	If required_roaming_consortium_len is non-zero, this field contains the
233#	Roaming Consortium OI that is required to be advertised by the AP for
234#	the credential to be considered matching.
235#
236# roaming_consortiums: Roaming Consortium OI(s) memberships
237#	This string field contains one or more comma delimited OIs (hexdump)
238#	identifying the roaming consortiums of which the provider is a member.
239#	The list is sorted from the most preferred one to the least preferred
240#	one. A match between the Roaming Consortium OIs advertised by an AP and
241#	the OIs in this list indicates that successful authentication is
242#	possible.
243#	(Hotspot 2.0 PerProviderSubscription/<X+>/HomeSP/RoamingConsortiumOI)
244#
245# eap: Pre-configured EAP method
246#	This optional field can be used to specify which EAP method will be
247#	used with this credential. If not set, the EAP method is selected
248#	automatically based on ANQP information (e.g., NAI Realm).
249#
250# phase1: Pre-configure Phase 1 (outer authentication) parameters
251#	This optional field is used with like the 'eap' parameter.
252#
253# phase2: Pre-configure Phase 2 (inner authentication) parameters
254#	This optional field is used with like the 'eap' parameter.
255#
256# excluded_ssid: Excluded SSID
257#	This optional field can be used to excluded specific SSID(s) from
258#	matching with the network. Multiple entries can be used to specify more
259#	than one SSID.
260#
261# roaming_partner: Roaming partner information
262#	This optional field can be used to configure preferences between roaming
263#	partners. The field is a string in following format:
264#	<FQDN>,<0/1 exact match>,<priority>,<* or country code>
265#	(non-exact match means any subdomain matches the entry; priority is in
266#	0..255 range with 0 being the highest priority)
267#
268# update_identifier: PPS MO ID
269#	(Hotspot 2.0 PerProviderSubscription/UpdateIdentifier)
270#
271# provisioning_sp: FQDN of the SP that provisioned the credential
272#	This optional field can be used to keep track of the SP that provisioned
273#	the credential to find the PPS MO (./Wi-Fi/<provisioning_sp>).
274#
275# sp_priority: Credential priority within a provisioning SP
276#	This is the priority of the credential among all credentials
277#	provisioned by the same SP (i.e., for entries that have identical
278#	provisioning_sp value). The range of this priority is 0-255 with 0
279#	being the highest and 255 the lower priority.
280#
281# Minimum backhaul threshold (PPS/<X+>/Policy/MinBackhauldThreshold/*)
282#	These fields can be used to specify minimum download/upload backhaul
283#	bandwidth that is preferred for the credential. This constraint is
284#	ignored if the AP does not advertise WAN Metrics information or if the
285#	limit would prevent any connection. Values are in kilobits per second.
286# min_dl_bandwidth_home
287# min_ul_bandwidth_home
288# min_dl_bandwidth_roaming
289# min_ul_bandwidth_roaming
290#
291# max_bss_load: Maximum BSS Load Channel Utilization (1..255)
292#	(PPS/<X+>/Policy/MaximumBSSLoadValue)
293#	This value is used as the maximum channel utilization for network
294#	selection purposes for home networks. If the AP does not advertise
295#	BSS Load or if the limit would prevent any connection, this constraint
296#	will be ignored.
297#
298# req_conn_capab: Required connection capability
299#	(PPS/<X+>/Policy/RequiredProtoPortTuple)
300#	This value is used to configure set of required protocol/port pairs that
301#	a roaming network shall support (include explicitly in Connection
302#	Capability ANQP element). This constraint is ignored if the AP does not
303#	advertise Connection Capability or if this constraint would prevent any
304#	network connection. This policy is not used in home networks.
305#	Format: <protocol>[:<comma-separated list of ports]
306#	Multiple entries can be used to list multiple requirements.
307#	For example, number of common TCP protocols:
308#	req_conn_capab=6:22,80,443
309#	For example, IPSec/IKE:
310#	req_conn_capab=17:500
311#	req_conn_capab=50
312#
313# ocsp: Whether to use/require OCSP to check server certificate
314#	0 = do not use OCSP stapling (TLS certificate status extension)
315#	1 = try to use OCSP stapling, but not require response
316#	2 = require valid OCSP stapling response
317#
318# sim_num: Identifier for which SIM to use in multi-SIM devices
319#
320# engine: Whether to use an engine for private key operations (0/1)
321# engine_id: String identifying the engine to use
322# ca_cert_id: The CA certificate identifier when using an engine
323# cert_id: The certificate identifier when using an engine
324# key_id: The private key identifier when using an engine
325#
326# for example:
327#
328#cred={
329#	realm="example.com"
330#	username="user@example.com"
331#	password="password"
332#	ca_cert="/etc/wpa_supplicant/ca.pem"
333#	domain="example.com"
334#	domain_suffix_match="example.com"
335#}
336#
337#cred={
338#	imsi="310026-000000000"
339#	milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82"
340#}
341#
342#cred={
343#	realm="example.com"
344#	username="user"
345#	password="password"
346#	ca_cert="/etc/wpa_supplicant/ca.pem"
347#	domain="example.com"
348#	home_ois="223344"
349#	roaming_consortiums="112233,4455667788,aabbcc"
350#	eap=TTLS
351#	phase2="auth=MSCHAPV2"
352#}
353
354
355Control interface
356-----------------
357
358wpa_supplicant provides a control interface that can be used from
359external programs to manage various operations. The included command
360line tool, wpa_cli, can be used for manual testing with this interface.
361
362Following wpa_cli interactive mode commands show some examples of manual
363operations related to Hotspot 2.0:
364
365Remove configured networks and credentials:
366
367> remove_network all
368OK
369> remove_cred all
370OK
371
372
373Add a username/password credential:
374
375> add_cred
3760
377> set_cred 0 realm "mail.example.com"
378OK
379> set_cred 0 username "username"
380OK
381> set_cred 0 password "password"
382OK
383> set_cred 0 priority 1
384OK
385> set_cred 0 temporary 1
386OK
387
388Add a SIM credential using a simulated SIM/USIM card for testing:
389
390> add_cred
3911
392> set_cred 1 imsi "23456-0000000000"
393OK
394> set_cred 1 milenage "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
395OK
396> set_cred 1 priority 1
397OK
398
399Note: the return value of add_cred is used as the first argument to
400the following set_cred commands.
401
402Add a SIM credential using a external SIM/USIM processing:
403
404> set external_sim 1
405OK
406> add_cred
4071
408> set_cred 1 imsi "23456-0000000000"
409OK
410> set_cred 1 eap SIM
411OK
412
413
414Add a WPA2-Enterprise network:
415
416> add_network
4170
418> set_network 0 key_mgmt WPA-EAP
419OK
420> set_network 0 ssid "enterprise"
421OK
422> set_network 0 eap TTLS
423OK
424> set_network 0 anonymous_identity "anonymous"
425OK
426> set_network 0 identity "user"
427OK
428> set_network 0 password "password"
429OK
430> set_network 0 priority 0
431OK
432> enable_network 0 no-connect
433OK
434
435
436Add an open network:
437
438> add_network
4393
440> set_network 3 key_mgmt NONE
441OK
442> set_network 3 ssid "coffee-shop"
443OK
444> select_network 3
445OK
446
447Note: the return value of add_network is used as the first argument to
448the following set_network commands.
449
450The preferred credentials/networks can be indicated with the priority
451parameter (1 is higher priority than 0).
452
453
454Interworking network selection can be started with interworking_select
455command. This instructs wpa_supplicant to run a network scan and iterate
456through the discovered APs to request ANQP information from the APs that
457advertise support for Interworking/Hotspot 2.0:
458
459> interworking_select
460OK
461<3>Starting ANQP fetch for 02:00:00:00:01:00
462<3>RX-ANQP 02:00:00:00:01:00 ANQP Capability list
463<3>RX-ANQP 02:00:00:00:01:00 Roaming Consortium list
464<3>RX-HS20-ANQP 02:00:00:00:01:00 HS Capability List
465<3>ANQP fetch completed
466<3>INTERWORKING-AP 02:00:00:00:01:00 type=unknown
467
468
469INTERWORKING-AP event messages indicate the APs that support network
470selection and for which there is a matching
471credential. interworking_connect command can be used to select a network
472to connect with:
473
474
475> interworking_connect 02:00:00:00:01:00
476OK
477<3>CTRL-EVENT-SCAN-RESULTS
478<3>SME: Trying to authenticate with 02:00:00:00:01:00 (SSID='Example Network' freq=2412 MHz)
479<3>Trying to associate with 02:00:00:00:01:00 (SSID='Example Network' freq=2412 MHz)
480<3>Associated with 02:00:00:00:01:00
481<3>CTRL-EVENT-EAP-STARTED EAP authentication started
482<3>CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
483<3>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
484<3>CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
485<3>WPA: Key negotiation completed with 02:00:00:00:01:00 [PTK=CCMP GTK=CCMP]
486<3>CTRL-EVENT-CONNECTED - Connection to 02:00:00:00:01:00 completed (auth) [id=0 id_str=]
487
488
489wpa_supplicant creates a temporary network block for the selected
490network based on the configured credential and ANQP information from the
491AP:
492
493> list_networks
494network id / ssid / bssid / flags
4950	Example Network	any	[CURRENT]
496> get_network 0 key_mgmt
497WPA-EAP
498> get_network 0 eap
499TTLS
500
501
502Alternatively to using an external program to select the network,
503"interworking_select auto" command can be used to request wpa_supplicant
504to select which network to use based on configured priorities:
505
506
507> remove_network all
508OK
509<3>CTRL-EVENT-DISCONNECTED bssid=02:00:00:00:01:00 reason=1 locally_generated=1
510> interworking_select auto
511OK
512<3>Starting ANQP fetch for 02:00:00:00:01:00
513<3>RX-ANQP 02:00:00:00:01:00 ANQP Capability list
514<3>RX-ANQP 02:00:00:00:01:00 Roaming Consortium list
515<3>RX-HS20-ANQP 02:00:00:00:01:00 HS Capability List
516<3>ANQP fetch completed
517<3>INTERWORKING-AP 02:00:00:00:01:00 type=unknown
518<3>CTRL-EVENT-SCAN-RESULTS
519<3>SME: Trying to authenticate with 02:00:00:00:01:00 (SSID='Example Network' freq=2412 MHz)
520<3>Trying to associate with 02:00:00:00:01:00 (SSID='Example Network' freq=2412 MHz)
521<3>Associated with 02:00:00:00:01:00
522<3>CTRL-EVENT-EAP-STARTED EAP authentication started
523<3>CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
524<3>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
525<3>CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
526<3>WPA: Key negotiation completed with 02:00:00:00:01:00 [PTK=CCMP GTK=CCMP]
527<3>CTRL-EVENT-CONNECTED - Connection to 02:00:00:00:01:00 completed (reauth) [id=0 id_str=]
528
529
530The connection status can be shown with the status command:
531
532> status
533bssid=02:00:00:00:01:00
534ssid=Example Network
535id=0
536mode=station
537pairwise_cipher=CCMP       <--- link layer security indication
538group_cipher=CCMP
539key_mgmt=WPA2/IEEE 802.1X/EAP
540wpa_state=COMPLETED
541p2p_device_address=02:00:00:00:00:00
542address=02:00:00:00:00:00
543hs20=1      <--- HS 2.0 indication
544Supplicant PAE state=AUTHENTICATED
545suppPortStatus=Authorized
546EAP state=SUCCESS
547selectedMethod=21 (EAP-TTLS)
548EAP TLS cipher=AES-128-SHA
549EAP-TTLSv0 Phase2 method=PAP
550
551
552> status
553bssid=02:00:00:00:02:00
554ssid=coffee-shop
555id=3
556mode=station
557pairwise_cipher=NONE
558group_cipher=NONE
559key_mgmt=NONE
560wpa_state=COMPLETED
561p2p_device_address=02:00:00:00:00:00
562address=02:00:00:00:00:00
563
564
565Note: The Hotspot 2.0 indication is shown as "hs20=1" in the status
566command output. Link layer security is indicated with the
567pairwise_cipher (CCMP = secure, NONE = no encryption used).
568
569
570Also the scan results include the Hotspot 2.0 indication:
571
572> scan_results
573bssid / frequency / signal level / flags / ssid
57402:00:00:00:01:00	2412	-30	[WPA2-EAP-CCMP][ESS][HS20]	Example Network
575
576
577ANQP information for the BSS can be fetched using the BSS command:
578
579> bss 02:00:00:00:01:00
580id=1
581bssid=02:00:00:00:01:00
582freq=2412
583beacon_int=100
584capabilities=0x0411
585qual=0
586noise=-92
587level=-30
588tsf=1345573286517276
589age=105
590ie=000f4578616d706c65204e6574776f726b010882848b960c1218240301012a010432043048606c30140100000fac040100000fac040100000fac0100007f04000000806b091e07010203040506076c027f006f1001531122331020304050010203040506dd05506f9a1000
591flags=[WPA2-EAP-CCMP][ESS][HS20]
592ssid=Example Network
593anqp_roaming_consortium=031122330510203040500601020304050603fedcba
594
595
596ANQP queries can also be requested with the anqp_get and hs20_anqp_get
597commands:
598
599> anqp_get 02:00:00:00:01:00 261
600OK
601<3>RX-ANQP 02:00:00:00:01:00 Roaming Consortium list
602> hs20_anqp_get 02:00:00:00:01:00 2
603OK
604<3>RX-HS20-ANQP 02:00:00:00:01:00 HS Capability List
605
606In addition, fetch_anqp command can be used to request similar set of
607ANQP queries to be done as is run as part of interworking_select:
608
609> scan
610OK
611<3>CTRL-EVENT-SCAN-RESULTS
612> fetch_anqp
613OK
614<3>Starting ANQP fetch for 02:00:00:00:01:00
615<3>RX-ANQP 02:00:00:00:01:00 ANQP Capability list
616<3>RX-ANQP 02:00:00:00:01:00 Roaming Consortium list
617<3>RX-HS20-ANQP 02:00:00:00:01:00 HS Capability List
618<3>ANQP fetch completed
619
620
621Hotspot 2.0 Rel 2 online signup and OSEN
622----------------------------------------
623
624Following parameters can be used to create a network profile for
625link-layer protected Hotspot 2.0 online signup connection with
626OSEN. Note that ssid and identify (NAI) values need to be set based on
627the information for the selected provider in the OSU Providers list
628ANQP-element.
629
630network={
631    ssid="HS 2.0 OSU"
632    proto=OSEN
633    key_mgmt=OSEN
634    pairwise=CCMP
635    group=GTK_NOT_USED
636    eap=WFA-UNAUTH-TLS
637    identity="anonymous@example.com"
638    ca_cert="osu-ca.pem"
639    ocsp=2
640}
641
642
643Hotspot 2.0 connection with external network selection
644------------------------------------------------------
645
646When a component controlling wpa_supplicant takes care of Interworking
647network selection, following configuration and network profile
648parameters can be used to configure a temporary network profile for a
649Hotspot 2.0 connection (e.g., with SET, ADD_NETWORK, SET_NETWORK, and
650SELECT_NETWORK control interface commands):
651
652interworking=1
653hs20=1
654auto_interworking=0
655
656network={
657    ssid="test-hs20"
658    proto=RSN
659    key_mgmt=WPA-EAP
660    pairwise=CCMP
661    anonymous_identity="anonymous@example.com"
662    identity="hs20-test@example.com"
663    password="password"
664    ca_cert="ca.pem"
665    eap=TTLS
666    phase2="auth=MSCHAPV2"
667    update_identifier=54321
668    roaming_consortium_selection=112233
669    #ocsp=2
670}
671
672
673These parameters are set based on the PPS MO credential and/or NAI Realm
674list ANQP-element:
675
676anonymous_identity: Credential/UsernamePassword/Username with username part
677		    replaced with "anonymous"
678identity: Credential/UsernamePassword/Username
679password: Credential/UsernamePassword/Password
680update_identifier: PPS/UpdateIdentifier
681ca_cert: from the downloaded trust root based on PPS information
682eap: Credential/UsernamePassword/EAPMethod or NAI Realm list
683phase2: Credential/UsernamePassword/EAPMethod or NAI Realm list
684roaming_consortium_selection: Matching OI from HomeSP/RoamingConsortiumOI
685ocsp: Credential/CheckAAAServerCertStatus
686

README-P2P

1wpa_supplicant and Wi-Fi P2P
2============================
3
4This document describes how the Wi-Fi P2P implementation in
5wpa_supplicant can be configured and how an external component on the
6client (e.g., management GUI) is used to enable WPS enrollment and
7registrar registration.
8
9
10Introduction to Wi-Fi P2P
11-------------------------
12
13TODO
14
15More information about Wi-Fi P2P is available from Wi-Fi Alliance:
16http://www.wi-fi.org/Wi-Fi_Direct.php
17
18
19wpa_supplicant implementation
20-----------------------------
21
22TODO
23
24
25wpa_supplicant configuration
26----------------------------
27
28Wi-Fi P2P is an optional component that needs to be enabled in the
29wpa_supplicant build configuration (.config). Here is an example
30configuration that includes Wi-Fi P2P support and Linux nl80211
31-based driver interface:
32
33CONFIG_DRIVER_NL80211=y
34CONFIG_CTRL_IFACE=y
35CONFIG_P2P=y
36CONFIG_AP=y
37CONFIG_WPS=y
38
39
40In run-time configuration file (wpa_supplicant.conf), some parameters
41for P2P may be set. In order to make the devices easier to recognize,
42device_name and device_type should be specified. For example,
43something like this should be included:
44
45ctrl_interface=/var/run/wpa_supplicant
46device_name=My P2P Device
47device_type=1-0050F204-1
48
49
50wpa_cli
51-------
52
53Actual Wi-Fi P2P operations are requested during runtime. These can be
54done for example using wpa_cli (which is described below) or a GUI
55like wpa_gui-qt4.
56
57
58wpa_cli starts in interactive mode if no command string is included on
59the command line. By default, it will select the first network interface
60that it can find (and that wpa_supplicant controls). If more than one
61interface is in use, it may be necessary to select one of the explicitly
62by adding -i argument on the command line (e.g., 'wpa_cli -i wlan1').
63
64Most of the P2P operations are done on the main interface (e.g., the
65interface that is automatically added when the driver is loaded, e.g.,
66wlan0). When using a separate virtual interface for group operations
67(e.g., wlan1), the control interface for that group interface may need
68to be used for some operations (mainly WPS activation in GO). This may
69change in the future so that all the needed operations could be done
70over the main control interface.
71
72Device Discovery
73
74p2p_find [timeout in seconds] [type=<social|progressive>] \
75	[dev_id=<addr>] [dev_type=<device type>] \
76	[delay=<search delay in ms>] [seek=<service name>] [freq=<MHz>]
77
78The default behavior is to run a single full scan in the beginning and
79then scan only social channels. type=social will scan only social
80channels, i.e., it skips the initial full scan. type=progressive is
81like the default behavior, but it will scan through all the channels
82progressively one channel at the time in the Search state rounds. This
83will help in finding new groups or groups missed during the initial
84full scan. When the type parameter is not included (i.e., full scan), the
85optional freq parameter can be used to override the first scan to use only
86the specified channel after which only social channels are scanned.
87
88The optional dev_id option can be used to specify a single P2P peer to
89search for. The optional delay parameter can be used to request an extra
90delay to be used between search iterations (e.g., to free up radio
91resources for concurrent operations).
92
93The optional dev_type option can be used to specify a single device type
94(primary or secondary) to search for, e.g.,
95"p2p_find dev_type=1-0050F204-1".
96
97
98With one or more seek arguments, the command sends Probe Request frames
99for a P2PS service. For example,
100p2p_find 5 dev_id=11:22:33:44:55:66 seek=alt.example.chat seek=alt.example.video
101
102Parameters description:
103    Timeout - Optional ASCII base-10-encoded u16. If missing, request will not
104	time out and must be canceled manually
105    dev_id - Optional to request responses from a single known remote device
106    Service Name - Mandatory UTF-8 string for ASP seeks
107	Service name must match the remote service being advertised exactly
108	(no prefix matching).
109	Service name may be empty, in which case all ASP services will be
110	returned, and may be filtered with p2p_serv_disc_req settings, and
111	p2p_serv_asp_resp results.
112	Multiple service names may be requested, but if it exceeds internal
113	limit, it will automatically revert to requesting all ASP services.
114
115p2p_listen [timeout in seconds]
116
117Start Listen-only state (become discoverable without searching for
118other devices). Optional parameter can be used to specify the duration
119for the Listen operation in seconds. This command may not be of that
120much use during normal operations and is mainly designed for
121testing. It can also be used to keep the device discoverable without
122having to maintain a group.
123
124p2p_stop_find
125
126Stop ongoing P2P device discovery or other operation (connect, listen
127mode).
128
129p2p_flush
130
131Flush P2P peer table and state.
132
133Group Formation
134
135p2p_prov_disc <peer device address> <display|keypad|pbc> [join|auto]
136
137Send P2P provision discovery request to the specified peer. The
138parameters for this command are the P2P device address of the peer and
139the desired configuration method. For example, "p2p_prov_disc
14002:01:02:03:04:05 display" would request the peer to display a PIN for
141us and "p2p_prov_disc 02:01:02:03:04:05 keypad" would request the peer
142to enter a PIN that we display.
143
144The optional "join" parameter can be used to indicate that this command
145is requesting an already running GO to prepare for a new client. This is
146mainly used with "display" to request it to display a PIN. The "auto"
147parameter can be used to request wpa_supplicant to automatically figure
148out whether the peer device is operating as a GO and if so, use
149join-a-group style PD instead of GO Negotiation style PD.
150
151p2p_connect <peer device address> <pbc|pin|PIN#|p2ps> [display|keypad|p2ps]
152	[persistent|persistent=<network id>] [join|auth]
153	[go_intent=<0..15>] [freq=<in MHz>] [ht40] [vht] [he] [provdisc] [auto]
154	[ssid=<hexdump>]
155
156Start P2P group formation with a discovered P2P peer. This includes
157optional group owner negotiation, group interface setup, provisioning,
158and establishing data connection.
159
160The <pbc|pin|PIN#> parameter specifies the WPS provisioning
161method. "pbc" string starts pushbutton method, "pin" string start PIN
162method using an automatically generated PIN (which will be returned as
163the command return code), PIN# means that a pre-selected PIN can be
164used (e.g., 12345670). [display|keypad] is used with PIN method
165to specify which PIN is used (display=dynamically generated random PIN
166from local display, keypad=PIN entered from peer display). "persistent"
167parameter can be used to request a persistent group to be formed. The
168"persistent=<network id>" alternative can be used to pre-populate
169SSID/passphrase configuration based on a previously used persistent
170group where this device was the GO. The previously used parameters will
171then be used if the local end becomes the GO in GO Negotiation (which
172can be forced with go_intent=15).
173
174"join" indicates that this is a command to join an existing group as a
175client. It skips the GO Negotiation part. This will send a Provision
176Discovery Request message to the target GO before associating for WPS
177provisioning.
178
179"auth" indicates that the WPS parameters are authorized for the peer
180device without actually starting GO Negotiation (i.e., the peer is
181expected to initiate GO Negotiation). This is mainly for testing
182purposes.
183
184"go_intent" can be used to override the default GO Intent for this GO
185Negotiation.
186
187"freq" can be used to set a forced operating channel (e.g., freq=2412
188to select 2.4 GHz channel 1).
189
190"provdisc" can be used to request a Provision Discovery exchange to be
191used prior to starting GO Negotiation as a workaround with some deployed
192P2P implementations that require this to allow the user to accept the
193connection.
194
195"auto" can be used to request wpa_supplicant to automatically figure
196out whether the peer device is operating as a GO and if so, use
197join-a-group operation rather than GO Negotiation.
198
199"ssid=<hexdump>" can be used to specify the Group SSID for join
200operations. This allows the P2P Client interface to filter scan results
201based on SSID to avoid selecting an incorrect BSS entry in case the same
202P2P Device or Interface address have been used in multiple groups
203recently.
204
205P2PS attribute changes to p2p_connect command:
206
207P2PS supports two WPS provisioning methods namely PIN method and P2PS default.
208The remaining parameters hold same role as in legacy P2P. In case of P2PS
209default config method "p2ps" keyword is added in p2p_connect command.
210
211For example:
212p2p_connect 02:0a:f5:85:11:00 12345670 p2ps persistent join
213	(WPS Method = P2PS default)
214
215p2p_connect 02:0a:f5:85:11:00 45629034 keypad persistent
216	(WPS Method = PIN)
217
218p2p_asp_provision <peer MAC address> <adv_id=peer adv id>
219	<adv_mac=peer MAC address> [role=2|4|1] <session=session id>
220	<session_mac=initiator mac address>
221	[info='service info'] <method=Default|keypad|Display>
222
223This command starts provision discovery with the P2PS enabled peer device.
224
225For example,
226p2p_asp_provision 00:11:22:33:44:55 adv_id=4d6fc7 adv_mac=00:55:44:33:22:11 role=1 session=12ab34 session_mac=00:11:22:33:44:55 info='name=john' method=1000
227
228Parameter description:
229    MAC address - Mandatory
230    adv_id - Mandatory remote Advertising ID of service connection is being
231	established for
232    adv_mac - Mandatory MAC address that owns/registered the service
233    role - Optional
234	2 (group client only) or 4 (group owner only)
235	if not present (or 1) role is negotiated by the two peers.
236    session - Mandatory Session ID of the first session to be established
237    session_mac - Mandatory MAC address that owns/initiated the session
238    method - Optional method to request for provisioning (1000 - P2PS Default,
239	100 - Keypad(PIN), 8 - Display(PIN))
240    info - Optional UTF-8 string. Hint for service to indicate possible usage
241	parameters - Escape single quote & backslash:
242	with a backslash 0x27 == ' == \', and 0x5c == \ == \\
243
244p2p_asp_provision_resp <peer mac address> <adv_id= local adv id>
245	<adv_mac=local MAC address> <role=1|2|4> <status=0>
246	<session=session id> <session_mac=peer MAC address>
247
248This command sends a provision discovery response from responder side.
249
250For example,
251p2p_asp_provision_resp 00:55:44:33:22:11 adv_id=4d6fc7 adv_mac=00:55:44:33:22:11 role=1 status=0 session=12ab34 session_mac=00:11:22:33:44:55
252
253Parameters definition:
254    MAC address - Mandatory
255    adv_id - Mandatory local Advertising ID of service connection is being
256	established for
257    adv_mac - Mandatory MAC address that owns/registered the service
258    role -  Optional 2 (group client only) or 4 (group owner only)
259	if not present (or 1) role is negotiated by the two peers.
260    status - Mandatory Acceptance/Rejection code of Provisioning
261    session - Mandatory Session ID of the first session to be established
262    session_mac - Mandatory MAC address that owns/initiated the session
263
264p2p_group_add [persistent|persistent=<network id>] [freq=<freq in MHz>]
265	[ht40] [vht] [he]
266
267Set up a P2P group owner manually (i.e., without group owner
268negotiation with a specific peer). This is also known as autonomous
269GO. Optional persistent=<network id> can be used to specify restart of
270a persistent group. Optional freq=<freq in MHz> can be used to force
271the GO to be started on a specific frequency. Special freq=2 or freq=5
272options can be used to request the best 2.4 GHz or 5 GHz band channel
273to be selected automatically.
274
275p2p_reject <peer device address>
276
277Reject connection attempt from a peer (specified with a device
278address). This is a mechanism to reject a pending GO Negotiation with
279a peer and request to automatically block any further connection or
280discovery of the peer.
281
282p2p_group_remove <group interface>
283
284Terminate a P2P group. If a new virtual network interface was used for
285the group, it will also be removed. The network interface name of the
286group interface is used as a parameter for this command.
287
288p2p_cancel
289
290Cancel an ongoing P2P group formation and joining-a-group related
291operation. This operation unauthorizes the specific peer device (if any
292had been authorized to start group formation), stops P2P find (if in
293progress), stops pending operations for join-a-group, and removes the
294P2P group interface (if one was used) that is in the WPS provisioning
295step. If the WPS provisioning step has been completed, the group is not
296terminated.
297
298p2p_remove_client <peer's P2P Device Address|iface=<interface address>>
299
300This command can be used to remove the specified client from all groups
301(operating and persistent) from the local GO. Note that the peer device
302can rejoin the group if it is in possession of a valid key. See p2p_set
303per_sta_psk command below for more details on how the peer can be
304removed securely.
305
306Service Discovery
307
308p2p_service_add asp <auto accept> <adv id> <status 0/1> <Config Methods>
309	<Service name> [Service Information] [Response Info]
310
311This command can be used to search for a P2PS service which includes
312Play, Send, Display, and Print service. The parameters for this command
313are "asp" to identify the command as P2PS one, auto accept value,
314advertisement id which uniquely identifies the service requests, state
315of the service whether the service is available or not, config methods
316which can be either P2PS method or PIN method, service name followed by
317two optional parameters service information, and response info.
318
319For example,
320p2p_service_add asp 1 4d6fc7 0 1108 alt.example.chat svc_info='name=john' rsp_info='enter PIN 1234'
321
322Parameters definition:
323    asp - Mandatory for ASP service registration
324    auto accept - Mandatory ASCII hex-encoded boolean (0 == no auto-accept,
325	1 == auto-accept ANY role, 2 == auto-accept CLIENT role,
326	4 == auto-accept GO role)
327    Advertisement ID - Mandatory non-zero ASCII hex-encoded u32
328	(Must be unique/not yet exist in svc db)
329    State - Mandatory ASCII hex-encoded u8 (0 -- Svc not available,
330	1 -- Svc available, 2-0xff  Application defined)
331    Config Methods - Mandatory ASCII hex-encoded u16 (bitmask of WSC config
332	methods)
333    Service Name - Mandatory UTF-8 string
334    Service Information - Optional UTF-8 string
335	Escape single quote & backslash with a backslash:
336	0x27 == ' == \', and 0x5c == \ == \\
337    Session response information -  Optional (used only if auto accept is TRUE)
338	UTF-8 string
339	Escape single quote & backslash with a backslash:
340	0x27 == ' == \', and 0x5c == \ == \\
341
342p2p_service_rep asp <auto accept> <adv id> <status 0/1> <Config Methods>
343	<Service name> [Service Information] [Response Info]
344
345This command can be used to replace the existing service request
346attributes from the initiator side. The replacement is only allowed if
347the advertisement id issued in the command matches with any one entry in
348the list of existing SD queries. If advertisement id doesn't match the
349command returns a failure.
350
351For example,
352p2p_service_rep asp 1 4d6fc7 1 1108 alt.example.chat svc_info='name=john' rsp_info='enter PIN 1234'
353
354Parameters definition:
355    asp - Mandatory for ASP service registration
356    auto accept - Mandatory ASCII hex-encoded boolean (1 == true, 0 == false)
357    Advertisement ID - Mandatory non-zero ASCII hex-encoded u32
358	(Must already exist in svc db)
359    State - Mandatory ASCII hex-encoded u8 (can be used to indicate svc
360	available or not available for instance)
361    Config Methods - Mandatory ASCII hex-encoded u16 (bitmask of WSC config
362	methods)
363    Service Name - Mandatory UTF-8 string (Must match existing string in svc db)
364    Service Information - Optional UTF-8 string
365	Escape single quote & backslash with a backslash:
366	0x27 == ' == \', and 0x5c == \ == \\
367    Session response information -  Optional (used only if auto accept is TRUE)
368	UTF-8 string
369	Escape single quote & backslash with a backslash:
370	0x27 == ' == \', and 0x5c == \ == \\
371
372p2p_serv_disc_req
373
374Schedule a P2P service discovery request. The parameters for this
375command are the device address of the peer device (or 00:00:00:00:00:00
376for wildcard query that is sent to every discovered P2P peer that
377supports service discovery) and P2P Service Query TLV(s) as hexdump. For
378example,
379
380p2p_serv_disc_req 00:00:00:00:00:00 02000001
381
382schedules a request for listing all available services of all service
383discovery protocols and requests this to be sent to all discovered
384peers (note: this can result in long response frames). The pending
385requests are sent during device discovery (see p2p_find).
386
387There can be multiple pending peer device specific queries (each will be
388sent in sequence whenever the peer is found).
389
390This command returns an identifier for the pending query (e.g.,
391"1f77628") that can be used to cancel the request. Directed requests
392will be automatically removed when the specified peer has replied to
393it.
394
395Service Query TLV has following format:
396Length (2 octets, little endian) - length of following data
397Service Protocol Type (1 octet) - see the table below
398Service Transaction ID (1 octet) - nonzero identifier for the TLV
399Query Data (Length - 2 octets of data) - service protocol specific data
400
401Service Protocol Types:
4020 = All service protocols
4031 = Bonjour
4042 = UPnP
4053 = WS-Discovery
4064 = Wi-Fi Display
407
408For UPnP, an alternative command format can be used to specify a
409single query TLV (i.e., a service discovery for a specific UPnP
410service):
411
412p2p_serv_disc_req 00:00:00:00:00:00 upnp <version hex> <ST: from M-SEARCH>
413
414For example:
415
416p2p_serv_disc_req 00:00:00:00:00:00 upnp 10 urn:schemas-upnp-org:device:InternetGatewayDevice:1
417
418Additional examples for queries:
419
420# list of all Bonjour services
421p2p_serv_disc_req 00:00:00:00:00:00 02000101
422
423# list of all UPnP services
424p2p_serv_disc_req 00:00:00:00:00:00 02000201
425
426# list of all WS-Discovery services
427p2p_serv_disc_req 00:00:00:00:00:00 02000301
428
429# list of all Bonjour and UPnP services
430p2p_serv_disc_req 00:00:00:00:00:00 0200010102000202
431
432# Apple File Sharing over TCP
433p2p_serv_disc_req 00:00:00:00:00:00 130001010b5f6166706f766572746370c00c000c01
434
435# Bonjour SSTH (supported service type hash)
436p2p_serv_disc_req 00:00:00:00:00:00 05000101000000
437
438# UPnP examples
439p2p_serv_disc_req 00:00:00:00:00:00 upnp 10 ssdp:all
440p2p_serv_disc_req 00:00:00:00:00:00 upnp 10 upnp:rootdevice
441p2p_serv_disc_req 00:00:00:00:00:00 upnp 10 urn:schemas-upnp-org:service:ContentDirectory:2
442p2p_serv_disc_req 00:00:00:00:00:00 upnp 10 uuid:6859dede-8574-59ab-9332-123456789012
443p2p_serv_disc_req 00:00:00:00:00:00 upnp 10 urn:schemas-upnp-org:device:InternetGatewayDevice:1
444
445# Wi-Fi Display examples
446# format: wifi-display <list of roles> <list of subelements>
447p2p_serv_disc_req 00:00:00:00:00:00 wifi-display [source] 2,3,4,5
448p2p_serv_disc_req 02:01:02:03:04:05 wifi-display [pri-sink] 3
449p2p_serv_disc_req 00:00:00:00:00:00 wifi-display [sec-source] 2
450p2p_serv_disc_req 00:00:00:00:00:00 wifi-display [source+sink] 2,3,4,5
451p2p_serv_disc_req 00:00:00:00:00:00 wifi-display [source][pri-sink] 2,3,4,5
452
453p2p_serv_disc_req <Unicast|Broadcast mac address> asp <Transaction ID>
454	<Service Name> [Service Information]
455
456The command can be used for service discovery for P2PS enabled devices.
457
458For example: p2p_serv_disc_req 00:00:00:00:00:00 asp a1 alt.example 'john'
459
460Parameters definition:
461    MAC address - Mandatory Existing
462    asp - Mandatory for ASP queries
463    Transaction ID - Mandatory non-zero ASCII hex-encoded u8 for GAS
464    Service Name Prefix - Mandatory UTF-8 string.
465	Will match from beginning of remote Service Name
466    Service Information Substring - Optional UTF-8 string
467	If Service Information Substring is not included, all services matching
468	Service Name Prefix will be returned.
469	If Service Information Substring is included, both the Substring and the
470	Service Name Prefix must match for service to be returned.
471	If remote service has no Service Information, all Substring searches
472	will fail.
473
474p2p_serv_disc_cancel_req <query identifier>
475
476Cancel a pending P2P service discovery request. This command takes a
477single parameter: identifier for the pending query (the value returned
478by p2p_serv_disc_req, e.g., "p2p_serv_disc_cancel_req 1f77628".
479
480p2p_serv_disc_resp
481
482Reply to a service discovery query. This command takes following
483parameters: frequency in MHz, destination address, dialog token,
484response TLV(s). The first three parameters are copied from the
485request event. For example, "p2p_serv_disc_resp 2437 02:40:61:c2:f3:b7
4861 0300000101". This command is used only if external program is used
487to process the request (see p2p_serv_disc_external).
488
489p2p_service_update
490
491Indicate that local services have changed. This is used to increment
492the P2P service indicator value so that peers know when previously
493cached information may have changed. This is only needed when external
494service discovery processing is enabled since the commands to
495pre-configure services for internal processing will increment the
496indicator automatically.
497
498p2p_serv_disc_external <0|1>
499
500Configure external processing of P2P service requests: 0 (default) =
501no external processing of requests (i.e., internal code will process
502each request based on pre-configured services), 1 = external
503processing of requests (external program is responsible for replying
504to service discovery requests with p2p_serv_disc_resp). Please note
505that there is quite strict limit on how quickly the response needs to
506be transmitted, so use of the internal processing is strongly
507recommended.
508
509p2p_service_add bonjour <query hexdump> <RDATA hexdump>
510
511Add a local Bonjour service for internal SD query processing.
512
513Examples:
514
515# AFP Over TCP (PTR)
516p2p_service_add bonjour 0b5f6166706f766572746370c00c000c01 074578616d706c65c027
517# AFP Over TCP (TXT) (RDATA=null)
518p2p_service_add bonjour 076578616d706c650b5f6166706f766572746370c00c001001 00
519
520# IP Printing over TCP (PTR) (RDATA=MyPrinter._ipp._tcp.local.)
521p2p_service_add bonjour 045f697070c00c000c01 094d795072696e746572c027
522# IP Printing over TCP (TXT) (RDATA=txtvers=1,pdl=application/postscript)
523p2p_service_add bonjour 096d797072696e746572045f697070c00c001001 09747874766572733d311a70646c3d6170706c69636174696f6e2f706f7374736372797074
524
525# Supported Service Type Hash (SSTH)
526p2p_service_add bonjour 000000 <32-byte bitfield as hexdump>
527(note: see P2P spec Annex E.4 for information on how to construct the bitfield)
528
529p2p_service_del bonjour <query hexdump>
530
531Remove a local Bonjour service from internal SD query processing.
532
533p2p_service_add upnp <version hex> <service>
534
535Add a local UPnP service for internal SD query processing.
536
537Examples:
538
539p2p_service_add upnp 10 uuid:6859dede-8574-59ab-9332-123456789012::upnp:rootdevice
540p2p_service_add upnp 10 uuid:5566d33e-9774-09ab-4822-333456785632::upnp:rootdevice
541p2p_service_add upnp 10 uuid:1122de4e-8574-59ab-9322-333456789044::urn:schemas-upnp-org:service:ContentDirectory:2
542p2p_service_add upnp 10 uuid:5566d33e-9774-09ab-4822-333456785632::urn:schemas-upnp-org:service:ContentDirectory:2
543p2p_service_add upnp 10 uuid:6859dede-8574-59ab-9332-123456789012::urn:schemas-upnp-org:device:InternetGatewayDevice:1
544
545p2p_service_del upnp <version hex> <service>
546
547Remove a local UPnP service from internal SD query processing.
548
549p2p_service_del asp <adv id>
550
551Removes the local asp service from internal SD query list.
552For example: p2p_service_del asp 4d6fc7
553
554p2p_service_flush
555
556Remove all local services from internal SD query processing.
557
558Invitation
559
560p2p_invite [persistent=<network id>|group=<group ifname>] [peer=address]
561	[go_dev_addr=address] [freq=<freq in MHz>] [ht40] [vht] [he]
562	[pref=<MHz>]
563
564Invite a peer to join a group (e.g., group=wlan1) or to reinvoke a
565persistent group (e.g., persistent=4). If the peer device is the GO of
566the persistent group, the peer parameter is not needed. Otherwise it is
567used to specify which device to invite. go_dev_addr parameter can be
568used to override the GO device address for Invitation Request should
569it be not known for some reason (this should not be needed in most
570cases). When reinvoking a persistent group, the GO device can specify
571the frequency for the group with the freq parameter. When reinvoking a
572persistent group, the P2P client device can use freq parameter to force
573a specific operating channel (or invitation failure if GO rejects that)
574or pref parameter to request a specific channel (while allowing GO to
575select to use another channel, if needed).
576
577Group Operations
578
579(These are used on the group interface.)
580
581wps_pin <any|address> <PIN>
582
583Start WPS PIN method. This allows a single WPS Enrollee to connect to
584the AP/GO. This is used on the GO when a P2P client joins an existing
585group. The second parameter is the address of the Enrollee or a string
586"any" to allow any station to use the entered PIN (which will restrict
587the PIN for one-time-use). PIN is the Enrollee PIN read either from a
588label or display on the P2P Client/WPS Enrollee.
589
590wps_pbc
591
592Start WPS PBC method (i.e., push the button). This allows a single WPS
593Enrollee to connect to the AP/GO. This is used on the GO when a P2P
594client joins an existing group.
595
596p2p_get_passphrase
597
598Get the passphrase for a group (only available when acting as a GO).
599
600p2p_presence_req [<duration> <interval>] [<duration> <interval>]
601
602Send a P2P Presence Request to the GO (this is only available when
603acting as a P2P client). If no duration/interval pairs are given, the
604request indicates that this client has no special needs for GO
605presence. The first parameter pair gives the preferred duration and
606interval values in microseconds. If the second pair is included, that
607indicates which value would be acceptable. This command returns OK
608immediately and the response from the GO is indicated in a
609P2P-PRESENCE-RESPONSE event message.
610
611Parameters
612
613p2p_ext_listen [<period> <interval>]
614
615Configure Extended Listen Timing. If the parameters are omitted, this
616feature is disabled. If the parameters are included, Listen State will
617be entered every interval msec for at least period msec. Both values
618have acceptable range of 1-65535 (with interval obviously having to be
619larger than or equal to duration). If the P2P module is not idle at
620the time the Extended Listen Timing timeout occurs, the Listen State
621operation will be skipped.
622
623The configured values will also be advertised to other P2P Devices. The
624received values are available in the p2p_peer command output:
625
626ext_listen_period=100 ext_listen_interval=5000
627
628p2p_set <field> <value>
629
630Change dynamic P2P parameters
631
632p2p_set discoverability <0/1>
633
634Disable/enable advertisement of client discoverability. This is
635enabled by default and this parameter is mainly used to allow testing
636of device discoverability.
637
638p2p_set managed <0/1>
639
640Disable/enable managed P2P Device operations. This is disabled by
641default.
642
643p2p_set listen_channel <channel> [<op_class>]
644
645Set P2P Listen channel. This is mainly meant for testing purposes and
646changing the Listen channel during normal operations can result in
647protocol failures.
648
649When specifying a social channel on the 2.4 GHz band (1/6/11) there is
650no need to specify the operating class since it defaults to 81.  When
651specifying a social channel on the 60 GHz band (2), specify the 60 GHz
652operating class (180).
653
654p2p_set ssid_postfix <postfix>
655
656Set postfix string to be added to the automatically generated P2P SSID
657(DIRECT-<two random characters>). For example, postfix of "-testing"
658could result in the SSID becoming DIRECT-ab-testing.
659
660p2p_set per_sta_psk <0/1>
661
662Disabled(default)/enables use of per-client PSK in the P2P groups. This
663can be used to request GO to assign a unique PSK for each client during
664WPS provisioning. When enabled, this allow clients to be removed from
665the group securely with p2p_remove_client command since that client's
666PSK is removed at the same time to prevent it from connecting back using
667the old PSK. When per-client PSK is not used, the client can still be
668disconnected, but it will be able to re-join the group since the PSK it
669learned previously is still valid. It should be noted that the default
670passphrase on the GO that is normally used to allow legacy stations to
671connect through manual configuration does not change here, so if that is
672shared, devices with knowledge of that passphrase can still connect.
673
674set <field> <value>
675
676Set global configuration parameters which may also affect P2P
677operations. The format on these parameters is same as is used in
678wpa_supplicant.conf. Only the parameters listen here should be
679changed. Modifying other parameters may result in incorrect behavior
680since not all existing users of the parameters are updated.
681
682set uuid <UUID>
683
684Set WPS UUID (by default, this is generated based on the MAC address).
685
686set device_name <device name>
687
688Set WPS Device Name (also included in some P2P messages).
689
690set manufacturer <manufacturer>
691
692Set WPS Manufacturer.
693
694set model_name <model name>
695
696Set WPS Model Name.
697
698set model_number <model number>
699
700Set WPS Model Number.
701
702set serial_number <serial number>
703
704Set WPS Serial Number.
705
706set device_type <device type>
707
708Set WPS Device Type.
709
710set os_version <OS version>
711
712Set WPS OS Version.
713
714set config_methods <config methods>
715
716Set WPS Configuration Methods.
717
718set sec_device_type <device type>
719
720Add a new Secondary Device Type.
721
722set p2p_go_intent <GO intent>
723
724Set the default P2P GO Intent. Note: This value can be overridden in
725p2p_connect command and as such, there should be no need to change the
726default value here during normal operations.
727
728set p2p_ssid_postfix <P2P SSID postfix>
729
730Set P2P SSID postfix.
731
732set persistent_reconnect <0/1>
733
734Disable/enabled persistent reconnect for reinvocation of persistent
735groups. If enabled, invitations to reinvoke a persistent group will be
736accepted without separate authorization (e.g., user interaction).
737
738set country <two character country code>
739
740Set country code (this is included in some P2P messages).
741
742set p2p_search_delay <delay>
743
744Set p2p_search_delay which adds extra delay in milliseconds between
745concurrent search iterations to make p2p_find friendlier to concurrent
746operations by avoiding it from taking 100% of radio resources. The
747default value is 500 ms.
748
749Status
750
751p2p_peers [discovered]
752
753List P2P Device Addresses of all the P2P peers we know. The optional
754"discovered" parameter filters out the peers that we have not fully
755discovered, i.e., which we have only seen in a received Probe Request
756frame.
757
758p2p_peer <P2P Device Address>
759
760Fetch information about a known P2P peer.
761
762Group Status
763
764(These are used on the group interface.)
765
766status
767
768Show status information (connection state, role, use encryption
769parameters, IP address, etc.).
770
771sta
772
773Show information about an associated station (when acting in AP/GO role).
774
775all_sta
776
777Lists the currently associated stations.
778
779Configuration data
780
781list_networks
782
783Lists the configured networks, including stored information for
784persistent groups. The identifier in this list is used with
785p2p_group_add and p2p_invite to indicate which persistent group is to
786be reinvoked.
787
788remove_network <network id>
789
790Remove a network entry from configuration.
791
792
793P2PS Events/Responses:
794
795P2PS-PROV-START: This events gets triggered when provisioning is issued for
796either seeker or advertiser.
797
798For example,
799P2PS-PROV-START 00:55:44:33:22:11 adv_id=111 adv_mac=00:55:44:33:22:11 conncap=1 session=1234567 session_mac=00:11:22:33:44:55 info='xxxx'
800
801Parameters definition:
802    MAC address - always
803    adv_id - always ASCII hex-encoded u32
804    adv_mac - always MAC address that owns/registered the service
805    conncap - always mask of 0x01 (new), 0x02 (group client), 0x04 (group owner)
806	bits
807    session - always Session ID of the first session to be established
808    session_mac - always MAC address that owns/initiated the session
809    info - if available, UTF-8 string
810	Escaped single quote & backslash with a backslash:
811	\' == 0x27 == ', and \\ == 0x5c == \
812
813P2PS-PROV-DONE: When provisioning is completed then this event gets triggered.
814
815For example,
816P2PS-PROV-DONE 00:11:22:33:44:55 status=0 adv_id=111 adv_mac=00:55:44:33:22:11 conncap=1 session=1234567 session_mac=00:11:22:33:44:55 [dev_passwd_id=8 | go=p2p-wlan0-0 | join=11:22:33:44:55:66 | persist=0]
817
818Parameters definition:
819    MAC address - always main device address of peer. May be different from MAC
820	ultimately connected to.
821    status - always ascii hex-encoded u8 (0 == success, 12 == deferred success)
822    adv_id - always ascii hex-encoded u32
823    adv_mac - always MAC address that owns/registered the service
824    conncap - always One of: 1 (new), 2 (group client), 4 (group owner) bits
825    session - always Session ID of the first session to be established
826    session_mac - always MAC address that owns/initiated the session
827    dev_passwd_id - only if conncap value == 1 (New GO negotiation)
828	8 - "p2ps" password must be passed in p2p_connect command
829	1 - "display" password must be passed in p2p_connect command
830	5 - "keypad" password must be passed in p2p_connect command
831    join only - if conncap value == 2 (Client Only). Display password and "join"
832	must be passed in p2p_connect and address must be the MAC specified
833    go only - if conncap value == 4 (GO Only). Interface name must be set with a
834	password
835    persist - only if previous persistent group existed between peers and shall
836	be re-used. Group is restarted by sending "p2p_group_add persistent=0"
837	where value is taken from P2P-PROV-DONE
838
839Extended Events/Response
840
841P2P-DEVICE-FOUND 00:11:22:33:44:55 p2p_dev_addr=00:11:22:33:44:55 pri_dev_type=0-00000000-0 name='' config_methods=0x108 dev_capab=0x21 group_capab=0x0 adv_id=111 asp_svc=alt.example.chat
842
843Parameters definition:
844    adv_id - if ASP ASCII hex-encoded u32. If it is reporting the
845	"wildcard service", this value will be 0
846    asp_svc - if ASP this is the service string. If it is reporting the
847	"wildcard service", this value will be org.wi-fi.wfds
848
849
850wpa_cli action script
851---------------------
852
853See examples/p2p-action.sh
854
855TODO: describe DHCP/DNS setup
856TODO: cross-connection
857

README-WPS

1wpa_supplicant and Wi-Fi Protected Setup (WPS)
2==============================================
3
4This document describes how the WPS implementation in wpa_supplicant
5can be configured and how an external component on the client (e.g.,
6management GUI) is used to enable WPS enrollment and registrar
7registration.
8
9
10Introduction to WPS
11-------------------
12
13Wi-Fi Protected Setup (WPS) is a mechanism for easy configuration of a
14wireless network. It allows automated generation of random keys (WPA
15passphrase/PSK) and configuration of an access point and client
16devices. WPS includes number of methods for setting up connections
17with PIN method and push-button configuration (PBC) being the most
18commonly deployed options.
19
20While WPS can enable more home networks to use encryption in the
21wireless network, it should be noted that the use of the PIN and
22especially PBC mechanisms for authenticating the initial key setup is
23not very secure. As such, use of WPS may not be suitable for
24environments that require secure network access without chance for
25allowing outsiders to gain access during the setup phase.
26
27WPS uses the following terms to describe the entities participating
28in the network setup:
29- access point: the WLAN access point
30- Registrar: a device that control a network and can authorize
31  addition of new devices); this may be either in the AP ("internal
32  Registrar") or in an external device, e.g., a laptop, ("external
33  Registrar")
34- Enrollee: a device that is being authorized to use the network
35
36It should also be noted that the AP and a client device may change
37roles (i.e., AP acts as an Enrollee and client device as a Registrar)
38when WPS is used to configure the access point.
39
40
41More information about WPS is available from Wi-Fi Alliance:
42http://www.wi-fi.org/wifi-protected-setup
43
44
45wpa_supplicant implementation
46-----------------------------
47
48wpa_supplicant includes an optional WPS component that can be used as
49an Enrollee to enroll new network credential or as a Registrar to
50configure an AP.
51
52
53wpa_supplicant configuration
54----------------------------
55
56WPS is an optional component that needs to be enabled in
57wpa_supplicant build configuration (.config). Here is an example
58configuration that includes WPS support and Linux nl80211-based
59driver interface:
60
61CONFIG_DRIVER_NL80211=y
62CONFIG_WPS=y
63
64If you want to enable WPS external registrar (ER) functionality, you
65will also need to add the following line:
66
67CONFIG_WPS_ER=y
68
69The following parameter can be used to enable support for NFC config
70method:
71
72CONFIG_WPS_NFC=y
73
74WPS needs the Universally Unique IDentifier (UUID; see RFC 4122) for
75the device. This is configured in the runtime configuration for
76wpa_supplicant (if not set, UUID will be generated based on local MAC
77address):
78
79# example UUID for WPS
80uuid=12345678-9abc-def0-1234-56789abcdef0
81
82The network configuration blocks needed for WPS are added
83automatically based on control interface commands, so they do not need
84to be added explicitly in the configuration file.
85
86WPS registration will generate new network blocks for the acquired
87credentials. If these are to be stored for future use (after
88restarting wpa_supplicant), wpa_supplicant will need to be configured
89to allow configuration file updates:
90
91update_config=1
92
93
94External operations
95-------------------
96
97WPS requires either a device PIN code (usually, 8-digit number) or a
98pushbutton event (for PBC) to allow a new WPS Enrollee to join the
99network. wpa_supplicant uses the control interface as an input channel
100for these events.
101
102The PIN value used in the commands must be processed by an UI to
103remove non-digit characters and potentially, to verify the checksum
104digit. "wpa_cli wps_check_pin <PIN>" can be used to do such processing.
105It returns FAIL if the PIN is invalid, or FAIL-CHECKSUM if the checksum
106digit is incorrect, or the processed PIN (non-digit characters removed)
107if the PIN is valid.
108
109If the client device has a display, a random PIN has to be generated
110for each WPS registration session. wpa_supplicant can do this with a
111control interface request, e.g., by calling wpa_cli:
112
113wpa_cli wps_pin any
114
115This will return the generated 8-digit PIN which will then need to be
116entered at the Registrar to complete WPS registration. At that point,
117the client will be enrolled with credentials needed to connect to the
118AP to access the network.
119
120If the client device does not have a display that could show the
121random PIN, a hardcoded PIN that is printed on a label can be
122used. wpa_supplicant is notified this with a control interface
123request, e.g., by calling wpa_cli:
124
125wpa_cli wps_pin any 12345670
126
127This starts the WPS negotiation in the same way as above with the
128generated PIN.
129
130When the wps_pin command is issued for an AP (including P2P GO) mode
131interface, an optional timeout parameter can be used to specify
132expiration timeout for the PIN in seconds. For example:
133
134wpa_cli wps_pin any 12345670 300
135
136If a random PIN is needed for a user interface, "wpa_cli wps_pin get"
137can be used to generate a new PIN without starting WPS negotiation.
138This random PIN can then be passed as an argument to another wps_pin
139call when the actual operation should be started.
140
141If the client design wants to support optional WPS PBC mode, this can
142be enabled by either a physical button in the client device or a
143virtual button in the user interface. The PBC operation requires that
144a button is also pressed at the AP/Registrar at about the same time (2
145minute window). wpa_supplicant is notified of the local button event
146over the control interface, e.g., by calling wpa_cli:
147
148wpa_cli wps_pbc
149
150At this point, the AP/Registrar has two minutes to complete WPS
151negotiation which will generate a new WPA PSK in the same way as the
152PIN method described above.
153
154If the client wants to operate in the Registrar role to learn the
155current AP configuration and optionally, to configure an AP,
156wpa_supplicant is notified over the control interface, e.g., with
157wpa_cli:
158
159wpa_cli wps_reg <AP BSSID> <AP PIN>
160(example: wpa_cli wps_reg 02:34:56:78:9a:bc 12345670)
161
162This is used to fetch the current AP settings instead of actually
163changing them. The main difference with the wps_pin command is that
164wps_reg uses the AP PIN (e.g., from a label on the AP) instead of a
165PIN generated at the client.
166
167In order to change the AP configuration, the new configuration
168parameters are given to the wps_reg command:
169
170wpa_cli wps_reg <AP BSSID> <AP PIN> <new SSID> <auth> <encr> <new key>
171examples:
172  wpa_cli wps_reg 02:34:56:78:9a:bc 12345670 testing WPA2PSK CCMP 12345678
173  wpa_cli wps_reg 02:34:56:78:9a:bc 12345670 clear OPEN NONE ""
174
175<auth> must be one of the following: OPEN WPAPSK WPA2PSK
176<encr> must be one of the following: NONE WEP TKIP CCMP
177
178
179Scanning
180--------
181
182Scan results ('wpa_cli scan_results' or 'wpa_cli bss <idx>') include a
183flags field that is used to indicate whether the BSS support WPS. If
184the AP support WPS, but has not recently activated a Registrar, [WPS]
185flag will be included. If PIN method has been recently selected,
186[WPS-PIN] is shown instead. Similarly, [WPS-PBC] is shown if PBC mode
187is in progress. GUI programs can use these as triggers for suggesting
188a guided WPS configuration to the user. In addition, control interface
189monitor events WPS-AP-AVAILABLE{,-PBC,-PIN} can be used to find out if
190there are WPS enabled APs in scan results without having to go through
191all the details in the GUI. These notification could be used, e.g., to
192suggest possible WPS connection to the user.
193
194
195wpa_gui
196-------
197
198wpa_gui-qt4 directory contains a sample GUI that shows an example of
199how WPS support can be integrated into the GUI. Its main window has a
200WPS tab that guides user through WPS registration with automatic AP
201selection. In addition, it shows how WPS can be started manually by
202selecting an AP from scan results.
203
204
205Credential processing
206---------------------
207
208By default, wpa_supplicant processes received credentials and updates
209its configuration internally. However, it is possible to
210control these operations from external programs, if desired.
211
212This internal processing can be disabled with wps_cred_processing=1
213option. When this is used, an external program is responsible for
214processing the credential attributes and updating wpa_supplicant
215configuration based on them.
216
217The following control interface messages are sent out for external
218programs:
219
220WPS-CRED-RECEIVED  <hexdump of Credential attribute(s)>
221For example:
222<2>WPS-CRED-RECEIVED 100e006f10260001011045000c6a6b6d2d7770732d74657374100300020020100f000200081027004030653462303435366332363666653064333961643135353461316634626637313234333761636664623766333939653534663166316230323061643434386235102000060266a0ee1727
223
224
225wpa_supplicant as WPS External Registrar (ER)
226---------------------------------------------
227
228wpa_supplicant can be used as a WPS ER to configure an AP or enroll
229new Enrollee to join the network. This functionality uses UPnP and
230requires that a working IP connectivity is available with the AP (this
231can be either over a wired or wireless connection).
232
233Separate wpa_supplicant process can be started for WPS ER
234operations. A special "none" driver can be used in such a case to
235indicate that no local network interface is actually controlled. For
236example, the following command could be used to start the ER:
237
238wpa_supplicant -Dnone -c er.conf -ieth0
239
240Sample er.conf:
241
242ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=admin
243device_name=WPS External Registrar
244
245wpa_cli commands for ER functionality:
246
247wps_er_start [IP address]
248- start WPS ER functionality
249- the optional IP address parameter can be used to filter operations only
250  to include a single AP
251- if run again while ER is active, the stored information (discovered APs
252  and Enrollees) are shown again
253
254wps_er_stop
255- stop WPS ER functionality
256
257wps_er_learn <UUID|BSSID> <AP PIN>
258- learn AP configuration
259
260wps_er_set_config <UUID|BSSID> <network id>
261- use AP configuration from a locally configured network (e.g., from
262  wps_reg command); this does not change the AP's configuration, but
263  only prepares a configuration to be used when enrolling a new device
264  to the AP
265
266wps_er_config <UUID|BSSID> <AP PIN> <new SSID> <auth> <encr> <new key>
267- examples:
268  wps_er_config 87654321-9abc-def0-1234-56789abc0002 12345670 testing WPA2PSK CCMP 12345678
269  wpa_er_config 87654321-9abc-def0-1234-56789abc0002 12345670 clear OPEN NONE ""
270
271<auth> must be one of the following: OPEN WPAPSK WPA2PSK
272<encr> must be one of the following: NONE WEP TKIP CCMP
273
274wps_er_pbc <Enrollee UUID|MAC address>
275- accept an Enrollee PBC using External Registrar
276
277wps_er_pin <Enrollee UUID|"any"|MAC address> <PIN> [Enrollee MAC address]
278- add an Enrollee PIN to External Registrar
279- if Enrollee UUID is not known, "any" can be used to add a wildcard PIN
280- if the MAC address of the enrollee is known, it should be configured
281  to allow the AP to advertise list of authorized enrollees
282
283WPS ER events:
284
285WPS_EVENT_ER_AP_ADD
286- WPS ER discovered an AP
287
288WPS-ER-AP-ADD 87654321-9abc-def0-1234-56789abc0002 02:11:22:33:44:55 pri_dev_type=6-0050F204-1 wps_state=1 |Very friendly name|Company|Long description of the model|WAP|http://w1.fi/|http://w1.fi/hostapd/
289
290WPS_EVENT_ER_AP_REMOVE
291- WPS ER removed an AP entry
292
293WPS-ER-AP-REMOVE 87654321-9abc-def0-1234-56789abc0002
294
295WPS_EVENT_ER_ENROLLEE_ADD
296- WPS ER discovered a new Enrollee
297
298WPS-ER-ENROLLEE-ADD 2b7093f1-d6fb-5108-adbb-bea66bb87333 02:66:a0:ee:17:27 M1=1 config_methods=0x14d dev_passwd_id=0 pri_dev_type=1-0050F204-1 |Wireless Client|Company|cmodel|123|12345|
299
300WPS_EVENT_ER_ENROLLEE_REMOVE
301- WPS ER removed an Enrollee entry
302
303WPS-ER-ENROLLEE-REMOVE 2b7093f1-d6fb-5108-adbb-bea66bb87333 02:66:a0:ee:17:27
304
305WPS-ER-AP-SETTINGS
306- WPS ER learned AP settings
307
308WPS-ER-AP-SETTINGS uuid=fd91b4ec-e3fa-5891-a57d-8c59efeed1d2 ssid=test-wps auth_type=0x0020 encr_type=0x0008 key=12345678
309
310
311WPS with NFC
312------------
313
314WPS can be used with NFC-based configuration method. An NFC tag
315containing a password token from the Enrollee can be used to
316authenticate the connection instead of the PIN. In addition, an NFC tag
317with a configuration token can be used to transfer AP settings without
318going through the WPS protocol.
319
320When the station acts as an Enrollee, a local NFC tag with a password
321token can be used by touching the NFC interface of a Registrar.
322
323"wps_nfc [BSSID]" command starts WPS protocol run with the local end as
324the Enrollee using the NFC password token that is either pre-configured
325in the configuration file (wps_nfc_dev_pw_id, wps_nfc_dh_pubkey,
326wps_nfc_dh_privkey, wps_nfc_dev_pw) or generated dynamically with
327"wps_nfc_token <WPS|NDEF>" command. The included nfc_pw_token tool
328(build with "make nfc_pw_token") can be used to generate NFC password
329tokens during manufacturing (each station needs to have its own random
330keys).
331
332The "wps_nfc_config_token <WPS/NDEF>" command can be used to build an
333NFC configuration token when wpa_supplicant is controlling an AP
334interface (AP or P2P GO). The output value from this command is a
335hexdump of the current AP configuration (WPS parameter requests this to
336include only the WPS attributes; NDEF parameter requests additional NDEF
337encapsulation to be included). This data needs to be written to an NFC
338tag with an external program. Once written, the NFC configuration token
339can be used to touch an NFC interface on a station to provision the
340credentials needed to access the network.
341
342The "wps_nfc_config_token <WPS/NDEF> <network id>" command can be used
343to build an NFC configuration token based on a locally configured
344network.
345
346If the station includes NFC interface and reads an NFC tag with a MIME
347media type "application/vnd.wfa.wsc", the NDEF message payload (with or
348without NDEF encapsulation) can be delivered to wpa_supplicant using the
349following wpa_cli command:
350
351wps_nfc_tag_read <hexdump of payload>
352
353If the NFC tag contains a configuration token, the network is added to
354wpa_supplicant configuration. If the NFC tag contains a password token,
355the token is added to the WPS Registrar component. This information can
356then be used with wps_reg command (when the NFC password token was from
357an AP) using a special value "nfc-pw" in place of the PIN parameter. If
358the ER functionality has been started (wps_er_start), the NFC password
359token is used to enable enrollment of a new station (that was the source
360of the NFC password token).
361
362"nfc_get_handover_req <NDEF> <WPS-CR>" command can be used to build the
363WPS carrier record for a Handover Request Message for connection
364handover. The first argument selects the format of the output data and
365the second argument selects which type of connection handover is
366requested (WPS-CR = Wi-Fi handover as specified in WSC 2.0).
367
368"nfc_get_handover_sel <NDEF> <WPS> [UUID|BSSID]" command can be used to
369build the contents of a Handover Select Message for connection handover
370when this does not depend on the contents of the Handover Request
371Message. The first argument selects the format of the output data and
372the second argument selects which type of connection handover is
373requested (WPS = Wi-Fi handover as specified in WSC 2.0). If the options
374UUID|BSSID argument is included, this is a request to build the handover
375message for the specified AP when wpa_supplicant is operating as a WPS
376ER.
377
378"nfc_report_handover <INIT/RESP> WPS <carrier from handover request>
379<carrier from handover select>" can be used as an alternative way for
380reporting completed NFC connection handover. The first parameter
381indicates whether the local device initiated or responded to the
382connection handover and the carrier records are the selected carrier
383from the handover request and select messages as a hexdump.
384
385The "wps_er_nfc_config_token <WPS/NDEF> <UUID|BSSID>" command can be
386used to build an NFC configuration token for the specified AP when
387wpa_supplicant is operating as a WPS ER. The output value from this
388command is a hexdump of the selected AP configuration (WPS parameter
389requests this to include only the WPS attributes; NDEF parameter
390requests additional NDEF encapsulation to be included). This data needs
391to be written to an NFC tag with an external program. Once written, the
392NFC configuration token can be used to touch an NFC interface on a
393station to provision the credentials needed to access the network.
394

README-Windows.txt

1wpa_supplicant for Windows
2==========================
3
4Copyright (c) 2003-2009, Jouni Malinen <j@w1.fi> and contributors
5All Rights Reserved.
6
7This program is licensed under the BSD license (the one with
8advertisement clause removed).
9
10
11wpa_supplicant has support for being used as a WPA/WPA2/IEEE 802.1X
12Supplicant on Windows. The current port requires that WinPcap
13(http://winpcap.polito.it/) is installed for accessing packets and the
14driver interface. Both release versions 3.0 and 3.1 are supported.
15
16The current port is still somewhat experimental. It has been tested
17mainly on Windows XP (SP2) with limited set of NDIS drivers. In
18addition, the current version has been reported to work with Windows
192000.
20
21All security modes have been verified to work (at least complete
22authentication and successfully ping a wired host):
23- plaintext
24- static WEP / open system authentication
25- static WEP / shared key authentication
26- IEEE 802.1X with dynamic WEP keys
27- WPA-PSK, TKIP, CCMP, TKIP+CCMP
28- WPA-EAP, TKIP, CCMP, TKIP+CCMP
29- WPA2-PSK, TKIP, CCMP, TKIP+CCMP
30- WPA2-EAP, TKIP, CCMP, TKIP+CCMP
31
32
33Building wpa_supplicant with mingw
34----------------------------------
35
36The default build setup for wpa_supplicant is to use MinGW and
37cross-compiling from Linux to MinGW/Windows. It should also be
38possible to build this under Windows using the MinGW tools, but that
39is not tested nor supported and is likely to require some changes to
40the Makefile unless cygwin is used.
41
42
43Building wpa_supplicant with MSVC
44---------------------------------
45
46wpa_supplicant can be built with Microsoft Visual C++ compiler. This
47has been tested with Microsoft Visual C++ Toolkit 2003 and Visual
48Studio 2005 using the included nmake.mak as a Makefile for nmake. IDE
49can also be used by creating a project that includes the files and
50defines mentioned in nmake.mak. Example VS2005 solution and project
51files are included in vs2005 subdirectory. This can be used as a
52starting point for building the programs with VS2005 IDE. Visual Studio
532008 Express Edition is also able to use these project files.
54
55WinPcap development package is needed for the build and this can be
56downloaded from http://www.winpcap.org/install/bin/WpdPack_4_0_2.zip. The
57default nmake.mak expects this to be unpacked into C:\dev\WpdPack so
58that Include and Lib directories are in this directory. The files can be
59stored elsewhere as long as the WINPCAPDIR in nmake.mak is updated to
60match with the selected directory. In case a project file in the IDE is
61used, these Include and Lib directories need to be added to project
62properties as additional include/library directories.
63
64OpenSSL source package can be downloaded from
65http://www.openssl.org/source/openssl-0.9.8i.tar.gz and built and
66installed following instructions in INSTALL.W32. Note that if EAP-FAST
67support will be included in the wpa_supplicant, OpenSSL needs to be
68patched to# support it openssl-0.9.8i-tls-extensions.patch. The example
69nmake.mak file expects OpenSSL to be installed into C:\dev\openssl, but
70this directory can be modified by changing OPENSSLDIR variable in
71nmake.mak.
72
73If you do not need EAP-FAST support, you may also be able to use Win32
74binary installation package of OpenSSL from
75http://www.slproweb.com/products/Win32OpenSSL.html instead of building
76the library yourself. In this case, you will need to copy Include and
77Lib directories in suitable directory, e.g., C:\dev\openssl for the
78default nmake.mak. Copy {Win32OpenSSLRoot}\include into
79C:\dev\openssl\include and make C:\dev\openssl\lib subdirectory with
80files from {Win32OpenSSLRoot}\VC (i.e., libeay*.lib and ssleay*.lib).
81This will end up using dynamically linked OpenSSL (i.e., .dll files are
82needed) for it. Alternative, you can copy files from
83{Win32OpenSSLRoot}\VC\static to create a static build (no OpenSSL .dll
84files needed).
85
86
87Building wpa_supplicant for cygwin
88----------------------------------
89
90wpa_supplicant can be built for cygwin by installing the needed
91development packages for cygwin. This includes things like compiler,
92make, openssl development package, etc. In addition, developer's pack
93for WinPcap (WPdpack.zip) from
94http://winpcap.polito.it/install/default.htm is needed.
95
96.config file should enable only one driver interface,
97CONFIG_DRIVER_NDIS. In addition, include directories may need to be
98added to match the system. An example configuration is available in
99defconfig. The library and include files for WinPcap will either need
100to be installed in compiler/linker default directories or their
101location will need to be adding to .config when building
102wpa_supplicant.
103
104Othen than this, the build should be more or less identical to Linux
105version, i.e., just run make after having created .config file. An
106additional tool, win_if_list.exe, can be built by running "make
107win_if_list".
108
109
110Building wpa_gui
111----------------
112
113wpa_gui uses Qt application framework from Trolltech. It can be built
114with the open source version of Qt4 and MinGW. Following commands can
115be used to build the binary in the Qt 4 Command Prompt:
116
117# go to the root directory of wpa_supplicant source code
118cd wpa_gui-qt4
119qmake -o Makefile wpa_gui.pro
120make
121# the wpa_gui.exe binary is created into 'release' subdirectory
122
123
124Using wpa_supplicant for Windows
125--------------------------------
126
127wpa_supplicant, wpa_cli, and wpa_gui behave more or less identically to
128Linux version, so instructions in README and example wpa_supplicant.conf
129should be applicable for most parts. In addition, there is another
130version of wpa_supplicant, wpasvc.exe, which can be used as a Windows
131service and which reads its configuration from registry instead of
132text file.
133
134When using access points in "hidden SSID" mode, ap_scan=2 mode need to
135be used (see wpa_supplicant.conf for more information).
136
137Windows NDIS/WinPcap uses quite long interface names, so some care
138will be needed when starting wpa_supplicant. Alternatively, the
139adapter description can be used as the interface name which may be
140easier since it is usually in more human-readable
141format. win_if_list.exe can be used to find out the proper interface
142name.
143
144Example steps in starting up wpa_supplicant:
145
146# win_if_list.exe
147ifname: \Device\NPF_GenericNdisWanAdapter
148description: Generic NdisWan adapter
149
150ifname: \Device\NPF_{769E012B-FD17-4935-A5E3-8090C38E25D2}
151description: Atheros Wireless Network Adapter (Microsoft's Packet Scheduler)
152
153ifname: \Device\NPF_{732546E7-E26C-48E3-9871-7537B020A211}
154description: Intel 8255x-based Integrated Fast Ethernet (Microsoft's Packet Scheduler)
155
156
157Since the example configuration used Atheros WLAN card, the middle one
158is the correct interface in this case. The interface name for -i
159command line option is the full string following "ifname:" (the
160"\Device\NPF_" prefix can be removed). In other words, wpa_supplicant
161would be started with the following command:
162
163# wpa_supplicant.exe -i'{769E012B-FD17-4935-A5E3-8090C38E25D2}' -c wpa_supplicant.conf -d
164
165-d optional enables some more debugging (use -dd for even more, if
166needed). It can be left out if debugging information is not needed.
167
168With the alternative mechanism for selecting the interface, this
169command has identical results in this case:
170
171# wpa_supplicant.exe -iAtheros -c wpa_supplicant.conf -d
172
173
174Simple configuration example for WPA-PSK:
175
176#ap_scan=2
177ctrl_interface=
178network={
179	ssid="test"
180	key_mgmt=WPA-PSK
181	proto=WPA
182	pairwise=TKIP
183	psk="secret passphrase"
184}
185
186(remove '#' from the comment out ap_scan line to enable mode in which
187wpa_supplicant tries to associate with the SSID without doing
188scanning; this allows APs with hidden SSIDs to be used)
189
190
191wpa_cli.exe and wpa_gui.exe can be used to interact with the
192wpa_supplicant.exe program in the same way as with Linux. Note that
193ctrl_interface is using UNIX domain sockets when built for cygwin, but
194the native build for Windows uses named pipes and the contents of the
195ctrl_interface configuration item is used to control access to the
196interface. Anyway, this variable has to be included in the configuration
197to enable the control interface.
198
199
200Example SDDL string formats:
201
202(local admins group has permission, but nobody else):
203
204ctrl_interface=SDDL=D:(A;;GA;;;BA)
205
206("A" == "access allowed", "GA" == GENERIC_ALL == all permissions, and
207"BA" == "builtin administrators" == the local admins.  The empty fields
208are for flags and object GUIDs, none of which should be required in this
209case.)
210
211(local admins and the local "power users" group have permissions,
212but nobody else):
213
214ctrl_interface=SDDL=D:(A;;GA;;;BA)(A;;GA;;;PU)
215
216(One ACCESS_ALLOWED ACE for GENERIC_ALL for builtin administrators, and
217one ACCESS_ALLOWED ACE for GENERIC_ALL for power users.)
218
219(close to wide open, but you have to be a valid user on
220the machine):
221
222ctrl_interface=SDDL=D:(A;;GA;;;AU)
223
224(One ACCESS_ALLOWED ACE for GENERIC_ALL for the "authenticated users"
225group.)
226
227This one would allow absolutely everyone (including anonymous
228users) -- this is *not* recommended, since named pipes can be attached
229to from anywhere on the network (i.e. there's no "this machine only"
230like there is with 127.0.0.1 sockets):
231
232ctrl_interface=SDDL=D:(A;;GA;;;BU)(A;;GA;;;AN)
233
234(BU == "builtin users", "AN" == "anonymous")
235
236See also [1] for the format of ACEs, and [2] for the possible strings
237that can be used for principal names.
238
239[1]
240http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/ace_strings.asp
241[2]
242http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/sid_strings.asp
243
244
245Starting wpa_supplicant as a Windows service (wpasvc.exe)
246---------------------------------------------------------
247
248wpa_supplicant can be started as a Windows service by using wpasvc.exe
249program that is alternative build of wpa_supplicant.exe. Most of the
250core functionality of wpasvc.exe is identical to wpa_supplicant.exe,
251but it is using Windows registry for configuration information instead
252of a text file and command line parameters. In addition, it can be
253registered as a service that can be started automatically or manually
254like any other Windows service.
255
256The root of wpa_supplicant configuration in registry is
257HKEY_LOCAL_MACHINE\SOFTWARE\wpa_supplicant. This level includes global
258parameters and a 'interfaces' subkey with all the interface configuration
259(adapter to confname mapping). Each such mapping is a subkey that has
260'adapter', 'config', and 'ctrl_interface' values.
261
262This program can be run either as a normal command line application,
263e.g., for debugging, with 'wpasvc.exe app' or as a Windows service.
264Service need to be registered with 'wpasvc.exe reg <full path to
265wpasvc.exe>'. Alternatively, 'wpasvc.exe reg' can be used to register
266the service with the current location of wpasvc.exe. After this, wpasvc
267can be started like any other Windows service (e.g., 'net start wpasvc')
268or it can be configured to start automatically through the Services tool
269in administrative tasks. The service can be unregistered with
270'wpasvc.exe unreg'.
271
272If the service is set to start during system bootup to make the
273network connection available before any user has logged in, there may
274be a long (half a minute or so) delay in starting up wpa_supplicant
275due to WinPcap needing a driver called "Network Monitor Driver" which
276is started by default on demand.
277
278To speed up wpa_supplicant start during system bootup, "Network
279Monitor Driver" can be configured to be started sooner by setting its
280startup type to System instead of the default Demand. To do this, open
281up Device Manager, select Show Hidden Devices, expand the "Non
282Plug-and-Play devices" branch, double click "Network Monitor Driver",
283go to the Driver tab, and change the Demand setting to System instead.
284
285Configuration data is in HKEY_LOCAL_MACHINE\SOFTWARE\wpa_supplicant\configs
286key. Each configuration profile has its own key under this. In terms of text
287files, each profile would map to a separate text file with possibly multiple
288networks. Under each profile, there is a networks key that lists all
289networks as a subkey. Each network has set of values in the same way as
290network block in the configuration file. In addition, blobs subkey has
291possible blobs as values.
292
293HKEY_LOCAL_MACHINE\SOFTWARE\wpa_supplicant\configs\test\networks\0000
294   ssid="example"
295   key_mgmt=WPA-PSK
296
297See win_example.reg for an example on how to setup wpasvc.exe
298parameters in registry. It can also be imported to registry as a
299starting point for the configuration.
300