Diffstat (limited to 'usr.sbin/wpa')
-rw-r--r--usr.sbin/wpa/Makefile7
-rw-r--r--usr.sbin/wpa/Makefile.crypto133
-rw-r--r--usr.sbin/wpa/Makefile.inc38
-rw-r--r--usr.sbin/wpa/hostapd/Makefile122
-rw-r--r--usr.sbin/wpa/hostapd/hostapd.8137
-rw-r--r--usr.sbin/wpa/hostapd/hostapd.conf.5211
-rw-r--r--usr.sbin/wpa/hostapd_cli/Makefile15
-rw-r--r--usr.sbin/wpa/hostapd_cli/hostapd_cli.8112
-rw-r--r--usr.sbin/wpa/ndis_events/Makefile8
-rw-r--r--usr.sbin/wpa/ndis_events/ndis_events.8135
-rw-r--r--usr.sbin/wpa/ndis_events/ndis_events.c352
-rw-r--r--usr.sbin/wpa/wpa_cli/Makefile21
-rw-r--r--usr.sbin/wpa/wpa_cli/wpa_cli.8222
-rw-r--r--usr.sbin/wpa/wpa_passphrase/Makefile16
-rw-r--r--usr.sbin/wpa/wpa_passphrase/wpa_passphrase.866
-rw-r--r--usr.sbin/wpa/wpa_priv/Makefile17
-rw-r--r--usr.sbin/wpa/wpa_supplicant/Makefile151
-rw-r--r--usr.sbin/wpa/wpa_supplicant/Packet32.c414
-rw-r--r--usr.sbin/wpa/wpa_supplicant/Packet32.h67
-rw-r--r--usr.sbin/wpa/wpa_supplicant/ntddndis.h31
-rw-r--r--usr.sbin/wpa/wpa_supplicant/wpa_supplicant.8184
-rw-r--r--usr.sbin/wpa/wpa_supplicant/wpa_supplicant.conf.5578
22 files changed, 3037 insertions, 0 deletions
diff --git a/usr.sbin/wpa/Makefile b/usr.sbin/wpa/Makefile
new file mode 100644
index 0000000..5d746e9
--- /dev/null
+++ b/usr.sbin/wpa/Makefile
@@ -0,0 +1,7 @@
+# $FreeBSD$
+
+SUBDIR= wpa_supplicant wpa_cli wpa_passphrase
+SUBDIR+= hostapd hostapd_cli
+SUBDIR+= ndis_events
+
+.include <bsd.subdir.mk>
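Review bot: The `SUBDIR` list never names `wpa_priv`, although the diffstat of this commit adds `usr.sbin/wpa/wpa_priv/Makefile`, so that directory is not entered by the build. If leaving it out is deliberate, say so with a comment above the list, for example `# wpa_priv is intentionally not built by default`. Otherwise add `SUBDIR+= wpa_priv`.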
diff --git a/usr.sbin/wpa/Makefile.crypto b/usr.sbin/wpa/Makefile.crypto
new file mode 100644
index 0000000..94367bb
--- /dev/null
+++ b/usr.sbin/wpa/Makefile.crypto
@@ -0,0 +1,133 @@
+# $FreeBSD$
+
+.if ${MK_OPENSSL} != "no" && !defined(RELEASE_CRUNCH)
+SRCS+= crypto_openssl.c random.c sha1-prf.c sha256-prf.c
+DPADD+= ${LIBSSL} ${LIBCRYPTO}
+LDADD+= -lssl -lcrypto
+CFLAGS+= -DCONFIG_SHA256
+.else
+CFLAGS+=-DCONFIG_CRYPTO_INTERNAL
+SRCS+= crypto_internal.c random.c
+CONFIG_INTERNAL_AES=y
+CONFIG_INTERNAL_DES=y
+CONFIG_INTERNAL_MD4=y
+CONFIG_INTERNAL_MD5=y
+CONFIG_INTERNAL_RC4=y
+CONFIG_INTERNAL_SHA1=y
+NEED_SHA256=y
+CONFIG_INTERNAL_SHA256=y
+CONFIG_INTERNAL_TLS=y
+CONFIG_INTERNAL_DH5=y
+CONFIG_INTERNAL_DH=y
+NEED_AES_ENC=true
+.endif
+
+.if defined(TLS_FUNCS)
+NEED_TLS_PRF=y
+.if defined(CONFIG_INTERNAL_TLS)
+CFLAGS+=-DCONFIG_INTERNAL_LIBTOMMATH \
+ -DCONFIG_TLS_INTERNAL_CLIENT
+SRCS+= asn1.c \
+ bignum.c \
+ crypto_internal-cipher.c \
+ crypto_internal-modexp.c \
+ crypto_internal-rsa.c \
+ pkcs1.c \
+ pkcs5.c \
+ pkcs8.c \
+ rsa.c \
+ tls_internal.c \
+ tlsv1_common.c \
+ tlsv1_record.c \
+ tlsv1_cred.c \
+ tlsv1_client.c \
+ tlsv1_client_write.c \
+ tlsv1_client_read.c \
+ x509v3.c
+NEED_DES=y
+NEED_MD4=y
+NEED_RC4=y
+.else
+CFLAGS+=-DEAP_TLS_OPENSSL
+SRCS+= tls_openssl.c
+.endif
+.endif
+
+.if defined(CONFIG_INTERNAL_AES)
+SRCS+= aes-internal.c \
+ aes-internal-dec.c \
+ aes-internal-enc.c
+.endif
+
+.if defined(NEED_AES_CBC)
+SRCS+= aes-cbc.c
+.endif
+
+.if defined(NEED_AES_EAX)
+SRCS+= aes-eax.c
+NEED_AES_CTR=y
+.endif
+
+.if defined(NEED_AES_CTR)
+SRCS+= aes-ctr.c
+.endif
+
+.if defined(NEED_AES_ENCBLOCK)
+SRCS+= aes-encblock.c
+.endif
+
+.if defined(NEED_AES_OMAC1)
+SRCS+= aes-omac1.c
+.endif
+
+.if defined(NEED_DES)
+.if defined(CONFIG_INTERNAL_DES)
+SRCS+= des-internal.c
+.endif
+.endif
+
+.if defined(NEED_MD4)
+.if defined(CONFIG_INTERNAL_MD4)
+SRCS+= md4-internal.c
+.endif
+.endif
+
+.if defined(CONFIG_INTERNAL_MD5)
+SRCS+= md5-internal.c
+.endif
+
+.if defined(NEED_FIPS186_2_PRF)
+.if defined(CONFIG_INTERNAL_SHA1)
+SRCS+= fips_prf_internal.c
+.else
+SRCS+= fips_prf_openssl.c
+.endif
+.endif
+
+.if defined(CONFIG_INTERNAL_RC4)
+SRCS+= rc4.c
+.endif
+
+.if defined(CONFIG_INTERNAL_SHA1)
+SRCS+= sha1-internal.c sha1-pbkdf2.c sha1.c sha1-prf.c
+.endif
+
+.if defined(NEED_SHA256)
+CFLAGS+=-DCONFIG_SHA256
+SRCS+= sha256.c
+.if defined(CONFIG_INTERNAL_SHA256)
+SRCS+= sha256-internal.c sha256-prf.c
+.endif
+.endif
+
+.if defined(NEED_TLS_PRF)
+SRCS+= sha1-tlsprf.c
+.endif
+
+.if defined(CONFIG_INTERNAL_DH5)
+SRCS+= dh_group5.c
+.endif
+
+.if defined(CONFIG_INTERNAL_DH)
+SRCS+= dh_groups.c
+.endif
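Review bot: The `.if defined(CONFIG_INTERNAL_TLS)` branch compiles only the client half of the bundled TLS code (`-DCONFIG_TLS_INTERNAL_CLIENT` and the `tlsv1_client*.c` sources), yet hostapd/Makefile includes this file and enables `EAP_SERVER_TLS`, `EAP_SERVER_PEAP` and `EAP_SERVER_TTLS`. In a build without OpenSSL, or with `RELEASE_CRUNCH` defined, hostapd would therefore seem to have no TLS server implementation behind those methods; this is inferred from the source lists and not tested. Either build the server side as well when the consumer is hostapd, or document the limit at the top of the `.else` branch, for example `# Internal crypto fallback: TLS client only; EAP server TLS methods are not functional`. `NEED_AES_ENC=true` is also assigned in that branch but never tested anywhere in this file.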
diff --git a/usr.sbin/wpa/Makefile.inc b/usr.sbin/wpa/Makefile.inc
new file mode 100644
index 0000000..0b13b97
--- /dev/null
+++ b/usr.sbin/wpa/Makefile.inc
@@ -0,0 +1,38 @@
+# $FreeBSD$
+
+BINDIR?= /usr/sbin
+
+WPA_DISTDIR?= ${.CURDIR}/../../../contrib/wpa/
+WPA_SUPPLICANT_DISTDIR?=${WPA_DISTDIR}/wpa_supplicant
+HOSTAPD_DISTDIR?= ${WPA_DISTDIR}/hostapd
+
+.PATH.c:${.CURDIR}/.. \
+ ${WPA_DISTDIR}/src/ap \
+ ${WPA_DISTDIR}/src/common \
+ ${WPA_DISTDIR}/src/crypto \
+ ${WPA_DISTDIR}/src/eapol_auth \
+ ${WPA_DISTDIR}/src/eap_common \
+ ${WPA_DISTDIR}/src/eap_peer \
+ ${WPA_DISTDIR}/src/eap_server \
+ ${WPA_DISTDIR}/src/eapol_supp \
+ ${WPA_DISTDIR}/src/l2_packet \
+ ${WPA_DISTDIR}/src/radius \
+ ${WPA_DISTDIR}/src/rsn_supp \
+ ${WPA_DISTDIR}/src/tls \
+ ${WPA_DISTDIR}/src/utils \
+ ${WPA_DISTDIR}/src/wps
+
+CFLAGS+=-I${.CURDIR}
+CFLAGS+=-I${HOSTAPD_DISTDIR}
+CFLAGS+=-I${WPA_DISTDIR}/src
+CFLAGS+=-I${WPA_DISTDIR}/src/common
+CFLAGS+=-I${WPA_DISTDIR}/src/crypto
+CFLAGS+=-I${WPA_DISTDIR}/src/drivers
+CFLAGS+=-I${WPA_DISTDIR}/src/l2_packet
+CFLAGS+=-I${WPA_DISTDIR}/src/utils
+CFLAGS+=-I${WPA_DISTDIR}/src/wps
+
+CFLAGS+= -DCONFIG_CTRL_IFACE
+CFLAGS+= -DCONFIG_CTRL_IFACE_UNIX
+
+.include <bsd.own.mk>
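Review bot: `WPA_DISTDIR` is defined with a trailing slash and every use appends `/src/...` or `/hostapd`, so all the `.PATH.c` and `-I` entries expand to `.../contrib/wpa//...`. This works, but the doubled slash ends up in compiler diagnostics and recorded source paths; `WPA_DISTDIR?= ${.CURDIR}/../../../contrib/wpa` avoids it. Separately, `-I${HOSTAPD_DISTDIR}` is added for every program that includes this file, not only hostapd, and a one-line comment saying why would help.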
diff --git a/usr.sbin/wpa/hostapd/Makefile b/usr.sbin/wpa/hostapd/Makefile
new file mode 100644
index 0000000..530cf02
--- /dev/null
+++ b/usr.sbin/wpa/hostapd/Makefile
@@ -0,0 +1,122 @@
+# $FreeBSD$
+
+.include "${.CURDIR}/../Makefile.inc"
+
+.PATH.c:${HOSTAPD_DISTDIR} \
+ ${WPA_DISTDIR}/src/drivers
+
+PROG= hostapd
+SRCS= accounting.c aes-wrap.c ap_config.c ap_drv_ops.c ap_mlme.c authsrv.c \
+ base64.c beacon.c chap.c common.c config_file.c ctrl_iface.c \
+ ctrl_iface_ap.c driver_common.c l2_packet_freebsd.c driver_bsd.c \
+ drivers.c drv_callbacks.c eap_common.c eap_peap_common.c \
+ eap_register.c eap_server.c eap_server_methods.c eap_user_db.c \
+ eapol_auth_dump.c eapol_auth_sm.c eloop.c gas.c gas_serv.c hostapd.c \
+ hs20.c http_client.c http_server.c httpread.c ieee802_11_auth.c \
+ ieee802_11_common.c ieee802_11_shared.c ieee802_1x.c ip_addr.c \
+ main.c md5.c ms_funcs.c os_unix.c peerkey_auth.c pmksa_cache_auth.c \
+ preauth_auth.c radius.c radius_client.c radius_das.c sta_info.c \
+ tkip_countermeasures.c upnp_xml.c utils.c uuid.c vlan_init.c \
+ wpa_auth.c wpa_auth_glue.c wpa_auth_ie.c wpa_common.c wpa_debug.c \
+ wpabuf.c wps.c wps_attr_build.c wps_attr_parse.c wps_attr_process.c \
+ wps_common.c wps_dev_attr.c wps_enrollee.c wps_hostapd.c \
+ wps_registrar.c wps_upnp.c wps_upnp_ap.c wps_upnp_event.c \
+ wps_upnp_ssdp.c wps_upnp_web.c
+
+MAN= hostapd.8 hostapd.conf.5
+
+.if ${MK_EXAMPLES} != "no"
+FILESDIR= ${SHAREDIR}/examples/hostapd
+.PATH: ${HOSTAPD_DISTDIR}
+FILES= hostapd.conf hostapd.eap_user hostapd.wpa_psk
+.endif
+
+CFLAGS+=-DCONFIG_DRIVER_BSD \
+ -DHOSTAPD \
+ -DCONFIG_DRIVER_RADIUS_ACL \
+ -DCONFIG_RSN_PREAUTH \
+ -DCONFIG_PEERKEY \
+ -DCONFIG_WPS \
+ -DCONFIG_WPS2 \
+ -DCONFIG_WPS_UPNP \
+ -DCONFIG_INTERWORKING \
+ -DCONFIG_HS20
+.if ${MK_INET6} != "no"
+CFLAGS+= -DCONFIG_IPV6
+.endif
+#CFLAGS+= -g
+DPADD+= ${LIBPCAP}
+LDADD+= -lpcap
+
+# User customizations for wpa_supplicant/hostapd build environment
+CFLAGS+=${HOSTAPD_CFLAGS}
+#DPADD+=${HOSTAPD_DPADD}
+LDADD+=${HOSTAPD_LDADD}
+#LDFLAGS+=${HOSTAPD_LDFLAGS}
+
+CFLAGS+=-DDPKCS12_FUNCS \
+ -DEAP_SERVER \
+ -DEAP_SERVER_GTC \
+ -DEAP_SERVER_IDENTITY \
+ -DEAP_SERVER_MD5 \
+ -DEAP_SERVER_MSCHAPV2 \
+ -DEAP_SERVER_PEAP \
+ -DEAP_SERVER_TLS \
+ -DEAP_SERVER_TTLS \
+ -DEAP_TLS_FUNCS \
+ -DEAP_SERVER_WSC \
+ -DCONFIG_NO_DUMP_STATE
+SRCS+= dump_state.c \
+ eap_server_gtc.c \
+ eap_server_identity.c \
+ eap_server_md5.c \
+ eap_server_mschapv2.c \
+ eap_server_peap.c \
+ eap_server_tls.c \
+ eap_server_tls_common.c \
+ eap_server_ttls.c \
+ eap_server_wsc.c \
+ eap_wsc_common.c
+TLS_FUNCS=y
+
+.if !empty(CFLAGS:M*-DCONFIG_WPS)
+NEED_SIM_COMMON=y
+.endif
+
+.if !empty(CFLAGS:M*-DEAP_SERVER_AKA)
+SRCS+= eap_server_aka.c
+NEED_SIM_COMMON=y
+.endif
+
+.if !empty(CFLAGS:M*-DEAP_SERVER_SIM)
+SRCS+= eap_server_sim.c
+NEED_SIM_COMMON=y
+.endif
+
+.if defined(NEED_SIM_COMMON)
+SRCS+= eap_sim_common.c \
+ eap_sim_db.c
+NEED_AES_CBC=y
+NEED_FIPS186_2_PRF=y
+.endif
+
+.if !empty(CFLAGS:M*-DEAP_SERVER_GPSK)
+CFLAGS+=-DEAP_GPSK_SHA256
+SRCS+= eap_server_gpsk.c \
+ eap_gpsk_common.c
+NEED_AES_OMAC1=y
+.endif
+
+.if !empty(CFLAGS:M*-DEAP_SERVER_PAX)
+SRCS+= eap_server_pax.c \
+ eap_pax_common.c
+.endif
+
+.if !empty(CFLAGS:M*-DEAP_SERVER_SAKE)
+SRCS+= eap_server_sake.c \
+ eap_sake_common.c
+.endif
+
+.include "${.CURDIR}/../Makefile.crypto"
+
+.include <bsd.prog.mk>
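Review bot: `-DDPKCS12_FUNCS` at the head of the EAP server `CFLAGS` block defines a macro named `DPKCS12_FUNCS`. The doubled `D` looks like a typo for `-DPKCS12_FUNCS`, in which case PKCS#12 credential handling is silently compiled out; the line should read `CFLAGS+=-DPKCS12_FUNCS \`. The same block sets `-DCONFIG_NO_DUMP_STATE` while the next statement adds `dump_state.c` to `SRCS`, which looks contradictory, so keep one or add a comment explaining why both are wanted. `${HOSTAPD_CFLAGS}` is appended before the `.if !empty(CFLAGS:M*-DEAP_SERVER_...)` tests, so it appears to be the only way to turn on AKA, SIM, GPSK, PAX or SAKE. A comment on the "User customizations" block such as `# e.g. HOSTAPD_CFLAGS=-DEAP_SERVER_GPSK selects the optional EAP methods below` would make that discoverable.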
diff --git a/usr.sbin/wpa/hostapd/hostapd.8 b/usr.sbin/wpa/hostapd/hostapd.8
new file mode 100644
index 0000000..f624cac
--- /dev/null
+++ b/usr.sbin/wpa/hostapd/hostapd.8
@@ -0,0 +1,137 @@
+.\" Copyright (c) 2005 Sam Leffler <sam@errno.com>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd July 18, 2012
+.Dt HOSTAPD 8
+.Os
+.Sh NAME
+.Nm hostapd
+.Nd "authenticator for IEEE 802.11 networks"
+.Sh SYNOPSIS
+.Nm
+.Op Fl BdhKtv
+.Op Fl P Ar pidfile
+.Ar config-file ...
+.Sh DESCRIPTION
+The
+.Nm
+utility
+is an authenticator for IEEE 802.11 networks.
+It provides full support for WPA/IEEE 802.11i and
+can also act as an IEEE 802.1X Authenticator with a suitable
+backend Authentication Server (typically
+.Tn FreeRADIUS ) .
+The
+.Nm
+utility
+implements the authentication protocols that piggyback on top
+of the normal IEEE 802.11 protocol mechanisms.
+To use
+.Nm
+as an authenticator, the underlying device must support some
+basic functionality such as the ability to set security information
+in the 802.11 management frames.
+Beware that not all devices have this support.
+.Pp
+The
+.Nm
+utility
+is designed to be a
+.Dq daemon
+program that runs in the
+background and acts as the backend component controlling
+the wireless connection.
+It supports separate frontend programs such as the
+text-based frontend,
+.Xr hostapd_cli 8 .
+.Pp
+The following arguments must be specified on the command line:
+.Bl -tag -width indent
+.It Ar config-file
+Use the settings in the specified configuration file; the name of
+the specified wireless interface is contained in this file.
+See
+.Xr hostapd.conf 5
+for a description of the configuration file syntax.
+.Pp
+Changes to the configuration file can be reloaded by sending a
+.Dv SIGHUP
+to the
+.Nm
+processor or with the
+.Xr hostapd_cli 8
+utility, using
+.Dq Li "hostapd_cli reconfigure" .
+.El
+.Sh OPTIONS
+The options are as follows:
+.Bl -tag -width indent
+.It Fl d
+Enable debugging messages.
+If this option is supplied twice, more verbose messages are displayed.
+.It Fl h
+Show help text.
+.It Fl t
+Include timestamps in debugging output.
+.It Fl v
+Display version information on the terminal and exit.
+.It Fl B
+Detach from the controlling terminal and run as a daemon process
+in the background.
+.It Fl K
+Include key information in debugging output.
+.It Fl P Ar pidfile
+Store PID in
+.Ar pidfile .
+.El
+.Sh SEE ALSO
+.Xr ath 4 ,
+.Xr ipw 4 ,
+.Xr iwi 4 ,
+.Xr mwl 4 ,
+.Xr ral 4 ,
+.Xr rum 4 ,
+.Xr run 4 ,
+.Xr ural 4 ,
+.Xr wi 4 ,
+.Xr hostapd.conf 5 ,
+.Xr hostapd_cli 8 ,
+.Xr ifconfig 8
+.Sh HISTORY
+The
+.Nm
+utility first appeared in
+.Fx 6.0 .
+.Sh AUTHORS
+The
+.Nm
+utility was written by
+.An Jouni Malinen Aq j@w1.fi .
+This manual page is derived from the
+.Pa README
+file included in the
+.Nm
+distribution.
diff --git a/usr.sbin/wpa/hostapd/hostapd.conf.5 b/usr.sbin/wpa/hostapd/hostapd.conf.5
new file mode 100644
index 0000000..08a04fe
--- /dev/null
+++ b/usr.sbin/wpa/hostapd/hostapd.conf.5
@@ -0,0 +1,211 @@
+.\" Copyright (c) 2005 Sam Leffler <sam@errno.com>
+.\" Copyright (c) 2006 Rui Paulo
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd September 2, 2006
+.Dt HOSTAPD.CONF 5
+.Os
+.Sh NAME
+.Nm hostapd.conf
+.Nd configuration file for
+.Xr hostapd 8
+utility
+.Sh DESCRIPTION
+The
+.Xr hostapd 8
+utility
+is an authenticator for IEEE 802.11 networks.
+It provides full support for WPA/IEEE 802.11i and
+can also act as an IEEE 802.1X Authenticator with a suitable
+backend Authentication Server (typically
+.Tn FreeRADIUS ) .
+.Pp
+The configuration file consists of global parameters and domain
+specific configuration:
+.Bl -bullet -offset indent -compact
+.It
+IEEE 802.1X-2004
+.\" XXX not yet
+.\" .It
+.\" Integrated EAP server
+.\" .It
+.\" IEEE 802.11f - Inter-Access Point Protocol (IAPP)
+.It
+RADIUS client
+.It
+RADIUS authentication server
+.It
+WPA/IEEE 802.11i
+.El
+.Sh GLOBAL PARAMETERS
+The following parameters are recognized:
+.Bl -tag -width indent
+.It Va interface
+Interface name.
+Should be set in
+.Dq hostap
+mode. Make certain that there are no spaces after the interface name,
+or hostapd will complain that the interface does not exist.
+.It Va debug
+Debugging mode: 0 = no, 1 = minimal, 2 = verbose, 3 = msg dumps, 4 =
+excessive.
+.It Va dump_file
+Dump file for state information (on
+.Dv SIGUSR1 ) .
+.It Va ctrl_interface
+The pathname of the directory in which
+.Xr hostapd 8
+creates
+.Ux
+domain socket files for communication
+with frontend programs such as
+.Xr hostapd_cli 8 .
+.It Va ctrl_interface_group
+A group name or group ID to use in setting protection on the
+control interface file.
+This can be set to allow non-root users to access the
+control interface files.
+If no group is specified, the group ID of the control interface
+is not modified and will, typically, be the
+group ID of the directory in which the socket is created.
+.El
+.Sh IEEE 802.1X-2004 PARAMETERS
+The following parameters are recognized:
+.Bl -tag -width indent
+.It Va ieee8021x
+Require IEEE 802.1X authorization.
+.It Va eap_message
+Optional displayable message sent with EAP Request-Identity.
+.It Va wep_key_len_broadcast
+Key lengths for broadcast keys.
+.It Va wep_key_len_unicast
+Key lengths for unicast keys.
+.It Va wep_rekey_period
+Rekeying period in seconds.
+.It Va eapol_key_index_workaround
+EAPOL-Key index workaround (set bit7) for WinXP Supplicant.
+.It Va eap_reauth_period
+EAP reauthentication period in seconds.
+To disable reauthentication,
+use
+.Dq 0 .
+.\" XXX not yet
+.\" .It Va use_pae_group_addr
+.El
+.\" XXX not yet
+.\" .Sh IEEE 802.11f - IAPP PARAMETERS
+.\" The following parameters are recognized:
+.\" .Bl -tag -width indent
+.\" .It Va iapp_interface
+.\" Interface to be used for IAPP broadcast packets
+.\" .El
+.Sh RADIUS CLIENT PARAMETERS
+The following parameters are recognized:
+.Bl -tag -width indent
+.It Va own_ip_addr
+The own IP address of the access point (used as NAS-IP-Address).
+.It Va nas_identifier
+Optional NAS-Identifier string for RADIUS messages.
+.It Va auth_server_addr , auth_server_port , auth_server_shared_secret
+RADIUS authentication server parameters.
+Can be defined twice for secondary servers to be used if primary one
+does not reply to RADIUS packets.
+.It Va acct_server_addr , acct_server_port , acct_server_shared_secret
+RADIUS accounting server parameters.
+Can be defined twice for secondary servers to be used if primary one
+does not reply to RADIUS packets.
+.It Va radius_retry_primary_interval
+Retry interval for trying to return to the primary RADIUS server (in
+seconds).
+.It Va radius_acct_interim_interval
+Interim accounting update interval.
+If this is set (larger than 0) and acct_server is configured,
+.Xr hostapd 8
+will send interim accounting updates every N seconds.
+.El
+.Sh RADIUS AUTHENTICATION SERVER PARAMETERS
+The following parameters are recognized:
+.Bl -tag -width indent
+.It Va radius_server_clients
+File name of the RADIUS clients configuration for the RADIUS server.
+If this is commented out, RADIUS server is disabled.
+.It Va radius_server_auth_port
+The UDP port number for the RADIUS authentication server.
+.It Va radius_server_ipv6
+Use IPv6 with RADIUS server.
+.El
+.Sh WPA/IEEE 802.11i PARAMETERS
+The following parameters are recognized:
+.Bl -tag -width indent
+.It Va wpa
+Enable WPA.
+Setting this variable configures the AP to require WPA (either
+WPA-PSK or WPA-RADIUS/EAP based on other configuration).
+.It Va wpa_psk , wpa_passphrase
+WPA pre-shared keys for WPA-PSK.
+This can be either entered as a 256-bit secret in hex format (64 hex
+digits), wpa_psk, or as an ASCII passphrase (8..63 characters) that
+will be converted to PSK.
+This conversion uses SSID so the PSK changes when ASCII passphrase is
+used and the SSID is changed.
+.It Va wpa_psk_file
+Optionally, WPA PSKs can be read from a separate text file containing a
+list of PSK and MAC address pairs.
+.It Va wpa_key_mgmt
+Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both).
+.It Va wpa_pairwise
+Set of accepted cipher suites (encryption algorithms) for pairwise keys
+(unicast packets).
+See the example file for more information.
+.It Va wpa_group_rekey
+Time interval for rekeying GTK (broadcast/multicast encryption keys) in
+seconds.
+.It Va wpa_strict_rekey
+Rekey GTK when any STA that possesses the current GTK is leaving the
+BSS.
+.It Va wpa_gmk_rekey
+Time interval for rekeying GMK (master key used internally to generate GTKs),
+in seconds.
+.El
+.Sh SEE ALSO
+.Xr hostapd 8 ,
+.Xr hostapd_cli 8
+.Sh HISTORY
+The
+.Nm
+manual page and
+.Xr hostapd 8
+functionality first appeared in
+.Fx 6.0 .
+.Sh AUTHORS
+This manual page is derived from the
+.Pa README
+and
+.Pa hostapd.conf
+files in the
+.Nm hostapd
+distribution provided by
+.An Jouni Malinen Aq j@w1.fi .
diff --git a/usr.sbin/wpa/hostapd_cli/Makefile b/usr.sbin/wpa/hostapd_cli/Makefile
new file mode 100644
index 0000000..8677fbf
--- /dev/null
+++ b/usr.sbin/wpa/hostapd_cli/Makefile
@@ -0,0 +1,15 @@
+# $FreeBSD$
+
+.include "${.CURDIR}/../Makefile.inc"
+
+.PATH.c:${HOSTAPD_DISTDIR}
+
+PROG= hostapd_cli
+SRCS= common.c edit.c eloop.c hostapd_cli.c os_unix.c wpa_ctrl.c wpa_debug.c
+
+CFLAGS+= -DCONFIG_CTRL_IFACE
+CFLAGS+= -DCONFIG_CTRL_IFACE_UNIX
+
+MAN= hostapd_cli.8
+
+.include <bsd.prog.mk>
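Review bot: The two `CFLAGS+=` lines adding `-DCONFIG_CTRL_IFACE` and `-DCONFIG_CTRL_IFACE_UNIX` repeat defines that `../Makefile.inc`, included at the top of this file, already appends for every program. The duplicates are harmless to the compiler, but they suggest the control-interface setting is per-program when it is in fact global. Drop both lines here, or keep them and remove the pair from Makefile.inc so that each program opts in explicitly.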
diff --git a/usr.sbin/wpa/hostapd_cli/hostapd_cli.8 b/usr.sbin/wpa/hostapd_cli/hostapd_cli.8
new file mode 100644
index 0000000..eb7f60f
--- /dev/null
+++ b/usr.sbin/wpa/hostapd_cli/hostapd_cli.8
@@ -0,0 +1,112 @@
+.\" Copyright (c) 2005 Sam Leffler <sam@errno.com>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd June 16, 2005
+.Dt HOSTAPD_CLI 8
+.Os
+.Sh NAME
+.Nm hostapd_cli
+.Nd text-based frontend program for interacting with
+.Xr hostapd 8
+.Sh SYNOPSIS
+.Nm
+.Op Ar commands
+.Sh DESCRIPTION
+The
+.Nm
+utility
+is a text-based frontend program for interacting with
+.Xr hostapd 8 .
+It is used to query the current status.
+.Pp
+The
+.Nm
+utility
+can show the
+current authentication status,
+dot11 and dot1x MIBs, etc.
+.Pp
+The
+.Nm
+utility
+supports two modes: interactive and command line.
+Both modes share the same command set.
+.Pp
+Interactive mode is started when
+.Nm
+is executed without any parameters on the command line.
+Commands are then entered from the controlling terminal in
+response to the
+.Nm
+prompt.
+In command line mode, the same commands are
+entered as command line arguments.
+.Sh COMMANDS
+The following commands may be supplied on the command line
+or at a prompt when operating interactively.
+.Bl -tag -width indent
+.It Ic mib
+Report MIB variables (dot1x, dot11) for the current interface.
+.It Ic sta Ar addr
+Report the MIB variables for the associated station with MAC address
+.Ar addr .
+.It Ic all_sta
+Report the MIB variables for all associated stations.
+.It Ic help
+Show usage help.
+.It Ic interface Op Ar ifname
+Show available interfaces and/or set the current interface
+when multiple are available.
+.It Ic level Ar debug_level
+Change the debugging level in
+.Xr hostapd 8 .
+Larger numbers generate more messages.
+.It Ic license
+Display the full
+license for
+.Nm .
+.It Ic quit
+Exit
+.Nm .
+.El
+.Sh SEE ALSO
+.Xr hostapd.conf 5 ,
+.Xr hostapd 8
+.Sh HISTORY
+The
+.Nm
+utility first appeared in
+.Fx 6.0 .
+.Sh AUTHORS
+The
+.Nm
+utility was written by
+.An Jouni Malinen Aq j@w1.fi .
+This manual page is derived from the
+.Pa README
+file included in the
+.Nm hostapd
+distribution.
diff --git a/usr.sbin/wpa/ndis_events/Makefile b/usr.sbin/wpa/ndis_events/Makefile
new file mode 100644
index 0000000..07caf5a
--- /dev/null
+++ b/usr.sbin/wpa/ndis_events/Makefile
@@ -0,0 +1,8 @@
+# $FreeBSD$
+
+PROG= ndis_events
+SRCS+= ndis_events.c
+
+MAN= ndis_events.8
+
+.include <bsd.prog.mk>
diff --git a/usr.sbin/wpa/ndis_events/ndis_events.8 b/usr.sbin/wpa/ndis_events/ndis_events.8
new file mode 100644
index 0000000..9cc2bcd
--- /dev/null
+++ b/usr.sbin/wpa/ndis_events/ndis_events.8
@@ -0,0 +1,135 @@
+.\" Copyright (c) 2005
+.\" Bill Paul <wpaul@windriver.com> All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by Bill Paul.
+.\" 4. Neither the name of the author nor the names of any co-contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL Bill Paul OR THE VOICES IN HIS HEAD
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+.\" THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd August 30, 2007
+.Dt NDIS_EVENTS 8
+.Os
+.Sh NAME
+.Nm ndis_events
+.Nd relay events from
+.Xr ndis 4
+drivers to
+.Xr wpa_supplicant 8
+.Sh SYNOPSIS
+.Nm
+.Op Fl a
+.Op Fl d
+.Op Fl v
+.Sh DESCRIPTION
+The
+.Nm
+utility listens for events generated by an
+.Xr ndis 4
+wireless network driver and relays them to
+.Xr wpa_supplicant 8
+for possible processing.
+The three event types that can occur
+are media connect and disconnect events, such as when a wireless
+interface joins or leaves a network, and media-specific events.
+In particular,
+.Xr ndis 4
+drivers that support WPA2 will generate media-specific events
+containing PMKID candidate information which
+.Xr wpa_supplicant 8
+needs in order to properly associate with WPA2-capable access points.
+.Pp
+The
+.Nm
+daemon works by listening for interface information events via
+a routing socket.
+When it detects an event that was generated by an
+.Xr ndis 4
+interface, it transmits it via UDP packet on the loopback interface,
+where
+.Xr wpa_supplicant 8
+is presumably listening.
+The standard
+.Xr wpa_supplicant 8
+distribution includes its own version of this utility for use with
+.Tn Windows\[rg] .
+The
+.Fx
+version performs the same functions as the
+.Tn Windows\[rg]
+one, except that it uses an
+.Xr ioctl 4
+and routing socket interface instead of WMI.
+.Pp
+Note that a single instance of
+.Nm
+is sufficient to scan for events for any number of
+.Xr ndis 4
+interfaces in a system.
+.Sh OPTIONS
+The
+.Nm
+daemon supports the following options:
+.Bl -tag -width indent
+.It Fl a
+Process all events.
+By default,
+.Nm
+will only process and forward media-specific events, which contain
+PMKID candidate information, and not bother forwarding connect and
+disconnect events, since
+.Xr wpa_supplicant 8
+normally can determine the current link state on its own.
+In some
+cases, the additional connect and disconnect events only confuse it
+and make the association and authentication process take longer.
+.It Fl d
+Run in debug mode.
+This causes
+.Nm
+to run in the foreground and generate any output to the standard
+error instead of using the
+.Xr syslog 3
+facility.
+.It Fl v
+Run in verbose mode.
+This causes
+.Nm
+to emit notifications when it receives events.
+.El
+.Sh SEE ALSO
+.Xr ndis 4 ,
+.Xr wpa_supplicant 8
+.Sh HISTORY
+The
+.Nm
+utility first appeared in
+.Fx 6.0 .
+.Sh AUTHORS
+The
+.Nm
+utility was written by
+.An Bill Paul Aq wpaul@windriver.com .
diff --git a/usr.sbin/wpa/ndis_events/ndis_events.c b/usr.sbin/wpa/ndis_events/ndis_events.c
new file mode 100644
index 0000000..9c6e9de
--- /dev/null
+++ b/usr.sbin/wpa/ndis_events/ndis_events.c
@@ -0,0 +1,352 @@
+/*-
+ * Copyright (c) 2005
+ * Bill Paul <wpaul@windriver.com>. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Bill Paul.
+ * 4. Neither the name of the author nor the names of any co-contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL Bill Paul OR THE VOICES IN HIS HEAD
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+/*
+ * This program simulates the behavior of the ndis_events utility
+ * supplied with wpa_supplicant for Windows. The original utility
+ * is designed to translate Windows WMI events. We don't have WMI,
+ * but we need to supply certain event info to wpa_supplicant in
+ * order to make WPA2 work correctly, so we fake up the interface.
+ */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <sys/errno.h>
+#include <sys/sysctl.h>
+#include <net/if.h>
+#include <net/if_dl.h>
+#include <net/if_var.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <net/route.h>
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <err.h>
+#include <syslog.h>
+#include <stdarg.h>
+
+static int verbose = 0;
+static int debug = 0;
+static int all_events = 0;
+
+#define PROGNAME "ndis_events"
+
+#define WPA_SUPPLICANT_PORT 9876
+#define NDIS_INDICATION_LEN 2048
+
+#define EVENT_CONNECT 0
+#define EVENT_DISCONNECT 1
+#define EVENT_MEDIA_SPECIFIC 2
+
+#define NDIS_STATUS_MEDIA_CONNECT 0x4001000B
+#define NDIS_STATUS_MEDIA_DISCONNECT 0x4001000C
+#define NDIS_STATUS_MEDIA_SPECIFIC_INDICATION 0x40010012
+
+struct ndis_evt {
+ uint32_t ne_sts;
+ uint32_t ne_len;
+#ifdef notdef
+ char ne_buf[1];
+#endif
+};
+
+static int find_ifname(int, char *);
+static int announce_event(char *, int, struct sockaddr_in *);
+static void usage(void);
+
+static void
+dbgmsg(const char *fmt, ...)
+{
+ va_list ap;
+
+ va_start(ap, fmt);
+ if (debug)
+ vwarnx(fmt, ap);
+ else
+ vsyslog(LOG_ERR, fmt, ap);
+ va_end(ap);
+
+ return;
+}
+
+static int
+find_ifname(idx, name)
+ int idx;
+ char *name;
+{
+ int mib[6];
+ size_t needed;
+ struct if_msghdr *ifm;
+ struct sockaddr_dl *sdl;
+ char *buf, *lim, *next;
+
+ needed = 0;
+ mib[0] = CTL_NET;
+ mib[1] = PF_ROUTE;
+ mib[2] = 0; /* protocol */
+ mib[3] = 0; /* wildcard address family */
+ mib[4] = NET_RT_IFLIST;
+ mib[5] = 0; /* no flags */
+
+ if (sysctl (mib, 6, NULL, &needed, NULL, 0) < 0)
+ return(EIO);
+
+ buf = malloc (needed);
+ if (buf == NULL)
+ return(ENOMEM);
+
+ if (sysctl (mib, 6, buf, &needed, NULL, 0) < 0) {
+ free(buf);
+ return(EIO);
+ }
+
+ lim = buf + needed;
+
+ next = buf;
+ while (next < lim) {
+ ifm = (struct if_msghdr *)next;
+ if (ifm->ifm_type == RTM_IFINFO) {
+ sdl = (struct sockaddr_dl *)(ifm + 1);
+ if (ifm->ifm_index == idx) {
+ strncpy(name, sdl->sdl_data, sdl->sdl_nlen);
+ name[sdl->sdl_nlen] = '\0';
+ free (buf);
+ return (0);
+ }
+ }
+ next += ifm->ifm_msglen;
+ }
+
+ free (buf);
+
+ return(ENOENT);
+}
+
+static int
+announce_event(ifname, sock, dst)
+ char *ifname;
+ int sock;
+ struct sockaddr_in *dst;
+{
+ int s;
+ char indication[NDIS_INDICATION_LEN];
+ struct ifreq ifr;
+ struct ndis_evt *e;
+ char buf[512], *pos, *end;
+ int len, type, _type;
+
+ s = socket(PF_INET, SOCK_DGRAM, 0);
+
+ if (s < 0) {
+ dbgmsg("socket creation failed");
+ return(EINVAL);
+ }
+
+ bzero((char *)&ifr, sizeof(ifr));
+ e = (struct ndis_evt *)indication;
+ e->ne_len = NDIS_INDICATION_LEN - sizeof(struct ndis_evt);
+
+ strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
+ ifr.ifr_data = indication;
+
+ if (ioctl(s, SIOCGPRIVATE_0, &ifr) < 0) {
+ close(s);
+ if (verbose) {
+ if (errno == ENOENT)
+ dbgmsg("drained all events from %s",
+ ifname, errno);
+ else
+ dbgmsg("failed to read event info from %s: %d",
+ ifname, errno);
+ }
+ return(ENOENT);
+ }
+
+ if (e->ne_sts == NDIS_STATUS_MEDIA_CONNECT) {
+ type = EVENT_CONNECT;
+ if (verbose)
+ dbgmsg("Received a connect event for %s", ifname);
+ if (!all_events) {
+ close(s);
+ return(0);
+ }
+ }
+ if (e->ne_sts == NDIS_STATUS_MEDIA_DISCONNECT) {
+ type = EVENT_DISCONNECT;
+ if (verbose)
+ dbgmsg("Received a disconnect event for %s", ifname);
+ if (!all_events) {
+ close(s);
+ return(0);
+ }
+ }
+ if (e->ne_sts == NDIS_STATUS_MEDIA_SPECIFIC_INDICATION) {
+ type = EVENT_MEDIA_SPECIFIC;
+ if (verbose)
+ dbgmsg("Received a media-specific event for %s",
+ ifname);
+ }
+
+ end = buf + sizeof(buf);
+ _type = (int) type;
+ memcpy(buf, &_type, sizeof(_type));
+ pos = buf + sizeof(_type);
+
+ len = snprintf(pos + 1, end - pos - 1, "%s", ifname);
+ if (len < 0) {
+ close(s);
+ return(ENOSPC);
+ }
+ if (len > 255)
+ len = 255;
+ *pos = (unsigned char) len;
+ pos += 1 + len;
+ if (e->ne_len) {
+ if (e->ne_len > 255 || 1 + e->ne_len > end - pos) {
+ dbgmsg("Not enough room for send_event data (%d)\n",
+ e->ne_len);
+ close(s);
+ return(ENOSPC);
+ }
+ *pos++ = (unsigned char) e->ne_len;
+ memcpy(pos, (indication) + sizeof(struct ndis_evt), e->ne_len);
+ pos += e->ne_len;
+ }
+
+ len = sendto(sock, buf, pos - buf, 0, (struct sockaddr *) dst,
+ sizeof(struct sockaddr_in));
+
+ close(s);
+ return(0);
+}
+
+static void
+usage()
+{
+ fprintf(stderr, "Usage: ndis_events [-a] [-d] [-v]\n");
+ exit(1);
+}
+
+int
+main(argc, argv)
+ int argc;
+ char *argv[];
+{
+ int s, r, n;
+ struct sockaddr_in sin;
+ char msg[NDIS_INDICATION_LEN];
+ struct rt_msghdr *rtm;
+ struct if_msghdr *ifm;
+ char ifname[IFNAMSIZ];
+ int ch;
+
+ while ((ch = getopt(argc, argv, "dva")) != -1) {
+ switch(ch) {
+ case 'd':
+ debug++;
+ break;
+ case 'v':
+ verbose++;
+ break;
+ case 'a':
+ all_events++;
+ break;
+ default:
+ usage();
+ break;
+ }
+ }
+
+ if (!debug && daemon(0, 0))
+ err(1, "failed to daemonize ourselves");
+
+ if (!debug)
+ openlog(PROGNAME, LOG_PID | LOG_CONS, LOG_DAEMON);
+
+ bzero((char *)&sin, sizeof(sin));
+
+ /* Create a datagram socket. */
+
+ s = socket(PF_INET, SOCK_DGRAM, 0);
+ if (s < 0) {
+ dbgmsg("socket creation failed");
+ exit(1);
+ }
+
+ sin.sin_family = AF_INET;
+ sin.sin_addr.s_addr = inet_addr("127.0.0.1");
+ sin.sin_port = htons(WPA_SUPPLICANT_PORT);
+
+ /* Create a routing socket. */
+
+ r = socket (PF_ROUTE, SOCK_RAW, 0);
+ if (r < 0) {
+ dbgmsg("routing socket creation failed");
+ exit(1);
+ }
+
+ /* Now sit and spin, waiting for events. */
+
+ if (verbose)
+ dbgmsg("Listening for events");
+
+ while (1) {
+ n = read(r, msg, NDIS_INDICATION_LEN);
+ rtm = (struct rt_msghdr *)msg;
+ if (rtm->rtm_type != RTM_IFINFO)
+ continue;
+ ifm = (struct if_msghdr *)msg;
+ if (find_ifname(ifm->ifm_index, ifname))
+ continue;
+ if (strstr(ifname, "ndis")) {
+ while(announce_event(ifname, s, &sin) == 0)
+ ;
+ } else {
+ if (verbose)
+ dbgmsg("Skipping ifinfo message from %s",
+ ifname);
+ }
+ }
+
+ /* NOTREACHED */
+ exit(0);
+}
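Review bot: In announce_event(), `type` is left uninitialised when `e->ne_sts` matches none of the three NDIS_STATUS_* constants, so the datagram sent to wpa_supplicant carries an indeterminate stack value as its event type. Chaining the three tests with `else if` and ending with `else { close(s); return(0); }` would drop unknown statuses instead. In main(), the result of `read(r, msg, NDIS_INDICATION_LEN)` is stored in `n` and never checked, so a failed or short read still has `rtm->rtm_type` parsed from stale buffer contents; `if (n < (ssize_t)sizeof(struct if_msghdr)) continue;` before the cast would cover that. find_ifname() writes `sdl->sdl_nlen + 1` bytes into `name` without knowing that the caller's buffer is only IFNAMSIZ bytes, so the length should be clamped to `IFNAMSIZ - 1` before the `strncpy`. The failure branch in announce_event() also reads `errno` after `close(s)`, which may have overwritten it, and passes a surplus `errno` argument to the "drained all events" message.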
diff --git a/usr.sbin/wpa/wpa_cli/Makefile b/usr.sbin/wpa/wpa_cli/Makefile
new file mode 100644
index 0000000..da25325
--- /dev/null
+++ b/usr.sbin/wpa/wpa_cli/Makefile
@@ -0,0 +1,21 @@
+# $FreeBSD$
+
+.include "${.CURDIR}/../Makefile.inc"
+
+.PATH.c:${WPA_SUPPLICANT_DISTDIR}
+
+PROG= wpa_cli
+SRCS= common.c edit.c eloop.c os_unix.c wpa_cli.c wpa_ctrl.c wpa_debug.c
+
+MAN= wpa_cli.8
+
+CFLAGS+= -DCONFIG_CTRL_IFACE
+CFLAGS+= -DCONFIG_CTRL_IFACE_UNIX
+# enable use of d_type to identify unix domain sockets
+CFLAGS+= -D_DIRENT_HAVE_D_TYPE
+
+CFLAGS+= -DCONFIG_READLINE -I${DESTDIR}/${INCLUDEDIR}/edit
+LDADD+= -ledit -ltermcap
+DPADD+= ${LIBEDIT} ${LIBTERMCAP}
+
+.include <bsd.prog.mk>
diff --git a/usr.sbin/wpa/wpa_cli/wpa_cli.8 b/usr.sbin/wpa/wpa_cli/wpa_cli.8
new file mode 100644
index 0000000..fdb24fc
--- /dev/null
+++ b/usr.sbin/wpa/wpa_cli/wpa_cli.8
@@ -0,0 +1,222 @@
+.\" Copyright (c) 2005 Sam Leffler <sam@errno.com>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd June 16, 2005
+.Dt WPA_CLI 8
+.Os
+.Sh NAME
+.Nm wpa_cli
+.Nd "text-based frontend program for interacting with wpa_supplicant"
+.Sh SYNOPSIS
+.Nm
+.Op Ar commands
+.Sh DESCRIPTION
+The
+.Nm
+utility
+is a text-based frontend program for interacting with
+.Xr wpa_supplicant 8 .
+It is used to query current status,
+change configuration,
+trigger events,
+and
+request interactive user input.
+.Pp
+The
+.Nm
+utility
+can show the
+current authentication status,
+selected security
+mode, dot11 and dot1x MIBs, etc.
+In addition,
+.Nm
+can configure EAPOL state machine
+parameters and trigger events such as reassociation
+and IEEE 802.1X logoff/logon.
+.Pp
+The
+.Nm
+utility
+provides an interface to supply authentication information
+such as username and password when it is not provided in the
+.Xr wpa_supplicant.conf 5
+configuration file.
+This can be used, for example, to implement
+one-time passwords or generic token card
+authentication where the authentication is based on a
+challenge-response that uses an external device for generating the
+response.
+.Pp
+The
+.Nm
+utility
+supports two modes: interactive and command line.
+Both modes share the same command set and the main difference
+is in interactive mode providing access to unsolicited messages
+(event messages, username/password requests).
+.Pp
+Interactive mode is started when
+.Nm
+is executed without any parameters on the command line.
+Commands are then entered from the controlling terminal in
+response to the
+.Nm
+prompt.
+In command line mode, the same commands are
+entered as command line arguments.
+.Pp
+The control interface of
+.Xr wpa_supplicant 8
+can be configured to allow
+non-root user access by using the
+.Va ctrl_interface_group
+parameter
+in the
+.Xr wpa_supplicant.conf 5
+configuration file.
+This makes it possible to run
+.Nm
+with a normal user account.
+.Sh AUTHENTICATION PARAMETERS
+When
+.Xr wpa_supplicant 8
+needs authentication parameters, such as username and password,
+that are not present in the configuration file, it sends a
+request message to all attached frontend programs, e.g.,
+.Nm
+in interactive mode.
+The
+.Nm
+utility
+shows these requests with a
+.Dq Li CTRL-REQ- Ns Ao Ar type Ac Ns Li - Ns Ao Ar id Ac Ns : Ns Aq Ar text
+prefix, where
+.Aq Ar type
+is
+.Li IDENTITY , PASSWORD ,
+or
+.Li OTP
+(One-Time Password),
+.Aq Ar id
+is a unique identifier for the current network,
+.Aq Ar text
+is a description of the request.
+In the case of an
+.Li OTP
+(One-Time Password) request,
+it includes the challenge from the authentication server.
+.Pp
+A user must supply
+.Xr wpa_supplicant 8
+the needed parameters in response to these requests.
+.Pp
+For example,
+.Bd -literal -offset indent
+CTRL-REQ-PASSWORD-1:Password needed for SSID foobar
+> password 1 mysecretpassword
+
+Example request for generic token card challenge-response:
+
+CTRL-REQ-OTP-2:Challenge 1235663 needed for SSID foobar
+> otp 2 9876
+.Ed
+.Sh COMMANDS
+The following commands may be supplied on the command line
+or at a prompt when operating interactively.
+.Bl -tag -width indent
+.It Ic status
+Report the current WPA/EAPOL/EAP status for the current interface.
+.It Ic mib
+Report MIB variables (dot1x, dot11) for the current interface.
+.It Ic help
+Show usage help.
+.It Ic interface Op Ar ifname
+Show available interfaces and/or set the current interface
+when multiple are available.
+.It Ic level Ar debug_level
+Change the debugging level in
+.Xr wpa_supplicant 8 .
+Larger numbers generate more messages.
+.It Ic license
+Display the full
+license for
+.Nm .
+.It Ic logoff
+Send the IEEE 802.1X EAPOL state machine into the
+.Dq logoff
+state.
+.It Ic logon
+Send the IEEE 802.1X EAPOL state machine into the
+.Dq logon
+state.
+.It Ic set Op Ar settings
+Set variables.
+When no arguments are supplied, the known variables and their settings
+are displayed.
+.It Ic pmksa
+Show the contents of the PMKSA cache.
+.It Ic reassociate
+Force a reassociation to the current access point.
+.It Ic reconfigure
+Force
+.Xr wpa_supplicant 8
+to re-read its configuration file.
+.It Ic preauthenticate Ar BSSID
+Force preauthentication of the specified
+.Ar BSSID .
+.It Ic identity Ar network_id identity
+Configure an identity for an SSID.
+.It Ic password Ar network_id password
+Configure a password for an SSID.
+.It Ic otp Ar network_id password
+Configure a one-time password for an SSID.
+.It Ic terminate
+Force
+.Xr wpa_supplicant 8
+to terminate.
+.It Ic quit
+Exit
+.Nm .
+.El
+.Sh SEE ALSO
+.Xr wpa_supplicant.conf 5 ,
+.Xr wpa_supplicant 8
+.Sh HISTORY
+The
+.Nm
+utility first appeared in
+.Fx 6.0 .
+.Sh AUTHORS
+The
+.Nm
+utility was written by
+.An Jouni Malinen Aq j@w1.fi .
+This manual page is derived from the
+.Pa README
+file included in the
+.Nm wpa_supplicant
+distribution.
diff --git a/usr.sbin/wpa/wpa_passphrase/Makefile b/usr.sbin/wpa/wpa_passphrase/Makefile
new file mode 100644
index 0000000..16321c4
--- /dev/null
+++ b/usr.sbin/wpa/wpa_passphrase/Makefile
@@ -0,0 +1,16 @@
+# $FreeBSD$
+
+.include "${.CURDIR}/../Makefile.inc"
+
+.PATH.c:${WPA_SUPPLICANT_DISTDIR}
+
+PROG= wpa_passphrase
+SRCS= common.c md5-internal.c md5.c os_unix.c sha1-internal.c sha1-pbkdf2.c sha1.c \
+ wpa_passphrase.c
+
+CFLAGS+= -DINTERNAL_SHA1
+CFLAGS+= -DINTERNAL_MD5
+
+MAN= wpa_passphrase.8
+
+.include <bsd.prog.mk>
diff --git a/usr.sbin/wpa/wpa_passphrase/wpa_passphrase.8 b/usr.sbin/wpa/wpa_passphrase/wpa_passphrase.8
new file mode 100644
index 0000000..c66d658
--- /dev/null
+++ b/usr.sbin/wpa/wpa_passphrase/wpa_passphrase.8
@@ -0,0 +1,66 @@
+.\" Copyright (c) 2006 Henrik Brix Andersen <henrik@brixandersen.dk>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd July 17, 2007
+.Dt WPA_PASSPHRASE 8
+.Os
+.Sh NAME
+.Nm wpa_passphrase
+.Nd "utility for generating a 256-bit pre-shared WPA key from an ASCII passphrase"
+.Sh SYNOPSIS
+.Nm
+.Aq Ar ssid
+.Op Ar passphrase
+.Sh DESCRIPTION
+The
+.Nm
+utility is a small program for generating a 256-bit pre-shared WPA key
+from an ASCII passphrase and a given SSID. The output is formatted for
+inclusion in
+.Xr wpa_supplicant.conf 5 .
+.Pp
+If
+.Nm
+is called with only an SSID as argument it will prompt for a
+passphrase on standard input.
+.Sh SEE ALSO
+.Xr wpa_supplicant.conf 5 ,
+.Xr wpa_supplicant 8
+.Sh HISTORY
+The
+.Nm
+utility first appeared in
+.Fx 6.3 .
+.Sh AUTHORS
+The
+.Nm
+utility was written by
+.An Jouni Malinen
+.Aq j@w1.fi .
+.Pp
+This manual page was written by
+.An Henrik Brix Andersen
+.Aq henrik@brixandersen.dk .
diff --git a/usr.sbin/wpa/wpa_priv/Makefile b/usr.sbin/wpa/wpa_priv/Makefile
new file mode 100644
index 0000000..4dbc631
--- /dev/null
+++ b/usr.sbin/wpa/wpa_priv/Makefile
@@ -0,0 +1,17 @@
+# $FreeBSD$
+
+.include "${.CURDIR}/../Makefile.inc"
+
+.PATH.c:${WPA_SUPPLICANT_DISTDIR} \
+ ${WPA_DISTDIR}/src/drivers
+
+PROG= wpa_priv
+SRCS= drivers.c os_unix.c eloop.c common.c wpa_debug.c wpabuf.c wpa_priv.c \
+ driver_common.c l2_packet_freebsd.c
+
+DPADD+= ${LIBPCAP}
+LDADD+= -lpcap
+
+.include "${.CURDIR}/../Makefile.crypto"
+
+.include <bsd.prog.mk>
diff --git a/usr.sbin/wpa/wpa_supplicant/Makefile b/usr.sbin/wpa/wpa_supplicant/Makefile
new file mode 100644
index 0000000..3424413
--- /dev/null
+++ b/usr.sbin/wpa/wpa_supplicant/Makefile
@@ -0,0 +1,151 @@
+# $FreeBSD$
+
+.include "${.CURDIR}/../Makefile.inc"
+
+.PATH.c:${WPA_SUPPLICANT_DISTDIR} \
+ ${WPA_DISTDIR}/src/drivers
+
+PROG= wpa_supplicant
+SRCS= aes-unwrap.c base64.c blacklist.c bss.c common.c config.c \
+ config_file.c ctrl_iface.c ctrl_iface_unix.c driver_bsd.c \
+ driver_common.c driver_ndis.c driver_wired.c drivers.c \
+ eap_register.c eloop.c events.c gas.c gas_query.c hs20.c \
+ hs20_supplicant.c http_client.c http_server.c httpread.c \
+ ieee802_11_common.c interworking.c l2_packet_freebsd.c main.c \
+ md5.c notify.c offchannel.c os_unix.c peerkey.c pmksa_cache.c \
+ preauth.c scan.c upnp_xml.c uuid.c wpa.c wpa_common.c wpa_debug.c \
+ wpa_ft.c wpa_ie.c wpa_supplicant.c wpabuf.c wpas_glue.c wps.c \
+ wps_attr_build.c wps_attr_parse.c wps_attr_process.c \
+ wps_common.c wps_dev_attr.c wps_enrollee.c wps_registrar.c \
+ wps_supplicant.c wps_upnp.c wps_upnp_ap.c wps_upnp_event.c \
+ wps_upnp_ssdp.c wps_upnp_web.c Packet32.c
+
+MAN= wpa_supplicant.8 wpa_supplicant.conf.5
+
+.if ${MK_EXAMPLES} != "no"
+FILESDIR= ${SHAREDIR}/examples/etc
+.PATH: ${WPA_SUPPLICANT_DISTDIR}
+FILES= wpa_supplicant.conf
+.endif
+
+CFLAGS+=-DCONFIG_BACKEND_FILE \
+ -DCONFIG_DEBUG_SYSLOG \
+ -DCONFIG_DRIVER_BSD \
+ -DCONFIG_DRIVER_NDIS \
+ -DCONFIG_DRIVER_WIRED \
+ -DCONFIG_PEERKEY \
+ -DCONFIG_SMARTCARD \
+ -DCONFIG_TERMINATE_ONLASTIF \
+ -DCONFIG_WPS \
+ -DCONFIG_WPS2 \
+ -DCONFIG_WPS_UPNP \
+ -DCONFIG_TLS=openssl \
+ -DCONFIG_IEEE80211R \
+ -DCONFIG_INTERWORKING \
+ -DCONFIG_PRIVSEP \
+ -DCONFIG_HS20 \
+ -DCONFIG_GAS \
+ -DPKCS12_FUNCS
+#CFLAGS+= -g
+DPADD+= ${LIBPCAP}
+LDADD+= -lpcap
+
+# User customizations to the wpa_supplicant build environment
+CFLAGS+=${WPA_SUPPLICANT_CFLAGS}
+#DPADD+=${WPA_SUPPLICANT_DPADD}
+LDADD+=${WPA_SUPPLICANT_LDADD}
+#LDFLAGS+=${WPA_SUPPLICANT_LDFLAGS}
+
+.if ${MK_WPA_SUPPLICANT_EAPOL} != "no"
+CFLAGS+=-DEAP_GTC \
+ -DEAP_LEAP \
+ -DEAP_MD5 \
+ -DEAP_MSCHAPv2 \
+ -DEAP_OTP \
+ -DEAP_PEAP \
+ -DEAP_PSK \
+ -DEAP_TLS \
+ -DEAP_TTLS \
+ -DEAP_GTC \
+ -DEAP_OTP \
+ -DEAP_LEAP \
+ -DIEEE8021X_EAPOL
+SRCS+= chap.c \
+ eap.c \
+ eap_common.c \
+ eap_gtc.c \
+ eap_leap.c \
+ eap_md5.c \
+ eap_methods.c \
+ eap_mschapv2.c \
+ eap_otp.c \
+ eap_peap.c \
+ eap_peap_common.c \
+ eap_psk.c \
+ eap_psk_common.c \
+ eap_tls.c \
+ eap_tls_common.c \
+ eap_ttls.c \
+ eapol_supp_sm.c \
+ ms_funcs.c \
+ mschapv2.c
+TLS_FUNCS=y
+NEED_AES_EAX=y
+NEED_AES_ENCBLOCK=y
+NEED_AES_OMAC1=y
+.endif
+
+.if !empty(CFLAGS:M-DCONFIG_WPS)
+NEED_AES_CBC=y
+.endif
+
+.if !empty(CFLAGS:M*-DEAP_AKA)
+SRCS+= eap_aka.c
+NEED_SIM_COMMON=y
+NEED_AES_CBC=y
+.endif
+
+.if !empty(CFLAGS:M*-DEAP_SIM)
+SRCS+= eap_sim.c
+NEED_SIM_COMMON=y
+NEED_AES_CBC=y
+.endif
+
+.if defined(NEED_SIM_COMMON)
+SRCS+= eap_sim_common.c
+NEED_FIPS186_2_PRF=y
+.endif
+
+# PC/SC interface for smartcards (USIM, GSM SIM)
+# GSM/UMTS authentication algorithm (for EAP-SIM/EAP-AKA)
+# NB: requires devel/pcsc-lite
+#
+# WPA_SUPPLICANT_CFLAGS=-DEAP_AKA -DPCSC_FUNCS -I/usr/local/include/PCSC
+# WPA_SUPPLICANT_LDADD=-L/usr/local/lib
+#
+.if !empty(CFLAGS:M*-DPCSC_FUNCS)
+SRCS+= pcsc_funcs.c
+DPADD+=${LIBPTHREAD}
+LDADD+=-lpcsclite -lpthread
+.endif
+
+.if !empty(CFLAGS:M*-DEAP_GPSK)
+CFLAGS+=-DEAP_GPSK_SHA256
+SRCS+= eap_gpsk.c \
+ eap_gpsk_common.c
+NEED_AES_OMAC1=y
+.endif
+
+.if !empty(CFLAGS:M*-DEAP_PAX)
+SRCS+= eap_pax.c \
+ eap_pax_common.c
+.endif
+
+.if !empty(CFLAGS:M*-DEAP_SAKE)
+SRCS+= eap_sake.c \
+ eap_sake_common.c
+.endif
+
+.include "${.CURDIR}/../Makefile.crypto"
+
+.include <bsd.prog.mk>
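Review bot: The `MK_WPA_SUPPLICANT_EAPOL` block lists `-DEAP_GTC`, `-DEAP_OTP` and `-DEAP_LEAP` twice in the same `CFLAGS+=` assignment; the second trio after `-DEAP_TTLS` can be dropped so that each EAP method appears once. The repeats are harmless to the compiler, but they make it harder to audit which methods are actually built in. That matters here because the list also enables the legacy `EAP_MD5` and `EAP_LEAP` methods by default. A short comment above the list, such as `# EAP methods built by default; EAP_MD5 and EAP_LEAP are kept for compatibility with older networks`, would record the intent, if that is indeed the reason they are enabled.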
diff --git a/usr.sbin/wpa/wpa_supplicant/Packet32.c b/usr.sbin/wpa/wpa_supplicant/Packet32.c
new file mode 100644
index 0000000..876417e
--- /dev/null
+++ b/usr.sbin/wpa/wpa_supplicant/Packet32.c
@@ -0,0 +1,414 @@
+/*-
+ * Copyright (c) 2005
+ * Bill Paul <wpaul@windriver.com>. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Bill Paul.
+ * 4. Neither the name of the author nor the names of any co-contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL Bill Paul OR THE VOICES IN HIS HEAD
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+/*
+ * This file implements a small portion of the Winpcap API for the
+ * Windows NDIS interface in wpa_supplicant. It provides just enough
+ * routines to fool wpa_supplicant into thinking it's really running
+ * in a Windows environment.
+ */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <sys/errno.h>
+#include <sys/sysctl.h>
+#include <sys/fcntl.h>
+#include <net/if.h>
+#include <net/if_dl.h>
+#include <net/if_var.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <net/route.h>
+
+#include <net80211/ieee80211_ioctl.h>
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <pcap.h>
+
+#include "Packet32.h"
+
+#define OID_802_11_ADD_KEY 0x0d01011D
+
+typedef ULONGLONG NDIS_802_11_KEY_RSC;
+typedef UCHAR NDIS_802_11_MAC_ADDRESS[6];
+
+typedef struct NDIS_802_11_KEY {
+ ULONG Length;
+ ULONG KeyIndex;
+ ULONG KeyLength;
+ NDIS_802_11_MAC_ADDRESS BSSID;
+ NDIS_802_11_KEY_RSC KeyRSC;
+ UCHAR KeyMaterial[1];
+} NDIS_802_11_KEY;
+
+typedef struct NDIS_802_11_KEY_COMPAT {
+ ULONG Length;
+ ULONG KeyIndex;
+ ULONG KeyLength;
+ NDIS_802_11_MAC_ADDRESS BSSID;
+ UCHAR Pad[6]; /* Make struct layout match Windows. */
+ NDIS_802_11_KEY_RSC KeyRSC;
+#ifdef notdef
+ UCHAR KeyMaterial[1];
+#endif
+} NDIS_802_11_KEY_COMPAT;
+
+#define TRUE 1
+#define FALSE 0
+
+struct adapter {
+ int socket;
+ char name[IFNAMSIZ];
+ int prev_roaming;
+};
+
+PCHAR
+PacketGetVersion(void)
+{
+ return("FreeBSD WinPcap compatibility shim v1.0");
+}
+
+void *
+PacketOpenAdapter(CHAR *iface)
+{
+ struct adapter *a;
+ int s;
+ int ifflags;
+ struct ifreq ifr;
+ struct ieee80211req ireq;
+
+ s = socket(PF_INET, SOCK_DGRAM, 0);
+
+ if (s == -1)
+ return(NULL);
+
+ a = malloc(sizeof(struct adapter));
+ if (a == NULL)
+ return(NULL);
+
+ a->socket = s;
+ if (strncmp(iface, "\\Device\\NPF_", 12) == 0)
+ iface += 12;
+ else if (strncmp(iface, "\\DEVICE\\", 8) == 0)
+ iface += 8;
+ snprintf(a->name, IFNAMSIZ, "%s", iface);
+
+ /* Turn off net80211 roaming */
+ bzero((char *)&ireq, sizeof(ireq));
+ strncpy(ireq.i_name, iface, sizeof (ifr.ifr_name));
+ ireq.i_type = IEEE80211_IOC_ROAMING;
+ if (ioctl(a->socket, SIOCG80211, &ireq) == 0) {
+ a->prev_roaming = ireq.i_val;
+ ireq.i_val = IEEE80211_ROAMING_MANUAL;
+ if (ioctl(a->socket, SIOCS80211, &ireq) < 0)
+ fprintf(stderr,
+ "Could not set IEEE80211_ROAMING_MANUAL\n");
+ }
+
+ bzero((char *)&ifr, sizeof(ifr));
+ strncpy(ifr.ifr_name, iface, sizeof (ifr.ifr_name));
+ if (ioctl(a->socket, SIOCGIFFLAGS, (caddr_t)&ifr) < 0) {
+ free(a);
+ close(s);
+ return(NULL);
+ }
+ ifr.ifr_flags |= IFF_UP;
+ if (ioctl(a->socket, SIOCSIFFLAGS, (caddr_t)&ifr) < 0) {
+ free(a);
+ close(s);
+ return(NULL);
+ }
+
+ return(a);
+}
+
+int
+PacketRequest(void *iface, BOOLEAN set, PACKET_OID_DATA *oid)
+{
+ struct adapter *a;
+ uint32_t retval;
+ struct ifreq ifr;
+ NDIS_802_11_KEY *old;
+ NDIS_802_11_KEY_COMPAT *new;
+ PACKET_OID_DATA *o = NULL;
+
+ if (iface == NULL)
+ return(-1);
+
+ a = iface;
+ bzero((char *)&ifr, sizeof(ifr));
+
+ /*
+ * This hack is necessary to work around a difference
+ * betwee the GNU C and Microsoft C compilers. The NDIS_802_11_KEY
+ * structure has a uint64_t in it, right after an array of
+ * chars. The Microsoft compiler inserts padding right before
+ * the 64-bit value to align it on a 64-bit boundary, but
+ * GCC only aligns it on a 32-bit boundary. Trying to pass
+ * the GCC-formatted structure to an NDIS binary driver
+ * fails because some of the fields appear to be at the
+ * wrong offsets.
+ *
+ * To get around this, if we detect someone is trying to do
+ * a set operation on OID_802_11_ADD_KEY, we shuffle the data
+ * into a properly padded structure and pass that into the
+ * driver instead. This allows the driver_ndis.c code supplied
+ * with wpa_supplicant to work unmodified.
+ */
+
+ if (set == TRUE && oid->Oid == OID_802_11_ADD_KEY) {
+ old = (NDIS_802_11_KEY *)&oid->Data;
+ o = malloc(sizeof(PACKET_OID_DATA) +
+ sizeof(NDIS_802_11_KEY_COMPAT) + old->KeyLength);
+ if (o == NULL)
+ return(0);
+ bzero((char *)o, sizeof(PACKET_OID_DATA) +
+ sizeof(NDIS_802_11_KEY_COMPAT) + old->KeyLength);
+ o->Oid = oid->Oid;
+ o->Length = sizeof(NDIS_802_11_KEY_COMPAT) + old->KeyLength;
+ new = (NDIS_802_11_KEY_COMPAT *)&o->Data;
+ new->KeyRSC = old->KeyRSC;
+ new->Length = o->Length;
+ new->KeyIndex = old->KeyIndex;
+ new->KeyLength = old->KeyLength;
+ bcopy(old->BSSID, new->BSSID, sizeof(NDIS_802_11_MAC_ADDRESS));
+ bcopy(old->KeyMaterial, (char *)new +
+ sizeof(NDIS_802_11_KEY_COMPAT), new->KeyLength);
+ ifr.ifr_data = (caddr_t)o;
+ } else
+ ifr.ifr_data = (caddr_t)oid;
+
+ strlcpy(ifr.ifr_name, a->name, sizeof(ifr.ifr_name));
+
+ if (set == TRUE)
+ retval = ioctl(a->socket, SIOCSDRVSPEC, &ifr);
+ else
+ retval = ioctl(a->socket, SIOCGDRVSPEC, &ifr);
+
+ if (o != NULL)
+ free(o);
+
+ if (retval)
+ return(0);
+
+ return(1);
+}
+
+int
+PacketGetAdapterNames(CHAR *namelist, ULONG *len)
+{
+ int mib[6];
+ size_t needed;
+ struct if_msghdr *ifm;
+ struct sockaddr_dl *sdl;
+ char *buf, *lim, *next;
+ char *plist;
+ int spc;
+ int i, ifcnt = 0;
+
+ plist = namelist;
+ spc = 0;
+
+ bzero(plist, *len);
+
+ needed = 0;
+ mib[0] = CTL_NET;
+ mib[1] = PF_ROUTE;
+ mib[2] = 0; /* protocol */
+ mib[3] = 0; /* wildcard address family */
+ mib[4] = NET_RT_IFLIST;
+ mib[5] = 0; /* no flags */
+
+ if (sysctl (mib, 6, NULL, &needed, NULL, 0) < 0)
+ return(FALSE);
+
+ buf = malloc (needed);
+ if (buf == NULL)
+ return(FALSE);
+
+ if (sysctl (mib, 6, buf, &needed, NULL, 0) < 0) {
+ free(buf);
+ return(FALSE);
+ }
+
+ lim = buf + needed;
+
+ /* Generate interface name list. */
+
+ next = buf;
+ while (next < lim) {
+ ifm = (struct if_msghdr *)next;
+ if (ifm->ifm_type == RTM_IFINFO) {
+ sdl = (struct sockaddr_dl *)(ifm + 1);
+ if (strnstr(sdl->sdl_data, "wlan", sdl->sdl_nlen)) {
+ if ((spc + sdl->sdl_nlen) > *len) {
+ free(buf);
+ return(FALSE);
+ }
+ strncpy(plist, sdl->sdl_data, sdl->sdl_nlen);
+ plist += (sdl->sdl_nlen + 1);
+ spc += (sdl->sdl_nlen + 1);
+ ifcnt++;
+ }
+ }
+ next += ifm->ifm_msglen;
+ }
+
+
+ /* Insert an extra "" as a spacer */
+
+ plist++;
+ spc++;
+
+ /*
+ * Now generate the interface description list. There
+ * must be a unique description for each interface, and
+ * they have to match what the ndis_events program will
+ * feed in later. To keep this simple, we just repeat
+ * the interface list over again.
+ */
+
+ next = buf;
+ while (next < lim) {
+ ifm = (struct if_msghdr *)next;
+ if (ifm->ifm_type == RTM_IFINFO) {
+ sdl = (struct sockaddr_dl *)(ifm + 1);
+ if (strnstr(sdl->sdl_data, "wlan", sdl->sdl_nlen)) {
+ if ((spc + sdl->sdl_nlen) > *len) {
+ free(buf);
+ return(FALSE);
+ }
+ strncpy(plist, sdl->sdl_data, sdl->sdl_nlen);
+ plist += (sdl->sdl_nlen + 1);
+ spc += (sdl->sdl_nlen + 1);
+ ifcnt++;
+ }
+ }
+ next += ifm->ifm_msglen;
+ }
+
+ free (buf);
+
+ *len = spc + 1;
+
+ return(TRUE);
+}
+
+void
+PacketCloseAdapter(void *iface)
+{
+ struct adapter *a;
+ struct ifreq ifr;
+ struct ieee80211req ireq;
+
+ if (iface == NULL)
+ return;
+
+ a = iface;
+
+ /* Reset net80211 roaming */
+ bzero((char *)&ireq, sizeof(ireq));
+ strncpy(ireq.i_name, a->name, sizeof (ifr.ifr_name));
+ ireq.i_type = IEEE80211_IOC_ROAMING;
+ ireq.i_val = a->prev_roaming;
+ ioctl(a->socket, SIOCS80211, &ireq);
+
+ bzero((char *)&ifr, sizeof(ifr));
+ strncpy(ifr.ifr_name, a->name, sizeof (ifr.ifr_name));
+ ioctl(a->socket, SIOCGIFFLAGS, (caddr_t)&ifr);
+ ifr.ifr_flags &= ~IFF_UP;
+ ioctl(a->socket, SIOCSIFFLAGS, (caddr_t)&ifr);
+ close(a->socket);
+ free(a);
+
+ return;
+}
+
+#if __FreeBSD_version < 600000
+
+/*
+ * The version of libpcap in FreeBSD 5.2.1 doesn't have these routines.
+ * Call me insane if you will, but I still run 5.2.1 on my laptop, and
+ * I'd like to use WPA there.
+ */
+
+int
+pcap_get_selectable_fd(pcap_t *p)
+{
+ return(pcap_fileno(p));
+}
+
+/*
+ * The old version of libpcap opens its BPF descriptor in read-only
+ * mode. We need to temporarily create a new one we can write to.
+ */
+
+int
+pcap_inject(pcap_t *p, const void *buf, size_t len)
+{
+ int fd;
+ int res, n = 0;
+ char device[sizeof "/dev/bpf0000000000"];
+ struct ifreq ifr;
+
+ /*
+ * Go through all the minors and find one that isn't in use.
+ */
+ do {
+ (void)snprintf(device, sizeof(device), "/dev/bpf%d", n++);
+ fd = open(device, O_RDWR);
+ } while (fd < 0 && errno == EBUSY);
+
+ if (fd == -1)
+ return(-1);
+
+ bzero((char *)&ifr, sizeof(ifr));
+ ioctl(pcap_fileno(p), BIOCGETIF, (caddr_t)&ifr);
+ ioctl(fd, BIOCSETIF, (caddr_t)&ifr);
+
+ res = write(fd, buf, len);
+
+ close(fd);
+
+ return(res);
+}
+#endif
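Review bot: PacketOpenAdapter() leaks the socket `s` when `malloc(sizeof(struct adapter))` fails, because that path returns NULL without closing it, unlike the two later ioctl failure paths; it should read `if (a == NULL) { close(s); return(NULL); }`. In the same function `strncpy(ireq.i_name, iface, sizeof (ifr.ifr_name))` sizes the copy by a different struct's field and does not guarantee NUL termination for a long name. `strlcpy(ireq.i_name, iface, sizeof(ireq.i_name))` would match what PacketRequest() already does for `ifr.ifr_name`, and the same applies to the `strncpy` calls in PacketCloseAdapter(). In PacketRequest(), `old->KeyLength` sizes both the allocation and the `bcopy` from `old->KeyMaterial` without being compared with `oid->Length`, so an oversized value would read past the caller's buffer; a length check before the `malloc` is cheap. The temporary buffer `o` holds key material and is freed without being cleared, so zeroing it before `free(o)` would be a sensible hardening step.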
diff --git a/usr.sbin/wpa/wpa_supplicant/Packet32.h b/usr.sbin/wpa/wpa_supplicant/Packet32.h
new file mode 100644
index 0000000..e0598e7
--- /dev/null
+++ b/usr.sbin/wpa/wpa_supplicant/Packet32.h
@@ -0,0 +1,67 @@
+/*-
+ * Copyright (c) 2005
+ * Bill Paul <wpaul@windriver.com>. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Bill Paul.
+ * 4. Neither the name of the author nor the names of any co-contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL Bill Paul OR THE VOICES IN HIS HEAD
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#ifndef _PACKET32_H_
+#define _PACKET32_H_
+
+#include <sys/types.h>
+#include <ntddndis.h>
+
+struct PACKET_OID_DATA {
+ uint32_t Oid;
+ uint32_t Length;
+ uint8_t Data[1];
+};
+
+
+typedef struct PACKET_OID_DATA PACKET_OID_DATA;
+
+extern PCHAR PacketGetVersion(void);
+extern void *PacketOpenAdapter(CHAR *);
+extern int PacketRequest(void *, BOOLEAN, PACKET_OID_DATA *);
+extern int PacketGetAdapterNames(CHAR *, ULONG *);
+extern void PacketCloseAdapter(void *);
+
+/*
+ * This is for backwards compatibility on FreeBSD 5.
+ */
+
+#ifndef SIOCGDRVSPEC
+#define SIOCSDRVSPEC _IOW('i', 123, struct ifreq) /* set driver-specific
+ parameters */
+#define SIOCGDRVSPEC _IOWR('i', 123, struct ifreq) /* get driver-specific
+ parameters */
+#endif
+
+#endif /* _PACKET32_H_ */
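Review bot: `struct PACKET_OID_DATA` declares `uint8_t Data[1]` next to a `Length` field with no comment saying how the two relate, so a caller of `PacketRequest()` cannot tell from this header how large a buffer it must allocate. If `Data` is meant as a variable-length tail, as it appears to be, I would add a comment above the struct such as `/* Data is a variable-length tail of Length bytes; allocate offsetof(PACKET_OID_DATA, Data) + Length */` and say whether `Length` is rewritten on return. The prototypes would also read better with parameter names, e.g. `PacketRequest(void *iface, BOOLEAN set, PACKET_OID_DATA *oid)`. The body of `PacketRequest()` is not in this hunk, so whether it bounds its copy by `Length` has to be confirmed in the implementation.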
diff --git a/usr.sbin/wpa/wpa_supplicant/ntddndis.h b/usr.sbin/wpa/wpa_supplicant/ntddndis.h
new file mode 100644
index 0000000..42e403d
--- /dev/null
+++ b/usr.sbin/wpa/wpa_supplicant/ntddndis.h
@@ -0,0 +1,31 @@
+#ifndef _NTDDNDIS_H_
+#define _NTDDNDIS_H_
+
+/*
+ * $FreeBSD$
+ */
+
+/*
+ * Fake up some of the Windows type definitions so that the NDIS
+ * interface module in wpa_supplicant will build.
+ */
+
+#define ULONG uint32_t
+#define USHORT uint16_t
+#define UCHAR uint8_t
+#define LONG int32_t
+#define SHORT int16_t
+#define CHAR int8_t
+#define ULONGLONG uint64_t
+#define LONGLONG int64_t
+#define BOOLEAN uint8_t
+typedef void * LPADAPTER;
+typedef char * PTSTR;
+typedef char * PCHAR;
+
+#define TRUE 1
+#define FALSE 0
+
+#define OID_802_3_CURRENT_ADDRESS 0x01010102
+
+#endif /* _NTDDNDIS_H_ */
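Review bot: The Windows type names are introduced with `#define` rather than `typedef`, so `CHAR`, `LONG`, `SHORT`, `TRUE` and the rest are rewritten by the preprocessor in every file that includes this header, wherever those tokens appear. `CHAR` is also mapped to `int8_t` while `PCHAR` and `PTSTR` are `char *`, so `CHAR *` and `PCHAR` are different pointer types and passing an ordinary string to a `CHAR *` parameter will draw pointer-signedness warnings. I would use typedefs, e.g. `typedef uint32_t ULONG;` and `typedef char CHAR;`, and wrap the booleans in `#ifndef TRUE`. The header also uses the fixed-width types without including `<sys/types.h>` itself, so it only compiles when the includer pulls that in first.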
diff --git a/usr.sbin/wpa/wpa_supplicant/wpa_supplicant.8 b/usr.sbin/wpa/wpa_supplicant/wpa_supplicant.8
new file mode 100644
index 0000000..466759d
--- /dev/null
+++ b/usr.sbin/wpa/wpa_supplicant/wpa_supplicant.8
@@ -0,0 +1,184 @@
+.\" Copyright (c) 2005 Sam Leffler <sam@errno.com>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd November 7, 2012
+.Dt WPA_SUPPLICANT 8
+.Os
+.Sh NAME
+.Nm wpa_supplicant
+.Nd "WPA/802.11i Supplicant for wireless network devices"
+.Sh SYNOPSIS
+.Nm
+.Op Fl BdhKLqstuvW
+.Op Fl b Ar br_ifname
+.Fl c Ar config-file
+.Op Fl C Ar ctrl
+.Op Fl D Ar driver
+.Op Fl f Ar debug file
+.Op Fl g Ar global ctrl
+.Fl i Ar ifname
+.Op Fl o Ar override driver
+.Op Fl O Ar override ctrl
+.Op Fl P Ar pid file
+.Oo Fl N
+.Fl i Ar ifname
+.Fl c Ar config-file
+.Op Fl C Ar ctrl
+.Op Fl D driver
+.Op Fl p Ar driver_param
+.Op Fl b Ar br_ifname
+.No ...
+.Oc
+.Sh DESCRIPTION
+The
+.Nm
+utility
+is an implementation of the WPA Supplicant component,
+i.e., the part that runs in the client stations.
+It implements WPA key negotiation with a WPA Authenticator
+and EAP authentication with an Authentication Server.
+In addition,
+.Nm
+controls the roaming and IEEE 802.11
+authentication/association support of the
+.Xr wlan 4
+module and can be used to configure static WEP keys
+based on identified networks.
+.Pp
+The
+.Nm
+utility
+is designed to be a
+.Dq daemon
+program that runs in the
+background and acts as the backend component controlling
+the wireless connection.
+It supports separate frontend programs such as the
+text-based
+.Xr wpa_cli 8
+program.
+.Pp
+The following arguments must be specified on the command line:
+.Bl -tag -width indent
+.It Fl i Ar ifname
+Use the specified wireless interface.
+.It Fl c Ar config-file
+Use the settings in the specified configuration file when managing
+the wireless interface.
+See
+.Xr wpa_supplicant.conf 5
+for a description of the configuration file syntax and contents.
+.Pp
+Changes to the configuration file can be reloaded by sending a
+.Dv SIGHUP
+to the
+.Nm
+process or with the
+.Xr wpa_cli 8
+utility, using
+.Dq Li "wpa_cli reconfigure" .
+.El
+.Sh OPTIONS
+The following options are available:
+.Bl -tag -width indent
+.It Fl b
+Optional bridge interface name.
+.It Fl B
+Detach from the controlling terminal and run as a daemon process
+in the background.
+.It Fl d
+Enable debugging messages.
+If this option is supplied twice, more verbose messages are displayed.
+.It Fl D
+Driver name (can be multiple drivers: nl80211,wext).
+.It Fl f
+Log output to debug file instead of stdout.
+.It Fl g
+Global ctrl_interface.
+.It Fl h
+Show help text.
+.It Fl K
+Include key information in debugging output.
+.It Fl L
+Display the license for this program on the terminal and exit.
+.It Fl N
+Start describing a new interface.
+.It Fl o
+Overrides driver parameter for new interfaces.
+.It Fl O
+Override ctrl_interface parameter for new interfaces.
+.It Fl p
+Specify driver parameters.
+.It Fl P
+File in which to save the process PID.
+.It Fl q
+Decrease debugging verbosity (i.e., counteract the use of the
+.Fl d
+flag).
+.It Fl s
+Send log messages through
+.Xr syslog 3
+instead of to the terminal.
+.It Fl t
+Include timestamp in debug messages.
+.It Fl u
+Enable DBus control interface.
+.It Fl v
+Display version information on the terminal and exit.
+.It Fl W
+Wait for a control interface monitor before starting.
+.El
+.Sh SEE ALSO
+.Xr an 4 ,
+.Xr ath 4 ,
+.Xr ipw 4 ,
+.Xr iwi 4 ,
+.Xr ral 4 ,
+.Xr rum 4 ,
+.Xr ural 4 ,
+.Xr wi 4 ,
+.Xr wlan 4 ,
+.Xr wpi 4 ,
+.Xr zyd 4 ,
+.Xr wpa_supplicant.conf 5 ,
+.Xr devd 8 ,
+.Xr ifconfig 8 ,
+.Xr wpa_cli 8
+.Sh HISTORY
+The
+.Nm
+utility first appeared in
+.Fx 6.0 .
+.Sh AUTHORS
+The
+.Nm
+utility was written by
+.An Jouni Malinen Aq j@w1.fi .
+This manual page is derived from the
+.Pa README
+file included in the
+.Nm
+distribution.
diff --git a/usr.sbin/wpa/wpa_supplicant/wpa_supplicant.conf.5 b/usr.sbin/wpa/wpa_supplicant/wpa_supplicant.conf.5
new file mode 100644
index 0000000..5d6914f
--- /dev/null
+++ b/usr.sbin/wpa/wpa_supplicant/wpa_supplicant.conf.5
@@ -0,0 +1,578 @@
+.\" Copyright (c) 2005 Sam Leffler <sam@errno.com>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd April 10, 2010
+.Dt WPA_SUPPLICANT.CONF 5
+.Os
+.Sh NAME
+.Nm wpa_supplicant.conf
+.Nd configuration file for
+.Xr wpa_supplicant 8
+.Sh DESCRIPTION
+The
+.Xr wpa_supplicant 8
+utility is an implementation of the WPA Supplicant component,
+i.e., the part that runs in the client stations.
+It implements WPA key negotiation with a WPA Authenticator
+and EAP authentication with Authentication Server using
+configuration information stored in a text file.
+.Pp
+The configuration file consists of optional global parameter
+settings and one or more network blocks, e.g.\&
+one for each used SSID.
+The
+.Xr wpa_supplicant 8
+utility
+will automatically select the best network based on the order of
+the network blocks in the configuration file, network security level
+(WPA/WPA2 is preferred), and signal strength.
+Comments are indicated with the
+.Ql #
+character; all text to the
+end of the line will be ignored.
+.Sh GLOBAL PARAMETERS
+Default parameters used by
+.Xr wpa_supplicant 8
+may be overridden by specifying
+.Pp
+.Dl parameter=value
+.Pp
+in the configuration file (note no spaces are allowed).
+Values with embedded spaces must be enclosed in quote marks.
+.Pp
+The following parameters are recognized:
+.Bl -tag -width indent
+.It Va ctrl_interface
+The pathname of the directory in which
+.Xr wpa_supplicant 8
+creates
+.Ux
+domain socket files for communication
+with frontend programs such as
+.Xr wpa_cli 8 .
+.It Va ctrl_interface_group
+A group name or group ID to use in setting protection on the
+control interface file.
+This can be set to allow non-root users to access the
+control interface files.
+If no group is specified, the group ID of the control interface
+is not modified and will, typically, be the
+group ID of the directory in which the socket is created.
+.It Va eapol_version
+The IEEE 802.1x/EAPOL protocol version to use; either 1 (default) or 2.
+The
+.Xr wpa_supplicant 8
+utility
+is implemented according to IEEE 802-1X-REV-d8 which defines
+EAPOL version to be 2.
+However, some access points do not work when presented with
+this version so by default
+.Xr wpa_supplicant 8
+will announce that it is using EAPOL version 1.
+If version 2 must be announced for correct operation with an
+access point, this value may be set to 2.
+.It Va ap_scan
+Access point scanning and selection control; one of 0, 1 (default), or 2.
+Only setting 1 should be used with the
+.Xr wlan 4
+module; the other settings are for use on other operating systems.
+.It Va fast_reauth
+EAP fast re-authentication; either 1 (default) or 0.
+Control fast re-authentication support in EAP methods that support it.
+.El
+.Sh NETWORK BLOCKS
+Each potential network/access point should have a
+.Dq "network block"
+that describes how to identify it and how to set up security.
+When multiple network blocks are listed in a configuration file,
+the highest priority one is selected for use or, if multiple networks
+with the same priority are identified, the first one listed in the
+configuration file is used.
+.Pp
+A network block description is of the form:
+.Bd -literal -offset indent
+network={
+ parameter=value
+ ...
+}
+.Ed
+.Pp
+(note the leading
+.Qq Li "network={"
+may have no spaces).
+The block specification contains one or more parameters
+from the following list:
+.Bl -tag -width indent
+.It Va ssid No (required)
+Network name (as announced by the access point).
+An
+.Tn ASCII
+or hex string enclosed in quotation marks.
+.It Va scan_ssid
+SSID scan technique; 0 (default) or 1.
+Technique 0 scans for the SSID using a broadcast Probe Request
+frame while 1 uses a directed Probe Request frame.
+Access points that cloak themselves by not broadcasting their SSID
+require technique 1, but beware that this scheme can cause scanning
+to take longer to complete.
+.It Va bssid
+Network BSSID (typically the MAC address of the access point).
+.It Va priority
+The priority of a network when selecting among multiple networks;
+a higher value means a network is more desirable.
+By default networks have priority 0.
+When multiple networks with the same priority are considered
+for selection, other information such as security policy and
+signal strength are used to select one.
+.It Va mode
+IEEE 802.11 operation mode; either 0 (infrastructure, default) or 1 (IBSS).
+Note that IBSS (adhoc) mode can only be used with
+.Va key_mgmt
+set to
+.Li NONE
+(plaintext and static WEP), or
+.Va key_mgmt
+set to
+.Li WPA-NONE
+(fixed group key TKIP/CCMP).
+In addition,
+.Va ap_scan
+has to be set to 2 for IBSS.
+.Li WPA-NONE
+requires
+.Va proto
+set to WPA,
+.Va key_mgmt
+set to WPA-NONE,
+.Va pairwise
+set to NONE,
+.Va group
+set to either
+CCMP or TKIP (but not both), and
+.Va psk
+must also be set.
+.It Va proto
+List of acceptable protocols; one or more of:
+.Li WPA
+(IEEE 802.11i/D3.0)
+and
+.Li RSN
+(IEEE 802.11i).
+.Li WPA2
+is another name for
+.Li RSN .
+If not set this defaults to
+.Qq Li "WPA RSN" .
+.It Va key_mgmt
+List of acceptable key management protocols; one or more of:
+.Li WPA-PSK
+(WPA pre-shared key),
+.Li WPA-EAP
+(WPA using EAP authentication),
+.Li IEEE8021X
+(IEEE 802.1x using EAP authentication and,
+optionally, dynamically generated WEP keys),
+.Li NONE
+(plaintext or static WEP keys).
+If not set this defaults to
+.Qq Li "WPA-PSK WPA-EAP" .
+.It Va auth_alg
+List of allowed IEEE 802.11 authentication algorithms; one or more of:
+.Li OPEN
+(Open System authentication, required for WPA/WPA2),
+.Li SHARED
+(Shared Key authentication),
+.Li LEAP
+(LEAP/Network EAP).
+If not set automatic selection is used (Open System with LEAP
+enabled if LEAP is allowed as one of the EAP methods).
+.It Va pairwise
+List of acceptable pairwise (unicast) ciphers for WPA; one or more of:
+.Li CCMP
+(AES in Counter mode with CBC-MAC, RFC 3610, IEEE 802.11i/D7.0),
+.Li TKIP
+(Temporal Key Integrity Protocol, IEEE 802.11i/D7.0),
+.Li NONE
+(deprecated).
+If not set this defaults to
+.Qq Li "CCMP TKIP" .
+.It Va group
+List of acceptable group (multicast) ciphers for WPA; one or more of:
+.Li CCMP
+(AES in Counter mode with CBC-MAC, RFC 3610, IEEE 802.11i/D7.0),
+.Li TKIP
+(Temporal Key Integrity Protocol, IEEE 802.11i/D7.0),
+.Li WEP104
+(WEP with 104-bit key),
+.Li WEP40
+(WEP with 40-bit key).
+If not set this defaults to
+.Qq Li "CCMP TKIP WEP104 WEP40" .
+.It Va psk
+WPA preshared key used in WPA-PSK mode.
+The key is specified as 64 hex digits or as
+an 8-63 character
+.Tn ASCII
+passphrase.
+.Tn ASCII
+passphrases are dynamically converted to a 256-bit key at runtime
+using the network SSID, or they can be statically converted at
+configuration time using
+the
+.Xr wpa_passphrase 8
+utility.
+.It Va eapol_flags
+Dynamic WEP key usage for non-WPA mode, specified as a bit field.
+Bit 0 (1) forces dynamically generated unicast WEP keys to be used.
+Bit 1 (2) forces dynamically generated broadcast WEP keys to be used.
+By default this is set to 3 (use both).
+.It Va eap
+List of acceptable EAP methods; one or more of:
+.Li MD5
+(EAP-MD5, cannot be used with WPA,
+used only as a Phase 2 method with EAP-PEAP or EAP-TTLS),
+.Li MSCHAPV2
+(EAP-MSCHAPV2, cannot be used with WPA;
+used only as a Phase 2 method with EAP-PEAP or EAP-TTLS),
+.Li OTP
+(EAP-OTP, cannot be used with WPA;
+used only as a Phase 2 metod with EAP-PEAP or EAP-TTLS),
+.Li GTC
+(EAP-GTC, cannot be used with WPA;
+used only as a Phase 2 metod with EAP-PEAP or EAP-TTLS),
+.Li TLS
+(EAP-TLS, client and server certificate),
+.Li PEAP
+(EAP-PEAP, with tunneled EAP authentication),
+.Li TTLS
+(EAP-TTLS, with tunneled EAP or PAP/CHAP/MSCHAP/MSCHAPV2 authentication).
+If not set this defaults to all available methods compiled in to
+.Xr wpa_supplicant 8 .
+Note that by default
+.Xr wpa_supplicant 8
+is compiled with EAP support; see
+.Xr make.conf 5
+for the
+.Va NO_WPA_SUPPLICANT_EAPOL
+configuration variable that can be used to disable EAP support.
+.It Va identity
+Identity string for EAP.
+.It Va anonymous_identity
+Anonymous identity string for EAP (to be used as the unencrypted identity
+with EAP types that support different tunneled identities; e.g.\& EAP-TTLS).
+.It Va mixed_cell
+Configure whether networks that allow both plaintext and encryption
+are allowed when selecting a BSS from the scan results.
+By default this is set to 0 (disabled).
+.It Va password
+Password string for EAP.
+.It Va ca_cert
+Pathname to CA certificate file.
+This file can have one or more trusted CA certificates.
+If
+.Va ca_cert
+is not included, server certificates will not be verified (not recommended).
+.It Va client_cert
+Pathname to client certificate file (PEM/DER).
+.It Va private_key
+Pathname to a client private key file (PEM/DER/PFX).
+When a PKCS#12/PFX file is used, then
+.Va client_cert
+should not be specified as both the private key and certificate will be
+read from PKCS#12 file.
+.It Va private_key_passwd
+Password for any private key file.
+.It Va dh_file
+Pathname to a file holding DH/DSA parameters (in PEM format).
+This file holds parameters for an ephemeral DH key exchange.
+In most cases, the default RSA authentication does not use this configuration.
+However, it is possible to set up RSA to use an ephemeral DH key exchange.
+In addition, ciphers with
+DSA keys always use ephemeral DH keys.
+This can be used to achieve forward secrecy.
+If the
+.Va dh_file
+is in DSA parameters format, it will be automatically converted
+into DH parameters.
+.It Va subject_match
+Substring to be matched against the subject of the
+authentication server certificate.
+If this string is set, the server
+certificate is only accepted if it contains this string in the subject.
+The subject string is in following format:
+.Pp
+.Dl "/C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com"
+.It Va phase1
+Phase1 (outer authentication, i.e., TLS tunnel) parameters
+(string with field-value pairs, e.g.,
+.Qq Li peapver=0
+or
+.Qq Li "peapver=1 peaplabel=1" ) .
+.Bl -inset
+.It Li peapver
+can be used to force which PEAP version (0 or 1) is used.
+.It Li peaplabel=1
+can be used to force new label,
+.Dq "client PEAP encryption" ,
+to be used during key derivation when PEAPv1 or newer.
+Most existing PEAPv1 implementations seem to be using the old label,
+.Dq Li "client EAP encryption" ,
+and
+.Xr wpa_supplicant 8
+is now using that as the
+default value.
+Some servers, e.g.,
+.Tn Radiator ,
+may require
+.Li peaplabel=1
+configuration to interoperate with PEAPv1; see
+.Pa eap_testing.txt
+for more details.
+.It Li peap_outer_success=0
+can be used to terminate PEAP authentication on
+tunneled EAP-Success.
+This is required with some RADIUS servers that
+implement
+.Pa draft-josefsson-pppext-eap-tls-eap-05.txt
+(e.g.,
+.Tn Lucent NavisRadius v4.4.0
+with PEAP in
+.Dq "IETF Draft 5"
+mode).
+.It Li include_tls_length=1
+can be used to force
+.Xr wpa_supplicant 8
+to include
+TLS Message Length field in all TLS messages even if they are not
+fragmented.
+.It Li sim_min_num_chal=3
+can be used to configure EAP-SIM to require three
+challenges (by default, it accepts 2 or 3).
+.It Li fast_provisioning=1
+option enables in-line provisioning of EAP-FAST
+credentials (PAC).
+.El
+.It Va phase2
+phase2: Phase2 (inner authentication with TLS tunnel) parameters
+(string with field-value pairs, e.g.,
+.Qq Li "auth=MSCHAPV2"
+for EAP-PEAP or
+.Qq Li "autheap=MSCHAPV2 autheap=MD5"
+for EAP-TTLS).
+.It Va ca_cert2
+Like
+.Va ca_cert
+but for EAP inner Phase 2.
+.It Va client_cert2
+Like
+.Va client_cert
+but for EAP inner Phase 2.
+.It Va private_key2
+Like
+.Va private_key
+but for EAP inner Phase 2.
+.It Va private_key2_passwd
+Like
+.Va private_key_passwd
+but for EAP inner Phase 2.
+.It Va dh_file2
+Like
+.Va dh_file
+but for EAP inner Phase 2.
+.It Va subject_match2
+Like
+.Va subject_match
+but for EAP inner Phase 2.
+.It Va eappsk
+16-byte pre-shared key in hex format for use with EAP-PSK.
+.It Va nai
+User NAI for use with EAP-PSK.
+.It Va server_nai
+Authentication Server NAI for use with EAP-PSK.
+.It Va pac_file
+Pathname to the file to use for PAC entries with EAP-FAST.
+The
+.Xr wpa_supplicant 8
+utility
+must be able to create this file and write updates to it when
+PAC is being provisioned or refreshed.
+.It Va eap_workaround
+Enable/disable EAP workarounds for various interoperability issues
+with misbehaving authentication servers.
+By default these workarounds are enabled.
+Strict EAP conformance can be configured by setting this to 0.
+.It Va wep_tx_keyidx
+which key to use for transmission of packets.
+.It Va wep_keyN key
+An
+.Tn ASCII
+string enclosed in quotation marks to encode the WEP key.
+Without quotes this is a hex string of the actual key.
+WEP is considered insecure and should be avoided.
+The exact translation from an ASCII key to a hex key varies.
+Use hex keys where possible.
+.El
+.Sh CERTIFICATES
+Some EAP authentication methods require use of certificates.
+EAP-TLS uses both server- and client-side certificates,
+whereas EAP-PEAP and EAP-TTLS only require a server-side certificate.
+When a client certificate is used, a matching private key file must
+also be included in configuration.
+If the private key uses a passphrase, this
+has to be configured in the
+.Nm
+file as
+.Va private_key_passwd .
+.Pp
+The
+.Xr wpa_supplicant 8
+utility
+supports X.509 certificates in PEM and DER formats.
+User certificate and private key can be included in the same file.
+.Pp
+If the user certificate and private key is received in PKCS#12/PFX
+format, they need to be converted to a suitable PEM/DER format for
+use by
+.Xr wpa_supplicant 8 .
+This can be done using the
+.Xr openssl 1
+program, e.g.\& with the following commands:
+.Bd -literal
+# convert client certificate and private key to PEM format
+openssl pkcs12 -in example.pfx -out user.pem -clcerts
+# convert CA certificate (if included in PFX file) to PEM format
+openssl pkcs12 -in example.pfx -out ca.pem -cacerts -nokeys
+.Ed
+.Sh FILES
+.Bl -tag -width ".Pa /usr/share/examples/etc/wpa_supplicant.conf" -compact
+.It Pa /etc/wpa_supplicant.conf
+.It Pa /usr/share/examples/etc/wpa_supplicant.conf
+.El
+.Sh EXAMPLES
+WPA-Personal (PSK) as a home network and WPA-Enterprise with EAP-TLS
+as a work network:
+.Bd -literal
+# allow frontend (e.g., wpa_cli) to be used by all users in 'wheel' group
+ctrl_interface=/var/run/wpa_supplicant
+ctrl_interface_group=wheel
+#
+# home network; allow all valid ciphers
+network={
+ ssid="home"
+ scan_ssid=1
+ key_mgmt=WPA-PSK
+ psk="very secret passphrase"
+}
+#
+# work network; use EAP-TLS with WPA; allow only CCMP and TKIP ciphers
+network={
+ ssid="work"
+ scan_ssid=1
+ key_mgmt=WPA-EAP
+ pairwise=CCMP TKIP
+ group=CCMP TKIP
+ eap=TLS
+ identity="user@example.com"
+ ca_cert="/etc/cert/ca.pem"
+ client_cert="/etc/cert/user.pem"
+ private_key="/etc/cert/user.prv"
+ private_key_passwd="password"
+}
+.Ed
+.Pp
+WPA-RADIUS/EAP-PEAP/MSCHAPv2 with RADIUS servers that use old peaplabel
+(e.g., Funk Odyssey and SBR, Meetinghouse Aegis, Interlink RAD-Series):
+.Bd -literal
+ctrl_interface=/var/run/wpa_supplicant
+ctrl_interface_group=wheel
+network={
+ ssid="example"
+ scan_ssid=1
+ key_mgmt=WPA-EAP
+ eap=PEAP
+ identity="user@example.com"
+ password="foobar"
+ ca_cert="/etc/cert/ca.pem"
+ phase1="peaplabel=0"
+ phase2="auth=MSCHAPV2"
+}
+.Ed
+.Pp
+EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the
+unencrypted use.
+Real identity is sent only within an encrypted TLS tunnel.
+.Bd -literal
+ctrl_interface=/var/run/wpa_supplicant
+ctrl_interface_group=wheel
+network={
+ ssid="example"
+ scan_ssid=1
+ key_mgmt=WPA-EAP
+ eap=TTLS
+ identity="user@example.com"
+ anonymous_identity="anonymous@example.com"
+ password="foobar"
+ ca_cert="/etc/cert/ca.pem"
+ phase2="auth=MD5"
+}
+.Ed
+.Pp
+Traditional WEP configuration with 104 bit key specified in hexadecimal.
+Note the WEP key is not quoted.
+.Bd -literal
+ctrl_interface=/var/run/wpa_supplicant
+ctrl_interface_group=wheel
+network={
+ ssid="example"
+ scan_ssid=1
+ key_mgmt=NONE
+ wep_tx_keyidx=0
+ # hex keys denoted without quotes
+ wep_key0=42FEEDDEAFBABEDEAFBEEFAA55
+ # ASCII keys denoted with quotes.
+ wep_key1="FreeBSDr0cks!"
+}
+.Ed
+.Sh SEE ALSO
+.Xr wpa_cli 8 ,
+.Xr wpa_passphrase 8 ,
+.Xr wpa_supplicant 8
+.Sh HISTORY
+The
+.Nm
+manual page and
+.Xr wpa_supplicant 8
+functionality first appeared in
+.Fx 6.0 .
+.Sh AUTHORS
+This manual page is derived from the
+.Pa README
+and
+.Pa wpa_supplicant.conf
+files in the
+.Nm wpa_supplicant
+distribution provided by
+.An Jouni Malinen Aq j@w1.fi .