WPS patch from Ted Merrill, 20071203
Mon Dec 3 20:48:13 PST 2007
I've sent hostap-wps-20071203.patch by separate email to you since it would
otherwise not survive the hostap mail list filter due to size.
This patch includes all of my pending changes for WPS.
It is not well tested but i wanted to get this to you so we can discuss.
[CONFIG_]EAP_WSC is yours, and [CONFIG_]EAP_WPS is mine.
I removed the use of WLAN_STA_WPS... flags entirely along with use of "sta"
that you found objectionable in the hostap code (this was from the Intel
modifications to hostapd). I'm not 100% this is the right thing to do but i
was unable to determine what useful function these flags actually provided.
I added WPS_SCAN and WPS commands to ctrl_iface.c for wpa_supplicant.
WPS_SCAN differs from the old SCAN command in two respects: it sets
appropriate information elements in probe requests (if possible) and it does
not return old stale scan results but instead asyncronously sends new scan
The WPS command does the core WPS algorithm (passing M1 .. M8 messages).
There is a new value for "proto" : "WPS" which bypasses some checks that
would not allow wpa_supplicant to try to associate in open mode with e.g. a
The "WPS" command disables any existing "network" definitions and essentially
defines and activates one like:
The WPS-capable AP will accept an open connection (for WPS purposes only) even
though it does not advertise this in information elements other than the WPS
information element; proto=WPS attempts to make wpa_supplicant happy with
this (see kernel driver issue below).
There are two programs for wps:
wps_enrollee is intended for automated or at least non-interactive
operation... it will do scanning if you don't give it an ssid, but will is
not as flexible or friendly as wps_wizard.
wps_wizard is an interactive program that could serve as the inspiration for a
These programs use wpa_ctrl to use the WPS_SCAN and WPS commands.
There are some issues that you have noted that i have not addressed yet,
-- Uses l2_packet
-- Doesn't use hmac_sha256_vector yet
-- I haven't looked into using openssl yet, works only with internal crypto
By separate email i'm giving feedback to your latest email.
Finally, there are some serious Linux kernel driver issues to deal with:
WPS_SCAN only works if the kernel driver reports WPS information elements to
user space. Unfortunately, the latest driver from madwifi doesn't do that.
I used a patch from https://www.saice-wpsnfc.bz which patches a somewhat out
of date version of the madwifi driver, which in turn does not work with the
latest linux (it worked for me with Linux 2.6.15 which i happened to have
Unfortunately, the madwifi driver has been written only to report certain
known i.e.s to user space (the above mentioned patch adds WPS to the list)...
it really should be redesigned to report ALL information elements.
In browsing the madwifi pages i did not get any idea that any sort of fix for
this problem is in the works... and of course this is not the only kernel
driver to worry about...
There is also a problem with associating with the AP for which i've found only
a poor workaround.
Typically, a WPS capable or ready AP will advertise e.g. WPA2 capability in
the probe responses but will actually associate in open mode (as required)
with a firewall of sorts so that open mode associations can be used only for
For some reason, the ioctls that driver_wext uses do not reliably result in
getting an open connection ... sometimes it works and usually it doesn't.
My work around with my Intel Pro 2200BG is (while the WPS job in
wpa_supplicant is waiting to get associated) to issue the following command:
iwconfig eth1 key open
This typically results in immediate association.
Unfortunately, the same command fails when using madwifi driver with my
Atheros wifi card (ath0 of course)... i can do "iwconfig ath0 key off" but
that is not the same thing.
(I have access to the drivers that Atheros uses internally but have not yet
released, and i can see if the problem occurs with them).
I'm able to use my ath0 (with LInux 2.6.15 with patched madwifi driver) to
demonstrate that scanning works using wps_wizard, and i'm able to use eth1 to
demonstrate that the core WPS algorithm works using wps_enrollee:
wps_enrollee ssid=some_ssid ifname=eth1
More information about the Hostap