From patchwork Wed Jan 6 14:43:12 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 3793 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4D9sYP5d5Cz3wgP for ; Wed, 6 Jan 2021 14:43:21 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4D9sYN1Wt5z141; Wed, 6 Jan 2021 14:43:20 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4D9sYN0RhWz2yYg; Wed, 6 Jan 2021 14:43:20 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4D9sYM0q5dz2xfh for ; Wed, 6 Jan 2021 14:43:19 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4D9sYL35GJzj1; Wed, 6 Jan 2021 14:43:18 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1609944198; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=oD9YTxt3gLuZYTWkvJQkpzFtiTFDZLFsupd5t9cyuvo=; b=dct6jGwGdMsa6D7b12hCRYJh68xCGH5oqbTjK8VFlOlV67zVNH+kDVBcVj+cbLGpphOu/x WSmG42QPjk4EceCg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1609944198; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=oD9YTxt3gLuZYTWkvJQkpzFtiTFDZLFsupd5t9cyuvo=; b=elUTaLcihc78yOm49e/C+KN0V7CMHc2WPopRVQSdAw4NXp1FeQUOy9HmDHJqk7IfFu1nEw 2nK0+o6AF0TB84bXXtsZYIDncWBw83IuyFXoPyTbAIZOZsbfY0WYAFIvq7CPBqJ/dP16Y5 h7KOvuk6n0DZvaxPdTx3YhZoqQUVraa4VCoznwrbCiU05KTH2/Uq+5VJXr3PqfQnUheveq 8wR88aoi48RbYiGqfTeExUI1YF7P4ggZSLX4EFYt8flpous+0+deEL+sYR7L+E9QE74rQP 5ZmqjsS3+Dc2FYeMa9+ovDH8Cs34A8i87PKNY/xUM6Dc0GJrRFNPxG7wUSOm0g== From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 1/3] wireless client: Add support for WPA3 Date: Wed, 6 Jan 2021 14:43:12 +0000 Message-Id: <20210106144314.2732-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Michael Tremer --- doc/language_issues.de | 1 + doc/language_issues.en | 1 + doc/language_issues.es | 1 + doc/language_issues.fr | 1 + doc/language_issues.it | 1 + doc/language_issues.nl | 1 + doc/language_issues.pl | 1 + doc/language_issues.ru | 1 + doc/language_issues.tr | 1 + doc/language_missings | 8 ++++++++ html/cgi-bin/wirelessclient.cgi | 5 +++-- langs/en/cgi-bin/en.pl | 1 + src/initscripts/system/wlanclient | 15 ++++++++++++++- 13 files changed, 35 insertions(+), 3 deletions(-) diff --git a/doc/language_issues.de b/doc/language_issues.de index 6d22fcea4..5d9cbcebc 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -887,6 +887,7 @@ WARNING: untranslated string: show tls-auth key = Show tls-auth key WARNING: untranslated string: smb daemon = SMB Daemon WARNING: untranslated string: user management = User Management WARNING: untranslated string: winbind daemon = Winbind Daemon +WARNING: untranslated string: wlan client encryption wpa3 = WPA3 WARNING: untranslated string: wlanap 802.11w disabled = Disabled WARNING: untranslated string: wlanap 802.11w enforced = Enforced WARNING: untranslated string: wlanap 802.11w optional = Optional diff --git a/doc/language_issues.en b/doc/language_issues.en index b3c46de5e..c1e0ec33f 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -2124,6 +2124,7 @@ WARNING: untranslated string: wlan client encryption none = None WARNING: untranslated string: wlan client encryption wep = WEP WARNING: untranslated string: wlan client encryption wpa = WPA WARNING: untranslated string: wlan client encryption wpa2 = WPA2 +WARNING: untranslated string: wlan client encryption wpa3 = WPA3 WARNING: untranslated string: wlan client group cipher = Group cipher WARNING: untranslated string: wlan client group key algorithm = GKA WARNING: untranslated string: wlan client identity = Identity diff --git a/doc/language_issues.es b/doc/language_issues.es index 9f62f03f2..9c41d68be 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -1499,6 +1499,7 @@ WARNING: untranslated string: wlan client encryption none = None WARNING: untranslated string: wlan client encryption wep = WEP WARNING: untranslated string: wlan client encryption wpa = WPA WARNING: untranslated string: wlan client encryption wpa2 = WPA2 +WARNING: untranslated string: wlan client encryption wpa3 = WPA3 WARNING: untranslated string: wlan client group cipher = Group cipher WARNING: untranslated string: wlan client group key algorithm = GKA WARNING: untranslated string: wlan client identity = Identity diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 90a745360..aad3667c4 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -921,3 +921,4 @@ WARNING: untranslated string: tor guard country any = Any country WARNING: untranslated string: tor guard nodes = Guard Nodes WARNING: untranslated string: tor use guard nodes = Use only these guard nodes (one fingerprint per line) WARNING: untranslated string: whois results from = WHOIS results from +WARNING: untranslated string: wlan client encryption wpa3 = WPA3 diff --git a/doc/language_issues.it b/doc/language_issues.it index 62e4f9953..83229dad2 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -1191,6 +1191,7 @@ WARNING: untranslated string: wlan client eap authentication method = EAP Authen WARNING: untranslated string: wlan client eap phase2 method = EAP Phase 2 Method WARNING: untranslated string: wlan client eap state = EAP Status WARNING: untranslated string: wlan client encryption eap = EAP +WARNING: untranslated string: wlan client encryption wpa3 = WPA3 WARNING: untranslated string: wlan client identity = Identity WARNING: untranslated string: wlan client method = Method WARNING: untranslated string: wlan client password = Password diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 9a767322e..fc5915883 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -1232,6 +1232,7 @@ WARNING: untranslated string: wlan client eap authentication method = EAP Authen WARNING: untranslated string: wlan client eap phase2 method = EAP Phase 2 Method WARNING: untranslated string: wlan client eap state = EAP Status WARNING: untranslated string: wlan client encryption eap = EAP +WARNING: untranslated string: wlan client encryption wpa3 = WPA3 WARNING: untranslated string: wlan client identity = Identity WARNING: untranslated string: wlan client method = Method WARNING: untranslated string: wlan client password = Password diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 9f62f03f2..9c41d68be 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -1499,6 +1499,7 @@ WARNING: untranslated string: wlan client encryption none = None WARNING: untranslated string: wlan client encryption wep = WEP WARNING: untranslated string: wlan client encryption wpa = WPA WARNING: untranslated string: wlan client encryption wpa2 = WPA2 +WARNING: untranslated string: wlan client encryption wpa3 = WPA3 WARNING: untranslated string: wlan client group cipher = Group cipher WARNING: untranslated string: wlan client group key algorithm = GKA WARNING: untranslated string: wlan client identity = Identity diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 5d16e0b18..3ec377f5e 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -1492,6 +1492,7 @@ WARNING: untranslated string: wlan client encryption none = None WARNING: untranslated string: wlan client encryption wep = WEP WARNING: untranslated string: wlan client encryption wpa = WPA WARNING: untranslated string: wlan client encryption wpa2 = WPA2 +WARNING: untranslated string: wlan client encryption wpa3 = WPA3 WARNING: untranslated string: wlan client group cipher = Group cipher WARNING: untranslated string: wlan client group key algorithm = GKA WARNING: untranslated string: wlan client identity = Identity diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 26530a923..3c6b44a63 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -1061,6 +1061,7 @@ WARNING: untranslated string: vulnerability = Vulnerability WARNING: untranslated string: vulnerable = Vulnerable WARNING: untranslated string: whois results from = WHOIS results from WARNING: untranslated string: winbind daemon = Winbind Daemon +WARNING: untranslated string: wlan client encryption wpa3 = WPA3 WARNING: untranslated string: wlanap 802.11w disabled = Disabled WARNING: untranslated string: wlanap 802.11w enforced = Enforced WARNING: untranslated string: wlanap 802.11w optional = Optional diff --git a/doc/language_missings b/doc/language_missings index 12e341402..946d7d1fe 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -64,6 +64,7 @@ < wlanap 802.11w disabled < wlanap 802.11w enforced < wlanap 802.11w optional +< wlan client encryption wpa3 ############################################################################ # Checking cgi-bin translations for language: es # ############################################################################ @@ -917,6 +918,7 @@ < wlan client encryption wep < wlan client encryption wpa < wlan client encryption wpa2 +< wlan client encryption wpa3 < wlan client group cipher < wlan client group key algorithm < wlan client identity @@ -973,6 +975,7 @@ < tor use guard nodes < upload fcdsl.o < whois results from +< wlan client encryption wpa3 ############################################################################ # Checking cgi-bin translations for language: it # ############################################################################ @@ -1332,6 +1335,7 @@ < wlan client eap phase2 method < wlan client eap state < wlan client encryption eap +< wlan client encryption wpa3 < wlan client identity < wlan client method < wlan client password @@ -1767,6 +1771,7 @@ < wlan client eap phase2 method < wlan client eap state < wlan client encryption eap +< wlan client encryption wpa3 < wlan client identity < wlan client method < wlan client password @@ -2625,6 +2630,7 @@ < wlan client encryption wep < wlan client encryption wpa < wlan client encryption wpa2 +< wlan client encryption wpa3 < wlan client group cipher < wlan client group key algorithm < wlan client identity @@ -3506,6 +3512,7 @@ < wlan client encryption wep < wlan client encryption wpa < wlan client encryption wpa2 +< wlan client encryption wpa3 < wlan client group cipher < wlan client group key algorithm < wlan client identity @@ -3714,6 +3721,7 @@ < wlanap neighbor scan < wlanap neighbor scan warning < wlanap ssid +< wlan client encryption wpa3 < working < zoneconf access native < zoneconf access none diff --git a/html/cgi-bin/wirelessclient.cgi b/html/cgi-bin/wirelessclient.cgi index bbb71a984..440a9e887 100644 --- a/html/cgi-bin/wirelessclient.cgi +++ b/html/cgi-bin/wirelessclient.cgi @@ -462,6 +462,7 @@ sub showEditBox() { my %selected = (); $selected{'ENCRYPTION'} = (); $selected{'ENCRYPTION'}{'NONE'} = ''; + $selected{'ENCRYPTION'}{'WPA3'} = ''; $selected{'ENCRYPTION'}{'WPA2'} = ''; $selected{'ENCRYPTION'}{'WPA'} = ''; $selected{'ENCRYPTION'}{'WEP'} = ''; @@ -505,9 +506,10 @@ sub showEditBox() { @@ -839,7 +841,6 @@ sub ValidateInput($) { # Check for invalid key length. } elsif (ValidKeyLength($settings{'ENCRYPTION'}, $settings{'PSK'})) { return "$Lang::tr{'wlan client invalid key length'}"; - } # Reset WPA mode, if WPA(2) is not selected. diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index b5284effa..9190eab57 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2948,6 +2948,7 @@ 'wlan client encryption wep' => 'WEP', 'wlan client encryption wpa' => 'WPA', 'wlan client encryption wpa2' => 'WPA2', +'wlan client encryption wpa3' => 'WPA3', 'wlan client group cipher' => 'Group cipher', 'wlan client group key algorithm' => 'GKA', 'wlan client identity' => 'Identity', diff --git a/src/initscripts/system/wlanclient b/src/initscripts/system/wlanclient index b32a4cb4a..27a144f72 100644 --- a/src/initscripts/system/wlanclient +++ b/src/initscripts/system/wlanclient @@ -86,6 +86,7 @@ function wpa_supplicant_config_line() { local config=${2} shift 2 + local ieee80211w local anonymous_identity local auth_alg local auth_mode @@ -144,6 +145,11 @@ function wpa_supplicant_config_line() { EAP) key_mgmt="WPA-EAP" ;; + WPA3) + key_mgmt="SAE" + + ieee80211w="2" + ;; WPA2) auth_alg="OPEN" proto="RSN" @@ -209,7 +215,11 @@ function wpa_supplicant_config_line() { echo " key_mgmt=${key_mgmt}" fi if [ -n "${psk}" ]; then - echo " psk=\"${psk}\"" + if [ "${key_mgmt}" = "SAE" ]; then + echo " sae_password=\"${psk}\"" + else + echo " psk=\"${psk}\"" + fi fi if [ -n "${wep_tx_keyidx}" ]; then echo " wep_tx_keyidx=${wep_tx_keyidx}" @@ -227,6 +237,9 @@ function wpa_supplicant_config_line() { if [ -n "${priority}" ]; then echo " priority=${priority}" fi + if [ -n "${ieee80211w}" ]; then + echo " ieee80211w=${ieee80211w}" + fi # EAP if [ "${mode}" = "EAP" ]; then From patchwork Wed Jan 6 14:43:13 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 3794 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4D9sYP72rDz3wgX for ; Wed, 6 Jan 2021 14:43:21 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4D9sYN367Nz1nW; Wed, 6 Jan 2021 14:43:20 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4D9sYN1Fh9z302c; Wed, 6 Jan 2021 14:43:20 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4D9sYM1JjKz2xmM for ; Wed, 6 Jan 2021 14:43:19 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4D9sYM08GXz141; Wed, 6 Jan 2021 14:43:19 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1609944199; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=asN3yQzs3EqO8WubcCGLDJvmyt9ISIiSaoPw4yWazzM=; b=Z7L95yzf/djcDH9LGqbsC3rHgDA3pFlgpxsJiIZ7LSqe7hYeqCPHSbaiEnIhB3GXqISglZ 5Y33BvQ94hNZDHAw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1609944199; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=asN3yQzs3EqO8WubcCGLDJvmyt9ISIiSaoPw4yWazzM=; b=ok1RmeAepF92DBmKjWLircas5bBy2IuSM+3QOhAvOAUMK3xceOnPIv7lLekV+mZKAF/lLX JrgOJl1VbSvninyfJ7UWptbzqg4N+C3RjUpb0SJTp1OgiAkdmNKprQYzY+OdY1lcwJjvl4 inOdqlvvPCHS4X/X7ejpXzmvZgaQDJKTW01DrZGPwclM93r+gQCq1l10iWSCPAsdzPIWhs VkgZYsuxMYWk3nCVMwPzJW3oKg6ixF5XqNdj4HP4OkHWreunZHM3cUjiN0nVufxbGdGvfa vthBStgv1wPiJSUc/n/Ah8Rj1WRltDohLf6AksEi2CwGH8KCqR84qp7G/7IJSw== From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 2/3] wireless client: Try using SHA256 over SHA1 when possible Date: Wed, 6 Jan 2021 14:43:13 +0000 Message-Id: <20210106144314.2732-2-michael.tremer@ipfire.org> In-Reply-To: <20210106144314.2732-1-michael.tremer@ipfire.org> References: <20210106144314.2732-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Michael Tremer --- src/initscripts/system/wlanclient | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/initscripts/system/wlanclient b/src/initscripts/system/wlanclient index 27a144f72..4b3938b46 100644 --- a/src/initscripts/system/wlanclient +++ b/src/initscripts/system/wlanclient @@ -143,7 +143,7 @@ function wpa_supplicant_config_line() { case "${mode}" in EAP) - key_mgmt="WPA-EAP" + key_mgmt="WPA-EAP-SHA256 WPA-EAP" ;; WPA3) key_mgmt="SAE" @@ -153,12 +153,12 @@ function wpa_supplicant_config_line() { WPA2) auth_alg="OPEN" proto="RSN" - key_mgmt="WPA-PSK" + key_mgmt="WPA-PSK-SHA256 WPA-PSK" ;; WPA) auth_alg="OPEN" proto="WPA" - key_mgmt="WPA-PSK" + key_mgmt="WPA-PSK-SHA256 WPA-PSK" ;; WEP) auth_alg="SHARED" From patchwork Wed Jan 6 14:43:14 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 3795 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4D9sYR1sdjz3wgP for ; Wed, 6 Jan 2021 14:43:23 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4D9sYN4JgKz1vd; Wed, 6 Jan 2021 14:43:20 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4D9sYN1xLQz30DP; Wed, 6 Jan 2021 14:43:20 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4D9sYM2bGpz2xmM for ; Wed, 6 Jan 2021 14:43:19 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4D9sYM0rnpz1Jd; Wed, 6 Jan 2021 14:43:19 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1609944199; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=tPL8jKOMXH/ZEu4a5OE1DTRGiLYtW994zMDHym114Ws=; b=vEI752+U8C9aXYhFYFaj3/rkUdsoaajnxTxR1QvC8N3Eojg7eW9/Ic2CxTzoTCYBEjZofY Mrxdszew4+PS1yBQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1609944199; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=tPL8jKOMXH/ZEu4a5OE1DTRGiLYtW994zMDHym114Ws=; b=Ur8as+SNIdX3o5DGwkJdSaDs23UtLm2LIe7H03W0vd/BZTz7OGZGs5gSNXdh4FUX/nL7v5 MU0k9Ak93kvUDWbxnzRiiw7JM0AYM0aB8tdfLm+FUOWwtIRxgVi9DSpL45Mq8jvf+5LAlx VZfr2qu3S2/QwObXLx8Fvs6fWJPEIZFYDcSpH3Ev6lnk1M+tRpBDqagmIlfy9Ne/9sTmxy yMDLW6grq6piQRd2FER/tN5YHCOwEQ6bLVsrYeOKlPmr+yFqfIsU6XyrIOHTnOi2u2Iw1U hCkB3HfnsU9ku6GDAEMtUKGiCBNeEBi34x9VseSSGrQ9pmfpFv3CRRZXgOZ80A== From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH 3/3] wpa_supplicant: Import fresh default configuration Date: Wed, 6 Jan 2021 14:43:14 +0000 Message-Id: <20210106144314.2732-3-michael.tremer@ipfire.org> In-Reply-To: <20210106144314.2732-1-michael.tremer@ipfire.org> References: <20210106144314.2732-1-michael.tremer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael Tremer Errors-To: development-bounces@lists.ipfire.org Sender: "Development" This enables some more features that have been added to wpa_supplicant over time. In our case we need SAE for WPA3 support. Signed-off-by: Michael Tremer --- config/wpa_supplicant/config | 475 ++++++++++++++++++++++++++--------- 1 file changed, 359 insertions(+), 116 deletions(-) diff --git a/config/wpa_supplicant/config b/config/wpa_supplicant/config index f3e114bfd..d2fed45cd 100644 --- a/config/wpa_supplicant/config +++ b/config/wpa_supplicant/config @@ -1,9 +1,9 @@ # Example wpa_supplicant build time configuration # # This file lists the configuration options that are used when building the -# hostapd binary. All lines starting with # are ignored. Configuration option -# lines must be commented out complete, if they are not to be included, i.e., -# just setting VARIABLE=n is not disabling that variable. +# wpa_supplicant binary. All lines starting with # are ignored. Configuration +# option lines must be commented out complete, if they are not to be included, +# i.e., just setting VARIABLE=n is not disabling that variable. # # This file is included in Makefile, so variables like CFLAGS and LIBS can also # be modified from here. In most cases, these lines should use += in order not @@ -20,75 +20,39 @@ # used to fix build issues on such systems (krb5.h not found). #CFLAGS += -I/usr/include/kerberos -# Example configuration for various cross-compilation platforms - -#### sveasoft (e.g., for Linksys WRT54G) ###################################### -#CC=mipsel-uclibc-gcc -#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc -#CFLAGS += -Os -#CPPFLAGS += -I../src/include -I../../src/router/openssl/include -#LIBS += -L/opt/brcm/hndtools-mipsel-uclibc-0.9.19/lib -lssl -############################################################################### - -#### openwrt (e.g., for Linksys WRT54G) ####################################### -#CC=mipsel-uclibc-gcc -#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc -#CFLAGS += -Os -#CPPFLAGS=-I../src/include -I../openssl-0.9.7d/include \ -# -I../WRT54GS/release/src/include -#LIBS = -lssl -############################################################################### - - -# Driver interface for Host AP driver -CONFIG_DRIVER_HOSTAP=y - -# Driver interface for Agere driver -#CONFIG_DRIVER_HERMES=y -# Change include directories to match with the local setup -#CFLAGS += -I../../hcf -I../../include -I../../include/hcf -#CFLAGS += -I../../include/wireless - -# Driver interface for madwifi driver -#CONFIG_DRIVER_MADWIFI=y -# Set include directory to the madwifi source tree -#CFLAGS += -I/usr/src/madwifi - -# Driver interface for Prism54 driver -# (Note: Prism54 is not yet supported, i.e., this will not work as-is and is -# for developers only) -CONFIG_DRIVER_PRISM54=y - -# Driver interface for ndiswrapper -CONFIG_DRIVER_NDISWRAPPER=y - -# Driver interface for Atmel driver -CONFIG_DRIVER_ATMEL=y - -# Driver interface for old Broadcom driver -# Please note that the newer Broadcom driver ("hybrid Linux driver") supports -# Linux wireless extensions and does not need (or even work) with the old -# driver wrapper. Use CONFIG_DRIVER_WEXT=y with that driver. -#CONFIG_DRIVER_BROADCOM=y -# Example path for wlioctl.h; change to match your configuration -#CFLAGS += -I/opt/WRT54GS/release/src/include - -# Driver interface for Intel ipw2100/2200 driver -CONFIG_DRIVER_IPW=y - -# Driver interface for Ralink driver -CONFIG_DRIVER_RALINK=y - # Driver interface for generic Linux wireless extensions +# Note: WEXT is deprecated in the current Linux kernel version and no new +# functionality is added to it. nl80211-based interface is the new +# replacement for WEXT and its use allows wpa_supplicant to properly control +# the driver to improve existing functionality like roaming and to support new +# functionality. CONFIG_DRIVER_WEXT=y # Driver interface for Linux drivers using the nl80211 kernel interface CONFIG_DRIVER_NL80211=y +# QCA vendor extensions to nl80211 +#CONFIG_DRIVER_NL80211_QCA=y + +# driver_nl80211.c requires libnl. If you are compiling it yourself +# you may need to point hostapd to your version of libnl. +# +#CFLAGS += -I$ +#LIBS += -L$ + +# Use libnl v2.0 (or 3.0) libraries. +#CONFIG_LIBNL20=y + +# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored) +CONFIG_LIBNL32=y + + # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver) #CONFIG_DRIVER_BSD=y #CFLAGS += -I/usr/local/include #LIBS += -L/usr/local/lib +#LIBS_p += -L/usr/local/lib +#LIBS_c += -L/usr/local/lib # Driver interface for Windows NDIS #CONFIG_DRIVER_NDIS=y @@ -106,17 +70,27 @@ CONFIG_DRIVER_NL80211=y # wpa_supplicant. # CONFIG_USE_NDISUIO=y -# Driver interface for development testing -#CONFIG_DRIVER_TEST=y - # Driver interface for wired Ethernet drivers CONFIG_DRIVER_WIRED=y +# Driver interface for MACsec capable Qualcomm Atheros drivers +#CONFIG_DRIVER_MACSEC_QCA=y + +# Driver interface for Linux MACsec drivers +#CONFIG_DRIVER_MACSEC_LINUX=y + # Driver interface for the Broadcom RoboSwitch family #CONFIG_DRIVER_ROBOSWITCH=y -# Enable IEEE 802.1X Supplicant (automatically included if any EAP method is -# included) +# Driver interface for no driver (e.g., WPS ER only) +#CONFIG_DRIVER_NONE=y + +# Solaris libraries +#LIBS += -lsocket -ldlpi -lnsl +#LIBS_c += -lsocket + +# Enable IEEE 802.1X Supplicant (automatically included if any EAP method or +# MACsec is included) CONFIG_IEEE8021X_EAPOL=y # EAP-MD5 @@ -135,11 +109,17 @@ CONFIG_EAP_PEAP=y CONFIG_EAP_TTLS=y # EAP-FAST -# Note: Default OpenSSL package does not include support for all the -# functionality needed for EAP-FAST. If EAP-FAST is enabled with OpenSSL, -# the OpenSSL library must be patched (openssl-0.9.8d-tls-extensions.patch) -# to add the needed functions. -#CONFIG_EAP_FAST=y +CONFIG_EAP_FAST=y + +# EAP-TEAP +# Note: The current EAP-TEAP implementation is experimental and should not be +# enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number +# of conflicting statements and missing details and the implementation has +# vendor specific workarounds for those and as such, may not interoperate with +# any other implementation. This should not be used for anything else than +# experimentation and interoperability testing until those issues has been +# resolved. +#CONFIG_EAP_TEAP=y # EAP-GTC CONFIG_EAP_GTC=y @@ -150,11 +130,17 @@ CONFIG_EAP_OTP=y # EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used) #CONFIG_EAP_SIM=y +# Enable SIM simulator (Milenage) for EAP-SIM +#CONFIG_SIM_SIMULATOR=y + # EAP-PSK (experimental; this is _not_ needed for WPA-PSK) #CONFIG_EAP_PSK=y +# EAP-pwd (secure authentication using only a password) +CONFIG_EAP_PWD=y + # EAP-PAX -#CONFIG_EAP_PAX=y +CONFIG_EAP_PAX=y # LEAP CONFIG_EAP_LEAP=y @@ -170,22 +156,35 @@ CONFIG_EAP_LEAP=y #CONFIG_USIM_SIMULATOR=y # EAP-SAKE -#CONFIG_EAP_SAKE=y +CONFIG_EAP_SAKE=y # EAP-GPSK -#CONFIG_EAP_GPSK=y +CONFIG_EAP_GPSK=y # Include support for optional SHA256 cipher suite in EAP-GPSK -#CONFIG_EAP_GPSK_SHA256=y +CONFIG_EAP_GPSK_SHA256=y # EAP-TNC and related Trusted Network Connect support (experimental) -#CONFIG_EAP_TNC=y +CONFIG_EAP_TNC=y # Wi-Fi Protected Setup (WPS) CONFIG_WPS=y +# Enable WPS external registrar functionality +#CONFIG_WPS_ER=y +# Disable credentials for an open network by default when acting as a WPS +# registrar. +#CONFIG_WPS_REG_DISABLE_OPEN=y +# Enable WPS support with NFC config method +#CONFIG_WPS_NFC=y # EAP-IKEv2 CONFIG_EAP_IKEV2=y +# EAP-EKE +#CONFIG_EAP_EKE=y + +# MACsec +CONFIG_MACSEC=y + # PKCS#12 (PFX) support (used to read private key and certificate file from # a file that usually has extension .p12 or .pfx) CONFIG_PKCS12=y @@ -198,13 +197,22 @@ CONFIG_SMARTCARD=y # Enable this if EAP-SIM or EAP-AKA is included #CONFIG_PCSC=y +# Support HT overrides (disable HT/HT40, mask MCS rates, etc.) +#CONFIG_HT_OVERRIDES=y + +# Support VHT overrides (disable VHT, mask MCS rates, etc.) +#CONFIG_VHT_OVERRIDES=y + # Development testing #CONFIG_EAPOL_TEST=y # Select control interface backend for external programs, e.g, wpa_cli: # unix = UNIX domain sockets (default for Linux/*BSD) # udp = UDP sockets using localhost (127.0.0.1) +# udp6 = UDP IPv6 sockets using localhost (::1) # named_pipe = Windows Named Pipe (default for Windows) +# udp-remote = UDP sockets with remote access (only for tests systems/purpose) +# udp6-remote = UDP IPv6 sockets with remote access (only for tests purpose) # y = use default (backwards compatibility) # If this option is commented out, control interface is not included in the # build. @@ -216,6 +224,10 @@ CONFIG_CTRL_IFACE=y # the resulting binary. #CONFIG_READLINE=y +# Include internal line edit mode in wpa_cli. This can be used as a replacement +# for GNU Readline to provide limited command line editing and history support. +#CONFIG_WPA_CLI_EDIT=y + # Remove debugging code that is printing out debug message to stdout. # This can be used to reduce the size of the wpa_supplicant considerably # if debugging code is not needed. The size reduction can be around 35% @@ -226,11 +238,6 @@ CONFIG_CTRL_IFACE=y # 35-50 kB in code size. #CONFIG_NO_WPA=y -# Remove WPA2 support. This allows WPA to be used, but removes WPA2 code to -# save about 1 kB in code size when building only WPA-Personal (no EAP support) -# or 6 kB if building for WPA-Enterprise. -#CONFIG_NO_WPA2=y - # Remove IEEE 802.11i/WPA-Personal ASCII passphrase support # This option can be used to reduce code size by removing support for # converting ASCII passphrases into PSK. If this functionality is removed, the @@ -238,12 +245,10 @@ CONFIG_CTRL_IFACE=y # wpa_passphrase). This saves about 0.5 kB in code size. #CONFIG_NO_WPA_PASSPHRASE=y -# Remove AES extra functions. This can be used to reduce code size by about -# 1.5 kB by removing extra AES modes that are not needed for commonly used -# client configurations (they are needed for some EAP types). -#CONFIG_NO_AES_EXTRAS=y +# Simultaneous Authentication of Equals (SAE), WPA3-Personal +CONFIG_SAE=y -# Disable scan result processing (ap_mode=1) to save code size by about 1 kB. +# Disable scan result processing (ap_scan=1) to save code size by about 1 kB. # This can be used if ap_scan=1 mode is never enabled. #CONFIG_NO_SCAN_PROCESSING=y @@ -270,7 +275,7 @@ CONFIG_BACKEND=file # main_none = Very basic example (development use only) #CONFIG_MAIN=main -# Select wrapper for operatins system and C library specific functions +# Select wrapper for operating system and C library specific functions # unix = UNIX/POSIX like systems (default) # win32 = Windows systems # none = Empty template @@ -279,9 +284,17 @@ CONFIG_BACKEND=file # Select event loop implementation # eloop = select() loop (default) # eloop_win = Windows events and WaitForMultipleObject() loop -# eloop_none = Empty template #CONFIG_ELOOP=eloop +# Should we use poll instead of select? Select is used by default. +#CONFIG_ELOOP_POLL=y + +# Should we use epoll instead of select? Select is used by default. +#CONFIG_ELOOP_EPOLL=y + +# Should we use kqueue instead of select? Select is used by default. +#CONFIG_ELOOP_KQUEUE=y + # Select layer 2 packet implementation # linux = Linux packet socket (default) # pcap = libpcap/libdnet/WinPcap @@ -291,29 +304,40 @@ CONFIG_BACKEND=file # none = Empty template #CONFIG_L2_PACKET=linux -# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS) -CONFIG_PEERKEY=y +# Disable Linux packet socket workaround applicable for station interface +# in a bridge for EAPOL frames. This should be uncommented only if the kernel +# is known to not have the regression issue in packet socket behavior with +# bridge interfaces (commit 'bridge: respect RFC2863 operational state')'). +#CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y -# IEEE 802.11w (management frame protection) -# This version is an experimental implementation based on IEEE 802.11w/D1.0 -# draft and is subject to change since the standard has not yet been finalized. -# Driver support is also needed for IEEE 802.11w. -#CONFIG_IEEE80211W=y +# Support Operating Channel Validation +#CONFIG_OCV=y # Select TLS implementation # openssl = OpenSSL (default) -# gnutls = GnuTLS (needed for TLS/IA, see also CONFIG_GNUTLS_EXTRA) +# gnutls = GnuTLS # internal = Internal TLSv1 implementation (experimental) +# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental) # none = Empty template #CONFIG_TLS=openssl -# Whether to enable TLS/IA support, which is required for EAP-TTLSv1. -# You need CONFIG_TLS=gnutls for this to have any effect. Please note that -# even though the core GnuTLS library is released under LGPL, this extra -# library uses GPL and as such, the terms of GPL apply to the combination -# of wpa_supplicant and GnuTLS if this option is enabled. BSD license may not -# apply for distribution of the resulting binary. -#CONFIG_GNUTLS_EXTRA=y +# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1) +# can be enabled to get a stronger construction of messages when block ciphers +# are used. It should be noted that some existing TLS v1.0 -based +# implementation may not be compatible with TLS v1.1 message (ClientHello is +# sent prior to negotiating which version will be used) +#CONFIG_TLSV11=y + +# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2) +# can be enabled to enable use of stronger crypto algorithms. It should be +# noted that some existing TLS v1.0 -based implementation may not be compatible +# with TLS v1.2 message (ClientHello is sent prior to negotiating which version +# will be used) +#CONFIG_TLSV12=y + +# Select which ciphers to use by default with OpenSSL if the user does not +# specify them. +#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW" # If CONFIG_TLS=internal is used, additional library and include paths are # needed for LibTomMath. Alternatively, an integrated, minimal version of @@ -337,8 +361,12 @@ CONFIG_PEERKEY=y #CONFIG_NDIS_EVENTS_INTEGRATED=y #PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib" -# Add support for DBus control interface -#CONFIG_CTRL_IFACE_DBUS=y +# Add support for new DBus control interface +# (fi.w1.wpa_supplicant1) +#CONFIG_CTRL_IFACE_DBUS_NEW=y + +# Add introspection support for new DBus control interface +#CONFIG_CTRL_IFACE_DBUS_INTRO=y # Add support for loading EAP methods dynamically as shared libraries. # When this option is enabled, each EAP method can be either included @@ -361,18 +389,26 @@ CONFIG_PEERKEY=y # amount of memory/flash. #CONFIG_DYNAMIC_EAP_METHODS=y -# Include client MLME (management frame processing). -# This can be used to move MLME processing of Linux mac80211 stack into user -# space. Please note that this is currently only available with -# driver_nl80211.c and only with a modified version of Linux kernel and -# wpa_supplicant. -#CONFIG_CLIENT_MLME=y - -# IEEE Std 802.11r-2008 (Fast BSS Transition) -#CONFIG_IEEE80211R=y +# IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode +CONFIG_IEEE80211R=y # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt) -#CONFIG_DEBUG_FILE=y +CONFIG_DEBUG_FILE=y + +# Send debug messages to syslog instead of stdout +CONFIG_DEBUG_SYSLOG=y +# Set syslog facility for debug messages +#CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON + +# Add support for sending all debug messages (regardless of debug verbosity) +# to the Linux kernel tracing facility. This helps debug the entire stack by +# making it easy to record everything happening from the driver up into the +# same file, e.g., using trace-cmd. +#CONFIG_DEBUG_LINUX_TRACING=y + +# Add support for writing debug log to Android logcat instead of standard +# output +#CONFIG_ANDROID_LOG=y # Enable privilege separation (see README 'Privilege separation' for details) #CONFIG_PRIVSEP=y @@ -380,3 +416,210 @@ CONFIG_PEERKEY=y # Enable mitigation against certain attacks against TKIP by delaying Michael # MIC error reports by a random amount of time between 0 and 60 seconds #CONFIG_DELAYED_MIC_ERROR_REPORT=y + +# Enable tracing code for developer debugging +# This tracks use of memory allocations and other registrations and reports +# incorrect use with a backtrace of call (or allocation) location. +#CONFIG_WPA_TRACE=y +# For BSD, uncomment these. +#LIBS += -lexecinfo +#LIBS_p += -lexecinfo +#LIBS_c += -lexecinfo + +# Use libbfd to get more details for developer debugging +# This enables use of libbfd to get more detailed symbols for the backtraces +# generated by CONFIG_WPA_TRACE=y. +#CONFIG_WPA_TRACE_BFD=y +# For BSD, uncomment these. +#LIBS += -lbfd -liberty -lz +#LIBS_p += -lbfd -liberty -lz +#LIBS_c += -lbfd -liberty -lz + +# wpa_supplicant depends on strong random number generation being available +# from the operating system. os_get_random() function is used to fetch random +# data when needed, e.g., for key generation. On Linux and BSD systems, this +# works by reading /dev/urandom. It should be noted that the OS entropy pool +# needs to be properly initialized before wpa_supplicant is started. This is +# important especially on embedded devices that do not have a hardware random +# number generator and may by default start up with minimal entropy available +# for random number generation. +# +# As a safety net, wpa_supplicant is by default trying to internally collect +# additional entropy for generating random data to mix in with the data fetched +# from the OS. This by itself is not considered to be very strong, but it may +# help in cases where the system pool is not initialized properly. However, it +# is very strongly recommended that the system pool is initialized with enough +# entropy either by using hardware assisted random number generator or by +# storing state over device reboots. +# +# wpa_supplicant can be configured to maintain its own entropy store over +# restarts to enhance random number generation. This is not perfect, but it is +# much more secure than using the same sequence of random numbers after every +# reboot. This can be enabled with -e command line option. The +# specified file needs to be readable and writable by wpa_supplicant. +# +# If the os_get_random() is known to provide strong random data (e.g., on +# Linux/BSD, the board in question is known to have reliable source of random +# data from /dev/urandom), the internal wpa_supplicant random pool can be +# disabled. This will save some in binary size and CPU use. However, this +# should only be considered for builds that are known to be used on devices +# that meet the requirements described above. +#CONFIG_NO_RANDOM_POOL=y + +# Should we attempt to use the getrandom(2) call that provides more reliable +# yet secure randomness source than /dev/random on Linux 3.17 and newer. +# Requires glibc 2.25 to build, falls back to /dev/random if unavailable. +CONFIG_GETRANDOM=y + +# IEEE 802.11ac (Very High Throughput) support (mainly for AP mode) +CONFIG_IEEE80211AC=y + +# Wireless Network Management (IEEE Std 802.11v-2011) +# Note: This is experimental and not complete implementation. +#CONFIG_WNM=y + +# Interworking (IEEE 802.11u) +# This can be used to enable functionality to improve interworking with +# external networks (GAS/ANQP to learn more about the networks and network +# selection based on available credentials). +CONFIG_INTERWORKING=y + +# Hotspot 2.0 +CONFIG_HS20=y + +# Enable interface matching in wpa_supplicant +#CONFIG_MATCH_IFACE=y + +# Disable roaming in wpa_supplicant +#CONFIG_NO_ROAMING=y + +# AP mode operations with wpa_supplicant +# This can be used for controlling AP mode operations with wpa_supplicant. It +# should be noted that this is mainly aimed at simple cases like +# WPA2-Personal while more complex configurations like WPA2-Enterprise with an +# external RADIUS server can be supported with hostapd. +CONFIG_AP=y + +# P2P (Wi-Fi Direct) +# This can be used to enable P2P support in wpa_supplicant. See README-P2P for +# more information on P2P operations. +CONFIG_P2P=y + +# Enable TDLS support +CONFIG_TDLS=y + +# Wi-Fi Display +# This can be used to enable Wi-Fi Display extensions for P2P using an external +# program to control the additional information exchanges in the messages. +CONFIG_WIFI_DISPLAY=y + +# Autoscan +# This can be used to enable automatic scan support in wpa_supplicant. +# See wpa_supplicant.conf for more information on autoscan usage. +# +# Enabling directly a module will enable autoscan support. +# For exponential module: +#CONFIG_AUTOSCAN_EXPONENTIAL=y +# For periodic module: +#CONFIG_AUTOSCAN_PERIODIC=y + +# Password (and passphrase, etc.) backend for external storage +# These optional mechanisms can be used to add support for storing passwords +# and other secrets in external (to wpa_supplicant) location. This allows, for +# example, operating system specific key storage to be used +# +# External password backend for testing purposes (developer use) +#CONFIG_EXT_PASSWORD_TEST=y + +# Enable Fast Session Transfer (FST) +#CONFIG_FST=y + +# Enable CLI commands for FST testing +#CONFIG_FST_TEST=y + +# OS X builds. This is only for building eapol_test. +#CONFIG_OSX=y + +# Automatic Channel Selection +# This will allow wpa_supplicant to pick the channel automatically when channel +# is set to "0". +# +# TODO: Extend parser to be able to parse "channel=acs_survey" as an alternative +# to "channel=0". This would enable us to eventually add other ACS algorithms in +# similar way. +# +# Automatic selection is currently only done through initialization, later on +# we hope to do background checks to keep us moving to more ideal channels as +# time goes by. ACS is currently only supported through the nl80211 driver and +# your driver must have survey dump capability that is filled by the driver +# during scanning. +# +# TODO: In analogy to hostapd be able to customize the ACS survey algorithm with +# a newly to create wpa_supplicant.conf variable acs_num_scans. +# +# Supported ACS drivers: +# * ath9k +# * ath5k +# * ath10k +# +# For more details refer to: +# http://wireless.kernel.org/en/users/Documentation/acs +#CONFIG_ACS=y + +# Support Multi Band Operation +#CONFIG_MBO=y + +# Fast Initial Link Setup (FILS) (IEEE 802.11ai) +#CONFIG_FILS=y +# FILS shared key authentication with PFS +#CONFIG_FILS_SK_PFS=y + +# Support RSN on IBSS networks +# This is needed to be able to use mode=1 network profile with proto=RSN and +# key_mgmt=WPA-PSK (i.e., full key management instead of WPA-None). +CONFIG_IBSS_RSN=y + +# External PMKSA cache control +# This can be used to enable control interface commands that allow the current +# PMKSA cache entries to be fetched and new entries to be added. +#CONFIG_PMKSA_CACHE_EXTERNAL=y + +# Mesh Networking (IEEE 802.11s) +#CONFIG_MESH=y + +# Background scanning modules +# These can be used to request wpa_supplicant to perform background scanning +# operations for roaming within an ESS (same SSID). See the bgscan parameter in +# the wpa_supplicant.conf file for more details. +# Periodic background scans based on signal strength +CONFIG_BGSCAN_SIMPLE=y +# Learn channels used by the network and try to avoid bgscans on other +# channels (experimental) +#CONFIG_BGSCAN_LEARN=y + +# Opportunistic Wireless Encryption (OWE) +# Experimental implementation of draft-harkins-owe-07.txt +#CONFIG_OWE=y + +# Device Provisioning Protocol (DPP) +CONFIG_DPP=y + +# Wired equivalent privacy (WEP) +# WEP is an obsolete cryptographic data confidentiality algorithm that is not +# considered secure. It should not be used for anything anymore. The +# functionality needed to use WEP is available in the current wpa_supplicant +# release under this optional build parameter. This functionality is subject to +# be completely removed in a future release. +#CONFIG_WEP=y + +# Remove all TKIP functionality +# TKIP is an old cryptographic data confidentiality algorithm that is not +# considered secure. It should not be used anymore for anything else than a +# backwards compatibility option as a group cipher when connecting to APs that +# use WPA+WPA2 mixed mode. For now, the default wpa_supplicant build includes +# support for this by default, but that functionality is subject to be removed +# in the future. +#CONFIG_NO_TKIP=y + +# Enable 802.11w +CONFIG_IEEE80211W=y