1 files changed, 254 insertions, 66 deletions

diff --git a/meta/packages/wpa-supplicant/files/wpa_supplicant.conf b/meta/packages/wpa-supplicant/files/wpa_supplicant.conf
index da407b5ef3..f0c993d195 100644
--- a/meta/packages/wpa-supplicant/files/wpa_supplicant.conf
+++ b/meta/packages/wpa-supplicant/files/wpa_supplicant.conf
@@ -1,21 +1,46 @@
 ##### Example wpa_supplicant configuration file ###############################
+#
+# This file describes configuration file format and lists all available option.
+# Please also take a look at simpler configuration examples in 'examples'
+# subdirectory.
+#
 # Empty lines and lines starting with # are ignored
 
 # NOTE! This file may contain password information and should probably be made
 # readable only by root user on multiuser systems.
 
+# Note: All file paths in this configuration file should use full (absolute,
+# not relative to working directory) path in order to allow working directory
+# to be changed. This can happen if wpa_supplicant is run in the background.
+
+# Whether to allow wpa_supplicant to update (overwrite) configuration
+#
+# This option can be used to allow wpa_supplicant to overwrite configuration
+# file whenever configuration is changed (e.g., new network block is added with
+# wpa_cli or wpa_gui, or a password is changed). This is required for
+# wpa_cli/wpa_gui to be able to store the configuration changes permanently.
+# Please note that overwriting configuration file will remove the comments from
+# it.
+#update_config=1
+
 # global configuration (shared by all network blocks)
 #
-# Interface for separate control program. If this is specified, wpa_supplicant
-# will create this directory and a UNIX domain socket for listening to requests
-# from external programs (CLI/GUI, etc.) for status information and
-# configuration. The socket file will be named based on the interface name, so
-# multiple wpa_supplicant processes can be run at the same time if more than
-# one interface is used.
+# Parameters for the control interface. If this is specified, wpa_supplicant
+# will open a control interface that is available for external programs to
+# manage wpa_supplicant. The meaning of this string depends on which control
+# interface mechanism is used. For all cases, the existance of this parameter
+# in configuration is used to determine whether the control interface is
+# enabled.
+#
+# For UNIX domain sockets (default on Linux and BSD): This is a directory that
+# will be created for UNIX domain sockets for listening to requests from
+# external programs (CLI/GUI, etc.) for status information and configuration.
+# The socket file will be named based on the interface name, so multiple
+# wpa_supplicant processes can be run at the same time if more than one
+# interface is used.
 # /var/run/wpa_supplicant is the recommended directory for sockets and by
 # default, wpa_cli will use it when trying to connect with wpa_supplicant.
-ctrl_interface=/var/run/wpa_supplicant
-
+#
 # Access control for the control interface can be configured by setting the
 # directory to allow only members of a group to use sockets. This way, it is
 # possible to run wpa_supplicant as root (since it needs to change network
@@ -29,12 +54,28 @@ ctrl_interface=/var/run/wpa_supplicant
 # not included in the configuration file, group will not be changed from the
 # value it got by default when the directory or socket was created.
 #
-# This variable can be a group name or gid.
-#ctrl_interface_group=wheel
-ctrl_interface_group=0
+# When configuring both the directory and group, use following format:
+# DIR=/var/run/wpa_supplicant GROUP=wheel
+# DIR=/var/run/wpa_supplicant GROUP=0
+# (group can be either group name or gid)
+#
+# For UDP connections (default on Windows): The value will be ignored. This
+# variable is just used to select that the control interface is to be created.
+# The value can be set to, e.g., udp (ctrl_interface=udp)
+#
+# For Windows Named Pipe: This value can be used to set the security descriptor
+# for controlling access to the control interface. Security descriptor can be
+# set using Security Descriptor String Format (see http://msdn.microsoft.com/
+# library/default.asp?url=/library/en-us/secauthz/security/
+# security_descriptor_string_format.asp). The descriptor string needs to be
+# prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty
+# DACL (which will reject all connections). See README-Windows.txt for more
+# information about SDDL string format.
+#
+ctrl_interface=/var/run/wpa_supplicant
 
 # IEEE 802.1X/EAPOL version
-# wpa_supplicant was implemented based on IEEE 802-1X-REV-d8 which defines
+# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines
 # EAPOL version 2. However, there are many APs that do not handle the new
 # version number correctly (they seem to drop the frames completely). In order
 # to make wpa_supplicant interoperate with these APs, the version number is set
@@ -52,13 +93,15 @@ eapol_version=1
 # 0: driver takes care of scanning, AP selection, and IEEE 802.11 association
 #    parameters (e.g., WPA IE generation); this mode can also be used with
 #    non-WPA drivers when using IEEE 802.1X mode; do not try to associate with
-#    APs (i.e., external program needs to control association)
+#    APs (i.e., external program needs to control association). This mode must
+#    also be used when using wired Ethernet drivers.
 # 2: like 0, but associate with APs using security policy and SSID (but not
-#    BSSID); this can be used, e.g., with ndiswrapper and NDIS driver to
+#    BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to
 #    enable operation with hidden SSIDs and optimized roaming; in this mode,
-#    only the first network block in the configuration file is used and this
-#    configuration should have explicit security policy (i.e., only one option
-#    in the lists) for key_mgmt, pairwise, group, proto variables
+#    the network blocks in the configuration file are tried one by one until
+#    the driver reports successful association; each network block should have
+#    explicit security policy (i.e., only one option in the lists) for
+#    key_mgmt, pairwise, group, proto variables
 ap_scan=1
 
 # EAP fast re-authentication
@@ -67,6 +110,38 @@ ap_scan=1
 # Normally, there is no need to disable this.
 fast_reauth=1
 
+# OpenSSL Engine support
+# These options can be used to load OpenSSL engines.
+# The two engines that are supported currently are shown below:
+# They are both from the opensc project (http://www.opensc.org/)
+# By default no engines are loaded.
+# make the opensc engine available
+#opensc_engine_path=/usr/lib/opensc/engine_opensc.so
+# make the pkcs11 engine available
+#pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
+# configure the path to the pkcs11 module required by the pkcs11 engine
+#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
+
+# Dynamic EAP methods
+# If EAP methods were built dynamically as shared object files, they need to be
+# loaded here before being used in the network blocks. By default, EAP methods
+# are included statically in the build, so these lines are not needed
+#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so
+#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so
+
+# Driver interface parameters
+# This field can be used to configure arbitrary driver interace parameters. The
+# format is specific to the selected driver interface. This field is not used
+# in most cases.
+#driver_param="field=value"
+
+# Maximum lifetime for PMKSA in seconds; default 43200
+#dot11RSNAConfigPMKLifetime=43200
+# Threshold for reauthentication (percentage of PMK lifetime); default 70
+#dot11RSNAConfigPMKReauthThreshold=70
+# Timeout for security association negotiation in seconds; default 60
+#dot11RSNAConfigSATimeout=60
+
 # network block
 #
 # Each network (usually AP's sharing the same SSID) is configured as a separate
@@ -75,6 +150,15 @@ fast_reauth=1
 #
 # network block fields:
 #
+# disabled:
+#       0 = this network can be used (default)
+#       1 = this network block is disabled (can be enabled through ctrl_iface,
+#           e.g., with wpa_cli or wpa_gui)
+#
+# id_str: Network identifier string for external scripts. This value is passed
+#       to external action script through wpa_cli as WPA_ID_STR environment
+#       variable to make it easier to do network specific configuration.
+#
 # ssid: SSID (mandatory); either as an ASCII string with double quotation or
 #       as hex string; network name
 #
@@ -95,9 +179,9 @@ fast_reauth=1
 # priority value, the sooner the network is matched against the scan results).
 # Within each priority group, networks will be selected based on security
 # policy, signal strength, etc.
-# Please note that AP scanning with scan_ssid=1 is not using this priority to
-# select the order for scanning. Instead, it uses the order the networks are in
-# the configuration file.
+# Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not
+# using this priority to select the order for scanning. Instead, they try the
+# networks in the order that used in the configuration file.
 #
 # mode: IEEE 802.11 operation mode
 # 0 = infrastructure (Managed) mode, i.e., associate with an AP (default)
@@ -155,10 +239,27 @@ fast_reauth=1
 # only when the passphrase or SSID has actually changed.
 #
 # eapol_flags: IEEE 802.1X/EAPOL options (bit field)
-# Dynamic WEP key require for non-WPA mode
+# Dynamic WEP key required for non-WPA mode
 # bit0 (1): require dynamically generated unicast WEP key
 # bit1 (2): require dynamically generated broadcast WEP key
 #       (3 = require both keys; default)
+# Note: When using wired authentication, eapol_flags must be set to 0 for the
+# authentication to be completed successfully.
+#
+# proactive_key_caching:
+# Enable/disable opportunistic PMKSA caching for WPA2.
+# 0 = disabled (default)
+# 1 = enabled
+#
+# wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or
+# hex without quotation, e.g., 0102030405)
+# wep_tx_keyidx: Default WEP key index (TX) (0..3)
+#
+# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is
+# allowed. This is only used with RSN/WPA2.
+# 0 = disabled (default)
+# 1 = enabled
+#peerkey=1
 #
 # Following fields are only used with internal EAP implementation.
 # eap: space-separated list of accepted EAP methods
@@ -182,16 +283,46 @@ fast_reauth=1
 #       unencrypted identity with EAP types that support different tunnelled
 #       identity, e.g., EAP-TTLS)
 # password: Password string for EAP
-# ca_cert: File path to CA certificate file. This file can have one or more
-#       trusted CA certificates. If ca_cert is not included, server certificate
-#       will not be verified. This is insecure and the CA file should always be
-#       configured.
+# ca_cert: File path to CA certificate file (PEM/DER). This file can have one
+#       or more trusted CA certificates. If ca_cert and ca_path are not
+#       included, server certificate will not be verified. This is insecure and
+#       a trusted CA certificate should always be configured when using
+#       EAP-TLS/TTLS/PEAP. Full path should be used since working directory may
+#       change when wpa_supplicant is run in the background.
+#       On Windows, trusted CA certificates can be loaded from the system
+#       certificate store by setting this to cert_store://<name>, e.g.,
+#       ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
+#       Note that when running wpa_supplicant as an application, the user
+#       certificate store (My user account) is used, whereas computer store
+#       (Computer account) is used when running wpasvc as a service.
+# ca_path: Directory path for CA certificate files (PEM). This path may
+#       contain multiple CA certificates in OpenSSL format. Common use for this
+#       is to point to system trusted CA list which is often installed into
+#       directory like /etc/ssl/certs. If configured, these certificates are
+#       added to the list of trusted CAs. ca_cert may also be included in that
+#       case, but it is not required.
 # client_cert: File path to client certificate file (PEM/DER)
+#       Full path should be used since working directory may change when
+#       wpa_supplicant is run in the background.
+#       Alternatively, a named configuration blob can be used by setting this
+#       to blob://<blob name>.
 # private_key: File path to client private key file (PEM/DER/PFX)
 #       When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
 #       commented out. Both the private key and certificate will be read from
-#       the PKCS#12 file in this case.
-# private_key_passwd: Password for private key file
+#       the PKCS#12 file in this case. Full path should be used since working
+#       directory may change when wpa_supplicant is run in the background.
+#       Windows certificate store can be used by leaving client_cert out and
+#       configuring private_key in one of the following formats:
+#       cert://substring_to_match
+#       hash://certificate_thumbprint_in_hex
+#       for example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
+#       Note that when running wpa_supplicant as an application, the user
+#       certificate store (My user account) is used, whereas computer store
+#       (Computer account) is used when running wpasvc as a service.
+#       Alternatively, a named configuration blob can be used by setting this
+#       to blob://<blob name>.
+# private_key_passwd: Password for private key file (if left out, this will be
+#       asked through control interface)
 # dh_file: File path to DH/DSA parameters file (in PEM format)
 #       This is an optional configuration file for setting parameters for an
 #       ephemeral DH key exchange. In most cases, the default RSA
@@ -205,6 +336,14 @@ fast_reauth=1
 #       sertificate is only accepted if it contains this string in the subject.
 #       The subject string is in following format:
 #       /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com
+# altsubject_match: Semicolon separated string of entries to be matched against
+#       the alternative subject name of the authentication server certificate.
+#       If this string is set, the server sertificate is only accepted if it
+#       contains one of the entries in an alternative subject name extension.
+#       altSubjectName string is in following format: TYPE:VALUE
+#       Example: EMAIL:server@example.com
+#       Example: DNS:server.example.com;DNS:server2.example.com
+#       Following types are supported: EMAIL, DNS, URI
 # phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters
 #       (string with field-value pairs, e.g., "peapver=0" or
 #       "peapver=1 peaplabel=1")
@@ -219,6 +358,9 @@ fast_reauth=1
 #       tunneled EAP-Success. This is required with some RADIUS servers that
 #       implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
 #       Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode)
+#       include_tls_length=1 can be used to force wpa_supplicant to include
+#       TLS Message Length field in all TLS messages even if they are not
+#       fragmented.
 #       sim_min_num_chal=3 can be used to configure EAP-SIM to require three
 #       challenges (by default, it accepts 2 or 3)
 # phase2: Phase2 (inner authentication with TLS tunnel) parameters
@@ -227,25 +369,49 @@ fast_reauth=1
 # Following certificate/private key fields are used in inner Phase2
 # authentication when using EAP-TTLS or EAP-PEAP.
 # ca_cert2: File path to CA certificate file. This file can have one or more
-#       trusted CA certificates. If ca_cert2 is not included, server
-#       certificate will not be verified. This is insecure and the CA file
-#       should always be configured.
+#       trusted CA certificates. If ca_cert2 and ca_path2 are not included,
+#       server certificate will not be verified. This is insecure and a trusted
+#       CA certificate should always be configured.
+# ca_path2: Directory path for CA certificate files (PEM)
 # client_cert2: File path to client certificate file
 # private_key2: File path to client private key file
 # private_key2_passwd: Password for private key file
 # dh_file2: File path to DH/DSA parameters file (in PEM format)
 # subject_match2: Substring to be matched against the subject of the
 #       authentication server certificate.
+# altsubject_match2: Substring to be matched against the alternative subject
+#       name of the authentication server certificate.
+#
+# fragment_size: Maximum EAP fragment size in bytes (default 1398).
+#       This value limits the fragment size for EAP methods that support
+#       fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
+#       small enough to make the EAP messages fit in MTU of the network
+#       interface used for EAPOL. The default value is suitable for most
+#       cases.
 #
 # EAP-PSK variables:
 # eappsk: 16-byte (128-bit, 32 hex digits) pre-shared key in hex format
 # nai: user NAI
-# server_nai: authentication server NAI
+#
+# EAP-PAX variables:
+# eappsk: 16-byte (128-bit, 32 hex digits) pre-shared key in hex format
+#
+# EAP-SAKE variables:
+# eappsk: 32-byte (256-bit, 64 hex digits) pre-shared key in hex format
+#       (this is concatenation of Root-Secret-A and Root-Secret-B)
+# nai: user NAI (PEERID)
+#
+# EAP-GPSK variables:
+# eappsk: Pre-shared key in hex format (at least 128 bits, i.e., 32 hex digits)
+# nai: user NAI (ID_Client)
 #
 # EAP-FAST variables:
 # pac_file: File path for the PAC entries. wpa_supplicant will need to be able
 #       to create this file and write updates to it when PAC is being
-#       provisioned or refreshed.
+#       provisioned or refreshed. Full path to the file should be used since
+#       working directory may change when wpa_supplicant is run in the
+#       background. Alternatively, a named configuration blob can be used by
+#       setting this to blob://<blob name>
 # phase1: fast_provisioning=1 option enables in-line provisioning of EAP-FAST
 #       credentials (PAC)
 #
@@ -379,28 +545,6 @@ network={
 }
 
 
-# EAP-SIM with a GSM SIM or USIM
-network={
-        ssid="eap-sim-test"
-        key_mgmt=WPA-EAP
-        eap=SIM
-        pin="1234"
-        pcsc=""
-}
-
-
-# EAP-PSK
-network={
-        ssid="eap-psk-test"
-        key_mgmt=WPA-EAP
-        eap=PSK
-        identity="eap_psk_user"
-        eappsk=06b4be19da289f475aa46a33cb793029
-        nai="eap_psk_user@example.com"
-        server_nai="as@example.com"
-}
-
-
 # IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using
 # EAP-TLS for authentication and key generation; require both unicast and
 # broadcast WEP keys.
@@ -426,18 +570,6 @@ network={
         password="foobar"
 }
 
-# EAP-FAST with WPA (WPA or WPA2)
-network={
-        ssid="eap-fast-test"
-        key_mgmt=WPA-EAP
-        eap=FAST
-        anonymous_identity="FAST-000102030405"
-        identity="username"
-        password="password"
-        phase1="fast_provisioning=1"
-        pac_file="/etc/wpa_supplicant.eap-fast-pac"
-}
-
 # Plaintext connection (no WPA, no IEEE 802.1X)
 network={
         ssid="plaintext-test"
@@ -500,3 +632,59 @@ network={
         private_key_passwd="password"
         phase1="peaplabel=0"
 }
+
+# Example of EAP-TLS with smartcard (openssl engine)
+network={
+        ssid="example"
+        key_mgmt=WPA-EAP
+        eap=TLS
+        proto=RSN
+        pairwise=CCMP TKIP
+        group=CCMP TKIP
+        identity="user@example.com"
+        ca_cert="/etc/cert/ca.pem"
+        client_cert="/etc/cert/user.pem"
+
+        engine=1
+
+        # The engine configured here must be available. Look at
+        # OpenSSL engine support in the global section.
+        # The key available through the engine must be the private key
+        # matching the client certificate configured above.
+
+        # use the opensc engine
+        #engine_id="opensc"
+        #key_id="45"
+
+        # use the pkcs11 engine
+        engine_id="pkcs11"
+        key_id="id_45"
+
+        # Optional PIN configuration; this can be left out and PIN will be
+        # asked through the control interface
+        pin="1234"
+}
+
+# Example configuration showing how to use an inlined blob as a CA certificate
+# data instead of using external file
+network={
+        ssid="example"
+        key_mgmt=WPA-EAP
+        eap=TTLS
+        identity="user@example.com"
+        anonymous_identity="anonymous@example.com"
+        password="foobar"
+        ca_cert="blob://exampleblob"
+        priority=20
+}
+
+blob-base64-exampleblob={
+SGVsbG8gV29ybGQhCg==
+}
+
+
+# Wildcard match for SSID (plaintext APs only). This example select any
+# open AP regardless of its SSID.
+network={
+        key_mgmt=NONE
+}