.gitignore

@@ -1,24 +1 @@
-madwifi-headers.tar.bz2
-wpa_supplicant-0.4.7.tar.gz
-wpa_supplicant-0.5.1.tar.gz
-wpa_supplicant-0.4.8.tar.gz
-madwifi-headers-r1475.tar.bz2
-wpa_supplicant-0.4.9.tar.gz
-wpa_supplicant-0.5.7.tar.gz
-wpa_supplicant-0.6.3.tar.gz
-wpa_supplicant-0.6.4.tar.gz
-wpa_supplicant-0.6.7.tar.gz
-wpa_supplicant-0.6.8.tar.gz
-/wpa_supplicant-0.7.3.tar.gz
-/wpa_supplicant-1.0-rc1.tar.gz
-/wpa_supplicant-1.0-rc2.tar.gz
-/wpa_supplicant-1.1.tar.gz
-/wpa_supplicant-2.0.tar.gz
-/wpa_supplicant-2.3.tar.gz
-/wpa_supplicant-2.4.tar.gz
-/wpa_supplicant-2.5.tar.gz
-/wpa_supplicant-2.6.tar.gz
-/wpa_supplicant-2.7.tar.gz
-/wpa_supplicant-2.9.tar.gz
-/wpa_supplicant-2.9.20211112.gitc8b94bc7b347.tar.gz
-/wpa_supplicant-2.10.tar.gz
+SOURCES/wpa_supplicant-2.10.tar.gz

.wpa_supplicant.metadata

@@ -0,0 +1 @@
+e295b07d599da4b99c3836d4402ec5746f77e8e8 SOURCES/wpa_supplicant-2.10.tar.gz

SPECS/wpa_supplicant.spec

@@ -7,7 +7,7 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant
 Name: wpa_supplicant
 Epoch: 1
 Version: 2.10
-Release: 2%{?dist}
+Release: 1%{?dist}
 License: BSD
 Group: System Environment/Base
 Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz
@@ -31,9 +31,6 @@ Patch3: wpa_supplicant-quiet-scan-results-message.patch
 Patch5: rh1542234-remove-wpa_gui.patch
 Patch6: wpa_supplicant-gui-qt4.patch
 
-# fix PEAP client to require successful Phase2 authentication when needed (CVE-2023-52160)
-Patch7: wpa_supplicant-PEAP-client-Update-Phase-2-authentication-requiremen.patch
-
 URL: http://w1.fi/wpa_supplicant/
 
 %if %{build_gui}
@@ -176,9 +173,6 @@ chmod -R 0644 %{name}/examples/*.py
 %endif
 
 %changelog
-* Tue Feb 20 2024 Davide Caratti <dcaratti@redhat.com> - 1:2.10-2
-- Backport fix for PEAP client (CVE-2023-52160)
-
 * Thu Jan  20 2022 Davide Caratti <dcaratti@redhat.com> - 1:2.10-1
 - Update to version 2.10 (rh #2042104)
 

gating.yaml

@@ -1,6 +0,0 @@
---- !Policy
-product_versions:
-  - rhel-8
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

sources

@@ -1 +0,0 @@
-SHA512 (wpa_supplicant-2.10.tar.gz) = 021c2a48f45d39c1dc6557730be5debaee071bc0ff82a271638beee6e32314e353e49d39e2f0dc8dff6e094dcc7008cfe1c32d0c7a34a1a345a12a3f1c1e11a1

tests/tests.yml

@@ -1,15 +0,0 @@
----
-- hosts: localhost
-  tags:
-  - classic
-  roles:
-  - role: standard-test-beakerlib
-    tests:
-    - wpa_supplicant_standalone
-    required_packages:
-    - kernel-modules-extra
-    - kernel-modules-internal
-    - wpa_supplicant
-    - iproute
-    - iw
-    - util-linux

tests/wpa_supplicant_standalone/Makefile

@@ -1,63 +0,0 @@
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Makefile of /CoreOS/wpa_supplicant/Sanity/wpa_supplicant_standalone
-#   Description: sanity test for wpa_supplicant
-#   Author: Davide Caratti <dcaratti@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2019 Red Hat, Inc.
-#
-#   This program is free software: you can redistribute it and/or
-#   modify it under the terms of the GNU General Public License as
-#   published by the Free Software Foundation, either version 2 of
-#   the License, or (at your option) any later version.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE.  See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public License
-#   along with this program. If not, see http://www.gnu.org/licenses/.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-export TEST=/CoreOS/wpa_supplicant/Sanity/wpa_supplicant_standalone
-export TESTVERSION=1.0
-
-BUILT_FILES=
-
-FILES=$(METADATA) runtest.sh Makefile PURPOSE
-
-.PHONY: all install download clean
-
-run: $(FILES) build
-	./runtest.sh
-
-build: $(BUILT_FILES)
-	test -x runtest.sh || chmod a+x runtest.sh
-
-clean:
-	rm -f *~ $(BUILT_FILES)
-
-
-include /usr/share/rhts/lib/rhts-make.include
-
-$(METADATA): Makefile
-	@echo "Owner:           Davide Caratti <dcaratti@redhat.com>" > $(METADATA)
-	@echo "Name:            $(TEST)" >> $(METADATA)
-	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
-	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
-	@echo "Description:     sanity test for wpa_supplicant" >> $(METADATA)
-	@echo "Type:            Sanity" >> $(METADATA)
-	@echo "TestTime:        10m" >> $(METADATA)
-	@echo "RunFor:          wpa_supplicant" >> $(METADATA)
-	@echo "Requires:        util-linux iproute iw wpa_supplicant" >> $(METADATA)
-	@echo "Priority:        Normal" >> $(METADATA)
-	@echo "License:         GPLv2+" >> $(METADATA)
-	@echo "Confidential:    no" >> $(METADATA)
-	@echo "Destructive:     no" >> $(METADATA)
-	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
-
-	rhts-lint $(METADATA)

tests/wpa_supplicant_standalone/PURPOSE

@@ -1,3 +0,0 @@
-PURPOSE of /CoreOS/wpa_supplicant/Sanity/wpa_supplicant_standalone
-Description: sanity test for wpa_supplicant
-Author: Davide Caratti <dcaratti@redhat.com>

tests/wpa_supplicant_standalone/runtest.sh

@@ -1,221 +0,0 @@
-#!/bin/bash
-# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   runtest.sh of /CoreOS/wpa_supplicant/Sanity/wpa_supplicant_standalone
-#   Description: sanity test for wpa_supplicant
-#   Author: Davide Caratti <dcaratti@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2019 Red Hat, Inc.
-#
-#   This program is free software: you can redistribute it and/or
-#   modify it under the terms of the GNU General Public License as
-#   published by the Free Software Foundation, either version 2 of
-#   the License, or (at your option) any later version.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE.  See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public License
-#   along with this program. If not, see http://www.gnu.org/licenses/.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-# Include Beaker environment
-. /usr/bin/rhts-environment.sh || exit 1
-. /usr/share/beakerlib/beakerlib.sh || exit 1
-
-PACKAGE="wpa_supplicant"
-
-MACSTA="00:00:0a:bb:e1:1a"
-IFACEAP="wlan0"
-IFACESTA="wlan1"
-
-open_ap() {
-	local SSID=${1:-notreallyassid}
-
-	cat >openap.conf <<-EOF
-	network={
-		frequency=2412
-		ssid="$SSID"
-		mode=2
-		key_mgmt=NONE
-	}
-	EOF
-	wpa_supplicant -ddd -Dnl80211 -i$IFACEAP -copenap.conf -B -fopenap.log -Pw1ap.pid
-}
-
-open_sta() {
-	local SSID=${1:-notreallyassid}
-
-	cat >opensta.conf <<-EOF
-	network={
-		ssid="$SSID"
-		key_mgmt=NONE
-	}
-	EOF
-	wpa_supplicant -ddd -Dnl80211 -i$IFACESTA -copensta.conf -B -fopensta.log -Pw1sta.pid
-}
-
-wpa2psk_ap() {
-	local SSID=${1:-notreallyassid}
-
-	cat >wpapskap.conf <<-EOF
-	network={
-		frequency=2437
-		ssid="$SSID"
-		mode=2
-		key_mgmt=WPA-PSK
-		pairwise=CCMP
-		group=CCMP
-		psk="hunter2?"
-	}
-	EOF
-	wpa_supplicant -ddd -Dnl80211 -i$IFACEAP -cwpapskap.conf -B -fwpapskap.log -Pw2ap.pid
-}
-
-wpa2psk_sta() {
-	local SSID=${1:-notreallyassid}
-
-	cat >wpapsksta.conf <<-EOF
-	network={
-		frequency=2437
-		ssid="$SSID"
-		proto=WPA
-		key_mgmt=WPA-PSK
-		pairwise=CCMP
-		group=CCMP
-		psk="hunter2?"
-	}
-	EOF
-	wpa_supplicant -ddd -Dnl80211 -i$IFACESTA -cwpapsksta.conf -B -fwpapsksta.log -Pw2sta.pid
-}
-
-kill_supplicants() {
-	local a=`cat w*.pid`
-	local iter=0
-
-	while [ ${#a} -gt 0 -a $iter -lt 10 ]; do
-		for a in $a; do
-			kill $a 1>/dev/null 2>&1
-			sleep 1
-		done
-		a=`cat w*.pid`
-		iter=$((iter+1))
-	done
-
-	ip link set dev $IFACEAP down
-	ip link set dev $IFACESTA down
-
-	if [ $iter -ge 10 -a ${#a} -gt 0 ]; then
-		return 1
-	else
-		return 0
-	fi
-}
-
-check_for_associated_sta()
-{
-
-	local assoc_found=0 assoc_missed=0
-
-	ip link set dev $IFACEAP up
-	while sleep 2; do
-		if iw dev $IFACEAP station dump | grep -i $MACSTA ; then
-			assoc_found=$((assoc_found+1))
-			rlLog "found $MACSTA in $IFACEAP associations ($assoc_found)"
-		else
-			if [ $assoc_found -gt 0 ]; then
-				rlLog "association disappeared after $assoc_found cycles"
-				return 1
-			fi
-			rlLog "didn't find association ($assoc_missed)"
-			assoc_missed=$((assoc_missed+1))
-		fi
-		if [ $assoc_missed -gt 5 ]; then
-			rlLog "timeout waiting for $MACSTA in $IFACEAP station dump"
-			return 1
-		fi
-		if [ $assoc_found -gt 5 ]; then
-			return 0
-		fi
-	done
-	rlLog "sleep failed!"
-	return 1
-}
-
-check_for_running_aps()
-{
-	local probe_ok=0 probe_missed=0
-
-	ip link set dev $IFACESTA up
-	while sleep 1; do
-		if iw dev $IFACESTA scan | grep "${1:-notreallyassid}"; then
-			probe_ok=$((probe_ok+1))
-			rlLog "$probe_ok probe received"
-		else
-			if [ $probe_ok -gt 0 ]; then
-				rlLog "probe failure after $probe_ok attempts"
-				return 1
-			fi
-			rlLog "missed probe response"
-			probe_missed=$((probe_missed+1))
-		fi
-		if [ $probe_missed -gt 5 ]; then
-			rlLog "timeout waiting for beacons"
-			return 1
-		fi
-		if [ $probe_ok -gt 5 ]; then
-			return 0
-		fi
-	done
-	rlLog "sleep failed!"
-	return 1
-}
-
-rlJournalStart
-	rlPhaseStartSetup
-		rlAssertRpm $PACKAGE
-		# avoid randomizing MAC for wlan0 and wlan1
-		rlRun "systemctl stop NetworkManager"
-		# allow scans
-		rlRun "systemctl stop wpa_supplicant"
-		# install required modules
-		rlRun "modprobe rfkill"
-		rlRun "modprobe mac80211_hwsim radio=2"
-		rlRun "rfkill unblock wifi"
-		rlRun "ip link set dev $IFACESTA address $MACSTA"
-		rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
-		rlRun "pushd $TmpDir"
-	rlPhaseEnd
-
-	rlPhaseStartTest
-		# cleartext wifi
-		rlRun "kill_supplicants"
-		rlRun "open_ap test_OPEN"
-		rlRun "check_for_running_aps test_OPEN"
-		rlRun "open_sta test_OPEN"
-		rlRun "check_for_associated_sta test_OPEN"
-
-		# WPA2 personal
-		rlRun "kill_supplicants"
-		rlRun "wpa2psk_ap test_WPAPSK"
-		rlRun "check_for_running_aps test_WPAPSK"
-		rlRun "wpa2psk_sta test_WPAPSK"
-		rlRun "check_for_associated_sta test_WPAPSK"
-	rlPhaseEnd
-
-	rlPhaseStartCleanup
-		rlRun kill_supplicants
-		rlRun "popd"
-		rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
-		rlRun "modprobe -r mac80211_hwsim"
-		rlRun "systemctl restart wpa_supplicant"
-		rlRun "systemctl restart NetworkManager"
-		rlPhaseEnd
-	rlJournalPrintText
-rlJournalEnd

wpa_supplicant-PEAP-client-Update-Phase-2-authentication-requiremen.patch

@@ -1,198 +0,0 @@
-From 8e6485a1bcb0baffdea9e55255a81270b768439c Mon Sep 17 00:00:00 2001
-Message-ID: <8e6485a1bcb0baffdea9e55255a81270b768439c.1708356763.git.davide.caratti@gmail.com>
-From: Jouni Malinen <j@w1.fi>
-Date: Sat, 8 Jul 2023 19:55:32 +0300
-Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements
-
-The previous PEAP client behavior allowed the server to skip Phase 2
-authentication with the expectation that the server was authenticated
-during Phase 1 through TLS server certificate validation. Various PEAP
-specifications are not exactly clear on what the behavior on this front
-is supposed to be and as such, this ended up being more flexible than
-the TTLS/FAST/TEAP cases. However, this is not really ideal when
-unfortunately common misconfiguration of PEAP is used in deployed
-devices where the server trust root (ca_cert) is not configured or the
-user has an easy option for allowing this validation step to be skipped.
-
-Change the default PEAP client behavior to be to require Phase 2
-authentication to be successfully completed for cases where TLS session
-resumption is not used and the client certificate has not been
-configured. Those two exceptions are the main cases where a deployed
-authentication server might skip Phase 2 and as such, where a more
-strict default behavior could result in undesired interoperability
-issues. Requiring Phase 2 authentication will end up disabling TLS
-session resumption automatically to avoid interoperability issues.
-
-Allow Phase 2 authentication behavior to be configured with a new phase1
-configuration parameter option:
-'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
-tunnel) behavior for PEAP:
- * 0 = do not require Phase 2 authentication
- * 1 = require Phase 2 authentication when client certificate
-   (private_key/client_cert) is no used and TLS session resumption was
-   not used (default)
- * 2 = require Phase 2 authentication in all cases
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/eap_peer/eap_config.h          |  8 ++++++
- src/eap_peer/eap_peap.c            | 40 +++++++++++++++++++++++++++---
- src/eap_peer/eap_tls_common.c      |  6 +++++
- src/eap_peer/eap_tls_common.h      |  5 ++++
- wpa_supplicant/wpa_supplicant.conf |  7 ++++++
- 5 files changed, 63 insertions(+), 3 deletions(-)
-
---- a/src/eap_peer/eap_config.h
-+++ b/src/eap_peer/eap_config.h
-@@ -469,6 +469,14 @@ struct eap_peer_config {
- 	 * 1 = use cryptobinding if server supports it
- 	 * 2 = require cryptobinding
- 	 *
-+	 * phase2_auth option can be used to control Phase 2 (i.e., within TLS
-+	 * tunnel) behavior for PEAP:
-+	 * 0 = do not require Phase 2 authentication
-+	 * 1 = require Phase 2 authentication when client certificate
-+	 *  (private_key/client_cert) is no used and TLS session resumption was
-+	 *  not used (default)
-+	 * 2 = require Phase 2 authentication in all cases
-+	 *
- 	 * EAP-WSC (WPS) uses following options: pin=Device_Password and
- 	 * uuid=Device_UUID
- 	 *
---- a/src/eap_peer/eap_peap.c
-+++ b/src/eap_peer/eap_peap.c
-@@ -67,6 +67,7 @@ struct eap_peap_data {
- 	u8 cmk[20];
- 	int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
- 		  * is enabled. */
-+	enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
- };
- 
- 
-@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct
- 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
- 	}
- 
-+	if (os_strstr(phase1, "phase2_auth=0")) {
-+		data->phase2_auth = NO_AUTH;
-+		wpa_printf(MSG_DEBUG,
-+			   "EAP-PEAP: Do not require Phase 2 authentication");
-+	} else if (os_strstr(phase1, "phase2_auth=1")) {
-+		data->phase2_auth = FOR_INITIAL;
-+		wpa_printf(MSG_DEBUG,
-+			   "EAP-PEAP: Require Phase 2 authentication for initial connection");
-+	} else if (os_strstr(phase1, "phase2_auth=2")) {
-+		data->phase2_auth = ALWAYS;
-+		wpa_printf(MSG_DEBUG,
-+			   "EAP-PEAP: Require Phase 2 authentication for all cases");
-+	}
- #ifdef EAP_TNC
- 	if (os_strstr(phase1, "tnc=soh2")) {
- 		data->soh = 2;
-@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_s
- 	data->force_peap_version = -1;
- 	data->peap_outer_success = 2;
- 	data->crypto_binding = OPTIONAL_BINDING;
-+	data->phase2_auth = FOR_INITIAL;
- 
- 	if (config && config->phase1)
- 		eap_peap_parse_phase1(data, config->phase1);
-@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobindin
- }
- 
- 
-+static bool peap_phase2_sufficient(struct eap_sm *sm,
-+				   struct eap_peap_data *data)
-+{
-+	if ((data->phase2_auth == ALWAYS ||
-+	     (data->phase2_auth == FOR_INITIAL &&
-+	      !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) &&
-+	      !data->ssl.client_cert_conf) ||
-+	     data->phase2_eap_started) &&
-+	    !data->phase2_eap_success)
-+		return false;
-+	return true;
-+}
-+
-+
- /**
-  * eap_tlv_process - Process a received EAP-TLV message and generate a response
-  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
-@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm
- 					   " - force failed Phase 2");
- 				resp_status = EAP_TLV_RESULT_FAILURE;
- 				ret->decision = DECISION_FAIL;
-+			} else if (!peap_phase2_sufficient(sm, data)) {
-+				wpa_printf(MSG_INFO,
-+					   "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");
-+				resp_status = EAP_TLV_RESULT_FAILURE;
-+				ret->decision = DECISION_FAIL;
- 			} else {
- 				resp_status = EAP_TLV_RESULT_SUCCESS;
- 				ret->decision = DECISION_UNCOND_SUCC;
-@@ -887,8 +921,7 @@ continue_req:
- 			/* EAP-Success within TLS tunnel is used to indicate
- 			 * shutdown of the TLS channel. The authentication has
- 			 * been completed. */
--			if (data->phase2_eap_started &&
--			    !data->phase2_eap_success) {
-+			if (!peap_phase2_sufficient(sm, data)) {
- 				wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
- 					   "Success used to indicate success, "
- 					   "but Phase 2 EAP was not yet "
-@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(
- static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)
- {
- 	struct eap_peap_data *data = priv;
-+
- 	return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
--		data->phase2_success;
-+		data->phase2_success && data->phase2_auth != ALWAYS;
- }
- 
- 
---- a/src/eap_peer/eap_tls_common.c
-+++ b/src/eap_peer/eap_tls_common.c
-@@ -239,6 +239,12 @@ static int eap_tls_params_from_conf(stru
- 
- 	sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
- 
-+	if (!phase2)
-+		data->client_cert_conf = params->client_cert ||
-+			params->client_cert_blob ||
-+			params->private_key ||
-+			params->private_key_blob;
-+
- 	return 0;
- }
- 
---- a/src/eap_peer/eap_tls_common.h
-+++ b/src/eap_peer/eap_tls_common.h
-@@ -79,6 +79,11 @@ struct eap_ssl_data {
- 	 * tls_v13 - Whether TLS v1.3 or newer is used
- 	 */
- 	int tls_v13;
-+
-+	/**
-+	 * client_cert_conf: Whether client certificate has been configured
-+	 */
-+	bool client_cert_conf;
- };
- 
- 
---- a/wpa_supplicant/wpa_supplicant.conf
-+++ b/wpa_supplicant/wpa_supplicant.conf
-@@ -1330,6 +1330,13 @@ fast_reauth=1
- #	 * 0 = do not use cryptobinding (default)
- #	 * 1 = use cryptobinding if server supports it
- #	 * 2 = require cryptobinding
-+#	'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
-+#	tunnel) behavior for PEAP:
-+#	 * 0 = do not require Phase 2 authentication
-+#	 * 1 = require Phase 2 authentication when client certificate
-+#	   (private_key/client_cert) is no used and TLS session resumption was
-+#	   not used (default)
-+#	 * 2 = require Phase 2 authentication in all cases
- #	EAP-WSC (WPS) uses following options: pin=<Device Password> or
- #	pbc=1.
- #