From 010bc19ccb57c070fb80baa6a63d2e50ab3aea00 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E6=AD=A6=E4=B8=B9?= Date: Fri, 31 Mar 2023 11:27:43 +0800 Subject: [PATCH] merge debian connect --- debian/NEWS | 39 + debian/NetworkManager/no-mac-addr-change.conf | 9 + debian/README.source | 130 +++ debian/changelog.hostapd | 483 +++++++++ debian/clean | 3 + debian/config/hostapd/kfreebsd | 401 +++++++ debian/config/hostapd/linux | 419 ++++++++ debian/config/wpasupplicant/kfreebsd | 616 +++++++++++ debian/config/wpasupplicant/kfreebsd-udeb | 13 + debian/config/wpasupplicant/linux | 622 +++++++++++ debian/config/wpasupplicant/linux-udeb | 20 + debian/control | 68 +- debian/copyright | 422 ++++++++ debian/eapoltest.install | 1 + debian/eapoltest.lintian-overrides | 3 + debian/eapoltest.manpages | 1 + debian/examples/wpa-roam.conf | 85 ++ debian/gbp.conf | 3 + debian/gitlab-ci.yml | 3 + debian/hostapd.NEWS | 29 + debian/hostapd.README.Debian | 43 + debian/hostapd.default | 23 + debian/hostapd.docs | 3 + debian/hostapd.examples | 6 + debian/hostapd.init | 80 ++ debian/hostapd.install | 3 + debian/hostapd.links | 2 + debian/hostapd.lintian-overrides | 9 + debian/hostapd.manpages | 2 + debian/hostapd.postinst | 19 + debian/hostapd.postrm | 11 + debian/hostapd.service | 16 + debian/hostapd@.service | 16 + debian/ifupdown/action_wpa.sh | 50 + debian/ifupdown/functions.sh | 993 ++++++++++++++++++ debian/ifupdown/hostapd/ifupdown.sh | 146 +++ debian/ifupdown/wpa_action | 81 ++ debian/ifupdown/wpa_action.8 | 148 +++ debian/ifupdown/wpasupplicant/ifupdown.sh | 172 +++ debian/libwpa-client-dev.examples | 1 + debian/libwpa-client-dev.install | 3 + debian/patches/02_dbus_group_policy.patch | 29 + debian/patches/07_dbus_service_syslog.patch | 36 + debian/patches/allow-tlsv1.patch | 28 + debian/patches/disable-eapol-werror.patch | 25 + debian/patches/series | 5 + .../wpa_service_ignore-on-isolate.patch | 36 + debian/rules | 111 ++ debian/source/format | 1 + debian/source/lintian-overrides | 3 + debian/tests/build-libwpa-test | 9 + debian/tests/control | 5 + 
debian/upstream/signing-key.asc | 36 + debian/watch | 13 + debian/wpagui.install | 3 + debian/wpagui.links | 1 + debian/wpagui.manpages | 1 + debian/wpasupplicant.README.Debian | 555 ++++++++++ debian/wpasupplicant.docs | 5 + debian/wpasupplicant.examples | 3 + debian/wpasupplicant.install | 11 + debian/wpasupplicant.links | 7 + debian/wpasupplicant.lintian-overrides | 12 + debian/wpasupplicant.manpages | 6 + debian/wpasupplicant.postinst | 36 + .../systemd/wpa_supplicant.service.arg.in | 2 +- wpa_supplicant/wpa_gui-qt4/wpa_gui.desktop | 2 +- 67 files changed, 6157 insertions(+), 21 deletions(-) create mode 100644 debian/NEWS create mode 100644 debian/NetworkManager/no-mac-addr-change.conf create mode 100644 debian/README.source create mode 100644 debian/changelog.hostapd create mode 100644 debian/clean create mode 100644 debian/config/hostapd/kfreebsd create mode 100644 debian/config/hostapd/linux create mode 100644 debian/config/wpasupplicant/kfreebsd create mode 100644 debian/config/wpasupplicant/kfreebsd-udeb create mode 100644 debian/config/wpasupplicant/linux create mode 100644 debian/config/wpasupplicant/linux-udeb create mode 100644 debian/copyright create mode 100644 debian/eapoltest.install create mode 100644 debian/eapoltest.lintian-overrides create mode 100644 debian/eapoltest.manpages create mode 100644 debian/examples/wpa-roam.conf create mode 100644 debian/gbp.conf create mode 100644 debian/gitlab-ci.yml create mode 100644 debian/hostapd.NEWS create mode 100644 debian/hostapd.README.Debian create mode 100644 debian/hostapd.default create mode 100644 debian/hostapd.docs create mode 100644 debian/hostapd.examples create mode 100644 debian/hostapd.init create mode 100644 debian/hostapd.install create mode 100644 debian/hostapd.links create mode 100644 debian/hostapd.lintian-overrides create mode 100644 debian/hostapd.manpages create mode 100755 debian/hostapd.postinst create mode 100755 debian/hostapd.postrm create mode 100644 debian/hostapd.service 
create mode 100644 debian/hostapd@.service create mode 100755 debian/ifupdown/action_wpa.sh create mode 100644 debian/ifupdown/functions.sh create mode 100755 debian/ifupdown/hostapd/ifupdown.sh create mode 100755 debian/ifupdown/wpa_action create mode 100644 debian/ifupdown/wpa_action.8 create mode 100755 debian/ifupdown/wpasupplicant/ifupdown.sh create mode 100644 debian/libwpa-client-dev.examples create mode 100755 debian/libwpa-client-dev.install create mode 100644 debian/patches/02_dbus_group_policy.patch create mode 100644 debian/patches/07_dbus_service_syslog.patch create mode 100644 debian/patches/allow-tlsv1.patch create mode 100644 debian/patches/disable-eapol-werror.patch create mode 100644 debian/patches/series create mode 100644 debian/patches/wpa_service_ignore-on-isolate.patch create mode 100755 debian/rules create mode 100644 debian/source/format create mode 100644 debian/source/lintian-overrides create mode 100755 debian/tests/build-libwpa-test create mode 100644 debian/tests/control create mode 100644 debian/upstream/signing-key.asc create mode 100644 debian/watch create mode 100644 debian/wpagui.install create mode 100644 debian/wpagui.links create mode 100644 debian/wpagui.manpages create mode 100644 debian/wpasupplicant.README.Debian create mode 100644 debian/wpasupplicant.docs create mode 100644 debian/wpasupplicant.examples create mode 100644 debian/wpasupplicant.install create mode 100644 debian/wpasupplicant.links create mode 100644 debian/wpasupplicant.lintian-overrides create mode 100644 debian/wpasupplicant.manpages create mode 100755 debian/wpasupplicant.postinst diff --git a/debian/NEWS b/debian/NEWS new file mode 100644 index 0000000..6f7e344 --- /dev/null +++ b/debian/NEWS 
@@ -0,0 +1,39 @@
+wpasupplicant (2:2.6-19) unstable; urgency=medium
+
+ With this release, wpasupplicant no longer respects the system
+ default minimum TLS version, defaulting to TLSv1.0, not TLSv1.2. If
+ you're sure you will never connect to EAP networks requiring anything less
+ than 1.2, add this to your wpasupplicant configuration:
+
+ tls_disable_tlsv1_0=1
+ tls_disable_tlsv1_1=1
+
+ wpasupplicant also defaults to a security level 1, instead of the system
+ default 2. Should you need to change that, change this setting in your
+ wpasupplicant configuration:
+
+ openssl_ciphers=DEFAULT@SECLEVEL=2
+
+ Unlike wpasupplicant, hostapd still respects system defaults.
+
+ -- Andrej Shadura Sat, 15 Dec 2018 14:22:18 +0100
+
+wpasupplicant (0.6.2-1) unstable; urgency=low
+
+ The -w (wait for network interface to exist) command line option no longer
+ exists. If you have scripts that require this option, it is time to change
+ them, or use one of the two supported modes of operation explained at
+ /usr/share/doc/wpasupplicant/README.modes.gz.
+
+ ifupdown supports hot-plugged network devices via the "allow-hotplug" class
+ of operation. An example /etc/network/interfaces configuration stanza would
+ look like:
+
+ allow-hotplug wlan0
+ iface wlan0 inet dhcp
+ wpa-ssid myssid
+ wpa-psk mysecretpassphrase
+
+ network-manager is also able to handle hot-plugged network devices.
+
+ -- Kel Modderman Mon, 14 Jan 2008 18:02:17 +1000
diff --git a/debian/NetworkManager/no-mac-addr-change.conf b/debian/NetworkManager/no-mac-addr-change.conf
new file mode 100644
index 0000000..a153532
--- /dev/null
+++ b/debian/NetworkManager/no-mac-addr-change.conf
@@ -0,0 +1,9 @@
+# Certain drivers are known not to support changing the MAC address.
+# Disable touching the MAC address on such devices.
+#
+# See man NetworkManager.conf
+#
+# https://bugzilla.gnome.org/show_bug.cgi?id=777523
+[device-31-mac-addr-change]
+match-device=driver:eagle_sdio,driver:wl
+wifi.scan-rand-mac-address=no
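Review bot: The header comment in debian/NetworkManager/no-mac-addr-change.conf gives the compatibility reason for the override but not its privacy cost. With `wifi.scan-rand-mac-address=no`, every device bound to the `eagle_sdio` or `wl` driver scans with its permanent hardware address, so it can be correlated across locations by anyone observing probe requests. I would add a line such as `# Note: this turns off scan-time MAC randomization; matched devices expose their permanent MAC while scanning.` so administrators can weigh the trade-off. The match is per driver rather than per device, which presumably is intended, but the comment could say so.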
diff --git a/debian/README.source b/debian/README.source
new file mode 100644
index 0000000..fa70a0b
--- /dev/null
+++ b/debian/README.source
@@ -0,0 +1,130 @@ +"wpa" sources for Debian +------------------------ + +**WARNING**: THIS IS OUTDATED; check debian/watch for the actual URLs. + +This "wpa" source package merges wpa_supplicant and hostapd sources, which are +maintained in one source repository[1] upstream and share considerable/ +duplicate amounts of source. Starting with the 1.x branch, both wpa_supplicant +and hostapd are built from this common source package for Debian, while not +released together as tarball by upstream, the source can be obtained from the +upstream git repositories. + +The preferred way to generate the orig.tar.gz is by calling + + $ debian/rules get-orig-source + +which will clone the upstream git repository under $TMPDIR, using mktemp(1), +and create a new tarball based on the git tag corresponding to the top most +entry in debian/changelog. This newly generated tarball will be stored as +../wpa_${VERSION}.orig.tar.gz or ../tarballs/wpa_${VERSION}.orig.tar.gz, if +a directory called ../tarballs/ exists. Eventually existing tarballs +corresponding to the current version will not be overwritten. + +Required dependencies to generate a new orig.tar.gz: +- a SUSv3 compatible shell, like dash or bash +- dpkg-parsechangelog, available from dpkg-dev +- git +- xz, available from xz-utils or busybox +- mktemp and rm, available from coreutils or busybox +- sed, available from sed or busybox +- tar, available from tar or busybox + +It is recommended to base tarballs for development snapshots of "wpa" on +according git tags from the upstream git repository, the available git tags +can be queried by: + + $ git clone git://w1.fi/srv/git/hostap-1.git # 1.x branch + +or + + $ git clone git://w1.fi/srv/git/hostap.git # >= 2.x branches + +changing into the corresponding directory (hostap-1 or hostapd) and calling +git tag. 
+ + $ cd hostapd-1 + $ git tag + hostap_0_6_3 + […] + hostap_1_0 + […] + hostap_1_0_rc3 + […] + +The Debian versions for these tags would be 0.6.3-1, 1.0 or 1.0~rc3 in +debian/changelog. Intermediate states between tags or HEAD are usually best +dealt with by creating a patch series based on the newest matching tag. + +Exporting commits between "hostap_1_0" and the current git HEAD: + + $ git format-patch hostap_1_0..HEAD + +Exporting commits between "hostap_1_0_rc3" and "hostap_1_0": + + $ git format-patch hostap_1_0_rc3..hostap_1_0 + +In both cases numbered patches will be dropped in the base directory of the +git clone. These numbered patches can be imported to the Debian package using +standard procedures for "3.0 (quilt)" source packages. + +Tarballs can also be created manually from the upstream git repository: + + $ git clone git://w1.fi/srv/git/hostap-1.git + $ cd hostap-1 + $ git archive \ + --format=tar \ + --prefix="wpa-1.0/" \ + hostap_1_0 \ + README COPYING patches src wpa_supplicant hostapd | \ + xz -c6 > wpa_1.0.orig.tar.gz + +Arbitrary git tags or commit IDs can be used for this purpose. + + +Upstream git snapshots can be exported by using a specially crafted version +syntax used in the top most (pending) changelog entry. The required syntax for +correctly parsing this is: + + +git.+- + upstream_version := [0-9\.]* --> 2.0 + date := [0-9]* --> 20131120 (YYYYMMDD) + revision := [0-9]* --> 1 + git_hash := [0-9a-f]* --> 594516b + debian_revision := [0-9*] --> 1 + +e.g.: + + 2.0+git20131120.1+594516b-1 + +Technically any incrementing number can be used for , but it's strongly +recommended to use YYYYMMDD (date --utc +%Y%m%d) and follow it by an +strictly incrementing arbitrary revision number (typically '.1'). The supplied +git hash can be abbreviated, but must be unique (see git describe, without +leading 'g'). 
+ +The debian/rules get-orig-source target will automatically switch between +hostapd-1.git and hostapd.git (for >= 2.0) as needed, but it will only fetch +the explicitly specified version from a properly formatted, top most, +debian/changelog entry; it will not fetch the last upstream release or git +HEAD automatically. + + +The Debian packaging for wpa_supplicant/ hostapd is maintained in a subversion +repository at: + + Vcs-Svn: svn://anonscm.debian.org/svn/pkg-wpa/wpa/trunk/ + Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-wpa/wpa/trunk/ + +The development mailing list and its mailing list archive is located at: + + http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-wpa-devel + +Work for the wpa package can be coordinated on this mailing list through: + + Debian wpasupplicant Maintainers + + -- Stefan Lippers-Hollmann Sat, 28 Dec 2013 22:37:03 +0100 + +[1] http://hostap.epitest.fi/gitweb/gitweb.cgi?p=hostap-1.git [1.x branch] + http://hostap.epitest.fi/gitweb/gitweb.cgi?p=hostap.git [development] diff --git a/debian/changelog.hostapd b/debian/changelog.hostapd new file mode 100644 index 0000000..02f678b --- /dev/null +++ b/debian/changelog.hostapd 
@@ -0,0 +1,483 @@ +hostapd (1:0.7.3-5) UNRELEASED; urgency=low + + * NOT RELEASED YET + * bump standards version to 3.9.3, no changes necessary. + * update dep-5 version to final 1.0: + - add format qualifier + - s/Upstream-Maintainer/Upstream-Contact/ + - s/Upstream-Source/Source/ + - use "or" instead of "BSD | GPL-2" for dual-licensed sources + - order licenses alphabetically. + - fix lists of copyright holders for the final syntax + - fix license continuation. + + -- Stefan Lippers-Hollmann Mon, 27 Feb 2012 22:07:19 +0100 + +hostapd (1:0.7.3-4) unstable; urgency=low + + * add myself to uploaders. + * add "hostap: Allow linking with libnl-3" from Ben Greear + to allow building against libnl3 3.2. + * switch build dependency from libnl-dev (libnl1) to libnl-3-dev && + libnl-genl-3-dev accordingly. + * add libpcap-dev and libbsd-dev to kFreeBSD specific build-depends. + * disable IAPP on kFreeBSD, to avoid FTBS. + * restrict hostapd to linux-any and kfreebsd-any, hurd lacks kernel support. + * raise versioned build-dependency to (>= 3.2.3-2~), we need + libnl-genl-3-200-udeb and expect it in /lib/. + * add "For MS-CHAP, convert the password from UTF-8 to UCS-2" from + Evan Broder , accepted upstream into hostap-1.git + * fix long description, driver_madwifi is no longer enabled, while driver_bsd + got enabled. + + -- Stefan Lippers-Hollmann Tue, 20 Dec 2011 02:51:49 +0100 + +hostapd (1:0.7.3-3) unstable; urgency=low + + [ Kel Modderman ] + * Use /run/sendsigs.omit.d/ for sendsigs omission pid file and depend on + initscripts (>= 2.88dsf-13.3). (Closes: #633026) + * Migrate existing sendsigs omission pid files from /lib/init/rw to /run. + * Add a loop to ifupdown.sh to wait for creation of hostapd pid file before + attempting creation of sensigs omission pid file, in some cases hostapd + daemon can return before creation of the pid file has been written to disk. + * Adjust standards version to 3.9.2, no further changes required to + satisfy that. 
+ * Only test that DAEMON_CONF is set in init.d script, do not test if what is + set is readable (which assumes only one configuration file is being used). + (Closes: #615821) + + [ Stefan Lippers-Hollmann ] + * use new anonscm URIs for alioth. + + -- Kel Modderman Sun, 11 Dec 2011 20:32:06 +1000 + +hostapd (1:0.7.3-2) unstable; urgency=low + + * upload to unstable + + -- Jan Dittberner Sun, 06 Feb 2011 13:20:42 +0100 + +hostapd (1:0.7.3-1) experimental; urgency=low + + * New upstream release, upstream declares this as the new stable release. + * debian/control: update Standards-Version to 3.9.1 (no changes + necessary) + * debian/copyright: include license text of the BSD license variant, + add myself to the list of copyright holders for the debian/* files + * add debian/hostapd.lintian-overrides and install it as + /usr/share/lintian/overrides/hostapd to fix possible-gpl-code-linked- + with-openssl Lintian error + + -- Jan Dittberner Tue, 07 Sep 2010 20:43:01 +0200 + +hostapd (1:0.7.2-2) experimental; urgency=low + + * disable madwifi driver + - remove debian/driver_madwifi + - disable madwifi driver in debian/config/linux + + -- Jan Dittberner Tue, 27 Apr 2010 21:09:08 +0200 + +hostapd (1:0.7.2-1) experimental; urgency=low + + * New upstream release + * debian/control: add myself to Uploaders + * update debian/watch to track version 0.7.x + * disable debian/patches/DTIM.patch that does not apply to current upstream + sources + + -- Jan Dittberner Mon, 26 Apr 2010 20:21:00 +0200 + +hostapd (1:0.6.10-2) unstable; urgency=low + + * Switch to source format 3.0 (quilt). + * Add DTIM.patch, cherry picked from upstream, which works around + problem setting DTIM period too early causing hostapd to bail out + unceremoniously. (Closes: #570116) + * Fix syntax error in ifupdown.sh. (Closes: #571029) + + -- Kel Modderman Wed, 24 Feb 2010 19:36:11 +1000 + +hostapd (1:0.6.10-1) unstable; urgency=low + + * New upstream release. 
+ - drop all patches applied upstream + * Install hostapd_cli to /usr/sbin/ from /usr/bin/, as it requires + explicit permissions to be usable by non-admin. + * Support the status command in init.d script. Depend on lsb-base (>= + 3.2-13) for status_of_proc. Patch thanks to Peter Eisentraut. + (Closes: #535633) + * Add debian/README.source to describe use of quilt patch system. + * Increase Standards-Version to 3.8.4 without extra changes. + * Reduce debian/rules by tweaking the sequence of a few things and + using the --sourcedirectory option of dh in debhelper (>= 7.3.7~). + Build-Depend on that debhelper version. + * No longer install /etc/hostapd/hostapd.conf per default as there are + no sane defaults. Instead provide the configuration as an example + only and take care to remove previously installed conffiles which + remain unedited on upgrade. + * Clean up init.d script a bit by using existence of hostapd daemon + configuration file as defined in /etc/default/hostapd as conditional + for starting instead of magic RUN_DAEMON variable. + * Update README.Debian to contain information about the example + hostapd.conf file. + * Remove Reinhard Tartler from uploaders at his request. Thanks for + past contribution. + * Remove uupdate command from debian/watch, unused by maintainer. + * Adjust debian/watch to scan for the 0.6.X stable releases only. + + -- Kel Modderman Thu, 11 Feb 2010 14:49:44 +1000 + +hostapd (1:0.6.9-3) unstable; urgency=low + + * Change Maintainer to pkg-wpa-devel team and add Reinhard and myself + to Uploaders to better reflect the organisation which makes the package + available. 
+ * Import upstream patches: + - hostap_reuse_existing_ctrl_iface_socket.patch allows to reuse ctrl + interface sockets left over as result of unclean shutdown + - hostap_reject_conf_without_channel_nl80211.patch adds code to reject + configurations which use nl80211 driver without setting a channel + because this will always fail for the time being + * Build-Depend on quilt >= 0.46-7 for dh integration. + * Update debian/control long description to mention mac80211 based + drivers. Thanks to Jan Braunisch for noticing. + * Also remove reference to the Prism54 driver in package long + description, we do not support it. + + -- Kel Modderman Sun, 17 May 2009 04:35:12 +1000 + +hostapd (1:0.6.9-2) unstable; urgency=low + + * Enable CONFIG_IEEE80211W, IEEE 802.11w (management frame + protection). (Closes: #522328) + + -- Kel Modderman Fri, 03 Apr 2009 07:07:06 +1000 + +hostapd (1:0.6.9-1) unstable; urgency=low + + [ Kel Modderman ] + * New upstream release. (Closes: #521142) + * Document copyright errata of hostapd/driver_atheros.c in + debian/copyright. + - activate nl80211 driver backend (Closes: #429734) + - deactivate prism54 driver, it is now working. Do not mention it + in README.Debian (Closes: #475451) + * Add build dependency of libnl-dev (>= 1.1) for the nl80211 driver + backend. + * Remove need for patch system. + - ship madwifi headers in debian/driver_madwifi + - use sed to patch hostapd.conf in order to change /etc/hostapd.* to + /etc/hostapd/* + - copy in build configuration from debian/config/$(DEB_HOST_ARCH_OS) + to hostapd/.config rather than using a patch + * Add support for kfreebsd build by providing debian/config/kfreebsd + without Linux specific build options. + * Use dh-centric debian/rules and build-depend on debhelper (>= 7.0.50) + in order to take advantage of the override_dh_* feature. + * Bump debian/compat to 7. + * Adjust Standards-Version to 3.8.0, no further changes needed. + * Use machine parsable debian/copyright format. 
+ * Add debian/manpages instead of using explicit dh_installmanpages + command in debian/rules. + * Rename debian/lintian-overrides to debian/hostapd.lintian-overrides + so that dh_lintian automatically picks it up. + * Bump Standards-Version to 3.8.1, no other changes required. + * Remove var/run/hostapd and usr/share/lintian/overrides from + debian/dirs. hostapd is able to create its own directory for unix + sockets (and that may be anywhere admin decides) and lintian stuff + is taken care of by debhelper now. + * Update copyright information in debian/ifupdown.sh + + [ Faidon Liambotis ] + * Switch Maintainer/Uploaders roles with Kel; he's the de facto maintainer + nowadays, he may as well listed as such. + + -- Faidon Liambotis Sun, 29 Mar 2009 21:37:22 +0300 + +hostapd (1:0.5.10-1) unstable; urgency=low + + * New upstream release. + * Document the two methods of managing hostapd in README.Debian. Also add a + hint to /etc/default/hostapd to consult README.Debian for more + information. (Closes: #443786) + * Cleanup of debian/rules, actually honor nostrip by specifying default + CFLAGS when invoking make. Remove redundant commented out content. + * Fix incorrect LSB dependency information, hostapd now requires $remote_fs + virtual facility for start and stop. Thanks to Petter Reinholdtsen. + (Closes: #466283) + + -- Kel Modderman Tue, 11 Mar 2008 12:36:03 +1000 + +hostapd (1:0.5.9-1) unstable; urgency=low + + * New upstream release. + * Bumped to Standards-Version 3.7.3, no changed needed. + * Switched to Vcs-* instead of XS-Vcs. + * Added Homepage field. + * Refer to GPL-2 explicitely, as this is a GPL v2-only software. + * Remove remnants of patches for dscape/mac80211. + * Update to madwifi 0.9.3.3 headers; no functional changes. + + -- Faidon Liambotis Wed, 12 Dec 2007 03:43:13 +0200 + +hostapd (1:0.5.8-1) unstable; urgency=low + + [ Kel Modderman ] + * New upstream release. + * Add bash script to prepare madwifi_headers.patch. 
+ * patches/20_madwifi_headers.dpatch made from madwifi 0.9.3, which is what + is currently in the archive, and stable upstream release. + (Closes: #408642) + * Rename 21_madwifi_includes.dpatch to 21_madwifi_enable.dpatch. + * Make our new mac80211 header dpatches similar to that of madwifi; keep + upstream include directory tree intact and modify CFLAGS. + * Refresh our build config with upstreams current defconfig. + * CONFIG_STAKEY is deprecated in favour of CONFIG_PEERKEY. + + [ Faidon Liambotis ] + * Remove upgrade paths from pre-etch versions, we only support incremental + updates. Fix a lintian error in the process. + * Don't ignore "make clean" errors, if they exist; fixes a lintian warning. + + -- Faidon Liambotis Tue, 24 Jul 2007 17:43:44 +0300 + +hostapd (1:0.5.7-1) unstable; urgency=low + + * New upstream release. + * Drop backported code included in this upstream release. + * Bump debhelper compat level to 5, no other changes required. + * Include ifupdown integration; it is now possible to start + hostapd via a /etc/network/interfaces line such as: + 'hostapd /etc/hostapd/hostapd.conf' + for any given interface. The daemon will start in pre-up phase of ifup, + and be killed in post-down phase of ifdown. A pidfile of + /var/run/hostapd.$IFACE.pid will be created for each interface's daemon. + * Add XS-Vcs fields to debian/control. + * Change of Uploader email address in debian/control. + * Update madwifi includes to r2157 upstream madwifi.org/trunk. + * Update debian/copyright with new upstream URL, contact information and + copyright years. + * Modify debian/watch file for new upstream release URL. + * Make debian/watch version 3, remove useless comments from file. + + -- Kel Modderman Mon, 09 Apr 2007 18:31:22 +1000 + +hostapd (1:0.5.5-3.1) unstable; urgency=high + + * Non-maintainer upload. + * Urgency high for RC bugfix. 
+ * Backport hostapd.c fix from CVS: (Closes: #398466) + - Allow hostapd_flush_old_stations to fail, otherwise configuration + of unencrypted modes failed with madwifi. (1.168) + The correct setup is handled by the backported fixes in the + previous revision. + + -- Matt Brown Sat, 9 Dec 2006 11:03:47 +1300 + +hostapd (1:0.5.5-3) unstable; urgency=medium + + * Update madwifi headers to r1757. + * Backport driver_madwifi.c fixes from CVS: + - Set forgotten im_op for sta_disassoc handlers (1.49) + - Fixed configuration of unencrypted modes (plaintext and IEEE 802.1X + without WEP) (1.51) + * Urgency medium because of a bugfix revision. + + -- Faidon Liambotis Sun, 12 Nov 2006 02:37:43 +0200 + +hostapd (1:0.5.5-2) unstable; urgency=low + + * Versioned dependency on lsb-base (>= 3.0-3) for log_daemon_message used in + hostapd init script. (Closes: #386156) + + -- Kel Modderman Wed, 6 Sep 2006 14:31:14 +1000 + +hostapd (1:0.5.5-1) unstable; urgency=low + + [ Kel Modderman ] + * New upstream release. + * Allow hostapd to install, by first checking for existence of + /etc/hostapd/hostapd.conf before attempting to change permissions. + + [ Faidon Liambotis ] + * Also fix ownership of hostapd.conf on upgrades. + + -- Faidon Liambotis Tue, 29 Aug 2006 15:29:47 +0300 + +hostapd (1:0.5.4-1) unstable; urgency=low + + [ Kel Modderman ] + * New upstream release. (Closes: #378703) + * Add LSB INIT info header to init script, as per specs. Source lsb-base + init functions, use them to report daemon status in a standard way. + (Closes: #376327) + * Add dpatch (30_hostapd_pidfile) to allow hostapd process to create a pid + file when daemonized. + * The init daemon now creates a pid file at /var/run/hostapd.pid. + * Allow multiple configuration files to be given to hostapd via + /etc/default/hostapd, enabling the possibility of managing multiple + interfaces with one process. 
If the configuration files are not specified + use /etc/hostapd/hostapd.conf to preserve backwards compatability. + This also allows the user to use a single configuration file != + /etc/hostapd/hostapd.conf. (Closes: #377054) + * Add 'reload' option to init script. Send HUP signal to hostapd, causing it + to reload its configuration file. + * Add some extra DAEMON_OPTIONS hints to the /etc/default/hostapd file. + * Set hostapd.conf permissions to 0600, it may contain sensitive details. + (Closes: #380632) + * Update madwifi headers to r1705. This should ensure maximum compatibility + with the madwifi-source package currently available. (Closes: #384504) + * Slightly change the way madwifi is activated, add an extra CFLAG instead of + hardcoding the paths to the headers in driver_madwifi.c. + * Add myself to uploaders. + + [ Faidon Liambotis ] + * Fixes a potential DoS fix in RSN preauthentication (upstream bug #152). + * Add lintian override for hostapd.conf unusual permissions. + * Exclude hostapd.conf from dh_fixperms. + * Fix permissions of hostapd.conf retroactively in upgrades. + + -- Faidon Liambotis Fri, 25 Aug 2006 04:28:00 +0300 + +hostapd (1:0.5.3-1) unstable; urgency=low + + * New upstream release + - Fix some warnings when compiling with GCC 4.1. + - Adapt 12_conf_etc_hostapd.dpatch to the new hostapd.conf. + * Include the test driver, for debugging purposes. (Closes: #372107) + * Delete unmodified obsolete conffiles when upgrading from a previous + version (namely, hostapd.{accept,deny}). + Thanks to Lars Wirzenius and piuparts! (Closes: #353191) + * Update madwifi-ng headers to version 0.9.0. + * Remove the suggestion of hostap-modules, hostap is merged to the latest + 2.6 kernels and it's one of the many options anyway. + * Changed maintainer's e-mail address. + * Updated Standards-Version to 3.7.2, no changes needed. 
+ + -- Faidon Liambotis Fri, 9 Jun 2006 03:23:23 +0300 + +hostapd (1:0.5.0-1) unstable; urgency=low + + * New upstream release + - Removed patch 01-prism54-hostap_common, merged upstream. + * Update madwifi headers to madwifi-ng, rev1390. + * Updated 'Standards-Version' to 3.6.2.2 (no changes). + + -- Faidon Liambotis Thu, 5 Jan 2006 02:13:17 +0200 + +hostapd (1:0.4.5-2) unstable; urgency=low + + * No changes, previous version appeared as an NMU. + + -- Faidon Liambotis Tue, 11 Oct 2005 19:15:27 +0300 + +hostapd (1:0.4.5-1) unstable; urgency=low + + * New upstream release + - added experimental support for EAP-PSK + - added support for WE-19 + * Update madwifi headers to the latest CVS. (Closes: #326893) + * README.Debian: + - Document that in-kernel versions of prism54 won't work. (Closes: #315852) + - Mention Prism2/2.5/3.0's STA firmware limitations. + * Updated 'Standards-Version' to 3.6.2.1 (no changes). + + -- Faidon Liambotis Mon, 10 Oct 2005 15:55:13 +0300 + +hostapd (1:0.4.2-1) unstable; urgency=low + + * New upstream release + - Manpages incorporated upstream. + - Removed patches 01_makefile, 02_conf_wpa_to_hostapd, 03_usage_cleanup, + accepted upstream. + - Adapted patch 21_madwifi_includes + - Added support for RADIUS over IPv6 + - Added support for EAP-PAX + * Removed /etc/hostapd/hostapd.accept & hostapd.deny, now shipping all + example configuration files to /usr/share/doc/hostapd/examples/ + + -- Faidon Liambotis Wed, 15 Jun 2005 18:23:33 +0300 + +hostapd (1:0.3.7-2) unstable; urgency=medium + + * Better handling of patching upstream using dpatch. + * Added madwifi support. + Hack stolen from wpasupplicant, thanks to Kyle McMartin. + * Changed hostapd_cli path to /usr/bin/ from /usr/sbin/. + * Report failed start of hostapd when starting from the init.d script. + (Closes: #303206). + * Added hostapd(8) and hostapd_cli(1) manpages. + Now lintian & linda clean ;) + * Cleaned-up hostapd/hostapd_cli usage information. 
+ + -- Faidon Liambotis Mon, 11 Apr 2005 11:53:58 +0300 + +hostapd (1:0.3.7-1) unstable; urgency=medium + + * New upstream release + - Changed license to Dual GPL/BSD. + - New tool hostapd_cli for command-line administration. + * Adapt description to reflect new features. + * Now Suggesting instead of Recommending hostap-modules, hostapd can now + work with other drivers. + + -- Faidon Liambotis Wed, 23 Feb 2005 10:12:06 +0200 + +hostapd (1:0.2.6-1) unstable; urgency=low + + * New upstream release. + * Modified description to match v0.2.x features. + * Modified debian/rules to use 'dh_install'. + * Removed source code documentation from /usr/share/doc/. + + -- Faidon Liambotis Tue, 28 Dec 2004 19:01:26 +0200 + +hostapd (1:0.2.5-1) unstable; urgency=low + + * Adopted by new maintainer (Closes: #265332). + * New upstream release (Closes: #255302). + * Create init.d script disabled by default + via /etc/default/hostapd (Closes: #208027). + * Updated 'Standards-Version' to 3.6.1. + * Other minor bugfixes. + + -- Faidon Liambotis Thu, 18 Nov 2004 18:11:57 +0200 + +hostapd (1:0.1.3-2) unstable; urgency=low + + * Orphaned + + -- Francois Gurin Thu, 12 Aug 2004 14:18:11 -0400 + +hostapd (1:0.1.3-1) unstable; urgency=low + + * New upstream release + + -- Francois Gurin Sun, 4 Apr 2004 19:05:28 -0400 + +hostapd (1:0.1.0-4) unstable; urgency=low + + * changed depends to recommends. + + -- Francois Gurin Mon, 8 Dec 2003 15:12:45 -0500 + +hostapd (1:0.1.0-3) unstable; urgency=low + + * fixed a pebcak issue with upload + + -- Francois Gurin Mon, 27 Oct 2003 01:37:06 -0500 + +hostapd (1:0.1.0-2) unstable; urgency=low + + * fixed version epoch + + -- Francois Gurin Mon, 27 Oct 2003 00:52:01 -0500 + +hostapd (0.1.0-1) unstable; urgency=low + + * Initial Release. + + -- Francois Gurin Sun, 26 Oct 2003 04:55:36 -0500 + diff --git a/debian/clean b/debian/clean new file mode 100644 index 0000000..d6c8109 --- /dev/null +++ b/debian/clean 
@@ -0,0 +1,3 @@
+wpa_supplicant/.config
+hostapd/.config
+wpa_supplicant/wpa_supplicant-udeb
diff --git a/debian/config/hostapd/kfreebsd b/debian/config/hostapd/kfreebsd
new file mode 100644
index 0000000..e3df9f2
--- /dev/null
+++ b/debian/config/hostapd/kfreebsd
@@ -0,0 +1,401 @@ +# Debian hostapd build time configuration +# +# This file lists the configuration options that are used when building the +# hostapd binary. All lines starting with # are ignored. Configuration option +# lines must be commented out complete, if they are not to be included, i.e., +# just setting VARIABLE=n is not disabling that variable. +# +# This file is included in Makefile, so variables like CFLAGS and LIBS can also +# be modified from here. In most cass, these lines should use += in order not +# to override previous values of the variables. + +# Driver interface for Host AP driver +#CONFIG_DRIVER_HOSTAP=y + +# Driver interface for wired authenticator +CONFIG_DRIVER_WIRED=y + +# Driver interface for drivers using the nl80211 kernel interface +#CONFIG_DRIVER_NL80211=y + +# QCA vendor extensions to nl80211 +#CONFIG_DRIVER_NL80211_QCA=y + +# driver_nl80211.c requires libnl. If you are compiling it yourself +# you may need to point hostapd to your version of libnl. +# +#CFLAGS += -I$ +#LIBS += -L$ + +# Use libnl v2.0 (or 3.0) libraries. 
+#CONFIG_LIBNL20=y + +# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored) +#CONFIG_LIBNL32=y + + +# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver) +CONFIG_DRIVER_BSD=y +#CFLAGS += -I/usr/local/include +#LIBS += -L/usr/local/lib +#LIBS_p += -L/usr/local/lib +#LIBS_c += -L/usr/local/lib + +# Driver interface for no driver (e.g., RADIUS server only) +CONFIG_DRIVER_NONE=y + +# IEEE 802.11F/IAPP +#CONFIG_IAPP=y + +# WPA2/IEEE 802.11i RSN pre-authentication +CONFIG_RSN_PREAUTH=y + +# IEEE 802.11w (management frame protection) +CONFIG_IEEE80211W=y + +# Support Operating Channel Validation +#CONFIG_OCV=y + +# Integrated EAP server +CONFIG_EAP=y + +# EAP Re-authentication Protocol (ERP) in integrated EAP server +CONFIG_ERP=y + +# EAP-MD5 for the integrated EAP server +CONFIG_EAP_MD5=y + +# EAP-TLS for the integrated EAP server +CONFIG_EAP_TLS=y + +# EAP-MSCHAPv2 for the integrated EAP server +CONFIG_EAP_MSCHAPV2=y + +# EAP-PEAP for the integrated EAP server +CONFIG_EAP_PEAP=y + +# EAP-GTC for the integrated EAP server +CONFIG_EAP_GTC=y + +# EAP-TTLS for the integrated EAP server +CONFIG_EAP_TTLS=y + +# EAP-SIM for the integrated EAP server +CONFIG_EAP_SIM=y + +# EAP-AKA for the integrated EAP server +CONFIG_EAP_AKA=y + +# EAP-AKA' for the integrated EAP server +# This requires CONFIG_EAP_AKA to be enabled, too. 
+CONFIG_EAP_AKA_PRIME=y + +# EAP-PAX for the integrated EAP server +CONFIG_EAP_PAX=y + +# EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK) +CONFIG_EAP_PSK=y + +# EAP-pwd for the integrated EAP server (secure authentication with a password) +CONFIG_EAP_PWD=y + +# EAP-SAKE for the integrated EAP server +CONFIG_EAP_SAKE=y + +# EAP-GPSK for the integrated EAP server +CONFIG_EAP_GPSK=y +# Include support for optional SHA256 cipher suite in EAP-GPSK +CONFIG_EAP_GPSK_SHA256=y + +# EAP-FAST for the integrated EAP server +# Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed +# for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g., +# with openssl-0.9.8x-tls-extensions.patch, to add the needed functions. +CONFIG_EAP_FAST=y + +# Wi-Fi Protected Setup (WPS) +CONFIG_WPS=y +# Enable UPnP support for external WPS Registrars +CONFIG_WPS_UPNP=y +# Enable WPS support with NFC config method +CONFIG_WPS_NFC=y + +# EAP-IKEv2 +CONFIG_EAP_IKEV2=y + +# Trusted Network Connect (EAP-TNC) +CONFIG_EAP_TNC=y + +# EAP-EKE for the integrated EAP server +CONFIG_EAP_EKE=y + +# PKCS#12 (PFX) support (used to read private key and certificate file from +# a file that usually has extension .p12 or .pfx) +CONFIG_PKCS12=y + +# RADIUS authentication server. This provides access to the integrated EAP +# server from external hosts using RADIUS. +CONFIG_RADIUS_SERVER=y + +# Build IPv6 support for RADIUS operations +CONFIG_IPV6=y + +# IEEE Std 802.11r-2008 (Fast BSS Transition) +CONFIG_IEEE80211R=y + +# Use the hostapd's IEEE 802.11 authentication (ACL), but without +# the IEEE 802.11 Management capability (e.g., FreeBSD/net80211) +#CONFIG_DRIVER_RADIUS_ACL=y + +# IEEE 802.11n (High Throughput) support +CONFIG_IEEE80211N=y + +# Wireless Network Management (IEEE Std 802.11v-2011) +# Note: This is experimental and not complete implementation. 
+CONFIG_WNM=y + +# IEEE 802.11ac (Very High Throughput) support +CONFIG_IEEE80211AC=y + +# IEEE 802.11ax HE support +# Note: This is experimental and work in progress. The definitions are still +# subject to change and this should not be expected to interoperate with the +# final IEEE 802.11ax version. +#CONFIG_IEEE80211AX=y + +# Remove debugging code that is printing out debug messages to stdout. +# This can be used to reduce the size of the hostapd considerably if debugging +# code is not needed. +#CONFIG_NO_STDOUT_DEBUG=y + +# Add support for writing debug log to a file: -f /tmp/hostapd.log +# Disabled by default. +CONFIG_DEBUG_FILE=y + +# Send debug messages to syslog instead of stdout +#CONFIG_DEBUG_SYSLOG=y + +# Add support for sending all debug messages (regardless of debug verbosity) +# to the Linux kernel tracing facility. This helps debug the entire stack by +# making it easy to record everything happening from the driver up into the +# same file, e.g., using trace-cmd. +#CONFIG_DEBUG_LINUX_TRACING=y + +# Remove support for RADIUS accounting +#CONFIG_NO_ACCOUNTING=y + +# Remove support for RADIUS +#CONFIG_NO_RADIUS=y + +# Remove support for VLANs +#CONFIG_NO_VLAN=y + +# Enable support for fully dynamic VLANs. This enables hostapd to +# automatically create bridge and VLAN interfaces if necessary. +#CONFIG_FULL_DYNAMIC_VLAN=y + +# Use netlink-based kernel API for VLAN operations instead of ioctl() +# Note: This requires libnl 3.1 or newer. +CONFIG_VLAN_NETLINK=y + +# Remove support for dumping internal state through control interface commands +# This can be used to reduce binary size at the cost of disabling a debugging +# option. +#CONFIG_NO_DUMP_STATE=y + +# Enable tracing code for developer debugging +# This tracks use of memory allocations and other registrations and reports +# incorrect use with a backtrace of call (or allocation) location. +#CONFIG_WPA_TRACE=y +# For BSD, comment out these. 
+#LIBS += -lexecinfo +#LIBS_p += -lexecinfo +#LIBS_c += -lexecinfo + +# Use libbfd to get more details for developer debugging +# This enables use of libbfd to get more detailed symbols for the backtraces +# generated by CONFIG_WPA_TRACE=y. +#CONFIG_WPA_TRACE_BFD=y +# For BSD, comment out these. +#LIBS += -lbfd -liberty -lz +#LIBS_p += -lbfd -liberty -lz +#LIBS_c += -lbfd -liberty -lz + +# hostapd depends on strong random number generation being available from the +# operating system. os_get_random() function is used to fetch random data when +# needed, e.g., for key generation. On Linux and BSD systems, this works by +# reading /dev/urandom. It should be noted that the OS entropy pool needs to be +# properly initialized before hostapd is started. This is important especially +# on embedded devices that do not have a hardware random number generator and +# may by default start up with minimal entropy available for random number +# generation. +# +# As a safety net, hostapd is by default trying to internally collect +# additional entropy for generating random data to mix in with the data +# fetched from the OS. This by itself is not considered to be very strong, but +# it may help in cases where the system pool is not initialized properly. +# However, it is very strongly recommended that the system pool is initialized +# with enough entropy either by using hardware assisted random number +# generator or by storing state over device reboots. +# +# hostapd can be configured to maintain its own entropy store over restarts to +# enhance random number generation. This is not perfect, but it is much more +# secure than using the same sequence of random numbers after every reboot. +# This can be enabled with -e command line option. The specified +# file needs to be readable and writable by hostapd. 
+# +# If the os_get_random() is known to provide strong random data (e.g., on +# Linux/BSD, the board in question is known to have reliable source of random +# data from /dev/urandom), the internal hostapd random pool can be disabled. +# This will save some in binary size and CPU use. However, this should only be +# considered for builds that are known to be used on devices that meet the +# requirements described above. +#CONFIG_NO_RANDOM_POOL=y + +# Should we attempt to use the getrandom(2) call that provides more reliable +# yet secure randomness source than /dev/random on Linux 3.17 and newer. +# Requires glibc 2.25 to build, falls back to /dev/random if unavailable. +#CONFIG_GETRANDOM=y + +# Should we use poll instead of select? Select is used by default. +#CONFIG_ELOOP_POLL=y + +# Should we use epoll instead of select? Select is used by default. +#CONFIG_ELOOP_EPOLL=y + +# Should we use kqueue instead of select? Select is used by default. +#CONFIG_ELOOP_KQUEUE=y + +# Select TLS implementation +# openssl = OpenSSL (default) +# gnutls = GnuTLS +# internal = Internal TLSv1 implementation (experimental) +# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental) +# none = Empty template +CONFIG_TLS=openssl + +# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1) +# can be enabled to get a stronger construction of messages when block ciphers +# are used. +CONFIG_TLSV11=y + +# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2) +# can be enabled to enable use of stronger crypto algorithms. +CONFIG_TLSV12=y + +# Select which ciphers to use by default with OpenSSL if the user does not +# specify them. +#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW" + +# If CONFIG_TLS=internal is used, additional library and include paths are +# needed for LibTomMath. Alternatively, an integrated, minimal version of +# LibTomMath can be used. 
See beginning of libtommath.c for details on benefits +# and drawbacks of this option. +#CONFIG_INTERNAL_LIBTOMMATH=y +#ifndef CONFIG_INTERNAL_LIBTOMMATH +#LTM_PATH=/usr/src/libtommath-0.39 +#CFLAGS += -I$(LTM_PATH) +#LIBS += -L$(LTM_PATH) +#LIBS_p += -L$(LTM_PATH) +#endif +# At the cost of about 4 kB of additional binary size, the internal LibTomMath +# can be configured to include faster routines for exptmod, sqr, and div to +# speed up DH and RSA calculation considerably +#CONFIG_INTERNAL_LIBTOMMATH_FAST=y + +# Interworking (IEEE 802.11u) +# This can be used to enable functionality to improve interworking with +# external networks. +CONFIG_INTERWORKING=y + +# Hotspot 2.0 +CONFIG_HS20=y + +# Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file +#CONFIG_SQLITE=y + +# Enable Fast Session Transfer (FST) +CONFIG_FST=y + +# Enable CLI commands for FST testing +#CONFIG_FST_TEST=y + +# Testing options +# This can be used to enable some testing options (see also the example +# configuration file) that are really useful only for testing clients that +# connect to this hostapd. These options allow, for example, to drop a +# certain percentage of probe requests or auth/(re)assoc frames. +# +CONFIG_TESTING_OPTIONS=y + +# Automatic Channel Selection +# This will allow hostapd to pick the channel automatically when channel is set +# to "acs_survey" or "0". Eventually, other ACS algorithms can be added in +# similar way. +# +# Automatic selection is currently only done through initialization, later on +# we hope to do background checks to keep us moving to more ideal channels as +# time goes by. ACS is currently only supported through the nl80211 driver and +# your driver must have survey dump capability that is filled by the driver +# during scanning. +# +# You can customize the ACS survey algorithm with the hostapd.conf variable +# acs_num_scans. 
+# +# Supported ACS drivers: +# * ath9k +# * ath5k +# * ath10k +# +# For more details refer to: +# http://wireless.kernel.org/en/users/Documentation/acs +# +CONFIG_ACS=y + +# XXX: Debian #737465 +# fix FTBS using gcc-4.8 by linking with -ldl on kfreebsd-any. This is +# already accounted for by the upstream Makefile, however wrongly depending +# on !CONFIG_DRIVER_BSD, while it is actually depending on the target libc +# rather than the kernel. +LIBS += -ldl + +# Multiband Operation support +# These extentions facilitate efficient use of multiple frequency bands +# available to the AP and the devices that may associate with it. +CONFIG_MBO=y + +# Client Taxonomy +# Has the AP retain the Probe Request and (Re)Association Request frames from +# a client, from which a signature can be produced which can identify the model +# of client device like "Nexus 6P" or "iPhone 5s". +#CONFIG_TAXONOMY=y + +# Fast Initial Link Setup (FILS) (IEEE 802.11ai) +CONFIG_FILS=y +# FILS shared key authentication with PFS +CONFIG_FILS_SK_PFS=y + +# Include internal line edit mode in hostapd_cli. This can be used to provide +# limited command line editing and history support. +#CONFIG_WPA_CLI_EDIT=y + +# Opportunistic Wireless Encryption (OWE) +# Experimental implementation of draft-harkins-owe-07.txt +CONFIG_OWE=y + +# Airtime policy support +CONFIG_AIRTIME_POLICY=y + +# Device Provisioning Protocol (DPP) +CONFIG_DPP=y + +# Simultaneous Authentication of Equals (SAE) +CONFIG_SAE=y + +# WPA3-Enterprise (SuiteB-192) +CONFIG_SUITEB=y +CONFIG_SUITEB192=y + +# Override default value for the wpa_disable_eapol_key_retries configuration +# parameter. See that parameter in hostapd.conf for more details. +#CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1 diff --git a/debian/config/hostapd/linux b/debian/config/hostapd/linux new file mode 100644 index 0000000..126b856 --- /dev/null +++ b/debian/config/hostapd/linux 
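Review bot: `CONFIG_TESTING_OPTIONS=y` is switched on in this packaged build even though the comment directly above it says the options are "really useful only for testing clients" and can, for example, drop a percentage of probe requests or auth/(re)assoc frames. The same line is enabled in the debian/config/hostapd/linux hunk. Whether anything in the package relies on it is not visible from here; if nothing does, I would ship it as `#CONFIG_TESTING_OPTIONS=y` so that test-only behaviour cannot be reached from a production hostapd.conf. If it has to stay, add a comment above it naming what needs it, e.g. `# Kept enabled for <reason>; never set the test-only options in a production hostapd.conf`.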
@@ -0,0 +1,419 @@ +# Debian hostapd build time configuration +# +# This file lists the configuration options that are used when building the +# hostapd binary. All lines starting with # are ignored. Configuration option +# lines must be commented out complete, if they are not to be included, i.e., +# just setting VARIABLE=n is not disabling that variable. +# +# This file is included in Makefile, so variables like CFLAGS and LIBS can also +# be modified from here. In most cass, these lines should use += in order not +# to override previous values of the variables. + +# Driver interface for Host AP driver +CONFIG_DRIVER_HOSTAP=y + +# Driver interface for wired authenticator +CONFIG_DRIVER_WIRED=y + +# Driver interface for drivers using the nl80211 kernel interface +CONFIG_DRIVER_NL80211=y + +# QCA vendor extensions to nl80211 +#CONFIG_DRIVER_NL80211_QCA=y + +# driver_nl80211.c requires libnl. If you are compiling it yourself +# you may need to point hostapd to your version of libnl. +# +#CFLAGS += -I$ +#LIBS += -L$ + +# Use libnl v2.0 (or 3.0) libraries. 
+#CONFIG_LIBNL20=y + +# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored) +CONFIG_LIBNL32=y + + +# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver) +#CONFIG_DRIVER_BSD=y +#CFLAGS += -I/usr/local/include +#LIBS += -L/usr/local/lib +#LIBS_p += -L/usr/local/lib +#LIBS_c += -L/usr/local/lib + +# Driver interface for no driver (e.g., RADIUS server only) +CONFIG_DRIVER_NONE=y + +# IEEE 802.11F/IAPP +CONFIG_IAPP=y + +# WPA2/IEEE 802.11i RSN pre-authentication +CONFIG_RSN_PREAUTH=y + +# IEEE 802.11w (management frame protection) +CONFIG_IEEE80211W=y + +# Support Operating Channel Validation +#CONFIG_OCV=y + +# Integrated EAP server +CONFIG_EAP=y + +# EAP Re-authentication Protocol (ERP) in integrated EAP server +CONFIG_ERP=y + +# EAP-MD5 for the integrated EAP server +CONFIG_EAP_MD5=y + +# EAP-TLS for the integrated EAP server +CONFIG_EAP_TLS=y + +# EAP-MSCHAPv2 for the integrated EAP server +CONFIG_EAP_MSCHAPV2=y + +# EAP-PEAP for the integrated EAP server +CONFIG_EAP_PEAP=y + +# EAP-GTC for the integrated EAP server +CONFIG_EAP_GTC=y + +# EAP-TTLS for the integrated EAP server +CONFIG_EAP_TTLS=y + +# EAP-SIM for the integrated EAP server +CONFIG_EAP_SIM=y + +# EAP-AKA for the integrated EAP server +CONFIG_EAP_AKA=y + +# EAP-AKA' for the integrated EAP server +# This requires CONFIG_EAP_AKA to be enabled, too. 
+CONFIG_EAP_AKA_PRIME=y + +# EAP-PAX for the integrated EAP server +CONFIG_EAP_PAX=y + +# EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK) +CONFIG_EAP_PSK=y + +# EAP-pwd for the integrated EAP server (secure authentication with a password) +CONFIG_EAP_PWD=y + +# EAP-SAKE for the integrated EAP server +CONFIG_EAP_SAKE=y + +# EAP-GPSK for the integrated EAP server +CONFIG_EAP_GPSK=y +# Include support for optional SHA256 cipher suite in EAP-GPSK +CONFIG_EAP_GPSK_SHA256=y + +# EAP-FAST for the integrated EAP server +CONFIG_EAP_FAST=y + +# EAP-TEAP for the integrated EAP server +# Note: The current EAP-TEAP implementation is experimental and should not be +# enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number +# of conflicting statements and missing details and the implementation has +# vendor specific workarounds for those and as such, may not interoperate with +# any other implementation. This should not be used for anything else than +# experimentation and interoperability testing until those issues has been +# resolved. +#CONFIG_EAP_TEAP=y + +# Wi-Fi Protected Setup (WPS) +CONFIG_WPS=y +# Enable UPnP support for external WPS Registrars +CONFIG_WPS_UPNP=y +# Enable WPS support with NFC config method +CONFIG_WPS_NFC=y + +# EAP-IKEv2 +CONFIG_EAP_IKEV2=y + +# Trusted Network Connect (EAP-TNC) +CONFIG_EAP_TNC=y + +# EAP-EKE for the integrated EAP server +CONFIG_EAP_EKE=y + +# PKCS#12 (PFX) support (used to read private key and certificate file from +# a file that usually has extension .p12 or .pfx) +CONFIG_PKCS12=y + +# RADIUS authentication server. This provides access to the integrated EAP +# server from external hosts using RADIUS. 
+CONFIG_RADIUS_SERVER=y + +# Build IPv6 support for RADIUS operations +CONFIG_IPV6=y + +# IEEE Std 802.11r-2008 (Fast BSS Transition) +CONFIG_IEEE80211R=y + +# Use the hostapd's IEEE 802.11 authentication (ACL), but without +# the IEEE 802.11 Management capability (e.g., FreeBSD/net80211) +#CONFIG_DRIVER_RADIUS_ACL=y + +# IEEE 802.11n (High Throughput) support +CONFIG_IEEE80211N=y + +# Wireless Network Management (IEEE Std 802.11v-2011) +# Note: This is experimental and not complete implementation. +CONFIG_WNM=y + +# IEEE 802.11ac (Very High Throughput) support +CONFIG_IEEE80211AC=y + +# IEEE 802.11ax HE support +# Note: This is experimental and work in progress. The definitions are still +# subject to change and this should not be expected to interoperate with the +# final IEEE 802.11ax version. +#CONFIG_IEEE80211AX=y + +# Remove debugging code that is printing out debug messages to stdout. +# This can be used to reduce the size of the hostapd considerably if debugging +# code is not needed. +#CONFIG_NO_STDOUT_DEBUG=y + +# Add support for writing debug log to a file: -f /tmp/hostapd.log +# Disabled by default. +CONFIG_DEBUG_FILE=y + +# Send debug messages to syslog instead of stdout +#CONFIG_DEBUG_SYSLOG=y + +# Add support for sending all debug messages (regardless of debug verbosity) +# to the Linux kernel tracing facility. This helps debug the entire stack by +# making it easy to record everything happening from the driver up into the +# same file, e.g., using trace-cmd. +CONFIG_DEBUG_LINUX_TRACING=y + +# Remove support for RADIUS accounting +#CONFIG_NO_ACCOUNTING=y + +# Remove support for RADIUS +#CONFIG_NO_RADIUS=y + +# Remove support for VLANs +#CONFIG_NO_VLAN=y + +# Enable support for fully dynamic VLANs. This enables hostapd to +# automatically create bridge and VLAN interfaces if necessary. +CONFIG_FULL_DYNAMIC_VLAN=y + +# Use netlink-based kernel API for VLAN operations instead of ioctl() +# Note: This requires libnl 3.1 or newer. 
+CONFIG_VLAN_NETLINK=y + +# Remove support for dumping internal state through control interface commands +# This can be used to reduce binary size at the cost of disabling a debugging +# option. +#CONFIG_NO_DUMP_STATE=y + +# Enable tracing code for developer debugging +# This tracks use of memory allocations and other registrations and reports +# incorrect use with a backtrace of call (or allocation) location. +#CONFIG_WPA_TRACE=y +# For BSD, comment out these. +#LIBS += -lexecinfo +#LIBS_p += -lexecinfo +#LIBS_c += -lexecinfo + +# Use libbfd to get more details for developer debugging +# This enables use of libbfd to get more detailed symbols for the backtraces +# generated by CONFIG_WPA_TRACE=y. +#CONFIG_WPA_TRACE_BFD=y +# For BSD, comment out these. +#LIBS += -lbfd -liberty -lz +#LIBS_p += -lbfd -liberty -lz +#LIBS_c += -lbfd -liberty -lz + +# hostapd depends on strong random number generation being available from the +# operating system. os_get_random() function is used to fetch random data when +# needed, e.g., for key generation. On Linux and BSD systems, this works by +# reading /dev/urandom. It should be noted that the OS entropy pool needs to be +# properly initialized before hostapd is started. This is important especially +# on embedded devices that do not have a hardware random number generator and +# may by default start up with minimal entropy available for random number +# generation. +# +# As a safety net, hostapd is by default trying to internally collect +# additional entropy for generating random data to mix in with the data +# fetched from the OS. This by itself is not considered to be very strong, but +# it may help in cases where the system pool is not initialized properly. +# However, it is very strongly recommended that the system pool is initialized +# with enough entropy either by using hardware assisted random number +# generator or by storing state over device reboots. 
+# +# hostapd can be configured to maintain its own entropy store over restarts to +# enhance random number generation. This is not perfect, but it is much more +# secure than using the same sequence of random numbers after every reboot. +# This can be enabled with -e command line option. The specified +# file needs to be readable and writable by hostapd. +# +# If the os_get_random() is known to provide strong random data (e.g., on +# Linux/BSD, the board in question is known to have reliable source of random +# data from /dev/urandom), the internal hostapd random pool can be disabled. +# This will save some in binary size and CPU use. However, this should only be +# considered for builds that are known to be used on devices that meet the +# requirements described above. +#CONFIG_NO_RANDOM_POOL=y + +# Should we attempt to use the getrandom(2) call that provides more reliable +# yet secure randomness source than /dev/random on Linux 3.17 and newer. +# Requires glibc 2.25 to build, falls back to /dev/random if unavailable. +CONFIG_GETRANDOM=y + +# Should we use poll instead of select? Select is used by default. +#CONFIG_ELOOP_POLL=y + +# Should we use epoll instead of select? Select is used by default. +#CONFIG_ELOOP_EPOLL=y + +# Should we use kqueue instead of select? Select is used by default. +#CONFIG_ELOOP_KQUEUE=y + +# Select TLS implementation +# openssl = OpenSSL (default) +# gnutls = GnuTLS +# internal = Internal TLSv1 implementation (experimental) +# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental) +# none = Empty template +CONFIG_TLS=openssl + +# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1) +# can be enabled to get a stronger construction of messages when block ciphers +# are used. +CONFIG_TLSV11=y + +# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2) +# can be enabled to enable use of stronger crypto algorithms. 
+CONFIG_TLSV12=y + +# Select which ciphers to use by default with OpenSSL if the user does not +# specify them. +#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW" + +# If CONFIG_TLS=internal is used, additional library and include paths are +# needed for LibTomMath. Alternatively, an integrated, minimal version of +# LibTomMath can be used. See beginning of libtommath.c for details on benefits +# and drawbacks of this option. +#CONFIG_INTERNAL_LIBTOMMATH=y +#ifndef CONFIG_INTERNAL_LIBTOMMATH +#LTM_PATH=/usr/src/libtommath-0.39 +#CFLAGS += -I$(LTM_PATH) +#LIBS += -L$(LTM_PATH) +#LIBS_p += -L$(LTM_PATH) +#endif +# At the cost of about 4 kB of additional binary size, the internal LibTomMath +# can be configured to include faster routines for exptmod, sqr, and div to +# speed up DH and RSA calculation considerably +#CONFIG_INTERNAL_LIBTOMMATH_FAST=y + +# Interworking (IEEE 802.11u) +# This can be used to enable functionality to improve interworking with +# external networks. +CONFIG_INTERWORKING=y + +# Hotspot 2.0 +CONFIG_HS20=y + +# Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file +#CONFIG_SQLITE=y + +# Enable Fast Session Transfer (FST) +CONFIG_FST=y + +# Enable CLI commands for FST testing +#CONFIG_FST_TEST=y + +# Testing options +# This can be used to enable some testing options (see also the example +# configuration file) that are really useful only for testing clients that +# connect to this hostapd. These options allow, for example, to drop a +# certain percentage of probe requests or auth/(re)assoc frames. +# +CONFIG_TESTING_OPTIONS=y + +# Automatic Channel Selection +# This will allow hostapd to pick the channel automatically when channel is set +# to "acs_survey" or "0". Eventually, other ACS algorithms can be added in +# similar way. +# +# Automatic selection is currently only done through initialization, later on +# we hope to do background checks to keep us moving to more ideal channels as +# time goes by. 
ACS is currently only supported through the nl80211 driver and +# your driver must have survey dump capability that is filled by the driver +# during scanning. +# +# You can customize the ACS survey algorithm with the hostapd.conf variable +# acs_num_scans. +# +# Supported ACS drivers: +# * ath9k +# * ath5k +# * ath10k +# +# For more details refer to: +# http://wireless.kernel.org/en/users/Documentation/acs +# +CONFIG_ACS=y + +# Multiband Operation support +# These extensions facilitate efficient use of multiple frequency bands +# available to the AP and the devices that may associate with it. +CONFIG_MBO=y + +# Client Taxonomy +# Has the AP retain the Probe Request and (Re)Association Request frames from +# a client, from which a signature can be produced which can identify the model +# of client device like "Nexus 6P" or "iPhone 5s". +#CONFIG_TAXONOMY=y + +# Fast Initial Link Setup (FILS) (IEEE 802.11ai) +CONFIG_FILS=y +# FILS shared key authentication with PFS +CONFIG_FILS_SK_PFS=y + +# Include internal line edit mode in hostapd_cli. This can be used to provide +# limited command line editing and history support. +#CONFIG_WPA_CLI_EDIT=y + +# Opportunistic Wireless Encryption (OWE) +# Experimental implementation of draft-harkins-owe-07.txt +CONFIG_OWE=y + +# Airtime policy support +CONFIG_AIRTIME_POLICY=y + +# Device Provisioning Protocol (DPP) +CONFIG_DPP=y + +# Simultaneous Authentication of Equals (SAE) +CONFIG_SAE=y + +# WPA3-Enterprise (SuiteB-192) +CONFIG_SUITEB=y +CONFIG_SUITEB192=y + +# Airtime policy support +#CONFIG_AIRTIME_POLICY=y + +# Override default value for the wpa_disable_eapol_key_retries configuration +# parameter. See that parameter in hostapd.conf for more details. +#CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1 + +# Wired equivalent privacy (WEP) +# WEP is an obsolete cryptographic data confidentiality algorithm that is not +# considered secure. It should not be used for anything anymore. 
The +# functionality needed to use WEP is available in the current hostapd +# release under this optional build parameter. This functionality is subject to +# be completely removed in a future release. +#CONFIG_WEP=y + +# Remove all TKIP functionality +# TKIP is an old cryptographic data confidentiality algorithm that is not +# considered secure. It should not be used anymore. For now, the default hostapd +# build includes this to allow mixed mode WPA+WPA2 networks to be enabled, but +# that functionality is subject to be removed in the future. +#CONFIG_NO_TKIP=y diff --git a/debian/config/wpasupplicant/kfreebsd b/debian/config/wpasupplicant/kfreebsd new file mode 100644 index 0000000..18fb71c --- /dev/null +++ b/debian/config/wpasupplicant/kfreebsd 
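Review bot: Two comments in this hunk contradict the settings next to them, which makes the file hard to audit. `CONFIG_DEBUG_FILE=y` sits under a comment that ends `Disabled by default.`, and `# Airtime policy support` appears twice, once above `CONFIG_AIRTIME_POLICY=y` and again near the end above `#CONFIG_AIRTIME_POLICY=y`, so a reader checking the tail of the file would conclude the feature is off. I would drop the second airtime stanza and reword the debug comment to something like `# Enabled in the Debian build; a log file is written only when -f is given`, assuming that matches the runtime behaviour. The debug-file comment has the same mismatch in the debian/config/hostapd/kfreebsd hunk.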
@@ -0,0 +1,616 @@
+# Debian wpa_supplicant build time configuration
+#
+# This file lists the configuration options that are used when building the
+# wpa_supplicant binary. All lines starting with # are ignored. Configuration
+# option lines must be commented out complete, if they are not to be included,
+# i.e., just setting VARIABLE=n is not disabling that variable.
+#
+# This file is included in Makefile, so variables like CFLAGS and LIBS can also
+# be modified from here. In most cases, these lines should use += in order not
+# to override previous values of the variables.
+
+
+# Uncomment following two lines and fix the paths if you have installed OpenSSL
+# or GnuTLS in non-default location
+#CFLAGS += -I/usr/local/openssl/include
+#LIBS += -L/usr/local/openssl/lib
+
+# Some Red Hat versions seem to include kerberos header files from OpenSSL, but
+# the kerberos files are not in the default include path. Following line can be
+# used to fix build issues on such systems (krb5.h not found).
+#CFLAGS += -I/usr/include/kerberos
+
+# Driver interface for generic Linux wireless extensions
+# Note: WEXT is deprecated in the current Linux kernel version and no new
+# functionality is added to it. nl80211-based interface is the new
+# replacement for WEXT and its use allows wpa_supplicant to properly control
+# the driver to improve existing functionality like roaming and to support new
+# functionality.
+#CONFIG_DRIVER_WEXT=y
+
+# Driver interface for Linux drivers using the nl80211 kernel interface
+#CONFIG_DRIVER_NL80211=y
+
+# QCA vendor extensions to nl80211
+#CONFIG_DRIVER_NL80211_QCA=y
+
+# driver_nl80211.c requires libnl. If you are compiling it yourself
+# you may need to point hostapd to your version of libnl.
+#
+#CFLAGS += -I$
+#LIBS += -L$
+
+# Use libnl v2.0 (or 3.0) libraries.
+#CONFIG_LIBNL20=y
+
+# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
+#CONFIG_LIBNL32=y
+
+
+# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
+CONFIG_DRIVER_BSD=y
+#CFLAGS += -I/usr/local/include
+#LIBS += -L/usr/local/lib
+#LIBS_p += -L/usr/local/lib
+#LIBS_c += -L/usr/local/lib
+
+# Driver interface for Windows NDIS
+#CONFIG_DRIVER_NDIS=y
+#CFLAGS += -I/usr/include/w32api/ddk
+#LIBS += -L/usr/local/lib
+# For native build using mingw
+#CONFIG_NATIVE_WINDOWS=y
+# Additional directories for cross-compilation on Linux host for mingw target
+#CFLAGS += -I/opt/mingw/mingw32/include/ddk
+#LIBS += -L/opt/mingw/mingw32/lib
+#CC=mingw32-gcc
+# By default, driver_ndis uses WinPcap for low-level operations. This can be
+# replaced with the following option which replaces WinPcap calls with NDISUIO.
+# However, this requires that WZC is disabled (net stop wzcsvc) before starting
+# wpa_supplicant.
+# CONFIG_USE_NDISUIO=y
+
+# Driver interface for wired Ethernet drivers
+CONFIG_DRIVER_WIRED=y
+
+# Driver interface for MACsec capable Qualcomm Atheros drivers
+#CONFIG_DRIVER_MACSEC_QCA=y
+
+# Driver interface for Linux MACsec drivers
+#CONFIG_DRIVER_MACSEC_LINUX=y
+
+# Driver interface for the Broadcom RoboSwitch family
+#CONFIG_DRIVER_ROBOSWITCH=y
+
+# Driver interface for no driver (e.g., WPS ER only)
+CONFIG_DRIVER_NONE=y
+
+# Solaris libraries
+#LIBS += -lsocket -ldlpi -lnsl
+#LIBS_c += -lsocket
+
+# Enable IEEE 802.1X Supplicant (automatically included if any EAP method or
+# MACsec is included)
+CONFIG_IEEE8021X_EAPOL=y
+
+# EAP-MD5
+CONFIG_EAP_MD5=y
+
+# EAP-MSCHAPv2
+CONFIG_EAP_MSCHAPV2=y
+
+# EAP-TLS
+CONFIG_EAP_TLS=y
+
+# EAL-PEAP
+CONFIG_EAP_PEAP=y
+
+# EAP-TTLS
+CONFIG_EAP_TTLS=y
+
+# EAP-FAST
+CONFIG_EAP_FAST=y
+
+# EAP-GTC
+CONFIG_EAP_GTC=y
+
+# EAP-OTP
+CONFIG_EAP_OTP=y
+
+# EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
+CONFIG_EAP_SIM=y
+
+# EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
+CONFIG_EAP_PSK=y
+
+# EAP-pwd (secure authentication using only a password)
+CONFIG_EAP_PWD=y
+
+# EAP-PAX
+CONFIG_EAP_PAX=y
+
+# LEAP
+CONFIG_EAP_LEAP=y
+
+# EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
+CONFIG_EAP_AKA=y
+
+# EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used).
+# This requires CONFIG_EAP_AKA to be enabled, too.
+CONFIG_EAP_AKA_PRIME=y
+
+# Enable USIM simulator (Milenage) for EAP-AKA
+#CONFIG_USIM_SIMULATOR=y
+
+# EAP-SAKE
+CONFIG_EAP_SAKE=y
+
+# EAP-GPSK
+CONFIG_EAP_GPSK=y
+# Include support for optional SHA256 cipher suite in EAP-GPSK
+CONFIG_EAP_GPSK_SHA256=y
+
+# EAP-TNC and related Trusted Network Connect support (experimental)
+CONFIG_EAP_TNC=y
+
+# Wi-Fi Protected Setup (WPS)
+CONFIG_WPS=y
+# Enable WPS external registrar functionality
+CONFIG_WPS_ER=y
+# Disable credentials for an open network by default when acting as a WPS
+# registrar.
+CONFIG_WPS_REG_DISABLE_OPEN=y
+# Enable WPS support with NFC config method
+CONFIG_WPS_NFC=y
+
+# EAP-IKEv2
+CONFIG_EAP_IKEV2=y
+
+# EAP-EKE
+CONFIG_EAP_EKE=y
+
+# MACsec
+#CONFIG_MACSEC=y
+
+# PKCS#12 (PFX) support (used to read private key and certificate file from
+# a file that usually has extension .p12 or .pfx)
+CONFIG_PKCS12=y
+
+# Smartcard support (i.e., private key on a smartcard), e.g., with openssl
+# engine.
+CONFIG_SMARTCARD=y
+
+# PC/SC interface for smartcards (USIM, GSM SIM)
+# Enable this if EAP-SIM or EAP-AKA is included
+CONFIG_PCSC=y
+
+# Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
+CONFIG_HT_OVERRIDES=y
+
+# Support VHT overrides (disable VHT, mask MCS rates, etc.)
+CONFIG_VHT_OVERRIDES=y
+
+# Development testing
+CONFIG_EAPOL_TEST=y
+
+# Select control interface backend for external programs, e.g, wpa_cli:
+# unix = UNIX domain sockets (default for Linux/*BSD)
+# udp = UDP sockets using localhost (127.0.0.1)
+# udp6 = UDP IPv6 sockets using localhost (::1)
+# named_pipe = Windows Named Pipe (default for Windows)
+# udp-remote = UDP sockets with remote access (only for tests systems/purpose)
+# udp6-remote = UDP IPv6 sockets with remote access (only for tests purpose)
+# y = use default (backwards compatibility)
+# If this option is commented out, control interface is not included in the
+# build.
+CONFIG_CTRL_IFACE=y
+
+# Include support for GNU Readline and History Libraries in wpa_cli.
+# When building a wpa_cli binary for distribution, please note that these
+# libraries are licensed under GPL and as such, BSD license may not apply for
+# the resulting binary.
+CONFIG_READLINE=y
+
+# Include internal line edit mode in wpa_cli. This can be used as a replacement
+# for GNU Readline to provide limited command line editing and history support.
+#CONFIG_WPA_CLI_EDIT=y
+
+# Remove debugging code that is printing out debug message to stdout.
+# This can be used to reduce the size of the wpa_supplicant considerably
+# if debugging code is not needed. The size reduction can be around 35%
+# (e.g., 90 kB).
+#CONFIG_NO_STDOUT_DEBUG=y
+
+# Remove WPA support, e.g., for wired-only IEEE 802.1X supplicant, to save
+# 35-50 kB in code size.
+#CONFIG_NO_WPA=y
+
+# Remove IEEE 802.11i/WPA-Personal ASCII passphrase support
+# This option can be used to reduce code size by removing support for
+# converting ASCII passphrases into PSK. If this functionality is removed, the
+# PSK can only be configured as the 64-octet hexstring (e.g., from
+# wpa_passphrase). This saves about 0.5 kB in code size.
+#CONFIG_NO_WPA_PASSPHRASE=y
+
+# Simultaneous Authentication of Equals (SAE), WPA3-Personal
+CONFIG_SAE=y
+
+# WPA3-Enterprise (SuiteB-192)
+CONFIG_SUITEB=y
+CONFIG_SUITEB192=y
+
+# Disable scan result processing (ap_mode=1) to save code size by about 1 kB.
+# This can be used if ap_scan=1 mode is never enabled.
+#CONFIG_NO_SCAN_PROCESSING=y
+
+# Select configuration backend:
+# file = text file (e.g., wpa_supplicant.conf; note: the configuration file
+# path is given on command line, not here; this option is just used to
+# select the backend that allows configuration files to be used)
+# winreg = Windows registry (see win_example.reg for an example)
+CONFIG_BACKEND=file
+
+# Remove configuration write functionality (i.e., to allow the configuration
+# file to be updated based on runtime configuration changes). The runtime
+# configuration can still be changed, the changes are just not going to be
+# persistent over restarts. This option can be used to reduce code size by
+# about 3.5 kB.
+#CONFIG_NO_CONFIG_WRITE=y
+
+# Remove support for configuration blobs to reduce code size by about 1.5 kB.
+#CONFIG_NO_CONFIG_BLOBS=y
+
+# Select program entry point implementation:
+# main = UNIX/POSIX like main() function (default)
+# main_winsvc = Windows service (read parameters from registry)
+# main_none = Very basic example (development use only)
+CONFIG_MAIN=main
+
+# Select wrapper for operating system and C library specific functions
+# unix = UNIX/POSIX like systems (default)
+# win32 = Windows systems
+# none = Empty template
+CONFIG_OS=unix
+
+# Select event loop implementation
+# eloop = select() loop (default)
+# eloop_win = Windows events and WaitForMultipleObject() loop
+CONFIG_ELOOP=eloop
+
+# Should we use poll instead of select? Select is used by default.
+#CONFIG_ELOOP_POLL=y
+
+# Should we use epoll instead of select? Select is used by default.
+#CONFIG_ELOOP_EPOLL=y
+
+# Should we use kqueue instead of select? Select is used by default.
+#CONFIG_ELOOP_KQUEUE=y
+
+# Select layer 2 packet implementation
+# linux = Linux packet socket (default)
+# pcap = libpcap/libdnet/WinPcap
+# freebsd = FreeBSD libpcap
+# winpcap = WinPcap with receive thread
+# ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y)
+# none = Empty template
+CONFIG_L2_PACKET=freebsd
+
+# Disable Linux packet socket workaround applicable for station interface
+# in a bridge for EAPOL frames. This should be uncommented only if the kernel
+# is known to not have the regression issue in packet socket behavior with
+# bridge interfaces (commit 'bridge: respect RFC2863 operational state')').
+#CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
+
+# IEEE 802.11w (management frame protection), also known as PMF
+# Driver support is also needed for IEEE 802.11w.
+CONFIG_IEEE80211W=y
+
+# Support Operating Channel Validation
+#CONFIG_OCV=y
+
+# Select TLS implementation
+# openssl = OpenSSL (default)
+# gnutls = GnuTLS
+# internal = Internal TLSv1 implementation (experimental)
+# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
+# none = Empty template
+CONFIG_TLS=openssl
+
+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
+# can be enabled to get a stronger construction of messages when block ciphers
+# are used. It should be noted that some existing TLS v1.0 -based
+# implementation may not be compatible with TLS v1.1 message (ClientHello is
+# sent prior to negotiating which version will be used)
+CONFIG_TLSV11=y
+
+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
+# can be enabled to enable use of stronger crypto algorithms. It should be
+# noted that some existing TLS v1.0 -based implementation may not be compatible
+# with TLS v1.2 message (ClientHello is sent prior to negotiating which version
+# will be used)
+CONFIG_TLSV12=y
+
+# Select which ciphers to use by default with OpenSSL if the user does not
+# specify them.
+CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT@SECLEVEL=1"
+
+# If CONFIG_TLS=internal is used, additional library and include paths are
+# needed for LibTomMath. Alternatively, an integrated, minimal version of
+# LibTomMath can be used. See beginning of libtommath.c for details on benefits
+# and drawbacks of this option.
+#CONFIG_INTERNAL_LIBTOMMATH=y
+#ifndef CONFIG_INTERNAL_LIBTOMMATH
+#LTM_PATH=/usr/src/libtommath-0.39
+#CFLAGS += -I$(LTM_PATH)
+#LIBS += -L$(LTM_PATH)
+#LIBS_p += -L$(LTM_PATH)
+#endif
+# At the cost of about 4 kB of additional binary size, the internal LibTomMath
+# can be configured to include faster routines for exptmod, sqr, and div to
+# speed up DH and RSA calculation considerably
+#CONFIG_INTERNAL_LIBTOMMATH_FAST=y
+
+# Include NDIS event processing through WMI into wpa_supplicant/wpasvc.
+# This is only for Windows builds and requires WMI-related header files and
+# WbemUuid.Lib from Platform SDK even when building with MinGW.
+#CONFIG_NDIS_EVENTS_INTEGRATED=y
+#PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
+
+# Add support for new DBus control interface
+# (fi.w1.hostap.wpa_supplicant1)
+CONFIG_CTRL_IFACE_DBUS_NEW=y
+
+# Add introspection support for new DBus control interface
+CONFIG_CTRL_IFACE_DBUS_INTRO=y
+
+# Add support for loading EAP methods dynamically as shared libraries.
+# When this option is enabled, each EAP method can be either included
+# statically (CONFIG_EAP_=y) or dynamically (CONFIG_EAP_=dyn).
+# Dynamic EAP methods are build as shared objects (eap_*.so) and they need to
+# be loaded in the beginning of the wpa_supplicant configuration file
+# (see load_dynamic_eap parameter in the example file) before being used in
+# the network blocks.
+#
+# Note that some shared parts of EAP methods are included in the main program
+# and in order to be able to use dynamic EAP methods using these parts, the
+# main program must have been build with the EAP method enabled (=y or =dyn).
+# This means that EAP-TLS/PEAP/TTLS/FAST cannot be added as dynamic libraries
+# unless at least one of them was included in the main build to force inclusion
+# of the shared code. Similarly, at least one of EAP-SIM/AKA must be included
+# in the main build to be able to load these methods dynamically.
+#
+# Please also note that using dynamic libraries will increase the total binary
+# size. Thus, it may not be the best option for targets that have limited
+# amount of memory/flash.
+#CONFIG_DYNAMIC_EAP_METHODS=y
+
+# IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
+CONFIG_IEEE80211R=y
+
+# Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
+CONFIG_DEBUG_FILE=y
+
+# Send debug messages to syslog instead of stdout
+CONFIG_DEBUG_SYSLOG=y
+# Set syslog facility for debug messages
+CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
+
+# Add support for sending all debug messages (regardless of debug verbosity)
+# to the Linux kernel tracing facility. This helps debug the entire stack by
+# making it easy to record everything happening from the driver up into the
+# same file, e.g., using trace-cmd.
+#CONFIG_DEBUG_LINUX_TRACING=y
+
+# Add support for writing debug log to Android logcat instead of standard
+# output
+#CONFIG_ANDROID_LOG=y
+
+# Enable privilege separation (see README 'Privilege separation' for details)
+#CONFIG_PRIVSEP=y
+
+# Enable mitigation against certain attacks against TKIP by delaying Michael
+# MIC error reports by a random amount of time between 0 and 60 seconds
+CONFIG_DELAYED_MIC_ERROR_REPORT=y
+
+# Enable tracing code for developer debugging
+# This tracks use of memory allocations and other registrations and reports
+# incorrect use with a backtrace of call (or allocation) location.
+#CONFIG_WPA_TRACE=y
+# For BSD, uncomment these.
+#LIBS += -lexecinfo
+#LIBS_p += -lexecinfo
+#LIBS_c += -lexecinfo
+
+# Use libbfd to get more details for developer debugging
+# This enables use of libbfd to get more detailed symbols for the backtraces
+# generated by CONFIG_WPA_TRACE=y.
+#CONFIG_WPA_TRACE_BFD=y
+# For BSD, uncomment these.
+#LIBS += -lbfd -liberty -lz
+#LIBS_p += -lbfd -liberty -lz
+#LIBS_c += -lbfd -liberty -lz
+
+# wpa_supplicant depends on strong random number generation being available
+# from the operating system. os_get_random() function is used to fetch random
+# data when needed, e.g., for key generation. On Linux and BSD systems, this
+# works by reading /dev/urandom. It should be noted that the OS entropy pool
+# needs to be properly initialized before wpa_supplicant is started. This is
+# important especially on embedded devices that do not have a hardware random
+# number generator and may by default start up with minimal entropy available
+# for random number generation.
+#
+# As a safety net, wpa_supplicant is by default trying to internally collect
+# additional entropy for generating random data to mix in with the data fetched
+# from the OS. This by itself is not considered to be very strong, but it may
+# help in cases where the system pool is not initialized properly. However, it
+# is very strongly recommended that the system pool is initialized with enough
+# entropy either by using hardware assisted random number generator or by
+# storing state over device reboots.
+#
+# wpa_supplicant can be configured to maintain its own entropy store over
+# restarts to enhance random number generation. This is not perfect, but it is
+# much more secure than using the same sequence of random numbers after every
+# reboot. This can be enabled with -e command line option. The
+# specified file needs to be readable and writable by wpa_supplicant.
+#
+# If the os_get_random() is known to provide strong random data (e.g., on
+# Linux/BSD, the board in question is known to have reliable source of random
+# data from /dev/urandom), the internal wpa_supplicant random pool can be
+# disabled. This will save some in binary size and CPU use. However, this
+# should only be considered for builds that are known to be used on devices
+# that meet the requirements described above.
+#CONFIG_NO_RANDOM_POOL=y
+
+# Should we attempt to use the getrandom(2) call that provides more reliable
+# yet secure randomness source than /dev/random on Linux 3.17 and newer.
+# Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
+#CONFIG_GETRANDOM=y
+
+# IEEE 802.11n (High Throughput) support (mainly for AP mode)
+CONFIG_IEEE80211N=y
+
+# IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
+# (depends on CONFIG_IEEE80211N)
+CONFIG_IEEE80211AC=y
+
+# Wireless Network Management (IEEE Std 802.11v-2011)
+# Note: This is experimental and not complete implementation.
+CONFIG_WNM=y
+
+# Interworking (IEEE 802.11u)
+# This can be used to enable functionality to improve interworking with
+# external networks (GAS/ANQP to learn more about the networks and network
+# selection based on available credentials).
+CONFIG_INTERWORKING=y
+
+# Hotspot 2.0
+CONFIG_HS20=y
+
+# Enable interface matching in wpa_supplicant
+#CONFIG_MATCH_IFACE=y
+
+# Disable roaming in wpa_supplicant
+#CONFIG_NO_ROAMING=y
+
+# AP mode operations with wpa_supplicant
+# This can be used for controlling AP mode operations with wpa_supplicant. It
+# should be noted that this is mainly aimed at simple cases like
+# WPA2-Personal while more complex configurations like WPA2-Enterprise with an
+# external RADIUS server can be supported with hostapd.
+CONFIG_AP=y
+
+# P2P (Wi-Fi Direct)
+# This can be used to enable P2P support in wpa_supplicant. See README-P2P for
+# more information on P2P operations.
+CONFIG_P2P=y
+
+# Enable TDLS support
+CONFIG_TDLS=y
+
+# Wi-Fi Display
+# This can be used to enable Wi-Fi Display extensions for P2P using an external
+# program to control the additional information exchanges in the messages.
+CONFIG_WIFI_DISPLAY=y
+
+# Autoscan
+# This can be used to enable automatic scan support in wpa_supplicant.
+# See wpa_supplicant.conf for more information on autoscan usage.
+#
+# Enabling directly a module will enable autoscan support.
+# For exponential module:
+CONFIG_AUTOSCAN_EXPONENTIAL=y
+# For periodic module:
+CONFIG_AUTOSCAN_PERIODIC=y
+
+# Password (and passphrase, etc.) backend for external storage
+# These optional mechanisms can be used to add support for storing passwords
+# and other secrets in external (to wpa_supplicant) location. This allows, for
+# example, operating system specific key storage to be used
+#
+# External password backend for testing purposes (developer use)
+#CONFIG_EXT_PASSWORD_TEST=y
+
+# Enable Fast Session Transfer (FST)
+CONFIG_FST=y
+
+# Enable CLI commands for FST testing
+#CONFIG_FST_TEST=y
+
+# OS X builds. This is only for building eapol_test.
+#CONFIG_OSX=y
+
+# Automatic Channel Selection
+# This will allow wpa_supplicant to pick the channel automatically when channel
+# is set to "0".
+#
+# TODO: Extend parser to be able to parse "channel=acs_survey" as an alternative
+# to "channel=0". This would enable us to eventually add other ACS algorithms in
+# similar way.
+#
+# Automatic selection is currently only done through initialization, later on
+# we hope to do background checks to keep us moving to more ideal channels as
+# time goes by. ACS is currently only supported through the nl80211 driver and
+# your driver must have survey dump capability that is filled by the driver
+# during scanning.
+#
+# TODO: In analogy to hostapd be able to customize the ACS survey algorithm with
+# a newly to create wpa_supplicant.conf variable acs_num_scans.
+#
+# Supported ACS drivers:
+# * ath9k
+# * ath5k
+# * ath10k
+#
+# For more details refer to:
+# http://wireless.kernel.org/en/users/Documentation/acs
+CONFIG_ACS=y
+
+# XXX: Debian #737465
+# fix FTBS using gcc-4.8 by linking with -ldl on kfreebsd-any. This is
+# already accounted for by the upstream Makefile, however wrongly depending
+# on !CONFIG_DRIVER_BSD, while it is actually depending on the target libc
+# rather than the kernel.
+LIBS += -ldl
+
+# Support Multi Band Operation
+CONFIG_MBO=y
+
+# Fast Initial Link Setup (FILS) (IEEE 802.11ai)
+CONFIG_FILS=y
+# FILS shared key authentication with PFS
+CONFIG_FILS_SK_PFS=y
+
+# Support RSN on IBSS networks
+# This is needed to be able to use mode=1 network profile with proto=RSN and
+# key_mgmt=WPA-PSK (i.e., full key management instead of WPA-None).
+CONFIG_IBSS_RSN=y
+
+# External PMKSA cache control
+# This can be used to enable control interface commands that allow the current
+# PMKSA cache entries to be fetched and new entries to be added.
+CONFIG_PMKSA_CACHE_EXTERNAL=y
+
+# Mesh Networking (IEEE 802.11s)
+CONFIG_MESH=y
+
+# Background scanning modules
+# These can be used to request wpa_supplicant to perform background scanning
+# operations for roaming within an ESS (same SSID). See the bgscan parameter in
+# the wpa_supplicant.conf file for more details.
+# Periodic background scans based on signal strength
+CONFIG_BGSCAN_SIMPLE=y
+# Learn channels used by the network and try to avoid bgscans on other
+# channels (experimental)
+CONFIG_BGSCAN_LEARN=y
+
+# Opportunistic Wireless Encryption (OWE)
+# Experimental implementation of draft-harkins-owe-07.txt
+CONFIG_OWE=y
+
+# Device Provisioning Protocol (DPP)
+# This requires CONFIG_IEEE80211W=y to be enabled, too. (see
+# wpa_supplicant/README-DPP for details)
+CONFIG_DPP=y
+
+# Used by eapol_test only, see #985912
+CONFIG_IPV6=y
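Review bot: `CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT@SECLEVEL=1"` makes OpenSSL security level 1 the built-in default for every TLS-based EAP method this config enables (EAP-TLS, PEAP, TTLS, FAST), and the two-line comment above it says neither that the level is being set nor why. Level 1 only excludes parameters below 80 bits of security, so 1024-bit RSA or DH on the authentication server side is accepted whenever the user has not configured a cipher list, and the string appears to take precedence over a stricter system-wide OpenSSL setting. If this is a deliberate compatibility default for legacy authentication servers, which is my reading but is not stated in the hunk, the comment should record that and point at the override, e.g. `# SECLEVEL=1 is kept for legacy EAP servers; set openssl_ciphers in wpa_supplicant.conf to raise it.` The same line is added in the debian/config/wpasupplicant/linux hunk, which runs past the end of this view.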
diff --git a/debian/config/wpasupplicant/kfreebsd-udeb b/debian/config/wpasupplicant/kfreebsd-udeb
new file mode 100644
index 0000000..c796b82
--- /dev/null
+++ b/debian/config/wpasupplicant/kfreebsd-udeb
@@ -0,0 +1,13 @@
+# Debian's wpa_supplicant build time configuration
+CONFIG_DRIVER_BSD=y
+LIBS += -ldl
+CONFIG_CTRL_IFACE=y
+CONFIG_BACKEND=file
+CONFIG_MAIN=main
+CONFIG_OS=unix
+CONFIG_ELOOP=eloop
+CONFIG_L2_PACKET=freebsd
+
+# enable syslog support, as requested by d-i/ netcfg
+CONFIG_DEBUG_SYSLOG=y
+CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
diff --git a/debian/config/wpasupplicant/linux b/debian/config/wpasupplicant/linux
new file mode 100644
index 0000000..f470138
--- /dev/null
+++ b/debian/config/wpasupplicant/linux
@@ -0,0 +1,622 @@
+# Debian wpa_supplicant build time configuration
+#
+# This file lists the configuration options that are used when building the
+# wpa_supplicant binary. All lines starting with # are ignored. Configuration
+# option lines must be commented out complete, if they are not to be included,
+# i.e., just setting VARIABLE=n is not disabling that variable.
+#
+# This file is included in Makefile, so variables like CFLAGS and LIBS can also
+# be modified from here. In most cases, these lines should use += in order not
+# to override previous values of the variables.
+
+
+# Uncomment following two lines and fix the paths if you have installed OpenSSL
+# or GnuTLS in non-default location
+#CFLAGS += -I/usr/local/openssl/include
+#LIBS += -L/usr/local/openssl/lib
+
+# Some Red Hat versions seem to include kerberos header files from OpenSSL, but
+# the kerberos files are not in the default include path. Following line can be
+# used to fix build issues on such systems (krb5.h not found).
+#CFLAGS += -I/usr/include/kerberos
+
+# Driver interface for generic Linux wireless extensions
+# Note: WEXT is deprecated in the current Linux kernel version and no new
+# functionality is added to it. nl80211-based interface is the new
+# replacement for WEXT and its use allows wpa_supplicant to properly control
+# the driver to improve existing functionality like roaming and to support new
+# functionality.
+CONFIG_DRIVER_WEXT=y
+
+# Driver interface for Linux drivers using the nl80211 kernel interface
+CONFIG_DRIVER_NL80211=y
+
+# QCA vendor extensions to nl80211
+CONFIG_DRIVER_NL80211_QCA=y
+
+# driver_nl80211.c requires libnl. If you are compiling it yourself
+# you may need to point hostapd to your version of libnl.
+#
+#CFLAGS += -I$
+#LIBS += -L$
+
+# Use libnl v2.0 (or 3.0) libraries.
+#CONFIG_LIBNL20=y
+
+# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
+CONFIG_LIBNL32=y
+
+
+# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
+#CONFIG_DRIVER_BSD=y
+#CFLAGS += -I/usr/local/include
+#LIBS += -L/usr/local/lib
+#LIBS_p += -L/usr/local/lib
+#LIBS_c += -L/usr/local/lib
+
+# Driver interface for Windows NDIS
+#CONFIG_DRIVER_NDIS=y
+#CFLAGS += -I/usr/include/w32api/ddk
+#LIBS += -L/usr/local/lib
+# For native build using mingw
+#CONFIG_NATIVE_WINDOWS=y
+# Additional directories for cross-compilation on Linux host for mingw target
+#CFLAGS += -I/opt/mingw/mingw32/include/ddk
+#LIBS += -L/opt/mingw/mingw32/lib
+#CC=mingw32-gcc
+# By default, driver_ndis uses WinPcap for low-level operations. This can be
+# replaced with the following option which replaces WinPcap calls with NDISUIO.
+# However, this requires that WZC is disabled (net stop wzcsvc) before starting
+# wpa_supplicant.
+# CONFIG_USE_NDISUIO=y
+
+# Driver interface for wired Ethernet drivers
+CONFIG_DRIVER_WIRED=y
+
+# Driver interface for MACsec capable Qualcomm Atheros drivers
+#CONFIG_DRIVER_MACSEC_QCA=y
+
+# Driver interface for Linux MACsec drivers
+CONFIG_DRIVER_MACSEC_LINUX=y
+
+# Driver interface for the Broadcom RoboSwitch family
+#CONFIG_DRIVER_ROBOSWITCH=y
+
+# Driver interface for no driver (e.g., WPS ER only)
+CONFIG_DRIVER_NONE=y
+
+# Solaris libraries
+#LIBS += -lsocket -ldlpi -lnsl
+#LIBS_c += -lsocket
+
+# Enable IEEE 802.1X Supplicant (automatically included if any EAP method or
+# MACsec is included)
+CONFIG_IEEE8021X_EAPOL=y
+
+# EAP-MD5
+CONFIG_EAP_MD5=y
+
+# EAP-MSCHAPv2
+CONFIG_EAP_MSCHAPV2=y
+
+# EAP-TLS
+CONFIG_EAP_TLS=y
+
+# EAL-PEAP
+CONFIG_EAP_PEAP=y
+
+# EAP-TTLS
+CONFIG_EAP_TTLS=y
+
+# EAP-FAST
+CONFIG_EAP_FAST=y
+
+# EAP-TEAP
+# Note: The current EAP-TEAP implementation is experimental and should not be
+# enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
+# of conflicting statements and missing details and the implementation has
+# vendor specific workarounds for those and as such, may not interoperate with
+# any other implementation. This should not be used for anything else than
+# experimentation and interoperability testing until those issues has been
+# resolved.
+#CONFIG_EAP_TEAP=y
+
+# EAP-GTC
+CONFIG_EAP_GTC=y
+
+# EAP-OTP
+CONFIG_EAP_OTP=y
+
+# EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
+CONFIG_EAP_SIM=y
+
+# Enable SIM simulator (Milenage) for EAP-SIM
+#CONFIG_SIM_SIMULATOR=y
+
+# EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
+CONFIG_EAP_PSK=y
+
+# EAP-pwd (secure authentication using only a password)
+CONFIG_EAP_PWD=y
+
+# EAP-PAX
+CONFIG_EAP_PAX=y
+
+# LEAP
+CONFIG_EAP_LEAP=y
+
+# EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
+CONFIG_EAP_AKA=y
+
+# EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used).
+# This requires CONFIG_EAP_AKA to be enabled, too.
+CONFIG_EAP_AKA_PRIME=y
+
+# Enable USIM simulator (Milenage) for EAP-AKA
+#CONFIG_USIM_SIMULATOR=y
+
+# EAP-SAKE
+CONFIG_EAP_SAKE=y
+
+# EAP-GPSK
+CONFIG_EAP_GPSK=y
+# Include support for optional SHA256 cipher suite in EAP-GPSK
+CONFIG_EAP_GPSK_SHA256=y
+
+# EAP-TNC and related Trusted Network Connect support (experimental)
+CONFIG_EAP_TNC=y
+
+# Wi-Fi Protected Setup (WPS)
+CONFIG_WPS=y
+# Enable WPS external registrar functionality
+CONFIG_WPS_ER=y
+# Disable credentials for an open network by default when acting as a WPS
+# registrar.
+CONFIG_WPS_REG_DISABLE_OPEN=y
+# Enable WPS support with NFC config method
+CONFIG_WPS_NFC=y
+
+# EAP-IKEv2
+CONFIG_EAP_IKEV2=y
+
+# EAP-EKE
+CONFIG_EAP_EKE=y
+
+# MACsec
+CONFIG_MACSEC=y
+
+# PKCS#12 (PFX) support (used to read private key and certificate file from
+# a file that usually has extension .p12 or .pfx)
+CONFIG_PKCS12=y
+
+# Smartcard support (i.e., private key on a smartcard), e.g., with openssl
+# engine.
+CONFIG_SMARTCARD=y
+
+# PC/SC interface for smartcards (USIM, GSM SIM)
+# Enable this if EAP-SIM or EAP-AKA is included
+CONFIG_PCSC=y
+
+# Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
+CONFIG_HT_OVERRIDES=y
+
+# Support VHT overrides (disable VHT, mask MCS rates, etc.)
+CONFIG_VHT_OVERRIDES=y
+
+# Development testing
+CONFIG_EAPOL_TEST=y
+
+# Select control interface backend for external programs, e.g, wpa_cli:
+# unix = UNIX domain sockets (default for Linux/*BSD)
+# udp = UDP sockets using localhost (127.0.0.1)
+# udp6 = UDP IPv6 sockets using localhost (::1)
+# named_pipe = Windows Named Pipe (default for Windows)
+# udp-remote = UDP sockets with remote access (only for tests systems/purpose)
+# udp6-remote = UDP IPv6 sockets with remote access (only for tests purpose)
+# y = use default (backwards compatibility)
+# If this option is commented out, control interface is not included in the
+# build.
+CONFIG_CTRL_IFACE=y
+
+# Include support for GNU Readline and History Libraries in wpa_cli.
+# When building a wpa_cli binary for distribution, please note that these
+# libraries are licensed under GPL and as such, BSD license may not apply for
+# the resulting binary.
+CONFIG_READLINE=y
+
+# Include internal line edit mode in wpa_cli. This can be used as a replacement
+# for GNU Readline to provide limited command line editing and history support.
+#CONFIG_WPA_CLI_EDIT=y
+
+# Remove debugging code that is printing out debug message to stdout.
+# This can be used to reduce the size of the wpa_supplicant considerably
+# if debugging code is not needed. The size reduction can be around 35%
+# (e.g., 90 kB).
+#CONFIG_NO_STDOUT_DEBUG=y
+
+# Remove WPA support, e.g., for wired-only IEEE 802.1X supplicant, to save
+# 35-50 kB in code size.
+#CONFIG_NO_WPA=y
+
+# Remove IEEE 802.11i/WPA-Personal ASCII passphrase support
+# This option can be used to reduce code size by removing support for
+# converting ASCII passphrases into PSK. If this functionality is removed, the
+# PSK can only be configured as the 64-octet hexstring (e.g., from
+# wpa_passphrase). This saves about 0.5 kB in code size.
+#CONFIG_NO_WPA_PASSPHRASE=y
+
+# Simultaneous Authentication of Equals (SAE), WPA3-Personal
+CONFIG_SAE=y
+
+# WPA3-Enterprise (SuiteB-192)
+CONFIG_SUITEB=y
+CONFIG_SUITEB192=y
+
+# Disable scan result processing (ap_scan=1) to save code size by about 1 kB.
+# This can be used if ap_scan=1 mode is never enabled.
+#CONFIG_NO_SCAN_PROCESSING=y
+
+# Select configuration backend:
+# file = text file (e.g., wpa_supplicant.conf; note: the configuration file
+# path is given on command line, not here; this option is just used to
+# select the backend that allows configuration files to be used)
+# winreg = Windows registry (see win_example.reg for an example)
+CONFIG_BACKEND=file
+
+# Remove configuration write functionality (i.e., to allow the configuration
+# file to be updated based on runtime configuration changes). The runtime
+# configuration can still be changed, the changes are just not going to be
+# persistent over restarts. This option can be used to reduce code size by
+# about 3.5 kB.
+#CONFIG_NO_CONFIG_WRITE=y
+
+# Remove support for configuration blobs to reduce code size by about 1.5 kB.
+#CONFIG_NO_CONFIG_BLOBS=y
+
+# Select program entry point implementation:
+# main = UNIX/POSIX like main() function (default)
+# main_winsvc = Windows service (read parameters from registry)
+# main_none = Very basic example (development use only)
+CONFIG_MAIN=main
+
+# Select wrapper for operating system and C library specific functions
+# unix = UNIX/POSIX like systems (default)
+# win32 = Windows systems
+# none = Empty template
+CONFIG_OS=unix
+
+# Select event loop implementation
+# eloop = select() loop (default)
+# eloop_win = Windows events and WaitForMultipleObject() loop
+CONFIG_ELOOP=eloop
+
+# Should we use poll instead of select? Select is used by default.
+#CONFIG_ELOOP_POLL=y
+
+# Should we use epoll instead of select? Select is used by default.
+#CONFIG_ELOOP_EPOLL=y
+
+# Should we use kqueue instead of select? Select is used by default.
+#CONFIG_ELOOP_KQUEUE=y
+
+# Select layer 2 packet implementation
+# linux = Linux packet socket (default)
+# pcap = libpcap/libdnet/WinPcap
+# freebsd = FreeBSD libpcap
+# winpcap = WinPcap with receive thread
+# ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y)
+# none = Empty template
+CONFIG_L2_PACKET=linux
+
+# Disable Linux packet socket workaround applicable for station interface
+# in a bridge for EAPOL frames. This should be uncommented only if the kernel
+# is known to not have the regression issue in packet socket behavior with
+# bridge interfaces (commit 'bridge: respect RFC2863 operational state')').
+#CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
+
+# IEEE 802.11w (management frame protection), also known as PMF
+# Driver support is also needed for IEEE 802.11w.
+CONFIG_IEEE80211W=y
+
+# Support Operating Channel Validation
+#CONFIG_OCV=y
+
+# Select TLS implementation
+# openssl = OpenSSL (default)
+# gnutls = GnuTLS
+# internal = Internal TLSv1 implementation (experimental)
+# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
+# none = Empty template
+CONFIG_TLS=openssl
+
+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
+# can be enabled to get a stronger construction of messages when block ciphers
+# are used. It should be noted that some existing TLS v1.0 -based
+# implementation may not be compatible with TLS v1.1 message (ClientHello is
+# sent prior to negotiating which version will be used)
+CONFIG_TLSV11=y
+
+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
+# can be enabled to enable use of stronger crypto algorithms. It should be
+# noted that some existing TLS v1.0 -based implementation may not be compatible
+# with TLS v1.2 message (ClientHello is sent prior to negotiating which version
+# will be used)
+CONFIG_TLSV12=y
+
+# Select which ciphers to use by default with OpenSSL if the user does not
+# specify them.
+CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT@SECLEVEL=1"
+
+# If CONFIG_TLS=internal is used, additional library and include paths are
+# needed for LibTomMath. Alternatively, an integrated, minimal version of
+# LibTomMath can be used. See beginning of libtommath.c for details on benefits
+# and drawbacks of this option.
+#CONFIG_INTERNAL_LIBTOMMATH=y
+#ifndef CONFIG_INTERNAL_LIBTOMMATH
+#LTM_PATH=/usr/src/libtommath-0.39
+#CFLAGS += -I$(LTM_PATH)
+#LIBS += -L$(LTM_PATH)
+#LIBS_p += -L$(LTM_PATH)
+#endif
+# At the cost of about 4 kB of additional binary size, the internal LibTomMath
+# can be configured to include faster routines for exptmod, sqr, and div to
+# speed up DH and RSA calculation considerably
+#CONFIG_INTERNAL_LIBTOMMATH_FAST=y
+
+# Include NDIS event processing through WMI into wpa_supplicant/wpasvc.
+# This is only for Windows builds and requires WMI-related header files and
+# WbemUuid.Lib from Platform SDK even when building with MinGW.
+#CONFIG_NDIS_EVENTS_INTEGRATED=y
+#PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
+
+# Add support for new DBus control interface
+# (fi.w1.wpa_supplicant1)
+CONFIG_CTRL_IFACE_DBUS_NEW=y
+
+# Add introspection support for new DBus control interface
+CONFIG_CTRL_IFACE_DBUS_INTRO=y
+
+# Add support for loading EAP methods dynamically as shared libraries.
+# When this option is enabled, each EAP method can be either included
+# statically (CONFIG_EAP_=y) or dynamically (CONFIG_EAP_=dyn).
+# Dynamic EAP methods are build as shared objects (eap_*.so) and they need to
+# be loaded in the beginning of the wpa_supplicant configuration file
+# (see load_dynamic_eap parameter in the example file) before being used in
+# the network blocks.
+#
+# Note that some shared parts of EAP methods are included in the main program
+# and in order to be able to use dynamic EAP methods using these parts, the
+# main program must have been build with the EAP method enabled (=y or =dyn).
+# This means that EAP-TLS/PEAP/TTLS/FAST cannot be added as dynamic libraries
+# unless at least one of them was included in the main build to force inclusion
+# of the shared code. Similarly, at least one of EAP-SIM/AKA must be included
+# in the main build to be able to load these methods dynamically.
+#
+# Please also note that using dynamic libraries will increase the total binary
+# size. Thus, it may not be the best option for targets that have limited
+# amount of memory/flash.
+#CONFIG_DYNAMIC_EAP_METHODS=y
+
+# IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
+CONFIG_IEEE80211R=y
+
+# Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
+CONFIG_DEBUG_FILE=y
+
+# Send debug messages to syslog instead of stdout
+CONFIG_DEBUG_SYSLOG=y
+# Set syslog facility for debug messages
+CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
+
+# Add support for sending all debug messages (regardless of debug verbosity)
+# to the Linux kernel tracing facility. This helps debug the entire stack by
+# making it easy to record everything happening from the driver up into the
+# same file, e.g., using trace-cmd.
+CONFIG_DEBUG_LINUX_TRACING=y
+
+# Add support for writing debug log to Android logcat instead of standard
+# output
+#CONFIG_ANDROID_LOG=y
+
+# Enable privilege separation (see README 'Privilege separation' for details)
+#CONFIG_PRIVSEP=y
+
+# Enable mitigation against certain attacks against TKIP by delaying Michael
+# MIC error reports by a random amount of time between 0 and 60 seconds
+CONFIG_DELAYED_MIC_ERROR_REPORT=y
+
+# Enable tracing code for developer debugging
+# This tracks use of memory allocations and other registrations and reports
+# incorrect use with a backtrace of call (or allocation) location.
+#CONFIG_WPA_TRACE=y
+# For BSD, uncomment these.
+#LIBS += -lexecinfo
+#LIBS_p += -lexecinfo
+#LIBS_c += -lexecinfo
+
+# Use libbfd to get more details for developer debugging
+# This enables use of libbfd to get more detailed symbols for the backtraces
+# generated by CONFIG_WPA_TRACE=y.
+#CONFIG_WPA_TRACE_BFD=y
+# For BSD, uncomment these.
+#LIBS += -lbfd -liberty -lz
+#LIBS_p += -lbfd -liberty -lz
+#LIBS_c += -lbfd -liberty -lz
+
+# wpa_supplicant depends on strong random number generation being available
+# from the operating system. os_get_random() function is used to fetch random
+# data when needed, e.g., for key generation. On Linux and BSD systems, this
+# works by reading /dev/urandom. It should be noted that the OS entropy pool
+# needs to be properly initialized before wpa_supplicant is started. This is
+# important especially on embedded devices that do not have a hardware random
+# number generator and may by default start up with minimal entropy available
+# for random number generation.
+#
+# As a safety net, wpa_supplicant is by default trying to internally collect
+# additional entropy for generating random data to mix in with the data fetched
+# from the OS. This by itself is not considered to be very strong, but it may
+# help in cases where the system pool is not initialized properly. However, it
+# is very strongly recommended that the system pool is initialized with enough
+# entropy either by using hardware assisted random number generator or by
+# storing state over device reboots.
+#
+# wpa_supplicant can be configured to maintain its own entropy store over
+# restarts to enhance random number generation. This is not perfect, but it is
+# much more secure than using the same sequence of random numbers after every
+# reboot. This can be enabled with -e command line option. The
+# specified file needs to be readable and writable by wpa_supplicant.
+#
+# If the os_get_random() is known to provide strong random data (e.g., on
+# Linux/BSD, the board in question is known to have reliable source of random
+# data from /dev/urandom), the internal wpa_supplicant random pool can be
+# disabled. This will save some in binary size and CPU use. However, this
+# should only be considered for builds that are known to be used on devices
+# that meet the requirements described above.
+#CONFIG_NO_RANDOM_POOL=y
+
+# Should we attempt to use the getrandom(2) call that provides more reliable
+# yet secure randomness source than /dev/random on Linux 3.17 and newer.
+# Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
+CONFIG_GETRANDOM=y
+
+# IEEE 802.11n (High Throughput) support (mainly for AP mode)
+CONFIG_IEEE80211N=y
+
+# IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
+# (depends on CONFIG_IEEE80211N)
+CONFIG_IEEE80211AC=y
+
+# Wireless Network Management (IEEE Std 802.11v-2011)
+# Note: This is experimental and not complete implementation.
+CONFIG_WNM=y
+
+# Interworking (IEEE 802.11u)
+# This can be used to enable functionality to improve interworking with
+# external networks (GAS/ANQP to learn more about the networks and network
+# selection based on available credentials).
+CONFIG_INTERWORKING=y
+
+# Hotspot 2.0
+CONFIG_HS20=y
+
+# Enable interface matching in wpa_supplicant
+#CONFIG_MATCH_IFACE=y
+
+# Disable roaming in wpa_supplicant
+#CONFIG_NO_ROAMING=y
+
+# AP mode operations with wpa_supplicant
+# This can be used for controlling AP mode operations with wpa_supplicant. It
+# should be noted that this is mainly aimed at simple cases like
+# WPA2-Personal while more complex configurations like WPA2-Enterprise with an
+# external RADIUS server can be supported with hostapd.
+CONFIG_AP=y
+
+# P2P (Wi-Fi Direct)
+# This can be used to enable P2P support in wpa_supplicant. See README-P2P for
+# more information on P2P operations.
+CONFIG_P2P=y
+
+# Enable TDLS support
+CONFIG_TDLS=y
+
+# Wi-Fi Display
+# This can be used to enable Wi-Fi Display extensions for P2P using an external
+# program to control the additional information exchanges in the messages.
+CONFIG_WIFI_DISPLAY=y
+
+# Autoscan
+# This can be used to enable automatic scan support in wpa_supplicant.
+# See wpa_supplicant.conf for more information on autoscan usage.
+#
+# Enabling directly a module will enable autoscan support.
+# For exponential module:
+CONFIG_AUTOSCAN_EXPONENTIAL=y
+# For periodic module:
+CONFIG_AUTOSCAN_PERIODIC=y
+
+# Password (and passphrase, etc.) backend for external storage
+# These optional mechanisms can be used to add support for storing passwords
+# and other secrets in external (to wpa_supplicant) location. This allows, for
+# example, operating system specific key storage to be used
+#
+# External password backend for testing purposes (developer use)
+#CONFIG_EXT_PASSWORD_TEST=y
+
+# Enable Fast Session Transfer (FST)
+CONFIG_FST=y
+
+# Enable CLI commands for FST testing
+#CONFIG_FST_TEST=y
+
+# OS X builds. This is only for building eapol_test.
+#CONFIG_OSX=y
+
+# Automatic Channel Selection
+# This will allow wpa_supplicant to pick the channel automatically when channel
+# is set to "0".
+#
+# TODO: Extend parser to be able to parse "channel=acs_survey" as an alternative
+# to "channel=0". This would enable us to eventually add other ACS algorithms in
+# similar way.
+#
+# Automatic selection is currently only done through initialization, later on
+# we hope to do background checks to keep us moving to more ideal channels as
+# time goes by. ACS is currently only supported through the nl80211 driver and
+# your driver must have survey dump capability that is filled by the driver
+# during scanning.
+#
+# TODO: In analogy to hostapd be able to customize the ACS survey algorithm with
+# a newly to create wpa_supplicant.conf variable acs_num_scans.
+#
+# Supported ACS drivers:
+# * ath9k
+# * ath5k
+# * ath10k
+#
+# For more details refer to:
+# http://wireless.kernel.org/en/users/Documentation/acs
+CONFIG_ACS=y
+
+# Support Multi Band Operation
+CONFIG_MBO=y
+
+# Fast Initial Link Setup (FILS) (IEEE 802.11ai)
+CONFIG_FILS=y
+# FILS shared key authentication with PFS
+CONFIG_FILS_SK_PFS=y
+
+# Support RSN on IBSS networks
+# This is needed to be able to use mode=1 network profile with proto=RSN and
+# key_mgmt=WPA-PSK (i.e., full key management instead of WPA-None).
+CONFIG_IBSS_RSN=y
+
+# External PMKSA cache control
+# This can be used to enable control interface commands that allow the current
+# PMKSA cache entries to be fetched and new entries to be added.
+CONFIG_PMKSA_CACHE_EXTERNAL=y
+
+# Mesh Networking (IEEE 802.11s)
+CONFIG_MESH=y
+
+# Background scanning modules
+# These can be used to request wpa_supplicant to perform background scanning
+# operations for roaming within an ESS (same SSID). See the bgscan parameter in
+# the wpa_supplicant.conf file for more details.
+# Periodic background scans based on signal strength +CONFIG_BGSCAN_SIMPLE=y +# Learn channels used by the network and try to avoid bgscans on other +# channels (experimental) +CONFIG_BGSCAN_LEARN=y + +# Opportunistic Wireless Encryption (OWE) +# Experimental implementation of draft-harkins-owe-07.txt +CONFIG_OWE=y + +# Device Provisioning Protocol (DPP) +# This requires CONFIG_IEEE80211W=y to be enabled, too. (see +# wpa_supplicant/README-DPP for details) +CONFIG_DPP=y + +# Used by eapol_test only, see #985912 +CONFIG_IPV6=y diff --git a/debian/config/wpasupplicant/linux-udeb b/debian/config/wpasupplicant/linux-udeb new file mode 100644 index 0000000..c5e3ff9 --- /dev/null +++ b/debian/config/wpasupplicant/linux-udeb @@ -0,0 +1,20 @@ +# Debian's wpa_supplicant build time configuration +CONFIG_DRIVER_WEXT=y +CONFIG_DRIVER_NL80211=y +CONFIG_LIBNL32=y +CONFIG_CTRL_IFACE=y +CONFIG_BACKEND=file +CONFIG_MAIN=main +CONFIG_OS=unix +CONFIG_ELOOP=eloop +CONFIG_L2_PACKET=linux + +# At least one of these two is needed to get +# the netlink driver working, why this is the case +# is currently mysterious +#CONFIG_IEEE8021X_EAPOL=y +CONFIG_WPS=y + +# enable syslog support, as requested by d-i/ netcfg +CONFIG_DEBUG_SYSLOG=y +CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON diff --git a/debian/control b/debian/control index 3d3a82e..9abdbc5 100644 --- a/debian/control +++ b/debian/control @@ -6,9 +6,10 @@ Uploaders: Section: net Priority: optional Build-Depends: debhelper-compat (= 12), + dh-exec, libdbus-1-dev, libssl-dev, - qtbase5-dev, + qtbase5-dev , libncurses5-dev, libpcsclite-dev, libnl-3-dev (>= 3.4.0~) [linux-any], 
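Review bot: `CONFIG_WPS=y` in debian/config/wpasupplicant/linux-udeb is enabled only as a workaround, and the comment above it ("why this is the case is currently mysterious") leaves a maintainer unable to tell whether WPS is actually wanted in the installer or can be dropped once the netlink dependency is understood. I would replace it with a comment that names the dependency, for example `# WPS is enabled only to pull in the EAPOL code the nl80211 driver needs; no WPS provisioning is intended in d-i`, after confirming that this is the real reason. The udeb configuration also sets neither `CONFIG_SAE` nor `CONFIG_IEEE80211W`, both of which the full linux configuration in this same patch enables, so the installer presumably cannot join WPA3-Personal or PMF-required networks; if that is a deliberate size trade-off it deserves a one-line comment as well.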
@@ -17,13 +18,14 @@ Build-Depends: debhelper-compat (= 12), libpcap-dev [kfreebsd-any], libbsd-dev [kfreebsd-any], libreadline-dev, - pkg-config, + pkgconf | pkg-config, docbook-to-man, docbook-utils -Standards-Version: 4.3.0 -Vcs-Browser: https://salsa.debian.org/debian/wpa.git +Standards-Version: 4.4.1 +Rules-Requires-Root: no +Vcs-Browser: https://salsa.debian.org/debian/wpa Vcs-Git: https://salsa.debian.org/debian/wpa.git -Homepage: http://w1.fi/wpa_supplicant/ +Homepage: https://w1.fi/wpa_supplicant/ Package: hostapd Architecture: linux-any kfreebsd-any @@ -32,13 +34,15 @@ Pre-Depends: ${misc:Pre-Depends} Depends: ${shlibs:Depends}, ${misc:Depends}, lsb-base -Breaks: initscripts (<< 2.88dsf-0) -Description: IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator +Breaks: initscripts (<< 2.88dsf-13.3) +Description: access point and authentication server for Wi-Fi and Ethernet + IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/WPA3/EAP Authenticator + . Originally, hostapd was an optional user space component for Host AP driver. It adds more features to the basic IEEE 802.11 management included in the kernel driver: using external RADIUS authentication server for MAC address based access control, IEEE 802.1X Authenticator - and dynamic WEP keying, RADIUS accounting, WPA/WPA2 (IEEE 802.11i/RSN) + and dynamic WEP keying, RADIUS accounting, WPA/WPA2/WPA3 (IEEE 802.11i/RSN) Authenticator and dynamic TKIP/CCMP keying. . The current version includes support for other drivers, an integrated @@ -55,12 +59,12 @@ Description: IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator Package: wpagui Architecture: linux-any kfreebsd-any +Build-Profiles: Multi-Arch: foreign Depends: ${shlibs:Depends}, ${misc:Depends}, wpasupplicant (>= 0.7.3~), libqt5svg5 -Recommends: menu Description: graphical user interface for wpa_supplicant wpagui provides a Qt interface for choosing which configured network to connect to. It also provides a method for browsing 802.11 SSID scan 
@@ -76,25 +80,51 @@ Depends: ${shlibs:Depends}, adduser Suggests: wpagui, libengine-pkcs11-openssl -Breaks: initscripts (<< 2.88dsf-0) +Breaks: initscripts (<< 2.88dsf-13.3) Description: client support for WPA and WPA2 (IEEE 802.11i) - WPA and WPA2 are methods for securing wireless networks, the former - using IEEE 802.1X, and the latter using IEEE 802.11i. This software - provides key negotiation with the WPA Authenticator, and controls - association with IEEE 802.11i networks. + wpa-supplicant is a userspace daemon handling connection and authentication + in wireless and wired networks, primarily secured with the WPA/WPA2/WPA3 + protocols. This software provides key negotiation with the access point + (WPA Authenticator), and controls association with IEEE 802.11i networks. Package: wpasupplicant-udeb Architecture: linux-any +Build-Profiles: Section: debian-installer Priority: standard Depends: ${shlibs:Depends}, ${misc:Depends}, busybox-udeb Package-Type: udeb -Description: Client support for WPA and WPA2 (IEEE 802.11i) - WPA and WPA2 are methods for securing wireless networks, the former - using IEEE 802.1X, and the latter using IEEE 802.11i. This software - provides key negotiation with the WPA Authenticator, and controls - association with IEEE 802.11i networks. +Description: client support for WPA and WPA2 (IEEE 802.11i) + wpa-supplicant is a userspace daemon handling connection and authentication + in wireless and wired networks, primarily secured with the WPA/WPA2/WPA3 + protocols. This software provides key negotiation with the access point + (WPA Authenticator), and controls association with IEEE 802.11i networks. . This is a udeb of wpasupplicant for use by the debian-installer. + +Package: eapoltest +Architecture: linux-any kfreebsd-any +Depends: ${shlibs:Depends}, + ${misc:Depends} +Description: EAPoL testing utility + eapol_test allows testing EAP authentication methods without using + a full 802.1X connection. 
It is frequently used to test the EAP + configuration of RADIUS systems. It is an administrator tool and not + required for standard 802.1X authentication. + +Package: libwpa-client-dev +Section: libdevel +Architecture: linux-any kfreebsd-any +Multi-Arch: same +Depends: ${shlibs:Depends}, ${misc:Depends} +Replaces: libwpa-dev +Breaks: libwpa-dev +Description: development files for WPA/WPA2 client support (IEEE 802.11i) + wpa-supplicant is a userspace daemon handling connection and authentication + in wireless and wired networks, primarily secured with the WPA/WPA2/WPA3 + protocols. This software provides key negotiation with the access point + (WPA Authenticator), and controls association with IEEE 802.11i networks. + . + This package contains static libwpa_client library and header files. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..fd97bd4 --- /dev/null +++ b/debian/copyright 
@@ -0,0 +1,422 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: hostapd +Upstream-Contact: Jouni Malinen +Source: git://w1.fi/srv/git/hostap.git +Files-Excluded: + doc/* + eap_example/* + mac80211_hwsim/* + radius_example/* + tests/* + wlantest/* + wpadebug/* + wpaspy/* + Android.mk + build_release + +Files: * +Copyright: 2002-2021, Jouni Malinen +License: BSD-3-clause + +Files: hostapd/logwatch/* +Copyright: 2005, Henrik Brix Andersen +License: BSD-3-clause or GPL-2 + +Files: hostapd/Android.mk +Copyright: 2008, The Android Open Source Project +License: BSD-3-clause + +Files: hostapd/hostapd.8 + hostapd/hostapd_cli.1 +Copyright: 2005, Faidon Liambotis +License: BSD-3-clause + +Files: hs20/* +Copyright: 2012-2014, Qualcomm Atheros, Inc. +License: BSD-3-clause + +Files: src/ap/acs.* +Copyright: 2011, Atheros Communications + 2013, Qualcomm Atheros, Inc. +License: BSD-3-clause + +Files: src/ap/ap_list.* + src/ap/ap_mlme.* + src/ap/beacon.* + src/ap/hw_features.* + src/ap/vlan_init.* + src/ap/wmm.* +Copyright: 2002-2009, Jouni Malinen + 2002-2004, Instant802 Networks, Inc. + 2005-2006, Devicescape Software, Inc. +License: BSD-3-clause + +Files: src/ap/dfs.* +Copyright: 2002-2013, Jouni Malinen + 2013, Qualcomm Atheros, Inc. +License: BSD-3-clause + +Files: src/ap/gas_serv.* + src/ap/wnm_ap.* + src/common/ieee802_1x_defs.h + src/common/qca-vendor* +Copyright: 2011-2014, Qualcomm Atheros, Inc. +License: BSD-3-clause + +Files: src/ap/hs20.* + wpa_supplicant/hs20_supplicant.* +Copyright: 2009, Atheros Communications, Inc. + 2011-2013, Qualcomm Atheros, Inc. 
+License: BSD-3-clause + +Files: src/ap/ieee802_11_ht.c +Copyright: 2002-2009, Jouni Malinen + 2007-2008, Intel Corporation +License: BSD-3-clause + +Files: src/ap/p2p_hostapd.* +Copyright: 2009-2010, Atheros Communications +License: BSD-3-clause + +Files: src/ap/vlan_util.* +Copyright: 2012, Michael Braun +License: BSD-3-clause + +Files: src/common/gas.* +Copyright: 2009, Atheros Communications + 2011-2012, Qualcomm Atheros +License: BSD-3-clause + +Files: src/common/ieee802_11_defs.h +Copyright: 2002-2009, Jouni Malinen + 2007-2008, Intel Corporation +License: BSD-3-clause + +Files: src/common/wpa_helpers.* +Copyright: 2010-2011, Atheros Communications, Inc. + 2011-2012, Qualcomm Atheros, Inc. +License: BSD-3-clause + +Files: src/crypto/aes-internal* +Copyright: 2000, Vincent Rijmen + 2000, Antoon Bosselaers + 2000, Paulo Barreto + 2003-2012, Jouni Malinen +License: BSD-3-clause + +Files: src/crypto/des-internal.c +Copyright: 2005, Tom St Denis + 2006-2009, Jouni Malinen +License: BSD-3-clause + +Files: src/crypto/md4-internal.c +Copyright: 1993, Colin Plumb + 2004, Todd C. Miller + 2006, Jouni Malinen +License: BSD-3-clause + +Files: src/crypto/md5-internal.c +Copyright: 1993, Colin Plumb + 2003-2005, Jouni Malinen +License: BSD-3-clause + +Files: src/crypto/sha1-internal.c +Copyright: 1998, Steve Reid + 1998, James H. Brown + 2001, Saul Kravitz + 2001-2005, Jouni Malinen +License: BSD-3-clause + +Files: src/drivers/driver_atheros.c +Copyright: 2004, Sam Leffler + 2004, Video54 Technologies + 2005-2007, Jouni Malinen + 2009, Atheros Communications +License: BSD-3-clause + +Files: src/drivers/driver_bsd.c +Copyright: 2004, Sam Leffler + 2004, 2Wire, Inc +License: BSD-3-clause + +Files: src/drivers/driver_macsec_qca.c +Copyright: 2004, Gunter Burchardt + 2005-2009, Jouni Malinen + 2013-2014, Qualcomm Atheros, Inc. +License: BSD-3-clause + +Files: src/drivers/driver_nl80211.c +Copyright: 2002-2014, Jouni Malinen + 2003-2004, Instant802 Networks, Inc. 
+ 2005-2006, Devicescape Software, Inc. + 2007, Johannes Berg + 2009-2010, Atheros Communications +License: BSD-3-clause + +Files: src/drivers/driver_none.c +Copyright: 2008, Atheros Communications +License: BSD-3-clause + +Files: src/drivers/driver_openbsd.c +Copyright: 2013, Mark Kettenis +License: BSD-3-clause + +Files: src/drivers/driver_roboswitch.c +Copyright: 2008-2009, Jouke Witteveen +License: BSD-3-clause + +Files: src/drivers/driver_wired.c +Copyright: 2005-2009, Jouni Malinen + 2004, Gunter Burchardt +License: BSD-3-clause + +Files: src/drivers/nl80211_copy.h +Copyright: 2006-2010, Johannes Berg + 2008, Michael Wu + 2008, Luis Carlos Cobo + 2008, Michael Buesch + 2008-2009, Luis R. Rodriguez + 2008, Jouni Malinen + 2008, Colin McCabe +License: ISC + +Files: src/eap_common/eap_pwd_common.* + src/eap_peer/eap_pwd.c + src/eap_server/eap_server_pwd.c +Copyright: 2010, Dan Harkins +License: BSD-3-clause + +Files: src/eap_peer/eap_proxy* +Copyright: 2011-2013 Qualcomm Atheros, Inc. +License: BSD-3-clause + +Files: src/l2_packet/l2_packet_freebsd.c +Copyright: 2003-2005, Jouni Malinen + 2005, Sam Leffler +License: BSD-3-clause + +Files: src/p2p/* +Copyright: 2009-2010, Atheros Communications +License: BSD-3-clause + +Files: src/pae/* +Copyright: 2013-2014, Qualcomm Atheros, Inc. +License: BSD-3-clause + +Files: src/rsn_supp/tdls.c +Copyright: 2010-2011, Atheros Communications +License: BSD-3-clause + +Files: src/tls/libtommath.c +Copyright: 2005-2007, Tom St Denis +License: public-domain + +Files: src/utils/browser* + src/utils/http* + src/utils/xml* +Copyright: 2012-2014, Qualcomm Atheros, Inc. 
+License: BSD-3-clause + +Files: src/utils/radiotap.c +Copyright: 2007, Andy Green + 2009, Johannes Berg +License: BSD-3-clause + +Files: src/utils/radiotap.h +Copyright: 2003-2004, David Young +License: BSD-3-clause + +Files: src/wps/http.h + src/wps/upnp_xml.* + src/wps/wps_upnp.* + src/wps/wps_upnp_event.c + src/wps/wps_upnp_i.h + src/wps/wps_upnp_ssdp.c + src/wps/wps_upnp_web.c +Copyright: 2000-2003, Intel Corporation + 2006-2007, Sony Corporation + 2008-2009, Atheros Communications + 2009, Jouni Malinen +License: BSD-3-clause + +Files: src/wps/httpread.* +Copyright: 2008, Ted Merrill, Atheros Communications +License: BSD-3-clause + +Files: src/wps/ndef.c +Copyright: 2009-2012, Masashi Honma +License: BSD-3-clause + +Files: src/wps/wps_validate.c +Copyright: 2010, Atheros Communications, Inc. +License: BSD-3-clause + +Files: wpa_supplicant/dbus/dbus_common.* + wpa_supplicant/dbus/dbus_common_i.h + wpa_supplicant/dbus/dbus_new.* + wpa_supplicant/dbus/dbus_new_handlers.* + wpa_supplicant/dbus/dbus_new_handlers_wps.c + wpa_supplicant/dbus/dbus_new_helpers.* + wpa_supplicant/dbus/dbus_new_introspect.c +Copyright: 2006, Dan Williams and Red Hat, Inc. + 2009-2010, Witold Sowa + 2009-2010, Jouni Malinen +License: BSD-3-clause + +Files: wpa_supplicant/dbus/dbus_dict_helpers.* +Copyright: 2006, Dan Williams and Red Hat, Inc. 
+License: BSD-3-clause + +Files: wpa_supplicant/dbus/dbus_new_handlers_p2p.* + wpa_supplicant/examples/p2p/* + wpa_supplicant/examples/dbus-listen-preq.py +Copyright: 2011-2012, Intel Corporation +License: BSD-3-clause + +Files: wpa_supplicant/utils/log2pcap.py +Copyright: Johannes Berg , Intel Corporation +License: BSD-3-clause + +Files: wpa_supplicant/wpa_gui-qt4/icons/ap.svg +Copyright: 2008, mystica +License: public-domain + +Files: wpa_supplicant/wpa_gui-qt4/icons/group.svg +Copyright: 2009, Andrew Fitzsimon / Anonymous +License: public-domain + +Files: wpa_supplicant/wpa_gui-qt4/icons/invitation.svg +Copyright: 2009, Jean Victor Balin +License: public-domain + +Files: wpa_supplicant/wpa_gui-qt4/icons/laptop.svg +Copyright: 2008, metalmarious +License: public-domain + +Files: wpa_supplicant/wpa_gui-qt4/icons/wpa_gui.svg +Copyright: 2008, Bernard Gray +License: BSD-3-clause or GPL-2 + +Files: wpa_supplicant/wpa_gui-qt4/peers.* + wpa_supplicant/wpa_gui-qt4/stringquery.* +Copyright: 2009-2010, Atheros Communications +License: BSD-3-clause + +Files: wpa_supplicant/wpa_gui-qt4/signalbar.* +Copyright: 2011, Kel Modderman +License: BSD-3-clause + +Files: wpa_supplicant/Android.mk + wpa_supplicant/wpa_supplicant_conf.* +Copyright: 2008-2010, The Android Open Source Project +License: BSD-3-clause + +Files: wpa_supplicant/ap.* +Copyright: 2003-2009, Jouni Malinen + 2009, Atheros Communications +License: BSD-3-clause + +Files: wpa_supplicant/autoscan* +Copyright: 2012, Intel Corporation +License: BSD-3-clause + +Files: wpa_supplicant/gas_query.* + wpa_supplicant/offchannel.* + wpa_supplicant/p2p_supplicant.* + wpa_supplicant/wifi_display.* +Copyright: 2009-2011, Atheros Communications + 2011-2014, Qualcomm Atheros + 2011-2014, Jouni Malinen +License: BSD-3-clause + +Files: wpa_supplicant/interworking.* + wpa_supplicant/wnm_sta.* + wpa_supplicant/wpas_kay.* +Copyright: 2011-2014, Qualcomm Atheros + 2011-2014, Jouni Malinen +License: BSD-3-clause + +Files: debian/* 
+Copyright: 2004-2006, Kyle McMartin + 2005-2009, Faidon Liambotis + 2006-2008, Reinhard Tartler + 2006-2012, Kel Modderman + 2010, Jan Dittberner + 2010-2014, Stefan Lippers-Hollmann + 2016-2021, Andrej Shadura +License: BSD-3-clause + +License: BSD-3-clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + . + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + . + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + 3. Neither the name(s) of the above-listed copyright holder(s) nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +License: GPL-2 + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License version 2 as + published by the Free Software Foundation. + . 
+ This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA + . + On Debian GNU/Linux systems, the complete text of the GNU General Public + License version 2 can be found in `/usr/share/common-licenses/GPL-2'. + . + Note that this distribution of hostapd comes with configuration options that + link it to the OpenSSL library. The OpenSSL license is GPL-incompatible, + therefore in this distribution only the BSD license applies. + +License: ISC + Permission to use, copy, modify, and/or distribute this software for any + purpose with or without fee is hereby granted, provided that the above + copyright notice and this permission notice appear in all copies. + . + THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +License: public-domain + Minimal code for RSA support from LibTomMath 0.41 + http://libtom.org/ + http://libtom.org/files/ltm-0.41.tar.bz2 + This library was released in public domain by Tom St Denis. + . + The combination in this file may not use all of the optimized algorithms + from LibTomMath and may be considerable slower than the LibTomMath with its + default settings. 
The main purpose of having this version here is to make it + easier to build bignum.c wrapper without having to install and build an + external library. + diff --git a/debian/eapoltest.install b/debian/eapoltest.install new file mode 100644 index 0000000..d3fe2c3 --- /dev/null +++ b/debian/eapoltest.install @@ -0,0 +1 @@ +wpa_supplicant/eapol_test usr/bin/ diff --git a/debian/eapoltest.lintian-overrides b/debian/eapoltest.lintian-overrides new file mode 100644 index 0000000..9dea613 --- /dev/null +++ b/debian/eapoltest.lintian-overrides @@ -0,0 +1,3 @@ +# We distribute the package under the terms of the BSD license due to the +# openssl issue, tell lintian to not complain: +eapoltest: possible-gpl-code-linked-with-openssl diff --git a/debian/eapoltest.manpages b/debian/eapoltest.manpages new file mode 100644 index 0000000..1c02297 --- /dev/null +++ b/debian/eapoltest.manpages @@ -0,0 +1 @@ +wpa_supplicant/doc/docbook/eapol_test.8 diff --git a/debian/examples/wpa-roam.conf b/debian/examples/wpa-roam.conf new file mode 100644 index 0000000..5b88f6e --- /dev/null +++ b/debian/examples/wpa-roam.conf 
@@ -0,0 +1,85 @@ +######################## Debian wpa-roam Template ############################# +# +# Template configuration for wpa-roam mode of Debian's wpasupplicant package. +# wpa-roam mode is described in detail in the wpa_action(8) manpage, and also +# at /usr/share/doc/wpasupplicant/README.modes.gz. Please read these documents +# to get an overview of how to setup this mode. +# +# For a detailed set of configuration examples for different networks, refer to +# /usr/share/doc/wpasupplicant/README.wpa_supplicant.conf.gz +# +# Also see the other files in /usr/share/doc/wpasupplicant/examples/ for +# specific network configuration examples. +# +# Empty lines and lines starting with # are ignored +# +# NOTE! This file may contain password information and should be made readable +# only by root user or netdev group on multiuser systems. +# +######################## Global Configuration Options ######################### +# +# The update_config option can be used to allow wpa_supplicant to overwrite +# configuration file whenever configuration is changed (e.g., new network block +# is added with wpa_cli or wpa_gui, or a password is changed). This is required +# for wpa_cli/wpa_gui to be able to store the configuration changes +# permanently. +# +# NOTE! Any comments will be removed from the configuration file when the +# update_config option is used. +# +#update_config=1 + +# The ctrl_interface specifies the path to a unix socket through which the +# supplicant may be controlled and interacted with. +# +# DIR= Path to UNIX socket control interface, mandatory for wpa-roam mode +# GROUP= Users in this group to control wpa_supplicant via wpa_cli/wpa_gui +# +ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev +# +######################## Network Block Configurations ######################### +# +# Each network is configured as a separate block in this configuration file. 
+# The network blocks are listed in preference of order, the top most network +# to be found in scan results is used. +# +# By default, all networks will get same priority (0). If some of the networks +# are more desirable, the "priority=" network parameter can be used to change +# the order in which wpa_supplicant goes through the network blocks when +# selecting what network will be used. The priority groups will be iterated +# in decreasing priority, the network with the highest priority value will be +# considered for selection first and the network with the lowest priority value +# will be considered last. +# +# NOTE! The scan_ssid=1 and ap_scan=2 modes ignore the priority field. Instead, +# the networks will be considered in the order specified in this configuration +# file. +# +# The "id_str=" network identifier string parameter is given to wpa_action when +# a network has been selected, and contains this field in its configuration +# block. The given id_str string will be used to select a logical interfaces +# from ifupdown's /etc/network/interfaces file. +# +############################################################################### + +#network={ +# ssid="Example WEP Network" +# key_mgmt=NONE +# wep_key0=6162636465 +# wep_tx_keyidx=0 +# id_str="johns_house" +#} + +#network={ +# ssid="Example WPA Network" +# psk="mysecretpassphrase" +# id_str="home" +#} + +############################################################################### +# Default behaviour is to associate with any open access point, further +# networks can be configured with wpa_cli/wpa_gui. +# +network={ + key_mgmt=NONE +} diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 0000000..6443ae8 --- /dev/null +++ b/debian/gbp.conf @@ -0,0 +1,3 @@ +[DEFAULT] +debian-branch=debian/unstable +upstream-branch=upstream/latest diff --git a/debian/gitlab-ci.yml b/debian/gitlab-ci.yml new file mode 100644 index 0000000..0c22dc4 --- /dev/null +++ b/debian/gitlab-ci.yml 
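Review bot: The only active `network={ key_mgmt=NONE }` block, at the end of the template, makes any system that copies this file associate with whatever open access point is in range. That is a risky default for a file users are told to start from. I would ship that block commented out like the two examples above it, or at least put a warning directly on it, e.g. `# WARNING: joins ANY unencrypted network in range; remove unless intended`. The "Example WEP Network" block could also carry a one-line remark that WEP is only for legacy networks.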
@@ -0,0 +1,3 @@
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
diff --git a/debian/hostapd.NEWS b/debian/hostapd.NEWS
new file mode 100644
index 0000000..f45729f
--- /dev/null
+++ b/debian/hostapd.NEWS
@@ -0,0 +1,29 @@
+wpa (2:2.7-3) unstable; urgency=medium
+
+ Starting from this version, the init script of hostapd will display
+ a warning if DAEMON_CONF is set to a value different from
+ /etc/hostapd/hostapd.conf. A future upload will also attempt
+ to migrate the configuration file to the new location.
+
+ -- Andrej Shadura Thu, 10 Jan 2019 21:29:31 +0100
+
+wpa (2:2.6-10) unstable; urgency=medium
+
+ The hostapd .service file is now automatically masked every time the
+ package is upgraded with no valid configuration.
+
+ The plan is to deprecate /etc/default/hostapd at some point, making
+ /etc/hostapd/hostapd.conf the standard location for the configuration
+ file.
+
+ -- Andrew Shadura Tue, 28 Nov 2017 12:29:21 +0100
+
+wpa (2:2.6-8) unstable; urgency=medium
+
+ Since 2:2.6-6, hostapd ships a systemd .service file. As hostapd comes
+ with /etc/default/hostapd file, which by default doesn't specify any
+ config file, to prevent installation or boot failures, the package's
+ postinst script masks the hostapd.service unit on the first install.
+ After editing the default file, users need to unmask it themselves.
+
+ -- Andrew Shadura Sun, 26 Nov 2017 19:25:50 +0000
diff --git a/debian/hostapd.README.Debian b/debian/hostapd.README.Debian
new file mode 100644
index 0000000..da5f000
--- /dev/null
+++ b/debian/hostapd.README.Debian
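Review bot: Both `include:` entries pull the pipeline definition from the `master` branch of another project, so the CI that builds this package can change without any commit in this repository. Pinning the URLs to a reviewed commit, e.g. `https://salsa.debian.org/salsa-ci-team/pipeline/raw/<PINNED_COMMIT_SHA>/salsa-ci.yml` (placeholder, not a real id), would make pipeline changes visible in this repository's history. If tracking `master` is deliberate, a comment saying so would record that trust decision.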
@@ -0,0 +1,43 @@ +hostapd for Debian +------------------ + +This package provides two methods for managing hostapd process(es); an +initscript and an ifupdown hook. Both methods require creation of a +hostapd daemon configuration file (/etc/hostapd/hostapd.conf) to +function correctly. + +An example hostapd.conf may be used as a template but _must_ be edited +to suit your local configuration. An example is located at: + /usr/share/doc/hostapd/examples/hostapd.conf.gz + +To use the example as a template: + # zcat /usr/share/doc/hostapd/examples/hostapd.conf.gz > \ + /etc/hostapd/hostapd.conf + # $EDITOR /etc/hostapd/hostapd.conf + +If you're running systemd, you need to unmask the hostapd unit by running: + + systemctl unmask hostapd + +If you want to run multiple instances of hostapd with different +configurations, consider using a service template hostapd@.service +shipped with the package. E.g. for a hostapd configuration file named +/etc/hostapd/wifi.conf, the service name will be hostapd@wifi.service. + +The previously supported configuration setting DAEMON_CONF in +/etc/default/hostapd is deprecated and its support will be removed. + +To use the ifupdown method, the path to hostapd configuration file can +be specified in a network interfaces configuration stanza in +/etc/network/interfaces like so: + +iface eth1 inet static + hostapd /etc/hostapd/hostapd.conf + ... + +The hostapd process will be started in the pre-up phase of ifup, and be +terminated in the post-down phase of ifdown. + +Please note: +* If you want to use hostapd with a Prism2/2.5/3 card in WPA mode, you'll need + STA firmware version >= 1.7.0. diff --git a/debian/hostapd.default b/debian/hostapd.default new file mode 100644 index 0000000..3e53c4a --- /dev/null +++ b/debian/hostapd.default 
@@ -0,0 +1,23 @@ +# Defaults for hostapd initscript +# +# WARNING: The DAEMON_CONF setting has been deprecated and will be removed +# in future package releases. +# +# See /usr/share/doc/hostapd/README.Debian for information about alternative +# methods of managing hostapd. +# +# Uncomment and set DAEMON_CONF to the absolute path of a hostapd configuration +# file and hostapd will be started during system boot. An example configuration +# file can be found at /usr/share/doc/hostapd/examples/hostapd.conf.gz +# +#DAEMON_CONF="" + +# Additional daemon options to be appended to hostapd command:- +# -d show more debug messages (-dd for even more) +# -K include key data in debug messages +# -t include timestamps in some debug messages +# +# Note that -B (daemon mode) and -P (pidfile) options are automatically +# configured by the init.d script and must not be added to DAEMON_OPTS. +# +#DAEMON_OPTS="" diff --git a/debian/hostapd.docs b/debian/hostapd.docs new file mode 100644 index 0000000..7fd262e --- /dev/null +++ b/debian/hostapd.docs @@ -0,0 +1,3 @@ +hostapd/README +hostapd/README-MULTI-AP +hostapd/README-WPS diff --git a/debian/hostapd.examples b/debian/hostapd.examples new file mode 100644 index 0000000..a02eefc --- /dev/null +++ b/debian/hostapd.examples @@ -0,0 +1,6 @@ +hostapd/hostapd.accept +hostapd/hostapd.conf +hostapd/hostapd.deny +hostapd/hostapd.eap_user +hostapd/hostapd.radius_clients +hostapd/hostapd.wpa_psk diff --git a/debian/hostapd.init b/debian/hostapd.init new file mode 100644 index 0000000..cc58747 --- /dev/null +++ b/debian/hostapd.init 
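Review bot: The option list advertises `-K` without saying that it writes key material into the debug output, which is easy to leave enabled after a troubleshooting session. I would extend that line to `# -K include key data in debug messages (exposes keys in logs; debugging only)`. This file is also consumed in two ways in this commit: sourced as shell by debian/hostapd.init and debian/hostapd.postinst, and read through `EnvironmentFile=` by the systemd units. A comment that it must contain only plain `NAME="value"` assignments valid for both would prevent surprises.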
@@ -0,0 +1,80 @@ +#!/bin/sh + +### BEGIN INIT INFO +# Provides: hostapd +# Required-Start: $remote_fs +# Required-Stop: $remote_fs +# Should-Start: $network +# Should-Stop: +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Access point and authentication server for Wi-Fi and Ethernet +# Description: Access point and authentication server for Wi-Fi and Ethernet +# Userspace IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator +### END INIT INFO + +PATH=/sbin:/bin:/usr/sbin:/usr/bin +DAEMON_SBIN=/usr/sbin/hostapd +DAEMON_DEFS=/etc/default/hostapd +DAEMON_CONF=/etc/hostapd/hostapd.conf +NAME=hostapd +DESC="advanced IEEE 802.11 management" +PIDFILE=/run/hostapd.pid + +[ -x "$DAEMON_SBIN" ] || exit 0 +[ -s "$DAEMON_DEFS" ] && . /etc/default/hostapd +[ -n "$DAEMON_CONF" ] || exit 0 + +DAEMON_OPTS="-B -P $PIDFILE $DAEMON_OPTS $DAEMON_CONF" + +. /lib/lsb/init-functions + +for conf in $DAEMON_CONF +do + if [ ! -r "$conf" ] + then + log_action_msg "hostapd config $conf not found, not starting hostapd." + exit 0 + fi +done + +case "$1" in + start) + if [ "$DAEMON_CONF" != /etc/hostapd/hostapd.conf ] + then + log_warning_msg "hostapd config not in /etc/hostapd/hostapd.conf -- please read /usr/share/doc/hostapd/NEWS.Debian.gz" + fi + log_daemon_msg "Starting $DESC" "$NAME" + start-stop-daemon --start --oknodo --quiet --exec "$DAEMON_SBIN" \ + --pidfile "$PIDFILE" -- $DAEMON_OPTS >/dev/null + log_end_msg "$?" + ;; + stop) + log_daemon_msg "Stopping $DESC" "$NAME" + start-stop-daemon --stop --oknodo --quiet --exec "$DAEMON_SBIN" \ + --pidfile "$PIDFILE" + log_end_msg "$?" + ;; + reload) + log_daemon_msg "Reloading $DESC" "$NAME" + start-stop-daemon --stop --signal HUP --exec "$DAEMON_SBIN" \ + --pidfile "$PIDFILE" + log_end_msg "$?" + ;; + restart|force-reload) + $0 stop + sleep 8 + $0 start + ;; + status) + status_of_proc "$DAEMON_SBIN" "$NAME" + exit $? 
+ ;; + *) + N=/etc/init.d/$NAME + echo "Usage: $N {start|stop|restart|force-reload|reload|status}" >&2 + exit 1 + ;; +esac + +exit 0 diff --git a/debian/hostapd.install b/debian/hostapd.install new file mode 100644 index 0000000..c7d5429 --- /dev/null +++ b/debian/hostapd.install @@ -0,0 +1,3 @@ +debian/ifupdown/hostapd/ifupdown.sh etc/hostapd/ +hostapd/hostapd usr/sbin/ +hostapd/hostapd_cli usr/sbin/ diff --git a/debian/hostapd.links b/debian/hostapd.links new file mode 100644 index 0000000..471b6f5 --- /dev/null +++ b/debian/hostapd.links @@ -0,0 +1,2 @@ +etc/hostapd/ifupdown.sh /etc/network/if-pre-up.d/hostapd +etc/hostapd/ifupdown.sh /etc/network/if-post-down.d/hostapd diff --git a/debian/hostapd.lintian-overrides b/debian/hostapd.lintian-overrides new file mode 100644 index 0000000..c101bf9 --- /dev/null +++ b/debian/hostapd.lintian-overrides @@ -0,0 +1,9 @@ +# We distribute the package under the terms of the BSD license due to the +# openssl issue, tell lintian to not complain: +hostapd binary: possible-gpl-code-linked-with-openssl + +# no need for per-interface init scripts since hostapd has ifupdown integration +hostapd: package-supports-alternative-init-but-no-init.d-script lib/systemd/system/hostapd@.service + +# we want to call systemctl and not anything else to mask a unit +hostapd: maintainer-script-calls-systemctl diff --git a/debian/hostapd.manpages b/debian/hostapd.manpages new file mode 100644 index 0000000..ef6882f --- /dev/null +++ b/debian/hostapd.manpages @@ -0,0 +1,2 @@ +hostapd/hostapd.8 +hostapd/hostapd_cli.1 diff --git a/debian/hostapd.postinst b/debian/hostapd.postinst new file mode 100755 index 0000000..1b8908a --- /dev/null +++ b/debian/hostapd.postinst 
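Review bot: The defaults file is tested through `$DAEMON_DEFS` but sourced through a hard-coded path in `[ -s "$DAEMON_DEFS" ] && . /etc/default/hostapd`, so the check and the file actually executed can drift apart if the variable changes. I would write `[ -s "$DAEMON_DEFS" ] && . "$DAEMON_DEFS"`. Since that file is executed as shell by whoever runs the init script (normally root), a header comment stating it must stay root-owned and not writable by others would be worth adding. In the `restart|force-reload` arm, `$0` is unquoted and the result of `stop` is ignored; `"$0" stop` and `"$0" start` are the safer spelling.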
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -e
+
+: ${DPKG_ROOT=}
+
+#DEBHELPER#
+
+if [ -d /run/systemd/system ] && [ -x /bin/systemctl ] && [ "$1" = configure ] && [ -z "$DPKG_ROOT" ]
+then
+ DAEMON_CONF=
+ . /etc/default/hostapd
+ if [ -z "$DAEMON_CONF" ] && [ ! -r /etc/hostapd/hostapd.conf ] && ! systemctl --quiet is-active hostapd.service
+ then
+ systemctl mask hostapd.service
+ fi
+fi
+
+exit 0
diff --git a/debian/hostapd.postrm b/debian/hostapd.postrm
new file mode 100755
index 0000000..49353dc
--- /dev/null
+++ b/debian/hostapd.postrm
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+set -e
+
+if [ -d /run/systemd/system ] && [ "$1" = purge ]
+then
+ systemctl unmask hostapd.service
+fi
+
+#DEBHELPER#
+exit 0
diff --git a/debian/hostapd.service b/debian/hostapd.service
new file mode 100644
index 0000000..7310c3a
--- /dev/null
+++ b/debian/hostapd.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Access point and authentication server for Wi-Fi and Ethernet
+Documentation=man:hostapd(8)
+After=network.target
+
+[Service]
+Type=forking
+PIDFile=/run/hostapd.pid
+Restart=on-failure
+RestartSec=2
+Environment=DAEMON_CONF=/etc/hostapd/hostapd.conf
+EnvironmentFile=-/etc/default/hostapd
+ExecStart=/usr/sbin/hostapd -B -P /run/hostapd.pid $DAEMON_OPTS ${DAEMON_CONF}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/debian/hostapd@.service b/debian/hostapd@.service
new file mode 100644
index 0000000..44a1d9c
--- /dev/null
+++ b/debian/hostapd@.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Access point and authentication server for Wi-Fi and Ethernet (%I)
+Documentation=man:hostapd(8)
+After=network.target
+BindsTo=sys-subsystem-net-devices-%i.device
+
+[Service]
+Type=forking
+PIDFile=/run/hostapd.%i.pid
+Restart=on-failure
+RestartSec=2
+EnvironmentFile=-/etc/default/hostapd
+ExecStart=/usr/sbin/hostapd -B -P /run/hostapd.%i.pid $DAEMON_OPTS /etc/hostapd/%i.conf
+
+[Install]
+WantedBy=multi-user.target sys-subsystem-net-devices-%i.device
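Review bot: In debian/hostapd.postinst, `. /etc/default/hostapd` runs unguarded under `set -e`, so if the administrator has removed that conffile the failed `.` aborts the `configure` step and leaves the package unconfigured. The init script in this same commit guards the file with `[ -s "$DAEMON_DEFS" ]`; the postinst should do the same, e.g. `[ ! -r /etc/default/hostapd ] || . /etc/default/hostapd`. A short comment that the file is executed as root during configuration, and why only `DAEMON_CONF` is read from it, would also help the next maintainer.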
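Review bot: The `[Service]` section of debian/hostapd.service starts a network-facing daemon with no `User=` and no sandboxing directive, and debian/hostapd@.service has the same gap. A conservative first step would be adding `NoNewPrivileges=yes` and `ProtectHome=yes`. A capability bound could follow once the set hostapd really needs on the supported drivers has been tested. I would avoid `PrivateTmp=` unless it is verified with hostapd_cli, since the control-interface client may depend on a shared /tmp.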
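Review bot: In debian/hostapd@.service the instance name `%i` is used both as the configuration basename (`/etc/hostapd/%i.conf`) and as a network device name in `BindsTo=sys-subsystem-net-devices-%i.device`. The README example in this commit (`/etc/hostapd/wifi.conf` giving `hostapd@wifi.service`) would therefore only start if an interface is actually called `wifi`. I would state the contract in the unit, e.g. `# %i must be the interface name; its config is /etc/hostapd/%i.conf`, and align the README example with it. A comment that instance names should be plain interface names would also make clear what ends up in the pidfile and config paths.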
diff --git a/debian/ifupdown/action_wpa.sh b/debian/ifupdown/action_wpa.sh new file mode 100755 index 0000000..bb4c7c1 --- /dev/null +++ b/debian/ifupdown/action_wpa.sh @@ -0,0 +1,50 @@ +#!/bin/sh + +# Action script to enable/disable wpa-roam interfaces in reaction to +# ifplugd events. +# +# Copyright: Copyright (c) 2008-2010, Kel Modderman +# License: GPL-2 +# + +PATH=/sbin:/usr/sbin:/bin:/usr/bin + +if [ ! -x /sbin/wpa_action ]; then + exit 0 +fi + +# ifplugd(8) - +# +# If an ifplugd managed interface is brought up, disconnect any +# wpa-roam managed interfaces so that only one "roaming" interface +# remains active on the system. + +IFPLUGD_IFACE="${1}" + +case "${2}" in + up) + COMMAND=disconnect + ;; + down) + COMMAND=reconnect + ;; + *) + echo "$0: unknown arguments: ${@}" >&2 + exit 1 + ;; +esac + +for CTRL in /run/wpa_supplicant/*; do + [ -S "${CTRL}" ] || continue + + IFACE="${CTRL#/run/wpa_supplicant/}" + + # skip if ifplugd is managing this interface + if [ "${IFPLUGD_IFACE}" = "${IFACE}" ]; then + continue + fi + + if wpa_action "${IFACE}" check; then + wpa_cli -i "${IFACE}" "${COMMAND}" + fi +done diff --git a/debian/ifupdown/functions.sh b/debian/ifupdown/functions.sh new file mode 100644 index 0000000..26404e7 --- /dev/null +++ b/debian/ifupdown/functions.sh 
@@ -0,0 +1,993 @@ +#!/bin/sh + +##################################################################### +## Purpose +# This file contains common shell functions used by scripts of the +# wpasupplicant package to allow ifupdown to manage wpa_supplicant. +# It also contains some functions used by wpa_action(8) that allow +# ifupdown to be managed by wpa_cli(8) action events. +# +# This file is provided by the wpasupplicant package. + +##################################################################### +# Copyright (C) 2006 - 2009 Debian/Ubuntu wpasupplicant Maintainers +# +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# On Debian GNU/Linux systems, the text of the GPL license, +# version 2, can be found in /usr/share/common-licenses/GPL-2. 
+ +##################################################################### +## global variables +# wpa_supplicant variables +WPA_SUP_BIN="/sbin/wpa_supplicant" +WPA_SUP_PNAME="wpa_supplicant" +WPA_SUP_PIDFILE="/run/wpa_supplicant.${WPA_IFACE}.pid" +WPA_SUP_OMIT_DIR="/run/sendsigs.omit.d" +WPA_SUP_OMIT_PIDFILE="${WPA_SUP_OMIT_DIR}/wpasupplicant.wpa_supplicant.${WPA_IFACE}.pid" + +# wpa_cli variables +WPA_CLI_BIN="/sbin/wpa_cli" +WPA_CLI_PNAME="wpa_cli" +WPA_CLI_PIDFILE="/run/wpa_action.${WPA_IFACE}.pid" +WPA_CLI_TIMESTAMP="/run/wpa_action.${WPA_IFACE}.timestamp" +WPA_CLI_IFUPDOWN="/run/wpa_action.${WPA_IFACE}.ifupdown" + +# default ctrl_interface socket directory +if [ -z "$WPA_CTRL_DIR" ]; then + WPA_CTRL_DIR="/run/wpa_supplicant" +fi + +# verbosity variables +if [ -n "$IF_WPA_VERBOSITY" ] || [ "$VERBOSITY" = "1" ]; then + TO_NULL="/dev/stdout" + DAEMON_VERBOSITY="--verbose" +else + TO_NULL="/dev/null" + DAEMON_VERBOSITY="--quiet" +fi + +##################################################################### +## wpa_cli wrapper +# Path to common ctrl_interface socket and iface supplied. +# NB: WPA_CTRL_DIR cannot be used for interactive commands, it is +# set only in the environment that wpa_cli provides when processing +# action events. +# +wpa_cli () { + "$WPA_CLI_BIN" -p "$WPA_CTRL_DIR" -i "$WPA_IFACE" "$@" + + return "$?" +} + +##################################################################### +## verbose and stderr message wrapper +# Ensures a standard and easily identifiable message is printed by +# scripts using this function library. 
+# +# log Log a message to syslog when called non-interactively +# by wpa_action +# +# verbose To stdout when IF_WPA_VERBOSITY or VERBOSITY is true +# +# action Same as verbose but without newline +# Useful for allowing wpa_cli commands to echo result +# value of 'OK' or 'FAILED' +# +# stderr Echo warning or error messages to stderr +# +# NB: when called by wpa_action, there is no redirection (verbose) +# +wpa_msg () { + if [ "$1" = "log" ]; then + shift + case "$WPA_ACTION" in + "CONNECTED"|"DISCONNECTED") + [ -x /usr/bin/logger ] || return + if [ "$#" -gt 0 ]; then + logger -t "wpa_action" "$@" + else + logger -t "wpa_action" + fi + ;; + *) + [ "$#" -gt 0 ] && echo "wpa_action: $@" + ;; + esac + return + fi + + case "$1" in + "verbose") + shift + echo "$WPA_SUP_PNAME: $@" >$TO_NULL + ;; + "action") + shift + echo -n "$WPA_SUP_PNAME: $@ -- " >$TO_NULL + ;; + "stderr") + shift + echo "$WPA_SUP_PNAME: $@" >/dev/stderr + ;; + *) + ;; + esac +} + +##################################################################### +## validate daemon pid files +# Test daemon process ID files via start-stop-daemon with a signal 0 +# given the exec binary and pidfile location. +# +# $1 daemon +# $2 pidfile +# +# Returns true when pidfile exists, the process ID exists _and_ was +# created by the exec binary. 
+# +# If the test fails, but the pidfile exists, it is stale +# +test_daemon_pidfile () { + local DAEMON + local PIDFILE + + if [ -n "$1" ]; then + DAEMON="$1" + fi + + if [ -f "$2" ]; then + PIDFILE="$2" + fi + + if [ -n "$DAEMON" ] && [ -f "$PIDFILE" ]; then + if start-stop-daemon --stop --quiet --signal 0 \ + --exec "$DAEMON" --pidfile "$PIDFILE"; then + return 0 + else + rm -f "$PIDFILE" + return 1 + fi + else + return 1 + fi +} + +# validate wpa_supplicant pidfile +test_wpa_supplicant () { + test_daemon_pidfile "$WPA_SUP_BIN" "$WPA_SUP_PIDFILE" +} + +# validate wpa_cli pidfile +test_wpa_cli () { + test_daemon_pidfile "$WPA_CLI_BIN" "$WPA_CLI_PIDFILE" +} + +##################################################################### +## daemonize wpa_supplicant +# Start wpa_supplicant via start-stop-dameon with all required +# options. Will start if environment variable WPA_SUP_CONF is present +# +# Default options: +# -B dameonize/background process +# -D driver backend ('wext' if none given) +# -P process ID file +# -C path to ctrl_interface socket directory +# -s log to syslog +# +# Conditional options: +# -c configuration file +# -W wait for wpa_cli to attach to ctrl_interface socket +# -b bridge interface name +# -f path to log file +# +init_wpa_supplicant () { + [ -n "$WPA_SUP_CONF" ] || return 0 + + local WPA_SUP_OPTIONS + WPA_SUP_OPTIONS="-s -B -P $WPA_SUP_PIDFILE -i $WPA_IFACE" + + if [ -n "$WPA_ACTION_SCRIPT" ]; then + if [ -x "$WPA_ACTION_SCRIPT" ]; then + WPA_SUP_OPTIONS="$WPA_SUP_OPTIONS -W" + wpa_msg verbose "wait for wpa_cli to attach" + else + wpa_msg stderr "action script \"$WPA_ACTION_SCRIPT\" not executable" + return 1 + fi + fi + + if [ -n "$IF_WPA_BRIDGE" ]; then + WPA_SUP_OPTIONS="$WPA_SUP_OPTIONS -b $IF_WPA_BRIDGE" + wpa_msg verbose "wpa-bridge $IF_WPA_BRIDGE" + fi + + if [ -n "$IF_WPA_DRIVER" ]; then + wpa_msg verbose "wpa-driver $IF_WPA_DRIVER" + case "$IF_WPA_DRIVER" in + hostap|ipw|madwifi|ndiswrapper) + WPA_SUP_OPTIONS="$WPA_SUP_OPTIONS -D 
nl80211,wext" + wpa_msg stderr "\"$IF_WPA_DRIVER\" wpa-driver is unsupported" + wpa_msg stderr "using \"nl80211,wext\" wpa-driver instead ..." + ;; + *) + WPA_SUP_OPTIONS="$WPA_SUP_OPTIONS -D $IF_WPA_DRIVER" + ;; + esac + else + WPA_SUP_OPTIONS="$WPA_SUP_OPTIONS -D nl80211,wext" + wpa_msg verbose "wpa-driver nl80211,wext (default)" + fi + + if [ -n "$IF_WPA_DEBUG_LEVEL" ]; then + case "$IF_WPA_DEBUG_LEVEL" in + 3) + WPA_SUP_OPTIONS="$WPA_SUP_OPTIONS -t -ddd" + ;; + 2) + WPA_SUP_OPTIONS="$WPA_SUP_OPTIONS -t -dd" + ;; + 1) + WPA_SUP_OPTIONS="$WPA_SUP_OPTIONS -t -d" + ;; + 0) + # wpa_supplicant default verbosity + ;; + -1) + WPA_SUP_OPTIONS="$WPA_SUP_OPTIONS -q" + ;; + -2) + WPA_SUP_OPTIONS="$WPA_SUP_OPTIONS -qq" + ;; + esac + wpa_msg verbose "using debug level: $IF_WPA_DEBUG_LEVEL" + fi + + if [ -n "$IF_WPA_LOGFILE" ]; then + # custom log file + WPA_SUP_OPTIONS="$WPA_SUP_OPTIONS -f $IF_WPA_LOGFILE" + WPA_SUP_LOGFILE="$IF_WPA_LOGFILE" + wpa_msg verbose "logging to $IF_WPA_LOGFILE" + fi + + wpa_msg verbose "$WPA_SUP_BIN $WPA_SUP_OPTIONS $WPA_SUP_CONF" + + start-stop-daemon --start --oknodo $DAEMON_VERBOSITY \ + --name $WPA_SUP_PNAME --startas $WPA_SUP_BIN --pidfile $WPA_SUP_PIDFILE \ + -- $WPA_SUP_OPTIONS $WPA_SUP_CONF + + if [ "$?" -ne 0 ]; then + wpa_msg stderr "$WPA_SUP_BIN daemon failed to start" + return 1 + fi + + local WPA_PIDFILE_WAIT + local MAX_WPA_PIDFILE_WAIT + WPA_PIDFILE_WAIT="0" + MAX_WPA_PIDFILE_WAIT="5" + until [ -s "$WPA_SUP_PIDFILE" ]; do + if [ "$WPA_PIDFILE_WAIT" -ge "$MAX_WPA_PIDFILE_WAIT" ]; then + wpa_msg stderr "timed out waiting for creation of $WPA_SUP_PIDFILE" + return 1 + else + wpa_msg verbose "waiting for \"$WPA_SUP_PIDFILE\": " \ + "$WPA_PIDFILE_WAIT (max. 
$MAX_WPA_PIDFILE_WAIT)" + fi + + WPA_PIDFILE_WAIT=$(($WPA_PIDFILE_WAIT + 1)) + sleep 1 + done + if [ -d "${WPA_SUP_OMIT_DIR}" ]; then + wpa_msg verbose "creating sendsigs omission pidfile: $WPA_SUP_OMIT_PIDFILE" + cat "$WPA_SUP_PIDFILE" > "$WPA_SUP_OMIT_PIDFILE" + fi + + local WPA_SOCKET_WAIT + local MAX_WPA_SOCKET_WAIT + WPA_SOCKET_WAIT="0" + MAX_WPA_SOCKET_WAIT="5" + until [ -S "$WPA_CTRL_DIR/$WPA_IFACE" ]; do + if [ "$WPA_SOCKET_WAIT" -ge "$MAX_WPA_SOCKET_WAIT" ]; then + wpa_msg stderr "ctrl_interface socket not found at $WPA_CTRL_DIR/$WPA_IFACE" + return 1 + else + wpa_msg verbose "waiting for \"$WPA_CTRL_DIR/$WPA_IFACE\": " \ + "$WPA_SOCKET_WAIT (max. $MAX_WPA_SOCKET_WAIT)" + fi + + WPA_SOCKET_WAIT=$(($WPA_SOCKET_WAIT + 1)) + sleep 1 + done + + wpa_msg verbose "ctrl_interface socket located at $WPA_CTRL_DIR/$WPA_IFACE" +} + +##################################################################### +## stop wpa_supplicant process +# Kill wpa_supplicant via start-stop-daemon, given the location of +# the pidfile or ctrl_interface socket path and interface name +# +kill_wpa_supplicant () { + test_wpa_supplicant || return 0 + + wpa_msg verbose "terminating $WPA_SUP_PNAME daemon via pidfile $WPA_SUP_PIDFILE" + + start-stop-daemon --stop --oknodo $DAEMON_VERBOSITY \ + --exec $WPA_SUP_BIN --pidfile $WPA_SUP_PIDFILE + + if [ -f "$WPA_SUP_PIDFILE" ]; then + rm -f "$WPA_SUP_PIDFILE" + fi + + if [ -f "$WPA_SUP_OMIT_PIDFILE" ]; then + wpa_msg verbose "removing $WPA_SUP_OMIT_PIDFILE" + rm -f "$WPA_SUP_OMIT_PIDFILE" + fi +} + +##################################################################### +## reload wpa_supplicant process +# Sending a HUP signal causes wpa_supplicant to reparse its +# configuration file +# +reload_wpa_supplicant () { + if test_wpa_supplicant; then + wpa_msg verbose "reloading wpa_supplicant configuration file via HUP signal" + start-stop-daemon --stop --signal HUP \ + --name "$WPA_SUP_PNAME" --pidfile "$WPA_SUP_PIDFILE" + else + wpa_msg verbose "cannot 
$WPA_ACTION, $WPA_SUP_PIDFILE does not exist" + fi +} + +##################################################################### +## daemonize wpa_cli and action script +# If environment variable WPA_ACTION_SCRIPT is present, wpa_cli will +# be spawned via start-stop-daemon +# +# Required options: +# -a action script => wpa_action +# -P process ID file +# -B background process +# +init_wpa_cli () { + [ -n "$WPA_ACTION_SCRIPT" ] || return 0 + + local WPA_CLI_OPTIONS + WPA_CLI_OPTIONS="-B -P $WPA_CLI_PIDFILE -i $WPA_IFACE" + + wpa_msg verbose "$WPA_CLI_BIN $WPA_CLI_OPTIONS -p $WPA_CTRL_DIR -a $WPA_ACTION_SCRIPT" + + start-stop-daemon --start --oknodo $DAEMON_VERBOSITY \ + --name $WPA_CLI_PNAME --startas $WPA_CLI_BIN --pidfile $WPA_CLI_PIDFILE \ + -- $WPA_CLI_OPTIONS -p $WPA_CTRL_DIR -a $WPA_ACTION_SCRIPT + + if [ "$?" -ne 0 ]; then + wpa_msg stderr "$WPA_CLI_BIN daemon failed to start" + return 1 + fi +} + +##################################################################### +## stop wpa_cli process +# Kill wpa_cli via start-stop-daemon, given the location of the +# pidfile +# +kill_wpa_cli () { + test_wpa_cli || return 0 + + wpa_msg verbose "terminating $WPA_CLI_PNAME daemon via pidfile $WPA_CLI_PIDFILE" + + start-stop-daemon --stop --oknodo $DAEMON_VERBOSITY \ + --exec $WPA_CLI_BIN --pidfile $WPA_CLI_PIDFILE + + if [ -f "$WPA_CLI_PIDFILE" ]; then + rm -f "$WPA_CLI_PIDFILE" + fi + + if [ -f "$WPA_CLI_TIMESTAMP" ]; then + rm -f "$WPA_CLI_TIMESTAMP" + fi + + if [ -L "$WPA_CLI_IFUPDOWN" ]; then + rm -f "$WPA_CLI_IFUPDOWN" + fi +} + +##################################################################### +## higher level wpa_cli wrapper for variable and set_network commands +# wpa_cli_do [set_network variable] +# +# $1 envorinment variable +# $2 data type of variable {raw|ascii} +# $3 wpa_cli variable, if $3 is set_network, shift and take +# set_network subvariable +# $4 wpa-* string as it would appear in interfaces file, enhances +# verbose messages +# +wpa_cli_do () { + 
if [ -z "$1" ]; then + return 0 + fi + + local WPACLISET_VALUE + local WPACLISET_VARIABLE + local WPACLISET_DESC + + case "$2" in + ascii) + # Double quote + WPACLISET_VALUE="\"$1\"" + ;; + raw|*) + # Provide raw value + WPACLISET_VALUE="$1" + ;; + esac + + case "$3" in + set_network) + if [ -z "$WPA_ID" ]; then + return 1 + fi + shift + WPACLISET_VARIABLE="set_network $WPA_ID $3" + ;; + *) + WPACLISET_VARIABLE="$3" + ;; + esac + + case "$4" in + *-psk|*-passphrase|*-passwd*|*-password*|*-wep-key*) + WPACLISET_DESC="$4 *****" + ;; + *) + WPACLISET_DESC="$4 $WPACLISET_VALUE" + ;; + esac + + wpa_msg action "$WPACLISET_DESC" + + wpa_cli $WPACLISET_VARIABLE "$WPACLISET_VALUE" >$TO_NULL + + if [ "$?" -ne 0 ]; then + wpa_msg stderr "$WPACLISET_DESC failed!" + fi +} + +##################################################################### +## check value data type in plaintext or hex +# returns 0 if input consists of hexadecimal digits only, 1 otherwise +# +ishex () { + if [ -z "$1" ]; then + return 0 + fi + + case "$1" in + *[!0-9a-fA-F]*) + # plaintext + return 1 + ;; + *) + # hexadecimal + return 0 + ;; + esac +} + +##################################################################### +## sanity check and set psk|passphrase +# Warn about strange psk|passphrase values +# +# $1 psk or passphrase value +# +# If psk is surrounded by quotes strip them. 
+# +# If psk contains all hexadecimal characters and string length is 64: +# is 256bit hexadecimal +# else: +# is plaintext +# +# plaintext passphrases must be 8 - 63 characters in length +# 256-bit hexadecimal key must be 64 characters in length +# +wpa_key_check_and_set () { + if [ "$#" -ne 3 ]; then + return 0 + fi + + local KEY + local KEY_LEN + local KEY_TYPE + local ENC_TYPE + + case "$1" in + '"'*'"') + # Strip surrounding quotation marks + KEY=$(echo -n "$1" | sed 's/^"//;s/"$//') + ;; + *) + KEY="$1" + ;; + esac + + KEY_LEN="${#KEY}" + + case "$2" in + wep_key*) + ENC_TYPE="WEP" + ;; + psk) + ENC_TYPE="WPA" + ;; + *) + return 0 + ;; + esac + + if [ "$ENC_TYPE" = "WEP" ]; then + if ishex "$KEY"; then + case "$KEY_LEN" in + 10|26|32|58) + # 64/128/152/256-bit WEP + KEY_TYPE="raw" + ;; + *) + KEY_TYPE="ascii" + ;; + esac + else + KEY_TYPE="ascii" + fi + + if [ "$KEY_TYPE" = "ascii" ]; then + if [ "$KEY_LEN" -lt "5" ]; then + wpa_msg stderr "WARNING: plaintext or ascii WEP key has $KEY_LEN characters," + wpa_msg stderr "it must have at least 5 to be valid." + fi + fi + elif [ "$ENC_TYPE" = "WPA" ]; then + if ishex "$KEY"; then + case "$KEY_LEN" in + 64) + # 256-bit WPA + KEY_TYPE="raw" + ;; + *) + KEY_TYPE="ascii" + ;; + esac + else + KEY_TYPE="ascii" + fi + + if [ "$KEY_TYPE" = "ascii" ]; then + if [ "$KEY_LEN" -lt "8" ] || [ "$KEY_LEN" -gt "63" ]; then + wpa_msg stderr "WARNING: plaintext or ascii WPA key has $KEY_LEN characters," + wpa_msg stderr "it must have between 8 and 63 to be valid." + wpa_msg stderr "If the WPA key is a 256-bit hexadecimal key, it must have" + wpa_msg stderr "exactly 64 characters." + fi + fi + fi + + wpa_cli_do "$KEY" "$KEY_TYPE" set_network "$2" "$3" +} + +##################################################################### +## formulate a usable configuration from interfaces(5) wpa- lines +# A series of wpa_cli commands corresponding to environment variables +# created as a result of wpa- lines in an interfaces stanza. 
+#
+# NB: no-act when roaming daemon is used (to avoid prematurely
+# attaching to ctrl_interface socket)
+#
+conf_wpa_supplicant () {
+ if [ -n "$WPA_ACTION_SCRIPT" ]; then
+ return 0
+ fi
+
+ if [ "$IF_WPA_DRIVER" = "wired" ]; then
+ IF_WPA_AP_SCAN="0"
+ wpa_msg verbose "forcing ap_scan=0 (required for wired IEEE8021X auth)"
+ fi
+
+ if [ -n "$IF_WPA_ESSID" ]; then
+ # #403316, be similar to wireless tools
+ IF_WPA_SSID="$IF_WPA_ESSID"
+ fi
+
+ wpa_cli_do "$IF_WPA_AP_SCAN" raw \
+ ap_scan wpa-ap-scan
+
+ wpa_cli_do "$IF_WPA_PREAUTHENTICATE" raw \
+ preauthenticate wpa-preauthenticate
+
+ if [ -n "$IF_WPA_SSID" ] || [ "$IF_WPA_DRIVER" = "wired" ] || \
+ [ -n "$IF_WPA_KEY_MGMT" ]; then
+
+ case "$IF_WPA_SSID" in
+ '"'*'"')
+ IF_WPA_SSID=$(echo -n "$IF_WPA_SSID" | sed 's/^"//;s/"$//')
+ ;;
+ *)
+ ;;
+ esac
+
+ WPA_ID=$(wpa_cli add_network)
+
+ wpa_msg verbose "configuring network block -- $WPA_ID"
+
+ wpa_cli_do "$IF_WPA_SSID" ascii \
+ set_network ssid wpa-ssid
+
+ wpa_cli_do "$IF_WPA_PRIORITY" raw \
+ set_network priority wpa-priority
+
+ wpa_cli_do "$IF_WPA_BSSID" raw \
+ set_network bssid wpa-bssid
+
+ if [ -s "$IF_WPA_PSK_FILE" ]; then
+ IF_WPA_PSK=$(cat "$IF_WPA_PSK_FILE")
+ fi
+
+ # remain compat with wpa-passphrase-file
+ if [ -s "$IF_WPA_PASSPHRASE_FILE" ]; then
+ IF_WPA_PSK=$(cat "$IF_WPA_PASSPHRASE_FILE")
+ fi
+
+ # remain compat with wpa-passphrase
+ if [ -n "$IF_WPA_PASSPHRASE" ]; then
+ IF_WPA_PSK="$IF_WPA_PASSPHRASE"
+ fi
+
+ if [ -n "$IF_WPA_PSK" ]; then
+ wpa_key_check_and_set "$IF_WPA_PSK" \
+ psk wpa-psk
+ fi
+
+ wpa_cli_do "$IF_WPA_PAIRWISE" raw \
+ set_network pairwise wpa-pairwise
+
+ wpa_cli_do "$IF_WPA_GROUP" raw \
+ set_network group wpa-group
+
+ wpa_cli_do "$IF_WPA_MODE" raw \
+ set_network mode wpa-mode
+
+ wpa_cli_do "$IF_WPA_FREQUENCY" raw \
+ set_network frequency wpa-frequency
+
+ wpa_cli_do "$IF_WPA_SCAN_FREQ" raw \
+ set_network scan_freq wpa-scan-freq
+
+ wpa_cli_do "$IF_WPA_FREQ_LIST" raw \
+ set_network freq_list wpa-freq-list
+
+ wpa_cli_do "$IF_WPA_KEY_MGMT" raw \
+ set_network key_mgmt wpa-key-mgmt
+
+ wpa_cli_do "$IF_WPA_PROTO" raw \
+ set_network proto wpa-proto
+
+ wpa_cli_do "$IF_WPA_AUTH_ALG" raw \
+ set_network auth_alg wpa-auth-alg
+
+ wpa_cli_do "$IF_WPA_SCAN_SSID" raw \
+ set_network scan_ssid wpa-scan-ssid
+
+ wpa_cli_do "$IF_WPA_IDENTITY" ascii \
+ set_network identity wpa-identity
+
+ wpa_cli_do "$IF_WPA_ANONYMOUS_IDENTITY" ascii \
+ set_network anonymous_identity wpa-anonymous-identity
+
+ wpa_cli_do "$IF_WPA_EAP" raw \
+ set_network eap wpa-eap
+
+ wpa_cli_do "$IF_WPA_EAPPSK" raw \
+ set_network eappsk wpa-eappsk
+
+ wpa_cli_do "$IF_WPA_NAI" ascii \
+ set_network nai wpa-nai
+
+ wpa_cli_do "$IF_WPA_PASSWORD" ascii \
+ set_network password wpa-password
+
+ wpa_cli_do "$IF_WPA_CA_CERT" ascii \
+ set_network ca_cert wpa-ca-cert
+
+ wpa_cli_do "$IF_WPA_CA_PATH" ascii \
+ set_network ca_path wpa-ca-path
+
+ wpa_cli_do "$IF_WPA_CLIENT_CERT" ascii \
+ set_network client_cert wpa-client-cert
+
+ wpa_cli_do "$IF_WPA_PRIVATE_KEY" ascii \
+ set_network private_key wpa-private-key
+
+ wpa_cli_do "$IF_WPA_PRIVATE_KEY_PASSWD" ascii \
+ set_network private_key_passwd wpa-private-key-passwd
+
+ wpa_cli_do "$IF_WPA_DH_FILE" ascii \
+ set_network dh_file wpa-dh-file
+
+ wpa_cli_do "$IF_WPA_SUBJECT_MATCH" ascii \
+ set_network subject_match wpa-subject-match
+
+ wpa_cli_do "$IF_WPA_ALTSUBJECT_MATCH" ascii \
+ set_network altsubject_match wpa-altsubject-match
+
+ wpa_cli_do "$IF_WPA_CA_CERT2" ascii \
+ set_network ca_cert2 wpa-ca-cert2
+
+ wpa_cli_do "$IF_WPA_CA_PATH2" ascii \
+ set_network ca_path2 wpa-ca-path2
+
+ wpa_cli_do "$IF_WPA_CLIENT_CERT2" ascii \
+ set_network client_cert2 wpa-client-cert2
+
+ wpa_cli_do "$IF_WPA_PRIVATE_KEY2" ascii \
+ set_network private_key2 wpa-private-key2
+
+ wpa_cli_do "$IF_WPA_PRIVATE_KEY_PASSWD2" ascii \
+ set_network private_key_passwd2 wpa-private-key-passwd2
+
+ wpa_cli_do "$IF_WPA_DH_FILE2" ascii \
+ set_network dh_file2 wpa-dh-file2
+
+ wpa_cli_do "$IF_WPA_SUBJECT_MATCH2" ascii \
+ set_network subject_match2 wpa-subject-match2
+
+ wpa_cli_do "$IF_WPA_ALTSUBJECT_MATCH2" ascii \
+ set_network altsubject_match2 wpa-altsubject-match2
+
+ wpa_cli_do "$IF_WPA_EAP_METHODS" raw \
+ set_network eap_methods wpa-eap-methods
+
+ wpa_cli_do "$IF_WPA_PHASE1" ascii \
+ set_network phase1 wpa-phase1
+
+ wpa_cli_do "$IF_WPA_PHASE2" ascii \
+ set_network phase2 wpa-phase2
+
+ wpa_cli_do "$IF_WPA_PCSC" raw \
+ set_network pcsc wpa-pcsc
+
+ wpa_cli_do "$IF_WPA_PIN" ascii \
+ set_network pin wpa-pin
+
+ wpa_cli_do "$IF_WPA_ENGINE" raw \
+ set_network engine wpa-engine
+
+ wpa_cli_do "$IF_WPA_ENGINE_ID" ascii \
+ set_network engine_id wpa-engine-id
+
+ wpa_cli_do "$IF_WPA_KEY_ID" ascii \
+ set_network key_id wpa-key-id
+
+ wpa_cli_do "$IF_WPA_EAPOL_FLAGS" raw \
+ set_network eapol_flags wpa-eapol-flags
+
+ if [ -n "$IF_WPA_WEP_KEY0" ]; then
+ wpa_key_check_and_set "$IF_WPA_WEP_KEY0" \
+ wep_key0 wpa-wep-key0
+ fi
+
+ if [ -n "$IF_WPA_WEP_KEY1" ]; then
+ wpa_key_check_and_set "$IF_WPA_WEP_KEY1" \
+ wep_key1 wpa-wep-key1
+ fi
+
+ if [ -n "$IF_WPA_WEP_KEY2" ]; then
+ wpa_key_check_and_set "$IF_WPA_WEP_KEY2" \
+ wep_key2 wpa-wep-key2
+ fi
+
+ if [ -n "$IF_WPA_WEP_KEY3" ]; then
+ wpa_key_check_and_set "$IF_WPA_WEP_KEY3" \
+ wep_key3 wpa-wep-key3
+ fi
+
+ wpa_cli_do "$IF_WPA_WEP_TX_KEYIDX" raw \
+ set_network wep_tx_keyidx wpa-wep-tx-keyidx
+
+ wpa_cli_do "$IF_WPA_PROACTIVE_KEY_CACHING" raw \
+ set_network proactive_key_caching wpa-proactive-key-caching
+
+ wpa_cli_do "$IF_WPA_PAC_FILE" ascii \
+ set_network pac_file wpa-pac-file
+
+ wpa_cli_do "$IF_WPA_PEERKEY" raw \
+ set_network peerkey wpa-peerkey
+
+ wpa_cli_do "$IF_FRAGMENT_SIZE" raw \
+ set_network fragment_size wpa-fragment-size
+
+ wpa_cli_do "$IF_WPA_ID_STR" ascii \
+ set_network id_str wpa-id-str
+
+ wpa_cli_do "$WPA_ID" raw \
+ enable_network "enabling network block"
+ fi
+}
+
+#####################################################################
+## Log wpa_cli environment variables
+wpa_log_env () {
+ wpa_msg log "WPA_IFACE=$WPA_IFACE WPA_ACTION=$WPA_ACTION"
+ wpa_msg log "WPA_ID=$WPA_ID WPA_ID_STR=$WPA_ID_STR WPA_CTRL_DIR=$WPA_CTRL_DIR"
+}
+
+#####################################################################
+## hysteresis checking
+# Networking tools such as dhcp clients used with ifupdown can
+# synthesize artificial ACTION events, particularly just after a
+# DISCONNECTED/CONNECTED events are experienced in quick succession.
+# This can lead to infinite event loops, and in extreme cases has the
+# potential to cause system instability.
+#
+wpa_hysteresis_event () {
+ echo "$(date +%s)" > "$WPA_CLI_TIMESTAMP" 2>/dev/null
+}
+
+wpa_hysteresis_check () {
+ if [ -f "$WPA_CLI_TIMESTAMP" ]; then
+ local TIME
+ local TIMESTAMP
+ local TIMEWAIT
+ TIME=$(date +%s)
+ # current time minus 4 second event buffer
+ TIMEWAIT=$(($TIME-4))
+ # get time of last event
+ TIMESTAMP=$(cat $WPA_CLI_TIMESTAMP)
+ # compare values, allowing new action to be processed
+ # only if last action was more than 4 seconds ago
+ if [ "$TIMEWAIT" -le "$TIMESTAMP" ]; then
+ wpa_msg log "$WPA_ACTION event blocked by hysteresis check"
+ return 1
+ fi
+ fi
+
+ return 0
+}
+
+#####################################################################
+## ifupdown locking functions
+# A collection of rudimentary locking functions to lock ifup/ifdown
+# actions.
+#
+
+ifupdown_lock () {
+ ln -s lock "$WPA_CLI_IFUPDOWN"
+}
+
+ifupdown_locked () {
+ [ -L "$WPA_CLI_IFUPDOWN" ] && return 0
+
+ return 1
+}
+
+ifupdown_unlock () {
+ rm -f "$WPA_CLI_IFUPDOWN"
+}
+
+#####################################################################
+## apply mapping logic and ifup logical interface
+# Apply mapping logic via id_str or external mapping script, check
+# state of IFACE with respect to ifupdown and ifup logical interaface
+#
+ifup () {
+ local INTERFACES_FILE
+ local IFUP_RETVAL
+ local WPA_LOGICAL_IFACE
+
+ if [ -e /etc/network/interfaces ]; then
+ INTERFACES_FILE="/etc/network/interfaces"
+ else
+ wpa_msg log "/etc/network/interfaces does not exist, $WPA_IFACE will not be configured"
+ return 1
+ fi
+
+ if [ -z "$IF_WPA_MAPPING_SCRIPT_PRIORITY" ] && [ -n "$WPA_ID_STR" ]; then
+ WPA_LOGICAL_IFACE="$WPA_ID_STR"
+ fi
+
+ if [ -z "$WPA_LOGICAL_IFACE" ] && [ -n "$IF_WPA_MAPPING_SCRIPT" ]; then
+ local WPA_MAP_STDIN
+
+ WPA_MAP_STDIN=$(set | sed -n 's/^\(IF_WPA_MAP[0-9]*\)=.*/echo \$\1/p')
+
+ if [ -n "$WPA_MAP_STDIN" ]; then
+ WPA_LOGICAL_IFACE=$(eval "$WPA_MAP_STDIN" | "$IF_WPA_MAPPING_SCRIPT" "$WPA_IFACE")
+ else
+ WPA_LOGICAL_IFACE=$("$IF_WPA_MAPPING_SCRIPT" "$WPA_IFACE")
+ fi
+
+ if [ -n "$WPA_LOGICAL_IFACE" ]; then
+ wpa_msg log "mapping script result: $WPA_LOGICAL_IFACE"
+ else
+ wpa_msg log "mapping script failed."
+ fi
+ fi
+
+ if [ -z "$WPA_LOGICAL_IFACE" ]; then
+ if [ -n "$IF_WPA_ROAM_DEFAULT_IFACE" ]; then
+ WPA_LOGICAL_IFACE="$IF_WPA_ROAM_DEFAULT_IFACE"
+ else
+ WPA_LOGICAL_IFACE="default"
+ fi
+ fi
+
+ if [ -n "$WPA_LOGICAL_IFACE" ]; then
+ if ! /sbin/ifquery "${WPA_LOGICAL_IFACE}" > /dev/null 2>&1; then
+ wpa_msg log "network settings not defined for $WPA_LOGICAL_IFACE in $INTERFACES_FILE and included files."
+ WPA_LOGICAL_IFACE="default"
+ fi
+
+ wpa_msg log "ifup $WPA_IFACE=$WPA_LOGICAL_IFACE"
+
+ ifupdown_lock
+
+ if /sbin/ifquery "$WPA_IFACE" | grep -q '^wpa-roam: ' ; then
+ # Force settings over the unconfigured "master" IFACE
+ /sbin/ifup -v --force "$WPA_IFACE=$WPA_LOGICAL_IFACE"
+ else
+ /sbin/ifup -v "$WPA_IFACE=$WPA_LOGICAL_IFACE"
+ fi
+ IFUP_RETVAL="$?"
+
+ ifupdown_unlock
+ fi
+
+ if [ -d "${WPA_SUP_OMIT_DIR}" ]; then
+ wpa_msg log "creating sendsigs omission pidfile: $WPA_SUP_OMIT_PIDFILE"
+ cat "$WPA_SUP_PIDFILE" > "$WPA_SUP_OMIT_PIDFILE"
+ fi
+
+ return "$IFUP_RETVAL"
+}
+
+#####################################################################
+## ifdown IFACE
+# Check IFACE state and ifdown as requested.
+#
+ifdown () {
+ wpa_msg log "ifdown $WPA_IFACE"
+
+ ifupdown_lock
+
+ /sbin/ifdown -v "$WPA_IFACE"
+
+ ifupdown_unlock
+
+ wpa_msg log "removing sendsigs omission pidfile: $WPA_SUP_OMIT_PIDFILE"
+ rm -f "$WPA_SUP_OMIT_PIDFILE"
+}
+
+#####################################################################
+## keep IFACE scanning
+# After ifdown, the IFACE may be left "down", and inhibits
+# wpa_supplicant's ability to continue roaming.
+#
+# NB: use iproute if present, flushing the IFACE first
+#
+if_post_down_up () {
+ if [ -x /bin/ip ]; then
+ ip addr flush dev "$WPA_IFACE" 2>/dev/null
+ ip link set "$WPA_IFACE" up
+ else
+ ifconfig "$WPA_IFACE" up
+ fi
+}
diff --git a/debian/ifupdown/hostapd/ifupdown.sh b/debian/ifupdown/hostapd/ifupdown.sh
new file mode 100755
index 0000000..c5d2357
--- /dev/null
+++ b/debian/ifupdown/hostapd/ifupdown.sh
@@ -0,0 +1,146 @@
+#!/bin/sh
+
+# Copyright (C) 2006-2009 Debian hostapd maintainers
+# Faidon Liambotis
+# Kel Modderman
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# On Debian GNU/Linux systems, the text of the GPL license,
+# version 2, can be found in /usr/share/common-licenses/GPL-2.
+
+# quit if we're called for lo
+if [ "$IFACE" = lo ]; then
+ exit 0
+fi
+
+if [ -n "$IF_HOSTAPD" ]; then
+ HOSTAPD_CONF="$IF_HOSTAPD"
+else
+ exit 0
+fi
+
+HOSTAPD_BIN="/usr/sbin/hostapd"
+HOSTAPD_PNAME="hostapd"
+HOSTAPD_PIDFILE="/run/hostapd.$IFACE.pid"
+HOSTAPD_OMIT_PIDFILE="/run/sendsigs.omit.d/hostapd.$IFACE.pid"
+
+if [ ! -x "$HOSTAPD_BIN" ]; then
+ exit 0
+fi
+
+if [ "$VERBOSITY" = "1" ]; then
+ TO_NULL="/dev/stdout"
+else
+ TO_NULL="/dev/null"
+fi
+
+hostapd_msg () {
+ case "$1" in
+ verbose)
+ shift
+ echo "$HOSTAPD_PNAME: $@" > "$TO_NULL"
+ ;;
+ stderr)
+ shift
+ echo "$HOSTAPD_PNAME: $@" > /dev/stderr
+ ;;
+ *)
+ ;;
+ esac
+}
+
+test_hostapd_pidfile () {
+ if [ -n "$1" ] && [ -f "$2" ]; then
+ if start-stop-daemon --stop --quiet --signal 0 \
+ --exec "$1" --pidfile "$2"; then
+ return 0
+ else
+ rm -f "$2"
+ return 1
+ fi
+ else
+ return 1
+ fi
+}
+
+init_hostapd () {
+ HOSTAPD_OPTIONS="-B -P $HOSTAPD_PIDFILE $HOSTAPD_CONF"
+ HOSTAPD_MESSAGE="$HOSTAPD_BIN $HOSTAPD_OPTIONS"
+
+ test_hostapd_pidfile "$HOSTAPD_BIN" "$HOSTAPD_PIDFILE" && return 0
+
+ hostapd_msg verbose "$HOSTAPD_MESSAGE"
+ start-stop-daemon --start --oknodo --quiet --exec "$HOSTAPD_BIN" \
+ --pidfile "$HOSTAPD_PIDFILE" -- $HOSTAPD_OPTIONS > "$TO_NULL"
+
+ if [ "$?" -ne 0 ]; then
+ return "$?"
+ fi
+
+ HOSTAPD_PIDFILE_WAIT=0
+ until [ -s "$HOSTAPD_PIDFILE" ]; do
+ if [ "$HOSTAPD_PIDFILE_WAIT" -ge 5 ]; then
+ hostapd_msg stderr \
+ "timeout waiting for pid file creation"
+ return 1
+ fi
+
+ HOSTAPD_PIDFILE_WAIT=$(($HOSTAPD_PIDFILE_WAIT + 1))
+ sleep 1
+ done
+ cat "$HOSTAPD_PIDFILE" > "$HOSTAPD_OMIT_PIDFILE"
+
+ return 0
+}
+
+kill_hostapd () {
+ HOSTAPD_MESSAGE="stopping $HOSTAPD_PNAME via pidfile: $HOSTAPD_PIDFILE"
+
+ test_hostapd_pidfile "$HOSTAPD_BIN" "$HOSTAPD_PIDFILE" || return 0
+
+ hostapd_msg verbose "$HOSTAPD_MESSAGE"
+ start-stop-daemon --stop --oknodo --quiet --exec "$HOSTAPD_BIN" \
+ --pidfile "$HOSTAPD_PIDFILE" > "$TO_NULL"
+
+ [ "$HOSTAPD_OMIT_PIDFILE" ] && rm -f "$HOSTAPD_OMIT_PIDFILE"
+}
+
+case "$MODE" in
+ start)
+ case "$PHASE" in
+ pre-up)
+ init_hostapd || exit 1
+ ;;
+ *)
+ hostapd_msg stderr "unknown phase: \"$PHASE\""
+ exit 1
+ ;;
+ esac
+ ;;
+ stop)
+ case "$PHASE" in
+ post-down)
+ kill_hostapd
+ ;;
+ *)
+ hostapd_msg stderr "unknown phase: \"$PHASE\""
+ exit 1
+ ;;
+ esac
+ ;;
+ *)
+ hostapd_msg stderr "unknown mode: \"$MODE\""
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/debian/ifupdown/wpa_action b/debian/ifupdown/wpa_action
new file mode 100755
index 0000000..7ef57ac
--- /dev/null
+++ b/debian/ifupdown/wpa_action
@@ -0,0 +1,81 @@
+#!/bin/sh
+
+# Copyright (C) 2006 - 2009 Debian/Ubuntu wpasupplicant Maintainers
+#
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# On Debian GNU/Linux systems, the text of the GPL license,
+# version 2, can be found in /usr/share/common-licenses/GPL-2.
+
+if [ -n "$IF_WPA_ROAM_MAINT_DEBUG" ]; then
+ set -x
+fi
+
+if [ -z "$1" ] || [ -z "$2" ]; then
+ echo "Usage: $0 IFACE ACTION"
+ exit 1
+fi
+
+# network interface
+WPA_IFACE="$1"
+# [CONNECTED|DISCONNECTED|stop|reload|check]
+WPA_ACTION="$2"
+
+if [ -f /etc/wpa_supplicant/functions.sh ]; then
+ . /etc/wpa_supplicant/functions.sh
+else
+ exit 0
+fi
+
+case "$WPA_ACTION" in
+ "CONNECTED")
+ wpa_log_env
+ wpa_hysteresis_check || exit 1
+ wpa_hysteresis_event
+ if ifup; then
+ wpa_cli status | wpa_msg log
+ else
+ wpa_cli status | wpa_msg log
+ wpa_cli reassociate
+ fi
+ ;;
+
+ "DISCONNECTED")
+ wpa_log_env
+ wpa_hysteresis_check || exit 1
+ ifdown
+ if_post_down_up
+ ;;
+
+ "stop"|"down")
+ test_wpa_cli && kill_wpa_cli
+ ifdown
+ test_wpa_supplicant && kill_wpa_supplicant
+ ;;
+
+ "restart"|"reload")
+ test_wpa_supplicant || exit 1
+ reload_wpa_supplicant
+ ;;
+
+ "check")
+ test_wpa_supplicant || exit 1
+ test_wpa_cli || exit 1
+ ;;
+
+ *)
+ echo "Unknown action: \"$WPA_ACTION\""
+ exit 1
+ ;;
+esac
+
+exit 0
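Review bot: In init_hostapd of debian/ifupdown/hostapd/ifupdown.sh, `return "$?"` inside `if [ "$?" -ne 0 ]` returns the status of the `[` test itself, which is 0 whenever that branch is taken, so a failed start-stop-daemon launch is reported as success and the `init_hostapd || exit 1` guard in the pre-up phase never fires. Chain the return onto the launch instead, ending the command with `> "$TO_NULL" || return "$?"` and dropping the `if`, so that ifup aborts rather than bringing the interface up without its access-point daemon. The unquoted `$HOSTAPD_OPTIONS` on the same command also splits a configuration path that contains whitespace; a comment stating that the word splitting is intentional would help the next reader.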
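Review bot: The usage text and the `Unknown action` message in debian/ifupdown/wpa_action are written to stdout although both are followed by `exit 1`; diagnostics belong on stderr, e.g. `echo "Usage: $0 IFACE ACTION" >&2` and `echo "Unknown action: \"$WPA_ACTION\"" >&2`. The CONNECTED branch also repeats `wpa_cli status | wpa_msg log` in both arms of `if ifup`; recording the ifup status first and logging once would read more clearly.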
diff --git a/debian/ifupdown/wpa_action.8 b/debian/ifupdown/wpa_action.8
new file mode 100644
index 0000000..8a043a7
--- /dev/null
+++ b/debian/ifupdown/wpa_action.8
@@ -0,0 +1,148 @@
+.TH WPA_ACTION "8" "26 May 2006" "" ""
+.SH NAME
+wpa_action \- wpa_cli action script
+.SH SYNOPSIS
+\fBwpa_action\fR \fIIFACE ACTION\fR
+.SH "DESCRIPTION"
+\fBwpa_action\fR is a shell script designed to control the \fBifupdown\fR
+framework according to \fIACTION\fR events received from \fBwpa_supplicant\fR.
+\fBwpa_cli\fR receives \fICONNECTED\fR and \fIDISCONNECTED\fR events from
+\fBwpa_supplicant\fR via the crtl_iface socket and gives the \fIACTION\fR event
+to the \fBwpa_action\fR script as an argument, along with the \fIIFACE\fR to be
+acted upon.
+.PP
+\fBwpa_action\fR also receives an environment variable from \fBwpa_cli\fR,
+\fIWPA_ID_STR\fR, containing an alphanumeric identification string for the
+\fICURRENT\fR network block. \fIWPA_ID_STR\fR is provided by the 'id_str'
+network block option of \fBwpa_supplicant.conf\fR, and provides a means to map
+the \fIACTION\fR to a \fILOGICAL\fR interface configured in the \fBinterfaces\fR
+file.
+.PP
+If either the ifupdown \fBinterfaces\fR or \fIifstate\fR file cannot be found,
+\fBwpa_action\fR will exit silently (status 0). \fBwpa_action\fR will search
+the following locations for their existence:
+.nf
+ /etc/network/run/ifstate
+ /run/network/ifstate
+ /etc/network/interfaces
+.fi
+.PP
+.SH IFACE
+Network interface to be acted upon, for example 'eth1' or 'wlan0'.
+.SH ACTION
+An \fIACTION\fR to be performed on the \fIIFACE\fR.
+.TP
+\fBCONNECTED\fR
+\fBwpa_supplicant\fR has completed authentication.
+\fBifup\fR \fIIFACE=WPA_ID_STR\fR is invoked and the action is logged to
+syslog. Network settings for the \fILOGICAL\fR interface \fIWPA_ID_STR\fR
+are applied.
+.TP
+\fBDISCONNECTED\fR
+\fBwpa_supplicant\fR has detected disconnection.
+\fBifdown\fR \fIIFACE=WPA_ID_STR\fR is invoked and the action is logged to
+syslog. Network settings for the \fILOGICAL\fR interface \fIWPA_ID_STR\fR
+are undone.
+.TP
+\fBstop\fR
+The 'stop' \fIACTION\fR is a called manually by the user, to stop the
+\fBwpa_cli\fR daemon, invoke \fBifdown\fR \fIIFACE\fR (if the \fIIFACE\fR is
+present in the \fIifstate\fR file) and stop the \fBwpa_supplicant\fR daemon.
+.TP
+\fBreload\fR
+The 'reload' \fIACTION\fR can be used to reload the \fBwpa_supplicant\fR
+configuration file specified by \fIwpa-roam\fR . 'restart' is a synonym
+for 'reload' and can be used equally. The action is logged to
+\fI/var/log/wpa_action.log\fR.
+.SH ENVIRONMENT
+An alphanumeric identification string provided by the 'id_str' network block
+option of \fBwpa_supplicant.conf\fR is exported to \fBwpa_action\fR as an
+environment variable, \fIWPA_ID_STR\fR. When 'id_str' is not configured for the
+\fICURRENT\fR network block, 'default' is substituted for the absent
+\fIWPA_ID_STR\fR environment variable.
+.PP
+A unique network identifier, \fIWPA_ID\fR, is exported to \fBwpa_action\fR. It
+is the number assigned to the \fICURRENT\fR \fBwpa_supplicant\fR network block
+(network_id).
+.SH USAGE
+The only reasons for \fBwpa_action\fR to be explicitly executed by the user is
+to stop \fBwpa_cli\fR from controlling \fBifupdown\fR or reload the
+\fIwpa_supplicant.conf\fR file after editing.
+.PP
+.RS
+\fBwpa_action\fR \fIeth1 stop\fR
+.RE
+.PP
+Otherwise, \fBwpa_action\fR is given as an argument to a \fBwpa_cli\fR
+daemon.
+.PP
+.RS
+\fBwpa_cli\fR \fI-i eth1 -a /sbin/wpa_action -B\fR
+.RE
+.PP
+This can be done by using the \fIwpa-roam\fR option in the \fBinterfaces\fR
+file. \fIwpa-roam\fR takes one argument, a user provided
+\fBwpa_supplicant.conf\fR file.
+.PP
+The inet \fIMETHOD\fR must be 'manual' for this interface, as it will
+be configured according to \fBwpa_cli\fR action events. Also supply a 'default'
+\fBinterfaces\fR stanza using the dhcp inet \fIMETHOD\fR so that networks
+without an 'id_str' option can fallback to attempting to receive an ip via
+dhcp. If one or more networks requires additional network configuration,
+provide an unique 'id_str' for each network, and an \fBinterfaces\fR stanza
+using the 'id_str' value as a \fILOGICAL\fR interface. The following interfaces
+file is configured to use dhcp for any network without an 'id_str', a static ip
+for the network with an 'id_str' of 'home_static' and dhcp plus an additional
+post-up command for the network with an 'id_str' of 'uni'.
+.PP
+An example wpa_supplicant.conf configured to roam between 3 different networks:
+.PP
+.RS
+.nf
+network={
+ ssid="foo"
+ id_str="uni"
+ key_mgmt=NONE
+}
+
+network={
+ ssid="bar"
+ id_str="home_static"
+ psk=123456789...
+}
+
+network={
+ ssid=""
+ key_mgmt=NONE
+}
+.fi
+.RE
+.PP
+The corresponding \fBinterfaces\fR file would contain \fILOGICAL\fR interfaces,
+that correlate to each unique 'id_str' provided by the configuration file:
+.PP
+.RS
+.nf
+iface eth1 inet manual
+ wpa-driver wext
+ wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
+
+iface default inet dhcp
+
+iface uni inet dhcp
+
+iface home_static inet static
+ address 192.168.0.20
+ netmask 255.255.255.0
+ network 192.168.0.0
+ broadcast 192.168.0.255
+ gateway 192.168.0.1
+.fi
+.RE
+.PP
+.SH SEE ALSO
+\fBwpa_cli(8)\fR, \fBwpa_supplicant(8)\fR, \fBwpa_supplicant.conf(5)\fR,
+\fBifup(8)\fR, \fBinterfaces(5)\fR
+.SH AUTHOR
+This manual page was written by Kel Modderman for
+the Debian GNU system (but may be used by others).
diff --git a/debian/ifupdown/wpasupplicant/ifupdown.sh b/debian/ifupdown/wpasupplicant/ifupdown.sh
new file mode 100755
index 0000000..2c5b060
--- /dev/null
+++ b/debian/ifupdown/wpasupplicant/ifupdown.sh
@@ -0,0 +1,172 @@
+#!/bin/sh
+
+#####################################################################
+## Purpose
+# This file is executed by ifupdown in pre-up, post-up, pre-down and
+# post-down phases of network interface configuration. It allows
+# ifup(8), and ifdown(8) to manage wpa_supplicant(8) and wpa_cli(8)
+# processes running in daemon mode.
+#
+# /etc/wpa_supplicant/functions.sh is sourced by this file.
+#
+# This file is provided by the wpasupplicant package.
+
+#####################################################################
+# Copyright (C) 2006 - 2009 Debian/Ubuntu wpasupplicant Maintainers
+#
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# On Debian GNU/Linux systems, the text of the GPL license,
+# version 2, can be found in /usr/share/common-licenses/GPL-2.
+
+if [ -n "$IF_WPA_MAINT_DEBUG" ]; then
+ set -x
+fi
+
+# quit if we're called for the loopback
+if [ "$IFACE" = lo ]; then
+ exit 0
+fi
+
+# allow wpa_supplicant interface to be specified via wpa-iface
+# useful for starting wpa_supplicant on one interface of a bridge
+if [ -n "$IF_WPA_IFACE" ]; then
+ WPA_IFACE="$IF_WPA_IFACE"
+else
+ WPA_IFACE="$IFACE"
+fi
+
+# source functions
+if [ -f /etc/wpa_supplicant/functions.sh ]; then
+ . /etc/wpa_supplicant/functions.sh
+else
+ exit 0
+fi
+
+# quit if executables are not installed
+if [ ! -x "$WPA_SUP_BIN" ] || [ ! -x "$WPA_CLI_BIN" ]; then
+ exit 0
+fi
+
+do_start () {
+ if test_wpa_cli; then
+ # if wpa_action is active for this IFACE, do nothing
+ ifupdown_locked && exit 0
+
+ # if the administrator is calling ifup, say something useful
+ if [ "$PHASE" = "pre-up" ]; then
+ wpa_msg stderr "wpa_action is managing ifup/ifdown state of $WPA_IFACE"
+ wpa_msg stderr "execute \`ifdown --force $WPA_IFACE' to stop wpa_action"
+ fi
+ exit 1
+ elif ! set | grep -q "^IF_WPA"; then
+ # no wpa- option defined for IFACE, do nothing
+ exit 0
+ fi
+
+ # ensure stale ifupdown_lock marker is purged
+ ifupdown_unlock
+
+ # preliminary sanity checks for roaming daemon
+ if [ -n "$IF_WPA_ROAM" ]; then
+ if [ "$METHOD" != "manual" ]; then
+ wpa_msg stderr "wpa-roam can only be used with the \"manual\" inet METHOD"
+ exit 1
+ fi
+ if [ -n "$IF_WPA_MAPPING_SCRIPT" ]; then
+ if ! type "$IF_WPA_MAPPING_SCRIPT" >/dev/null; then
+ wpa_msg stderr "wpa-mapping-script \"$IF_WPA_MAPPING_SCRIPT\" is not valid"
+ exit 1
+ fi
+ fi
+ if [ -n "$IF_WPA_MAPPING_SCRIPT_PRIORITY" ] && [ -z "$IF_WPA_MAPPING_SCRIPT" ]; then
+ wpa_msg stderr "\"wpa-mapping-script-priority 1\" is invalid without a wpa-mapping-script"
+ exit 1
+ fi
+ IF_WPA_CONF="$IF_WPA_ROAM"
+ WPA_ACTION_SCRIPT="/sbin/wpa_action"
+ fi
+
+ # master function; determines if ifupdown.sh should do something or not
+ if [ -n "$IF_WPA_CONF" ] && [ "$IF_WPA_CONF" != "managed" ]; then
+ if [ ! -s "$IF_WPA_CONF" ]; then
+ wpa_msg stderr "cannot read contents of $IF_WPA_CONF"
+ exit 1
+ fi
+ WPA_SUP_CONF_CTRL_DIR=$(sed -n -e 's/[[:space:]]*#.*//g' -e 's/[[:space:]]\+.*$//g' \
+ -e 's/^ctrl_interface=\(DIR=\)\?\(.*\)/\2/p' "$IF_WPA_CONF")
+ if [ -n "$WPA_SUP_CONF_CTRL_DIR" ]; then
+ WPA_CTRL_DIR="$WPA_SUP_CONF_CTRL_DIR"
+ WPA_SUP_CONF="-c $IF_WPA_CONF"
+ else
+ # specify the default ctrl_interface since none was defined in
+ # the given IF_WPA_CONF
+ WPA_SUP_CONF="-c $IF_WPA_CONF -C $WPA_CTRL_DIR"
+ fi
+ else
+ # specify the default ctrl_interface
+ WPA_SUP_CONF="-C $WPA_CTRL_DIR"
+ fi
+}
+
+do_stop () {
+ if test_wpa_cli; then
+ # if wpa_action is active for this IFACE and calling ifdown,
+ # do nothing
+ ifupdown_locked && exit 0
+ elif test_wpa_supplicant; then
+ # wpa_supplicant process exists for this IFACE, but wpa_cli
+ # process does not. Allow stop mode to kill this process.
+ :
+ else
+ exit 0
+ fi
+}
+
+case "$MODE" in
+ start)
+ do_start
+ case "$PHASE" in
+ pre-up)
+ kill_wpa_supplicant
+ init_wpa_supplicant || exit 1
+ conf_wpa_supplicant || { kill_wpa_supplicant; exit 1; }
+ ;;
+ post-up)
+ init_wpa_cli || { kill_wpa_supplicant; exit 1; }
+ ;;
+ esac
+ ;;
+
+ stop)
+ do_stop
+ case "$PHASE" in
+ pre-down)
+ kill_wpa_cli
+ ;;
+ post-down)
+ kill_wpa_supplicant
+ ;;
+ *)
+ wpa_msg stderr "unknown phase: \"$PHASE\""
+ exit 1
+ ;;
+ esac
+ ;;
+
+ *)
+ wpa_msg stderr "unknown mode: \"$MODE\""
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/debian/libwpa-client-dev.examples b/debian/libwpa-client-dev.examples
new file mode 100644
index 0000000..5258945
--- /dev/null
+++ b/debian/libwpa-client-dev.examples
@@ -0,0 +1 @@
+wpa_supplicant/libwpa_test.c
diff --git a/debian/libwpa-client-dev.install b/debian/libwpa-client-dev.install
new file mode 100755
index 0000000..bd8a077
--- /dev/null
+++ b/debian/libwpa-client-dev.install
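Review bot: The `set -x` switched on by `IF_WPA_MAINT_DEBUG` at the top of debian/ifupdown/wpasupplicant/ifupdown.sh stays active while the pre-up phase runs `conf_wpa_supplicant`, which in functions.sh passes `$IF_WPA_PSK`, `$IF_WPA_PASSWORD` and the WEP keys as command arguments, so the trace written to stderr contains those secrets in clear text. Say so next to the toggle, e.g. `# NB: xtrace output includes wpa-psk/wpa-password values; keep wpa-maint-debug off outside troubleshooting and treat captured output as sensitive`. Separately, the inner `case "$PHASE"` of the `start` arm has no `*)` default, unlike the `stop` arm, so an unexpected phase passes silently.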
@@ -0,0 +1,3 @@ +#!/usr/bin/dh-exec +wpa_supplicant/libwpa_client.a /usr/lib/${DEB_HOST_MULTIARCH}/ +src/common/wpa_ctrl.h usr/include diff --git a/debian/patches/02_dbus_group_policy.patch b/debian/patches/02_dbus_group_policy.patch new file mode 100644 index 0000000..64da288 --- /dev/null +++ b/debian/patches/02_dbus_group_policy.patch @@ -0,0 +1,29 @@ +From: Michael Biebl +Date: Thu, 8 Mar 2007 03:23:51 +1000 +Subject: Add D-Bus group policy + +Debian does not use pam_console but uses group membership +to control access to D-Bus. Activating both options in the conf file +makes it work on Debian and Ubuntu. + +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=15;bug=412179 +--- + wpa_supplicant/dbus/dbus-wpa_supplicant.conf | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/wpa_supplicant/dbus/dbus-wpa_supplicant.conf b/wpa_supplicant/dbus/dbus-wpa_supplicant.conf +index e81b495..413c049 100644 +--- a/wpa_supplicant/dbus/dbus-wpa_supplicant.conf ++++ b/wpa_supplicant/dbus/dbus-wpa_supplicant.conf +@@ -9,6 +9,11 @@ + + + ++ ++ ++ ++ ++ + + + diff --git a/debian/patches/07_dbus_service_syslog.patch b/debian/patches/07_dbus_service_syslog.patch new file mode 100644 index 0000000..5abc41b --- /dev/null +++ b/debian/patches/07_dbus_service_syslog.patch 
@@ -0,0 +1,36 @@ +From: Kel Modderman +Date: Sat, 21 Apr 2012 15:59:32 +1000 +Subject: Tweak D-Bus/systemd service activation configuration files: + + * log wpa_supplicant messages to syslog + * activate control socket interface so that wpa_cli can be used by D-Bus + activated wpa_supplicant daemon +--- + wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in | 2 +- + wpa_supplicant/systemd/wpa_supplicant.service.in | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in b/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in +index d97ff39..3b0af67 100644 +--- a/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in ++++ b/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in +@@ -1,5 +1,5 @@ + [D-BUS Service] + Name=fi.w1.wpa_supplicant1 +-Exec=@BINDIR@/wpa_supplicant -u ++Exec=@BINDIR@/wpa_supplicant -u -s -O /run/wpa_supplicant + User=root + SystemdService=wpa_supplicant.service +diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.in b/wpa_supplicant/systemd/wpa_supplicant.service.in +index 58a6228..bc0688a 100644 +--- a/wpa_supplicant/systemd/wpa_supplicant.service.in ++++ b/wpa_supplicant/systemd/wpa_supplicant.service.in +@@ -7,7 +7,7 @@ Wants=network.target + [Service] + Type=dbus + BusName=fi.w1.wpa_supplicant1 +-ExecStart=@BINDIR@/wpa_supplicant -u ++ExecStart=@BINDIR@/wpa_supplicant -u -s -O /run/wpa_supplicant + + [Install] + WantedBy=multi-user.target diff --git a/debian/patches/allow-tlsv1.patch b/debian/patches/allow-tlsv1.patch new file mode 100644 index 0000000..ca1028b --- /dev/null +++ b/debian/patches/allow-tlsv1.patch 
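Review bot: The header of 07_dbus_service_syslog.patch does not say who is meant to reach the control socket that `-O /run/wpa_supplicant` now creates for every D-Bus-activated daemon. That socket is a second control path next to D-Bus, and access to it presumably rests on the ownership and mode of the directory rather than on the D-Bus policy, so the description should record the intended owner and group. The same `-u -s -O /run/wpa_supplicant` arguments are duplicated in the D-Bus service file and the systemd unit and have to be kept in step.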
@@ -0,0 +1,28 @@ +From: Andrej Shadura +Date: Sat, 15 Dec 2018 14:19:22 +0100 +Subject: Enable TLSv1.0 by default + +OpenSSL 1.1.1 disables TLSv1.0 by default and sets the security level to 2. +Some older networks may support for TLSv1.0 and less secure cyphers. +--- + src/crypto/tls_openssl.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c +index c9e00b3..273e5cb 100644 +--- a/src/crypto/tls_openssl.c ++++ b/src/crypto/tls_openssl.c +@@ -1040,6 +1040,13 @@ void * tls_init(const struct tls_config *conf) + os_free(data); + return NULL; + } ++ ++#ifndef EAP_SERVER_TLS ++ /* Enable TLSv1.0 by default to allow connecting to legacy ++ * networks since Debian OpenSSL is set to minimum TLSv1.2 and SECLEVEL=2. */ ++ SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION); ++#endif ++ + data->ssl = ssl; + if (conf) { + data->tls_session_lifetime = conf->tls_session_lifetime; diff --git a/debian/patches/disable-eapol-werror.patch b/debian/patches/disable-eapol-werror.patch new file mode 100644 index 0000000..3a2163a --- /dev/null +++ b/debian/patches/disable-eapol-werror.patch @@ -0,0 +1,25 @@ +From: Andrej Shadura +Date: Fri, 12 Feb 2021 14:28:19 +0100 +Subject: Disable -Werror for eapol_test + +This may make sense for the upstream, but we just want to build +the tool to be useful to our users; dealing with build errors due +to issues normally manifesting themselves as warnings is burdening +for Debian and its downstreams. +--- + wpa_supplicant/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile +index cb66def..26b0c93 100644 +--- a/wpa_supplicant/Makefile ++++ b/wpa_supplicant/Makefile +@@ -170,7 +170,7 @@ CFLAGS += -DCONFIG_ELOOP_KQUEUE + endif + + ifdef CONFIG_EAPOL_TEST +-CFLAGS += -Werror -DEAPOL_TEST ++CFLAGS += -DEAPOL_TEST + endif + + ifdef CONFIG_CODE_COVERAGE 
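Review bot: The added `SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION)` in tls_init lowers the protocol floor for every network a client build connects to, not only the legacy ones the description mentions, so networks that can negotiate TLS 1.2 no longer have the distribution minimum enforced. Consider leaving the default alone and making the downgrade a per-network opt-in (wpa_supplicant already takes `tls_disable_tlsv1_0`-style phase1 flags), or at least logging when the floor is lowered. The return value is ignored, where `if (SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION) != 1)` followed by a log line would surface a failure, and the comment cites SECLEVEL=2 although nothing in the hunk changes the security level. tls_init starts and ends outside this hunk.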
diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..6289a7b --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,5 @@ +02_dbus_group_policy.patch +07_dbus_service_syslog.patch +allow-tlsv1.patch +disable-eapol-werror.patch +wpa_service_ignore-on-isolate.patch diff --git a/debian/patches/wpa_service_ignore-on-isolate.patch b/debian/patches/wpa_service_ignore-on-isolate.patch new file mode 100644 index 0000000..454030d --- /dev/null +++ b/debian/patches/wpa_service_ignore-on-isolate.patch @@ -0,0 +1,36 @@ +From: Mathieu Trudel-Lapierre +Date: Mon, 13 Mar 2017 13:46:12 -0400 +Subject: Add IgnoreOnIsolate=yes to keep wpa-supplicant running while + systemctl isolate + +> Add IgnoreOnIsolate=yes so that when switching "runlevels" in +> oem-config will not kill off wpa and cause wireless to be +> unavailable on first boot. (LP: #1576024) + +Also happens when running systemctl isolate default.target: + +> NM should be detecting that wpasupplicant is not running and start +> it -- this should already have been working by way of wpasupplicant +> being dbus-activated. +[...] +> It seems to me like IgnoreOnIsolate for wpasupplicant would be the +> right thing to do, or to figure out why it isn't being properly +> started when NM tries to use it. + +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1576024 +--- + wpa_supplicant/systemd/wpa_supplicant.service.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.in b/wpa_supplicant/systemd/wpa_supplicant.service.in +index bc0688a..561ae8f 100644 +--- a/wpa_supplicant/systemd/wpa_supplicant.service.in ++++ b/wpa_supplicant/systemd/wpa_supplicant.service.in +@@ -3,6 +3,7 @@ Description=WPA supplicant + Before=network.target + After=dbus.service + Wants=network.target ++IgnoreOnIsolate=true + + [Service] + Type=dbus diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..c901030 --- /dev/null +++ b/debian/rules 
@@ -0,0 +1,111 @@ +#!/usr/bin/make -f + +export QT_SELECT=qt5 +export DEB_BUILD_MAINT_OPTIONS=hardening=+all +DPKG_EXPORT_BUILDFLAGS = 1 +include /usr/share/dpkg/default.mk + +# The build system doesn't use CPPFLAGS, pass them to CFLAGS/CXXFLAGS to +# enable the missing (hardening) flags +DEB_CFLAGS_MAINT_APPEND = -MMD -Wall $(shell dpkg-buildflags --get CPPFLAGS) -Wno-error=array-bounds $(warning WARNING: Building with -Wno-error=array-bounds) +DEB_CXXFLAGS_MAINT_APPEND = $(shell dpkg-buildflags --get CPPFLAGS) +DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed +export DEB_CFLAGS_MAINT_APPEND DEB_CXXFLAGS_MAINT_APPEND DEB_LDFLAGS_MAINT_APPEND + +UCFLAGS = -MMD -Wall -fPIC $(shell dpkg-buildflags --get CPPFLAGS) $(shell dpkg-buildflags --get CFLAGS) + +BINDIR = /sbin +V = 1 + +PKG_CONFIG ?= $(DEB_HOST_GNU_TYPE)-pkg-config + +export BINDIR V PKG_CONFIG + +include /usr/share/dpkg/architecture.mk +HOSTAPD_DOT_CONFIG := debian/config/hostapd/$(DEB_HOST_ARCH_OS) +WPASUPPLICANT_DOT_CONFIG := debian/config/wpasupplicant/$(DEB_HOST_ARCH_OS) +WPASUPPLICANT_UDEB_DOT_CONFIG := debian/config/wpasupplicant/$(DEB_HOST_ARCH_OS)-udeb + +### start dh overrides +override_dh_auto_configure: +ifeq (,$(filter pkg.wpa.nogui,$(DEB_BUILD_PROFILES))) + dh_auto_configure --sourcedirectory=wpa_supplicant/wpa_gui-qt4 \ + --buildsystem=qmake +endif + +override_dh_auto_build: + # build documentation + dh_auto_build --sourcedirectory=wpa_supplicant/doc/docbook \ + --buildsystem=makefile \ + -- man +ifeq (,$(filter noudeb,$(DEB_BUILD_PROFILES))) + # build wpasupplicant-udeb + cp -v --remove-destination $(WPASUPPLICANT_UDEB_DOT_CONFIG) wpa_supplicant/.config + CFLAGS="$(UCFLAGS)" dh_auto_build --sourcedirectory=wpa_supplicant \ + --buildsystem=makefile + mv -v wpa_supplicant/wpa_supplicant wpa_supplicant/wpa_supplicant-udeb + dh_auto_clean --sourcedirectory=wpa_supplicant \ + --buildsystem=makefile +endif + # build wpasupplicant, libwpa_client and eapol_test + cp -v --remove-destination 
$(WPASUPPLICANT_DOT_CONFIG) wpa_supplicant/.config + dh_auto_build --sourcedirectory=wpa_supplicant \ + --buildsystem=makefile -- all libwpa_client.a eapol_test +ifeq (,$(filter pkg.wpa.nogui,$(DEB_BUILD_PROFILES))) + # build wpa_gui-qt4 + dh_auto_build --sourcedirectory=wpa_supplicant/wpa_gui-qt4 \ + --buildsystem=qmake +endif + dh_auto_clean --sourcedirectory=src --buildsystem=makefile + # build hostapd + cp -v --remove-destination $(HOSTAPD_DOT_CONFIG) hostapd/.config + dh_auto_build --sourcedirectory=hostapd \ + --buildsystem=makefile + dh_auto_clean --sourcedirectory=src --buildsystem=makefile + +override_dh_auto_clean: + dh_auto_clean --sourcedirectory=wpa_supplicant/doc/docbook \ + --buildsystem=makefile + dh_auto_clean --sourcedirectory=wpa_supplicant \ + --buildsystem=makefile +ifeq (,$(filter pkg.wpa.nogui,$(DEB_BUILD_PROFILES))) + dh_auto_clean --sourcedirectory=wpa_supplicant/wpa_gui-qt4 \ + --buildsystem=qmake + -find wpa_supplicant/wpa_gui-qt4 -type d -name \.moc -exec rm -rf {} \; + -find wpa_supplicant/wpa_gui-qt4 -type d -name \.ui -exec rm -rf {} \; + -find wpa_supplicant/wpa_gui-qt4 -type d -name \.obj -exec rm -rf {} \; +endif + dh_auto_clean --sourcedirectory=hostapd \ + --buildsystem=makefile + +override_dh_auto_install: + $(info Skip dh_auto_install ...) 
+ +execute_before_dh_clean: + # make sure to remove the staging directory for the udeb + rm -rf debian/wpasupplicant-udeb + +execute_after_dh_install: + # install D-Bus service activation files & configuration + install --mode=644 -D wpa_supplicant/dbus/dbus-wpa_supplicant.conf \ + debian/wpasupplicant/etc/dbus-1/system.d/wpa_supplicant.conf +ifeq (,$(filter noudeb,$(DEB_BUILD_PROFILES))) + # Install udeb + install --mode=755 -D wpa_supplicant/wpa_supplicant-udeb \ + debian/wpasupplicant-udeb/sbin/wpa_supplicant +endif + +override_dh_installchangelogs: + dh_installchangelogs --package=hostapd hostapd/ChangeLog + dh_installchangelogs --package=wpasupplicant wpa_supplicant/ChangeLog +ifeq (,$(filter pkg.wpa.nogui,$(DEB_BUILD_PROFILES))) + dh_installchangelogs --package=wpagui wpa_supplicant/ChangeLog +endif + dh_installchangelogs --remaining-packages +### end dh overrides + +execute_after_dh_installexamples: + sed -e 's="includes.h"==' -e 's="common/wpa_ctrl.h"==' -i debian/*/usr/share/doc/*/examples/*.c + +%: + dh $@ diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..163aaf8 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides new file mode 100644 index 0000000..0d51e6e --- /dev/null +++ b/debian/source/lintian-overrides @@ -0,0 +1,3 @@ +# there are no upstream tarballs for the hostapd.git branch at the moment, +# please use debian/rules' get-orig-source target instead +wpa source: debian-watch-file-is-missing diff --git a/debian/tests/build-libwpa-test b/debian/tests/build-libwpa-test new file mode 100755 index 0000000..a67031d --- /dev/null +++ b/debian/tests/build-libwpa-test @@ -0,0 +1,9 @@ +#!/bin/sh + +set -ex + +cc -o /tmp/libwpa_test /usr/share/doc/libwpa-client-dev/examples/libwpa_test.c -lwpa_client + +ls -l /tmp/libwpa_test + +objdump -t /tmp/libwpa_test 
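Review bot: `DEB_CFLAGS_MAINT_APPEND` near the top of debian/rules is assigned with `=` and then exported, so its embedded `$(shell dpkg-buildflags --get CPPFLAGS)` and `$(warning ...)` are re-evaluated on every expansion instead of once; `DEB_CXXFLAGS_MAINT_APPEND` and `UCFLAGS` have the same shape. Simple assignment evaluates them a single time, e.g. `DEB_CXXFLAGS_MAINT_APPEND := $(shell dpkg-buildflags --get CPPFLAGS)`. The file also gives no reason for `-Wno-error=array-bounds`; a comment such as `# array-bounds kept as a warning: <reason and affected source file>` would let a later maintainer judge when this relaxation of an out-of-bounds diagnostic can be dropped.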
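Review bot: debian/tests/build-libwpa-test compiles to the fixed path `/tmp/libwpa_test`, a predictable name in a world-writable directory, and the binary is left behind after the run. autopkgtest gives each test a private scratch directory, so `cc -o "$AUTOPKGTEST_TMP/libwpa_test" /usr/share/doc/libwpa-client-dev/examples/libwpa_test.c -lwpa_client`, with the same path in the `ls` and `objdump` lines, avoids writing through a file or symlink that already exists under that name.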
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..9cec013
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,5 @@
+Tests: build-libwpa-test
+Depends:
+ build-essential,
+ @
+Restrictions: allow-stderr
diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc
new file mode 100644
index 0000000..2896588
--- /dev/null
+++ b/debian/upstream/signing-key.asc
@@ -0,0 +1,36 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGiBDoydw4RBAC9vfqCsU+dgrxUSdGf70zrEAIBxcjeqHusovztR65XOWE0ccjm +QS2TVgJM+OzYg9FJG7DuLQZDwhR10BZKJfG97fNyZVBCoO90bEcTufn96oceJlz/ +MHmy99+i6wYdIKYzvmaxcC1QPhENr1scgin9nMiW1MTPJ7sSgjDqd0QPVwCgmaZU +pzhKRusR5E/MmgI2kz73Ui0D/03lVNypkQTbuBp1q71YqT9qjO8+5kXU5QXJhel0 +qUgJHcu3rdnIVaiANw1qauMM0DtnRKOtcaZntn03sFNnaJRx0JlmLa/cMP0nm1kP +nR6Q3Cruz7InJnJZDXGsGH/ku4OcYLUJ8UgqzaO0J5o66j7pxQQDo1UAs4PQaoYq +/ECbA/9B6b3TzuHdqUgS/g2AYTc5MU+i92ydrBv2g9SPuH78m/X4YicGR1HF7yNi +J/hiVa/axBUHpXE4vW0Bndj1bN4sctFeGGezGRaLiiggZkBBNnL8nF5eZebLvPrv +4kr8Cchz+lGF5UFNVyLWwi/I5CSUqUtSXOD1Q9WcXoqJcrE2brQXSm91bmkgTWFs +aW5lbiA8akB3MS5maT6IYgQTEQIAIgIbIwYLCQgHAwIEFQIIAwMWAgECHgECF4AF +AkZbB/QCGQEACgkQK270Mu/IlfpuGACfd0WargWDeja0VW+R9TSKjRIfO1cAn1A8 +nkiso1bg/CvU56wSvpU4MpF6tBlKb3VuaSBNYWxpbmVuIDxqbUBraXIubnU+iF8E +ExECAB8FAkZbB5sCGyMGCwkIBwMCBBUCCAMDFgIBAh4BAheAAAoJECtu9DLvyJX6 +BmAAnRSeK5z2ClLwuV5i1CtP9w2v85TkAJ9XLkaqrNqX4yDxoHqbEpHkHZ6d17Qg +Sm91bmkgTWFsaW5lbiA8am1Aam0uZXBpdGVzdC5maT6IVwQTEQIAFwUCOjJ3DgUL +BwoDBAMVAwIDFgIBAheAAAoJECtu9DLvyJX6jS8AnixjTt+aerNHx8woqO7WGGqQ +h15YAJ4iIDUXZ/vQZny1FG/ewzE/rdUVmrQiSm91bmkgTWFsaW5lbiA8amttYWxp +bmVAY2MuaHV0LmZpPohXBBMRAgAXBQI6Mn1JBQsHCgMEAxUDAgMWAgECF4AACgkQ +K270Mu/IlfqZmQCeN9xC1eqSD3xiUa/z+SMA2Gd5NvkAnRuwbogLyTyBb8HqC1Lx +ISWkTSBvuQINBDoyd1sQCAC8qbv50m22q9hhs54GMD+Xemg0dHiHuuTtVPYugJqT +SlhSS8QJBdulR8hYYDGHbTzjB/ksiQFOcISZZ+zQRIGqLbNldf6taGUTIhZkIh09 +0RYLXCYoMFB8XLBOaLVRy7SMwsPXdbIRkT9v9CzMjZcTUVjwObQKRpTie0JZhc// +CUmY76scpRY5ifDXT9NOr5uMA3W5FI1AFc3d856BYhdnhcuJn+QQS+Xsj3r2vpVz +YHoS+nT0nQ9iwmqPtRHep+t1cudqEouaWT8tpXkSB0Y0MjOPyGnNDkg9om3gj5QK +zMDcQCxCVTHjqVUrmW6Bs2Rm2YVMBu/TIG4E9hEK8Ma/AAMFB/4pOot8lGbAJcov +gtSEvna6WyOnFtmC8UCXJyf1MnzzLAO6Fvf8cz16ig2o+7bgKiQeWxwd7LJEicv2 +kD33fZl3OqSZbNdfsOxB9g+jtWC+vOXGKzr6Pi7fIBXgkhxF/eWbhFg7Kj4rd+jB +I9F7uK/wPyY8JivH8vy2w6Boipc3S7qcUn5Gk58w0EuZrAHSGKt9QWd/p7ppIfgg +mbc77YFWzM/z9fiMWp4+YIJkEH6unz3+91qQXUC4JGL6QMnsIoieqoAk/6rHMCTf 
+hFSvQxuhxpLUI+PT9sAvIBZLZta6hvIiYVpSTzZxiVmuioVHUhPVQdcpO5Mrr1VH +DwC+ZH8miEYEGBECAAYFAjoyd1sACgkQK270Mu/IlfrRCACfWEtm3et85knJeUK2 +ApdQ54Evxn4AoIYi35jctzD/SfJzPiE15zTRS8NN +=UdTW +-----END PGP PUBLIC KEY BLOCK----- diff --git a/debian/watch b/debian/watch new file mode 100644 index 0000000..0a4462d --- /dev/null +++ b/debian/watch @@ -0,0 +1,13 @@ +# Find hostapd tarball in http://w1.fi/releases/. +# We need to generate a merged wpa tarball from wpa_supplicant and hostapd, +# so use our own script instead of uupdate. +version=4 +#opts=pgpmode=auto http://w1.fi/releases/hostapd-([\.0-9]+)\.tar\.gz debian debian/uscan-hook + +opts="mode=git, pgpmode=none, repack, compression=xz" \ + git://w1.fi/hostap.git \ + refs/tags/hostap_([\d]+)_([\d]+) + +opts="mode=git, pgpmode=none, pretty=2.9.0+git%cd+%h, repack, compression=xz" \ + git://w1.fi/hostap.git \ + HEAD diff --git a/debian/wpagui.install b/debian/wpagui.install new file mode 100644 index 0000000..b0b4f00 --- /dev/null +++ b/debian/wpagui.install @@ -0,0 +1,3 @@ +wpa_supplicant/wpa_gui-qt4/wpa_gui usr/bin/ +wpa_supplicant/wpa_gui-qt4/wpa_gui.desktop usr/share/applications/ +wpa_supplicant/wpa_gui-qt4/icons/wpa_gui.svg usr/share/icons/hicolor/scalable/apps/ diff --git a/debian/wpagui.links b/debian/wpagui.links new file mode 100644 index 0000000..b6d7b09 --- /dev/null +++ b/debian/wpagui.links @@ -0,0 +1 @@ +/usr/bin/wpa_gui usr/sbin/wpa_gui diff --git a/debian/wpagui.manpages b/debian/wpagui.manpages new file mode 100644 index 0000000..6667f65 --- /dev/null +++ b/debian/wpagui.manpages @@ -0,0 +1 @@ +wpa_supplicant/doc/docbook/wpa_gui.8 diff --git a/debian/wpasupplicant.README.Debian b/debian/wpasupplicant.README.Debian new file mode 100644 index 0000000..3c32cac --- /dev/null +++ b/debian/wpasupplicant.README.Debian 
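Review bot: Both active `opts` entries in debian/watch fetch from `git://w1.fi/hostap.git` with `pgpmode=none`, so the upstream source is pulled over an unauthenticated transport and nothing is verified, even though this same commit ships debian/upstream/signing-key.asc. If upstream signs its release tags (not visible here), the tag-tracking entry could use `pgpmode=gittag` so that uscan checks the tag against that key. The `HEAD` snapshot entry cannot be verified that way, so a comment such as `# snapshot entry: unverified, pin and review the commit before upload` would make the gap explicit.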
@@ -0,0 +1,555 @@ +Modes of Operation in wpasupplicant for Debian +============================================== + +The Debian wpasupplicant package provides two (2) convenient modes of operation +that are closely integrated to the core networking infrastructure; ifupdown. + +Apart from that, wpa_supplicant supports D-Bus-activated operation, when the +daemon is spawned on demand by software needing it, e.g. NetworkManager or connman. +When used in that mode, wpa_supplicant does't require any manual configuration and +is configured using its D-Bus API. + +Table of Contents +================= + +1. Specifying the wpa_supplicant driver backend + - Table of supported drivers + - Choosing driver backend + +2. Mode #1: Managed Mode + - Examples + - Table of Common Options + - Important Notes About Managed Mode + - How It Works + +3. Mode #2: Roaming Mode + - wpa_supplicant.conf + - /etc/network/interfaces + - Interacting with wpa_supplicant with wpa_cli and wpa_gui + - Controlling the Roaming Daemon with wpa_action + - Fine Tuning the Roaming Setup + - Using External Mapping Scripts (e.g. guessnet) + - /etc/network/interfaces with external mapping + +4. Troubleshooting + - Hidden ssids + +5. Security Considerations + - Configuration File Permissions + + +1. Specifying the wpa_supplicant driver backend +=============================================== + +The wext driver backend will be used for all interfaces that do not explicitly +set 'wpa-driver' to the driver type required for that device. Users of linux +2.4 kernels, or 2.6 kernels less than 2.6.14 will be required to specify a +wpa-driver type. 
+ +Table of supported drivers +========================== + +A summary of supported drivers follows: + +Driver Description +====== =========== +nl80211 Linux 802.11 netlink interface +wext Linux wireless extensions (generic) +wired driver for wired Ethernet + +Choosing driver backend +======================= + +Set the driver type in the interfaces(5) stanza for your device with the +'wpa-driver' option. For example: + +iface eth0 inet dhcp + wpa-driver wext + . . . . . more options + +If no wpa-driver configuration is supplied, the wext backend is used. + +2. Mode #1: Managed Mode +======================== + +This mode provides the ability to establish a connection via wpa_supplicant to +one known network. It is similar to how the wireless-tools package works. Each +element required to establish the connection via wpa_supplicant is prefixed +with 'wpa-' and followed by the value that will be used for that element. + +Examples +======== + +NOTE: the 'wpa-psk' value is only valid if: + 1) It is a plaintext (ascii) string between 8 and 63 characters in + length + 2) It is a hexadecimal string of 64 characters + +# Connect to access point of ssid 'NyNetWork' with an encryption type of +# WPA-PSK/WPA2-PSK. It assumes the driver will use the 'wext' driver backend +# of wpa_supplicant because no wpa-driver option has been specified. +# The passphrase is given as a ASCII (plaintext) string. DHCP is used to +# obtain a network address. +# +iface wlan0 inet dhcp + wpa-ssid MyNetWork + # plaintext passphrase + wpa-psk plaintextsecret + +# Connect to access point of ssid 'homezone' with an encryption type of +# WPA-PSK/WPA2-PSK, using the 'wext' driver backend of wpa_supplicant. +# The psk is given as an encoded hexadecimal string. DHCP is used to obtain +# a network address. 
+# +iface wlan0 inet dhcp + wpa-driver wext + wpa-ssid homezone + # hexadecimal psk is encoded from a plaintext passphrase + wpa-psk 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f + +# Connect to access point of ssid 'HotSpot1' and bssid of '00:1a:2b:3c:4d:5e' +# with an encryption type of WPA-PSK/WPA2-PSK, using the 'nl80211' driver +# backend of wpa_supplicant. The passphrase is given as a plaintext string. +# A static network address assignment is used. +# +iface wlan0 inet static + wpa-driver nl80211 + wpa-ssid HotSpot1 + wpa-bssid 00:1a:2b:3c:4d:5e + # plaintext passphrase + wpa-psk madhotspot + wpa-key-mgmt WPA-PSK + wpa-pairwise TKIP CCMP + wpa-group TKIP CCMP + wpa-proto WPA RSN + # static ip settings + address 192.168.0.100 + netmask 255.255.255.0 + network 192.168.0.0 + broadcast 192.168.0.255 + gateway 192.168.0.1 + +# User supplied wpa_supplicant.conf is used for eth1. All network information +# is contained within the user supplied wpa_supplicant.conf. No wpa-driver type +# is specified, so wext is used. DHCP is used to obtain a network address. +# +iface eth1 inet dhcp + wpa-conf /path/to/wpa_supplicant.conf + +Table of Common Options +======================= + +A brief summary of common 'wpa-' options that may be used in the +/etc/network/interfaces stanza for a wireless device. See the +'Important Notes About Managed Mode' section for information about +valid and invalid 'wpa-' values. + +NOTE: ALL values are CASE SeNsItVe + +Element Example Value Description +======= ============= =========== +wpa-ssid plaintextstring sets the ssid of your network + +wpa-bssid 00:1a:2b:3c:4d:5e the bssid of your AP + +wpa-psk 0123456789...... your preshared wpa key. 
Use + wpa_passphrase(8) to generate your psk + from a passphrase and ssid pair + +wpa-key-mgmt NONE, WPA-PSK, WPA-EAP, list of accepted authenticated key + IEEE8021X management protocols + +wpa-group CCMP, TKIP, WEP104, list of accepted group ciphers for WPA + WEP40 + +wpa-pairwise CCMP, TKIP, NONE list of accepted pairwise ciphers for + WPA + +wpa-auth-alg OPEN, SHARED, LEAP list of allowed IEEE 802.11 + authentication algorithms + +wpa-proto WPA, RSN list of accepted protocols + +wpa-identity myplaintextname administrator provided username + (EAP authentication) + +wpa-password myplaintextpassword your password (EAP authentication) + +wpa-scan-ssid 0 or 1 toggles scanning of ssid with specific + Probe Request frames + +wpa-ap-scan 0 or 1 or 2 adjusts the scanning logic of + wpa_supplicant + +The complete functionality of wpa_cli(8) should be implemented. Anything +missing is considered a bug and should be reported as such. Patches are always +welcome. + +Important Notes About Managed Mode +================================== + +Almost all 'wpa-' options require there is at least a ssid specified. Only a +handful of options have a global effect. These are: 'wpa-ap-scan' and +'wpa-preauthenticate'. + +Any 'wpa-' option given for a device in the interfaces(5) file is sufficient to +trigger the wpa_supplicant daemon into action. + +The wpasupplicant ifupdown script makes assumptions about the 'type' of input +that is valid for each option. For example, it assumes that some input is +plaintext and wraps quotation marks around the input before passing it on +to wpa_cli, which then adds the input to the network block being formed via +the wpa_supplicant ctrl_interface socket. Running ifup manually with the +'--verbose' option will reveal all of the commands used to form the network +block via wpa_cli. If the value you used for any wpa-* option in +/etc/network/interfaces is surrounded by double quotes, than it has been +assumed to be of "plaintext" or "ascii" type input. 
+ +Some input is assumed to be a hexadecimal string (eg. wpa-wep-key*). The value +'type' of the wpa-psk option however, is determined via a simple check for more +than one non hexadecimal character. + + +How It Works +============ + +As mentioned earlier, each wpa_supplicant specific element is prefixed with +'wpa-'. Each element correlates to a property of wpa_supplicant described in +the wpa_supplicant.conf(5), wpa_supplicant(8) and wpa_cli(8) manpages. The +supplicant is launched without any pre-configuration whatsoever, and wpa_cli +forms a network configuration from the input provided by the 'wpa-*' lines. +Initially, wpa_supplicant/wpa_cli does not directly set the properties of the +device (like setting an essid with iwconfig, for example), rather it informs +the device of what access point is suitable to associate with. Once the device +has scanned the area, and found that the suitable access point is available for +use, these properties are set. + +The scripts that do all the work are located at: + + /etc/wpa_supplicant/ifupdown.sh + /etc/wpa_supplicant/functions.sh + +ifupdown.sh is executed by run-parts, which in turn is invoked by ifupdown +during the 'pre-up', 'pre-down' and 'post-down' phases. + +In the 'pre-up' phase, a wpa_supplicant daemon is launched followed by a series +of wpa_cli commands that set up a network configuration according to what +'wpa-' options were used in /etc/network/interfaces for the physical device. + +If wpa-roam is used, a wpa_cli daemon is launched in the 'post-up' phase. + +In the 'pre-down' phase, the wpa_cli daemon is terminated. + +In the 'post-down' phase, the wpa_supplicant daemon is terminated. + + +3. Mode #2: Roaming Mode +======================== + +A self contained, simplistic roaming mechanism is provided by this package. It +is in the form of a wpa_cli action script, /sbin/wpa_action, and it assumes +control of ifupdown once activated. The wpa_action(8) manpage describes its +technical details in great depth. 
+ +To activate a roaming interface, adapt the following example interfaces(5) +stanza: + +iface eth1 inet manual + wpa-driver wext + wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf + +Two daemons are spawned from the above example; wpa_supplicant and wpa_cli. It +is required to provide a wpa_supplicant.conf containing a minimal amount of +global options, and any known network blocks that should be connected to +without interaction. A good starting point is provided by an example +configuration file: + + # copy the template to /etc/wpa_supplicant/ + cp /usr/share/doc/wpasupplicant/examples/wpa-roam.conf \ + /etc/wpa_supplicant/wpa_supplicant.conf + # allow only root to read and write to file + chmod 0600 /etc/wpa_supplicant/wpa_supplicant.conf + +NOTE: it is critical that the used wpa_supplicant.conf defines the location of + the 'ctrl_interface' so that a communication socket is created for the + wpa_cli (wpa-roam daemon) to attach. The mentioned example configuration, + /usr/share/doc/wpasupplicant/examples/wpa-roam.conf, has been set to a + sane default. + +It is required to edit this configuration file, and add the network blocks for +all known networks. If you do not understand what this means, start reading the +wpa_supplicant.conf(5) manpage now. + +For each network, you may specify a special option 'id_str'. It should be set to +a simple text string. This text string forms the basis for network profiling; it +correlates to a logical interface defined in the interfaces(5) file. When no +'id_str' is given for a network, wpa_action assumes it will use the 'default' +logical interface as fallback. The fallback interface can be chosen via the +'wpa-roam-default-iface' option. + +So what does all this mean? Lets illustrate it with a small example taken from +the wpa_action(8) manpage. 
+ +wpa_supplicant.conf +=================== +network={ + ssid="foo" + key_mgmt=NONE + # this id_str will notify /sbin/wpa_action to 'ifup uni' + id_str="uni" +} + +network={ + ssid="bar" + psk=123456789... + # this id_str will notify /sbin/wpa_action to 'ifup home_static' + id_str="home_static" +} + +network={ + ssid="" + key_mgmt=NONE + # no 'id_str' parameter is given, /sbin/wpa_action will 'ifup default' +} + +/etc/network/interfaces +======================= +# the roaming interface MUST use the manual inet method +# 'allow-hotplug' or 'auto' ensures the daemon starts automatically +allow-hotplug eth1 +iface eth1 inet manual + wpa-driver wext + wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf + +# no id_str, 'default' is used as the fallback mapping target +iface default inet dhcp + +# id_str="uni" +iface uni inet dhcp + +# id_str="home_static" +iface home_static inet static + address 192.168.0.20 + netmask 255.255.255.0 + network 192.168.0.0 + broadcast 192.168.0.255 + gateway 192.168.0.1 + +A logical interface is brought up via ifup, and taken down via ifdown, as +wpa_supplicant associates and de-associates with the network associated +to it by the 'id_str' option used in the wpa_supplicant.conf configuration file. + +/sbin/wpa_action's actions are logged to syslog. + +Interacting with wpa_supplicant with wpa_cli and wpa_gui +======================================================== + +The wpa_supplicant process can be interacted with by members of the "netdev" +group if the example roaming configuration was used as is (or by whatever +group or gid specified by the GROUP= crtl_interface parameter). + + # the default ctrl_interface option used in the example file + # /usr/share/doc/wpasupplicant/examples/wpa-roam.conf + ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev + +To interact with the supplicant, the wpa_cli (command line) and wpa_gui (QT) +have been provided. 
With these you may connect, disconnect, add/delete new +network blocks, provide required interactive security information and so on. + +Controlling the Roaming Daemon with wpa_action +============================================== + +Once the roaming daemon is started, it assumes control of ifupdown. That is; +wpa_cli calls ifup when wpa_supplicant has successfully associated with an +access point, and calls ifdown when the connection is lost or terminated. +While the roaming daemon is active, ifupdown should not be controlled directly +by manually issued commands, rather /sbin/wpa_action is supplied to stop and +reload the roaming daemon. For example, to stop the +romaing daemon on the device 'eth1': + + wpa_action eth1 stop + +When it is required to update the roaming daemon with a new networks details, +it can be done without stopping it. Edit the wpa_supplicant.conf file that is +being used by the daemon with the new networks details, add optional network +settings to /etc/network/interfaces that are specific to the new network +(linked by the 'id_str') and then 'reload' the daemon like so: + + wpa_action eth1 reload + +For the complete technical details of what wpa_action can do, read the +wpa_action(8) manpage. + +Fine Tuning the Roaming Setup +============================= + +You may face situations where multiple known access points are in close +proximity. You can choose which one is preferred manually, with wpa_cli or +wpa_gui, or you can give each network its own priority. This is provided by the +'priority' option of wpa_supplicant.conf. + +Using External Mapping Scripts (e.g. guessnet) +============================================== + +In addition to the internal mapping of logical interfaces via 'id_str', +wpa_action can call external mapping scripts. A mapping script should return +the name of the logical interface which should be brought up. 
Any mapping +script that works from ifupdowns mapping mechanism (see man interfaces) should +also work when called from wpa_action. + +To call a mapping script add a line 'wpa-mapping-script name-of-the-script' to +the interfaces stanza of the physical roaming device. (You may have to specify +the absolute path to the mapping script.) + +The contents of lines starting with wpa-map are passed to stdin of the mapping +script. Since ifupdown allows only one wpa-map line you can append any number +to wpa-map for additional lines. For example: + +iface wlan0 inet manual + wpa-driver wext + wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf + wpa-mapping-script guessnet-ifupdown + wpa-map0 home + wpa-map1 work + wpa-map2 school + # ... additional wpa-mapX lines as required + + +By default the mapping script will only be used when no 'id_str' is available +for the current network. If you want to completely disable 'id_str' matching +and use only an external mapping script, use the +'wpa-mapping-script-priority 1' option to override default behaviour. + +If the mapping script returns an empty string wpa_action will fallback to using +the 'default' interface, unless an alternative is defined by the +'wpa-roam-default-iface' option. + +Below is an advanced example, using guessnet-ifupdown as the external mapping +script. 
+ +/etc/network/interfaces with external mapping +============================================= + +allow-hotplug wlan0 +iface wlan0 inet manual + wpa-driver wext + wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf + wpa-roam-default-iface default-wparoam + wpa-mapping-script guessnet-ifupdown + wpa-map default: default-guessnet + wpa-map0 home_static + wpa-map1 work_static + +# school can only be chosen via 'id_str' matching +iface school inet dhcp + # resolvconf + dns-nameservers 11.22.33.44 55.66.77.88 + +iface home_static inet static + address 192.168.0.20 + netmask 255.255.255.0 + network 192.168.0.0 + broadcast 192.168.0.255 + gateway 192.168.0.1 + test peer address 192.168.0.1 mac 00:01:02:03:04:05 + +iface work_static inet static + address 192.168.3.200 + netmask 255.255.255.0 + network 192.168.3.0 + broadcast 192.168.3.255 + gateway 192.168.3.1 + test peer address 192.168.3.1 mac 00:01:02:03:04:05 + +iface default-guessnet inet dhcp + +iface default-wparoam inet dhcp + +In this example wpa_action will use guessnet for the selection of a suitable +logical interface only when no 'id_str' option has been provided for the +current network in the provided wpa_supplicant.conf. + +The 'wpa-map' lines provide guessnet with the logical interfaces that are to be +tested as well as the default interface to be used when all tests fail. The +'test' lines of each logical interface are used by guessnet to determine if +we are actually connected to that network. For instance, guessnet will choose +the logical interface 'home_static' if there's a device with an IP address of +192.168.0.1 and MAC of 00:01:02:03:04:05 on the current network. If all tests +fail, the 'default-guessnet' interface will be configured. + +Please, read the guessnet(8) manpage for more information. + + +4. 
Troubleshooting +================== + +In order to debug connection, association and authentication problems, +increase the verbosity level of wpa_supplicant to log debug output by +adding the wpa-debug-level option to /etc/network/interfaces like in +the following example: + +iface eth1 inet dhcp + wpa-debug-level 3 + ... + +Debug level number 3 starts the supplicant with the -ddd command line option, +level 2 with -dd an level 1 with -d. Values of -1 and -2 will cause +wpa_supplicant to be started with -q and -qq options respectively (quiet mode). +Any other wpa-debug-level value will cause the supplicant to be started +with default debug level. + +If wpa_supplicant is started via D-Bus, then you must edit +/usr/share/dbus-1/system-services/fi.epitest.hostap.WPASupplicant.service and +add the debugging command line option to the Exec field. + +It is also possible to have wpa_supplicant write all debug output to a text +file with the -f command line option. You may specify a file to log to with +the wpa-logfile in /etc/network/interfaces if starting wpa_supplicant via +ifupdown. + +Another method is to start `wpa_cli -i ` in another shell before +starting the interface. Use the command 'level 0' first, to get all debug +messages sent to the control socket by wpa_supplicant. + +To debug the ifupdown scripts that start wpa_supplicant and friends, use +`ifup --verbose ` to get verbose messages, or set +wpa-maint-debug to any value to see shell code execution (set -x). + +Hidden ssids +============ + +For reference, see #358137 [1]. In order to be able to associate to hidden +ssids, please try to set the option 'ap_scan=1' in the global section, and +'scan_ssid=1' in your network block section of your wpa_supplicant.conf file. +If you are using the managed mode, you can do so by these stanzas: + +iface eth1 inet dhcp + wpa-ap-scan 1 + wpa-scan-ssid 1 + # ... 
additional options for your setup + +According to #368770 [2], association can take a very long time under certain +circumstances. In some cases, setting the parameter 'ap_scan=2' in the +config file, (or using a 'wpa-ap-scan 2' stanza, which is equivalent) can +greatly help to speed up association. Please note that setting ap_scan to the +value of 2 also requires that all networks have a precisely defined security +policy for key_mgmt, pairwise, group and proto network policy variables. + +[1] http://bugs.debian.org/358137 +[2] http://bugs.debian.org/368770 + + +5. Security Considerations +========================== + +Configuration File Permissions +============================== +It is important to keep PSK's and other sensitive information concerning your +network settings private, therefore ensure that important configuration files +containing such data are only readable by their owner. For example: + + chmod 0600 /etc/network/interfaces + chmod 0600 /etc/wpa_supplicant/wpa_supplicant.conf + +By default, /etc/network/interfaces is world readable, and thus unsuitable for +containing secret keys and passwords. diff --git a/debian/wpasupplicant.docs b/debian/wpasupplicant.docs new file mode 100644 index 0000000..2fb3001 --- /dev/null +++ b/debian/wpasupplicant.docs @@ -0,0 +1,5 @@ +wpa_supplicant/README +wpa_supplicant/README-DPP +wpa_supplicant/README-HS20 +wpa_supplicant/README-WPS +wpa_supplicant/README-P2P diff --git a/debian/wpasupplicant.examples b/debian/wpasupplicant.examples new file mode 100644 index 0000000..d70f559 --- /dev/null +++ b/debian/wpasupplicant.examples @@ -0,0 +1,3 @@ +wpa_supplicant/wpa_supplicant.conf +wpa_supplicant/examples/*.conf +debian/examples/*.conf diff --git a/debian/wpasupplicant.install b/debian/wpasupplicant.install new file mode 100644 index 0000000..a5c0ab4 --- /dev/null +++ b/debian/wpasupplicant.install 
@@ -0,0 +1,11 @@
+debian/ifupdown/wpa_action sbin/
+debian/ifupdown/action_wpa.sh etc/wpa_supplicant/
+debian/ifupdown/functions.sh etc/wpa_supplicant/
+debian/ifupdown/wpasupplicant/ifupdown.sh etc/wpa_supplicant/
+wpa_supplicant/dbus/fi.*.service usr/share/dbus-1/system-services/
+wpa_supplicant/examples/60_wpa_supplicant usr/lib/pm-utils/sleep.d/
+wpa_supplicant/systemd/*.service lib/systemd/system/
+wpa_supplicant/wpa_cli sbin/
+wpa_supplicant/wpa_passphrase usr/bin/
+wpa_supplicant/wpa_supplicant sbin/
+debian/NetworkManager/no-mac-addr-change.conf usr/lib/NetworkManager/conf.d/
diff --git a/debian/wpasupplicant.links b/debian/wpasupplicant.links
new file mode 100644
index 0000000..0101b66
--- /dev/null
+++ b/debian/wpasupplicant.links
@@ -0,0 +1,7 @@
+etc/wpa_supplicant/ifupdown.sh etc/network/if-pre-up.d/wpasupplicant
+etc/wpa_supplicant/ifupdown.sh etc/network/if-up.d/wpasupplicant
+etc/wpa_supplicant/ifupdown.sh etc/network/if-down.d/wpasupplicant
+etc/wpa_supplicant/ifupdown.sh etc/network/if-post-down.d/wpasupplicant
+etc/wpa_supplicant/action_wpa.sh etc/ifplugd/action.d/action_wpa
+usr/share/doc/wpasupplicant usr/share/doc/wpa_supplicant
+usr/share/doc/wpasupplicant/README.Debian usr/share/doc/wpasupplicant/README.modes
diff --git a/debian/wpasupplicant.lintian-overrides b/debian/wpasupplicant.lintian-overrides
new file mode 100644
index 0000000..460414b
--- /dev/null
+++ b/debian/wpasupplicant.lintian-overrides
@@ -0,0 +1,12 @@
+# We distribute the package under the terms of the BSD license due to the
+# openssl issue, tell lintian to not complain:
+wpasupplicant binary: possible-gpl-code-linked-with-openssl
+
+# false positive spelling complaints
+wpasupplicant binary: spelling-error-in-binary sbin/wpa_supplicant ment meant
+
+# no need for init scripts since wpa-supplicant has NM and ifupdown integration
+wpasupplicant: package-supports-alternative-init-but-no-init.d-script
+
+# this is a library
+wpasupplicant: script-not-executable etc/wpa_supplicant/functions.sh
diff --git a/debian/wpasupplicant.manpages b/debian/wpasupplicant.manpages
new file mode 100644
index 0000000..97c3489
--- /dev/null
+++ b/debian/wpasupplicant.manpages
@@ -0,0 +1,6 @@
+debian/ifupdown/wpa_action.8
+wpa_supplicant/doc/docbook/wpa_background.8
+wpa_supplicant/doc/docbook/wpa_cli.8
+wpa_supplicant/doc/docbook/wpa_passphrase.8
+wpa_supplicant/doc/docbook/wpa_supplicant.8
+wpa_supplicant/doc/docbook/wpa_supplicant.conf.5
diff --git a/debian/wpasupplicant.postinst b/debian/wpasupplicant.postinst
new file mode 100755
index 0000000..2611983
--- /dev/null
+++ b/debian/wpasupplicant.postinst
@@ -0,0 +1,36 @@
+#!/bin/sh
+# This script can be called in the following ways:
+#
+# After the package was installed:
+# configure
+#
+#
+# If prerm fails during upgrade or fails on failed upgrade:
+# abort-upgrade
+#
+# If prerm fails during deconfiguration of a package:
+# abort-deconfigure in-favour
+# removing
+#
+# If prerm fails during replacement due to conflict:
+# abort-remove in-favour
+
+set -e
+
+case "$1" in
+ configure)
+ # Add the netdev group unless it's already there
+ if ! getent group netdev >/dev/null; then
+ addgroup --quiet --system netdev || true
+ fi
+ ;;
+ abort-upgrade|abort-deconfigure|abort-remove)
+ ;;
+ *)
+ echo "$0 called with unknown argument \`$1'" 1>&2
+ exit 1
+ ;;
+esac
+
+#DEBHELPER#
+exit 0
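Review bot: The `|| true` on the `addgroup --quiet --system netdev` line in debian/wpasupplicant.postinst cancels `set -e` for the one command the `configure` branch exists to run, so a failed group creation leaves the package configured with no trace. Anything that grants access by membership of `netdev` would then refer to a group that does not exist, which is hard to diagnose later. I would let the failure propagate by writing just `addgroup --quiet --system netdev`, or at least report it: `addgroup --quiet --system netdev || echo "$0: could not create group netdev" 1>&2`. The script also relies on `addgroup` being installed at configure time; whether the package declares that dependency is not visible in this hunk.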
diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant.service.arg.in index e0d0c3a..55d2b9c 100644 --- a/wpa_supplicant/systemd/wpa_supplicant.service.arg.in +++ b/wpa_supplicant/systemd/wpa_supplicant.service.arg.in @@ -9,7 +9,7 @@ Wants=network.target [Service] Type=simple -ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-%I.conf -Dnl80211,wext -i%I +ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-%I.conf -i%I [Install] WantedBy=multi-user.target diff --git a/wpa_supplicant/wpa_gui-qt4/wpa_gui.desktop b/wpa_supplicant/wpa_gui-qt4/wpa_gui.desktop index e560f3d..ccc7d87 100644 --- a/wpa_supplicant/wpa_gui-qt4/wpa_gui.desktop +++ b/wpa_supplicant/wpa_gui-qt4/wpa_gui.desktop @@ -2,7 +2,7 @@ Version=1.0 Name=wpa_gui Comment=Graphical user interface for wpa_supplicant -Exec=/usr/sbin/wpa_gui +Exec=wpa_gui Icon=wpa_gui GenericName=wpa_supplicant user interface Terminal=false
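Review bot: Removing `-Dnl80211,wext` from `ExecStart` in wpa_supplicant.service.arg.in leaves the driver backend to whatever default the binary was built with, and neither the unit nor the commit message says that this is intended. Interfaces that previously came up through the `wext` fallback may no longer associate, which is an availability change for a per-interface unit. If the removal is deliberate, a comment above the line would record it, for example `# No -D: use the build's default driver; override in a drop-in if a specific backend is needed.` The unit file starts before this hunk, so the rest of `[Unit]` is not visible here.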
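Review bot: `Exec=wpa_gui` in wpa_gui.desktop is resolved through the PATH of the launching session, where the old line named `/usr/sbin/wpa_gui` directly. If the binary is still installed under an sbin directory (its install location is not shown in this part of the patch), desktop sessions whose PATH omits sbin will fail to start it, and otherwise the launcher runs whichever `wpa_gui` comes first on PATH. Keeping the absolute path that matches the install location, or adding a `TryExec=` line with that path so the entry is hidden when the binary is missing, avoids both.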