Hello community, here is the log from the commit of package hostapd for openSUSE:Leap:15.2 checked in at 2020-02-16 18:30:17 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/hostapd (Old) and /work/SRC/openSUSE:Leap:15.2/.hostapd.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "hostapd" Sun Feb 16 18:30:17 2020 rev:13 rq:774594 version:2.9 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/hostapd/hostapd.changes 2020-01-15 15:11:00.618092869 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.hostapd.new.26092/hostapd.changes 2020-02-16 18:30:54.618799352 +0100 @@ -1,0 +2,239 @@ +Thu Sep 5 17:58:05 UTC 2019 - Michael Ströder <[email protected]> + +- Update to version 2.9 + * SAE changes + - disable use of groups using Brainpool curves + - improved protection against side channel attacks + [https://w1.fi/security/2019-6/] + * EAP-pwd changes + - disable use of groups using Brainpool curves + - improved protection against side channel attacks + [https://w1.fi/security/2019-6/] + * fixed FT-EAP initial mobility domain association using PMKSA caching + * added configuration of airtime policy + * fixed FILS to and RSNE into (Re)Association Response frames + * fixed DPP bootstrapping URI parser of channel list + * added support for regulatory WMM limitation (for ETSI) + * added support for MACsec Key Agreement using IEEE 802.1X/PSK + * added experimental support for EAP-TEAP server (RFC 7170) + * added experimental support for EAP-TLS server with TLS v1.3 + * added support for two server certificates/keys (RSA/ECC) + * added AKMSuiteSelector into "STA <addr>" control interface data to + determine with AKM was used for an association + * added eap_sim_id parameter to allow EAP-SIM/AKA server pseudonym and + fast reauthentication use to be disabled + * fixed an ECDH operation corner case with OpenSSL + +------------------------------------------------------------------- +Wed Apr 24 07:22:30 UTC 2019 - Michael Ströder <[email protected]> + +- Update to version 2.8 + * SAE changes + - added support for SAE Password Identifier + - changed default configuration to enable only group 19 + (i.e., disable groups 20, 21, 25, 26 from default configuration) and + disable all unsuitable groups completely based on REVmd changes + - improved anti-clogging token mechanism and SAE authentication + frame processing during heavy CPU load; this mitigates some issues + with potential DoS attacks trying to flood an AP with large number + of SAE messages + - added Finite Cyclic Group field in status code 77 responses + - reject use of unsuitable groups based on new implementation guidance + in REVmd (allow only FFC groups with prime >= 3072 bits and ECC + groups with prime >= 256) + - minimize timing and memory use differences in PWE derivation + [https://w1.fi/security/2019-1/] (CVE-2019-9494) + - fixed confirm message validation in error cases + [https://w1.fi/security/2019-3/] (CVE-2019-9496) + * EAP-pwd changes + - minimize timing and memory use differences in PWE derivation + [https://w1.fi/security/2019-2/] (CVE-2019-9495) + - verify peer scalar/element + [https://w1.fi/security/2019-4/] (CVE-2019-9497 and CVE-2019-9498) + - fix message reassembly issue with unexpected fragment + [https://w1.fi/security/2019-5/] + - enforce rand,mask generation rules more strictly + - fix a memory leak in PWE derivation + - disallow ECC groups with a prime under 256 bits (groups 25, 26, and + 27) + * Hotspot 2.0 changes + - added support for release number 3 + - reject release 2 or newer association without PMF + * added support for RSN operating channel validation + (CONFIG_OCV=y and configuration parameter ocv=1) + * added Multi-AP protocol support + * added FTM responder configuration + * fixed build with LibreSSL + * added FT/RRB workaround for short Ethernet frame padding + * fixed KEK2 derivation for FILS+FT + * added RSSI-based association rejection from OCE + * extended beacon reporting functionality + * VLAN changes + - allow local VLAN management with remote RADIUS authentication + - add WPA/WPA2 passphrase/PSK -based VLAN assignment + * OpenSSL: allow systemwide policies to be overridden + * extended PEAP to derive EMSK to enable use with ERP/FILS + * extended WPS to allow SAE configuration to be added automatically + for PSK (wps_cred_add_sae=1) + * fixed FT and SA Query Action frame with AP-MLME-in-driver cases + * OWE: allow Diffie-Hellman Parameter element to be included with DPP + in preparation for DPP protocol extension + * RADIUS server: started to accept ERP keyName-NAI as user identity + automatically without matching EAP database entry + * fixed PTK rekeying with FILS and FT + + wpa_supplicant: + * SAE changes + - added support for SAE Password Identifier + - changed default configuration to enable only groups 19, 20, 21 + (i.e., disable groups 25 and 26) and disable all unsuitable groups + completely based on REVmd changes + - do not regenerate PWE unnecessarily when the AP uses the + anti-clogging token mechanisms + - fixed some association cases where both SAE and FT-SAE were enabled + on both the station and the selected AP + - started to prefer FT-SAE over SAE AKM if both are enabled + - started to prefer FT-SAE over FT-PSK if both are enabled + - fixed FT-SAE when SAE PMKSA caching is used + - reject use of unsuitable groups based on new implementation guidance + in REVmd (allow only FFC groups with prime >= 3072 bits and ECC + groups with prime >= 256) + - minimize timing and memory use differences in PWE derivation + [https://w1.fi/security/2019-1/] (CVE-2019-9494) + * EAP-pwd changes + - minimize timing and memory use differences in PWE derivation + [https://w1.fi/security/2019-2/] (CVE-2019-9495) + - verify server scalar/element + [https://w1.fi/security/2019-4/] (CVE-2019-9499) + - fix message reassembly issue with unexpected fragment + [https://w1.fi/security/2019-5/] + - enforce rand,mask generation rules more strictly + - fix a memory leak in PWE derivation + - disallow ECC groups with a prime under 256 bits (groups 25, 26, and + 27) + * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y + * Hotspot 2.0 changes + - do not indicate release number that is higher than the one + AP supports + - added support for release number 3 + - enable PMF automatically for network profiles created from + credentials + * fixed OWE network profile saving + * fixed DPP network profile saving + * added support for RSN operating channel validation + (CONFIG_OCV=y and network profile parameter ocv=1) + * added Multi-AP backhaul STA support + * fixed build with LibreSSL + * number of MKA/MACsec fixes and extensions + * extended domain_match and domain_suffix_match to allow list of values + * fixed dNSName matching in domain_match and domain_suffix_match when + using wolfSSL + * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both + are enabled + * extended nl80211 Connect and external authentication to support + SAE, FT-SAE, FT-EAP-SHA384 + * fixed KEK2 derivation for FILS+FT + * extended client_cert file to allow loading of a chain of PEM + encoded certificates + * extended beacon reporting functionality + * extended D-Bus interface with number of new properties + * fixed a regression in FT-over-DS with mac80211-based drivers + * OpenSSL: allow systemwide policies to be overridden + * extended driver flags indication for separate 802.1X and PSK + 4-way handshake offload capability + * added support for random P2P Device/Interface Address use + * extended PEAP to derive EMSK to enable use with ERP/FILS + * extended WPS to allow SAE configuration to be added automatically + for PSK (wps_cred_add_sae=1) + * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS) + * extended domain_match and domain_suffix_match to allow list of values + * added a RSN workaround for misbehaving PMF APs that advertise + IGTK/BIP KeyID using incorrect byte order + * fixed PTK rekeying with FILS and FT + +------------------------------------------------------------------- +Fri Dec 28 12:01:55 UTC 2018 - Jan Engelhardt <[email protected]> + +- Use noun phrase in summary. + +------------------------------------------------------------------- +Mon Dec 17 09:07:15 UTC 2018 - Karol Babioch <[email protected]> + +- Applied spec-cleaner +- Added bug reference +- Use defconfig file as template for configuration instead of patching it + during build. This is easier to maintain in the long run. This removes the + patch hostapd-2.6-defconfig.patch in favor of a simple config file, which is + copied over from the source directory. +- Enabled CLI editing and history support. + +------------------------------------------------------------------- +Fri Dec 7 20:46:47 UTC 2018 - [email protected] + +- Update to version 2.7 + * fixed WPA packet number reuse with replayed messages and key + reinstallation + [http://w1.fi/security/2017-1/] (CVE-2017-13082) (bsc#1056061) + * added support for FILS (IEEE 802.11ai) shared key authentication + * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; + and transition mode defined by WFA) + * added support for DPP (Wi-Fi Device Provisioning Protocol) + * FT: + - added local generation of PMK-R0/PMK-R1 for FT-PSK + (ft_psk_generate_local=1) + - replaced inter-AP protocol with a cleaner design that is more + easily extensible; this breaks backward compatibility and requires + all APs in the ESS to be updated at the same time to maintain FT + functionality + - added support for wildcard R0KH/R1KH + - replaced r0_key_lifetime (minutes) parameter with + ft_r0_key_lifetime (seconds) + - fixed wpa_psk_file use for FT-PSK + - fixed FT-SAE PMKID matching + - added expiration to PMK-R0 and PMK-R1 cache + - added IEEE VLAN support (including tagged VLANs) + - added support for SHA384 based AKM + * SAE + - fixed some PMKSA caching cases with SAE ++++ 42 more lines (skipped) ++++ between /work/SRC/openSUSE:Leap:15.2/hostapd/hostapd.changes ++++ and /work/SRC/openSUSE:Leap:15.2/.hostapd.new.26092/hostapd.changes Old: ---- hostapd-2.6-defconfig.patch hostapd-2.6.tar.gz rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch New: ---- config hostapd-2.9.tar.gz hostapd-2.9.tar.gz.asc hostapd.keyring ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ hostapd.spec ++++++ --- /var/tmp/diff_new_pack.KjG9cO/_old 2020-02-16 18:30:55.082799595 +0100 +++ /var/tmp/diff_new_pack.KjG9cO/_new 2020-02-16 18:30:55.086799597 +0100 @@ -17,30 +17,24 @@ Name: hostapd +Version: 2.9 +Release: 0 +Summary: Daemon for running a WPA capable Access Point +License: GPL-2.0-only OR BSD-3-Clause +Group: Hardware/Wifi +URL: https://w1.fi/ +Source: https://w1.fi/releases/hostapd-%{version}.tar.gz +Source1: https://w1.fi/releases/hostapd-%{version}.tar.gz.asc +# https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x2B6EF432EFC895FA#/%%{name}.keyring +Source2: %{name}.keyring +Source3: config +Source4: hostapd.service BuildRequires: libnl3-devel BuildRequires: openssl-devel -BuildRequires: pkg-config +BuildRequires: pkgconfig BuildRequires: sqlite3-devel BuildRequires: pkgconfig(libnl-3.0) >= 3.0 BuildRequires: pkgconfig(systemd) -Summary: Turns Your WLAN Card into a WPA capable Access Point -License: GPL-2.0-only OR BSD-3-Clause -Group: Hardware/Wifi -Version: 2.6 -Release: 0 -BuildRoot: %{_tmppath}/%{name}-%{version}-build -Url: http://w1.fi/ -Source: http://w1.fi/releases/hostapd-%{version}.tar.gz -Source1: hostapd.service -Patch0: hostapd-2.6-defconfig.patch -Patch1: rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch -Patch2: rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch -Patch3: rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch -Patch4: rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch -Patch5: rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch -Patch6: rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch -Patch7: rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch -Patch8: rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch %{?systemd_requires} %description @@ -51,44 +45,32 @@ madwifi, and prism54 drivers. It also supports wired IEEE 802.1X authentication via any ethernet driver. - %prep -%setup -q -n hostapd-%{version} -%patch0 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 - -cd hostapd -cp defconfig .config +%setup -q +cp %{SOURCE3} hostapd/.config %build cd hostapd -CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE $(getconf LFS_CFLAGS)" CC="%{__cc}" make %{?_smp_mflags} V=1 +CFLAGS="%{optflags} -D_GNU_SOURCE $(getconf LFS_CFLAGS)" CC="gcc" make %{?_smp_mflags} V=1 %install cd hostapd -mkdir -p %{buildroot}/%{_sbindir} -mkdir %{buildroot}/etc -mkdir -p %{buildroot}/%{_mandir}/man8 +install -d %{buildroot}/%{_sbindir} +install -d %{buildroot}%{_sysconfdir} +install -d %{buildroot}/%{_mandir}/man8 install -m 755 hostapd %{buildroot}/%{_sbindir} -ln -s /usr/sbin/service %{buildroot}/%{_sbindir}/rchostapd +ln -s %{_sbindir}/service %{buildroot}/%{_sbindir}/rchostapd install -m 755 hostapd_cli %{buildroot}/%{_sbindir} -install -m 600 hostapd.conf %{buildroot}/etc -install -m 644 hostapd.accept %{buildroot}/etc -install -m 644 hostapd.deny %{buildroot}/etc -install -m 600 hostapd.eap_user %{buildroot}/etc -install -m 600 hostapd.radius_clients %{buildroot}/etc -install -m 644 hostapd.sim_db %{buildroot}/etc -install -m 644 hostapd.vlan %{buildroot}/etc -install -m 600 hostapd.wpa_psk %{buildroot}/etc +install -m 600 hostapd.conf %{buildroot}%{_sysconfdir} +install -m 644 hostapd.accept %{buildroot}%{_sysconfdir} +install -m 644 hostapd.deny %{buildroot}%{_sysconfdir} +install -m 600 hostapd.eap_user %{buildroot}%{_sysconfdir} +install -m 600 hostapd.radius_clients %{buildroot}%{_sysconfdir} +install -m 644 hostapd.sim_db %{buildroot}%{_sysconfdir} +install -m 644 hostapd.vlan %{buildroot}%{_sysconfdir} +install -m 600 hostapd.wpa_psk %{buildroot}%{_sysconfdir} install -m 644 hostapd.8 %{buildroot}/%{_mandir}/man8 -install -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/hostapd.service +install -D -m 0644 %{SOURCE4} %{buildroot}%{_unitdir}/hostapd.service %pre %service_add_pre hostapd.service @@ -103,11 +85,11 @@ %service_del_postun hostapd.service %files -%defattr(-,root,root) -%config(noreplace) /etc/hostapd.* +%config(noreplace) %{_sysconfdir}/hostapd.* %{_sbindir}/* -%doc hostapd/ChangeLog COPYING hostapd/README hostapd/wired.conf hostapd/hostapd.conf -%doc %{_mandir}/man8/* +%license COPYING +%doc hostapd/ChangeLog hostapd/README hostapd/wired.conf hostapd/hostapd.conf +%{_mandir}/man8/* %{_unitdir}/hostapd.service %changelog ++++++ config ++++++ # Example hostapd build time configuration # # This file lists the configuration options that are used when building the # hostapd binary. All lines starting with # are ignored. Configuration option # lines must be commented out complete, if they are not to be included, i.e., # just setting VARIABLE=n is not disabling that variable. # # This file is included in Makefile, so variables like CFLAGS and LIBS can also # be modified from here. In most cass, these lines should use += in order not # to override previous values of the variables. # Driver interface for Host AP driver CONFIG_DRIVER_HOSTAP=y # Driver interface for wired authenticator #CONFIG_DRIVER_WIRED=y # Driver interface for drivers using the nl80211 kernel interface CONFIG_DRIVER_NL80211=y # QCA vendor extensions to nl80211 #CONFIG_DRIVER_NL80211_QCA=y # driver_nl80211.c requires libnl. If you are compiling it yourself # you may need to point hostapd to your version of libnl. # #CFLAGS += -I$<path to libnl include files> #LIBS += -L$<path to libnl library files> # Use libnl v2.0 (or 3.0) libraries. #CONFIG_LIBNL20=y # Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored) CONFIG_LIBNL32=y # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver) #CONFIG_DRIVER_BSD=y #CFLAGS += -I/usr/local/include #LIBS += -L/usr/local/lib #LIBS_p += -L/usr/local/lib #LIBS_c += -L/usr/local/lib # Driver interface for no driver (e.g., RADIUS server only) CONFIG_DRIVER_NONE=y # IEEE 802.11F/IAPP CONFIG_IAPP=y # WPA2/IEEE 802.11i RSN pre-authentication CONFIG_RSN_PREAUTH=y # IEEE 802.11w (management frame protection) CONFIG_IEEE80211W=y # Support Operating Channel Validation #CONFIG_OCV=y # Integrated EAP server CONFIG_EAP=y # EAP Re-authentication Protocol (ERP) in integrated EAP server CONFIG_ERP=y # EAP-MD5 for the integrated EAP server CONFIG_EAP_MD5=y # EAP-TLS for the integrated EAP server CONFIG_EAP_TLS=y # EAP-MSCHAPv2 for the integrated EAP server CONFIG_EAP_MSCHAPV2=y # EAP-PEAP for the integrated EAP server CONFIG_EAP_PEAP=y # EAP-GTC for the integrated EAP server CONFIG_EAP_GTC=y # EAP-TTLS for the integrated EAP server CONFIG_EAP_TTLS=y # EAP-SIM for the integrated EAP server CONFIG_EAP_SIM=y # EAP-AKA for the integrated EAP server CONFIG_EAP_AKA=y # EAP-AKA' for the integrated EAP server # This requires CONFIG_EAP_AKA to be enabled, too. CONFIG_EAP_AKA_PRIME=y # EAP-PAX for the integrated EAP server CONFIG_EAP_PAX=y # EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK) CONFIG_EAP_PSK=y # EAP-pwd for the integrated EAP server (secure authentication with a password) CONFIG_EAP_PWD=y # EAP-SAKE for the integrated EAP server CONFIG_EAP_SAKE=y # EAP-GPSK for the integrated EAP server CONFIG_EAP_GPSK=y # Include support for optional SHA256 cipher suite in EAP-GPSK CONFIG_EAP_GPSK_SHA256=y # EAP-FAST for the integrated EAP server # Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed # for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g., # with openssl-0.9.8x-tls-extensions.patch, to add the needed functions. #CONFIG_EAP_FAST=y # Wi-Fi Protected Setup (WPS) CONFIG_WPS=y # Enable UPnP support for external WPS Registrars CONFIG_WPS_UPNP=y # Enable WPS support with NFC config method CONFIG_WPS_NFC=y # EAP-IKEv2 CONFIG_EAP_IKEV2=y # Trusted Network Connect (EAP-TNC) CONFIG_EAP_TNC=y # EAP-EKE for the integrated EAP server CONFIG_EAP_EKE=y # PKCS#12 (PFX) support (used to read private key and certificate file from # a file that usually has extension .p12 or .pfx) CONFIG_PKCS12=y # RADIUS authentication server. This provides access to the integrated EAP # server from external hosts using RADIUS. #CONFIG_RADIUS_SERVER=y # Build IPv6 support for RADIUS operations CONFIG_IPV6=y # IEEE Std 802.11r-2008 (Fast BSS Transition) CONFIG_IEEE80211R=y # Use the hostapd's IEEE 802.11 authentication (ACL), but without # the IEEE 802.11 Management capability (e.g., FreeBSD/net80211) CONFIG_DRIVER_RADIUS_ACL=y # IEEE 802.11n (High Throughput) support CONFIG_IEEE80211N=y # Wireless Network Management (IEEE Std 802.11v-2011) # Note: This is experimental and not complete implementation. CONFIG_WNM=y # IEEE 802.11ac (Very High Throughput) support CONFIG_IEEE80211AC=y # IEEE 802.11ax HE support # Note: This is experimental and work in progress. The definitions are still # subject to change and this should not be expected to interoperate with the # final IEEE 802.11ax version. #CONFIG_IEEE80211AX=y # Remove debugging code that is printing out debug messages to stdout. # This can be used to reduce the size of the hostapd considerably if debugging # code is not needed. #CONFIG_NO_STDOUT_DEBUG=y # Add support for writing debug log to a file: -f /tmp/hostapd.log # Disabled by default. #CONFIG_DEBUG_FILE=y # Send debug messages to syslog instead of stdout #CONFIG_DEBUG_SYSLOG=y # Add support for sending all debug messages (regardless of debug verbosity) # to the Linux kernel tracing facility. This helps debug the entire stack by # making it easy to record everything happening from the driver up into the # same file, e.g., using trace-cmd. #CONFIG_DEBUG_LINUX_TRACING=y # Remove support for RADIUS accounting #CONFIG_NO_ACCOUNTING=y # Remove support for RADIUS #CONFIG_NO_RADIUS=y # Remove support for VLANs #CONFIG_NO_VLAN=y # Enable support for fully dynamic VLANs. This enables hostapd to # automatically create bridge and VLAN interfaces if necessary. CONFIG_FULL_DYNAMIC_VLAN=y # Use netlink-based kernel API for VLAN operations instead of ioctl() # Note: This requires libnl 3.1 or newer. CONFIG_VLAN_NETLINK=y # Remove support for dumping internal state through control interface commands # This can be used to reduce binary size at the cost of disabling a debugging # option. #CONFIG_NO_DUMP_STATE=y # Enable tracing code for developer debugging # This tracks use of memory allocations and other registrations and reports # incorrect use with a backtrace of call (or allocation) location. #CONFIG_WPA_TRACE=y # For BSD, comment out these. #LIBS += -lexecinfo #LIBS_p += -lexecinfo #LIBS_c += -lexecinfo # Use libbfd to get more details for developer debugging # This enables use of libbfd to get more detailed symbols for the backtraces # generated by CONFIG_WPA_TRACE=y. #CONFIG_WPA_TRACE_BFD=y # For BSD, comment out these. #LIBS += -lbfd -liberty -lz #LIBS_p += -lbfd -liberty -lz #LIBS_c += -lbfd -liberty -lz # hostapd depends on strong random number generation being available from the # operating system. os_get_random() function is used to fetch random data when # needed, e.g., for key generation. On Linux and BSD systems, this works by # reading /dev/urandom. It should be noted that the OS entropy pool needs to be # properly initialized before hostapd is started. This is important especially # on embedded devices that do not have a hardware random number generator and # may by default start up with minimal entropy available for random number # generation. # # As a safety net, hostapd is by default trying to internally collect # additional entropy for generating random data to mix in with the data # fetched from the OS. This by itself is not considered to be very strong, but # it may help in cases where the system pool is not initialized properly. # However, it is very strongly recommended that the system pool is initialized # with enough entropy either by using hardware assisted random number # generator or by storing state over device reboots. # # hostapd can be configured to maintain its own entropy store over restarts to # enhance random number generation. This is not perfect, but it is much more # secure than using the same sequence of random numbers after every reboot. # This can be enabled with -e<entropy file> command line option. The specified # file needs to be readable and writable by hostapd. # # If the os_get_random() is known to provide strong random data (e.g., on # Linux/BSD, the board in question is known to have reliable source of random # data from /dev/urandom), the internal hostapd random pool can be disabled. # This will save some in binary size and CPU use. However, this should only be # considered for builds that are known to be used on devices that meet the # requirements described above. #CONFIG_NO_RANDOM_POOL=y # Should we attempt to use the getrandom(2) call that provides more reliable # yet secure randomness source than /dev/random on Linux 3.17 and newer. # Requires glibc 2.25 to build, falls back to /dev/random if unavailable. #CONFIG_GETRANDOM=y # Should we use poll instead of select? Select is used by default. #CONFIG_ELOOP_POLL=y # Should we use epoll instead of select? Select is used by default. #CONFIG_ELOOP_EPOLL=y # Should we use kqueue instead of select? Select is used by default. #CONFIG_ELOOP_KQUEUE=y # Select TLS implementation # openssl = OpenSSL (default) # gnutls = GnuTLS # internal = Internal TLSv1 implementation (experimental) # linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental) # none = Empty template CONFIG_TLS=openssl # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1) # can be enabled to get a stronger construction of messages when block ciphers # are used. CONFIG_TLSV11=y # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2) # can be enabled to enable use of stronger crypto algorithms. CONFIG_TLSV12=y # Select which ciphers to use by default with OpenSSL if the user does not # specify them. #CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW" # If CONFIG_TLS=internal is used, additional library and include paths are # needed for LibTomMath. Alternatively, an integrated, minimal version of # LibTomMath can be used. See beginning of libtommath.c for details on benefits # and drawbacks of this option. #CONFIG_INTERNAL_LIBTOMMATH=y #ifndef CONFIG_INTERNAL_LIBTOMMATH #LTM_PATH=/usr/src/libtommath-0.39 #CFLAGS += -I$(LTM_PATH) #LIBS += -L$(LTM_PATH) #LIBS_p += -L$(LTM_PATH) #endif # At the cost of about 4 kB of additional binary size, the internal LibTomMath # can be configured to include faster routines for exptmod, sqr, and div to # speed up DH and RSA calculation considerably #CONFIG_INTERNAL_LIBTOMMATH_FAST=y # Interworking (IEEE 802.11u) # This can be used to enable functionality to improve interworking with # external networks. CONFIG_INTERWORKING=y # Hotspot 2.0 CONFIG_HS20=y # Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file CONFIG_SQLITE=y # Enable Fast Session Transfer (FST) CONFIG_FST=y # Enable CLI commands for FST testing CONFIG_FST_TEST=y # Testing options # This can be used to enable some testing options (see also the example # configuration file) that are really useful only for testing clients that # connect to this hostapd. These options allow, for example, to drop a # certain percentage of probe requests or auth/(re)assoc frames. # #CONFIG_TESTING_OPTIONS=y # Automatic Channel Selection # This will allow hostapd to pick the channel automatically when channel is set # to "acs_survey" or "0". Eventually, other ACS algorithms can be added in # similar way. # # Automatic selection is currently only done through initialization, later on # we hope to do background checks to keep us moving to more ideal channels as # time goes by. ACS is currently only supported through the nl80211 driver and # your driver must have survey dump capability that is filled by the driver # during scanning. # # You can customize the ACS survey algorithm with the hostapd.conf variable # acs_num_scans. # # Supported ACS drivers: # * ath9k # * ath5k # * ath10k # # For more details refer to: # http://wireless.kernel.org/en/users/Documentation/acs # CONFIG_ACS=y # Multiband Operation support # These extentions facilitate efficient use of multiple frequency bands # available to the AP and the devices that may associate with it. CONFIG_MBO=y # Client Taxonomy # Has the AP retain the Probe Request and (Re)Association Request frames from # a client, from which a signature can be produced which can identify the model # of client device like "Nexus 6P" or "iPhone 5s". #CONFIG_TAXONOMY=y # Fast Initial Link Setup (FILS) (IEEE 802.11ai) #CONFIG_FILS=y # FILS shared key authentication with PFS #CONFIG_FILS_SK_PFS=y # Include internal line edit mode in hostapd_cli. This can be used to provide # limited command line editing and history support. CONFIG_WPA_CLI_EDIT=y # Opportunistic Wireless Encryption (OWE) # Experimental implementation of draft-harkins-owe-07.txt #CONFIG_OWE=y # Override default value for the wpa_disable_eapol_key_retries configuration # parameter. See that parameter in hostapd.conf for more details. #CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1 ++++++ hostapd-2.6.tar.gz -> hostapd-2.9.tar.gz ++++++ ++++ 122965 lines of diff (skipped)
