1214503Srpaulo# Example hostapd build time configuration 2214503Srpaulo# 3214503Srpaulo# This file lists the configuration options that are used when building the 4214503Srpaulo# hostapd binary. All lines starting with # are ignored. Configuration option 5214503Srpaulo# lines must be commented out complete, if they are not to be included, i.e., 6214503Srpaulo# just setting VARIABLE=n is not disabling that variable. 7214503Srpaulo# 8214503Srpaulo# This file is included in Makefile, so variables like CFLAGS and LIBS can also 9214503Srpaulo# be modified from here. In most cass, these lines should use += in order not 10214503Srpaulo# to override previous values of the variables. 11214503Srpaulo 12214503Srpaulo# Driver interface for Host AP driver 13214503SrpauloCONFIG_DRIVER_HOSTAP=y 14214503Srpaulo 15214503Srpaulo# Driver interface for wired authenticator 16214503Srpaulo#CONFIG_DRIVER_WIRED=y 17214503Srpaulo 18214503Srpaulo# Driver interface for madwifi driver 19214503Srpaulo#CONFIG_DRIVER_MADWIFI=y 20214503Srpaulo#CFLAGS += -I../../madwifi # change to the madwifi source directory 21214503Srpaulo 22214503Srpaulo# Driver interface for drivers using the nl80211 kernel interface 23252726SrpauloCONFIG_DRIVER_NL80211=y 24214503Srpaulo 25214503Srpaulo# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver) 26214503Srpaulo#CONFIG_DRIVER_BSD=y 27214503Srpaulo#CFLAGS += -I/usr/local/include 28214503Srpaulo#LIBS += -L/usr/local/lib 29214503Srpaulo#LIBS_p += -L/usr/local/lib 30214503Srpaulo#LIBS_c += -L/usr/local/lib 31214503Srpaulo 32214503Srpaulo# Driver interface for no driver (e.g., RADIUS server only) 33214503Srpaulo#CONFIG_DRIVER_NONE=y 34214503Srpaulo 35214503Srpaulo# IEEE 802.11F/IAPP 36214503SrpauloCONFIG_IAPP=y 37214503Srpaulo 38214503Srpaulo# WPA2/IEEE 802.11i RSN pre-authentication 39214503SrpauloCONFIG_RSN_PREAUTH=y 40214503Srpaulo 41214503Srpaulo# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS) 42214503SrpauloCONFIG_PEERKEY=y 43214503Srpaulo 44214503Srpaulo# IEEE 802.11w (management frame protection) 45214503Srpaulo# This version is an experimental implementation based on IEEE 802.11w/D1.0 46214503Srpaulo# draft and is subject to change since the standard has not yet been finalized. 47214503Srpaulo# Driver support is also needed for IEEE 802.11w. 48214503Srpaulo#CONFIG_IEEE80211W=y 49214503Srpaulo 50214503Srpaulo# Integrated EAP server 51214503SrpauloCONFIG_EAP=y 52214503Srpaulo 53214503Srpaulo# EAP-MD5 for the integrated EAP server 54214503SrpauloCONFIG_EAP_MD5=y 55214503Srpaulo 56214503Srpaulo# EAP-TLS for the integrated EAP server 57214503SrpauloCONFIG_EAP_TLS=y 58214503Srpaulo 59214503Srpaulo# EAP-MSCHAPv2 for the integrated EAP server 60214503SrpauloCONFIG_EAP_MSCHAPV2=y 61214503Srpaulo 62214503Srpaulo# EAP-PEAP for the integrated EAP server 63214503SrpauloCONFIG_EAP_PEAP=y 64214503Srpaulo 65214503Srpaulo# EAP-GTC for the integrated EAP server 66214503SrpauloCONFIG_EAP_GTC=y 67214503Srpaulo 68214503Srpaulo# EAP-TTLS for the integrated EAP server 69214503SrpauloCONFIG_EAP_TTLS=y 70214503Srpaulo 71214503Srpaulo# EAP-SIM for the integrated EAP server 72214503Srpaulo#CONFIG_EAP_SIM=y 73214503Srpaulo 74214503Srpaulo# EAP-AKA for the integrated EAP server 75214503Srpaulo#CONFIG_EAP_AKA=y 76214503Srpaulo 77214503Srpaulo# EAP-AKA' for the integrated EAP server 78214503Srpaulo# This requires CONFIG_EAP_AKA to be enabled, too. 79214503Srpaulo#CONFIG_EAP_AKA_PRIME=y 80214503Srpaulo 81214503Srpaulo# EAP-PAX for the integrated EAP server 82214503Srpaulo#CONFIG_EAP_PAX=y 83214503Srpaulo 84214503Srpaulo# EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK) 85214503Srpaulo#CONFIG_EAP_PSK=y 86214503Srpaulo 87252726Srpaulo# EAP-pwd for the integrated EAP server (secure authentication with a password) 88252726Srpaulo#CONFIG_EAP_PWD=y 89252726Srpaulo 90214503Srpaulo# EAP-SAKE for the integrated EAP server 91214503Srpaulo#CONFIG_EAP_SAKE=y 92214503Srpaulo 93214503Srpaulo# EAP-GPSK for the integrated EAP server 94214503Srpaulo#CONFIG_EAP_GPSK=y 95214503Srpaulo# Include support for optional SHA256 cipher suite in EAP-GPSK 96214503Srpaulo#CONFIG_EAP_GPSK_SHA256=y 97214503Srpaulo 98214503Srpaulo# EAP-FAST for the integrated EAP server 99214503Srpaulo# Note: Default OpenSSL package does not include support for all the 100214503Srpaulo# functionality needed for EAP-FAST. If EAP-FAST is enabled with OpenSSL, 101214503Srpaulo# the OpenSSL library must be patched (openssl-0.9.9-session-ticket.patch) 102214503Srpaulo# to add the needed functions. 103214503Srpaulo#CONFIG_EAP_FAST=y 104214503Srpaulo 105214503Srpaulo# Wi-Fi Protected Setup (WPS) 106214503Srpaulo#CONFIG_WPS=y 107252726Srpaulo# Enable WSC 2.0 support 108252726Srpaulo#CONFIG_WPS2=y 109214503Srpaulo# Enable UPnP support for external WPS Registrars 110214503Srpaulo#CONFIG_WPS_UPNP=y 111252726Srpaulo# Enable WPS support with NFC config method 112252726Srpaulo#CONFIG_WPS_NFC=y 113214503Srpaulo 114214503Srpaulo# EAP-IKEv2 115214503Srpaulo#CONFIG_EAP_IKEV2=y 116214503Srpaulo 117214503Srpaulo# Trusted Network Connect (EAP-TNC) 118214503Srpaulo#CONFIG_EAP_TNC=y 119214503Srpaulo 120214503Srpaulo# PKCS#12 (PFX) support (used to read private key and certificate file from 121214503Srpaulo# a file that usually has extension .p12 or .pfx) 122214503SrpauloCONFIG_PKCS12=y 123214503Srpaulo 124214503Srpaulo# RADIUS authentication server. This provides access to the integrated EAP 125214503Srpaulo# server from external hosts using RADIUS. 126214503Srpaulo#CONFIG_RADIUS_SERVER=y 127214503Srpaulo 128214503Srpaulo# Build IPv6 support for RADIUS operations 129214503SrpauloCONFIG_IPV6=y 130214503Srpaulo 131214503Srpaulo# IEEE Std 802.11r-2008 (Fast BSS Transition) 132214503Srpaulo#CONFIG_IEEE80211R=y 133214503Srpaulo 134214503Srpaulo# Use the hostapd's IEEE 802.11 authentication (ACL), but without 135214503Srpaulo# the IEEE 802.11 Management capability (e.g., madwifi or FreeBSD/net80211) 136214503Srpaulo#CONFIG_DRIVER_RADIUS_ACL=y 137214503Srpaulo 138214503Srpaulo# IEEE 802.11n (High Throughput) support 139214503Srpaulo#CONFIG_IEEE80211N=y 140214503Srpaulo 141252726Srpaulo# Wireless Network Management (IEEE Std 802.11v-2011) 142252726Srpaulo# Note: This is experimental and not complete implementation. 143252726Srpaulo#CONFIG_WNM=y 144252726Srpaulo 145252726Srpaulo# IEEE 802.11ac (Very High Throughput) support 146252726Srpaulo#CONFIG_IEEE80211AC=y 147252726Srpaulo 148214503Srpaulo# Remove debugging code that is printing out debug messages to stdout. 149214503Srpaulo# This can be used to reduce the size of the hostapd considerably if debugging 150214503Srpaulo# code is not needed. 151214503Srpaulo#CONFIG_NO_STDOUT_DEBUG=y 152214503Srpaulo 153252726Srpaulo# Add support for writing debug log to a file: -f /tmp/hostapd.log 154252726Srpaulo# Disabled by default. 155252726Srpaulo#CONFIG_DEBUG_FILE=y 156252726Srpaulo 157214503Srpaulo# Remove support for RADIUS accounting 158214503Srpaulo#CONFIG_NO_ACCOUNTING=y 159214503Srpaulo 160214503Srpaulo# Remove support for RADIUS 161214503Srpaulo#CONFIG_NO_RADIUS=y 162214503Srpaulo 163214503Srpaulo# Remove support for VLANs 164214503Srpaulo#CONFIG_NO_VLAN=y 165214503Srpaulo 166252726Srpaulo# Enable support for fully dynamic VLANs. This enables hostapd to 167252726Srpaulo# automatically create bridge and VLAN interfaces if necessary. 168252726Srpaulo#CONFIG_FULL_DYNAMIC_VLAN=y 169252726Srpaulo 170252726Srpaulo# Use netlink-based kernel API for VLAN operations instead of ioctl() 171252726Srpaulo# Note: This requires libnl 3.1 or newer. 172252726Srpaulo#CONFIG_VLAN_NETLINK=y 173252726Srpaulo 174214503Srpaulo# Remove support for dumping state into a file on SIGUSR1 signal 175214503Srpaulo# This can be used to reduce binary size at the cost of disabling a debugging 176214503Srpaulo# option. 177214503Srpaulo#CONFIG_NO_DUMP_STATE=y 178214503Srpaulo 179214503Srpaulo# Enable tracing code for developer debugging 180214503Srpaulo# This tracks use of memory allocations and other registrations and reports 181214503Srpaulo# incorrect use with a backtrace of call (or allocation) location. 182214503Srpaulo#CONFIG_WPA_TRACE=y 183214503Srpaulo# For BSD, comment out these. 184214503Srpaulo#LIBS += -lexecinfo 185214503Srpaulo#LIBS_p += -lexecinfo 186214503Srpaulo#LIBS_c += -lexecinfo 187214503Srpaulo 188214503Srpaulo# Use libbfd to get more details for developer debugging 189214503Srpaulo# This enables use of libbfd to get more detailed symbols for the backtraces 190214503Srpaulo# generated by CONFIG_WPA_TRACE=y. 191214503Srpaulo#CONFIG_WPA_TRACE_BFD=y 192214503Srpaulo# For BSD, comment out these. 193214503Srpaulo#LIBS += -lbfd -liberty -lz 194214503Srpaulo#LIBS_p += -lbfd -liberty -lz 195214503Srpaulo#LIBS_c += -lbfd -liberty -lz 196252726Srpaulo 197252726Srpaulo# hostapd depends on strong random number generation being available from the 198252726Srpaulo# operating system. os_get_random() function is used to fetch random data when 199252726Srpaulo# needed, e.g., for key generation. On Linux and BSD systems, this works by 200252726Srpaulo# reading /dev/urandom. It should be noted that the OS entropy pool needs to be 201252726Srpaulo# properly initialized before hostapd is started. This is important especially 202252726Srpaulo# on embedded devices that do not have a hardware random number generator and 203252726Srpaulo# may by default start up with minimal entropy available for random number 204252726Srpaulo# generation. 205252726Srpaulo# 206252726Srpaulo# As a safety net, hostapd is by default trying to internally collect 207252726Srpaulo# additional entropy for generating random data to mix in with the data 208252726Srpaulo# fetched from the OS. This by itself is not considered to be very strong, but 209252726Srpaulo# it may help in cases where the system pool is not initialized properly. 210252726Srpaulo# However, it is very strongly recommended that the system pool is initialized 211252726Srpaulo# with enough entropy either by using hardware assisted random number 212252726Srpaulo# generator or by storing state over device reboots. 213252726Srpaulo# 214252726Srpaulo# hostapd can be configured to maintain its own entropy store over restarts to 215252726Srpaulo# enhance random number generation. This is not perfect, but it is much more 216252726Srpaulo# secure than using the same sequence of random numbers after every reboot. 217252726Srpaulo# This can be enabled with -e<entropy file> command line option. The specified 218252726Srpaulo# file needs to be readable and writable by hostapd. 219252726Srpaulo# 220252726Srpaulo# If the os_get_random() is known to provide strong random data (e.g., on 221252726Srpaulo# Linux/BSD, the board in question is known to have reliable source of random 222252726Srpaulo# data from /dev/urandom), the internal hostapd random pool can be disabled. 223252726Srpaulo# This will save some in binary size and CPU use. However, this should only be 224252726Srpaulo# considered for builds that are known to be used on devices that meet the 225252726Srpaulo# requirements described above. 226252726Srpaulo#CONFIG_NO_RANDOM_POOL=y 227252726Srpaulo 228252726Srpaulo# Select TLS implementation 229252726Srpaulo# openssl = OpenSSL (default) 230252726Srpaulo# gnutls = GnuTLS 231252726Srpaulo# internal = Internal TLSv1 implementation (experimental) 232252726Srpaulo# none = Empty template 233252726Srpaulo#CONFIG_TLS=openssl 234252726Srpaulo 235252726Srpaulo# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1) 236252726Srpaulo# can be enabled to get a stronger construction of messages when block ciphers 237252726Srpaulo# are used. 238252726Srpaulo#CONFIG_TLSV11=y 239252726Srpaulo 240252726Srpaulo# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2) 241252726Srpaulo# can be enabled to enable use of stronger crypto algorithms. 242252726Srpaulo#CONFIG_TLSV12=y 243252726Srpaulo 244252726Srpaulo# If CONFIG_TLS=internal is used, additional library and include paths are 245252726Srpaulo# needed for LibTomMath. Alternatively, an integrated, minimal version of 246252726Srpaulo# LibTomMath can be used. See beginning of libtommath.c for details on benefits 247252726Srpaulo# and drawbacks of this option. 248252726Srpaulo#CONFIG_INTERNAL_LIBTOMMATH=y 249252726Srpaulo#ifndef CONFIG_INTERNAL_LIBTOMMATH 250252726Srpaulo#LTM_PATH=/usr/src/libtommath-0.39 251252726Srpaulo#CFLAGS += -I$(LTM_PATH) 252252726Srpaulo#LIBS += -L$(LTM_PATH) 253252726Srpaulo#LIBS_p += -L$(LTM_PATH) 254252726Srpaulo#endif 255252726Srpaulo# At the cost of about 4 kB of additional binary size, the internal LibTomMath 256252726Srpaulo# can be configured to include faster routines for exptmod, sqr, and div to 257252726Srpaulo# speed up DH and RSA calculation considerably 258252726Srpaulo#CONFIG_INTERNAL_LIBTOMMATH_FAST=y 259252726Srpaulo 260252726Srpaulo# Interworking (IEEE 802.11u) 261252726Srpaulo# This can be used to enable functionality to improve interworking with 262252726Srpaulo# external networks. 263252726Srpaulo#CONFIG_INTERWORKING=y 264252726Srpaulo 265252726Srpaulo# Hotspot 2.0 266252726Srpaulo#CONFIG_HS20=y 267252726Srpaulo 268252726Srpaulo# Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file 269252726Srpaulo#CONFIG_SQLITE=y 270