298977887/lede
1
0
Fork 0
mirror of https://github.com/coolsnowwolf/lede.git synced 2025-04-16 04:13:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

hostapd: add WPA3 support

Browse Source
This commit is contained in:
coolsnowwolf 2018-10-17 21:54:59 +08:00
parent b20989af71
commit 67b9ae2d3a
22 changed files with 1312 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/target.mk
View File

@ -64,7 +64,7 @@ endif
DEFAULT_PACKAGES += $(DEFAULT_PACKAGES.$(DEVICE_TYPE)) DEFAULT_PACKAGES += $(DEFAULT_PACKAGES.$(DEVICE_TYPE))
filter_packages = $(filter-out -% $(patsubst -%,%,$(filter -%,$(1))),$(1)) filter_packages = $(filter-out -% $(patsubst -%,%,$(filter -%,$(1))),$(1))
extra_packages = $(if $(filter wpad-mini wpad nas,$(1)),iwinfo) extra_packages = $(if $(filter wpad-mini wpad-basic wpad nas,$(1)),iwinfo)
define ProfileDefault define ProfileDefault
NAME:= NAME:=

6
package/network/config/netifd/Makefile
View File

@ -5,9 +5,9 @@ PKG_RELEASE:=2
PKG_SOURCE_PROTO:=git PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL=$(PROJECT_GIT)/project/netifd.git PKG_SOURCE_URL=$(PROJECT_GIT)/project/netifd.git
PKG_SOURCE_DATE:=2018-09-18 PKG_SOURCE_DATE:=2018-10-02
PKG_SOURCE_VERSION:=23941d7ef3134de9c89c363896e45a0ea4fbe45b PKG_SOURCE_VERSION:=a117e414d8acd5dd27ba9ac30bc462ba4ae6587e
PKG_MIRROR_HASH:=16dd30215b833e2ff5efa0ab95dfabe80e3e239c3720de3e27db5f4ce22bcccf PKG_MIRROR_HASH:=55cd6055f3dc2c30ed2a482d0deedd3de7a30ef65e3356118e27cb57f517ea6a
PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name> PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
PKG_LICENSE:=GPL-2.0 PKG_LICENSE:=GPL-2.0

6
package/network/services/hostapd/Config.in
View File

@ -6,11 +6,13 @@ config WPA_SUPPLICANT_NO_TIMESTAMP_CHECK
PACKAGE_wpa-supplicant-wolfssl || \ PACKAGE_wpa-supplicant-wolfssl || \
PACKAGE_wpa-supplicant-mesh-openssl || \ PACKAGE_wpa-supplicant-mesh-openssl || \
PACKAGE_wpa-supplicant-mesh-wolfssl || \ PACKAGE_wpa-supplicant-mesh-wolfssl || \
PACKAGE_wpa-supplicant-basic || \
PACKAGE_wpa-supplicant-mini || \ PACKAGE_wpa-supplicant-mini || \
PACKAGE_wpa-supplicant-p2p || \ PACKAGE_wpa-supplicant-p2p || \
PACKAGE_wpad || \ PACKAGE_wpad || \
PACKAGE_wpad-openssl || \ PACKAGE_wpad-openssl || \
PACKAGE_wpad-wolfssl || \ PACKAGE_wpad-wolfssl || \
PACKAGE_wpad-basic || \
PACKAGE_wpad-mini || \ PACKAGE_wpad-mini || \
PACKAGE_wpad-mesh-openssl || \ PACKAGE_wpad-mesh-openssl || \
PACKAGE_wpad-mesh-wolfssl PACKAGE_wpad-mesh-wolfssl
@ -26,11 +28,13 @@ config WPA_RFKILL_SUPPORT
PACKAGE_wpa-supplicant-wolfssl || \ PACKAGE_wpa-supplicant-wolfssl || \
PACKAGE_wpa-supplicant-mesh-openssl || \ PACKAGE_wpa-supplicant-mesh-openssl || \
PACKAGE_wpa-supplicant-mesh-wolfssl || \ PACKAGE_wpa-supplicant-mesh-wolfssl || \
PACKAGE_wpa-supplicant-basic || \
PACKAGE_wpa-supplicant-mini || \ PACKAGE_wpa-supplicant-mini || \
PACKAGE_wpa-supplicant-p2p || \ PACKAGE_wpa-supplicant-p2p || \
PACKAGE_wpad || \ PACKAGE_wpad || \
PACKAGE_wpad-openssl || \ PACKAGE_wpad-openssl || \
PACKAGE_wpad-wolfssl || \ PACKAGE_wpad-wolfssl || \
PACKAGE_wpad-basic || \
PACKAGE_wpad-mini || \ PACKAGE_wpad-mini || \
PACKAGE_wpad-mesh-openssl || \ PACKAGE_wpad-mesh-openssl || \
PACKAGE_wpad-mesh-wolfssl PACKAGE_wpad-mesh-wolfssl
@ -43,11 +47,13 @@ config WPA_MSG_MIN_PRIORITY
PACKAGE_wpa-supplicant-wolfssl || \ PACKAGE_wpa-supplicant-wolfssl || \
PACKAGE_wpa-supplicant-mesh-openssl || \ PACKAGE_wpa-supplicant-mesh-openssl || \
PACKAGE_wpa-supplicant-mesh-wolfssl || \ PACKAGE_wpa-supplicant-mesh-wolfssl || \
PACKAGE_wpa-supplicant-basic || \
PACKAGE_wpa-supplicant-mini || \ PACKAGE_wpa-supplicant-mini || \
PACKAGE_wpa-supplicant-p2p || \ PACKAGE_wpa-supplicant-p2p || \
PACKAGE_wpad || \ PACKAGE_wpad || \
PACKAGE_wpad-openssl || \ PACKAGE_wpad-openssl || \
PACKAGE_wpad-wolfssl || \ PACKAGE_wpad-wolfssl || \
PACKAGE_wpad-basic || \
PACKAGE_wpad-mini || \ PACKAGE_wpad-mini || \
PACKAGE_wpad-mesh-openssl || \ PACKAGE_wpad-mesh-openssl || \
PACKAGE_wpad-mesh-wolfssl PACKAGE_wpad-mesh-wolfssl

43
package/network/services/hostapd/Makefile
View File

@ -7,7 +7,7 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=hostapd PKG_NAME:=hostapd
PKG_RELEASE:=4 PKG_RELEASE:=5
PKG_SOURCE_URL:=http://w1.fi/hostap.git PKG_SOURCE_URL:=http://w1.fi/hostap.git
PKG_SOURCE_PROTO:=git PKG_SOURCE_PROTO:=git
@ -26,6 +26,7 @@ PKG_CONFIG_DEPENDS:= \
CONFIG_PACKAGE_kmod-ath9k \ CONFIG_PACKAGE_kmod-ath9k \
CONFIG_PACKAGE_kmod-cfg80211 \ CONFIG_PACKAGE_kmod-cfg80211 \
CONFIG_PACKAGE_hostapd \ CONFIG_PACKAGE_hostapd \
CONFIG_PACKAGE_hostapd-basic \
CONFIG_PACKAGE_hostapd-mini \ CONFIG_PACKAGE_hostapd-mini \
CONFIG_WPA_RFKILL_SUPPORT \ CONFIG_WPA_RFKILL_SUPPORT \
CONFIG_DRIVER_WEXT_SUPPORT \ CONFIG_DRIVER_WEXT_SUPPORT \
@ -95,13 +96,17 @@ ifeq ($(LOCAL_VARIANT),full)
DRIVER_MAKEOPTS += CONFIG_IEEE80211W=$(CONFIG_DRIVER_11W_SUPPORT) DRIVER_MAKEOPTS += CONFIG_IEEE80211W=$(CONFIG_DRIVER_11W_SUPPORT)
endif endif
ifeq ($(LOCAL_VARIANT),basic)
DRIVER_MAKEOPTS += CONFIG_IEEE80211W=$(CONFIG_DRIVER_11W_SUPPORT)
endif
ifeq ($(LOCAL_VARIANT),full) ifeq ($(LOCAL_VARIANT),full)
ifeq ($(SSL_VARIANT),openssl) ifeq ($(SSL_VARIANT),openssl)
DRIVER_MAKEOPTS += CONFIG_TLS=openssl DRIVER_MAKEOPTS += CONFIG_TLS=openssl CONFIG_SAE=y CONFIG_OWE=y CONFIG_SUITEB192=y
TARGET_LDFLAGS += -lcrypto -lssl TARGET_LDFLAGS += -lcrypto -lssl
endif endif
ifeq ($(SSL_VARIANT),wolfssl) ifeq ($(SSL_VARIANT),wolfssl)
DRIVER_MAKEOPTS += CONFIG_TLS=wolfssl CONFIG_WPS_NFC=1 DRIVER_MAKEOPTS += CONFIG_TLS=wolfssl CONFIG_WPS_NFC=1 CONFIG_SAE=y CONFIG_OWE=y CONFIG_SUITEB192=y
TARGET_LDFLAGS += -lwolfssl TARGET_LDFLAGS += -lwolfssl
endif endif
endif endif
@ -176,6 +181,16 @@ endef
Package/hostapd-wolfssl/description = $(Package/hostapd/description) Package/hostapd-wolfssl/description = $(Package/hostapd/description)
define Package/hostapd-basic
$(call Package/hostapd/Default,$(1))
TITLE+= (WPA-PSK, 11r and 11w)
VARIANT:=basic
endef
define Package/hostapd-basic/description
This package contains a basic IEEE 802.1x/WPA Authenticator with WPA-PSK, 802.11r and 802.11w support.
endef
define Package/hostapd-mini define Package/hostapd-mini
$(call Package/hostapd/Default,$(1)) $(call Package/hostapd/Default,$(1))
TITLE+= (WPA-PSK only) TITLE+= (WPA-PSK only)
@ -228,6 +243,16 @@ endef
Package/wpad-wolfssl/description = $(Package/wpad/description) Package/wpad-wolfssl/description = $(Package/wpad/description)
define Package/wpad-basic
$(call Package/wpad/Default,$(1))
TITLE+= (WPA-PSK, 11r and 11w)
VARIANT:=wpad-basic
endef
define Package/wpad-basic/description
This package contains a basic IEEE 802.1x/WPA Authenticator and Supplicant with WPA-PSK, 802.11r and 802.11w support.
endef
define Package/wpad-mini define Package/wpad-mini
$(call Package/wpad/Default,$(1)) $(call Package/wpad/Default,$(1))
TITLE+= (WPA-PSK only) TITLE+= (WPA-PSK only)
@ -324,6 +349,12 @@ $(call Package/wpa-supplicant-mesh/Default,$(1))
DEPENDS+=+libwolfssl DEPENDS+=+libwolfssl
endef endef
define Package/wpa-supplicant-basic
$(call Package/wpa-supplicant/Default,$(1))
TITLE+= (with 11r and 11w)
VARIANT:=supplicant-basic
endef
define Package/wpa-supplicant-mini define Package/wpa-supplicant-mini
$(call Package/wpa-supplicant/Default,$(1)) $(call Package/wpa-supplicant/Default,$(1))
TITLE+= (minimal version) TITLE+= (minimal version)
@ -511,6 +542,7 @@ define Package/hostapd/install
$(call Install/hostapd,$(1)) $(call Install/hostapd,$(1))
$(INSTALL_BIN) $(PKG_BUILD_DIR)/hostapd/hostapd $(1)/usr/sbin/ $(INSTALL_BIN) $(PKG_BUILD_DIR)/hostapd/hostapd $(1)/usr/sbin/
endef endef
Package/hostapd-basic/install = $(Package/hostapd/install)
Package/hostapd-mini/install = $(Package/hostapd/install) Package/hostapd-mini/install = $(Package/hostapd/install)
Package/hostapd-openssl/install = $(Package/hostapd/install) Package/hostapd-openssl/install = $(Package/hostapd/install)
Package/hostapd-wolfssl/install = $(Package/hostapd/install) Package/hostapd-wolfssl/install = $(Package/hostapd/install)
@ -530,6 +562,7 @@ define Package/wpad/install
$(LN) wpad $(1)/usr/sbin/hostapd $(LN) wpad $(1)/usr/sbin/hostapd
$(LN) wpad $(1)/usr/sbin/wpa_supplicant $(LN) wpad $(1)/usr/sbin/wpa_supplicant
endef endef
Package/wpad-basic/install = $(Package/wpad/install)
Package/wpad-mini/install = $(Package/wpad/install) Package/wpad-mini/install = $(Package/wpad/install)
Package/wpad-openssl/install = $(Package/wpad/install) Package/wpad-openssl/install = $(Package/wpad/install)
Package/wpad-wolfssl/install = $(Package/wpad/install) Package/wpad-wolfssl/install = $(Package/wpad/install)
@ -540,6 +573,7 @@ define Package/wpa-supplicant/install
$(call Install/supplicant,$(1)) $(call Install/supplicant,$(1))
$(INSTALL_BIN) $(PKG_BUILD_DIR)/wpa_supplicant/wpa_supplicant $(1)/usr/sbin/ $(INSTALL_BIN) $(PKG_BUILD_DIR)/wpa_supplicant/wpa_supplicant $(1)/usr/sbin/
endef endef
Package/wpa-supplicant-basic/install = $(Package/wpa-supplicant/install)
Package/wpa-supplicant-mini/install = $(Package/wpa-supplicant/install) Package/wpa-supplicant-mini/install = $(Package/wpa-supplicant/install)
Package/wpa-supplicant-p2p/install = $(Package/wpa-supplicant/install) Package/wpa-supplicant-p2p/install = $(Package/wpa-supplicant/install)
Package/wpa-supplicant-openssl/install = $(Package/wpa-supplicant/install) Package/wpa-supplicant-openssl/install = $(Package/wpa-supplicant/install)
@ -576,18 +610,21 @@ ifeq ($(BUILD_VARIANT),supplicant-full-wolfssl)
endif endif
$(eval $(call BuildPackage,hostapd)) $(eval $(call BuildPackage,hostapd))
$(eval $(call BuildPackage,hostapd-basic))
$(eval $(call BuildPackage,hostapd-mini)) $(eval $(call BuildPackage,hostapd-mini))
$(eval $(call BuildPackage,hostapd-openssl)) $(eval $(call BuildPackage,hostapd-openssl))
$(eval $(call BuildPackage,hostapd-wolfssl)) $(eval $(call BuildPackage,hostapd-wolfssl))
$(eval $(call BuildPackage,wpad)) $(eval $(call BuildPackage,wpad))
$(eval $(call BuildPackage,wpad-mesh-openssl)) $(eval $(call BuildPackage,wpad-mesh-openssl))
$(eval $(call BuildPackage,wpad-mesh-wolfssl)) $(eval $(call BuildPackage,wpad-mesh-wolfssl))
$(eval $(call BuildPackage,wpad-basic))
$(eval $(call BuildPackage,wpad-mini)) $(eval $(call BuildPackage,wpad-mini))
$(eval $(call BuildPackage,wpad-openssl)) $(eval $(call BuildPackage,wpad-openssl))
$(eval $(call BuildPackage,wpad-wolfssl)) $(eval $(call BuildPackage,wpad-wolfssl))
$(eval $(call BuildPackage,wpa-supplicant)) $(eval $(call BuildPackage,wpa-supplicant))
$(eval $(call BuildPackage,wpa-supplicant-mesh-openssl)) $(eval $(call BuildPackage,wpa-supplicant-mesh-openssl))
$(eval $(call BuildPackage,wpa-supplicant-mesh-wolfssl)) $(eval $(call BuildPackage,wpa-supplicant-mesh-wolfssl))
$(eval $(call BuildPackage,wpa-supplicant-basic))
$(eval $(call BuildPackage,wpa-supplicant-mini)) $(eval $(call BuildPackage,wpa-supplicant-mini))
$(eval $(call BuildPackage,wpa-supplicant-p2p)) $(eval $(call BuildPackage,wpa-supplicant-p2p))
$(eval $(call BuildPackage,wpa-supplicant-openssl)) $(eval $(call BuildPackage,wpa-supplicant-openssl))

380
package/network/services/hostapd/files/hostapd-basic.config Normal file
View File

@ -0,0 +1,380 @@
# Example hostapd build time configuration
#
# This file lists the configuration options that are used when building the
# hostapd binary. All lines starting with # are ignored. Configuration option
# lines must be commented out complete, if they are not to be included, i.e.,
# just setting VARIABLE=n is not disabling that variable.
#
# This file is included in Makefile, so variables like CFLAGS and LIBS can also
# be modified from here. In most cass, these lines should use += in order not
# to override previous values of the variables.
# Driver interface for Host AP driver
#CONFIG_DRIVER_HOSTAP=y
# Driver interface for wired authenticator
CONFIG_DRIVER_WIRED=y
# Driver interface for drivers using the nl80211 kernel interface
CONFIG_DRIVER_NL80211=y
# QCA vendor extensions to nl80211
#CONFIG_DRIVER_NL80211_QCA=y
# driver_nl80211.c requires libnl. If you are compiling it yourself
# you may need to point hostapd to your version of libnl.
#
#CFLAGS += -I$<path to libnl include files>
#LIBS += -L$<path to libnl library files>
# Use libnl v2.0 (or 3.0) libraries.
#CONFIG_LIBNL20=y
# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
#CONFIG_LIBNL32=y
# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
#CONFIG_DRIVER_BSD=y
#CFLAGS += -I/usr/local/include
#LIBS += -L/usr/local/lib
#LIBS_p += -L/usr/local/lib
#LIBS_c += -L/usr/local/lib
# Driver interface for no driver (e.g., RADIUS server only)
#CONFIG_DRIVER_NONE=y
# IEEE 802.11F/IAPP
#CONFIG_IAPP=y
# WPA2/IEEE 802.11i RSN pre-authentication
CONFIG_RSN_PREAUTH=y
# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS)
CONFIG_PEERKEY=y
# IEEE 802.11w (management frame protection)
# Driver support is also needed for IEEE 802.11w.
#CONFIG_IEEE80211W=y
# Integrated EAP server
#CONFIG_EAP=y
# EAP Re-authentication Protocol (ERP) in integrated EAP server
#CONFIG_ERP=y
# EAP-MD5 for the integrated EAP server
#CONFIG_EAP_MD5=y
# EAP-TLS for the integrated EAP server
#CONFIG_EAP_TLS=y
# EAP-MSCHAPv2 for the integrated EAP server
#CONFIG_EAP_MSCHAPV2=y
# EAP-PEAP for the integrated EAP server
#CONFIG_EAP_PEAP=y
# EAP-GTC for the integrated EAP server
#CONFIG_EAP_GTC=y
# EAP-TTLS for the integrated EAP server
#CONFIG_EAP_TTLS=y
# EAP-SIM for the integrated EAP server
#CONFIG_EAP_SIM=y
# EAP-AKA for the integrated EAP server
#CONFIG_EAP_AKA=y
# EAP-AKA' for the integrated EAP server
# This requires CONFIG_EAP_AKA to be enabled, too.
#CONFIG_EAP_AKA_PRIME=y
# EAP-PAX for the integrated EAP server
#CONFIG_EAP_PAX=y
# EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK)
#CONFIG_EAP_PSK=y
# EAP-pwd for the integrated EAP server (secure authentication with a password)
#CONFIG_EAP_PWD=y
# EAP-SAKE for the integrated EAP server
#CONFIG_EAP_SAKE=y
# EAP-GPSK for the integrated EAP server
#CONFIG_EAP_GPSK=y
# Include support for optional SHA256 cipher suite in EAP-GPSK
#CONFIG_EAP_GPSK_SHA256=y
# EAP-FAST for the integrated EAP server
# Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed
# for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g.,
# with openssl-0.9.8x-tls-extensions.patch, to add the needed functions.
#CONFIG_EAP_FAST=y
# Wi-Fi Protected Setup (WPS)
#CONFIG_WPS=y
# Enable UPnP support for external WPS Registrars
#CONFIG_WPS_UPNP=y
# Enable WPS support with NFC config method
#CONFIG_WPS_NFC=y
# EAP-IKEv2
#CONFIG_EAP_IKEV2=y
# Trusted Network Connect (EAP-TNC)
#CONFIG_EAP_TNC=y
# EAP-EKE for the integrated EAP server
#CONFIG_EAP_EKE=y
# PKCS#12 (PFX) support (used to read private key and certificate file from
# a file that usually has extension .p12 or .pfx)
#CONFIG_PKCS12=y
# RADIUS authentication server. This provides access to the integrated EAP
# server from external hosts using RADIUS.
#CONFIG_RADIUS_SERVER=y
# Build IPv6 support for RADIUS operations
#CONFIG_IPV6=y
# IEEE Std 802.11r-2008 (Fast BSS Transition)
CONFIG_IEEE80211R=y
# Use the hostapd's IEEE 802.11 authentication (ACL), but without
# the IEEE 802.11 Management capability (e.g., FreeBSD/net80211)
#CONFIG_DRIVER_RADIUS_ACL=y
# IEEE 802.11n (High Throughput) support
CONFIG_IEEE80211N=y
# Wireless Network Management (IEEE Std 802.11v-2011)
# Note: This is experimental and not complete implementation.
#CONFIG_WNM=y
# IEEE 802.11ac (Very High Throughput) support
CONFIG_IEEE80211AC=y
# IEEE 802.11ax HE support
# Note: This is experimental and work in progress. The definitions are still
# subject to change and this should not be expected to interoperate with the
# final IEEE 802.11ax version.
#CONFIG_IEEE80211AX=y
# Remove debugging code that is printing out debug messages to stdout.
# This can be used to reduce the size of the hostapd considerably if debugging
# code is not needed.
#CONFIG_NO_STDOUT_DEBUG=y
# Add support for writing debug log to a file: -f /tmp/hostapd.log
# Disabled by default.
#CONFIG_DEBUG_FILE=y
# Send debug messages to syslog instead of stdout
CONFIG_DEBUG_SYSLOG=y
# Add support for sending all debug messages (regardless of debug verbosity)
# to the Linux kernel tracing facility. This helps debug the entire stack by
# making it easy to record everything happening from the driver up into the
# same file, e.g., using trace-cmd.
#CONFIG_DEBUG_LINUX_TRACING=y
# Remove support for RADIUS accounting
CONFIG_NO_ACCOUNTING=y
# Remove support for RADIUS
CONFIG_NO_RADIUS=y
# Remove support for VLANs
#CONFIG_NO_VLAN=y
# Enable support for fully dynamic VLANs. This enables hostapd to
# automatically create bridge and VLAN interfaces if necessary.
#CONFIG_FULL_DYNAMIC_VLAN=y
# Use netlink-based kernel API for VLAN operations instead of ioctl()
# Note: This requires libnl 3.1 or newer.
#CONFIG_VLAN_NETLINK=y
# Remove support for dumping internal state through control interface commands
# This can be used to reduce binary size at the cost of disabling a debugging
# option.
CONFIG_NO_DUMP_STATE=y
# Enable tracing code for developer debugging
# This tracks use of memory allocations and other registrations and reports
# incorrect use with a backtrace of call (or allocation) location.
#CONFIG_WPA_TRACE=y
# For BSD, comment out these.
#LIBS += -lexecinfo
#LIBS_p += -lexecinfo
#LIBS_c += -lexecinfo
# Use libbfd to get more details for developer debugging
# This enables use of libbfd to get more detailed symbols for the backtraces
# generated by CONFIG_WPA_TRACE=y.
#CONFIG_WPA_TRACE_BFD=y
# For BSD, comment out these.
#LIBS += -lbfd -liberty -lz
#LIBS_p += -lbfd -liberty -lz
#LIBS_c += -lbfd -liberty -lz
# hostapd depends on strong random number generation being available from the
# operating system. os_get_random() function is used to fetch random data when
# needed, e.g., for key generation. On Linux and BSD systems, this works by
# reading /dev/urandom. It should be noted that the OS entropy pool needs to be
# properly initialized before hostapd is started. This is important especially
# on embedded devices that do not have a hardware random number generator and
# may by default start up with minimal entropy available for random number
# generation.
#
# As a safety net, hostapd is by default trying to internally collect
# additional entropy for generating random data to mix in with the data
# fetched from the OS. This by itself is not considered to be very strong, but
# it may help in cases where the system pool is not initialized properly.
# However, it is very strongly recommended that the system pool is initialized
# with enough entropy either by using hardware assisted random number
# generator or by storing state over device reboots.
#
# hostapd can be configured to maintain its own entropy store over restarts to
# enhance random number generation. This is not perfect, but it is much more
# secure than using the same sequence of random numbers after every reboot.
# This can be enabled with -e<entropy file> command line option. The specified
# file needs to be readable and writable by hostapd.
#
# If the os_get_random() is known to provide strong random data (e.g., on
# Linux/BSD, the board in question is known to have reliable source of random
# data from /dev/urandom), the internal hostapd random pool can be disabled.
# This will save some in binary size and CPU use. However, this should only be
# considered for builds that are known to be used on devices that meet the
# requirements described above.
CONFIG_NO_RANDOM_POOL=y
# Should we use poll instead of select? Select is used by default.
#CONFIG_ELOOP_POLL=y
# Should we use epoll instead of select? Select is used by default.
#CONFIG_ELOOP_EPOLL=y
# Should we use kqueue instead of select? Select is used by default.
#CONFIG_ELOOP_KQUEUE=y
# Select TLS implementation
# openssl = OpenSSL (default)
# gnutls = GnuTLS
# internal = Internal TLSv1 implementation (experimental)
# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
# none = Empty template
CONFIG_TLS=internal
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
# can be enabled to get a stronger construction of messages when block ciphers
# are used.
#CONFIG_TLSV11=y
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
# can be enabled to enable use of stronger crypto algorithms.
#CONFIG_TLSV12=y
# Select which ciphers to use by default with OpenSSL if the user does not
# specify them.
#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
# If CONFIG_TLS=internal is used, additional library and include paths are
# needed for LibTomMath. Alternatively, an integrated, minimal version of
# LibTomMath can be used. See beginning of libtommath.c for details on benefits
# and drawbacks of this option.
#CONFIG_INTERNAL_LIBTOMMATH=y
#ifndef CONFIG_INTERNAL_LIBTOMMATH
#LTM_PATH=/usr/src/libtommath-0.39
#CFLAGS += -I$(LTM_PATH)
#LIBS += -L$(LTM_PATH)
#LIBS_p += -L$(LTM_PATH)
#endif
# At the cost of about 4 kB of additional binary size, the internal LibTomMath
# can be configured to include faster routines for exptmod, sqr, and div to
# speed up DH and RSA calculation considerably
#CONFIG_INTERNAL_LIBTOMMATH_FAST=y
# Interworking (IEEE 802.11u)
# This can be used to enable functionality to improve interworking with
# external networks.
#CONFIG_INTERWORKING=y
# Hotspot 2.0
#CONFIG_HS20=y
# Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file
#CONFIG_SQLITE=y
# Enable Fast Session Transfer (FST)
#CONFIG_FST=y
# Enable CLI commands for FST testing
#CONFIG_FST_TEST=y
# Testing options
# This can be used to enable some testing options (see also the example
# configuration file) that are really useful only for testing clients that
# connect to this hostapd. These options allow, for example, to drop a
# certain percentage of probe requests or auth/(re)assoc frames.
#
#CONFIG_TESTING_OPTIONS=y
# Automatic Channel Selection
# This will allow hostapd to pick the channel automatically when channel is set
# to "acs_survey" or "0". Eventually, other ACS algorithms can be added in
# similar way.
#
# Automatic selection is currently only done through initialization, later on
# we hope to do background checks to keep us moving to more ideal channels as
# time goes by. ACS is currently only supported through the nl80211 driver and
# your driver must have survey dump capability that is filled by the driver
# during scanning.
#
# You can customize the ACS survey algorithm with the hostapd.conf variable
# acs_num_scans.
#
# Supported ACS drivers:
# * ath9k
# * ath5k
# * ath10k
#
# For more details refer to:
# http://wireless.kernel.org/en/users/Documentation/acs
#
#CONFIG_ACS=y
# Multiband Operation support
# These extentions facilitate efficient use of multiple frequency bands
# available to the AP and the devices that may associate with it.
#CONFIG_MBO=y
# Client Taxonomy
# Has the AP retain the Probe Request and (Re)Association Request frames from
# a client, from which a signature can be produced which can identify the model
# of client device like "Nexus 6P" or "iPhone 5s".
#CONFIG_TAXONOMY=y
# Fast Initial Link Setup (FILS) (IEEE 802.11ai)
# Note: This is an experimental and not yet complete implementation. This
# should not be enabled for production use.
#CONFIG_FILS=y
# FILS shared key authentication with PFS
#CONFIG_FILS_SK_PFS=y
# Include internal line edit mode in hostapd_cli. This can be used to provide
# limited command line editing and history support.
#CONFIG_WPA_CLI_EDIT=y
# Opportunistic Wireless Encryption (OWE)
# Experimental implementation of draft-harkins-owe-07.txt
#CONFIG_OWE=y
# uBus IPC/RPC System
# Services can connect to the bus and provide methods
# that can be called by other services or clients.
CONFIG_UBUS=y

8
package/network/services/hostapd/files/hostapd-full.config
View File

@ -50,11 +50,7 @@ CONFIG_IAPP=y
# WPA2/IEEE 802.11i RSN pre-authentication # WPA2/IEEE 802.11i RSN pre-authentication
CONFIG_RSN_PREAUTH=y CONFIG_RSN_PREAUTH=y
# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS)
CONFIG_PEERKEY=y
# IEEE 802.11w (management frame protection) # IEEE 802.11w (management frame protection)
# Driver support is also needed for IEEE 802.11w.
#CONFIG_IEEE80211W=y #CONFIG_IEEE80211W=y
# Integrated EAP server # Integrated EAP server
@ -374,6 +370,10 @@ CONFIG_TAXONOMY=y
# Experimental implementation of draft-harkins-owe-07.txt # Experimental implementation of draft-harkins-owe-07.txt
#CONFIG_OWE=y #CONFIG_OWE=y
# Override default value for the wpa_disable_eapol_key_retries configuration
# parameter. See that parameter in hostapd.conf for more details.
#CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1
# uBus IPC/RPC System # uBus IPC/RPC System
# Services can connect to the bus and provide methods # Services can connect to the bus and provide methods
# that can be called by other services or clients. # that can be called by other services or clients.

8
package/network/services/hostapd/files/hostapd-mini.config
View File

@ -50,11 +50,7 @@ CONFIG_DRIVER_NL80211=y
# WPA2/IEEE 802.11i RSN pre-authentication # WPA2/IEEE 802.11i RSN pre-authentication
CONFIG_RSN_PREAUTH=y CONFIG_RSN_PREAUTH=y
# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS)
CONFIG_PEERKEY=y
# IEEE 802.11w (management frame protection) # IEEE 802.11w (management frame protection)
# Driver support is also needed for IEEE 802.11w.
#CONFIG_IEEE80211W=y #CONFIG_IEEE80211W=y
# Integrated EAP server # Integrated EAP server
@ -374,6 +370,10 @@ CONFIG_TLS=internal
# Experimental implementation of draft-harkins-owe-07.txt # Experimental implementation of draft-harkins-owe-07.txt
#CONFIG_OWE=y #CONFIG_OWE=y
# Override default value for the wpa_disable_eapol_key_retries configuration
# parameter. See that parameter in hostapd.conf for more details.
#CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1
# uBus IPC/RPC System # uBus IPC/RPC System
# Services can connect to the bus and provide methods # Services can connect to the bus and provide methods
# that can be called by other services or clients. # that can be called by other services or clients.

71
package/network/services/hostapd/files/hostapd.sh
View File

@ -37,11 +37,38 @@ hostapd_append_wep_key() {
} }
hostapd_append_wpa_key_mgmt() { hostapd_append_wpa_key_mgmt() {
local auth_type="$(echo $auth_type | tr 'a-z' 'A-Z')" local auth_type_l="$(echo $auth_type | tr 'a-z' 'A-Z')"
append wpa_key_mgmt "WPA-$auth_type" case "$auth_type" in
[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-${auth_type}" psk|eap)
[ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-${auth_type}-SHA256" append wpa_key_mgmt "WPA-$auth_type_l"
[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-${auth_type_l}"
[ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-${auth_type_l}-SHA256"
;;
eap192)
append wpa_key_mgmt "WPA-EAP-SUITE-B-192"
;;
eap-eap192)
append wpa_key_mgmt "WPA-EAP-SUITE-B-192"
append wpa_key_mgmt "WPA-EAP"
[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP"
[ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-EAP-SHA256"
;;
sae)
append wpa_key_mgmt "SAE"
[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-SAE"
;;
psk-sae)
append wpa_key_mgmt "WPA-PSK"
[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-PSK"
[ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-PSK-SHA256"
append wpa_key_mgmt "SAE"
[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-SAE"
;;
owe)
append wpa_key_mgmt "OWE"
;;
esac
} }
hostapd_add_log_config() { hostapd_add_log_config() {
@ -209,6 +236,10 @@ hostapd_common_add_bss_config() {
config_add_int mcast_rate config_add_int mcast_rate
config_add_array basic_rate config_add_array basic_rate
config_add_array supported_rates config_add_array supported_rates
config_add_boolean sae_require_mfp
config_add_string 'owe_transition_bssid:macaddr' 'owe_transition_ssid:string'
} }
hostapd_set_bss_options() { hostapd_set_bss_options() {
@ -230,7 +261,7 @@ hostapd_set_bss_options() {
macfilter ssid wmm uapsd hidden short_preamble rsn_preauth \ macfilter ssid wmm uapsd hidden short_preamble rsn_preauth \
iapp_interface eapol_version dynamic_vlan ieee80211w nasid \ iapp_interface eapol_version dynamic_vlan ieee80211w nasid \
acct_server acct_secret acct_port acct_interval \ acct_server acct_secret acct_port acct_interval \
bss_load_update_period chan_util_avg_period bss_load_update_period chan_util_avg_period sae_require_mfp
set_default isolate 0 set_default isolate 0
set_default maxassoc 0 set_default maxassoc 0
@ -284,16 +315,33 @@ hostapd_set_bss_options() {
append bss_conf "radius_acct_interim_interval=$acct_interval" "$N" append bss_conf "radius_acct_interim_interval=$acct_interval" "$N"
} }
case "$auth_type" in
sae|owe|eap192|eap-eap192)
set_default ieee80211w 2
set_default sae_require_mfp 1
;;
psk-sae)
set_default ieee80211w 1
set_default sae_require_mfp 1
;;
esac
[ -n "$sae_require_mfp" ] && append bss_conf "sae_require_mfp=$sae_require_mfp" "$N"
local vlan_possible="" local vlan_possible=""
case "$auth_type" in case "$auth_type" in
none) none|owe)
json_get_vars owe_transition_bssid owe_transition_ssid
[ -n "$owe_transition_ssid" ] && append bss_conf "owe_transition_ssid=\"$owe_transition_ssid\"" "$N"
[ -n "$owe_transition_bssid" ] && append bss_conf "owe_transition_bssid=$owe_transition_bssid" "$N"
wps_possible=1 wps_possible=1
# Here we make the assumption that if we're in open mode # Here we make the assumption that if we're in open mode
# with WPS enabled, we got to be in unconfigured state. # with WPS enabled, we got to be in unconfigured state.
wps_not_configured=1 wps_not_configured=1
;; ;;
psk) psk|sae|psk-sae)
json_get_vars key wpa_psk_file json_get_vars key wpa_psk_file
if [ ${#key} -lt 8 ]; then if [ ${#key} -lt 8 ]; then
wireless_setup_vif_failed INVALID_WPA_PSK wireless_setup_vif_failed INVALID_WPA_PSK
@ -311,7 +359,7 @@ hostapd_set_bss_options() {
wps_possible=1 wps_possible=1
;; ;;
eap) eap|eap192|eap-eap192)
json_get_vars \ json_get_vars \
auth_server auth_secret auth_port \ auth_server auth_secret auth_port \
dae_client dae_secret dae_port \ dae_client dae_secret dae_port \
@ -704,12 +752,15 @@ wpa_supplicant_add_network() {
case "$auth_type" in case "$auth_type" in
none) ;; none) ;;
owe)
hostapd_append_wpa_key_mgmt
;;
wep) wep)
local wep_keyidx=0 local wep_keyidx=0
hostapd_append_wep_key network_data hostapd_append_wep_key network_data
append network_data "wep_tx_keyidx=$wep_keyidx" "$N$T" append network_data "wep_tx_keyidx=$wep_keyidx" "$N$T"
;; ;;
psk) psk|sae|psk-sae)
local passphrase local passphrase
if [ "$_w_mode" != "mesh" ]; then if [ "$_w_mode" != "mesh" ]; then
@ -729,7 +780,7 @@ wpa_supplicant_add_network() {
fi fi
append network_data "$passphrase" "$N$T" append network_data "$passphrase" "$N$T"
;; ;;
eap) eap|eap192|eap-eap192)
hostapd_append_wpa_key_mgmt hostapd_append_wpa_key_mgmt
key_mgmt="$wpa_key_mgmt" key_mgmt="$wpa_key_mgmt"

593
package/network/services/hostapd/files/wpa_supplicant-basic.config Normal file
View File

@ -0,0 +1,593 @@
# Example wpa_supplicant build time configuration
#
# This file lists the configuration options that are used when building the
# wpa_supplicant binary. All lines starting with # are ignored. Configuration
# option lines must be commented out complete, if they are not to be included,
# i.e., just setting VARIABLE=n is not disabling that variable.
#
# This file is included in Makefile, so variables like CFLAGS and LIBS can also
# be modified from here. In most cases, these lines should use += in order not
# to override previous values of the variables.
# Uncomment following two lines and fix the paths if you have installed OpenSSL
# or GnuTLS in non-default location
#CFLAGS += -I/usr/local/openssl/include
#LIBS += -L/usr/local/openssl/lib
# Some Red Hat versions seem to include kerberos header files from OpenSSL, but
# the kerberos files are not in the default include path. Following line can be
# used to fix build issues on such systems (krb5.h not found).
#CFLAGS += -I/usr/include/kerberos
# Driver interface for generic Linux wireless extensions
# Note: WEXT is deprecated in the current Linux kernel version and no new
# functionality is added to it. nl80211-based interface is the new
# replacement for WEXT and its use allows wpa_supplicant to properly control
# the driver to improve existing functionality like roaming and to support new
# functionality.
CONFIG_DRIVER_WEXT=y
# Driver interface for Linux drivers using the nl80211 kernel interface
CONFIG_DRIVER_NL80211=y
# QCA vendor extensions to nl80211
#CONFIG_DRIVER_NL80211_QCA=y
# driver_nl80211.c requires libnl. If you are compiling it yourself
# you may need to point hostapd to your version of libnl.
#
#CFLAGS += -I$<path to libnl include files>
#LIBS += -L$<path to libnl library files>
# Use libnl v2.0 (or 3.0) libraries.
#CONFIG_LIBNL20=y
# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
#CONFIG_LIBNL32=y
# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
#CONFIG_DRIVER_BSD=y
#CFLAGS += -I/usr/local/include
#LIBS += -L/usr/local/lib
#LIBS_p += -L/usr/local/lib
#LIBS_c += -L/usr/local/lib
# Driver interface for Windows NDIS
#CONFIG_DRIVER_NDIS=y
#CFLAGS += -I/usr/include/w32api/ddk
#LIBS += -L/usr/local/lib
# For native build using mingw
#CONFIG_NATIVE_WINDOWS=y
# Additional directories for cross-compilation on Linux host for mingw target
#CFLAGS += -I/opt/mingw/mingw32/include/ddk
#LIBS += -L/opt/mingw/mingw32/lib
#CC=mingw32-gcc
# By default, driver_ndis uses WinPcap for low-level operations. This can be
# replaced with the following option which replaces WinPcap calls with NDISUIO.
# However, this requires that WZC is disabled (net stop wzcsvc) before starting
# wpa_supplicant.
# CONFIG_USE_NDISUIO=y
# Driver interface for wired Ethernet drivers
CONFIG_DRIVER_WIRED=y
# Driver interface for the Broadcom RoboSwitch family
#CONFIG_DRIVER_ROBOSWITCH=y
# Driver interface for no driver (e.g., WPS ER only)
#CONFIG_DRIVER_NONE=y
# Solaris libraries
#LIBS += -lsocket -ldlpi -lnsl
#LIBS_c += -lsocket
# Enable IEEE 802.1X Supplicant (automatically included if any EAP method is
# included)
#CONFIG_IEEE8021X_EAPOL=y
# EAP-MD5
#CONFIG_EAP_MD5=y
# EAP-MSCHAPv2
#CONFIG_EAP_MSCHAPV2=y
# EAP-TLS
#CONFIG_EAP_TLS=y
# EAL-PEAP
#CONFIG_EAP_PEAP=y
# EAP-TTLS
#CONFIG_EAP_TTLS=y
# EAP-FAST
# Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed
# for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g.,
# with openssl-0.9.8x-tls-extensions.patch, to add the needed functions.
#CONFIG_EAP_FAST=y
# EAP-GTC
#CONFIG_EAP_GTC=y
# EAP-OTP
#CONFIG_EAP_OTP=y
# EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
#CONFIG_EAP_SIM=y
# EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
#CONFIG_EAP_PSK=y
# EAP-pwd (secure authentication using only a password)
#CONFIG_EAP_PWD=y
# EAP-PAX
#CONFIG_EAP_PAX=y
# LEAP
#CONFIG_EAP_LEAP=y
# EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
#CONFIG_EAP_AKA=y
# EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used).
# This requires CONFIG_EAP_AKA to be enabled, too.
#CONFIG_EAP_AKA_PRIME=y
# Enable USIM simulator (Milenage) for EAP-AKA
#CONFIG_USIM_SIMULATOR=y
# EAP-SAKE
#CONFIG_EAP_SAKE=y
# EAP-GPSK
#CONFIG_EAP_GPSK=y
# Include support for optional SHA256 cipher suite in EAP-GPSK
#CONFIG_EAP_GPSK_SHA256=y
# EAP-TNC and related Trusted Network Connect support (experimental)
#CONFIG_EAP_TNC=y
# Wi-Fi Protected Setup (WPS)
#CONFIG_WPS=y
# Enable WPS external registrar functionality
#CONFIG_WPS_ER=y
# Disable credentials for an open network by default when acting as a WPS
# registrar.
#CONFIG_WPS_REG_DISABLE_OPEN=y
# Enable WPS support with NFC config method
#CONFIG_WPS_NFC=y
# EAP-IKEv2
#CONFIG_EAP_IKEV2=y
# EAP-EKE
#CONFIG_EAP_EKE=y
# PKCS#12 (PFX) support (used to read private key and certificate file from
# a file that usually has extension .p12 or .pfx)
#CONFIG_PKCS12=y
# Smartcard support (i.e., private key on a smartcard), e.g., with openssl
# engine.
#CONFIG_SMARTCARD=y
# PC/SC interface for smartcards (USIM, GSM SIM)
# Enable this if EAP-SIM or EAP-AKA is included
#CONFIG_PCSC=y
# Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
CONFIG_HT_OVERRIDES=y
# Support VHT overrides (disable VHT, mask MCS rates, etc.)
CONFIG_VHT_OVERRIDES=y
# Development testing
#CONFIG_EAPOL_TEST=y
# Select control interface backend for external programs, e.g, wpa_cli:
# unix = UNIX domain sockets (default for Linux/*BSD)
# udp = UDP sockets using localhost (127.0.0.1)
# udp6 = UDP IPv6 sockets using localhost (::1)
# named_pipe = Windows Named Pipe (default for Windows)
# udp-remote = UDP sockets with remote access (only for tests systems/purpose)
# udp6-remote = UDP IPv6 sockets with remote access (only for tests purpose)
# y = use default (backwards compatibility)
# If this option is commented out, control interface is not included in the
# build.
CONFIG_CTRL_IFACE=y
# Include support for GNU Readline and History Libraries in wpa_cli.
# When building a wpa_cli binary for distribution, please note that these
# libraries are licensed under GPL and as such, BSD license may not apply for
# the resulting binary.
#CONFIG_READLINE=y
# Include internal line edit mode in wpa_cli. This can be used as a replacement
# for GNU Readline to provide limited command line editing and history support.
#CONFIG_WPA_CLI_EDIT=y
# Remove debugging code that is printing out debug message to stdout.
# This can be used to reduce the size of the wpa_supplicant considerably
# if debugging code is not needed. The size reduction can be around 35%
# (e.g., 90 kB).
#CONFIG_NO_STDOUT_DEBUG=y
# Remove WPA support, e.g., for wired-only IEEE 802.1X supplicant, to save
# 35-50 kB in code size.
#CONFIG_NO_WPA=y
# Remove IEEE 802.11i/WPA-Personal ASCII passphrase support
# This option can be used to reduce code size by removing support for
# converting ASCII passphrases into PSK. If this functionality is removed, the
# PSK can only be configured as the 64-octet hexstring (e.g., from
# wpa_passphrase). This saves about 0.5 kB in code size.
#CONFIG_NO_WPA_PASSPHRASE=y
# Disable scan result processing (ap_mode=1) to save code size by about 1 kB.
# This can be used if ap_scan=1 mode is never enabled.
#CONFIG_NO_SCAN_PROCESSING=y
# Select configuration backend:
# file = text file (e.g., wpa_supplicant.conf; note: the configuration file
# path is given on command line, not here; this option is just used to
# select the backend that allows configuration files to be used)
# winreg = Windows registry (see win_example.reg for an example)
CONFIG_BACKEND=file
# Remove configuration write functionality (i.e., to allow the configuration
# file to be updated based on runtime configuration changes). The runtime
# configuration can still be changed, the changes are just not going to be
# persistent over restarts. This option can be used to reduce code size by
# about 3.5 kB.
#CONFIG_NO_CONFIG_WRITE=y
# Remove support for configuration blobs to reduce code size by about 1.5 kB.
#CONFIG_NO_CONFIG_BLOBS=y
# Select program entry point implementation:
# main = UNIX/POSIX like main() function (default)
# main_winsvc = Windows service (read parameters from registry)
# main_none = Very basic example (development use only)
#CONFIG_MAIN=main
# Select wrapper for operating system and C library specific functions
# unix = UNIX/POSIX like systems (default)
# win32 = Windows systems
# none = Empty template
#CONFIG_OS=unix
# Select event loop implementation
# eloop = select() loop (default)
# eloop_win = Windows events and WaitForMultipleObject() loop
#CONFIG_ELOOP=eloop
# Should we use poll instead of select? Select is used by default.
#CONFIG_ELOOP_POLL=y
# Should we use epoll instead of select? Select is used by default.
#CONFIG_ELOOP_EPOLL=y
# Should we use kqueue instead of select? Select is used by default.
#CONFIG_ELOOP_KQUEUE=y
# Select layer 2 packet implementation
# linux = Linux packet socket (default)
# pcap = libpcap/libdnet/WinPcap
# freebsd = FreeBSD libpcap
# winpcap = WinPcap with receive thread
# ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y)
# none = Empty template
#CONFIG_L2_PACKET=linux
# Disable Linux packet socket workaround applicable for station interface
# in a bridge for EAPOL frames. This should be uncommented only if the kernel
# is known to not have the regression issue in packet socket behavior with
# bridge interfaces (commit 'bridge: respect RFC2863 operational state')').
#CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS)
#CONFIG_PEERKEY=y
# IEEE 802.11w (management frame protection), also known as PMF
# Driver support is also needed for IEEE 802.11w.
#CONFIG_IEEE80211W=y
# Select TLS implementation
# openssl = OpenSSL (default)
# gnutls = GnuTLS
# internal = Internal TLSv1 implementation (experimental)
# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
# none = Empty template
CONFIG_TLS=internal
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
# can be enabled to get a stronger construction of messages when block ciphers
# are used. It should be noted that some existing TLS v1.0 -based
# implementation may not be compatible with TLS v1.1 message (ClientHello is
# sent prior to negotiating which version will be used)
#CONFIG_TLSV11=y
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
# can be enabled to enable use of stronger crypto algorithms. It should be
# noted that some existing TLS v1.0 -based implementation may not be compatible
# with TLS v1.2 message (ClientHello is sent prior to negotiating which version
# will be used)
#CONFIG_TLSV12=y
# Select which ciphers to use by default with OpenSSL if the user does not
# specify them.
#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
# If CONFIG_TLS=internal is used, additional library and include paths are
# needed for LibTomMath. Alternatively, an integrated, minimal version of
# LibTomMath can be used. See beginning of libtommath.c for details on benefits
# and drawbacks of this option.
#CONFIG_INTERNAL_LIBTOMMATH=y
#ifndef CONFIG_INTERNAL_LIBTOMMATH
#LTM_PATH=/usr/src/libtommath-0.39
#CFLAGS += -I$(LTM_PATH)
#LIBS += -L$(LTM_PATH)
#LIBS_p += -L$(LTM_PATH)
#endif
# At the cost of about 4 kB of additional binary size, the internal LibTomMath
# can be configured to include faster routines for exptmod, sqr, and div to
# speed up DH and RSA calculation considerably
#CONFIG_INTERNAL_LIBTOMMATH_FAST=y
# Include NDIS event processing through WMI into wpa_supplicant/wpasvc.
# This is only for Windows builds and requires WMI-related header files and
# WbemUuid.Lib from Platform SDK even when building with MinGW.
#CONFIG_NDIS_EVENTS_INTEGRATED=y
#PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
# Add support for old DBus control interface
# (fi.epitest.hostap.WPASupplicant)
#CONFIG_CTRL_IFACE_DBUS=y
# Add support for new DBus control interface
# (fi.w1.hostap.wpa_supplicant1)
#CONFIG_CTRL_IFACE_DBUS_NEW=y
# Add introspection support for new DBus control interface
#CONFIG_CTRL_IFACE_DBUS_INTRO=y
# Add support for loading EAP methods dynamically as shared libraries.
# When this option is enabled, each EAP method can be either included
# statically (CONFIG_EAP_<method>=y) or dynamically (CONFIG_EAP_<method>=dyn).
# Dynamic EAP methods are build as shared objects (eap_*.so) and they need to
# be loaded in the beginning of the wpa_supplicant configuration file
# (see load_dynamic_eap parameter in the example file) before being used in
# the network blocks.
#
# Note that some shared parts of EAP methods are included in the main program
# and in order to be able to use dynamic EAP methods using these parts, the
# main program must have been build with the EAP method enabled (=y or =dyn).
# This means that EAP-TLS/PEAP/TTLS/FAST cannot be added as dynamic libraries
# unless at least one of them was included in the main build to force inclusion
# of the shared code. Similarly, at least one of EAP-SIM/AKA must be included
# in the main build to be able to load these methods dynamically.
#
# Please also note that using dynamic libraries will increase the total binary
# size. Thus, it may not be the best option for targets that have limited
# amount of memory/flash.
#CONFIG_DYNAMIC_EAP_METHODS=y
# IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
CONFIG_IEEE80211R=y
# IEEE Std 802.11r-2008 (Fast BSS Transition) for AP mode (implies
# CONFIG_IEEE80211R).
#CONFIG_IEEE80211R_AP=y
# Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
#CONFIG_DEBUG_FILE=y
# Send debug messages to syslog instead of stdout
#CONFIG_DEBUG_SYSLOG=y
# Set syslog facility for debug messages
#CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
# Add support for sending all debug messages (regardless of debug verbosity)
# to the Linux kernel tracing facility. This helps debug the entire stack by
# making it easy to record everything happening from the driver up into the
# same file, e.g., using trace-cmd.
#CONFIG_DEBUG_LINUX_TRACING=y
# Add support for writing debug log to Android logcat instead of standard
# output
#CONFIG_ANDROID_LOG=y
# Enable privilege separation (see README 'Privilege separation' for details)
#CONFIG_PRIVSEP=y
# Enable mitigation against certain attacks against TKIP by delaying Michael
# MIC error reports by a random amount of time between 0 and 60 seconds
#CONFIG_DELAYED_MIC_ERROR_REPORT=y
# Enable tracing code for developer debugging
# This tracks use of memory allocations and other registrations and reports
# incorrect use with a backtrace of call (or allocation) location.
#CONFIG_WPA_TRACE=y
# For BSD, uncomment these.
#LIBS += -lexecinfo
#LIBS_p += -lexecinfo
#LIBS_c += -lexecinfo
# Use libbfd to get more details for developer debugging
# This enables use of libbfd to get more detailed symbols for the backtraces
# generated by CONFIG_WPA_TRACE=y.
#CONFIG_WPA_TRACE_BFD=y
# For BSD, uncomment these.
#LIBS += -lbfd -liberty -lz
#LIBS_p += -lbfd -liberty -lz
#LIBS_c += -lbfd -liberty -lz
# wpa_supplicant depends on strong random number generation being available
# from the operating system. os_get_random() function is used to fetch random
# data when needed, e.g., for key generation. On Linux and BSD systems, this
# works by reading /dev/urandom. It should be noted that the OS entropy pool
# needs to be properly initialized before wpa_supplicant is started. This is
# important especially on embedded devices that do not have a hardware random
# number generator and may by default start up with minimal entropy available
# for random number generation.
#
# As a safety net, wpa_supplicant is by default trying to internally collect
# additional entropy for generating random data to mix in with the data fetched
# from the OS. This by itself is not considered to be very strong, but it may
# help in cases where the system pool is not initialized properly. However, it
# is very strongly recommended that the system pool is initialized with enough
# entropy either by using hardware assisted random number generator or by
# storing state over device reboots.
#
# wpa_supplicant can be configured to maintain its own entropy store over
# restarts to enhance random number generation. This is not perfect, but it is
# much more secure than using the same sequence of random numbers after every
# reboot. This can be enabled with -e<entropy file> command line option. The
# specified file needs to be readable and writable by wpa_supplicant.
#
# If the os_get_random() is known to provide strong random data (e.g., on
# Linux/BSD, the board in question is known to have reliable source of random
# data from /dev/urandom), the internal wpa_supplicant random pool can be
# disabled. This will save some in binary size and CPU use. However, this
# should only be considered for builds that are known to be used on devices
# that meet the requirements described above.
CONFIG_NO_RANDOM_POOL=y
# IEEE 802.11n (High Throughput) support (mainly for AP mode)
#CONFIG_IEEE80211N=y
# IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
# (depends on CONFIG_IEEE80211N)
#CONFIG_IEEE80211AC=y
# Wireless Network Management (IEEE Std 802.11v-2011)
# Note: This is experimental and not complete implementation.
#CONFIG_WNM=y
# Interworking (IEEE 802.11u)
# This can be used to enable functionality to improve interworking with
# external networks (GAS/ANQP to learn more about the networks and network
# selection based on available credentials).
#CONFIG_INTERWORKING=y
# Hotspot 2.0
#CONFIG_HS20=y
# Enable interface matching in wpa_supplicant
#CONFIG_MATCH_IFACE=y
# Disable roaming in wpa_supplicant
#CONFIG_NO_ROAMING=y
# AP mode operations with wpa_supplicant
# This can be used for controlling AP mode operations with wpa_supplicant. It
# should be noted that this is mainly aimed at simple cases like
# WPA2-Personal while more complex configurations like WPA2-Enterprise with an
# external RADIUS server can be supported with hostapd.
#CONFIG_AP=y
# P2P (Wi-Fi Direct)
# This can be used to enable P2P support in wpa_supplicant. See README-P2P for
# more information on P2P operations.
#CONFIG_P2P=y
# Enable TDLS support
#CONFIG_TDLS=y
# Wi-Fi Direct
# This can be used to enable Wi-Fi Direct extensions for P2P using an external
# program to control the additional information exchanges in the messages.
#CONFIG_WIFI_DISPLAY=y
# Autoscan
# This can be used to enable automatic scan support in wpa_supplicant.
# See wpa_supplicant.conf for more information on autoscan usage.
#
# Enabling directly a module will enable autoscan support.
# For exponential module:
#CONFIG_AUTOSCAN_EXPONENTIAL=y
# For periodic module:
#CONFIG_AUTOSCAN_PERIODIC=y
# Password (and passphrase, etc.) backend for external storage
# These optional mechanisms can be used to add support for storing passwords
# and other secrets in external (to wpa_supplicant) location. This allows, for
# example, operating system specific key storage to be used
#
# External password backend for testing purposes (developer use)
#CONFIG_EXT_PASSWORD_TEST=y
# Enable Fast Session Transfer (FST)
#CONFIG_FST=y
# Enable CLI commands for FST testing
#CONFIG_FST_TEST=y
# OS X builds. This is only for building eapol_test.
#CONFIG_OSX=y
# Automatic Channel Selection
# This will allow wpa_supplicant to pick the channel automatically when channel
# is set to "0".
#
# TODO: Extend parser to be able to parse "channel=acs_survey" as an alternative
# to "channel=0". This would enable us to eventually add other ACS algorithms in
# similar way.
#
# Automatic selection is currently only done through initialization, later on
# we hope to do background checks to keep us moving to more ideal channels as
# time goes by. ACS is currently only supported through the nl80211 driver and
# your driver must have survey dump capability that is filled by the driver
# during scanning.
#
# TODO: In analogy to hostapd be able to customize the ACS survey algorithm with
# a newly to create wpa_supplicant.conf variable acs_num_scans.
#
# Supported ACS drivers:
# * ath9k
# * ath5k
# * ath10k
#
# For more details refer to:
# http://wireless.kernel.org/en/users/Documentation/acs
#CONFIG_ACS=y
# Support Multi Band Operation
#CONFIG_MBO=y
# Fast Initial Link Setup (FILS) (IEEE 802.11ai)
# Note: This is an experimental and not yet complete implementation. This
# should not be enabled for production use.
#CONFIG_FILS=y
# FILS shared key authentication with PFS
#CONFIG_FILS_SK_PFS=y
# Support RSN on IBSS networks
# This is needed to be able to use mode=1 network profile with proto=RSN and
# key_mgmt=WPA-PSK (i.e., full key management instead of WPA-None).
#CONFIG_IBSS_RSN=y
# External PMKSA cache control
# This can be used to enable control interface commands that allow the current
# PMKSA cache entries to be fetched and new entries to be added.
#CONFIG_PMKSA_CACHE_EXTERNAL=y
# Mesh Networking (IEEE 802.11s)
#CONFIG_MESH=y
# Background scanning modules
# These can be used to request wpa_supplicant to perform background scanning
# operations for roaming within an ESS (same SSID). See the bgscan parameter in
# the wpa_supplicant.conf file for more details.
# Periodic background scans based on signal strength
#CONFIG_BGSCAN_SIMPLE=y
# Learn channels used by the network and try to avoid bgscans on other
# channels (experimental)
#CONFIG_BGSCAN_LEARN=y
# Opportunistic Wireless Encryption (OWE)
# Experimental implementation of draft-harkins-owe-07.txt
#CONFIG_OWE=y

20
package/network/services/hostapd/files/wpa_supplicant-full.config
View File

@ -73,6 +73,12 @@ CONFIG_DRIVER_NL80211=y
# Driver interface for wired Ethernet drivers # Driver interface for wired Ethernet drivers
CONFIG_DRIVER_WIRED=y CONFIG_DRIVER_WIRED=y
# Driver interface for MACsec capable Qualcomm Atheros drivers
#CONFIG_DRIVER_MACSEC_QCA=y
# Driver interface for Linux MACsec drivers
#CONFIG_DRIVER_MACSEC_LINUX=y
# Driver interface for the Broadcom RoboSwitch family # Driver interface for the Broadcom RoboSwitch family
#CONFIG_DRIVER_ROBOSWITCH=y #CONFIG_DRIVER_ROBOSWITCH=y
@ -83,8 +89,8 @@ CONFIG_DRIVER_WIRED=y
#LIBS += -lsocket -ldlpi -lnsl #LIBS += -lsocket -ldlpi -lnsl
#LIBS_c += -lsocket #LIBS_c += -lsocket
# Enable IEEE 802.1X Supplicant (automatically included if any EAP method is # Enable IEEE 802.1X Supplicant (automatically included if any EAP method or
# included) # MACsec is included)
CONFIG_IEEE8021X_EAPOL=y CONFIG_IEEE8021X_EAPOL=y
# EAP-MD5 # EAP-MD5
@ -166,6 +172,9 @@ CONFIG_WPS=y
# EAP-EKE # EAP-EKE
#CONFIG_EAP_EKE=y #CONFIG_EAP_EKE=y
# MACsec
#CONFIG_MACSEC=y
# PKCS#12 (PFX) support (used to read private key and certificate file from # PKCS#12 (PFX) support (used to read private key and certificate file from
# a file that usually has extension .p12 or .pfx) # a file that usually has extension .p12 or .pfx)
CONFIG_PKCS12=y CONFIG_PKCS12=y
@ -288,9 +297,6 @@ CONFIG_BACKEND=file
# bridge interfaces (commit 'bridge: respect RFC2863 operational state')'). # bridge interfaces (commit 'bridge: respect RFC2863 operational state')').
#CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y #CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS)
CONFIG_PEERKEY=y
# IEEE 802.11w (management frame protection), also known as PMF # IEEE 802.11w (management frame protection), also known as PMF
# Driver support is also needed for IEEE 802.11w. # Driver support is also needed for IEEE 802.11w.
#CONFIG_IEEE80211W=y #CONFIG_IEEE80211W=y
@ -378,10 +384,6 @@ CONFIG_INTERNAL_LIBTOMMATH_FAST=y
# IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode # IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
CONFIG_IEEE80211R=y CONFIG_IEEE80211R=y
# IEEE Std 802.11r-2008 (Fast BSS Transition) for AP mode (implies
# CONFIG_IEEE80211R).
#CONFIG_IEEE80211R_AP=y
# Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt) # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
#CONFIG_DEBUG_FILE=y #CONFIG_DEBUG_FILE=y

20
package/network/services/hostapd/files/wpa_supplicant-mini.config
View File

@ -73,6 +73,12 @@ CONFIG_DRIVER_NL80211=y
# Driver interface for wired Ethernet drivers # Driver interface for wired Ethernet drivers
CONFIG_DRIVER_WIRED=y CONFIG_DRIVER_WIRED=y
# Driver interface for MACsec capable Qualcomm Atheros drivers
#CONFIG_DRIVER_MACSEC_QCA=y
# Driver interface for Linux MACsec drivers
#CONFIG_DRIVER_MACSEC_LINUX=y
# Driver interface for the Broadcom RoboSwitch family # Driver interface for the Broadcom RoboSwitch family
#CONFIG_DRIVER_ROBOSWITCH=y #CONFIG_DRIVER_ROBOSWITCH=y
@ -83,8 +89,8 @@ CONFIG_DRIVER_WIRED=y
#LIBS += -lsocket -ldlpi -lnsl #LIBS += -lsocket -ldlpi -lnsl
#LIBS_c += -lsocket #LIBS_c += -lsocket
# Enable IEEE 802.1X Supplicant (automatically included if any EAP method is # Enable IEEE 802.1X Supplicant (automatically included if any EAP method or
# included) # MACsec is included)
#CONFIG_IEEE8021X_EAPOL=y #CONFIG_IEEE8021X_EAPOL=y
# EAP-MD5 # EAP-MD5
@ -166,6 +172,9 @@ CONFIG_DRIVER_WIRED=y
# EAP-EKE # EAP-EKE
#CONFIG_EAP_EKE=y #CONFIG_EAP_EKE=y
# MACsec
#CONFIG_MACSEC=y
# PKCS#12 (PFX) support (used to read private key and certificate file from # PKCS#12 (PFX) support (used to read private key and certificate file from
# a file that usually has extension .p12 or .pfx) # a file that usually has extension .p12 or .pfx)
#CONFIG_PKCS12=y #CONFIG_PKCS12=y
@ -288,9 +297,6 @@ CONFIG_BACKEND=file
# bridge interfaces (commit 'bridge: respect RFC2863 operational state')'). # bridge interfaces (commit 'bridge: respect RFC2863 operational state')').
#CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y #CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS)
#CONFIG_PEERKEY=y
# IEEE 802.11w (management frame protection), also known as PMF # IEEE 802.11w (management frame protection), also known as PMF
# Driver support is also needed for IEEE 802.11w. # Driver support is also needed for IEEE 802.11w.
#CONFIG_IEEE80211W=y #CONFIG_IEEE80211W=y
@ -378,10 +384,6 @@ CONFIG_TLS=internal
# IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode # IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
#CONFIG_IEEE80211R=y #CONFIG_IEEE80211R=y
# IEEE Std 802.11r-2008 (Fast BSS Transition) for AP mode (implies
# CONFIG_IEEE80211R).
#CONFIG_IEEE80211R_AP=y
# Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt) # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
#CONFIG_DEBUG_FILE=y #CONFIG_DEBUG_FILE=y

20
package/network/services/hostapd/files/wpa_supplicant-p2p.config
View File

@ -73,6 +73,12 @@ CONFIG_DRIVER_NL80211=y
# Driver interface for wired Ethernet drivers # Driver interface for wired Ethernet drivers
CONFIG_DRIVER_WIRED=y CONFIG_DRIVER_WIRED=y
# Driver interface for MACsec capable Qualcomm Atheros drivers
#CONFIG_DRIVER_MACSEC_QCA=y
# Driver interface for Linux MACsec drivers
#CONFIG_DRIVER_MACSEC_LINUX=y
# Driver interface for the Broadcom RoboSwitch family # Driver interface for the Broadcom RoboSwitch family
#CONFIG_DRIVER_ROBOSWITCH=y #CONFIG_DRIVER_ROBOSWITCH=y
@ -83,8 +89,8 @@ CONFIG_DRIVER_WIRED=y
#LIBS += -lsocket -ldlpi -lnsl #LIBS += -lsocket -ldlpi -lnsl
#LIBS_c += -lsocket #LIBS_c += -lsocket
# Enable IEEE 802.1X Supplicant (automatically included if any EAP method is # Enable IEEE 802.1X Supplicant (automatically included if any EAP method or
# included) # MACsec is included)
CONFIG_IEEE8021X_EAPOL=y CONFIG_IEEE8021X_EAPOL=y
# EAP-MD5 # EAP-MD5
@ -166,6 +172,9 @@ CONFIG_WPS=y
# EAP-EKE # EAP-EKE
#CONFIG_EAP_EKE=y #CONFIG_EAP_EKE=y
# MACsec
#CONFIG_MACSEC=y
# PKCS#12 (PFX) support (used to read private key and certificate file from # PKCS#12 (PFX) support (used to read private key and certificate file from
# a file that usually has extension .p12 or .pfx) # a file that usually has extension .p12 or .pfx)
CONFIG_PKCS12=y CONFIG_PKCS12=y
@ -288,9 +297,6 @@ CONFIG_BACKEND=file
# bridge interfaces (commit 'bridge: respect RFC2863 operational state')'). # bridge interfaces (commit 'bridge: respect RFC2863 operational state')').
#CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y #CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS)
CONFIG_PEERKEY=y
# IEEE 802.11w (management frame protection), also known as PMF # IEEE 802.11w (management frame protection), also known as PMF
# Driver support is also needed for IEEE 802.11w. # Driver support is also needed for IEEE 802.11w.
CONFIG_IEEE80211W=y CONFIG_IEEE80211W=y
@ -378,10 +384,6 @@ CONFIG_INTERNAL_LIBTOMMATH_FAST=y
# IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode # IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
#CONFIG_IEEE80211R=y #CONFIG_IEEE80211R=y
# IEEE Std 802.11r-2008 (Fast BSS Transition) for AP mode (implies
# CONFIG_IEEE80211R).
#CONFIG_IEEE80211R_AP=y
# Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt) # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
#CONFIG_DEBUG_FILE=y #CONFIG_DEBUG_FILE=y

39
package/network/services/hostapd/patches/000-0001-Reduce-undesired-logging-of-ACL-rejection.patch Normal file
View File

@ -0,0 +1,39 @@
From 6588f712220797c69dbd019daa19b82a50d92782 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 14 Oct 2018 19:57:22 +0300
Subject: Reduce undesired logging of ACL rejection events from AP mode
When Probe Request frame handling was extended to use MAC ACL through
ieee802_11_allowed_address(), the MSG_INFO level log print ("Station
<addr> not allowed to authenticate") from that function ended up getting
printed even for Probe Request frames. That was not by design and it can
result in excessive logging and MSG_INFO level if MAC ACL is used.
Fix this by printing this log entry only for authentication and
association frames. In addition, drop the priority of that log entry to
MSG_DEBUG since this is not really an unexpected behavior in most MAC
ACL use cases.
Fixes: 92eb00aec2a0 ("Extend ACL check for Probe Request frames")
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/ap/ieee802_11.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1636,9 +1636,11 @@ ieee802_11_allowed_address(struct hostap
is_probe_req);
if (res == HOSTAPD_ACL_REJECT) {
- wpa_printf(MSG_INFO,
- "Station " MACSTR " not allowed to authenticate",
- MAC2STR(addr));
+ if (!is_probe_req)
+ wpa_printf(MSG_DEBUG,
+ "Station " MACSTR
+ " not allowed to authenticate",
+ MAC2STR(addr));
return HOSTAPD_ACL_REJECT;
}

28
package/network/services/hostapd/patches/000-0002-Drop-logging-priority-for-handle_auth_cb.patch Normal file
View File

@ -0,0 +1,28 @@
From dc1b1c8db7905639be6f4de8173e2d97bf6df90d Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 14 Oct 2018 20:03:55 +0300
Subject: Drop logging priority for handle_auth_cb no-STA-match messages
This message was printed and MSG_INFO level which would be more
reasonable for error cases where hostapd has accepted authentication.
However, this is not really an error case for the cases where
authentication was rejected (e.g., due to MAC ACL). Drop this to use
MSG_DEBUG level.
Signed-off-by: Jouni Malinen <j@w1.fi>
---
src/ap/ieee802_11.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -4018,7 +4018,8 @@ static void handle_auth_cb(struct hostap
sta = ap_get_sta(hapd, mgmt->da);
if (!sta) {
- wpa_printf(MSG_INFO, "handle_auth_cb: STA " MACSTR " not found",
+ wpa_printf(MSG_DEBUG, "handle_auth_cb: STA " MACSTR
+ " not found",
MAC2STR(mgmt->da));
return;
}

7
package/network/services/hostapd/patches/0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
View File

@ -21,11 +21,9 @@ Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
src/rsn_supp/wpa.c | 11 +++++++++++ src/rsn_supp/wpa.c | 11 +++++++++++
1 file changed, 11 insertions(+) 1 file changed, 11 insertions(+)
diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index 56f3af7..db94a49 100644
--- a/src/rsn_supp/wpa.c --- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c +++ b/src/rsn_supp/wpa.c
@@ -2215,6 +2215,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr, @@ -2208,6 +2208,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, c
if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) && if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
(key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) { (key_info & WPA_KEY_INFO_ENCR_KEY_DATA) && mic_len) {
@ -43,6 +41,3 @@ index 56f3af7..db94a49 100644
if (wpa_supplicant_decrypt_key_data(sm, key, mic_len, if (wpa_supplicant_decrypt_key_data(sm, key, mic_len,
ver, key_data, ver, key_data,
&key_data_len)) &key_data_len))
--
2.7.4

29
package/network/services/hostapd/patches/040-OWE-Fix-build-error-in-AP-code-without-CONFIG_IEEE80.patch Normal file
View File

@ -0,0 +1,29 @@
From 410e2dd1d6b645bf5ed3ed55a9a415acbd993532 Mon Sep 17 00:00:00 2001
From: Chaitanya T K <Chaitanya.Mgit@gmail.com>
Date: Wed, 29 Aug 2018 02:14:33 +0530
Subject: [PATCH] OWE: Fix build error in AP code without CONFIG_IEEE80211W=y
When CONFIG_OWE is enabled but none of 11R/11W/FILS are enabled hostapd
(and wpa_supplicant with AP mode support) build failed. Fix this by
adding OWE to the list of conditions for including the local variables.
Signed-off-by: Chaitanya T K <chaitanya.mgit@gmail.com>
---
src/ap/drv_callbacks.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
@@ -109,10 +109,10 @@ int hostapd_notif_assoc(struct hostapd_d
struct ieee802_11_elems elems;
const u8 *ie;
size_t ielen;
-#if defined(CONFIG_IEEE80211R_AP) || defined(CONFIG_IEEE80211W) || defined(CONFIG_FILS)
+#if defined(CONFIG_IEEE80211R_AP) || defined(CONFIG_IEEE80211W) || defined(CONFIG_FILS) || defined(CONFIG_OWE)
u8 buf[sizeof(struct ieee80211_mgmt) + 1024];
u8 *p = buf;
-#endif /* CONFIG_IEEE80211R_AP || CONFIG_IEEE80211W || CONFIG_FILS */
+#endif /* CONFIG_IEEE80211R_AP || CONFIG_IEEE80211W || CONFIG_FILS || CONFIG_OWE */
u16 reason = WLAN_REASON_UNSPECIFIED;
u16 status = WLAN_STATUS_SUCCESS;
const u8 *p2p_dev_addr = NULL;

26
package/network/services/hostapd/patches/130-SAE-Do-not-ignore-option-sae_require_mfp.patch Normal file
View File

@ -0,0 +1,26 @@
From 54e0de1a9ee81477e9dfb93985c1fbf105b3d1d4 Mon Sep 17 00:00:00 2001
From: Hauke Mehrtens <hauke@hauke-m.de>
Date: Wed, 10 Oct 2018 23:22:23 +0200
Subject: SAE: Do not ignore option sae_require_mfp
Without this patch sae_require_mfp is always activate, when ieee80211w
is set to optional all stations negotiating SAEs are being rejected when
they do not support PMF. With this patch hostapd only rejects these
stations in case sae_require_mfp is set to some value and not null.
Fixes ba3d435fe43 ("SAE: Add option to require MFP for SAE associations")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
---
src/ap/wpa_auth_ie.c | 1 +
1 file changed, 1 insertion(+)
--- a/src/ap/wpa_auth_ie.c
+++ b/src/ap/wpa_auth_ie.c
@@ -721,6 +721,7 @@ int wpa_validate_wpa_ie(struct wpa_authe
#ifdef CONFIG_SAE
if (wpa_auth->conf.ieee80211w == MGMT_FRAME_PROTECTION_OPTIONAL &&
+ wpa_auth->conf.sae_require_mfp &&
wpa_key_mgmt_sae(sm->wpa_key_mgmt) &&
!(data.capabilities & WPA_CAPABILITY_MFPC)) {
wpa_printf(MSG_DEBUG,

4
package/network/services/hostapd/patches/380-disable_ctrl_iface_mib.patch
View File

@ -163,7 +163,7 @@
{ {
--- a/src/rsn_supp/wpa.c --- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c +++ b/src/rsn_supp/wpa.c
@@ -2295,6 +2295,8 @@ static u32 wpa_key_mgmt_suite(struct wpa @@ -2306,6 +2306,8 @@ static u32 wpa_key_mgmt_suite(struct wpa
} }
@ -172,7 +172,7 @@
#define RSN_SUITE "%02x-%02x-%02x-%d" #define RSN_SUITE "%02x-%02x-%02x-%d"
#define RSN_SUITE_ARG(s) \ #define RSN_SUITE_ARG(s) \
((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
@@ -2378,6 +2380,7 @@ int wpa_sm_get_mib(struct wpa_sm *sm, ch @@ -2389,6 +2391,7 @@ int wpa_sm_get_mib(struct wpa_sm *sm, ch
return (int) len; return (int) len;
} }

4
package/network/services/hostapd/patches/381-hostapd_cli_UNKNOWN-COMMAND.patch
View File

@ -1,6 +1,6 @@
--- a/hostapd/hostapd_cli.c --- a/hostapd/hostapd_cli.c
+++ b/hostapd/hostapd_cli.c +++ b/hostapd/hostapd_cli.c
@@ -743,7 +743,7 @@ static int wpa_ctrl_command_sta(struct wpa_ctrl *ctrl, const char *cmd, @@ -743,7 +743,7 @@ static int wpa_ctrl_command_sta(struct w
} }
buf[len] = '\0'; buf[len] = '\0';
@ -9,5 +9,3 @@
return -1; return -1;
if (print) if (print)
printf("%s", buf); printf("%s", buf);
--
2.11.0

20
package/network/services/hostapd/patches/600-ubus_support.patch
View File

@ -92,7 +92,7 @@
__func__, driver, drv_priv); __func__, driver, drv_priv);
--- a/src/ap/ieee802_11.c --- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c
@@ -1712,12 +1712,13 @@ ieee802_11_set_radius_info(struct hostap @@ -1714,12 +1714,13 @@ ieee802_11_set_radius_info(struct hostap
static void handle_auth(struct hostapd_data *hapd, static void handle_auth(struct hostapd_data *hapd,
@ -108,7 +108,7 @@
u16 fc; u16 fc;
const u8 *challenge = NULL; const u8 *challenge = NULL;
u32 session_timeout, acct_interim_interval; u32 session_timeout, acct_interim_interval;
@@ -1728,6 +1729,11 @@ static void handle_auth(struct hostapd_d @@ -1730,6 +1731,11 @@ static void handle_auth(struct hostapd_d
char *identity = NULL; char *identity = NULL;
char *radius_cui = NULL; char *radius_cui = NULL;
u16 seq_ctrl; u16 seq_ctrl;
@ -120,7 +120,7 @@
if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) { if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)", wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
@@ -1888,6 +1894,13 @@ static void handle_auth(struct hostapd_d @@ -1890,6 +1896,13 @@ static void handle_auth(struct hostapd_d
resp = WLAN_STATUS_UNSPECIFIED_FAILURE; resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
goto fail; goto fail;
} }
@ -134,7 +134,7 @@
if (res == HOSTAPD_ACL_PENDING) if (res == HOSTAPD_ACL_PENDING)
return; return;
@@ -3167,12 +3180,12 @@ void fils_hlp_timeout(void *eloop_ctx, v @@ -3169,12 +3182,12 @@ void fils_hlp_timeout(void *eloop_ctx, v
static void handle_assoc(struct hostapd_data *hapd, static void handle_assoc(struct hostapd_data *hapd,
const struct ieee80211_mgmt *mgmt, size_t len, const struct ieee80211_mgmt *mgmt, size_t len,
@ -149,7 +149,7 @@
struct sta_info *sta; struct sta_info *sta;
u8 *tmp = NULL; u8 *tmp = NULL;
struct hostapd_sta_wpa_psk_short *psk = NULL; struct hostapd_sta_wpa_psk_short *psk = NULL;
@@ -3181,6 +3194,11 @@ static void handle_assoc(struct hostapd_ @@ -3183,6 +3196,11 @@ static void handle_assoc(struct hostapd_
#ifdef CONFIG_FILS #ifdef CONFIG_FILS
int delay_assoc = 0; int delay_assoc = 0;
#endif /* CONFIG_FILS */ #endif /* CONFIG_FILS */
@ -161,7 +161,7 @@
if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) : if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
sizeof(mgmt->u.assoc_req))) { sizeof(mgmt->u.assoc_req))) {
@@ -3352,6 +3370,14 @@ static void handle_assoc(struct hostapd_ @@ -3354,6 +3372,14 @@ static void handle_assoc(struct hostapd_
} }
#endif /* CONFIG_MBO */ #endif /* CONFIG_MBO */
@ -176,7 +176,7 @@
/* /*
* sta->capability is used in check_assoc_ies() for RRM enabled * sta->capability is used in check_assoc_ies() for RRM enabled
* capability element. * capability element.
@@ -3565,6 +3591,7 @@ static void handle_disassoc(struct hosta @@ -3567,6 +3593,7 @@ static void handle_disassoc(struct hosta
wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d", wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d",
MAC2STR(mgmt->sa), MAC2STR(mgmt->sa),
le_to_host16(mgmt->u.disassoc.reason_code)); le_to_host16(mgmt->u.disassoc.reason_code));
@ -184,7 +184,7 @@
sta = ap_get_sta(hapd, mgmt->sa); sta = ap_get_sta(hapd, mgmt->sa);
if (sta == NULL) { if (sta == NULL) {
@@ -3630,6 +3657,8 @@ static void handle_deauth(struct hostapd @@ -3632,6 +3659,8 @@ static void handle_deauth(struct hostapd
" reason_code=%d", " reason_code=%d",
MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code)); MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
@ -193,7 +193,7 @@
sta = ap_get_sta(hapd, mgmt->sa); sta = ap_get_sta(hapd, mgmt->sa);
if (sta == NULL) { if (sta == NULL) {
wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying " wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
@@ -3949,7 +3978,7 @@ int ieee802_11_mgmt(struct hostapd_data @@ -3951,7 +3980,7 @@ int ieee802_11_mgmt(struct hostapd_data
if (stype == WLAN_FC_STYPE_PROBE_REQ) { if (stype == WLAN_FC_STYPE_PROBE_REQ) {
@ -202,7 +202,7 @@
return 1; return 1;
} }
@@ -3969,17 +3998,17 @@ int ieee802_11_mgmt(struct hostapd_data @@ -3971,17 +4000,17 @@ int ieee802_11_mgmt(struct hostapd_data
switch (stype) { switch (stype) {
case WLAN_FC_STYPE_AUTH: case WLAN_FC_STYPE_AUTH:
wpa_printf(MSG_DEBUG, "mgmt::auth"); wpa_printf(MSG_DEBUG, "mgmt::auth");

35
package/network/services/hostapd/patches/700-fix-openssl11.patch Normal file
View File

@ -0,0 +1,35 @@
From 672540d4ddbd24782b5c65b35d636bdfe8a90d0f Mon Sep 17 00:00:00 2001
From: Rosen Penev <rosenp@gmail.com>
Date: Fri, 15 Jun 2018 18:35:30 -0700
Subject: [PATCH] Fix compile with OpenSSL 1.1.0 and deprecated APIs
SSL_session_reused is the same as SSL_cache_hit. The engine load stuff is
now handled by OPENSSL_init.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
---
src/crypto/tls_openssl.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1024,8 +1024,10 @@ void * tls_init(const struct tls_config
#ifndef OPENSSL_NO_ENGINE
wpa_printf(MSG_DEBUG, "ENGINE: Loading dynamic engine");
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
ERR_load_ENGINE_strings();
ENGINE_load_dynamic();
+#endif /* OPENSSL_VERSION_NUMBER */
if (conf &&
(conf->opensc_engine_path || conf->pkcs11_engine_path ||
@@ -3874,7 +3876,7 @@ struct wpabuf * tls_connection_decrypt(v
int tls_connection_resumed(void *ssl_ctx, struct tls_connection *conn)
{
- return conn ? SSL_cache_hit(conn->ssl) : 0;
+ return conn ? SSL_session_reused(conn->ssl) : 0;
}

16
package/network/services/hostapd/src/src/utils/build_features.h
View File

@ -22,6 +22,22 @@ static inline int has_feature(const char *feat)
#ifdef CONFIG_IEEE80211W #ifdef CONFIG_IEEE80211W
if (!strcmp(feat, "11w")) if (!strcmp(feat, "11w"))
return 1; return 1;
#endif
#ifdef CONFIG_ACS
if (!strcmp(feat, "acs"))
return 1;
#endif
#ifdef CONFIG_SAE
if (!strcmp(feat, "sae"))
return 1;
#endif
#ifdef CONFIG_OWE
if (!strcmp(feat, "owe"))
return 1;
#endif
#ifdef CONFIG_SUITEB192
if (!strcmp(feat, "suiteb192"))
return 1;
#endif #endif
return 0; return 0;
} }