1
wpa_supplicant for Windows
2
==========================
4
Copyright (c) 2003-2006, Jouni Malinen <j@w1.fi> and
8
This program is dual-licensed under both the GPL version 2 and BSD
9
license. Either license may be used at your option.
11
This product includes software developed by the OpenSSL Project
12
for use in the OpenSSL Toolkit (http://www.openssl.org/)
15
wpa_supplicant has support for being used as a WPA/WPA2/IEEE 802.1X
16
Supplicant on Windows. The current port requires that WinPcap
17
(http://winpcap.polito.it/) is installed for accessing packets and the
18
driver interface. Both release versions 3.0 and 3.1 are supported.
20
The current port is still somewhat experimental. It has been tested
21
mainly on Windows XP (SP2) with limited set of NDIS drivers. In
22
addition, the current version has been reported to work with Windows
25
All security modes have been verified to work (at least complete
26
authentication and successfully ping a wired host):
28
- static WEP / open system authentication
29
- static WEP / shared key authentication
30
- IEEE 802.1X with dynamic WEP keys
31
- WPA-PSK, TKIP, CCMP, TKIP+CCMP
32
- WPA-EAP, TKIP, CCMP, TKIP+CCMP
33
- WPA2-PSK, TKIP, CCMP, TKIP+CCMP
34
- WPA2-EAP, TKIP, CCMP, TKIP+CCMP
40
Compiled binary version of the wpa_supplicant and additional tools is
41
available from http://hostap.epitest.fi/wpa_supplicant/. These
42
binaries can be used after installing WinPcap.
45
Building wpa_supplicant with mingw
46
----------------------------------
48
The default build setup for wpa_supplicant is to use MinGW and
49
cross-compiling from Linux to MinGW/Windows. It should also be
50
possible to build this under Windows using the MinGW tools, but that
51
is not tested nor supported and is likely to require some changes to
52
the Makefile unless cygwin is used.
55
Building wpa_supplicant with MSVC
56
---------------------------------
58
wpa_supplicant can be built with Microsoft Visual C++ compiler. This
59
has been tested with Microsoft Visual C++ Toolkit 2003 and Visual
60
Studio 2005 using the included nmake.mak as a Makefile for nmake. IDE
61
can also be used by creating a project that includes the files and
62
defines mentioned in nmake.mak. Example VS2005 solution and project
63
files are included in vs2005 subdirectory. This can be used as a
64
starting point for building the programs with VS2005 IDE.
66
WinPcap development package is needed for the build and this can be
67
downloaded from http://www.winpcap.org/install/bin/WpdPack_3_1.zip. The
68
default nmake.mak expects this to be unpacked into C:\dev\WpdPack so
69
that Include and Lib directories are in this directory. The files can be
70
stored elsewhere as long as the WINPCAPDIR in nmake.mak is updated to
71
match with the selected directory. In case a project file in the IDE is
72
used, these Include and Lib directories need to be added to project
73
properties as additional include/library directories.
75
OpenSSL source package can be downloaded from
76
http://www.openssl.org/source/openssl-0.9.8b.tar.gz and built and
77
installed following instructions in INSTALL.W32. Note that if EAP-FAST
78
support will be included in the wpa_supplicant, OpenSSL needs to be
79
patched to# support it openssl-tls-extensions.patch. The example
80
nmake.mak file expects OpenSSL to be installed into C:\dev\openssl, but
81
this directory can be modified by changing OPENSSLDIR variable in
84
If you do not need EAP-FAST support, you may also be able to use Win32
85
binary installation package of OpenSSL from
86
http://www.slproweb.com/products/Win32OpenSSL.html instead of building
87
the library yourself. In this case, you will need to copy Include and
88
Lib directories in suitable directory, e.g., C:\dev\openssl for the
89
default nmake.mak. Copy {Win32OpenSSLRoot}\include into
90
C:\dev\openssl\include and make C:\dev\openssl\lib subdirectory with
91
files from {Win32OpenSSLRoot}\VC (i.e., libeay*.lib and ssleay*.lib).
92
This will end up using dynamically linked OpenSSL (i.e., .dll files are
93
needed) for it. Alternative, you can copy files from
94
{Win32OpenSSLRoot}\VC\static to create a static build (no OpenSSL .dll
98
Building wpa_supplicant for cygwin
99
----------------------------------
101
wpa_supplicant can be built for cygwin by installing the needed
102
development packages for cygwin. This includes things like compiler,
103
make, openssl development package, etc. In addition, developer's pack
104
for WinPcap (WPdpack.zip) from
105
http://winpcap.polito.it/install/default.htm is needed.
107
.config file should enable only one driver interface,
108
CONFIG_DRIVER_NDIS. In addition, include directories may need to be
109
added to match the system. An example configuration is available in
110
defconfig. The library and include files for WinPcap will either need
111
to be installed in compiler/linker default directories or their
112
location will need to be adding to .config when building
115
Othen than this, the build should be more or less identical to Linux
116
version, i.e., just run make after having created .config file. An
117
additional tool, win_if_list.exe, can be built by running "make
124
wpa_gui uses Qt application framework from Trolltech. It can be built
125
with the open source version of Qt4 and MinGW. Following commands can
126
be used to build the binary in the Qt 4 Command Prompt:
128
# go to the root directory of wpa_supplicant source code
130
qmake -o Makefile wpa_gui.pro
132
# the wpa_gui.exe binary is created into 'release' subdirectory
135
Using wpa_supplicant for Windows
136
--------------------------------
138
wpa_supplicant and wpa_cli behave more or less identically to Linux
139
version, so instructions in README and example wpa_supplicant.conf
140
should be applicable for most parts. In addition, there is another
141
version of wpa_supplicant, wpasvc.exe, which can be used as a Windows
142
service and which reads its configuration from registry instead of
145
When using access points in "hidden SSID" mode, ap_scan=2 mode need to
146
be used (see wpa_supplicant.conf for more information).
148
Windows NDIS/WinPcap uses quite long interface names, so some care
149
will be needed when starting wpa_supplicant. Alternatively, the
150
adapter description can be used as the interface name which may be
151
easier since it is usually in more human-readable
152
format. win_if_list.exe can be used to find out the proper interface
155
Example steps in starting up wpa_supplicant:
158
ifname: \Device\NPF_GenericNdisWanAdapter
159
description: Generic NdisWan adapter
161
ifname: \Device\NPF_{769E012B-FD17-4935-A5E3-8090C38E25D2}
162
description: Atheros Wireless Network Adapter (Microsoft's Packet Scheduler)
164
ifname: \Device\NPF_{732546E7-E26C-48E3-9871-7537B020A211}
165
description: Intel 8255x-based Integrated Fast Ethernet (Microsoft's Packet Scheduler)
168
Since the example configuration used Atheros WLAN card, the middle one
169
is the correct interface in this case. The interface name for -i
170
command line option is the full string following "ifname:" (the
171
"\Device\NPF_" prefix can be removed). In other words, wpa_supplicant
172
would be started with the following command:
174
# wpa_supplicant.exe -i'{769E012B-FD17-4935-A5E3-8090C38E25D2}' -c wpa_supplicant.conf -d
176
-d optional enables some more debugging (use -dd for even more, if
177
needed). It can be left out if debugging information is not needed.
179
With the alternative mechanism for selecting the interface, this
180
command has identical results in this case:
182
# wpa_supplicant.exe -iAtheros -c wpa_supplicant.conf -d
185
Simple configuration example for WPA-PSK:
194
psk="secret passphrase"
197
(remove '#' from the comment out ap_scan line to enable mode in which
198
wpa_supplicant tries to associate with the SSID without doing
199
scanning; this allows APs with hidden SSIDs to be used)
202
wpa_cli.exe and wpa_gui.exe can be used to interact with the
203
wpa_supplicant.exe program in the same way as with Linux. Note that
204
ctrl_interface is using UNIX domain sockets when built for cygwin, but
205
the native build for Windows uses named pipes and the contents of the
206
ctrl_interface configuration item is used to control access to the
207
interface. Anyway, this variable has to be included in the configuration
208
to enable the control interface.
211
Example SDDL string formats:
213
(local admins group has permission, but nobody else):
215
ctrl_interface=SDDL=D:(A;;GA;;;BA)
217
("A" == "access allowed", "GA" == GENERIC_ALL == all permissions, and
218
"BA" == "builtin administrators" == the local admins. The empty fields
219
are for flags and object GUIDs, none of which should be required in this
222
(local admins and the local "power users" group have permissions,
225
ctrl_interface=SDDL=D:(A;;GA;;;BA)(A;;GA;;;PU)
227
(One ACCESS_ALLOWED ACE for GENERIC_ALL for builtin administrators, and
228
one ACCESS_ALLOWED ACE for GENERIC_ALL for power users.)
230
(close to wide open, but you have to be a valid user on
233
ctrl_interface=SDDL=D:(A;;GA;;;AU)
235
(One ACCESS_ALLOWED ACE for GENERIC_ALL for the "authenticated users"
238
This one would allow absolutely everyone (including anonymous
239
users) -- this is *not* recommended, since named pipes can be attached
240
to from anywhere on the network (i.e. there's no "this machine only"
241
like there is with 127.0.0.1 sockets):
243
ctrl_interface=SDDL=D:(A;;GA;;;BU)(A;;GA;;;AN)
245
(BU == "builtin users", "AN" == "anonymous")
247
See also [1] for the format of ACEs, and [2] for the possible strings
248
that can be used for principal names.
251
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/ace_strings.asp
253
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/sid_strings.asp
256
Starting wpa_supplicant as a Windows service (wpasvc.exe)
257
---------------------------------------------------------
259
wpa_supplicant can be started as a Windows service by using wpasvc.exe
260
program that is alternative build of wpa_supplicant.exe. Most of the
261
core functionality of wpasvc.exe is identical to wpa_supplicant.exe,
262
but it is using Windows registry for configuration information instead
263
of a text file and command line parameters. In addition, it can be
264
registered as a service that can be started automatically or manually
265
like any other Windows service.
267
The root of wpa_supplicant configuration in registry is
268
HKEY_LOCAL_MACHINE\SOFTWARE\wpa_supplicant. This level includes global
269
parameters and a 'interfaces' subkey with all the interface configuration
270
(adapter to confname mapping). Each such mapping is a subkey that has
271
'adapter', 'config', and 'ctrl_interface' values.
273
This program can be run either as a normal command line application,
274
e.g., for debugging, with 'wpasvc.exe app' or as a Windows service.
275
Service need to be registered with 'wpasvc.exe reg <full path to
276
wpasvc.exe>'. Alternatively, 'wpasvc.exe reg' can be used to register
277
the service with the current location of wpasvc.exe. After this, wpasvc
278
can be started like any other Windows service (e.g., 'net start wpasvc')
279
or it can be configured to start automatically through the Services tool
280
in administrative tasks. The service can be unregistered with
283
If the service is set to start during system bootup to make the
284
network connection available before any user has logged in, there may
285
be a long (half a minute or so) delay in starting up wpa_supplicant
286
due to WinPcap needing a driver called "Network Monitor Driver" which
287
is started by default on demand.
289
To speed up wpa_supplicant start during system bootup, "Network
290
Monitor Driver" can be configured to be started sooner by setting its
291
startup type to System instead of the default Demand. To do this, open
292
up Device Manager, select Show Hidden Devices, expand the "Non
293
Plug-and-Play devices" branch, double click "Network Monitor Driver",
294
go to the Driver tab, and change the Demand setting to System instead.
296
Configuration data is in HKEY_LOCAL_MACHINE\SOFTWARE\wpa_supplicant\configs
297
key. Each configuration profile has its own key under this. In terms of text
298
files, each profile would map to a separate text file with possibly multiple
299
networks. Under each profile, there is a networks key that lists all
300
networks as a subkey. Each network has set of values in the same way as
301
network block in the configuration file. In addition, blobs subkey has
302
possible blobs as values.
304
HKEY_LOCAL_MACHINE\SOFTWARE\wpa_supplicant\configs\test\networks\0000
308
See win_example.reg for an example on how to setup wpasvc.exe
309
parameters in registry. It can also be imported to registry as a
310
starting point for the configuration.
314
License information for third party software used in this product:
319
/* ====================================================================
320
* Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved.
322
* Redistribution and use in source and binary forms, with or without
323
* modification, are permitted provided that the following conditions
326
* 1. Redistributions of source code must retain the above copyright
327
* notice, this list of conditions and the following disclaimer.
329
* 2. Redistributions in binary form must reproduce the above copyright
330
* notice, this list of conditions and the following disclaimer in
331
* the documentation and/or other materials provided with the
334
* 3. All advertising materials mentioning features or use of this
335
* software must display the following acknowledgment:
336
* "This product includes software developed by the OpenSSL Project
337
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
339
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
340
* endorse or promote products derived from this software without
341
* prior written permission. For written permission, please contact
342
* openssl-core@openssl.org.
344
* 5. Products derived from this software may not be called "OpenSSL"
345
* nor may "OpenSSL" appear in their names without prior written
346
* permission of the OpenSSL Project.
348
* 6. Redistributions of any form whatsoever must retain the following
350
* "This product includes software developed by the OpenSSL Project
351
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
353
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
354
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
355
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
356
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
357
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
358
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
359
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
360
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
361
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
362
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
363
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
364
* OF THE POSSIBILITY OF SUCH DAMAGE.
365
* ====================================================================
367
* This product includes cryptographic software written by Eric Young
368
* (eay@cryptsoft.com). This product includes software written by Tim
369
* Hudson (tjh@cryptsoft.com).
373
Original SSLeay License
374
-----------------------
376
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
377
* All rights reserved.
379
* This package is an SSL implementation written
380
* by Eric Young (eay@cryptsoft.com).
381
* The implementation was written so as to conform with Netscapes SSL.
383
* This library is free for commercial and non-commercial use as long as
384
* the following conditions are aheared to. The following conditions
385
* apply to all code found in this distribution, be it the RC4, RSA,
386
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
387
* included with this distribution is covered by the same copyright terms
388
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
390
* Copyright remains Eric Young's, and as such any Copyright notices in
391
* the code are not to be removed.
392
* If this package is used in a product, Eric Young should be given attribution
393
* as the author of the parts of the library used.
394
* This can be in the form of a textual message at program startup or
395
* in documentation (online or textual) provided with the package.
397
* Redistribution and use in source and binary forms, with or without
398
* modification, are permitted provided that the following conditions
400
* 1. Redistributions of source code must retain the copyright
401
* notice, this list of conditions and the following disclaimer.
402
* 2. Redistributions in binary form must reproduce the above copyright
403
* notice, this list of conditions and the following disclaimer in the
404
* documentation and/or other materials provided with the distribution.
405
* 3. All advertising materials mentioning features or use of this software
406
* must display the following acknowledgement:
407
* "This product includes cryptographic software written by
408
* Eric Young (eay@cryptsoft.com)"
409
* The word 'cryptographic' can be left out if the rouines from the library
410
* being used are not cryptographic related :-).
411
* 4. If you include any Windows specific code (or a derivative thereof) from
412
* the apps directory (application code) you must include an acknowledgement:
413
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
415
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
416
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
417
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
418
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
419
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
420
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
421
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
422
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
423
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
424
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
427
* The licence and distribution terms for any publically available version or
428
* derivative of this code cannot be changed. i.e. this code cannot simply be
429
* copied and put under another distribution licence
430
* [including the GNU Public Licence.]