diff options
| -rw-r--r-- | usr.sbin/wpa/Makefile | 5 | ||||
| -rw-r--r-- | usr.sbin/wpa/Makefile.inc | 3 | ||||
| -rw-r--r-- | usr.sbin/wpa/l2_packet.c | 227 | ||||
| -rw-r--r-- | usr.sbin/wpa/wpa_cli/Makefile | 9 | ||||
| -rw-r--r-- | usr.sbin/wpa/wpa_cli/wpa_cli.1 | 192 | ||||
| -rw-r--r-- | usr.sbin/wpa/wpa_supplicant/Makefile | 40 | ||||
| -rw-r--r-- | usr.sbin/wpa/wpa_supplicant/driver_freebsd.c | 636 | ||||
| -rw-r--r-- | usr.sbin/wpa/wpa_supplicant/wpa_supplicant.1 | 132 | ||||
| -rw-r--r-- | usr.sbin/wpa/wpa_supplicant/wpa_supplicant.conf.5 | 157 |
9 files changed, 1401 insertions, 0 deletions
diff --git a/usr.sbin/wpa/Makefile b/usr.sbin/wpa/Makefile new file mode 100644 index 0000000..df3c13b --- /dev/null +++ b/usr.sbin/wpa/Makefile @@ -0,0 +1,5 @@ +# $FreeBSD$ + +SUBDIR= wpa_supplicant wpa_cli + +.include <bsd.subdir.mk> diff --git a/usr.sbin/wpa/Makefile.inc b/usr.sbin/wpa/Makefile.inc new file mode 100644 index 0000000..8c6b79e --- /dev/null +++ b/usr.sbin/wpa/Makefile.inc @@ -0,0 +1,3 @@ +# $FreeBSD$ + +BINDIR?= /usr/sbin diff --git a/usr.sbin/wpa/l2_packet.c b/usr.sbin/wpa/l2_packet.c new file mode 100644 index 0000000..dae3eb7 --- /dev/null +++ b/usr.sbin/wpa/l2_packet.c @@ -0,0 +1,227 @@ +/* + * WPA Supplicant - Layer2 packet handling + * Copyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi> + * Copyright (c) 2005, Sam Leffler <sam@errno.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + * Alternatively, this software may be distributed under the terms of BSD + * license. + * + * See README and COPYING for more details. + * + * $FreeBSD$ + */ + +/* + * FreeBSD-specific implementation. + */ +#include <stdlib.h> +#include <stdio.h> +#include <errno.h> +#include <pcap.h> + +#include <sys/types.h> +#include <sys/ioctl.h> +#include <sys/socket.h> +#include <sys/sysctl.h> + +#include <net/if.h> +#include <net/if_dl.h> +#include <net/route.h> + +#include "common.h" +#include "eloop.h" +#include "l2_packet.h" + +struct l2_packet_data { + pcap_t *pcap; + char ifname[100]; + u8 own_addr[ETH_ALEN]; + void (*rx_callback)(void *ctx, unsigned char *src_addr, + unsigned char *buf, size_t len); + void *rx_callback_ctx; + int rx_l2_hdr; /* whether to include layer 2 (Ethernet) header in calls + * to rx_callback */ +}; + +int +l2_packet_get_own_addr(struct l2_packet_data *l2, u8 *addr) +{ + memcpy(addr, l2->own_addr, ETH_ALEN); + return 0; +} + +void +l2_packet_set_rx_l2_hdr(struct l2_packet_data *l2, int rx_l2_hdr) +{ + l2->rx_l2_hdr = rx_l2_hdr; +} + +int +l2_packet_send(struct l2_packet_data *l2, u8 *buf, size_t len) +{ + return pcap_inject(l2->pcap, buf, len); +} + + +static void +l2_packet_receive(int sock, void *eloop_ctx, void *sock_ctx) +{ + struct l2_packet_data *l2 = eloop_ctx; + pcap_t *pcap = sock_ctx; + struct pcap_pkthdr hdr; + const u_char *packet; + struct l2_ethhdr *ethhdr; + unsigned char *buf; + size_t len; + + packet = pcap_next(pcap, &hdr); + + if (packet == NULL || hdr.caplen < sizeof(*ethhdr)) + return; + + ethhdr = (struct l2_ethhdr *) packet; + if (l2->rx_l2_hdr) { + buf = (unsigned char *) ethhdr; + len = hdr.caplen; + } else { + buf = (unsigned char *) (ethhdr + 1); + len = hdr.caplen - sizeof(*ethhdr); + } + l2->rx_callback(l2->rx_callback_ctx, ethhdr->h_source, buf, len); +} + +static int +l2_packet_init_libpcap(struct l2_packet_data *l2, unsigned short protocol) +{ + bpf_u_int32 pcap_maskp, pcap_netp; + char pcap_filter[100], pcap_err[PCAP_ERRBUF_SIZE]; + struct bpf_program pcap_fp; + + pcap_lookupnet(l2->ifname, &pcap_netp, &pcap_maskp, pcap_err); + l2->pcap = pcap_open_live(l2->ifname, 2500, 0, 10, pcap_err); + if (l2->pcap == NULL) { + fprintf(stderr, "pcap_open_live: %s\n", pcap_err); + fprintf(stderr, "ifname='%s'\n", l2->ifname); + return -1; + } + if (pcap_datalink(l2->pcap) != DLT_EN10MB && + pcap_set_datalink(l2->pcap, DLT_EN10MB) < 0) { + fprintf(stderr, "pcap_set_datalinke(DLT_EN10MB): %s\n", + pcap_geterr(l2->pcap)); + return -1; + } + snprintf(pcap_filter, sizeof(pcap_filter), + "ether dst " MACSTR " and ether proto 0x%x", + MAC2STR(l2->own_addr), protocol); + if (pcap_compile(l2->pcap, &pcap_fp, pcap_filter, 1, pcap_netp) < 0) { + fprintf(stderr, "pcap_compile: %s\n", pcap_geterr(l2->pcap)); + return -1; + } + + if (pcap_setfilter(l2->pcap, &pcap_fp) < 0) { + fprintf(stderr, "pcap_setfilter: %s\n", pcap_geterr(l2->pcap)); + return -1; + } + + pcap_freecode(&pcap_fp); + /* + * When libpcap uses BPF we must enable "immediate mode" to + * receive frames right away; otherwise the system may + * buffer them for us. + */ + { unsigned int on = 1; + if (ioctl(pcap_fileno(l2->pcap), BIOCIMMEDIATE, &on) < 0) { + fprintf(stderr, "%s: cannot enable immediate mode on " + "interface %s: %s\n", + __func__, l2->ifname, strerror(errno)); + /* XXX should we fail? */ + } + } + + eloop_register_read_sock(pcap_get_selectable_fd(l2->pcap), + l2_packet_receive, l2, l2->pcap); + + return 0; +} + +static int +eth_get(const char *device, u8 ea[ETH_ALEN]) +{ + struct if_msghdr *ifm; + struct sockaddr_dl *sdl; + u_char *p, *buf; + size_t len; + int mib[] = { CTL_NET, AF_ROUTE, 0, AF_LINK, NET_RT_IFLIST, 0 }; + + if (sysctl(mib, 6, NULL, &len, NULL, 0) < 0) + return -1; + if ((buf = malloc(len)) == NULL) + return -1; + if (sysctl(mib, 6, buf, &len, NULL, 0) < 0) { + free(buf); + return -1; + } + for (p = buf; p < buf + len; p += ifm->ifm_msglen) { + ifm = (struct if_msghdr *)p; + sdl = (struct sockaddr_dl *)(ifm + 1); + if (ifm->ifm_type != RTM_IFINFO || + (ifm->ifm_addrs & RTA_IFP) == 0) + continue; + if (sdl->sdl_family != AF_LINK || sdl->sdl_nlen == 0 || + memcmp(sdl->sdl_data, device, sdl->sdl_nlen) != 0) + continue; + memcpy(ea, LLADDR(sdl), sdl->sdl_alen); + break; + } + free(buf); + + if (p >= buf + len) { + errno = ESRCH; + return -1; + } + return 0; +} + +struct l2_packet_data * +l2_packet_init(const char *ifname, const u8 *own_addr, unsigned short protocol, + void (*rx_callback)(void *ctx, unsigned char *src_addr, + unsigned char *buf, size_t len), + void *rx_callback_ctx) +{ + struct l2_packet_data *l2; + + l2 = malloc(sizeof(struct l2_packet_data)); + if (l2 == NULL) + return NULL; + memset(l2, 0, sizeof(*l2)); + strncpy(l2->ifname, ifname, sizeof(l2->ifname)); + l2->rx_callback = rx_callback; + l2->rx_callback_ctx = rx_callback_ctx; + + if (eth_get(l2->ifname, l2->own_addr) < 0) { + fprintf(stderr, "Failed to get link-level address for " + "interface '%s'.\n", l2->ifname); + free(l2); + return NULL; + } + + if (l2_packet_init_libpcap(l2, protocol) != 0) { + free(l2); + return NULL; + } + return l2; +} + +void +l2_packet_deinit(struct l2_packet_data *l2) +{ + if (l2 != NULL) { + if (l2->pcap) + pcap_close(l2->pcap); + free(l2); + } +} diff --git a/usr.sbin/wpa/wpa_cli/Makefile b/usr.sbin/wpa/wpa_cli/Makefile new file mode 100644 index 0000000..927a30e --- /dev/null +++ b/usr.sbin/wpa/wpa_cli/Makefile @@ -0,0 +1,9 @@ +# $FreeBSD$ + +WPA_SUPPLICANT_DISTDIR?= ${.CURDIR}/../../../contrib/wpa_supplicant +.PATH: ${WPA_SUPPLICANT_DISTDIR} + +PROG= wpa_cli +SRCS= wpa_cli.c wpa_ctrl.c + +.include <bsd.prog.mk> diff --git a/usr.sbin/wpa/wpa_cli/wpa_cli.1 b/usr.sbin/wpa/wpa_cli/wpa_cli.1 new file mode 100644 index 0000000..b28f5b7 --- /dev/null +++ b/usr.sbin/wpa/wpa_cli/wpa_cli.1 @@ -0,0 +1,192 @@ +.\" Copyright (c) 2005 Sam Leffler <sam@errno.com> +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd June 3, 2005 +.Dt WPA_CLI 1 +.Os +.Sh NAME +.Nm wpa_cli +.Nd "text-based frontend program for interacting with wpa_supplicant" +.Sh SYNOPSIS +.Nm +.Op commands +.Sh DESCRIPTION +.Nm +is a text-based frontend program for interacting with +.Xr wpa_supplicant 1. +.Nm +is used to query current status, +change configuration, +trigger events, +and +request interactive user input. +.Pp +.Nm +can show the +current authentication status, +selected security +mode, dot11 and dot1x MIBs, etc. +In addition, +.Nm +can configure EAPOL state machine +parameters and trigger events like reassociation +and IEEE 802.1X logoff/logon. +.Nm +provides a user interface to request authentication information, +like username and password, if these are not included in the +configuration. +This can be used to implement, +e.g., one-time-passwords or generic token card +authentication where the authentication is based on a +challenge-response that uses an external device for generating the +response. +.Pp +The control interface of +.Nm wpa_supplicant +can be configured to allow +non-root user access (ctrl_interface_group in the configuration file). +This makes it possible to run +.Nm +with a normal user account. +.Pp +.Nm +supports two modes: interactive and command line. +Both modes share the same command set and the main difference +is in interactive mode providing access to unsolicited messages +(event messages, username/password requests). +.Pp +Interactive mode is started when +.Nm +is executed without with any parameters on the command line. +Commands are then entered from the controlling terminal in +response to the +.Nm +prompt. +In command line mode, the same commands are +entered as command line arguments. +.Sh AUTHENTICATION PARAMETERS +.Pp +When +.Nm wpa_supplicant +needs authentication parameters, such as username and password, +that are not present in the configuration file, it sends a +request message to all attached frontend programs, e.g., +.Nm +in interactive mode. +.Nm +shows these requests with +"CTRL-REQ-<type>-<id>:<text>" prefix. +<type> is IDENTITY, PASSWORD, or OTP (one-time-password). +<id> is a unique identifier for the current network. +<text> is description of the request. +In case of OTP request, it includes the challenge from +the authentication server. +.Pp +A user must supply +.Nm wpa_supplicant +the needed parameters in response to these requests. +.Pp +For example, +.Bd -literal +CTRL-REQ-PASSWORD-1:Password needed for SSID foobar +> password 1 mysecretpassword + +Example request for generic token card challenge-response: + +CTRL-REQ-OTP-2:Challenge 1235663 needed for SSID foobar +> otp 2 9876 +.Ed +.Sh COMMANDS +The following commands may be supplied on the command line +or at a prompt when operating interactively. +.Bl -tag -width indent +.It status +Report the current WPA/EAPOL/EAP status for the current interface. +.It mib +Report MIB variables (dot1x, dot11) for the current interface. +.It help +Show usage help. +.It interface [ Ar ifname ] +Show available interfaces and/or set the current interface +when multiple are available. +.It level <debug level> +Change the debugging level in +.Nm wpa_supplicant . +Larger numbers generate more messages. +.It license +Display the full +.Nm +license for +.Nm . +.It logoff +Send the IEEE 802.1X EAPOL state machine into the logoff state. +.It logon +Send the IEEE 802.1X EAPOL state machine into the logon state. +.It set [ settings ] +Set variables. +When no arguments are supplied the known variables and their settings +are displayed. +.It pmksa +Show the contents of the PMKSA cache. +.It reassociate +Force a reassociation to the current access point. +.It reconfigure +Force +.Nm +to re-read its configuration file. +.It preauthenticate <BSSID> +Force preauthentication of the specified BSSID. +.It identity <network id> <identity> +Configure an identity for an SSID. +.It password <network id> <password> +Configure a password for an SSID. +.It otp <network id> <password> +Configure a one-time-password for an SSID. +.It terminate +Force +.Nm wpa_supplicant +to terminate. +.It quit +Exit +.Nm . +.El +.Sh SEE ALSO +.Xr wpa_supplicant 1 , +.Xr wpa_supplicant.conf 5 +.Sh HISTORY +The +.Nm +utility first appeared in +.Fx 6.0 . +.Sh AUTHORS +The +.Nm +utility was written by +.An Jouni Malinen Aq jkmaline@cc.hut.fi . +This manual page is derived from the README file included in the +.Nm +distribution. +.Sh BUGS diff --git a/usr.sbin/wpa/wpa_supplicant/Makefile b/usr.sbin/wpa/wpa_supplicant/Makefile new file mode 100644 index 0000000..e24743a --- /dev/null +++ b/usr.sbin/wpa/wpa_supplicant/Makefile @@ -0,0 +1,40 @@ +# $FreeBSD$ + +WPA_SUPPLICANT_DISTDIR?= ${.CURDIR}/../../../contrib/wpa_supplicant +.PATH: ${.CURDIR}/.. ${WPA_SUPPLICANT_DISTDIR} + +PROG= wpa_supplicant +SRCS= config.c eloop.c common.c md5.c rc4.c sha1.c aes_wrap.c \ + wpa_supplicant.c wpa.c \ + ctrl_iface.c l2_packet.c drivers.c driver_freebsd.c + +CFLAGS+= -I${.CURDIR} -I${WPA_SUPPLICANT_DISTDIR} +CFLAGS+= -DCONFIG_DRIVER_BSD +CFLAGS+= -DCONFIG_CTRL_IFACE +CFLAGS+= -g +DPADD+= ${LIBPCAP} +LDADD+= -lpcap + +.if defined(ENABLE_WPA_SUPPLICANT_EAPOL) +SRCS+= eapol_sm.c eap.c +CFLAGS+= -DIEEE8021X_EAPOL + +.if !defined(NO_CRYPT) && !defined(NO_OPENSSL) && !defined(RELEASE_CRUNCH) +CFLAGS+=-DEAP_TLS -DEAP_PEAP -DEAP_MSCHAPv2 -DEAP_LEAP -DEAP_PSK \ + -DEAP_TLV -DEAP_TLS_FUNCS +SRCS+= eap_tls.c eap_peap.c eap_mschapv2.c eap_leap.c eap_psk.c \ + eap_tlv.c eap_tls_common.c tls_openssl.c ms_funcs.c crypto.c + +# NB: requires patch to openssl +#CFLAGS+= -DEAP_FAST +#SRCS+= eap_fast.c + +DPADD+= ${LIBCRYPTO} +LDADD+= -lssl -lcrypto +.else +SRCS+= tls_none.c +.endif + +.endif + +.include <bsd.prog.mk> diff --git a/usr.sbin/wpa/wpa_supplicant/driver_freebsd.c b/usr.sbin/wpa/wpa_supplicant/driver_freebsd.c new file mode 100644 index 0000000..1a9a0fd --- /dev/null +++ b/usr.sbin/wpa/wpa_supplicant/driver_freebsd.c @@ -0,0 +1,636 @@ +/* + * WPA Supplicant - driver interaction with BSD net80211 layer + * Copyright (c) 2004, Sam Leffler <sam@errno.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + * + * Alternatively, this software may be distributed under the terms of BSD + * license. + * + * See README and COPYING for more details. + * + * $FreeBSD$ + */ + +#include <stdlib.h> +#include <stdio.h> +#include <unistd.h> +#include <string.h> +#include <sys/ioctl.h> +#include <errno.h> + +#include "common.h" +#include "driver.h" +#include "eloop.h" +#include "wpa_supplicant.h" +#include "l2_packet.h" + +#include <sys/socket.h> +#include <net/if.h> + +#include <net80211/ieee80211.h> +#include <net80211/ieee80211_crypto.h> +#include <net80211/ieee80211_ioctl.h> + +struct wpa_driver_bsd_data { + int sock; /* open socket for 802.11 ioctls */ + int route; /* routing socket for events */ + char ifname[IFNAMSIZ+1]; /* interface name */ + void *ctx; +}; + +static int +set80211var(struct wpa_driver_bsd_data *drv, int op, const void *arg, int arg_len) +{ + struct ieee80211req ireq; + + memset(&ireq, 0, sizeof(ireq)); + strncpy(ireq.i_name, drv->ifname, IFNAMSIZ); + ireq.i_type = op; + ireq.i_len = arg_len; + ireq.i_data = (void *) arg; + + if (ioctl(drv->sock, SIOCS80211, &ireq) < 0) { + perror("ioctl[SIOCS80211]"); + return -1; + } + return 0; +} + +static int +get80211var(struct wpa_driver_bsd_data *drv, int op, void *arg, int arg_len) +{ + struct ieee80211req ireq; + + memset(&ireq, 0, sizeof(ireq)); + strncpy(ireq.i_name, drv->ifname, IFNAMSIZ); + ireq.i_type = op; + ireq.i_len = arg_len; + ireq.i_data = arg; + + if (ioctl(drv->sock, SIOCG80211, &ireq) < 0) { + perror("ioctl[SIOCG80211]"); + return -1; + } + return ireq.i_len; +} + +static int +set80211param(struct wpa_driver_bsd_data *drv, int op, int arg) +{ + struct ieee80211req ireq; + + memset(&ireq, 0, sizeof(ireq)); + strncpy(ireq.i_name, drv->ifname, IFNAMSIZ); + ireq.i_type = op; + ireq.i_val = arg; + + if (ioctl(drv->sock, SIOCS80211, &ireq) < 0) { + perror("ioctl[SIOCS80211]"); + return -1; + } + return 0; +} + +static int +getifflags(struct wpa_driver_bsd_data *drv, int *flags) +{ + struct ifreq ifr; + + memset(&ifr, 0, sizeof(ifr)); + strncpy(ifr.ifr_name, drv->ifname, sizeof (ifr.ifr_name)); + if (ioctl(drv->sock, SIOCGIFFLAGS, (caddr_t)&ifr) < 0) { + perror("SIOCGIFFLAGS"); + return errno; + } + *flags = ifr.ifr_flags & 0xffff; + return 0; +} + +static int +setifflags(struct wpa_driver_bsd_data *drv, int flags) +{ + struct ifreq ifr; + + memset(&ifr, 0, sizeof(ifr)); + strncpy(ifr.ifr_name, drv->ifname, sizeof (ifr.ifr_name)); + ifr.ifr_flags = flags & 0xffff; + if (ioctl(drv->sock, SIOCSIFFLAGS, (caddr_t)&ifr) < 0) { + perror("SIOCSIFFLAGS"); + return errno; + } + return 0; +} + +static int +wpa_driver_bsd_get_bssid(void *priv, u8 *bssid) +{ + struct wpa_driver_bsd_data *drv = priv; + + return get80211var(drv, IEEE80211_IOC_BSSID, + bssid, IEEE80211_ADDR_LEN) < 0 ? -1 : 0; +} + +#if 0 +static int +wpa_driver_bsd_set_bssid(void *priv, const char *bssid) +{ + struct wpa_driver_bsd_data *drv = priv; + + return set80211var(drv, IEEE80211_IOC_BSSID, + bssid, IEEE80211_ADDR_LEN); +} +#endif + +static int +wpa_driver_bsd_get_ssid(void *priv, u8 *ssid) +{ + struct wpa_driver_bsd_data *drv = priv; + + return get80211var(drv, IEEE80211_IOC_SSID, + ssid, IEEE80211_NWID_LEN); +} + +static int +wpa_driver_bsd_set_ssid(void *priv, const char *ssid, + size_t ssid_len) +{ + struct wpa_driver_bsd_data *drv = priv; + + return set80211var(drv, IEEE80211_IOC_SSID, ssid, ssid_len); +} + +static int +wpa_driver_bsd_set_wpa_ie(struct wpa_driver_bsd_data *drv, + const char *wpa_ie, size_t wpa_ie_len) +{ + return set80211var(drv, IEEE80211_IOC_OPTIE, wpa_ie, wpa_ie_len); +} + +static int +wpa_driver_bsd_set_wpa(void *priv, int enabled) +{ + struct wpa_driver_bsd_data *drv = priv; + int ret = 0; + + wpa_printf(MSG_DEBUG, "%s: enabled=%d", __FUNCTION__, enabled); + + if (!enabled && wpa_driver_bsd_set_wpa_ie(drv, NULL, 0) < 0) + ret = -1; + if (set80211param(drv, IEEE80211_IOC_ROAMING, enabled ? 2 : 0) < 0) + ret = -1; + if (set80211param(drv, IEEE80211_IOC_PRIVACY, enabled) < 0) + ret = -1; + if (set80211param(drv, IEEE80211_IOC_WPA, enabled ? 3 : 0) < 0) + ret = -1; + + return ret; +} + +static int +wpa_driver_bsd_del_key(struct wpa_driver_bsd_data *drv, int key_idx, + const unsigned char *addr) +{ + struct ieee80211req_del_key wk; + + wpa_printf(MSG_DEBUG, "%s: keyidx=%d", __FUNCTION__, key_idx); + memset(&wk, 0, sizeof(wk)); + wk.idk_keyix = key_idx; + if (addr != NULL) + memcpy(wk.idk_macaddr, addr, IEEE80211_ADDR_LEN); + + return set80211var(drv, IEEE80211_IOC_DELKEY, &wk, sizeof(wk)); +} + +static int +wpa_driver_bsd_set_key(void *priv, wpa_alg alg, + const unsigned char *addr, int key_idx, int set_tx, + const u8 *seq, size_t seq_len, + const u8 *key, size_t key_len) +{ + struct wpa_driver_bsd_data *drv = priv; + struct ieee80211req_key wk; + char *alg_name; + u_int8_t cipher; + + if (alg == WPA_ALG_NONE) + return wpa_driver_bsd_del_key(drv, key_idx, addr); + + switch (alg) { + case WPA_ALG_WEP: + alg_name = "WEP"; + cipher = IEEE80211_CIPHER_WEP; + break; + case WPA_ALG_TKIP: + alg_name = "TKIP"; + cipher = IEEE80211_CIPHER_TKIP; + break; + case WPA_ALG_CCMP: + alg_name = "CCMP"; + cipher = IEEE80211_CIPHER_AES_CCM; + break; + default: + wpa_printf(MSG_DEBUG, "%s: unknown/unsupported algorithm %d", + __FUNCTION__, alg); + return -1; + } + + wpa_printf(MSG_DEBUG, "%s: alg=%s key_idx=%d set_tx=%d seq_len=%d " + "key_len=%d", __FUNCTION__, alg_name, key_idx, set_tx, + seq_len, key_len); + + if (seq_len > sizeof(u_int64_t)) { + wpa_printf(MSG_DEBUG, "%s: seq_len %d too big", + __FUNCTION__, seq_len); + return -2; + } + if (key_len > sizeof(wk.ik_keydata)) { + wpa_printf(MSG_DEBUG, "%s: key length %d too big", + __FUNCTION__, key_len); + return -3; + } + + memset(&wk, 0, sizeof(wk)); + wk.ik_type = cipher; + wk.ik_flags = IEEE80211_KEY_RECV; + if (set_tx) { + wk.ik_flags |= IEEE80211_KEY_XMIT | IEEE80211_KEY_DEFAULT; + memcpy(wk.ik_macaddr, addr, IEEE80211_ADDR_LEN); + } else + memset(wk.ik_macaddr, 0, IEEE80211_ADDR_LEN); + wk.ik_keyix = key_idx; + wk.ik_keylen = key_len; + memcpy(&wk.ik_keyrsc, seq, seq_len); + memcpy(wk.ik_keydata, key, key_len); + + return set80211var(drv, IEEE80211_IOC_WPAKEY, &wk, sizeof(wk)); +} + +static int +wpa_driver_bsd_set_countermeasures(void *priv, int enabled) +{ + struct wpa_driver_bsd_data *drv = priv; + + wpa_printf(MSG_DEBUG, "%s: enabled=%d", __FUNCTION__, enabled); + return set80211param(drv, IEEE80211_IOC_COUNTERMEASURES, enabled); +} + + +static int +wpa_driver_bsd_set_drop_unencrypted(void *priv, int enabled) +{ + struct wpa_driver_bsd_data *drv = priv; + + wpa_printf(MSG_DEBUG, "%s: enabled=%d", __FUNCTION__, enabled); + return set80211param(drv, IEEE80211_IOC_DROPUNENCRYPTED, enabled); +} + +static int +wpa_driver_bsd_deauthenticate(void *priv, const u8 *addr, int reason_code) +{ + struct wpa_driver_bsd_data *drv = priv; + struct ieee80211req_mlme mlme; + + wpa_printf(MSG_DEBUG, "%s", __FUNCTION__); + mlme.im_op = IEEE80211_MLME_DEAUTH; + mlme.im_reason = reason_code; + memcpy(mlme.im_macaddr, addr, IEEE80211_ADDR_LEN); + return set80211var(drv, IEEE80211_IOC_MLME, &mlme, sizeof(mlme)); +} + +static int +wpa_driver_bsd_disassociate(void *priv, const u8 *addr, int reason_code) +{ + struct wpa_driver_bsd_data *drv = priv; + struct ieee80211req_mlme mlme; + + wpa_printf(MSG_DEBUG, "%s", __FUNCTION__); + mlme.im_op = IEEE80211_MLME_DISASSOC; + mlme.im_reason = reason_code; + memcpy(mlme.im_macaddr, addr, IEEE80211_ADDR_LEN); + return set80211var(drv, IEEE80211_IOC_MLME, &mlme, sizeof(mlme)); +} + +static int +wpa_driver_bsd_associate(void *priv, struct wpa_driver_associate_params *params) +{ + struct wpa_driver_bsd_data *drv = priv; + struct ieee80211req_mlme mlme; + + int ret = 0; + + wpa_printf(MSG_DEBUG, "%s", __FUNCTION__); + + /* + * NB: Don't need to set the freq or cipher-related state as + * this is implied by the bssid which is used to locate + * the scanned node state which holds it. The ssid is + * needed to disambiguate an AP that broadcasts multiple + * ssid's but uses the same bssid. + */ + /* XXX error handling is wrong but unclear what to do... */ + if (wpa_driver_bsd_set_wpa_ie(drv, params->wpa_ie, params->wpa_ie_len) < 0) + ret = -1; + if (wpa_driver_bsd_set_ssid(drv, params->ssid, params->ssid_len) < 0) + ret = -1; + memset(&mlme, 0, sizeof(mlme)); + mlme.im_op = IEEE80211_MLME_ASSOC; + memcpy(mlme.im_macaddr, params->bssid, IEEE80211_ADDR_LEN); + if (set80211var(drv, IEEE80211_IOC_MLME, &mlme, sizeof(mlme)) < 0) + ret = -1; + + return ret; +} + +static int +wpa_driver_bsd_scan(void *priv, const u8 *ssid, size_t ssid_len) +{ + struct wpa_driver_bsd_data *drv = priv; + int flags; + + /* NB: interface must be marked UP to do a scan */ + if (getifflags(drv, &flags) != 0 || setifflags(drv, flags | IFF_UP) != 0) + return -1; + + /* set desired ssid before scan */ + if (wpa_driver_bsd_set_ssid(drv, ssid, ssid_len) < 0) + return -1; + + /* NB: net80211 delivers a scan complete event so no need to poll */ + return set80211param(drv, IEEE80211_IOC_SCAN_REQ, 0); +} + +#include <net/route.h> +#include <net80211/ieee80211_freebsd.h> + +static void +wpa_driver_bsd_event_receive(int sock, void *ctx, void *sock_ctx) +{ + char buf[2048]; + struct if_announcemsghdr *ifan; + struct rt_msghdr *rtm; + union wpa_event_data event; + struct ieee80211_michael_event *mic; + int n; + + n = read(sock, buf, sizeof(buf)); + if (n < 0) { + if (errno != EINTR && errno != EAGAIN) + perror("read(PF_ROUTE)"); + return; + } + + rtm = (struct rt_msghdr *) buf; + if (rtm->rtm_version != RTM_VERSION) { + wpa_printf(MSG_DEBUG, "Routing message version %d not " + "understood\n", rtm->rtm_version); + return; + } + ifan = (struct if_announcemsghdr *) rtm; + switch (rtm->rtm_type) { + case RTM_IFANNOUNCE: + memset(&event, 0, sizeof(event)); + /* XXX name buffer must be >= IFNAMSIZ */ + /* XXX check return value */ + if_indextoname(ifan->ifan_index, event.interface_status.ifname); + switch (ifan->ifan_what) { + case IFAN_ARRIVAL: + event.interface_status.ievent = EVENT_INTERFACE_ADDED; + break; + case IFAN_DEPARTURE: + event.interface_status.ievent = EVENT_INTERFACE_REMOVED; + default: + return; + } + wpa_printf(MSG_DEBUG, "RTM_IFANNOUNCE: Interface '%s' %s", + event.interface_status.ifname, + ifan->ifan_what == IFAN_DEPARTURE ? + "removed" : "added"); + wpa_supplicant_event(ctx, EVENT_INTERFACE_STATUS, &event); + break; + case RTM_IEEE80211: + switch (ifan->ifan_what) { + case RTM_IEEE80211_ASSOC: + case RTM_IEEE80211_REASSOC: + wpa_supplicant_event(ctx, EVENT_ASSOC, NULL); + break; + case RTM_IEEE80211_DISASSOC: + wpa_supplicant_event(ctx, EVENT_DISASSOC, NULL); + break; + case RTM_IEEE80211_SCAN: + wpa_supplicant_event(ctx, EVENT_SCAN_RESULTS, NULL); + break; + case RTM_IEEE80211_REPLAY: + /* ignore */ + break; + case RTM_IEEE80211_MICHAEL: + mic = (struct ieee80211_michael_event *) &ifan[1]; + wpa_printf(MSG_DEBUG, + "Michael MIC failure wireless event: " + "keyix=%u src_addr=" MACSTR, mic->iev_keyix, + MAC2STR(mic->iev_src)); + + memset(&event, 0, sizeof(event)); + event.michael_mic_failure.unicast = + !IEEE80211_IS_MULTICAST(mic->iev_dst); + wpa_supplicant_event(ctx, EVENT_MICHAEL_MIC_FAILURE, + &event); + break; + } + break; + } +} + +/* Compare function for sorting scan results. Return >0 if @b is consider + * better. */ +static int +wpa_scan_result_compar(const void *a, const void *b) +{ + const struct wpa_scan_result *wa = a; + const struct wpa_scan_result *wb = b; + + /* WPA/WPA2 support preferred */ + if ((wb->wpa_ie_len || wb->rsn_ie_len) && + !(wa->wpa_ie_len || wa->rsn_ie_len)) + return 1; + if (!(wb->wpa_ie_len || wb->rsn_ie_len) && + (wa->wpa_ie_len || wa->rsn_ie_len)) + return -1; + + /* privacy support preferred */ + if ((wa->caps & IEEE80211_CAPINFO_PRIVACY) && + (wb->caps & IEEE80211_CAPINFO_PRIVACY) == 0) + return 1; + if ((wa->caps & IEEE80211_CAPINFO_PRIVACY) == 0 && + (wb->caps & IEEE80211_CAPINFO_PRIVACY)) + return -1; + + /* best/max rate preferred if signal level close enough XXX */ + if (wa->maxrate != wb->maxrate && abs(wb->level - wa->level) < 5) + return wb->maxrate - wa->maxrate; + + /* use freq for channel preference */ + + /* all things being equal, use signal level */ + return wb->level - wa->level; +} + +static int +getmaxrate(uint8_t rates[15], uint8_t nrates) +{ + int i, maxrate = -1; + + for (i = 0; i < nrates; i++) { + int rate = rates[i] & IEEE80211_RATE_VAL; + if (rate > maxrate) + rate = maxrate; + } + return maxrate; +} + +/* unalligned little endian access */ +#define LE_READ_4(p) \ + ((u_int32_t) \ + ((((const u_int8_t *)(p))[0] ) | \ + (((const u_int8_t *)(p))[1] << 8) | \ + (((const u_int8_t *)(p))[2] << 16) | \ + (((const u_int8_t *)(p))[3] << 24))) + +static int __inline +iswpaoui(const u_int8_t *frm) +{ + return frm[1] > 3 && LE_READ_4(frm+2) == ((WPA_OUI_TYPE<<24)|WPA_OUI); +} + +static int +wpa_driver_bsd_get_scan_results(void *priv, + struct wpa_scan_result *results, + size_t max_size) +{ +#define min(a,b) ((a)>(b)?(b):(a)) + struct wpa_driver_bsd_data *drv = priv; + uint8_t buf[24*1024]; + uint8_t *cp, *vp; + struct ieee80211req_scan_result *sr; + struct wpa_scan_result *wsr; + int len, ielen; + + memset(results, 0, max_size * sizeof(struct wpa_scan_result)); + + len = get80211var(drv, IEEE80211_IOC_SCAN_RESULTS, buf, sizeof(buf)); + if (len < 0) + return -1; + cp = buf; + wsr = results; + while (len >= sizeof(struct ieee80211req_scan_result)) { + sr = (struct ieee80211req_scan_result *) cp; + memcpy(wsr->bssid, sr->isr_bssid, IEEE80211_ADDR_LEN); + wsr->ssid_len = sr->isr_ssid_len; + wsr->freq = sr->isr_freq; + wsr->noise = sr->isr_noise; + wsr->qual = sr->isr_rssi; + wsr->level = 0; /* XXX? */ + wsr->caps = sr->isr_capinfo; + wsr->maxrate = getmaxrate(sr->isr_rates, sr->isr_nrates); + vp = (u_int8_t *)(sr+1); + memcpy(wsr->ssid, vp, sr->isr_ssid_len); + if (sr->isr_ie_len > 0) { + vp += sr->isr_ssid_len; + ielen = sr->isr_ie_len; + while (ielen > 0) { + switch (vp[0]) { + case IEEE80211_ELEMID_VENDOR: + if (!iswpaoui(vp)) + break; + wsr->wpa_ie_len = + min(2+vp[1], SSID_MAX_WPA_IE_LEN); + memcpy(wsr->wpa_ie, vp, wsr->wpa_ie_len); + break; + case IEEE80211_ELEMID_RSN: + wsr->rsn_ie_len = + min(2+vp[1], SSID_MAX_WPA_IE_LEN); + memcpy(wsr->rsn_ie, vp, wsr->rsn_ie_len); + break; + } + ielen -= 2+vp[1]; + vp += 2+vp[1]; + } + } + + cp += sr->isr_len, len -= sr->isr_len; + wsr++; + } + qsort(results, wsr - results, sizeof(struct wpa_scan_result), + wpa_scan_result_compar); + + wpa_printf(MSG_DEBUG, "Received %d bytes of scan results (%d BSSes)", + len, wsr - results); + + return wsr - results; +#undef min +} + +static void * +wpa_driver_bsd_init(void *ctx, const char *ifname) +{ + struct wpa_driver_bsd_data *drv; + + drv = malloc(sizeof(*drv)); + if (drv == NULL) + return NULL; + memset(drv, 0, sizeof(*drv)); + drv->sock = socket(PF_INET, SOCK_DGRAM, 0); + if (drv->sock < 0) { + free(drv); + return NULL; + } + drv->route = socket(PF_ROUTE, SOCK_RAW, 0); + if (drv->route < 0) { + close(drv->sock); + free(drv); + return NULL; + } + eloop_register_read_sock(drv->route, + wpa_driver_bsd_event_receive, ctx, NULL); + + drv->ctx = ctx; + strncpy(drv->ifname, ifname, sizeof(drv->ifname)); + + return drv; +} + +static void +wpa_driver_bsd_deinit(void *priv) +{ + struct wpa_driver_bsd_data *drv = priv; + int flags; + + /* NB: mark interface down */ + if (getifflags(drv, &flags) == 0) + (void) setifflags(drv, flags &~ IFF_UP); + + (void) close(drv->route); /* ioctl socket */ + (void) close(drv->sock); /* event socket */ + free(drv); +} + + +struct wpa_driver_ops wpa_driver_bsd_ops = { + .name = "bsd", + .desc = "BSD 802.11 support (Atheros, etc.)", + .init = wpa_driver_bsd_init, + .deinit = wpa_driver_bsd_deinit, + .get_bssid = wpa_driver_bsd_get_bssid, + .get_ssid = wpa_driver_bsd_get_ssid, + .set_wpa = wpa_driver_bsd_set_wpa, + .set_key = wpa_driver_bsd_set_key, + .set_countermeasures = wpa_driver_bsd_set_countermeasures, + .set_drop_unencrypted = wpa_driver_bsd_set_drop_unencrypted, + .scan = wpa_driver_bsd_scan, + .get_scan_results = wpa_driver_bsd_get_scan_results, + .deauthenticate = wpa_driver_bsd_deauthenticate, + .disassociate = wpa_driver_bsd_disassociate, + .associate = wpa_driver_bsd_associate, +}; diff --git a/usr.sbin/wpa/wpa_supplicant/wpa_supplicant.1 b/usr.sbin/wpa/wpa_supplicant/wpa_supplicant.1 new file mode 100644 index 0000000..70db4d7 --- /dev/null +++ b/usr.sbin/wpa/wpa_supplicant/wpa_supplicant.1 @@ -0,0 +1,132 @@ +.\" Copyright (c) 2005 Sam Leffler <sam@errno.com> +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd June 3, 2005 +.Dt WPA_SUPPLICANT 8 +.Os +.Sh NAME +.Nm wpa_supplicant +.Nd "WPA/802.11i Supplicant for wireless network devices" +.Sh SYNOPSIS +.Nm +.Op Fl BddehLqqvw +.Fl i Ar ifname +.Fl c Ar config-file +.Op Fl N i Ar ifname Fl c Ar config-file .... +.Sh DESCRIPTION +.Nm +is an implementation of the WPA Supplicant component, +i.e., the part that runs in the client stations. +It implements WPA key negotiation with a WPA Authenticator +and EAP authentication with Authentication Server. +In addition, it controls the roaming and IEEE 802.11 +authentication/association of the wlan driver. +.Pp +.Nm +is designed to be a "daemon" program that runs in the +background and acts as the backend component controlling +the wireless connection. +.Nm +supports separate frontend programs such as the +text-based frontend, +.Xr wpa_cli 8 +.Pp +The following arguments must be specified on the command line: +.Bl -tag -width indent +.It Fl i Ar ifname +Use the specified wireless interface. +.It Fl c Ar config-file +Use the settings in the specified configuration file when managing +the specified wireless interface. +See +.Xr wpa_supplicant.conf 5 +for a description of the configuration file syntax. +.Pp +Changes to the configuration file can be reloaded by sending a +.Nm SIGHUP +to the +.Nm +processor or with the +.Xr wpa_cli +utility, using ``wpa_cli reconfigure''. +.El +.Sh OPTIONS +The options are as follows: +.Bl -tag -width indent +.It Fl d +Enable debugging messages. +If this option is supplied twice more verbose messages are displayed. +.It Fl e +Use an external IEEE 802.1X Supplicant program and disable the +internal Supplicant. +This option is not normally used. +.It Fl h +Show help text. +.It Fl q +Decrease debugging verbosity (i.e. counteract the use of the +.Fl d +flag. +.It Fl v +Display version information on the terminal and exit. +.It Fl w +If the specified interface is not present, wait for it to be +added; e.g. a cardbus device to be inserted. +.It Fl B +Detach from the controlling terminal and run as a daemon process +in the background. +.It Fl K +Include key information in debugging output. +.It Fl L +Display the license for this program on the terminal and exit. +.It Fl N Fl i Ar iface Fl Ar config-file +Specify an additional interface and configuration file. +If multiple interfaces are specified then +.Nm +will manage them all with a single process. +.El +.Sh SEE ALSO +.Xr ath 4 , +.Xr iwi 4 , +.Xr ipw 4 , +.Xr ral 4 , +.Xr ural 4 , +.Xr wi 4 , +.Xr wpa_supplicant.conf 5 , +.Xr ifconfig 8 +.Sh HISTORY +The +.Nm +utility first appeared in +.Fx 6.0 . +.Sh AUTHORS +The +.Nm +utility was written by +.An Jouni Malinen Aq jkmaline@cc.hut.fi . +This manual page is derived from the README file included in the +.Nm +distribution. +.Sh BUGS diff --git a/usr.sbin/wpa/wpa_supplicant/wpa_supplicant.conf.5 b/usr.sbin/wpa/wpa_supplicant/wpa_supplicant.conf.5 new file mode 100644 index 0000000..c320453 --- /dev/null +++ b/usr.sbin/wpa/wpa_supplicant/wpa_supplicant.conf.5 @@ -0,0 +1,157 @@ +.\" Copyright (c) 2005 Sam Leffler <sam@errno.com> +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd June 3, 2005 +.Dt WPA_SUPPLICANT.CONF 5 +.Os +.Sh NAME +.Nm wpa_supplicant.conf +.Nd "configuration file for wpa_supplicant utility" +.Sh DESCRIPTION +The +.Xr wpa_supplicant 1 +program is an implementation of the WPA Supplicant component, +i.e., the part that runs in the client stations. +.Nm wpa_supplicant +implements WPA key negotiation with a WPA Authenticator +and EAP authentication with Authentication Server using +configuration information stored in a text file. +.Pp +The configuration file consists of one or more network blocks, e.g. +one for each used SSID. +.Nm wpa_supplicant +will automatically select the best network based on the order of +the network blocks in the configuration file, network security level +(WPA/WPA2 is preferred), and signal strength. +.Sh CERTIFICATES +.Pp +Some EAP authentication methods require use of certificates. +EAP-TLS uses both server- and client-side certificates, +whereas EAP-PEAP and EAP-TTLS only require a server-side certificate. +When a client certificate is used, a matching private key file must +also be included in configuration. +If the private key uses a passphrase, this +has to be configured in the wpa_supplicant.conf file as "private_key_passwd". +.Pp +.Nm wpa_supplicant +supports X.509 certificates in PEM and DER formats. +User certificate and private key can be included in the same file. +.Pp +If the user certificate and private key is received in PKCS#12/PFX +format, they need to be converted to suitable PEM/DER format for +use by +.Nm wpa_supplicant. +This can be done using the +.Xr openssl 1 +program, e.g. with following commands: +.Bd -literal +# convert client certificate and private key to PEM format +openssl pkcs12 -in example.pfx -out user.pem -clcerts +# convert CA certificate (if included in PFX file) to PEM format +openssl pkcs12 -in example.pfx -out ca.pem -cacerts -nokeys +.Be +.Sh EXAMPLES +.Pp +WPA-Personal (PSK) as a home network and WPA-Enterprise with EAP-TLS +as a work network: +.Bd -literal +# allow frontend (e.g., wpa_cli) to be used by all users in 'wheel' group +ctrl_interface=/var/run/wpa_supplicant +ctrl_interface_group=wheel +# +# home network; allow all valid ciphers +network={ + ssid="home" + scan_ssid=1 + key_mgmt=WPA-PSK + psk="very secret passphrase" +} +# +# work network; use EAP-TLS with WPA; allow only CCMP and TKIP ciphers +network={ + ssid="work" + scan_ssid=1 + key_mgmt=WPA-EAP + pairwise=CCMP TKIP + group=CCMP TKIP + eap=TLS + identity="user@example.com" + ca_cert="/etc/cert/ca.pem" + client_cert="/etc/cert/user.pem" + private_key="/etc/cert/user.prv" + private_key_passwd="password" +} +.Ed +.Pp +WPA-RADIUS/EAP-PEAP/MSCHAPv2 with RADIUS servers that use old peaplabel +(e.g., Funk Odyssey and SBR, Meetinghouse Aegis, Interlink RAD-Series): +.Bd -literal +ctrl_interface=/var/run/wpa_supplicant +ctrl_interface_group=wheel +network={ + ssid="example" + scan_ssid=1 + key_mgmt=WPA-EAP + eap=PEAP + identity="user@example.com" + password="foobar" + ca_cert="/etc/cert/ca.pem" + phase1="peaplabel=0" + phase2="auth=MSCHAPV2" +} +.Ed +.Pp +EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the +unencrypted use. Real identity is sent only within an encrypted TLS tunnel. +.Bd -literal +ctrl_interface=/var/run/wpa_supplicant +ctrl_interface_group=wheel +network={ + ssid="example" + scan_ssid=1 + key_mgmt=WPA-EAP + eap=TTLS + identity="user@example.com" + anonymous_identity="anonymous@example.com" + password="foobar" + ca_cert="/etc/cert/ca.pem" + phase2="auth=MD5" +} +.Ed +.Sh SEE ALSO +.Xr wpa_supplicant 1 +.Sh HISTORY +The +.Nm +manual page and +.Nm wpa_supplicant +functionality first appeared in +.Fx 6.0 . +.Sh AUTHORS +This manual page is derived from the README file in the +.Nm wpa_supplicant +distribution provided by +.An Jouni Malinen Aq jkmaline@cc.hut.fi . |
