2008-02-28 02:34:43 +01:00
|
|
|
# Example hostapd build time configuration
|
|
|
|
#
|
|
|
|
# This file lists the configuration options that are used when building the
|
|
|
|
# hostapd binary. All lines starting with # are ignored. Configuration option
|
|
|
|
# lines must be commented out complete, if they are not to be included, i.e.,
|
|
|
|
# just setting VARIABLE=n is not disabling that variable.
|
|
|
|
#
|
|
|
|
# This file is included in Makefile, so variables like CFLAGS and LIBS can also
|
|
|
|
# be modified from here. In most cass, these lines should use += in order not
|
|
|
|
# to override previous values of the variables.
|
|
|
|
|
|
|
|
# Driver interface for Host AP driver
|
|
|
|
CONFIG_DRIVER_HOSTAP=y
|
|
|
|
|
|
|
|
# Driver interface for wired authenticator
|
|
|
|
#CONFIG_DRIVER_WIRED=y
|
|
|
|
|
|
|
|
# Driver interface for madwifi driver
|
|
|
|
#CONFIG_DRIVER_MADWIFI=y
|
2009-02-04 20:45:14 +01:00
|
|
|
#CFLAGS += -I../../madwifi # change to the madwifi source directory
|
2008-02-28 02:34:43 +01:00
|
|
|
|
|
|
|
# Driver interface for drivers using the nl80211 kernel interface
|
2011-05-16 20:07:47 +02:00
|
|
|
CONFIG_DRIVER_NL80211=y
|
2008-02-28 02:34:43 +01:00
|
|
|
|
|
|
|
# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
|
|
|
|
#CONFIG_DRIVER_BSD=y
|
|
|
|
#CFLAGS += -I/usr/local/include
|
|
|
|
#LIBS += -L/usr/local/lib
|
2010-01-09 10:01:12 +01:00
|
|
|
#LIBS_p += -L/usr/local/lib
|
|
|
|
#LIBS_c += -L/usr/local/lib
|
2008-02-28 02:34:43 +01:00
|
|
|
|
2008-10-01 13:07:55 +02:00
|
|
|
# Driver interface for no driver (e.g., RADIUS server only)
|
|
|
|
#CONFIG_DRIVER_NONE=y
|
|
|
|
|
2008-02-28 02:34:43 +01:00
|
|
|
# IEEE 802.11F/IAPP
|
|
|
|
CONFIG_IAPP=y
|
|
|
|
|
|
|
|
# WPA2/IEEE 802.11i RSN pre-authentication
|
|
|
|
CONFIG_RSN_PREAUTH=y
|
|
|
|
|
|
|
|
# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS)
|
|
|
|
CONFIG_PEERKEY=y
|
|
|
|
|
|
|
|
# IEEE 802.11w (management frame protection)
|
|
|
|
# This version is an experimental implementation based on IEEE 802.11w/D1.0
|
|
|
|
# draft and is subject to change since the standard has not yet been finalized.
|
|
|
|
# Driver support is also needed for IEEE 802.11w.
|
|
|
|
#CONFIG_IEEE80211W=y
|
|
|
|
|
|
|
|
# Integrated EAP server
|
|
|
|
CONFIG_EAP=y
|
|
|
|
|
|
|
|
# EAP-MD5 for the integrated EAP server
|
|
|
|
CONFIG_EAP_MD5=y
|
|
|
|
|
|
|
|
# EAP-TLS for the integrated EAP server
|
|
|
|
CONFIG_EAP_TLS=y
|
|
|
|
|
|
|
|
# EAP-MSCHAPv2 for the integrated EAP server
|
|
|
|
CONFIG_EAP_MSCHAPV2=y
|
|
|
|
|
|
|
|
# EAP-PEAP for the integrated EAP server
|
|
|
|
CONFIG_EAP_PEAP=y
|
|
|
|
|
|
|
|
# EAP-GTC for the integrated EAP server
|
|
|
|
CONFIG_EAP_GTC=y
|
|
|
|
|
|
|
|
# EAP-TTLS for the integrated EAP server
|
|
|
|
CONFIG_EAP_TTLS=y
|
|
|
|
|
|
|
|
# EAP-SIM for the integrated EAP server
|
|
|
|
#CONFIG_EAP_SIM=y
|
|
|
|
|
|
|
|
# EAP-AKA for the integrated EAP server
|
|
|
|
#CONFIG_EAP_AKA=y
|
|
|
|
|
2008-12-07 18:24:56 +01:00
|
|
|
# EAP-AKA' for the integrated EAP server
|
|
|
|
# This requires CONFIG_EAP_AKA to be enabled, too.
|
|
|
|
#CONFIG_EAP_AKA_PRIME=y
|
|
|
|
|
2008-02-28 02:34:43 +01:00
|
|
|
# EAP-PAX for the integrated EAP server
|
|
|
|
#CONFIG_EAP_PAX=y
|
|
|
|
|
|
|
|
# EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK)
|
|
|
|
#CONFIG_EAP_PSK=y
|
|
|
|
|
2012-02-11 11:17:58 +01:00
|
|
|
# EAP-pwd for the integrated EAP server (secure authentication with a password)
|
|
|
|
#CONFIG_EAP_PWD=y
|
|
|
|
|
2008-02-28 02:34:43 +01:00
|
|
|
# EAP-SAKE for the integrated EAP server
|
|
|
|
#CONFIG_EAP_SAKE=y
|
|
|
|
|
|
|
|
# EAP-GPSK for the integrated EAP server
|
|
|
|
#CONFIG_EAP_GPSK=y
|
|
|
|
# Include support for optional SHA256 cipher suite in EAP-GPSK
|
|
|
|
#CONFIG_EAP_GPSK_SHA256=y
|
|
|
|
|
|
|
|
# EAP-FAST for the integrated EAP server
|
|
|
|
# Note: Default OpenSSL package does not include support for all the
|
|
|
|
# functionality needed for EAP-FAST. If EAP-FAST is enabled with OpenSSL,
|
|
|
|
# the OpenSSL library must be patched (openssl-0.9.9-session-ticket.patch)
|
|
|
|
# to add the needed functions.
|
|
|
|
#CONFIG_EAP_FAST=y
|
|
|
|
|
2008-11-23 18:34:26 +01:00
|
|
|
# Wi-Fi Protected Setup (WPS)
|
|
|
|
#CONFIG_WPS=y
|
2010-06-18 03:35:18 +02:00
|
|
|
# Enable WSC 2.0 support
|
|
|
|
#CONFIG_WPS2=y
|
2009-01-29 18:19:30 +01:00
|
|
|
# Enable UPnP support for external WPS Registrars
|
|
|
|
#CONFIG_WPS_UPNP=y
|
2012-06-28 20:28:49 +02:00
|
|
|
# Enable WPS support with NFC config method
|
|
|
|
#CONFIG_WPS_NFC=y
|
2008-11-23 18:34:26 +01:00
|
|
|
|
2008-02-28 02:34:43 +01:00
|
|
|
# EAP-IKEv2
|
|
|
|
#CONFIG_EAP_IKEV2=y
|
|
|
|
|
2008-03-09 11:14:15 +01:00
|
|
|
# Trusted Network Connect (EAP-TNC)
|
|
|
|
#CONFIG_EAP_TNC=y
|
|
|
|
|
2008-02-28 02:34:43 +01:00
|
|
|
# PKCS#12 (PFX) support (used to read private key and certificate file from
|
|
|
|
# a file that usually has extension .p12 or .pfx)
|
|
|
|
CONFIG_PKCS12=y
|
|
|
|
|
|
|
|
# RADIUS authentication server. This provides access to the integrated EAP
|
|
|
|
# server from external hosts using RADIUS.
|
|
|
|
#CONFIG_RADIUS_SERVER=y
|
|
|
|
|
|
|
|
# Build IPv6 support for RADIUS operations
|
|
|
|
CONFIG_IPV6=y
|
|
|
|
|
2008-08-15 10:25:24 +02:00
|
|
|
# IEEE Std 802.11r-2008 (Fast BSS Transition)
|
2008-02-28 02:34:43 +01:00
|
|
|
#CONFIG_IEEE80211R=y
|
2008-03-12 10:43:55 +01:00
|
|
|
|
|
|
|
# Use the hostapd's IEEE 802.11 authentication (ACL), but without
|
|
|
|
# the IEEE 802.11 Management capability (e.g., madwifi or FreeBSD/net80211)
|
|
|
|
#CONFIG_DRIVER_RADIUS_ACL=y
|
2008-12-09 23:46:55 +01:00
|
|
|
|
|
|
|
# IEEE 802.11n (High Throughput) support
|
|
|
|
#CONFIG_IEEE80211N=y
|
2009-01-08 15:47:04 +01:00
|
|
|
|
2012-05-28 02:35:00 +02:00
|
|
|
# Wireless Network Management (IEEE Std 802.11v-2011)
|
|
|
|
# Note: This is experimental and not complete implementation.
|
|
|
|
#CONFIG_WNM=y
|
|
|
|
|
2012-06-30 12:52:13 +02:00
|
|
|
# IEEE 802.11ac (Very High Throughput) support
|
|
|
|
#CONFIG_IEEE80211AC=y
|
|
|
|
|
2009-01-08 15:47:04 +01:00
|
|
|
# Remove debugging code that is printing out debug messages to stdout.
|
|
|
|
# This can be used to reduce the size of the hostapd considerably if debugging
|
|
|
|
# code is not needed.
|
|
|
|
#CONFIG_NO_STDOUT_DEBUG=y
|
2009-01-08 18:15:25 +01:00
|
|
|
|
2011-02-06 19:24:16 +01:00
|
|
|
# Add support for writing debug log to a file: -f /tmp/hostapd.log
|
|
|
|
# Disabled by default.
|
|
|
|
#CONFIG_DEBUG_FILE=y
|
|
|
|
|
2009-01-08 18:15:25 +01:00
|
|
|
# Remove support for RADIUS accounting
|
|
|
|
#CONFIG_NO_ACCOUNTING=y
|
|
|
|
|
|
|
|
# Remove support for RADIUS
|
|
|
|
#CONFIG_NO_RADIUS=y
|
2009-01-12 20:39:19 +01:00
|
|
|
|
|
|
|
# Remove support for VLANs
|
|
|
|
#CONFIG_NO_VLAN=y
|
2009-11-29 19:18:47 +01:00
|
|
|
|
2010-11-10 13:23:57 +01:00
|
|
|
# Enable support for fully dynamic VLANs. This enables hostapd to
|
2010-11-09 15:38:59 +01:00
|
|
|
# automatically create bridge and VLAN interfaces if necessary.
|
|
|
|
#CONFIG_FULL_DYNAMIC_VLAN=y
|
|
|
|
|
2009-11-29 19:18:47 +01:00
|
|
|
# Remove support for dumping state into a file on SIGUSR1 signal
|
|
|
|
# This can be used to reduce binary size at the cost of disabling a debugging
|
|
|
|
# option.
|
|
|
|
#CONFIG_NO_DUMP_STATE=y
|
2009-12-20 22:41:06 +01:00
|
|
|
|
|
|
|
# Enable tracing code for developer debugging
|
|
|
|
# This tracks use of memory allocations and other registrations and reports
|
|
|
|
# incorrect use with a backtrace of call (or allocation) location.
|
|
|
|
#CONFIG_WPA_TRACE=y
|
2010-01-09 10:01:12 +01:00
|
|
|
# For BSD, comment out these.
|
|
|
|
#LIBS += -lexecinfo
|
|
|
|
#LIBS_p += -lexecinfo
|
|
|
|
#LIBS_c += -lexecinfo
|
2009-12-20 22:41:06 +01:00
|
|
|
|
|
|
|
# Use libbfd to get more details for developer debugging
|
|
|
|
# This enables use of libbfd to get more detailed symbols for the backtraces
|
|
|
|
# generated by CONFIG_WPA_TRACE=y.
|
2009-12-23 22:20:11 +01:00
|
|
|
#CONFIG_WPA_TRACE_BFD=y
|
2010-01-09 10:01:12 +01:00
|
|
|
# For BSD, comment out these.
|
|
|
|
#LIBS += -lbfd -liberty -lz
|
|
|
|
#LIBS_p += -lbfd -liberty -lz
|
|
|
|
#LIBS_c += -lbfd -liberty -lz
|
Maintain internal entropy pool for augmenting random number generation
By default, make hostapd and wpa_supplicant maintain an internal
entropy pool that is fed with following information:
hostapd:
- Probe Request frames (timing, RSSI)
- Association events (timing)
- SNonce from Supplicants
wpa_supplicant:
- Scan results (timing, signal/noise)
- Association events (timing)
The internal pool is used to augment the random numbers generated
with the OS mechanism (os_get_random()). While the internal
implementation is not expected to be very strong due to limited
amount of generic (non-platform specific) information to feed the
pool, this may strengthen key derivation on some devices that are
not configured to provide strong random numbers through
os_get_random() (e.g., /dev/urandom on Linux/BSD).
This new mechanism is not supposed to replace proper OS provided
random number generation mechanism. The OS mechanism needs to be
initialized properly (e.g., hw random number generator,
maintaining entropy pool over reboots, etc.) for any of the
security assumptions to hold.
If the os_get_random() is known to provide strong ramdom data (e.g., on
Linux/BSD, the board in question is known to have reliable source of
random data from /dev/urandom), the internal hostapd random pool can be
disabled. This will save some in binary size and CPU use. However, this
should only be considered for builds that are known to be used on
devices that meet the requirements described above. The internal pool
is disabled by adding CONFIG_NO_RANDOM_POOL=y to the .config file.
2010-11-24 00:29:40 +01:00
|
|
|
|
|
|
|
# hostapd depends on strong random number generation being available from the
|
|
|
|
# operating system. os_get_random() function is used to fetch random data when
|
|
|
|
# needed, e.g., for key generation. On Linux and BSD systems, this works by
|
|
|
|
# reading /dev/urandom. It should be noted that the OS entropy pool needs to be
|
|
|
|
# properly initialized before hostapd is started. This is important especially
|
|
|
|
# on embedded devices that do not have a hardware random number generator and
|
|
|
|
# may by default start up with minimal entropy available for random number
|
|
|
|
# generation.
|
|
|
|
#
|
|
|
|
# As a safety net, hostapd is by default trying to internally collect
|
|
|
|
# additional entropy for generating random data to mix in with the data
|
|
|
|
# fetched from the OS. This by itself is not considered to be very strong, but
|
|
|
|
# it may help in cases where the system pool is not initialized properly.
|
|
|
|
# However, it is very strongly recommended that the system pool is initialized
|
|
|
|
# with enough entropy either by using hardware assisted random number
|
2011-05-31 19:07:11 +02:00
|
|
|
# generator or by storing state over device reboots.
|
Maintain internal entropy pool for augmenting random number generation
By default, make hostapd and wpa_supplicant maintain an internal
entropy pool that is fed with following information:
hostapd:
- Probe Request frames (timing, RSSI)
- Association events (timing)
- SNonce from Supplicants
wpa_supplicant:
- Scan results (timing, signal/noise)
- Association events (timing)
The internal pool is used to augment the random numbers generated
with the OS mechanism (os_get_random()). While the internal
implementation is not expected to be very strong due to limited
amount of generic (non-platform specific) information to feed the
pool, this may strengthen key derivation on some devices that are
not configured to provide strong random numbers through
os_get_random() (e.g., /dev/urandom on Linux/BSD).
This new mechanism is not supposed to replace proper OS provided
random number generation mechanism. The OS mechanism needs to be
initialized properly (e.g., hw random number generator,
maintaining entropy pool over reboots, etc.) for any of the
security assumptions to hold.
If the os_get_random() is known to provide strong ramdom data (e.g., on
Linux/BSD, the board in question is known to have reliable source of
random data from /dev/urandom), the internal hostapd random pool can be
disabled. This will save some in binary size and CPU use. However, this
should only be considered for builds that are known to be used on
devices that meet the requirements described above. The internal pool
is disabled by adding CONFIG_NO_RANDOM_POOL=y to the .config file.
2010-11-24 00:29:40 +01:00
|
|
|
#
|
2011-05-31 19:07:11 +02:00
|
|
|
# hostapd can be configured to maintain its own entropy store over restarts to
|
|
|
|
# enhance random number generation. This is not perfect, but it is much more
|
|
|
|
# secure than using the same sequence of random numbers after every reboot.
|
|
|
|
# This can be enabled with -e<entropy file> command line option. The specified
|
|
|
|
# file needs to be readable and writable by hostapd.
|
|
|
|
#
|
|
|
|
# If the os_get_random() is known to provide strong random data (e.g., on
|
Maintain internal entropy pool for augmenting random number generation
By default, make hostapd and wpa_supplicant maintain an internal
entropy pool that is fed with following information:
hostapd:
- Probe Request frames (timing, RSSI)
- Association events (timing)
- SNonce from Supplicants
wpa_supplicant:
- Scan results (timing, signal/noise)
- Association events (timing)
The internal pool is used to augment the random numbers generated
with the OS mechanism (os_get_random()). While the internal
implementation is not expected to be very strong due to limited
amount of generic (non-platform specific) information to feed the
pool, this may strengthen key derivation on some devices that are
not configured to provide strong random numbers through
os_get_random() (e.g., /dev/urandom on Linux/BSD).
This new mechanism is not supposed to replace proper OS provided
random number generation mechanism. The OS mechanism needs to be
initialized properly (e.g., hw random number generator,
maintaining entropy pool over reboots, etc.) for any of the
security assumptions to hold.
If the os_get_random() is known to provide strong ramdom data (e.g., on
Linux/BSD, the board in question is known to have reliable source of
random data from /dev/urandom), the internal hostapd random pool can be
disabled. This will save some in binary size and CPU use. However, this
should only be considered for builds that are known to be used on
devices that meet the requirements described above. The internal pool
is disabled by adding CONFIG_NO_RANDOM_POOL=y to the .config file.
2010-11-24 00:29:40 +01:00
|
|
|
# Linux/BSD, the board in question is known to have reliable source of random
|
|
|
|
# data from /dev/urandom), the internal hostapd random pool can be disabled.
|
|
|
|
# This will save some in binary size and CPU use. However, this should only be
|
|
|
|
# considered for builds that are known to be used on devices that meet the
|
|
|
|
# requirements described above.
|
|
|
|
#CONFIG_NO_RANDOM_POOL=y
|
2011-09-25 16:24:46 +02:00
|
|
|
|
|
|
|
# Select TLS implementation
|
|
|
|
# openssl = OpenSSL (default)
|
2011-09-25 20:28:32 +02:00
|
|
|
# gnutls = GnuTLS
|
2011-09-25 16:24:46 +02:00
|
|
|
# internal = Internal TLSv1 implementation (experimental)
|
|
|
|
# none = Empty template
|
|
|
|
#CONFIG_TLS=openssl
|
|
|
|
|
|
|
|
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
|
|
|
|
# can be enabled to get a stronger construction of messages when block ciphers
|
|
|
|
# are used.
|
|
|
|
#CONFIG_TLSV11=y
|
|
|
|
|
2011-11-27 20:45:07 +01:00
|
|
|
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
|
|
|
|
# can be enabled to enable use of stronger crypto algorithms.
|
|
|
|
#CONFIG_TLSV12=y
|
|
|
|
|
2011-09-25 16:24:46 +02:00
|
|
|
# If CONFIG_TLS=internal is used, additional library and include paths are
|
|
|
|
# needed for LibTomMath. Alternatively, an integrated, minimal version of
|
|
|
|
# LibTomMath can be used. See beginning of libtommath.c for details on benefits
|
|
|
|
# and drawbacks of this option.
|
|
|
|
#CONFIG_INTERNAL_LIBTOMMATH=y
|
|
|
|
#ifndef CONFIG_INTERNAL_LIBTOMMATH
|
|
|
|
#LTM_PATH=/usr/src/libtommath-0.39
|
|
|
|
#CFLAGS += -I$(LTM_PATH)
|
|
|
|
#LIBS += -L$(LTM_PATH)
|
|
|
|
#LIBS_p += -L$(LTM_PATH)
|
|
|
|
#endif
|
|
|
|
# At the cost of about 4 kB of additional binary size, the internal LibTomMath
|
|
|
|
# can be configured to include faster routines for exptmod, sqr, and div to
|
|
|
|
# speed up DH and RSA calculation considerably
|
|
|
|
#CONFIG_INTERNAL_LIBTOMMATH_FAST=y
|
2011-09-23 19:26:17 +02:00
|
|
|
|
|
|
|
# Interworking (IEEE 802.11u)
|
|
|
|
# This can be used to enable functionality to improve interworking with
|
|
|
|
# external networks.
|
|
|
|
#CONFIG_INTERWORKING=y
|
2011-09-08 19:52:23 +02:00
|
|
|
|
|
|
|
# Hotspot 2.0
|
|
|
|
#CONFIG_HS20=y
|