mediatek-sdk: Support AN8801SB PHY for EAP112

Signed-off-by: Sebastian Huang <sebastian_huang@accton.com>

.github/workflows/build-dev.yml

@@ -15,17 +15,21 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     outputs:
       x64_vm_image_name: ${{ steps.package_and_upload_image.outputs.x64_vm_image_name }}
     strategy:
       fail-fast: false
       matrix:
-        target: ['actiontec_web7200', 'cig_wf186w', 'cig_wf188n', 'cig_wf194c4', 'cig_wf196-us', 'cig_wf196-ca', 'cig_wf196-ca-ath12', 'cig_wf610d', 'cig_wf660a', 'cig_wf660a', 'cig_wf808', 'cybertan_eww622-a1', 'cybertan_eww631-a1', 'cybertan_eww631-b1', 'edgecore_eap101', 'edgecore_eap101-ath12', 'edgecore_eap102', 'edgecore_eap104', 'edgecore_eap104-ath12', 'liteon_wpx8324', 'edgecore_ecs4100-12ph', 'edgecore_ecw5211', 'edgecore_ecw5410', 'edgecore_oap100', 'edgecore_oap101_6e', 'edgecore_oap101e', 'edgecore_ssw2ac2600', 'edgecore_spw2ac1200', 'edgecore_spw2ac1200-lan-poe', 'hfcl_ion4','hfcl_ion4xi_wp', 'hfcl_ion4xe', 'hfcl_ion4xi', 'hfcl_ion4x', 'hfcl_ion4x_2', 'indio_um-305ac', 'indio_um-305ax', 'indio_um-325ac', 'indio_um-510ac-v3', 'indio_um-550ac', 'indio_um-310ax-v1', 'indio_um-510axp-v1', 'indio_um-510axm-v1', 'linksys_ea6350-v4', 'linksys_e8450-ubi', 'linksys_ea8300', 'meshpp_s618_cp03', 'meshpp_s618_cp01', 'udaya_a5-id2', 'wallys_dr40x9', 'wallys_dr6018', 'wallys_dr6018_v4', 'x64_vm', 'yuncore_ax840', 'yuncore_fap640', 'yuncore_fap650', 'yuncore_fap655' ]
-
+        target: [ 'cig_wf189h', 'cig_wf189w', 'cig_wf660a', 'cig_wf672', 'cig_wf186h', 'cig_wf186w', 'cig_wf188n', 'cig_wf189', 'cig_wf196', 'cig_wf196', 'cybertan_eww631-a1', 'cybertan_eww631-b1', 'sonicfi_rap630w-312g', 'sonicfi_rap63xc-211g', 'sonicfi_rap630c-311g', 'sonicfi_rap630w-311g', 'sonicfi_rap630w-211g', 'sonicfi_rap650c', 'sonicfi_rap7110c-341x', 'sonicfi_rap750e-h', 'sonicfi_rap750e-s', 'sonicfi_rap750w-311a', 'edgecore_eap101', 'edgecore_eap102', 'edgecore_eap104', 'edgecore_eap105', 'edgecore_eap111', 'edgecore_eap112', 'edgecore_oap101', 'edgecore_oap101-6e', 'edgecore_oap101e', 'edgecore_oap101e-6e', 'edgecore_oap103', 'hfcl_ion4xe', 'hfcl_ion4xi', 'hfcl_ion4x', 'hfcl_ion4x_2', 'hfcl_ion4x_3', 'hfcl_ion4xi_w', 'hfcl_ion4x_w', 'indio_um-305ax', 'senao_iap4300m', 'senao_iap2300m', 'senao_jeap6500', 'udaya_a6-id2', 'udaya_a6-od2', 'yuncore_ax820', 'yuncore_ax840', 'yuncore_fap640', 'yuncore_fap650', 'yuncore_fap655', 'emplus_wap588m', 'zyxel_nwa130be', 'sercomm_ap72tip-v4' ]
     steps:
     - uses: actions/checkout@v3
 
+    # Clean unnecessary files to save disk space
+    - name: clean unncessary files to save space
+      run: |
+        docker rmi `docker images -q` || true
+
     - name: Build image for ${{ matrix.target }}
       id: build
       run: |
@@ -76,7 +80,7 @@ jobs:
         fi
 
   trigger-testing:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     needs: build
     if: startsWith(github.ref, 'refs/tags/v')
     steps:
@@ -89,7 +93,7 @@ jobs:
         client-payload: '{"ref": "${GITHUB_REF#refs/tags/}", "sha": "${{ github.sha }}"}'
 
   create-x64_vm-ami:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     needs: build
     if: startsWith(github.ref, 'refs/tags/v')
     steps:

.github/workflows/x64_vm-build-test.yml

@@ -29,7 +29,7 @@ jobs:
       run: |
         git config --global user.email "you@example.com"
         git config --global user.name "Your Name"
-        make -j TARGET=${{ matrix.target }}
+        make -j TARGET=${{ matrix.target }}        make -j TARGET=${{ matrix.target }}
 
     - name: Package and upload image for ${{ matrix.target }}
       id: package_and_upload_image

LICENSE

@@ -0,0 +1,28 @@
+BSD 3-Clause License
+
+Copyright (c) 2024, Telecom Infra Project
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

config.yml

@@ -1,16 +1,7 @@
 repo:  https://github.com/openwrt/openwrt.git
-branch: openwrt-21.02
-revision: c67509efd7d0c43eb3f622f06c8a31aa28d22f6e
+branch: openwrt-23.05
+revision: e92cf0c46ffe3ac7fca936c18577bfb19eb4ce9e
 output_dir: ./output
 
 patch_folders:
-  - patches/backports/
-  - patches/base
-  - patches/wifi
-  - patches/ath79
-  - patches/ramips
-  - patches/ipq40xx
-  - patches/ipq806x
-  - patches/ipq807x
-  - patches/rest
-  - patches/x86
+  - patches

feeds/bluetooth/nrf52840/files/etc/init.d/nrf52840

@@ -5,7 +5,9 @@ START=80
 boot() {
 	. /lib/functions/system.sh
 	case $(board_name) in
-	edgecore,eap102)
+	edgecore,eap102|\
+	edgecore,oap102|\
+	edgecore,oap103)
 		echo 54 > /sys/class/gpio/export
 		echo out > /sys/class/gpio/gpio54/direction
 		echo 0 > /sys/class/gpio/gpio54/value

feeds/hfcl/hfcl/Makefile

@@ -0,0 +1,29 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=hfcl
+PKG_VERSION:=1.0
+PKG_BUILD_DIR:= $(BUILD_DIR)/$(PKG_NAME)
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/hfcl
+        SECTION:=base
+        CATEGORY:=Utilities
+        TITLE:=hfcl
+endef
+
+define Build/Prepare
+        mkdir -p $(PKG_BUILD_DIR)
+endef
+
+define Build/Compile/Default
+
+endef
+
+Build/Compile = $(Build/Compile/Default)
+
+define Package/hfcl/install
+	cp -rf ./files/* $(1)
+endef
+
+$(eval $(call BuildPackage,hfcl))

feeds/hfcl/hfcl/files/etc/ucentral_check.sh

@@ -0,0 +1,43 @@
+#!/bin/sh
+echo "Start Websocket check/recovery script"
+
+ucentral_conn=$(netstat -atulpn | grep -i ucentral | awk '{print $6}')
+hostname_AP=$(uci get system.@system[0].hostname)
+uc_file_check=$(du /etc/config/ucentral | awk '{print $1}' )
+sleep 20
+
+curr_date=$(date)
+
+if [[ "$uc_file_check" = 0 ]]
+then
+	echo "[[$curr_date]]  empty ucentral file found, need to factory reset"
+	ubi_mount=$(mount | grep ubifs | grep noatime | awk '{print $1}')
+	if [[ "$ubi_mount" != "/dev/ubi0_3" ]]
+	then
+		echo "[[$curr_date]]  ubifs not mounted, need to reboot before factory reset, mount was $ubi_mount"
+		/sbin/reboot
+	else
+		/sbin/jffs2reset -y -r
+	fi
+elif [[ "$hostname_AP" = "OpenWrt" ]]
+then
+	echo "[[$curr_date]] hostname set to openwrt, doing ucentral and capabilities load"
+	/usr/share/ucentral/capabilities.uc
+	rlink=$(readlink -f /etc/ucentral/ucentral.active)
+	/usr/share/ucentral/ucentral.uc /etc/ucentral/ucentral.active
+	rm -rf /etc/ucentral/ucentral.active
+	ln -s $rlink /etc/ucentral/ucentral.active
+	sleep 60
+	ucentral_check=$(netstat -atulpn | grep -i ucentral | awk '{print $6}')
+	if [[ "$ucentral_check" != "ESTABLIHED" ]]
+	then
+		echo "[[$curr_date]] loading didn't work, need to factory reset"
+		/sbin/jffs2reset -y -r
+	fi
+elif [[ "$ucentral_conn" != "ESTABLISHED" ]]
+then
+	echo "[[$curr_date]]  Ucentral either crashed or stopped, restarting the same"
+        /etc/init.d/ucentral restart
+else
+        echo "[[$curr_date]]  Ucentral working all fine, nothing to do"
+fi

feeds/hfcl/hfcl/files/etc/uci-defaults/abc-hfcl-ucentral

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+#rm -f /etc/rc.local
+#cp -f /etc/loop.local /etc/rc.local
+
+crontab -r
+
+/etc/init.d/cron enable
+
+/etc/init.d/cron start
+
+sleep 60
+
+crontab -l | { cat; echo "*/3 * * * * /bin/sh /etc/ucentral_check.sh >> /tmp/ucentral_check";} | crontab -
+
+crontab -l | { cat; echo "* */4 * * * rm -rf /tmp/ucentral_check";} | crontab -
+
+/etc/init.d/cron restart

feeds/hostapd/hostapd/Config.in

@@ -0,0 +1,108 @@
+# wpa_supplicant config
+config WPA_RFKILL_SUPPORT
+	bool "Add rfkill support"
+	depends on PACKAGE_wpa-supplicant || \
+		   PACKAGE_wpa-supplicant-openssl || \
+		   PACKAGE_wpa-supplicant-wolfssl || \
+		   PACKAGE_wpa-supplicant-mbedtls || \
+		   PACKAGE_wpa-supplicant-mesh-openssl || \
+		   PACKAGE_wpa-supplicant-mesh-wolfssl || \
+		   PACKAGE_wpa-supplicant-mesh-mbedtls || \
+		   PACKAGE_wpa-supplicant-basic || \
+		   PACKAGE_wpa-supplicant-mini || \
+		   PACKAGE_wpa-supplicant-p2p || \
+		   PACKAGE_wpad || \
+		   PACKAGE_wpad-openssl || \
+		   PACKAGE_wpad-wolfssl || \
+		   PACKAGE_wpad-mbedtls || \
+		   PACKAGE_wpad-basic || \
+		   PACKAGE_wpad-basic-openssl || \
+		   PACKAGE_wpad-basic-wolfssl || \
+		   PACKAGE_wpad-basic-mbedtls || \
+		   PACKAGE_wpad-mini || \
+		   PACKAGE_wpad-mesh-openssl || \
+		   PACKAGE_wpad-mesh-wolfssl || \
+		   PACKAGE_wpad-mesh-mbedtls
+	default n
+
+config WPA_MSG_MIN_PRIORITY
+	int "Minimum debug message priority"
+	depends on PACKAGE_wpa-supplicant || \
+		   PACKAGE_wpa-supplicant-openssl || \
+		   PACKAGE_wpa-supplicant-wolfssl || \
+		   PACKAGE_wpa-supplicant-mbedtls || \
+		   PACKAGE_wpa-supplicant-mesh-openssl || \
+		   PACKAGE_wpa-supplicant-mesh-wolfssl || \
+		   PACKAGE_wpa-supplicant-mesh-mbedtls || \
+		   PACKAGE_wpa-supplicant-basic || \
+		   PACKAGE_wpa-supplicant-mini || \
+		   PACKAGE_wpa-supplicant-p2p || \
+		   PACKAGE_wpad || \
+		   PACKAGE_wpad-openssl || \
+		   PACKAGE_wpad-wolfssl || \
+		   PACKAGE_wpad-mbedtls || \
+		   PACKAGE_wpad-basic || \
+		   PACKAGE_wpad-basic-openssl || \
+		   PACKAGE_wpad-basic-wolfssl || \
+		   PACKAGE_wpad-basic-mbedtls || \
+		   PACKAGE_wpad-mini || \
+		   PACKAGE_wpad-mesh-openssl || \
+		   PACKAGE_wpad-mesh-wolfssl || \
+		   PACKAGE_wpad-mesh-mbedtls
+	default 3
+	help
+	  Useful values are:
+	    0 = all messages
+		1 = raw message dumps
+		2 = most debugging messages
+		3 = info messages
+		4 = warnings
+		5 = errors
+
+config WPA_WOLFSSL
+	bool
+	default PACKAGE_wpa-supplicant-wolfssl ||\
+	        PACKAGE_wpad-wolfssl ||\
+	        PACKAGE_wpad-basic-wolfssl || \
+	        PACKAGE_wpad-mesh-wolfssl ||\
+	        PACKAGE_eapol-test-wolfssl
+	select WOLFSSL_HAS_AES_CCM
+	select WOLFSSL_HAS_ARC4
+	select WOLFSSL_HAS_DH
+	select WOLFSSL_HAS_OCSP
+	select WOLFSSL_HAS_SESSION_TICKET
+	select WOLFSSL_HAS_WPAS
+
+config DRIVER_11AC_SUPPORT
+	bool
+	default n
+
+config DRIVER_11AX_SUPPORT
+	bool
+	default n
+	select WPA_MBO_SUPPORT
+
+config WPA_ENABLE_WEP
+	bool "Enable support for unsecure and obsolete WEP"
+	help
+	  Wired equivalent privacy (WEP) is an obsolete cryptographic data
+	  confidentiality algorithm that is not considered secure. It should not be used
+	  for anything anymore. The functionality needed to use WEP is available in the
+	  current hostapd release under this optional build parameter and completely
+	  removed in a future release.
+
+config WPA_MBO_SUPPORT
+	bool "Multi Band Operation (Agile Multiband)"
+	default PACKAGE_wpa-supplicant || \
+		PACKAGE_wpa-supplicant-openssl || \
+		PACKAGE_wpa-supplicant-wolfssl || \
+		PACKAGE_wpa-supplicant-mbedtls || \
+		PACKAGE_wpad || \
+		PACKAGE_wpad-openssl || \
+		PACKAGE_wpad-wolfssl || \
+		PACKAGE_wpad-mbedtls
+	help
+	  Multi Band Operation aka (Agile Multiband) enables features
+	  that facilitate efficient use of multiple frequency bands.
+	  Enabling MBO on an AP using RSN requires 802.11w to be enabled.
+	  Hostapd will refuse to start if MBO and RSN are enabled without 11w.

feeds/hostapd/hostapd/Makefile

@@ -0,0 +1,851 @@
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Copyright (C) 2006-2021 OpenWrt.org
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=hostapd
+PKG_RELEASE:=4
+
+PKG_SOURCE_URL:=http://w1.fi/hostap.git
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_DATE:=2023-09-08
+PKG_SOURCE_VERSION:=e5ccbfc69ecf297590341ae8b461edba9d8e964c
+PKG_MIRROR_HASH:=fcc6550f46c7f8bbdbf71e63f8f699b9a0878565ad1b90a17855f5ec21283b8f
+
+PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
+PKG_LICENSE:=BSD-3-Clause
+PKG_CPE_ID:=cpe:/a:w1.fi:hostapd
+
+PKG_BUILD_PARALLEL:=1
+PKG_ASLR_PIE_REGULAR:=1
+
+PKG_CONFIG_DEPENDS:= \
+	CONFIG_PACKAGE_hostapd \
+	CONFIG_PACKAGE_hostapd-basic \
+	CONFIG_PACKAGE_hostapd-mini \
+	CONFIG_WPA_RFKILL_SUPPORT \
+	CONFIG_DRIVER_11AC_SUPPORT \
+	CONFIG_DRIVER_11AX_SUPPORT \
+	CONFIG_WPA_ENABLE_WEP
+
+PKG_BUILD_FLAGS:=gc-sections lto
+
+EAPOL_TEST_PROVIDERS:=eapol-test eapol-test-openssl eapol-test-wolfssl
+
+SUPPLICANT_PROVIDERS:=
+HOSTAPD_PROVIDERS:=
+
+LOCAL_TYPE=$(strip \
+		$(if $(findstring wpad,$(BUILD_VARIANT)),wpad, \
+		$(if $(findstring supplicant,$(BUILD_VARIANT)),supplicant, \
+		hostapd \
+		)))
+
+LOCAL_AND_LIB_VARIANT=$(patsubst hostapd-%,%,\
+		      $(patsubst wpad-%,%,\
+		      $(patsubst supplicant-%,%,\
+		      $(BUILD_VARIANT)\
+		      )))
+
+LOCAL_VARIANT=$(patsubst %-internal,%,\
+	      $(patsubst %-openssl,%,\
+	      $(patsubst %-wolfssl,%,\
+	      $(patsubst %-mbedtls,%,\
+	      $(LOCAL_AND_LIB_VARIANT)\
+	      ))))
+
+SSL_VARIANT=$(strip \
+		$(if $(findstring openssl,$(LOCAL_AND_LIB_VARIANT)),openssl,\
+		$(if $(findstring wolfssl,$(LOCAL_AND_LIB_VARIANT)),wolfssl,\
+		$(if $(findstring mbedtls,$(LOCAL_AND_LIB_VARIANT)),mbedtls,\
+		internal\
+		))))
+
+CONFIG_VARIANT:=$(LOCAL_VARIANT)
+ifeq ($(LOCAL_VARIANT),mesh)
+  CONFIG_VARIANT:=full
+endif
+
+include $(INCLUDE_DIR)/package.mk
+
+STAMP_CONFIGURED:=$(STAMP_CONFIGURED)_$(CONFIG_WPA_MSG_MIN_PRIORITY)
+
+ifneq ($(CONFIG_DRIVER_11AC_SUPPORT),)
+  HOSTAPD_IEEE80211AC:=y
+endif
+
+ifneq ($(CONFIG_DRIVER_11AX_SUPPORT),)
+  HOSTAPD_IEEE80211AX:=y
+endif
+
+CORE_DEPENDS = +ucode +libubus +libucode +ucode-mod-fs +ucode-mod-nl80211 +ucode-mod-rtnl +ucode-mod-ubus +ucode-mod-uloop +libblobmsg-json
+OPENSSL_DEPENDS = +PACKAGE_$(1):libopenssl +PACKAGE_$(1):libopenssl-legacy
+
+DRIVER_MAKEOPTS= \
+	CONFIG_ACS=y CONFIG_DRIVER_NL80211=y \
+	CONFIG_IEEE80211AC=$(HOSTAPD_IEEE80211AC) \
+	CONFIG_IEEE80211AX=$(HOSTAPD_IEEE80211AX) \
+	CONFIG_MBO=$(CONFIG_WPA_MBO_SUPPORT) \
+	CONFIG_UCODE=y
+
+ifeq ($(SSL_VARIANT),openssl)
+  DRIVER_MAKEOPTS += CONFIG_TLS=openssl CONFIG_SAE=y
+  TARGET_LDFLAGS += -lcrypto -lssl
+
+  ifeq ($(LOCAL_VARIANT),basic)
+    DRIVER_MAKEOPTS += CONFIG_OWE=y
+  endif
+  ifeq ($(LOCAL_VARIANT),mesh)
+    DRIVER_MAKEOPTS += CONFIG_AP=y CONFIG_MESH=y
+  endif
+  ifeq ($(LOCAL_VARIANT),full)
+    DRIVER_MAKEOPTS += CONFIG_OWE=y CONFIG_SUITEB192=y CONFIG_AP=y CONFIG_MESH=y
+  endif
+endif
+
+ifeq ($(SSL_VARIANT),wolfssl)
+  DRIVER_MAKEOPTS += CONFIG_TLS=wolfssl CONFIG_SAE=y
+  TARGET_LDFLAGS += -lwolfssl
+
+  ifeq ($(LOCAL_VARIANT),basic)
+    DRIVER_MAKEOPTS += CONFIG_OWE=y
+  endif
+  ifeq ($(LOCAL_VARIANT),mesh)
+    DRIVER_MAKEOPTS += CONFIG_AP=y CONFIG_MESH=y CONFIG_WPS_NFC=1
+  endif
+  ifeq ($(LOCAL_VARIANT),full)
+    DRIVER_MAKEOPTS += CONFIG_OWE=y CONFIG_SUITEB192=y CONFIG_AP=y CONFIG_MESH=y CONFIG_WPS_NFC=1
+  endif
+endif
+
+ifeq ($(SSL_VARIANT),mbedtls)
+  DRIVER_MAKEOPTS += CONFIG_TLS=mbedtls CONFIG_SAE=y
+  TARGET_LDFLAGS += -lmbedcrypto -lmbedx509 -lmbedtls
+
+  ifeq ($(LOCAL_VARIANT),basic)
+    DRIVER_MAKEOPTS += CONFIG_OWE=y
+  endif
+  ifeq ($(LOCAL_VARIANT),mesh)
+    DRIVER_MAKEOPTS += CONFIG_AP=y CONFIG_MESH=y CONFIG_WPS_NFC=1
+  endif
+  ifeq ($(LOCAL_VARIANT),full)
+    DRIVER_MAKEOPTS += CONFIG_OWE=y CONFIG_SUITEB192=y CONFIG_AP=y CONFIG_MESH=y CONFIG_WPS_NFC=1
+  endif
+endif
+
+ifneq ($(LOCAL_TYPE),hostapd)
+  ifdef CONFIG_WPA_RFKILL_SUPPORT
+    DRIVER_MAKEOPTS += NEED_RFKILL=y
+  endif
+endif
+
+DRV_DEPENDS:=+libnl-tiny
+
+
+define Package/hostapd/Default
+  SECTION:=net
+  CATEGORY:=Network
+  SUBMENU:=WirelessAPD
+  TITLE:=IEEE 802.1x Authenticator
+  URL:=http://hostap.epitest.fi/
+  DEPENDS:=$(DRV_DEPENDS) +hostapd-common $(CORE_DEPENDS)
+  EXTRA_DEPENDS:=hostapd-common (=$(PKG_VERSION)-$(PKG_RELEASE))
+  USERID:=network=101:network=101
+  PROVIDES:=hostapd
+  CONFLICTS:=$(HOSTAPD_PROVIDERS)
+  HOSTAPD_PROVIDERS+=$(1)
+endef
+
+define Package/hostapd
+$(call Package/hostapd/Default,$(1))
+  TITLE+= (built-in full)
+  VARIANT:=full-internal
+endef
+
+define Package/hostapd/description
+ This package contains a full featured IEEE 802.1x/WPA/EAP/RADIUS
+ Authenticator.
+endef
+
+define Package/hostapd-openssl
+$(call Package/hostapd/Default,$(1))
+  TITLE+= (OpenSSL full)
+  VARIANT:=full-openssl
+  DEPENDS+=$(OPENSSL_DEPENDS)
+endef
+
+Package/hostapd-openssl/description = $(Package/hostapd/description)
+
+define Package/hostapd-wolfssl
+$(call Package/hostapd/Default,$(1))
+  TITLE+= (wolfSSL full)
+  VARIANT:=full-wolfssl
+  DEPENDS+=+PACKAGE_hostapd-wolfssl:libwolfssl
+endef
+
+Package/hostapd-wolfssl/description = $(Package/hostapd/description)
+
+define Package/hostapd-mbedtls
+$(call Package/hostapd/Default,$(1))
+  TITLE+= (mbedTLS full)
+  VARIANT:=full-mbedtls
+  DEPENDS+=+PACKAGE_hostapd-mbedtls:libmbedtls
+endef
+
+Package/hostapd-mbedtls/description = $(Package/hostapd/description)
+
+define Package/hostapd-basic
+$(call Package/hostapd/Default,$(1))
+  TITLE+= (WPA-PSK, 11r, 11w)
+  VARIANT:=basic
+endef
+
+define Package/hostapd-basic/description
+ This package contains a basic IEEE 802.1x/WPA Authenticator with WPA-PSK, 802.11r and 802.11w support.
+endef
+
+define Package/hostapd-basic-openssl
+$(call Package/hostapd/Default,$(1))
+  TITLE+= (WPA-PSK, 11r and 11w)
+  VARIANT:=basic-openssl
+  DEPENDS+=+PACKAGE_hostapd-basic-openssl:libopenssl
+endef
+
+define Package/hostapd-basic-openssl/description
+ This package contains a basic IEEE 802.1x/WPA Authenticator with WPA-PSK, 802.11r and 802.11w support.
+endef
+
+define Package/hostapd-basic-wolfssl
+$(call Package/hostapd/Default,$(1))
+  TITLE+= (WPA-PSK, 11r and 11w)
+  VARIANT:=basic-wolfssl
+  DEPENDS+=+PACKAGE_hostapd-basic-wolfssl:libwolfssl
+endef
+
+define Package/hostapd-basic-wolfssl/description
+ This package contains a basic IEEE 802.1x/WPA Authenticator with WPA-PSK, 802.11r and 802.11w support.
+endef
+
+define Package/hostapd-basic-mbedtls
+$(call Package/hostapd/Default,$(1))
+  TITLE+= (WPA-PSK, 11r and 11w)
+  VARIANT:=basic-mbedtls
+  DEPENDS+=+PACKAGE_hostapd-basic-mbedtls:libmbedtls
+endef
+
+define Package/hostapd-basic-mbedtls/description
+ This package contains a basic IEEE 802.1x/WPA Authenticator with WPA-PSK, 802.11r and 802.11w support.
+endef
+
+define Package/hostapd-mini
+$(call Package/hostapd/Default,$(1))
+  TITLE+= (WPA-PSK only)
+  VARIANT:=mini
+endef
+
+define Package/hostapd-mini/description
+ This package contains a minimal IEEE 802.1x/WPA Authenticator (WPA-PSK only).
+endef
+
+
+define Package/wpad/Default
+  SECTION:=net
+  CATEGORY:=Network
+  SUBMENU:=WirelessAPD
+  TITLE:=IEEE 802.1x Auth/Supplicant
+  DEPENDS:=$(DRV_DEPENDS) +hostapd-common $(CORE_DEPENDS)
+  EXTRA_DEPENDS:=hostapd-common (=$(PKG_VERSION)-$(PKG_RELEASE))
+  USERID:=network=101:network=101
+  URL:=http://hostap.epitest.fi/
+  PROVIDES:=hostapd wpa-supplicant
+  CONFLICTS:=$(HOSTAPD_PROVIDERS) $(SUPPLICANT_PROVIDERS)
+  HOSTAPD_PROVIDERS+=$(1)
+  SUPPLICANT_PROVIDERS+=$(1)
+endef
+
+define Package/wpad
+$(call Package/wpad/Default,$(1))
+  TITLE+= (built-in full)
+  VARIANT:=wpad-full-internal
+endef
+
+define Package/wpad/description
+ This package contains a full featured IEEE 802.1x/WPA/EAP/RADIUS
+ Authenticator and Supplicant
+endef
+
+define Package/wpad-openssl
+$(call Package/wpad/Default,$(1))
+  TITLE+= (OpenSSL full)
+  VARIANT:=wpad-full-openssl
+  DEPENDS+=$(OPENSSL_DEPENDS)
+endef
+
+Package/wpad-openssl/description = $(Package/wpad/description)
+
+define Package/wpad-wolfssl
+$(call Package/wpad/Default,$(1))
+  TITLE+= (wolfSSL full)
+  VARIANT:=wpad-full-wolfssl
+  DEPENDS+=+PACKAGE_wpad-wolfssl:libwolfssl
+endef
+
+Package/wpad-wolfssl/description = $(Package/wpad/description)
+
+define Package/wpad-mbedtls
+$(call Package/wpad/Default,$(1))
+  TITLE+= (mbedTLS full)
+  VARIANT:=wpad-full-mbedtls
+  DEPENDS+=+PACKAGE_wpad-mbedtls:libmbedtls
+endef
+
+Package/wpad-mbedtls/description = $(Package/wpad/description)
+
+define Package/wpad-basic
+$(call Package/wpad/Default,$(1))
+  TITLE+= (WPA-PSK, 11r, 11w)
+  VARIANT:=wpad-basic
+endef
+
+define Package/wpad-basic/description
+ This package contains a basic IEEE 802.1x/WPA Authenticator and Supplicant with WPA-PSK, 802.11r and 802.11w support.
+endef
+
+define Package/wpad-basic-openssl
+$(call Package/wpad/Default,$(1))
+  TITLE+= (OpenSSL, 11r, 11w)
+  VARIANT:=wpad-basic-openssl
+  DEPENDS+=$(OPENSSL_DEPENDS)
+endef
+
+define Package/wpad-basic-openssl/description
+ This package contains a basic IEEE 802.1x/WPA Authenticator and Supplicant with WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w support.
+endef
+
+define Package/wpad-basic-wolfssl
+$(call Package/wpad/Default,$(1))
+  TITLE+= (wolfSSL, 11r, 11w)
+  VARIANT:=wpad-basic-wolfssl
+  DEPENDS+=+PACKAGE_wpad-basic-wolfssl:libwolfssl
+endef
+
+define Package/wpad-basic-wolfssl/description
+ This package contains a basic IEEE 802.1x/WPA Authenticator and Supplicant with WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w support.
+endef
+
+define Package/wpad-basic-mbedtls
+$(call Package/wpad/Default,$(1))
+  TITLE+= (mbedTLS, 11r, 11w)
+  VARIANT:=wpad-basic-mbedtls
+  DEPENDS+=+PACKAGE_wpad-basic-mbedtls:libmbedtls
+endef
+
+define Package/wpad-basic-mbedtls/description
+ This package contains a basic IEEE 802.1x/WPA Authenticator and Supplicant with WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w support.
+endef
+
+define Package/wpad-mini
+$(call Package/wpad/Default,$(1))
+  TITLE+= (WPA-PSK only)
+  VARIANT:=wpad-mini
+endef
+
+define Package/wpad-mini/description
+ This package contains a minimal IEEE 802.1x/WPA Authenticator and Supplicant (WPA-PSK only).
+endef
+
+define Package/wpad-mesh
+$(call Package/wpad/Default,$(1))
+  DEPENDS+=@(!TARGET_uml||BROKEN)
+  PROVIDES+=wpa-supplicant-mesh wpad-mesh
+endef
+
+define Package/wpad-mesh/description
+ This package contains a minimal IEEE 802.1x/WPA Authenticator and Supplicant (with 802.11s mesh and SAE support).
+endef
+
+define Package/wpad-mesh-openssl
+$(call Package/wpad-mesh,$(1))
+  TITLE+= (OpenSSL, 11s, SAE)
+  DEPENDS+=$(OPENSSL_DEPENDS)
+  VARIANT:=wpad-mesh-openssl
+endef
+
+Package/wpad-mesh-openssl/description = $(Package/wpad-mesh/description)
+
+define Package/wpad-mesh-wolfssl
+$(call Package/wpad-mesh,$(1))
+  TITLE+= (wolfSSL, 11s, SAE)
+  DEPENDS+=+PACKAGE_wpad-mesh-wolfssl:libwolfssl
+  VARIANT:=wpad-mesh-wolfssl
+endef
+
+Package/wpad-mesh-wolfssl/description = $(Package/wpad-mesh/description)
+
+define Package/wpad-mesh-mbedtls
+$(call Package/wpad-mesh,$(1))
+  TITLE+= (mbedTLS, 11s, SAE)
+  DEPENDS+=+PACKAGE_wpad-mesh-mbedtls:libmbedtls
+  VARIANT:=wpad-mesh-mbedtls
+endef
+
+Package/wpad-mesh-mbedtls/description = $(Package/wpad-mesh/description)
+
+
+define Package/wpa-supplicant/Default
+  SECTION:=net
+  CATEGORY:=Network
+  SUBMENU:=WirelessAPD
+  TITLE:=WPA Supplicant
+  URL:=http://hostap.epitest.fi/wpa_supplicant/
+  DEPENDS:=$(DRV_DEPENDS) +hostapd-common $(CORE_DEPENDS)
+  EXTRA_DEPENDS:=hostapd-common (=$(PKG_VERSION)-$(PKG_RELEASE))
+  USERID:=network=101:network=101
+  PROVIDES:=wpa-supplicant
+  CONFLICTS:=$(SUPPLICANT_PROVIDERS)
+  SUPPLICANT_PROVIDERS+=$(1)
+endef
+
+define Package/wpa-supplicant
+$(call Package/wpa-supplicant/Default,$(1))
+  TITLE+= (built-in full)
+  VARIANT:=supplicant-full-internal
+endef
+
+define Package/wpa-supplicant-openssl
+$(call Package/wpa-supplicant/Default,$(1))
+  TITLE+= (OpenSSL full)
+  VARIANT:=supplicant-full-openssl
+  DEPENDS+=$(OPENSSL_DEPENDS)
+endef
+
+define Package/wpa-supplicant-wolfssl
+$(call Package/wpa-supplicant/Default,$(1))
+  TITLE+= (wolfSSL full)
+  VARIANT:=supplicant-full-wolfssl
+  DEPENDS+=+PACKAGE_wpa-supplicant-wolfssl:libwolfssl
+endef
+
+define Package/wpa-supplicant-mbedtls
+$(call Package/wpa-supplicant/Default,$(1))
+  TITLE+= (mbedTLS full)
+  VARIANT:=supplicant-full-mbedtls
+  DEPENDS+=+PACKAGE_wpa-supplicant-mbedtls:libmbedtls
+endef
+
+define Package/wpa-supplicant/config
+	source "$(SOURCE)/Config.in"
+endef
+
+define Package/wpa-supplicant-p2p
+$(call Package/wpa-supplicant/Default,$(1))
+  TITLE+= (Wi-Fi P2P support)
+  VARIANT:=supplicant-p2p-internal
+endef
+
+define Package/wpa-supplicant-mesh/Default
+$(call Package/wpa-supplicant/Default,$(1))
+  DEPENDS+=@(!TARGET_uml||BROKEN)
+  PROVIDES+=wpa-supplicant-mesh
+endef
+
+define Package/wpa-supplicant-mesh-openssl
+$(call Package/wpa-supplicant-mesh/Default,$(1))
+  TITLE+= (OpenSSL, 11s, SAE)
+  VARIANT:=supplicant-mesh-openssl
+  DEPENDS+=$(OPENSSL_DEPENDS)
+endef
+
+define Package/wpa-supplicant-mesh-wolfssl
+$(call Package/wpa-supplicant-mesh/Default,$(1))
+  TITLE+= (wolfSSL, 11s, SAE)
+  VARIANT:=supplicant-mesh-wolfssl
+  DEPENDS+=+PACKAGE_wpa-supplicant-mesh-wolfssl:libwolfssl
+endef
+
+define Package/wpa-supplicant-mesh-mbedtls
+$(call Package/wpa-supplicant-mesh/Default,$(1))
+  TITLE+= (mbedTLS, 11s, SAE)
+  VARIANT:=supplicant-mesh-mbedtls
+  DEPENDS+=+PACKAGE_wpa-supplicant-mesh-mbedtls:libmbedtls
+endef
+
+define Package/wpa-supplicant-basic
+$(call Package/wpa-supplicant/Default,$(1))
+  TITLE+= (11r, 11w)
+  VARIANT:=supplicant-basic
+endef
+
+define Package/wpa-supplicant-mini
+$(call Package/wpa-supplicant/Default,$(1))
+  TITLE+= (minimal)
+  VARIANT:=supplicant-mini
+endef
+
+
+define Package/hostapd-common
+  TITLE:=hostapd/wpa_supplicant common support files
+  SECTION:=net
+  CATEGORY:=Network
+  SUBMENU:=WirelessAPD
+endef
+
+define Package/hostapd-utils
+  SECTION:=net
+  CATEGORY:=Network
+  SUBMENU:=WirelessAPD
+  TITLE:=IEEE 802.1x Authenticator (utils)
+  URL:=http://hostap.epitest.fi/
+  DEPENDS:=@$(subst $(space),||,$(foreach pkg,$(HOSTAPD_PROVIDERS),PACKAGE_$(pkg)))
+  VARIANT:=*
+endef
+
+define Package/hostapd-utils/description
+ This package contains a command line utility to control the
+ IEEE 802.1x/WPA/EAP/RADIUS Authenticator.
+endef
+
+define Package/wpa-cli
+  SECTION:=net
+  CATEGORY:=Network
+  SUBMENU:=WirelessAPD
+  DEPENDS:=@$(subst $(space),||,$(foreach pkg,$(SUPPLICANT_PROVIDERS),PACKAGE_$(pkg)))
+  TITLE:=WPA Supplicant command line control utility
+  VARIANT:=*
+endef
+
+define Package/eapol-test/Default
+  TITLE:=802.1x auth test utility
+  SECTION:=net
+  SUBMENU:=WirelessAPD
+  CATEGORY:=Network
+  DEPENDS:=$(DRV_DEPENDS) $(CORE_DEPENDS)
+endef
+
+define Package/eapol-test
+  $(call Package/eapol-test/Default,$(1))
+  TITLE+= (built-in full)
+  VARIANT:=supplicant-full-internal
+endef
+
+define Package/eapol-test-openssl
+  $(call Package/eapol-test/Default,$(1))
+  TITLE+= (OpenSSL full)
+  VARIANT:=supplicant-full-openssl
+  CONFLICTS:=$(filter-out eapol-test-openssl ,$(EAPOL_TEST_PROVIDERS))
+  DEPENDS+=$(OPENSSL_DEPENDS)
+  PROVIDES:=eapol-test
+endef
+
+define Package/eapol-test-wolfssl
+  $(call Package/eapol-test/Default,$(1))
+  TITLE+= (wolfSSL full)
+  VARIANT:=supplicant-full-wolfssl
+  CONFLICTS:=$(filter-out eapol-test-openssl ,$(filter-out eapol-test-wolfssl ,$(EAPOL_TEST_PROVIDERS)))
+  DEPENDS+=+PACKAGE_eapol-test-wolfssl:libwolfssl
+  PROVIDES:=eapol-test
+endef
+
+define Package/eapol-test-mbedtls
+  $(call Package/eapol-test/Default,$(1))
+  TITLE+= (mbedTLS full)
+  VARIANT:=supplicant-full-mbedtls
+  CONFLICTS:=$(filter-out eapol-test-openssl ,$(filter-out eapol-test-mbedtls ,$(EAPOL_TEST_PROVIDERS)))
+  DEPENDS+=+PACKAGE_eapol-test-mbedtls:libmbedtls
+  PROVIDES:=eapol-test
+endef
+
+
+ifneq ($(wildcard $(PKG_BUILD_DIR)/.config_*),$(subst .configured_,.config_,$(STAMP_CONFIGURED)))
+  define Build/Configure/rebuild
+	$(FIND) $(PKG_BUILD_DIR) -name \*.o -or -name \*.a | $(XARGS) rm -f
+	rm -f $(PKG_BUILD_DIR)/hostapd/hostapd
+	rm -f $(PKG_BUILD_DIR)/wpa_supplicant/wpa_supplicant
+	rm -f $(PKG_BUILD_DIR)/.config_*
+	touch $(subst .configured_,.config_,$(STAMP_CONFIGURED))
+  endef
+endif
+
+define Build/Configure
+	$(Build/Configure/rebuild)
+	$(if $(wildcard ./files/hostapd-$(CONFIG_VARIANT).config), \
+		$(CP) ./files/hostapd-$(CONFIG_VARIANT).config $(PKG_BUILD_DIR)/hostapd/.config \
+	)
+	$(if $(wildcard ./files/wpa_supplicant-$(CONFIG_VARIANT).config), \
+		$(CP) ./files/wpa_supplicant-$(CONFIG_VARIANT).config $(PKG_BUILD_DIR)/wpa_supplicant/.config
+	)
+endef
+
+TARGET_CPPFLAGS := \
+	-I$(STAGING_DIR)/usr/include/libnl-tiny \
+	-I$(PKG_BUILD_DIR)/src/crypto \
+	$(TARGET_CPPFLAGS) \
+	-DCONFIG_LIBNL20 \
+	-D_GNU_SOURCE \
+	$(if $(CONFIG_WPA_MSG_MIN_PRIORITY),-DCONFIG_MSG_MIN_PRIORITY=$(CONFIG_WPA_MSG_MIN_PRIORITY))
+
+TARGET_LDFLAGS += -lubox -lubus -lblobmsg_json -lucode -lm -lnl-tiny
+
+ifdef CONFIG_WPA_ENABLE_WEP
+    DRIVER_MAKEOPTS += CONFIG_WEP=y
+endif
+
+define Build/RunMake
+	CFLAGS="$(TARGET_CPPFLAGS) $(TARGET_CFLAGS)" \
+	$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR)/$(1) \
+		$(TARGET_CONFIGURE_OPTS) \
+		$(DRIVER_MAKEOPTS) \
+		LIBS="$(TARGET_LDFLAGS)" \
+		LIBS_c="$(TARGET_LDFLAGS_C)" \
+		AR="$(TARGET_CROSS)gcc-ar" \
+		BCHECK= \
+		$(if $(findstring s,$(OPENWRT_VERBOSE)),V=1) \
+		$(2)
+endef
+
+define Build/Compile/wpad
+	echo ` \
+		$(call Build/RunMake,hostapd,-s MULTICALL=1 dump_cflags); \
+		$(call Build/RunMake,wpa_supplicant,-s MULTICALL=1 dump_cflags) | \
+		sed -e 's,-n ,,g' -e 's^$(TARGET_CFLAGS)^^' \
+	` > $(PKG_BUILD_DIR)/.cflags
+	sed -i 's/"/\\"/g' $(PKG_BUILD_DIR)/.cflags
+	+$(call Build/RunMake,hostapd, \
+		CFLAGS="$$$$(cat $(PKG_BUILD_DIR)/.cflags)" \
+		MULTICALL=1 \
+		hostapd_cli hostapd_multi.a \
+	)
+	+$(call Build/RunMake,wpa_supplicant, \
+		CFLAGS="$$$$(cat $(PKG_BUILD_DIR)/.cflags)" \
+		MULTICALL=1 \
+		wpa_cli wpa_supplicant_multi.a \
+	)
+	+export MAKEFLAGS="$(MAKE_JOBSERVER)"; $(TARGET_CC) -o $(PKG_BUILD_DIR)/wpad \
+		$(TARGET_CFLAGS) \
+		./files/multicall.c \
+		$(PKG_BUILD_DIR)/hostapd/hostapd_multi.a \
+		$(PKG_BUILD_DIR)/wpa_supplicant/wpa_supplicant_multi.a \
+		$(TARGET_LDFLAGS)
+endef
+
+define Build/Compile/hostapd
+	+$(call Build/RunMake,hostapd, \
+		hostapd hostapd_cli \
+	)
+endef
+
+define Build/Compile/supplicant
+	+$(call Build/RunMake,wpa_supplicant, \
+		wpa_cli wpa_supplicant \
+	)
+endef
+
+define Build/Compile/supplicant-full-internal
+	+$(call Build/RunMake,wpa_supplicant, \
+		eapol_test \
+	)
+endef
+
+define Build/Compile/supplicant-full-openssl
+	+$(call Build/RunMake,wpa_supplicant, \
+		eapol_test \
+	)
+endef
+
+define Build/Compile/supplicant-full-wolfssl
+	+$(call Build/RunMake,wpa_supplicant, \
+		eapol_test \
+	)
+endef
+
+define Build/Compile/supplicant-full-mbedtls
+	+$(call Build/RunMake,wpa_supplicant, \
+		eapol_test \
+	)
+endef
+
+define Build/Compile
+	$(Build/Compile/$(LOCAL_TYPE))
+	$(Build/Compile/$(BUILD_VARIANT))
+endef
+
+define Install/hostapd/full
+	$(INSTALL_DIR) $(1)/etc/init.d $(1)/etc/config $(1)/etc/radius
+	ln -sf hostapd $(1)/usr/sbin/hostapd-radius
+	$(INSTALL_BIN) ./files/radius.init $(1)/etc/init.d/radius
+	$(INSTALL_DATA) ./files/radius.config $(1)/etc/config/radius
+	$(INSTALL_DATA) ./files/radius.clients $(1)/etc/radius/clients
+	$(INSTALL_DATA) ./files/radius.users $(1)/etc/radius/users
+endef
+
+define Package/hostapd-full/conffiles
+/etc/config/radius
+/etc/radius
+endef
+
+ifeq ($(CONFIG_VARIANT),full)
+Package/wpad-mesh-openssl/conffiles = $(Package/hostapd-full/conffiles)
+Package/wpad-mesh-wolfssl/conffiles = $(Package/hostapd-full/conffiles)
+Package/wpad-mesh-mbedtls/conffiles = $(Package/hostapd-full/conffiles)
+Package/wpad/conffiles = $(Package/hostapd-full/conffiles)
+Package/wpad-openssl/conffiles = $(Package/hostapd-full/conffiles)
+Package/wpad-wolfssl/conffiles = $(Package/hostapd-full/conffiles)
+Package/wpad-mbedtls/conffiles = $(Package/hostapd-full/conffiles)
+Package/hostapd/conffiles = $(Package/hostapd-full/conffiles)
+Package/hostapd-openssl/conffiles = $(Package/hostapd-full/conffiles)
+Package/hostapd-wolfssl/conffiles = $(Package/hostapd-full/conffiles)
+Package/hostapd-mbedtls/conffiles = $(Package/hostapd-full/conffiles)
+endif
+
+define Install/hostapd
+	$(INSTALL_DIR) $(1)/usr/sbin $(1)/usr/share/hostap
+	$(INSTALL_DATA) ./files/hostapd.uc $(1)/usr/share/hostap/
+	$(if $(findstring full,$(CONFIG_VARIANT)),$(Install/hostapd/full))
+endef
+
+define Install/supplicant
+	$(INSTALL_DIR) $(1)/usr/sbin $(1)/usr/share/hostap
+	$(INSTALL_DATA) ./files/wpa_supplicant.uc $(1)/usr/share/hostap/
+endef
+
+define Package/hostapd-common/install
+	$(INSTALL_DIR) $(1)/etc/capabilities $(1)/etc/rc.button $(1)/etc/hotplug.d/ieee80211 $(1)/etc/init.d $(1)/lib/netifd  $(1)/usr/share/acl.d $(1)/usr/share/hostap
+	$(INSTALL_BIN) ./files/dhcp-get-server.sh $(1)/lib/netifd/dhcp-get-server.sh
+	$(INSTALL_DATA) ./files/hostapd.sh $(1)/lib/netifd/hostapd.sh
+	$(INSTALL_BIN) ./files/wpad.init $(1)/etc/init.d/wpad
+	$(INSTALL_BIN) ./files/wps-hotplug.sh $(1)/etc/rc.button/wps
+	$(INSTALL_DATA) ./files/wpad_acl.json $(1)/usr/share/acl.d
+	$(INSTALL_DATA) ./files/wpad.json $(1)/etc/capabilities
+	$(INSTALL_DATA) ./files/common.uc $(1)/usr/share/hostap/
+	$(INSTALL_DATA) ./files/wdev.uc $(1)/usr/share/hostap/
+endef
+
+define Package/hostapd/install
+	$(call Install/hostapd,$(1))
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/hostapd/hostapd $(1)/usr/sbin/
+endef
+Package/hostapd-basic/install = $(Package/hostapd/install)
+Package/hostapd-basic-openssl/install = $(Package/hostapd/install)
+Package/hostapd-basic-wolfssl/install = $(Package/hostapd/install)
+Package/hostapd-basic-mbedtls/install = $(Package/hostapd/install)
+Package/hostapd-mini/install = $(Package/hostapd/install)
+Package/hostapd-openssl/install = $(Package/hostapd/install)
+Package/hostapd-wolfssl/install = $(Package/hostapd/install)
+Package/hostapd-mbedtls/install = $(Package/hostapd/install)
+
+ifneq ($(LOCAL_TYPE),supplicant)
+  define Package/hostapd-utils/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/hostapd/hostapd_cli $(1)/usr/sbin/
+  endef
+endif
+
+define Package/wpad/install
+	$(call Install/hostapd,$(1))
+	$(call Install/supplicant,$(1))
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/wpad $(1)/usr/sbin/
+	$(LN) wpad $(1)/usr/sbin/hostapd
+	$(LN) wpad $(1)/usr/sbin/wpa_supplicant
+endef
+Package/wpad-basic/install = $(Package/wpad/install)
+Package/wpad-basic-openssl/install = $(Package/wpad/install)
+Package/wpad-basic-wolfssl/install = $(Package/wpad/install)
+Package/wpad-basic-mbedtls/install = $(Package/wpad/install)
+Package/wpad-mini/install = $(Package/wpad/install)
+Package/wpad-openssl/install = $(Package/wpad/install)
+Package/wpad-wolfssl/install = $(Package/wpad/install)
+Package/wpad-mbedtls/install = $(Package/wpad/install)
+Package/wpad-mesh-openssl/install = $(Package/wpad/install)
+Package/wpad-mesh-wolfssl/install = $(Package/wpad/install)
+Package/wpad-mesh-mbedtls/install = $(Package/wpad/install)
+
+define Package/wpa-supplicant/install
+	$(call Install/supplicant,$(1))
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/wpa_supplicant/wpa_supplicant $(1)/usr/sbin/
+endef
+Package/wpa-supplicant-basic/install = $(Package/wpa-supplicant/install)
+Package/wpa-supplicant-mini/install = $(Package/wpa-supplicant/install)
+Package/wpa-supplicant-p2p/install = $(Package/wpa-supplicant/install)
+Package/wpa-supplicant-openssl/install = $(Package/wpa-supplicant/install)
+Package/wpa-supplicant-wolfssl/install = $(Package/wpa-supplicant/install)
+Package/wpa-supplicant-mbedtls/install = $(Package/wpa-supplicant/install)
+Package/wpa-supplicant-mesh-openssl/install = $(Package/wpa-supplicant/install)
+Package/wpa-supplicant-mesh-wolfssl/install = $(Package/wpa-supplicant/install)
+Package/wpa-supplicant-mesh-mbedtls/install = $(Package/wpa-supplicant/install)
+
+ifneq ($(LOCAL_TYPE),hostapd)
+  define Package/wpa-cli/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(CP) $(PKG_BUILD_DIR)/wpa_supplicant/wpa_cli $(1)/usr/sbin/
+  endef
+endif
+
+ifeq ($(BUILD_VARIANT),supplicant-full-internal)
+  define Package/eapol-test/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(CP) $(PKG_BUILD_DIR)/wpa_supplicant/eapol_test $(1)/usr/sbin/
+  endef
+endif
+
+ifeq ($(BUILD_VARIANT),supplicant-full-openssl)
+  define Package/eapol-test-openssl/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(CP) $(PKG_BUILD_DIR)/wpa_supplicant/eapol_test $(1)/usr/sbin/
+  endef
+endif
+
+ifeq ($(BUILD_VARIANT),supplicant-full-wolfssl)
+  define Package/eapol-test-wolfssl/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(CP) $(PKG_BUILD_DIR)/wpa_supplicant/eapol_test $(1)/usr/sbin/
+  endef
+endif
+
+ifeq ($(BUILD_VARIANT),supplicant-full-mbedtls)
+  define Package/eapol-test-mbedtls/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(CP) $(PKG_BUILD_DIR)/wpa_supplicant/eapol_test $(1)/usr/sbin/
+  endef
+endif
+
+# Build hostapd-common before its dependents, to avoid
+# spurious rebuilds when building multiple variants.
+$(eval $(call BuildPackage,hostapd-common))
+$(eval $(call BuildPackage,hostapd))
+$(eval $(call BuildPackage,hostapd-basic))
+$(eval $(call BuildPackage,hostapd-basic-openssl))
+$(eval $(call BuildPackage,hostapd-basic-wolfssl))
+$(eval $(call BuildPackage,hostapd-basic-mbedtls))
+$(eval $(call BuildPackage,hostapd-mini))
+$(eval $(call BuildPackage,hostapd-openssl))
+$(eval $(call BuildPackage,hostapd-wolfssl))
+$(eval $(call BuildPackage,hostapd-mbedtls))
+$(eval $(call BuildPackage,wpad))
+$(eval $(call BuildPackage,wpad-mesh-openssl))
+$(eval $(call BuildPackage,wpad-mesh-wolfssl))
+$(eval $(call BuildPackage,wpad-mesh-mbedtls))
+$(eval $(call BuildPackage,wpad-basic))
+$(eval $(call BuildPackage,wpad-basic-openssl))
+$(eval $(call BuildPackage,wpad-basic-wolfssl))
+$(eval $(call BuildPackage,wpad-basic-mbedtls))
+$(eval $(call BuildPackage,wpad-mini))
+$(eval $(call BuildPackage,wpad-openssl))
+$(eval $(call BuildPackage,wpad-wolfssl))
+$(eval $(call BuildPackage,wpad-mbedtls))
+$(eval $(call BuildPackage,wpa-supplicant))
+$(eval $(call BuildPackage,wpa-supplicant-mesh-openssl))
+$(eval $(call BuildPackage,wpa-supplicant-mesh-wolfssl))
+$(eval $(call BuildPackage,wpa-supplicant-mesh-mbedtls))
+$(eval $(call BuildPackage,wpa-supplicant-basic))
+$(eval $(call BuildPackage,wpa-supplicant-mini))
+$(eval $(call BuildPackage,wpa-supplicant-p2p))
+$(eval $(call BuildPackage,wpa-supplicant-openssl))
+$(eval $(call BuildPackage,wpa-supplicant-wolfssl))
+$(eval $(call BuildPackage,wpa-supplicant-mbedtls))
+$(eval $(call BuildPackage,wpa-cli))
+$(eval $(call BuildPackage,hostapd-utils))
+$(eval $(call BuildPackage,eapol-test))
+$(eval $(call BuildPackage,eapol-test-openssl))
+$(eval $(call BuildPackage,eapol-test-wolfssl))
+$(eval $(call BuildPackage,eapol-test-mbedtls))

feeds/hostapd/hostapd/README.md

@@ -0,0 +1,419 @@
+# UBUS methods - hostapd
+
+## bss_mgmt_enable
+Enable 802.11k/v features.
+
+### arguments
+| Name | Type | Required | Description |
+|---|---|---|---|
+| neighbor_report | bool | no | enable 802.11k neighbor reports |
+| beacon_report | bool | no | enable 802.11k beacon reports |
+| link_measurements | bool | no | enable 802.11k link measurements |
+| bss_transition | bool | no | enable 802.11v BSS transition support |
+
+### example
+`ubus call hostapd.wl5-fb bss_mgmt_enable '{ "neighbor_report": true, "beacon_report": true, "link_measurements": true, "bss_transition": true
+}'`
+
+
+## bss_transition_request
+Initiate an 802.11v transition request.
+
+### arguments
+| Name | Type | Required | Description |
+|---|---|---|---|
+| addr | string | yes | client MAC address |
+| disassociation_imminent | bool | no | set Disassociation Imminent bit |
+| disassociation_timer | int32 | no | disassociate client if it doesn't roam after this time |
+| validity_period | int32 | no | validity of the BSS Transition Candiate List |
+| neighbors | array | no | BSS Transition Candidate List |
+| abridged | bool | no | prefer APs in the BSS Transition Candidate List |
+| dialog_token | int32 | no | identifier for the request/report transaction |
+| mbo_reason | int32 | no | MBO Transition Reason Code Attribute |
+| cell_pref | int32 | no | MBO Cellular Data Connection Preference Attribute |
+| reassoc_delay | int32 | no | MBO Re-association retry delay |
+
+### example
+`ubus call hostapd.wl5-fb bss_transition_request '{ "addr": "68:2F:67:8B:98:ED", "disassociation_imminent": false, "disassociation_timer": 0, "validity_period": 30, "neighbors": ["b6a7b9cbeebabf5900008064090603026a00"], "abridged": 1 }'`
+
+
+## config_add
+Dynamically load a BSS configuration from a file. This is used by netifd's mac80211 support script to configure BSSes on multiple PHYs in a single hostapd instance.
+
+### arguments
+| Name | Type | Required | Description |
+|---|---|---|---|
+| iface | string | yes | WiFi interface name |
+| config | string | yes | path to hostapd config file |
+
+
+## config_remove
+Dynamically remove a BSS configuration.
+
+### arguments
+| Name | Type | Required | Description |
+|---|---|---|---|
+| iface | string | yes | WiFi interface name |
+
+
+## del_client
+Kick a client off the network.
+
+### arguments
+| Name | Type | Required | Description |
+|---|---|---|---|
+| addr | string | yes | client MAC address |
+| reason | int32 | no | 802.11 reason code |
+| deauth | bool | no | deauthenticates client instead of disassociating |
+| ban_time | int32 | no | ban client for N milliseconds |
+
+### example
+`ubus call hostapd.wl5-fb del_client '{ "addr": "68:2f:67:8b:98:ed", "reason": 5, "deauth": true, "ban_time": 10000 }'`
+
+
+## get_clients
+Show associated clients.
+
+### example
+`ubus call hostapd.wl5-fb get_clients`
+
+### output
+```json
+{
+        "freq": 5260,
+        "clients": {
+                "68:2f:67:8b:98:ed": {
+                        "auth": true,
+                        "assoc": true,
+                        "authorized": true,
+                        "preauth": false,
+                        "wds": false,
+                        "wmm": true,
+                        "ht": true,
+                        "vht": true,
+                        "he": false,
+                        "wps": false,
+                        "mfp": true,
+                        "rrm": [
+                                0,
+                                0,
+                                0,
+                                0,
+                                0
+                        ],
+                        "extended_capabilities": [
+                                0,
+                                0,
+                                0,
+                                0,
+                                0,
+                                0,
+                                0,
+                                64
+                        ],
+                        "aid": 3,
+                        "signature": "wifi4|probe:0,1,45,127,107,191,221(0017f2,10),221(001018,2),htcap:006f,htagg:1b,htmcs:0000ffff,vhtcap:0f825832,vhtrxmcs:0000ffea,vhttxmcs:0000ffea,extcap:0000008000000040|assoc:0,1,33,36,48,45,127,191,221(0017f2,10),221(001018,2),221(0050f2,2),htcap:006f,htagg:1b,htmcs:0000ffff,vhtcap:0f825832,vhtrxmcs:0000ffea,vhttxmcs:0000ffea,txpow:14f9,extcap:0000000000000040",
+                        "bytes": {
+                                "rx": 1933667,
+                                "tx": 746805
+                        },
+                        "airtime": {
+                                "rx": 208863,
+                                "tx": 9037883
+                        },
+                        "packets": {
+                                "rx": 3587,
+                                "tx": 2185
+                        },
+                        "rate": {
+                                "rx": 866700,
+                                "tx": 866700
+                        },
+                        "signal": -50,
+                        "capabilities": {
+                                "vht": {
+                                        "su_beamformee": true,
+                                        "mu_beamformee": false,
+                                        "mcs_map": {
+                                                "rx": {
+                                                        "1ss": 9,
+                                                        "2ss": 9,
+                                                        "3ss": 9,
+                                                        "4ss": -1,
+                                                        "5ss": -1,
+                                                        "6ss": -1,
+                                                        "7ss": -1,
+                                                        "8ss": -1
+                                                },
+                                                "tx": {
+                                                        "1ss": 9,
+                                                        "2ss": 9,
+                                                        "3ss": 9,
+                                                        "4ss": -1,
+                                                        "5ss": -1,
+                                                        "6ss": -1,
+                                                        "7ss": -1,
+                                                        "8ss": -1
+                                                }
+                                        }
+                                }
+                        }
+                }
+        }
+}
+```
+
+
+## get_features
+Show HT/VHT support.
+
+### example
+`ubus call hostapd.wl5-fb get_features`
+
+### output
+```json
+{
+        "ht_supported": true,
+        "vht_supported": true
+}
+```
+
+
+## get_status
+Get BSS status.
+
+### example
+`ubus call hostapd.wl5-fb get_status`
+
+### output
+```json
+{
+        "status": "ENABLED",
+        "bssid": "b6:a7:b9:cb:ee:bc",
+        "ssid": "fb",
+        "freq": 5260,
+        "channel": 52,
+        "op_class": 128,
+        "beacon_interval": 100,
+        "phy": "wl5-lan",
+        "rrm": {
+                "neighbor_report_tx": 0
+        },
+        "wnm": {
+                "bss_transition_query_rx": 0,
+                "bss_transition_request_tx": 0,
+                "bss_transition_response_rx": 0
+        },
+        "airtime": {
+                "time": 259561738,
+                "time_busy": 2844249,
+                "utilization": 0
+        },
+        "dfs": {
+                "cac_seconds": 60,
+                "cac_active": false,
+                "cac_seconds_left": 0
+        }
+}
+```
+
+
+## link_measurement_req
+Initiate an 802.11k Link Measurement Request.
+
+### arguments
+| Name | Type | Required | Description |
+|---|---|---|---|
+| addr | string | yes | client MAC address |
+| tx-power-used | int32 | no | transmit power used to transmit the Link Measurement Request frame |
+| tx-power-max | int32 | no | upper limit of transmit power to be used by the client |
+
+
+## list_bans
+List banned clients.
+
+### example
+`ubus call hostapd.wl5-fb list_bans`
+
+### output
+```json
+{
+        "clients": [
+                "68:2f:67:8b:98:ed"
+        ]
+}
+```
+
+
+## notify_response
+When enabled, hostapd will send a ubus notification and wait for a response before responding to various requests. This is used by e.g. usteer to make it possible to ignore probe requests.
+
+:warning: enabling this will cause hostapd to stop responding to probe requests unless a ubus subscriber responds to the ubus notifications.
+
+### arguments
+| Name | Type | Required | Description |
+|---|---|---|---|
+| notify_response | int32 | yes | disable (0) or enable (!0) |
+
+### example
+`ubus call hostapd.wl5-fb notify_response '{ "notify_response": 1 }'`
+
+## reload
+Reload BSS configuration.
+
+:warning: this can cause problems for certain configurations:
+
+```
+Mon May 16 16:09:08 2022 daemon.warn hostapd: Failed to check if DFS is required; ret=-1
+Mon May 16 16:09:08 2022 daemon.warn hostapd: Failed to check if DFS is required; ret=-1
+Mon May 16 16:09:08 2022 daemon.err hostapd: Wrong coupling between HT and VHT/HE channel setting
+```
+
+### example
+`ubus call hostapd.wl5-fb reload`
+
+
+## rrm_beacon_req
+Send a Beacon Measurement Request to a client.
+
+### arguments
+| Name | Type | Required | Description |
+|---|---|---|---|
+| addr | string | yes | client MAC address |
+| op_class | int32 | yes | the Regulatory Class for which this Measurement Request applies |
+| channel | int32 | yes | channel to measure |
+| duration | int32 | yes | compile Beacon Measurement Report after N TU |
+| mode | int32 | yes | mode to be used for measurement (0: passive, 1: active, 2: beacon table) |
+| bssid | string | no | filter BSSes in Beacon Measurement Report by BSSID |
+| ssid | string | no | filter BSSes in Beacon Measurement Report by SSID|
+
+
+## rrm_nr_get_own
+Show Neighbor Report Element for this BSS.
+
+### example
+`ubus call hostapd.wl5-fb rrm_nr_get_own`
+
+### output
+```json
+{
+        "value": [
+                "b6:a7:b9:cb:ee:bc",
+                "fb",
+                "b6a7b9cbeebcaf5900008095090603029b00"
+        ]
+}
+```
+
+
+## rrm_nr_list
+Show Neighbor Report Elements for other BSSes in this ESS.
+
+### example
+`ubus call hostapd.wl5-fb rrm_nr_list`
+
+### output
+```json
+{
+        "list": [
+                [
+                        "b6:a7:b9:cb:ee:ba",
+                        "fb",
+                        "b6a7b9cbeebabf5900008064090603026a00"
+                ]
+        ]
+}
+```
+
+## rrm_nr_set
+Set the Neighbor Report Elements. An element for the node on which this command is executed will always be added.
+
+### arguments
+| Name | Type | Required | Description |
+|---|---|---|---|
+| list | array | yes | array of Neighbor Report Elements in the format of the rrm_nr_list output |
+
+### example
+`ubus call hostapd.wl5-fb rrm_nr_set '{ "list": [ [ "b6:a7:b9:cb:ee:ba", "fb", "b6a7b9cbeebabf5900008064090603026a00" ] ] }'`
+
+
+## set_vendor_elements
+Configure Vendor-specific Information Elements for BSS.
+
+### arguments
+| Name | Type | Required | Description |
+|---|---|---|---|
+| vendor_elements | string | yes | Vendor-specific Information Elements as hex string |
+
+### example
+`ubus call hostapd.wl5-fb set_vendor_elements '{ "vendor_elements": "dd054857dd6662" }'`
+
+
+## switch_chan
+Initiate a channel switch.
+
+:warning: trying to switch to the channel that is currently in use will fail: `Command failed: Operation not supported`
+
+### arguments
+| Name | Type | Required | Description |
+|---|---|---|---|
+| freq | int32 | yes | frequency in MHz to switch to |
+| bcn_count | int32 | no | count in Beacon frames (TBTT) to perform the switch |
+| center_freq1 | int32 | no | segment 0 center frequency in MHz (valid for HT and VHT) |
+| center_freq2 | int32 | no | segment 1 center frequency in MHz (valid only for 80 MHz channel width and an 80+80 channel) |
+| bandwidth | int32 | no | channel width to use |
+| sec_channel_offset| int32 | no | secondary channel offset for HT40 (0 = disabled, 1 = HT40+, -1 = HT40-) |
+| ht | bool | no | enable 802.11n |
+| vht | bool | no | enable 802.11ac |
+| he | bool | no | enable 802.11ax |
+| block_tx | bool | no | block transmission during CSA period |
+| csa_force | bool | no | restart the interface in case the CSA fails |
+
+## example
+`ubus call hostapd.wl5-fb switch_chan '{ "freq": 5180, "bcn_count": 10, "center_freq1": 5210, "bandwidth": 80, "he": 1, "block_tx": 1, "csa_force": 0 }'`
+
+
+## update_airtime
+Set dynamic airtime weight for client.
+
+### arguments
+| Name | Type | Required | Description |
+|---|---|---|---|
+| sta | string | yes | client MAC address |
+| weight | int32 | yes | airtime weight |
+
+
+## update_beacon
+Force beacon frame content to be updated and to start beaconing on an interface that uses start_disabled=1.
+
+### example
+`ubus call hostapd.wl5-fb update_beacon`
+
+
+## wps_status
+Get WPS status for BSS.
+
+### example
+`ubus call hostapd.wl5-fb wps_status`
+
+### output
+```json
+{
+        "pbc_status": "Disabled",
+        "last_wps_result": "None"
+}
+```
+
+
+## wps_cancel
+Cancel WPS Push Button Configuration.
+
+### example
+`ubus call hostapd.wl5-fb wps_cancel`
+
+
+## wps_start
+Start WPS Push Button Configuration.
+
+### example
+`ubus call hostapd.wl5-fb wps_start`

feeds/hostapd/hostapd/files/common.uc

@@ -0,0 +1,318 @@
+import * as nl80211 from "nl80211";
+import * as rtnl from "rtnl";
+import { readfile, glob, basename, readlink } from "fs";
+
+const iftypes = {
+	ap: nl80211.const.NL80211_IFTYPE_AP,
+	mesh: nl80211.const.NL80211_IFTYPE_MESH_POINT,
+	sta: nl80211.const.NL80211_IFTYPE_STATION,
+	adhoc: nl80211.const.NL80211_IFTYPE_ADHOC,
+	monitor: nl80211.const.NL80211_IFTYPE_MONITOR,
+};
+
+function wdev_remove(name)
+{
+	nl80211.request(nl80211.const.NL80211_CMD_DEL_INTERFACE, 0, { dev: name });
+}
+
+function __phy_is_fullmac(phyidx)
+{
+	let data = nl80211.request(nl80211.const.NL80211_CMD_GET_WIPHY, 0, { wiphy: phyidx });
+
+	return !data.software_iftypes.ap_vlan;
+}
+
+function phy_is_fullmac(phy)
+{
+	let phyidx = int(trim(readfile(`/sys/class/ieee80211/${phy}/index`)));
+
+	return __phy_is_fullmac(phyidx);
+}
+
+function find_reusable_wdev(phyidx)
+{
+	if (!__phy_is_fullmac(phyidx))
+		return null;
+
+	let data = nl80211.request(
+		nl80211.const.NL80211_CMD_GET_INTERFACE,
+		nl80211.const.NLM_F_DUMP,
+		{ wiphy: phyidx });
+	for (let res in data)
+		if (trim(readfile(`/sys/class/net/${res.ifname}/operstate`)) == "down")
+			return res.ifname;
+	return null;
+}
+
+function wdev_create(phy, name, data)
+{
+	let phyidx = int(readfile(`/sys/class/ieee80211/${phy}/index`));
+
+	wdev_remove(name);
+
+	if (!iftypes[data.mode])
+		return `Invalid mode: ${data.mode}`;
+
+	let req = {
+		wiphy: phyidx,
+		ifname: name,
+		iftype: iftypes[data.mode],
+	};
+
+	if (data["4addr"])
+		req["4addr"] = data["4addr"];
+	if (data.macaddr)
+		req.mac = data.macaddr;
+
+	nl80211.error();
+
+	let reuse_ifname = find_reusable_wdev(phyidx);
+	if (reuse_ifname &&
+	    (reuse_ifname == name ||
+	     rtnl.request(rtnl.const.RTM_SETLINK, 0, { dev: reuse_ifname, ifname: name}) != false))
+		nl80211.request(
+			nl80211.const.NL80211_CMD_SET_INTERFACE, 0, {
+				wiphy: phyidx,
+				dev: name,
+				iftype: iftypes[data.mode],
+			});
+	else
+		nl80211.request(
+			nl80211.const.NL80211_CMD_NEW_INTERFACE,
+			nl80211.const.NLM_F_CREATE,
+			req);
+
+	let error = nl80211.error();
+	if (error)
+		return error;
+
+	if (data.powersave != null) {
+		nl80211.request(nl80211.const.NL80211_CMD_SET_POWER_SAVE, 0,
+			{ dev: name, ps_state: data.powersave ? 1 : 0});
+	}
+
+	return null;
+}
+
+function phy_sysfs_file(phy, name)
+{
+	return trim(readfile(`/sys/class/ieee80211/${phy}/${name}`));
+}
+
+function macaddr_split(str)
+{
+	return map(split(str, ":"), (val) => hex(val));
+}
+
+function macaddr_join(addr)
+{
+	return join(":", map(addr, (val) => sprintf("%02x", val)));
+}
+
+function wdev_macaddr(wdev)
+{
+	return trim(readfile(`/sys/class/net/${wdev}/address`));
+}
+
+const phy_proto = {
+	macaddr_init: function(used, options) {
+		this.macaddr_options = options ?? {};
+		this.macaddr_list = {};
+
+		if (type(used) == "object")
+			for (let addr in used)
+				this.macaddr_list[addr] = used[addr];
+		else
+			for (let addr in used)
+				this.macaddr_list[addr] = -1;
+
+		this.for_each_wdev((wdev) => {
+			let macaddr = wdev_macaddr(wdev);
+			this.macaddr_list[macaddr] ??= -1;
+		});
+
+		return this.macaddr_list;
+	},
+
+	macaddr_generate: function(data) {
+		let phy = this.name;
+		let idx = int(data.id ?? 0);
+		let mbssid = int(data.mbssid ?? 0) > 0;
+		let num_global = int(data.num_global ?? 1);
+		let use_global = !mbssid && idx < num_global;
+
+		let base_addr = phy_sysfs_file(phy, "macaddress");
+		if (!base_addr)
+			return null;
+
+		if (!idx && !mbssid)
+			return base_addr;
+
+		let base_mask = phy_sysfs_file(phy, "address_mask");
+		if (!base_mask)
+			return null;
+
+		if (base_mask == "00:00:00:00:00:00" && idx >= num_global) {
+			let addrs = split(phy_sysfs_file(phy, "addresses"), "\n");
+
+			if (idx < length(addrs))
+				return addrs[idx];
+
+			base_mask = "ff:ff:ff:ff:ff:ff";
+		}
+
+		let addr = macaddr_split(base_addr);
+		let mask = macaddr_split(base_mask);
+		let type;
+
+		if (mbssid)
+			type = "b5";
+		else if (use_global)
+			type = "add";
+		else if (mask[0] > 0)
+			type = "b1";
+		else if (mask[5] < 0xff)
+			type = "b5";
+		else
+			type = "add";
+
+		switch (type) {
+		case "b1":
+			if (!(addr[0] & 2))
+				idx--;
+			addr[0] |= 2;
+			addr[0] ^= idx << 2;
+			break;
+		case "b5":
+			if (mbssid)
+				addr[0] |= 2;
+			addr[5] ^= idx;
+			break;
+		default:
+			for (let i = 5; i > 0; i--) {
+				addr[i] += idx;
+				if (addr[i] < 256)
+					break;
+				addr[i] %= 256;
+			}
+			break;
+		}
+
+		return macaddr_join(addr);
+	},
+
+	macaddr_next: function(val) {
+		let data = this.macaddr_options ?? {};
+		let list = this.macaddr_list;
+
+		for (let i = 0; i < 32; i++) {
+			data.id = i;
+
+			let mac = this.macaddr_generate(data);
+			if (!mac)
+				return null;
+
+			if (list[mac] != null)
+				continue;
+
+			list[mac] = val != null ? val : -1;
+			return mac;
+		}
+	},
+
+	for_each_wdev: function(cb) {
+		let wdevs = glob(`/sys/class/ieee80211/${this.name}/device/net/*`);
+		wdevs = map(wdevs, (arg) => basename(arg));
+		for (let wdev in wdevs) {
+			if (basename(readlink(`/sys/class/net/${wdev}/phy80211`)) != this.name)
+				continue;
+
+			cb(wdev);
+		}
+	}
+};
+
+function phy_open(phy)
+{
+	let phyidx = readfile(`/sys/class/ieee80211/${phy}/index`);
+	if (!phyidx)
+		return null;
+
+	return proto({
+		name: phy,
+		idx: int(phyidx)
+	}, phy_proto);
+}
+
+const vlist_proto = {
+	update: function(values, arg) {
+		let data = this.data;
+		let cb = this.cb;
+		let seq = { };
+		let new_data = {};
+		let old_data = {};
+
+		this.data = new_data;
+
+		if (type(values) == "object") {
+			for (let key in values) {
+				old_data[key] = data[key];
+				new_data[key] = values[key];
+				delete data[key];
+			}
+		} else {
+			for (let val in values) {
+				let cur_key = val[0];
+				let cur_obj = val[1];
+
+				old_data[cur_key] = data[cur_key];
+				new_data[cur_key] = val[1];
+				delete data[cur_key];
+			}
+		}
+
+		for (let key in data) {
+			cb(null, data[key], arg);
+			delete data[key];
+		}
+		for (let key in new_data)
+			cb(new_data[key], old_data[key], arg);
+	}
+};
+
+function is_equal(val1, val2) {
+	let t1 = type(val1);
+
+	if (t1 != type(val2))
+		return false;
+
+	if (t1 == "array") {
+		if (length(val1) != length(val2))
+			return false;
+
+		for (let i = 0; i < length(val1); i++)
+			if (!is_equal(val1[i], val2[i]))
+				return false;
+
+		return true;
+	} else if (t1 == "object") {
+		for (let key in val1)
+			if (!is_equal(val1[key], val2[key]))
+				return false;
+		for (let key in val2)
+			if (val1[key] == null)
+				return false;
+		return true;
+	} else {
+		return val1 == val2;
+	}
+}
+
+function vlist_new(cb) {
+	return proto({
+			cb: cb,
+			data: {}
+		}, vlist_proto);
+}
+
+export { wdev_remove, wdev_create, is_equal, vlist_new, phy_is_fullmac, phy_open };

feeds/hostapd/hostapd/files/dhcp-get-server.sh

@@ -0,0 +1,2 @@
+#!/bin/sh
+[ "$1" = bound ] && echo "$serverid"

feeds/hostapd/hostapd/files/hostapd-basic.config

@@ -0,0 +1,404 @@
+# Example hostapd build time configuration
+#
+# This file lists the configuration options that are used when building the
+# hostapd binary. All lines starting with # are ignored. Configuration option
+# lines must be commented out complete, if they are not to be included, i.e.,
+# just setting VARIABLE=n is not disabling that variable.
+#
+# This file is included in Makefile, so variables like CFLAGS and LIBS can also
+# be modified from here. In most cass, these lines should use += in order not
+# to override previous values of the variables.
+
+# Driver interface for Host AP driver
+#CONFIG_DRIVER_HOSTAP=y
+
+# Driver interface for wired authenticator
+CONFIG_DRIVER_WIRED=y
+
+# Driver interface for drivers using the nl80211 kernel interface
+CONFIG_DRIVER_NL80211=y
+
+# QCA vendor extensions to nl80211
+#CONFIG_DRIVER_NL80211_QCA=y
+
+# driver_nl80211.c requires libnl. If you are compiling it yourself
+# you may need to point hostapd to your version of libnl.
+#
+#CFLAGS += -I$<path to libnl include files>
+#LIBS += -L$<path to libnl library files>
+
+# Use libnl v2.0 (or 3.0) libraries.
+#CONFIG_LIBNL20=y
+
+# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
+#CONFIG_LIBNL32=y
+
+
+# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
+#CONFIG_DRIVER_BSD=y
+#CFLAGS += -I/usr/local/include
+#LIBS += -L/usr/local/lib
+#LIBS_p += -L/usr/local/lib
+#LIBS_c += -L/usr/local/lib
+
+# Driver interface for no driver (e.g., RADIUS server only)
+#CONFIG_DRIVER_NONE=y
+
+# IEEE 802.11F/IAPP
+#CONFIG_IAPP=y
+
+# WPA2/IEEE 802.11i RSN pre-authentication
+CONFIG_RSN_PREAUTH=y
+
+# IEEE 802.11w (management frame protection)
+#CONFIG_IEEE80211W=y
+
+# Support Operating Channel Validation
+CONFIG_OCV=y
+
+# Integrated EAP server
+#CONFIG_EAP=y
+
+# EAP Re-authentication Protocol (ERP) in integrated EAP server
+#CONFIG_ERP=y
+
+# EAP-MD5 for the integrated EAP server
+#CONFIG_EAP_MD5=y
+
+# EAP-TLS for the integrated EAP server
+#CONFIG_EAP_TLS=y
+
+# EAP-MSCHAPv2 for the integrated EAP server
+#CONFIG_EAP_MSCHAPV2=y
+
+# EAP-PEAP for the integrated EAP server
+#CONFIG_EAP_PEAP=y
+
+# EAP-GTC for the integrated EAP server
+#CONFIG_EAP_GTC=y
+
+# EAP-TTLS for the integrated EAP server
+#CONFIG_EAP_TTLS=y
+
+# EAP-SIM for the integrated EAP server
+#CONFIG_EAP_SIM=y
+
+# EAP-AKA for the integrated EAP server
+#CONFIG_EAP_AKA=y
+
+# EAP-AKA' for the integrated EAP server
+# This requires CONFIG_EAP_AKA to be enabled, too.
+#CONFIG_EAP_AKA_PRIME=y
+
+# EAP-PAX for the integrated EAP server
+#CONFIG_EAP_PAX=y
+
+# EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK)
+#CONFIG_EAP_PSK=y
+
+# EAP-pwd for the integrated EAP server (secure authentication with a password)
+#CONFIG_EAP_PWD=y
+
+# EAP-SAKE for the integrated EAP server
+#CONFIG_EAP_SAKE=y
+
+# EAP-GPSK for the integrated EAP server
+#CONFIG_EAP_GPSK=y
+# Include support for optional SHA256 cipher suite in EAP-GPSK
+#CONFIG_EAP_GPSK_SHA256=y
+
+# EAP-FAST for the integrated EAP server
+#CONFIG_EAP_FAST=y
+
+# EAP-TEAP for the integrated EAP server
+# Note: The current EAP-TEAP implementation is experimental and should not be
+# enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
+# of conflicting statements and missing details and the implementation has
+# vendor specific workarounds for those and as such, may not interoperate with
+# any other implementation. This should not be used for anything else than
+# experimentation and interoperability testing until those issues has been
+# resolved.
+#CONFIG_EAP_TEAP=y
+
+# Wi-Fi Protected Setup (WPS)
+#CONFIG_WPS=y
+# Enable UPnP support for external WPS Registrars
+#CONFIG_WPS_UPNP=y
+# Enable WPS support with NFC config method
+#CONFIG_WPS_NFC=y
+
+# EAP-IKEv2
+#CONFIG_EAP_IKEV2=y
+
+# Trusted Network Connect (EAP-TNC)
+#CONFIG_EAP_TNC=y
+
+# EAP-EKE for the integrated EAP server
+#CONFIG_EAP_EKE=y
+
+# PKCS#12 (PFX) support (used to read private key and certificate file from
+# a file that usually has extension .p12 or .pfx)
+#CONFIG_PKCS12=y
+
+# RADIUS authentication server. This provides access to the integrated EAP
+# server from external hosts using RADIUS.
+#CONFIG_RADIUS_SERVER=y
+
+# Build IPv6 support for RADIUS operations
+#CONFIG_IPV6=y
+
+# IEEE Std 802.11r-2008 (Fast BSS Transition)
+CONFIG_IEEE80211R=y
+
+# Use the hostapd's IEEE 802.11 authentication (ACL), but without
+# the IEEE 802.11 Management capability (e.g., FreeBSD/net80211)
+#CONFIG_DRIVER_RADIUS_ACL=y
+
+# IEEE 802.11n (High Throughput) support
+CONFIG_IEEE80211N=y
+
+# Wireless Network Management (IEEE Std 802.11v-2011)
+# Note: This is experimental and not complete implementation.
+#CONFIG_WNM=y
+
+# IEEE 802.11ac (Very High Throughput) support
+CONFIG_IEEE80211AC=y
+
+# IEEE 802.11ax HE support
+# Note: This is experimental and work in progress. The definitions are still
+# subject to change and this should not be expected to interoperate with the
+# final IEEE 802.11ax version.
+#CONFIG_IEEE80211AX=y
+
+# Remove debugging code that is printing out debug messages to stdout.
+# This can be used to reduce the size of the hostapd considerably if debugging
+# code is not needed.
+#CONFIG_NO_STDOUT_DEBUG=y
+
+# Add support for writing debug log to a file: -f /tmp/hostapd.log
+# Disabled by default.
+#CONFIG_DEBUG_FILE=y
+
+# Send debug messages to syslog instead of stdout
+CONFIG_DEBUG_SYSLOG=y
+
+# Add support for sending all debug messages (regardless of debug verbosity)
+# to the Linux kernel tracing facility. This helps debug the entire stack by
+# making it easy to record everything happening from the driver up into the
+# same file, e.g., using trace-cmd.
+#CONFIG_DEBUG_LINUX_TRACING=y
+
+# Remove support for RADIUS accounting
+CONFIG_NO_ACCOUNTING=y
+
+# Remove support for RADIUS
+CONFIG_NO_RADIUS=y
+
+# Remove support for VLANs
+#CONFIG_NO_VLAN=y
+
+# Enable support for fully dynamic VLANs. This enables hostapd to
+# automatically create bridge and VLAN interfaces if necessary.
+#CONFIG_FULL_DYNAMIC_VLAN=y
+
+# Use netlink-based kernel API for VLAN operations instead of ioctl()
+# Note: This requires libnl 3.1 or newer.
+#CONFIG_VLAN_NETLINK=y
+
+# Remove support for dumping internal state through control interface commands
+# This can be used to reduce binary size at the cost of disabling a debugging
+# option.
+CONFIG_NO_DUMP_STATE=y
+
+# Enable tracing code for developer debugging
+# This tracks use of memory allocations and other registrations and reports
+# incorrect use with a backtrace of call (or allocation) location.
+#CONFIG_WPA_TRACE=y
+# For BSD, comment out these.
+#LIBS += -lexecinfo
+#LIBS_p += -lexecinfo
+#LIBS_c += -lexecinfo
+
+# Use libbfd to get more details for developer debugging
+# This enables use of libbfd to get more detailed symbols for the backtraces
+# generated by CONFIG_WPA_TRACE=y.
+#CONFIG_WPA_TRACE_BFD=y
+# For BSD, comment out these.
+#LIBS += -lbfd -liberty -lz
+#LIBS_p += -lbfd -liberty -lz
+#LIBS_c += -lbfd -liberty -lz
+
+# hostapd depends on strong random number generation being available from the
+# operating system. os_get_random() function is used to fetch random data when
+# needed, e.g., for key generation. On Linux and BSD systems, this works by
+# reading /dev/urandom. It should be noted that the OS entropy pool needs to be
+# properly initialized before hostapd is started. This is important especially
+# on embedded devices that do not have a hardware random number generator and
+# may by default start up with minimal entropy available for random number
+# generation.
+#
+# As a safety net, hostapd is by default trying to internally collect
+# additional entropy for generating random data to mix in with the data
+# fetched from the OS. This by itself is not considered to be very strong, but
+# it may help in cases where the system pool is not initialized properly.
+# However, it is very strongly recommended that the system pool is initialized
+# with enough entropy either by using hardware assisted random number
+# generator or by storing state over device reboots.
+#
+# hostapd can be configured to maintain its own entropy store over restarts to
+# enhance random number generation. This is not perfect, but it is much more
+# secure than using the same sequence of random numbers after every reboot.
+# This can be enabled with -e<entropy file> command line option. The specified
+# file needs to be readable and writable by hostapd.
+#
+# If the os_get_random() is known to provide strong random data (e.g., on
+# Linux/BSD, the board in question is known to have reliable source of random
+# data from /dev/urandom), the internal hostapd random pool can be disabled.
+# This will save some in binary size and CPU use. However, this should only be
+# considered for builds that are known to be used on devices that meet the
+# requirements described above.
+CONFIG_NO_RANDOM_POOL=y
+
+# Should we attempt to use the getrandom(2) call that provides more reliable
+# yet secure randomness source than /dev/random on Linux 3.17 and newer.
+# Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
+CONFIG_GETRANDOM=y
+
+# Should we use poll instead of select? Select is used by default.
+#CONFIG_ELOOP_POLL=y
+
+# Should we use epoll instead of select? Select is used by default.
+CONFIG_ELOOP_EPOLL=y
+
+# Should we use kqueue instead of select? Select is used by default.
+#CONFIG_ELOOP_KQUEUE=y
+
+# Select TLS implementation
+# openssl = OpenSSL (default)
+# gnutls = GnuTLS
+# internal = Internal TLSv1 implementation (experimental)
+# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
+# none = Empty template
+CONFIG_TLS=internal
+
+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
+# can be enabled to get a stronger construction of messages when block ciphers
+# are used.
+#CONFIG_TLSV11=y
+
+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
+# can be enabled to enable use of stronger crypto algorithms.
+#CONFIG_TLSV12=y
+
+# Select which ciphers to use by default with OpenSSL if the user does not
+# specify them.
+#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
+
+# If CONFIG_TLS=internal is used, additional library and include paths are
+# needed for LibTomMath. Alternatively, an integrated, minimal version of
+# LibTomMath can be used. See beginning of libtommath.c for details on benefits
+# and drawbacks of this option.
+#CONFIG_INTERNAL_LIBTOMMATH=y
+#ifndef CONFIG_INTERNAL_LIBTOMMATH
+#LTM_PATH=/usr/src/libtommath-0.39
+#CFLAGS += -I$(LTM_PATH)
+#LIBS += -L$(LTM_PATH)
+#LIBS_p += -L$(LTM_PATH)
+#endif
+# At the cost of about 4 kB of additional binary size, the internal LibTomMath
+# can be configured to include faster routines for exptmod, sqr, and div to
+# speed up DH and RSA calculation considerably
+#CONFIG_INTERNAL_LIBTOMMATH_FAST=y
+
+# Interworking (IEEE 802.11u)
+# This can be used to enable functionality to improve interworking with
+# external networks.
+#CONFIG_INTERWORKING=y
+
+# Hotspot 2.0
+#CONFIG_HS20=y
+
+# Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file
+#CONFIG_SQLITE=y
+
+# Enable Fast Session Transfer (FST)
+#CONFIG_FST=y
+
+# Enable CLI commands for FST testing
+#CONFIG_FST_TEST=y
+
+# Testing options
+# This can be used to enable some testing options (see also the example
+# configuration file) that are really useful only for testing clients that
+# connect to this hostapd. These options allow, for example, to drop a
+# certain percentage of probe requests or auth/(re)assoc frames.
+#
+#CONFIG_TESTING_OPTIONS=y
+
+# Automatic Channel Selection
+# This will allow hostapd to pick the channel automatically when channel is set
+# to "acs_survey" or "0". Eventually, other ACS algorithms can be added in
+# similar way.
+#
+# Automatic selection is currently only done through initialization, later on
+# we hope to do background checks to keep us moving to more ideal channels as
+# time goes by. ACS is currently only supported through the nl80211 driver and
+# your driver must have survey dump capability that is filled by the driver
+# during scanning.
+#
+# You can customize the ACS survey algorithm with the hostapd.conf variable
+# acs_num_scans.
+#
+# Supported ACS drivers:
+# * ath9k
+# * ath5k
+# * ath10k
+#
+# For more details refer to:
+# http://wireless.kernel.org/en/users/Documentation/acs
+#
+#CONFIG_ACS=y
+
+# Multiband Operation support
+# These extentions facilitate efficient use of multiple frequency bands
+# available to the AP and the devices that may associate with it.
+#CONFIG_MBO=y
+
+# Client Taxonomy
+# Has the AP retain the Probe Request and (Re)Association Request frames from
+# a client, from which a signature can be produced which can identify the model
+# of client device like "Nexus 6P" or "iPhone 5s".
+#CONFIG_TAXONOMY=y
+
+# Fast Initial Link Setup (FILS) (IEEE 802.11ai)
+#CONFIG_FILS=y
+# FILS shared key authentication with PFS
+#CONFIG_FILS_SK_PFS=y
+
+# Include internal line edit mode in hostapd_cli. This can be used to provide
+# limited command line editing and history support.
+#CONFIG_WPA_CLI_EDIT=y
+
+# Opportunistic Wireless Encryption (OWE)
+# Experimental implementation of draft-harkins-owe-07.txt
+#CONFIG_OWE=y
+
+# Airtime policy support
+CONFIG_AIRTIME_POLICY=y
+
+# Proxy ARP support
+#CONFIG_PROXYARP=y
+
+# Override default value for the wpa_disable_eapol_key_retries configuration
+# parameter. See that parameter in hostapd.conf for more details.
+#CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1
+
+# uBus IPC/RPC System
+# Services can connect to the bus and provide methods
+# that can be called by other services or clients.
+CONFIG_UBUS=y
+
+# OpenWrt patch 380-disable-ctrl-iface-mib.patch
+# leads to the MIB only being compiled in if
+# CONFIG_CTRL_IFACE_MIB is enabled.
+#CONFIG_CTRL_IFACE_MIB=y

feeds/hostapd/hostapd/files/hostapd-full.config

@@ -0,0 +1,404 @@
+# Example hostapd build time configuration
+#
+# This file lists the configuration options that are used when building the
+# hostapd binary. All lines starting with # are ignored. Configuration option
+# lines must be commented out complete, if they are not to be included, i.e.,
+# just setting VARIABLE=n is not disabling that variable.
+#
+# This file is included in Makefile, so variables like CFLAGS and LIBS can also
+# be modified from here. In most cass, these lines should use += in order not
+# to override previous values of the variables.
+
+# Driver interface for Host AP driver
+#CONFIG_DRIVER_HOSTAP=y
+
+# Driver interface for wired authenticator
+CONFIG_DRIVER_WIRED=y
+
+# Driver interface for drivers using the nl80211 kernel interface
+CONFIG_DRIVER_NL80211=y
+
+# QCA vendor extensions to nl80211
+#CONFIG_DRIVER_NL80211_QCA=y
+
+# driver_nl80211.c requires libnl. If you are compiling it yourself
+# you may need to point hostapd to your version of libnl.
+#
+#CFLAGS += -I$<path to libnl include files>
+#LIBS += -L$<path to libnl library files>
+
+# Use libnl v2.0 (or 3.0) libraries.
+#CONFIG_LIBNL20=y
+
+# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
+#CONFIG_LIBNL32=y
+
+
+# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
+#CONFIG_DRIVER_BSD=y
+#CFLAGS += -I/usr/local/include
+#LIBS += -L/usr/local/lib
+#LIBS_p += -L/usr/local/lib
+#LIBS_c += -L/usr/local/lib
+
+# Driver interface for no driver (e.g., RADIUS server only)
+#CONFIG_DRIVER_NONE=y
+
+# IEEE 802.11F/IAPP
+CONFIG_IAPP=y
+
+# WPA2/IEEE 802.11i RSN pre-authentication
+CONFIG_RSN_PREAUTH=y
+
+# IEEE 802.11w (management frame protection)
+#CONFIG_IEEE80211W=y
+
+# Support Operating Channel Validation
+CONFIG_OCV=y
+
+# Integrated EAP server
+CONFIG_EAP=y
+
+# EAP Re-authentication Protocol (ERP) in integrated EAP server
+CONFIG_ERP=y
+
+# EAP-MD5 for the integrated EAP server
+CONFIG_EAP_MD5=y
+
+# EAP-TLS for the integrated EAP server
+CONFIG_EAP_TLS=y
+
+# EAP-MSCHAPv2 for the integrated EAP server
+CONFIG_EAP_MSCHAPV2=y
+
+# EAP-PEAP for the integrated EAP server
+CONFIG_EAP_PEAP=y
+
+# EAP-GTC for the integrated EAP server
+CONFIG_EAP_GTC=y
+
+# EAP-TTLS for the integrated EAP server
+CONFIG_EAP_TTLS=y
+
+# EAP-SIM for the integrated EAP server
+#CONFIG_EAP_SIM=y
+
+# EAP-AKA for the integrated EAP server
+#CONFIG_EAP_AKA=y
+
+# EAP-AKA' for the integrated EAP server
+# This requires CONFIG_EAP_AKA to be enabled, too.
+#CONFIG_EAP_AKA_PRIME=y
+
+# EAP-PAX for the integrated EAP server
+#CONFIG_EAP_PAX=y
+
+# EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK)
+CONFIG_EAP_PSK=y
+
+# EAP-pwd for the integrated EAP server (secure authentication with a password)
+CONFIG_EAP_PWD=y
+
+# EAP-SAKE for the integrated EAP server
+#CONFIG_EAP_SAKE=y
+
+# EAP-GPSK for the integrated EAP server
+#CONFIG_EAP_GPSK=y
+# Include support for optional SHA256 cipher suite in EAP-GPSK
+#CONFIG_EAP_GPSK_SHA256=y
+
+# EAP-FAST for the integrated EAP server
+CONFIG_EAP_FAST=y
+
+# EAP-TEAP for the integrated EAP server
+# Note: The current EAP-TEAP implementation is experimental and should not be
+# enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
+# of conflicting statements and missing details and the implementation has
+# vendor specific workarounds for those and as such, may not interoperate with
+# any other implementation. This should not be used for anything else than
+# experimentation and interoperability testing until those issues has been
+# resolved.
+#CONFIG_EAP_TEAP=y
+
+# Wi-Fi Protected Setup (WPS)
+CONFIG_WPS=y
+# Enable UPnP support for external WPS Registrars
+#CONFIG_WPS_UPNP=y
+# Enable WPS support with NFC config method
+#CONFIG_WPS_NFC=y
+
+# EAP-IKEv2
+#CONFIG_EAP_IKEV2=y
+
+# Trusted Network Connect (EAP-TNC)
+#CONFIG_EAP_TNC=y
+
+# EAP-EKE for the integrated EAP server
+#CONFIG_EAP_EKE=y
+
+# PKCS#12 (PFX) support (used to read private key and certificate file from
+# a file that usually has extension .p12 or .pfx)
+CONFIG_PKCS12=y
+
+# RADIUS authentication server. This provides access to the integrated EAP
+# server from external hosts using RADIUS.
+CONFIG_RADIUS_SERVER=y
+
+# Build IPv6 support for RADIUS operations
+CONFIG_IPV6=y
+
+# IEEE Std 802.11r-2008 (Fast BSS Transition)
+CONFIG_IEEE80211R=y
+
+# Use the hostapd's IEEE 802.11 authentication (ACL), but without
+# the IEEE 802.11 Management capability (e.g., FreeBSD/net80211)
+#CONFIG_DRIVER_RADIUS_ACL=y
+
+# IEEE 802.11n (High Throughput) support
+CONFIG_IEEE80211N=y
+
+# Wireless Network Management (IEEE Std 802.11v-2011)
+# Note: This is experimental and not complete implementation.
+CONFIG_WNM=y
+
+# IEEE 802.11ac (Very High Throughput) support
+CONFIG_IEEE80211AC=y
+
+# IEEE 802.11ax HE support
+# Note: This is experimental and work in progress. The definitions are still
+# subject to change and this should not be expected to interoperate with the
+# final IEEE 802.11ax version.
+#CONFIG_IEEE80211AX=y
+
+# Remove debugging code that is printing out debug messages to stdout.
+# This can be used to reduce the size of the hostapd considerably if debugging
+# code is not needed.
+#CONFIG_NO_STDOUT_DEBUG=y
+
+# Add support for writing debug log to a file: -f /tmp/hostapd.log
+# Disabled by default.
+#CONFIG_DEBUG_FILE=y
+
+# Send debug messages to syslog instead of stdout
+CONFIG_DEBUG_SYSLOG=y
+
+# Add support for sending all debug messages (regardless of debug verbosity)
+# to the Linux kernel tracing facility. This helps debug the entire stack by
+# making it easy to record everything happening from the driver up into the
+# same file, e.g., using trace-cmd.
+#CONFIG_DEBUG_LINUX_TRACING=y
+
+# Remove support for RADIUS accounting
+#CONFIG_NO_ACCOUNTING=y
+
+# Remove support for RADIUS
+#CONFIG_NO_RADIUS=y
+
+# Remove support for VLANs
+#CONFIG_NO_VLAN=y
+
+# Enable support for fully dynamic VLANs. This enables hostapd to
+# automatically create bridge and VLAN interfaces if necessary.
+CONFIG_FULL_DYNAMIC_VLAN=y
+
+# Use netlink-based kernel API for VLAN operations instead of ioctl()
+# Note: This requires libnl 3.1 or newer.
+#CONFIG_VLAN_NETLINK=y
+
+# Remove support for dumping internal state through control interface commands
+# This can be used to reduce binary size at the cost of disabling a debugging
+# option.
+CONFIG_NO_DUMP_STATE=y
+
+# Enable tracing code for developer debugging
+# This tracks use of memory allocations and other registrations and reports
+# incorrect use with a backtrace of call (or allocation) location.
+#CONFIG_WPA_TRACE=y
+# For BSD, comment out these.
+#LIBS += -lexecinfo
+#LIBS_p += -lexecinfo
+#LIBS_c += -lexecinfo
+
+# Use libbfd to get more details for developer debugging
+# This enables use of libbfd to get more detailed symbols for the backtraces
+# generated by CONFIG_WPA_TRACE=y.
+#CONFIG_WPA_TRACE_BFD=y
+# For BSD, comment out these.
+#LIBS += -lbfd -liberty -lz
+#LIBS_p += -lbfd -liberty -lz
+#LIBS_c += -lbfd -liberty -lz
+
+# hostapd depends on strong random number generation being available from the
+# operating system. os_get_random() function is used to fetch random data when
+# needed, e.g., for key generation. On Linux and BSD systems, this works by
+# reading /dev/urandom. It should be noted that the OS entropy pool needs to be
+# properly initialized before hostapd is started. This is important especially
+# on embedded devices that do not have a hardware random number generator and
+# may by default start up with minimal entropy available for random number
+# generation.
+#
+# As a safety net, hostapd is by default trying to internally collect
+# additional entropy for generating random data to mix in with the data
+# fetched from the OS. This by itself is not considered to be very strong, but
+# it may help in cases where the system pool is not initialized properly.
+# However, it is very strongly recommended that the system pool is initialized
+# with enough entropy either by using hardware assisted random number
+# generator or by storing state over device reboots.
+#
+# hostapd can be configured to maintain its own entropy store over restarts to
+# enhance random number generation. This is not perfect, but it is much more
+# secure than using the same sequence of random numbers after every reboot.
+# This can be enabled with -e<entropy file> command line option. The specified
+# file needs to be readable and writable by hostapd.
+#
+# If the os_get_random() is known to provide strong random data (e.g., on
+# Linux/BSD, the board in question is known to have reliable source of random
+# data from /dev/urandom), the internal hostapd random pool can be disabled.
+# This will save some in binary size and CPU use. However, this should only be
+# considered for builds that are known to be used on devices that meet the
+# requirements described above.
+CONFIG_NO_RANDOM_POOL=y
+
+# Should we attempt to use the getrandom(2) call that provides more reliable
+# yet secure randomness source than /dev/random on Linux 3.17 and newer.
+# Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
+CONFIG_GETRANDOM=y
+
+# Should we use poll instead of select? Select is used by default.
+#CONFIG_ELOOP_POLL=y
+
+# Should we use epoll instead of select? Select is used by default.
+CONFIG_ELOOP_EPOLL=y
+
+# Should we use kqueue instead of select? Select is used by default.
+#CONFIG_ELOOP_KQUEUE=y
+
+# Select TLS implementation
+# openssl = OpenSSL (default)
+# gnutls = GnuTLS
+# internal = Internal TLSv1 implementation (experimental)
+# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
+# none = Empty template
+CONFIG_TLS=internal
+
+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
+# can be enabled to get a stronger construction of messages when block ciphers
+# are used.
+#CONFIG_TLSV11=y
+
+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
+# can be enabled to enable use of stronger crypto algorithms.
+#CONFIG_TLSV12=y
+
+# Select which ciphers to use by default with OpenSSL if the user does not
+# specify them.
+#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
+
+# If CONFIG_TLS=internal is used, additional library and include paths are
+# needed for LibTomMath. Alternatively, an integrated, minimal version of
+# LibTomMath can be used. See beginning of libtommath.c for details on benefits
+# and drawbacks of this option.
+CONFIG_INTERNAL_LIBTOMMATH=y
+#ifndef CONFIG_INTERNAL_LIBTOMMATH
+#LTM_PATH=/usr/src/libtommath-0.39
+#CFLAGS += -I$(LTM_PATH)
+#LIBS += -L$(LTM_PATH)
+#LIBS_p += -L$(LTM_PATH)
+#endif
+# At the cost of about 4 kB of additional binary size, the internal LibTomMath
+# can be configured to include faster routines for exptmod, sqr, and div to
+# speed up DH and RSA calculation considerably
+#CONFIG_INTERNAL_LIBTOMMATH_FAST=y
+
+# Interworking (IEEE 802.11u)
+# This can be used to enable functionality to improve interworking with
+# external networks.
+CONFIG_INTERWORKING=y
+
+# Hotspot 2.0
+CONFIG_HS20=y
+
+# Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file
+#CONFIG_SQLITE=y
+
+# Enable Fast Session Transfer (FST)
+#CONFIG_FST=y
+
+# Enable CLI commands for FST testing
+#CONFIG_FST_TEST=y
+
+# Testing options
+# This can be used to enable some testing options (see also the example
+# configuration file) that are really useful only for testing clients that
+# connect to this hostapd. These options allow, for example, to drop a
+# certain percentage of probe requests or auth/(re)assoc frames.
+#
+#CONFIG_TESTING_OPTIONS=y
+
+# Automatic Channel Selection
+# This will allow hostapd to pick the channel automatically when channel is set
+# to "acs_survey" or "0". Eventually, other ACS algorithms can be added in
+# similar way.
+#
+# Automatic selection is currently only done through initialization, later on
+# we hope to do background checks to keep us moving to more ideal channels as
+# time goes by. ACS is currently only supported through the nl80211 driver and
+# your driver must have survey dump capability that is filled by the driver
+# during scanning.
+#
+# You can customize the ACS survey algorithm with the hostapd.conf variable
+# acs_num_scans.
+#
+# Supported ACS drivers:
+# * ath9k
+# * ath5k
+# * ath10k
+#
+# For more details refer to:
+# http://wireless.kernel.org/en/users/Documentation/acs
+#
+#CONFIG_ACS=y
+
+# Multiband Operation support
+# These extentions facilitate efficient use of multiple frequency bands
+# available to the AP and the devices that may associate with it.
+#CONFIG_MBO=y
+
+# Client Taxonomy
+# Has the AP retain the Probe Request and (Re)Association Request frames from
+# a client, from which a signature can be produced which can identify the model
+# of client device like "Nexus 6P" or "iPhone 5s".
+CONFIG_TAXONOMY=y
+
+# Fast Initial Link Setup (FILS) (IEEE 802.11ai)
+#CONFIG_FILS=y
+# FILS shared key authentication with PFS
+#CONFIG_FILS_SK_PFS=y
+
+# Include internal line edit mode in hostapd_cli. This can be used to provide
+# limited command line editing and history support.
+#CONFIG_WPA_CLI_EDIT=y
+
+# Opportunistic Wireless Encryption (OWE)
+# Experimental implementation of draft-harkins-owe-07.txt
+#CONFIG_OWE=y
+
+# Airtime policy support
+CONFIG_AIRTIME_POLICY=y
+
+# Proxy ARP support
+CONFIG_PROXYARP=y
+
+# Override default value for the wpa_disable_eapol_key_retries configuration
+# parameter. See that parameter in hostapd.conf for more details.
+#CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1
+
+# uBus IPC/RPC System
+# Services can connect to the bus and provide methods
+# that can be called by other services or clients.
+CONFIG_UBUS=y
+
+# OpenWrt patch 380-disable-ctrl-iface-mib.patch
+# leads to the MIB only being compiled in if
+# CONFIG_CTRL_IFACE_MIB is enabled.
+CONFIG_CTRL_IFACE_MIB=y

feeds/hostapd/hostapd/files/hostapd-mini.config

@@ -0,0 +1,404 @@
+# Example hostapd build time configuration
+#
+# This file lists the configuration options that are used when building the
+# hostapd binary. All lines starting with # are ignored. Configuration option
+# lines must be commented out complete, if they are not to be included, i.e.,
+# just setting VARIABLE=n is not disabling that variable.
+#
+# This file is included in Makefile, so variables like CFLAGS and LIBS can also
+# be modified from here. In most cass, these lines should use += in order not
+# to override previous values of the variables.
+
+# Driver interface for Host AP driver
+#CONFIG_DRIVER_HOSTAP=y
+
+# Driver interface for wired authenticator
+CONFIG_DRIVER_WIRED=y
+
+# Driver interface for drivers using the nl80211 kernel interface
+CONFIG_DRIVER_NL80211=y
+
+# QCA vendor extensions to nl80211
+#CONFIG_DRIVER_NL80211_QCA=y
+
+# driver_nl80211.c requires libnl. If you are compiling it yourself
+# you may need to point hostapd to your version of libnl.
+#
+#CFLAGS += -I$<path to libnl include files>
+#LIBS += -L$<path to libnl library files>
+
+# Use libnl v2.0 (or 3.0) libraries.
+#CONFIG_LIBNL20=y
+
+# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
+#CONFIG_LIBNL32=y
+
+
+# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
+#CONFIG_DRIVER_BSD=y
+#CFLAGS += -I/usr/local/include
+#LIBS += -L/usr/local/lib
+#LIBS_p += -L/usr/local/lib
+#LIBS_c += -L/usr/local/lib
+
+# Driver interface for no driver (e.g., RADIUS server only)
+#CONFIG_DRIVER_NONE=y
+
+# IEEE 802.11F/IAPP
+#CONFIG_IAPP=y
+
+# WPA2/IEEE 802.11i RSN pre-authentication
+CONFIG_RSN_PREAUTH=y
+
+# IEEE 802.11w (management frame protection)
+#CONFIG_IEEE80211W=y
+
+# Support Operating Channel Validation
+#CONFIG_OCV=y
+
+# Integrated EAP server
+#CONFIG_EAP=y
+
+# EAP Re-authentication Protocol (ERP) in integrated EAP server
+#CONFIG_ERP=y
+
+# EAP-MD5 for the integrated EAP server
+#CONFIG_EAP_MD5=y
+
+# EAP-TLS for the integrated EAP server
+#CONFIG_EAP_TLS=y
+
+# EAP-MSCHAPv2 for the integrated EAP server
+#CONFIG_EAP_MSCHAPV2=y
+
+# EAP-PEAP for the integrated EAP server
+#CONFIG_EAP_PEAP=y
+
+# EAP-GTC for the integrated EAP server
+#CONFIG_EAP_GTC=y
+
+# EAP-TTLS for the integrated EAP server
+#CONFIG_EAP_TTLS=y
+
+# EAP-SIM for the integrated EAP server
+#CONFIG_EAP_SIM=y
+
+# EAP-AKA for the integrated EAP server
+#CONFIG_EAP_AKA=y
+
+# EAP-AKA' for the integrated EAP server
+# This requires CONFIG_EAP_AKA to be enabled, too.
+#CONFIG_EAP_AKA_PRIME=y
+
+# EAP-PAX for the integrated EAP server
+#CONFIG_EAP_PAX=y
+
+# EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK)
+#CONFIG_EAP_PSK=y
+
+# EAP-pwd for the integrated EAP server (secure authentication with a password)
+#CONFIG_EAP_PWD=y
+
+# EAP-SAKE for the integrated EAP server
+#CONFIG_EAP_SAKE=y
+
+# EAP-GPSK for the integrated EAP server
+#CONFIG_EAP_GPSK=y
+# Include support for optional SHA256 cipher suite in EAP-GPSK
+#CONFIG_EAP_GPSK_SHA256=y
+
+# EAP-FAST for the integrated EAP server
+#CONFIG_EAP_FAST=y
+
+# EAP-TEAP for the integrated EAP server
+# Note: The current EAP-TEAP implementation is experimental and should not be
+# enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
+# of conflicting statements and missing details and the implementation has
+# vendor specific workarounds for those and as such, may not interoperate with
+# any other implementation. This should not be used for anything else than
+# experimentation and interoperability testing until those issues has been
+# resolved.
+#CONFIG_EAP_TEAP=y
+
+# Wi-Fi Protected Setup (WPS)
+#CONFIG_WPS=y
+# Enable UPnP support for external WPS Registrars
+#CONFIG_WPS_UPNP=y
+# Enable WPS support with NFC config method
+#CONFIG_WPS_NFC=y
+
+# EAP-IKEv2
+#CONFIG_EAP_IKEV2=y
+
+# Trusted Network Connect (EAP-TNC)
+#CONFIG_EAP_TNC=y
+
+# EAP-EKE for the integrated EAP server
+#CONFIG_EAP_EKE=y
+
+# PKCS#12 (PFX) support (used to read private key and certificate file from
+# a file that usually has extension .p12 or .pfx)
+#CONFIG_PKCS12=y
+
+# RADIUS authentication server. This provides access to the integrated EAP
+# server from external hosts using RADIUS.
+#CONFIG_RADIUS_SERVER=y
+
+# Build IPv6 support for RADIUS operations
+#CONFIG_IPV6=y
+
+# IEEE Std 802.11r-2008 (Fast BSS Transition)
+#CONFIG_IEEE80211R=y
+
+# Use the hostapd's IEEE 802.11 authentication (ACL), but without
+# the IEEE 802.11 Management capability (e.g., FreeBSD/net80211)
+#CONFIG_DRIVER_RADIUS_ACL=y
+
+# IEEE 802.11n (High Throughput) support
+CONFIG_IEEE80211N=y
+
+# Wireless Network Management (IEEE Std 802.11v-2011)
+# Note: This is experimental and not complete implementation.
+#CONFIG_WNM=y
+
+# IEEE 802.11ac (Very High Throughput) support
+CONFIG_IEEE80211AC=y
+
+# IEEE 802.11ax HE support
+# Note: This is experimental and work in progress. The definitions are still
+# subject to change and this should not be expected to interoperate with the
+# final IEEE 802.11ax version.
+#CONFIG_IEEE80211AX=y
+
+# Remove debugging code that is printing out debug messages to stdout.
+# This can be used to reduce the size of the hostapd considerably if debugging
+# code is not needed.
+#CONFIG_NO_STDOUT_DEBUG=y
+
+# Add support for writing debug log to a file: -f /tmp/hostapd.log
+# Disabled by default.
+#CONFIG_DEBUG_FILE=y
+
+# Send debug messages to syslog instead of stdout
+CONFIG_DEBUG_SYSLOG=y
+
+# Add support for sending all debug messages (regardless of debug verbosity)
+# to the Linux kernel tracing facility. This helps debug the entire stack by
+# making it easy to record everything happening from the driver up into the
+# same file, e.g., using trace-cmd.
+#CONFIG_DEBUG_LINUX_TRACING=y
+
+# Remove support for RADIUS accounting
+CONFIG_NO_ACCOUNTING=y
+
+# Remove support for RADIUS
+CONFIG_NO_RADIUS=y
+
+# Remove support for VLANs
+#CONFIG_NO_VLAN=y
+
+# Enable support for fully dynamic VLANs. This enables hostapd to
+# automatically create bridge and VLAN interfaces if necessary.
+#CONFIG_FULL_DYNAMIC_VLAN=y
+
+# Use netlink-based kernel API for VLAN operations instead of ioctl()
+# Note: This requires libnl 3.1 or newer.
+#CONFIG_VLAN_NETLINK=y
+
+# Remove support for dumping internal state through control interface commands
+# This can be used to reduce binary size at the cost of disabling a debugging
+# option.
+CONFIG_NO_DUMP_STATE=y
+
+# Enable tracing code for developer debugging
+# This tracks use of memory allocations and other registrations and reports
+# incorrect use with a backtrace of call (or allocation) location.
+#CONFIG_WPA_TRACE=y
+# For BSD, comment out these.
+#LIBS += -lexecinfo
+#LIBS_p += -lexecinfo
+#LIBS_c += -lexecinfo
+
+# Use libbfd to get more details for developer debugging
+# This enables use of libbfd to get more detailed symbols for the backtraces
+# generated by CONFIG_WPA_TRACE=y.
+#CONFIG_WPA_TRACE_BFD=y
+# For BSD, comment out these.
+#LIBS += -lbfd -liberty -lz
+#LIBS_p += -lbfd -liberty -lz
+#LIBS_c += -lbfd -liberty -lz
+
+# hostapd depends on strong random number generation being available from the
+# operating system. os_get_random() function is used to fetch random data when
+# needed, e.g., for key generation. On Linux and BSD systems, this works by
+# reading /dev/urandom. It should be noted that the OS entropy pool needs to be
+# properly initialized before hostapd is started. This is important especially
+# on embedded devices that do not have a hardware random number generator and
+# may by default start up with minimal entropy available for random number
+# generation.
+#
+# As a safety net, hostapd is by default trying to internally collect
+# additional entropy for generating random data to mix in with the data
+# fetched from the OS. This by itself is not considered to be very strong, but
+# it may help in cases where the system pool is not initialized properly.
+# However, it is very strongly recommended that the system pool is initialized
+# with enough entropy either by using hardware assisted random number
+# generator or by storing state over device reboots.
+#
+# hostapd can be configured to maintain its own entropy store over restarts to
+# enhance random number generation. This is not perfect, but it is much more
+# secure than using the same sequence of random numbers after every reboot.
+# This can be enabled with -e<entropy file> command line option. The specified
+# file needs to be readable and writable by hostapd.
+#
+# If the os_get_random() is known to provide strong random data (e.g., on
+# Linux/BSD, the board in question is known to have reliable source of random
+# data from /dev/urandom), the internal hostapd random pool can be disabled.
+# This will save some in binary size and CPU use. However, this should only be
+# considered for builds that are known to be used on devices that meet the
+# requirements described above.
+CONFIG_NO_RANDOM_POOL=y
+
+# Should we attempt to use the getrandom(2) call that provides more reliable
+# yet secure randomness source than /dev/random on Linux 3.17 and newer.
+# Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
+CONFIG_GETRANDOM=y
+
+# Should we use poll instead of select? Select is used by default.
+#CONFIG_ELOOP_POLL=y
+
+# Should we use epoll instead of select? Select is used by default.
+CONFIG_ELOOP_EPOLL=y
+
+# Should we use kqueue instead of select? Select is used by default.
+#CONFIG_ELOOP_KQUEUE=y
+
+# Select TLS implementation
+# openssl = OpenSSL (default)
+# gnutls = GnuTLS
+# internal = Internal TLSv1 implementation (experimental)
+# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
+# none = Empty template
+CONFIG_TLS=internal
+
+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
+# can be enabled to get a stronger construction of messages when block ciphers
+# are used.
+#CONFIG_TLSV11=y
+
+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
+# can be enabled to enable use of stronger crypto algorithms.
+#CONFIG_TLSV12=y
+
+# Select which ciphers to use by default with OpenSSL if the user does not
+# specify them.
+#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
+
+# If CONFIG_TLS=internal is used, additional library and include paths are
+# needed for LibTomMath. Alternatively, an integrated, minimal version of
+# LibTomMath can be used. See beginning of libtommath.c for details on benefits
+# and drawbacks of this option.
+#CONFIG_INTERNAL_LIBTOMMATH=y
+#ifndef CONFIG_INTERNAL_LIBTOMMATH
+#LTM_PATH=/usr/src/libtommath-0.39
+#CFLAGS += -I$(LTM_PATH)
+#LIBS += -L$(LTM_PATH)
+#LIBS_p += -L$(LTM_PATH)
+#endif
+# At the cost of about 4 kB of additional binary size, the internal LibTomMath
+# can be configured to include faster routines for exptmod, sqr, and div to
+# speed up DH and RSA calculation considerably
+#CONFIG_INTERNAL_LIBTOMMATH_FAST=y
+
+# Interworking (IEEE 802.11u)
+# This can be used to enable functionality to improve interworking with
+# external networks.
+#CONFIG_INTERWORKING=y
+
+# Hotspot 2.0
+#CONFIG_HS20=y
+
+# Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file
+#CONFIG_SQLITE=y
+
+# Enable Fast Session Transfer (FST)
+#CONFIG_FST=y
+
+# Enable CLI commands for FST testing
+#CONFIG_FST_TEST=y
+
+# Testing options
+# This can be used to enable some testing options (see also the example
+# configuration file) that are really useful only for testing clients that
+# connect to this hostapd. These options allow, for example, to drop a
+# certain percentage of probe requests or auth/(re)assoc frames.
+#
+#CONFIG_TESTING_OPTIONS=y
+
+# Automatic Channel Selection
+# This will allow hostapd to pick the channel automatically when channel is set
+# to "acs_survey" or "0". Eventually, other ACS algorithms can be added in
+# similar way.
+#
+# Automatic selection is currently only done through initialization, later on
+# we hope to do background checks to keep us moving to more ideal channels as
+# time goes by. ACS is currently only supported through the nl80211 driver and
+# your driver must have survey dump capability that is filled by the driver
+# during scanning.
+#
+# You can customize the ACS survey algorithm with the hostapd.conf variable
+# acs_num_scans.
+#
+# Supported ACS drivers:
+# * ath9k
+# * ath5k
+# * ath10k
+#
+# For more details refer to:
+# http://wireless.kernel.org/en/users/Documentation/acs
+#
+#CONFIG_ACS=y
+
+# Multiband Operation support
+# These extentions facilitate efficient use of multiple frequency bands
+# available to the AP and the devices that may associate with it.
+#CONFIG_MBO=y
+
+# Client Taxonomy
+# Has the AP retain the Probe Request and (Re)Association Request frames from
+# a client, from which a signature can be produced which can identify the model
+# of client device like "Nexus 6P" or "iPhone 5s".
+#CONFIG_TAXONOMY=y
+
+# Fast Initial Link Setup (FILS) (IEEE 802.11ai)
+#CONFIG_FILS=y
+# FILS shared key authentication with PFS
+#CONFIG_FILS_SK_PFS=y
+
+# Include internal line edit mode in hostapd_cli. This can be used to provide
+# limited command line editing and history support.
+#CONFIG_WPA_CLI_EDIT=y
+
+# Opportunistic Wireless Encryption (OWE)
+# Experimental implementation of draft-harkins-owe-07.txt
+#CONFIG_OWE=y
+
+# Airtime policy support
+#CONFIG_AIRTIME_POLICY=y
+
+# Proxy ARP support
+#CONFIG_PROXYARP=y
+
+# Override default value for the wpa_disable_eapol_key_retries configuration
+# parameter. See that parameter in hostapd.conf for more details.
+#CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1
+
+# uBus IPC/RPC System
+# Services can connect to the bus and provide methods
+# that can be called by other services or clients.
+CONFIG_UBUS=y
+
+# OpenWrt patch 380-disable-ctrl-iface-mib.patch
+# leads to the MIB only being compiled in if
+# CONFIG_CTRL_IFACE_MIB is enabled.
+#CONFIG_CTRL_IFACE_MIB=y

feeds/hostapd/hostapd/files/hostapd.uc

@@ -0,0 +1,812 @@
+let libubus = require("ubus");
+import { open, readfile } from "fs";
+import { wdev_create, wdev_remove, is_equal, vlist_new, phy_is_fullmac, phy_open } from "common";
+
+let ubus = libubus.connect();
+
+hostapd.data.config = {};
+
+hostapd.data.file_fields = {
+	vlan_file: true,
+	wpa_psk_file: true,
+	accept_mac_file: true,
+	deny_mac_file: true,
+	eap_user_file: true,
+	ca_cert: true,
+	server_cert: true,
+	server_cert2: true,
+	private_key: true,
+	private_key2: true,
+	dh_file: true,
+	eap_sim_db: true,
+};
+
+function iface_remove(cfg)
+{
+	if (!cfg || !cfg.bss || !cfg.bss[0] || !cfg.bss[0].ifname)
+		return;
+
+	for (let bss in cfg.bss)
+		wdev_remove(bss.ifname);
+}
+
+function iface_gen_config(phy, config, start_disabled)
+{
+	let str = `data:
+${join("\n", config.radio.data)}
+channel=${config.radio.channel}
+`;
+
+	for (let i = 0; i < length(config.bss); i++) {
+		let bss = config.bss[i];
+		let type = i > 0 ? "bss" : "interface";
+		let nasid = bss.nasid ?? replace(bss.bssid, ":", "");
+
+		str += `
+${type}=${bss.ifname}
+bssid=${bss.bssid}
+${join("\n", bss.data)}
+nas_identifier=${nasid}
+`;
+		if (start_disabled)
+			str += `
+start_disabled=1
+`;
+	}
+
+	return str;
+}
+
+function iface_freq_info(iface, config, params)
+{
+	let freq = params.frequency;
+	if (!freq)
+		return null;
+
+	let sec_offset = params.sec_chan_offset;
+	if (sec_offset != -1 && sec_offset != 1)
+		sec_offset = 0;
+
+	let width = 0;
+	for (let line in config.radio.data) {
+		if (!sec_offset && match(line, /^ht_capab=.*HT40/)) {
+			sec_offset = null; // auto-detect
+			continue;
+		}
+
+		let val = match(line, /^(vht_oper_chwidth|he_oper_chwidth)=(\d+)/);
+		if (!val)
+			continue;
+
+		val = int(val[2]);
+		if (val > width)
+			width = val;
+	}
+
+	if (freq < 4000)
+		width = 0;
+
+	return hostapd.freq_info(freq, sec_offset, width);
+}
+
+function iface_add(phy, config, phy_status)
+{
+	let config_inline = iface_gen_config(phy, config, !!phy_status);
+
+	let bss = config.bss[0];
+	let ret = hostapd.add_iface(`bss_config=${phy}:${config_inline}`);
+	if (ret < 0)
+		return false;
+
+	if (!phy_status)
+		return true;
+
+	let iface = hostapd.interfaces[phy];
+	if (!iface)
+		return false;
+
+	let freq_info = iface_freq_info(iface, config, phy_status);
+
+	return iface.start(freq_info) >= 0;
+}
+
+function iface_config_macaddr_list(config)
+{
+	let macaddr_list = {};
+	for (let i = 0; i < length(config.bss); i++) {
+		let bss = config.bss[i];
+		if (!bss.default_macaddr)
+			macaddr_list[bss.bssid] = i;
+	}
+
+	return macaddr_list;
+}
+
+function iface_update_supplicant_macaddr(phy, config)
+{
+	let macaddr_list = [];
+	for (let i = 0; i < length(config.bss); i++)
+		push(macaddr_list, config.bss[i].bssid);
+	ubus.call("wpa_supplicant", "phy_set_macaddr_list", { phy: phy, macaddr: macaddr_list });
+}
+
+function iface_restart(phydev, config, old_config)
+{
+	let phy = phydev.name;
+
+	hostapd.remove_iface(phy);
+	iface_remove(old_config);
+	iface_remove(config);
+
+	if (!config.bss || !config.bss[0]) {
+		hostapd.printf(`No bss for phy ${phy}`);
+		return;
+	}
+
+	phydev.macaddr_init(iface_config_macaddr_list(config));
+	for (let i = 0; i < length(config.bss); i++) {
+		let bss = config.bss[i];
+		if (bss.default_macaddr)
+			bss.bssid = phydev.macaddr_next();
+	}
+
+	iface_update_supplicant_macaddr(phy, config);
+
+	let bss = config.bss[0];
+	let err = wdev_create(phy, bss.ifname, { mode: "ap" });
+	if (err)
+		hostapd.printf(`Failed to create ${bss.ifname} on phy ${phy}: ${err}`);
+
+	let ubus = hostapd.data.ubus;
+	let phy_status = ubus.call("wpa_supplicant", "phy_status", { phy: phy });
+	if (phy_status && phy_status.state == "COMPLETED") {
+		if (iface_add(phy, config, phy_status))
+			return;
+
+		hostapd.printf(`Failed to bring up phy ${phy} ifname=${bss.ifname} with supplicant provided frequency`);
+	}
+
+	ubus.call("wpa_supplicant", "phy_set_state", { phy: phy, stop: true });
+	if (!iface_add(phy, config))
+		hostapd.printf(`hostapd.add_iface failed for phy ${phy} ifname=${bss.ifname}`);
+	ubus.call("wpa_supplicant", "phy_set_state", { phy: phy, stop: false });
+}
+
+function array_to_obj(arr, key, start)
+{
+	let obj = {};
+
+	start ??= 0;
+	for (let i = start; i < length(arr); i++) {
+		let cur = arr[i];
+		obj[cur[key]] = cur;
+	}
+
+	return obj;
+}
+
+function find_array_idx(arr, key, val)
+{
+	for (let i = 0; i < length(arr); i++)
+		if (arr[i][key] == val)
+			return i;
+
+	return -1;
+}
+
+function bss_reload_psk(bss, config, old_config)
+{
+	if (is_equal(old_config.hash.wpa_psk_file, config.hash.wpa_psk_file))
+		return;
+
+	old_config.hash.wpa_psk_file = config.hash.wpa_psk_file;
+	if (!is_equal(old_config, config))
+		return;
+
+	let ret = bss.ctrl("RELOAD_WPA_PSK");
+	ret ??= "failed";
+
+	hostapd.printf(`Reload WPA PSK file for bss ${config.ifname}: ${ret}`);
+}
+
+function remove_file_fields(config)
+{
+	return filter(config, (line) => !hostapd.data.file_fields[split(line, "=")[0]]);
+}
+
+function bss_remove_file_fields(config)
+{
+	let new_cfg = {};
+
+	for (let key in config)
+		new_cfg[key] = config[key];
+	new_cfg.data = remove_file_fields(new_cfg.data);
+	new_cfg.hash = {};
+	for (let key in config.hash)
+		new_cfg.hash[key] = config.hash[key];
+	delete new_cfg.hash.wpa_psk_file;
+	delete new_cfg.hash.vlan_file;
+
+	return new_cfg;
+}
+
+function bss_config_hash(config)
+{
+	return hostapd.sha1(remove_file_fields(config) + "");
+}
+
+function bss_find_existing(config, prev_config, prev_hash)
+{
+	let hash = bss_config_hash(config.data);
+
+	for (let i = 0; i < length(prev_config.bss); i++) {
+		if (!prev_hash[i] || hash != prev_hash[i])
+			continue;
+
+		prev_hash[i] = null;
+		return i;
+	}
+
+	return -1;
+}
+
+function get_config_bss(config, idx)
+{
+	if (!config.bss[idx]) {
+		hostapd.printf(`Invalid bss index ${idx}`);
+		return null;
+	}
+
+	let ifname = config.bss[idx].ifname;
+	if (!ifname)
+		hostapd.printf(`Could not find bss ${config.bss[idx].ifname}`);
+
+	return hostapd.bss[ifname];
+}
+
+function iface_reload_config(phydev, config, old_config)
+{
+	let phy = phydev.name;
+
+	if (!old_config || !is_equal(old_config.radio, config.radio))
+		return false;
+
+	if (is_equal(old_config.bss, config.bss))
+		return true;
+
+	if (!old_config.bss || !old_config.bss[0])
+		return false;
+
+	let iface = hostapd.interfaces[phy];
+	if (!iface) {
+		hostapd.printf(`Could not find previous interface ${iface_name}`);
+		return false;
+	}
+
+	let iface_name = old_config.bss[0].ifname;
+	let first_bss = hostapd.bss[iface_name];
+	if (!first_bss) {
+		hostapd.printf(`Could not find bss of previous interface ${iface_name}`);
+		return false;
+	}
+
+	let macaddr_list = iface_config_macaddr_list(config);
+	let bss_list = [];
+	let bss_list_cfg = [];
+	let prev_bss_hash = [];
+
+	for (let bss in old_config.bss) {
+		let hash = bss_config_hash(bss.data);
+		push(prev_bss_hash, bss_config_hash(bss.data));
+	}
+
+	// Step 1: find (possibly renamed) interfaces with the same config
+	// and store them in the new order (with gaps)
+	for (let i = 0; i < length(config.bss); i++) {
+		let prev;
+
+		// For fullmac devices, the first interface needs to be preserved,
+		// since it's treated as the master
+		if (!i && phy_is_fullmac(phy)) {
+			prev = 0;
+			prev_bss_hash[0] = null;
+		} else {
+			prev = bss_find_existing(config.bss[i], old_config, prev_bss_hash);
+		}
+		if (prev < 0)
+			continue;
+
+		let cur_config = config.bss[i];
+		let prev_config = old_config.bss[prev];
+
+		let prev_bss = get_config_bss(old_config, prev);
+		if (!prev_bss)
+			return false;
+
+		// try to preserve MAC address of this BSS by reassigning another
+		// BSS if necessary
+		if (cur_config.default_macaddr &&
+		    !macaddr_list[prev_config.bssid]) {
+			macaddr_list[prev_config.bssid] = i;
+			cur_config.bssid = prev_config.bssid;
+		}
+
+		bss_list[i] = prev_bss;
+		bss_list_cfg[i] = old_config.bss[prev];
+	}
+
+	if (config.mbssid && !bss_list_cfg[0]) {
+		hostapd.printf("First BSS changed with MBSSID enabled");
+		return false;
+	}
+
+	// Step 2: if none were found, rename and preserve the first one
+	if (length(bss_list) == 0) {
+		// can't change the bssid of the first bss
+		if (config.bss[0].bssid != old_config.bss[0].bssid) {
+			if (!config.bss[0].default_macaddr) {
+				hostapd.printf(`BSSID of first interface changed: ${lc(old_config.bss[0].bssid)} -> ${lc(config.bss[0].bssid)}`);
+				return false;
+			}
+
+			config.bss[0].bssid = old_config.bss[0].bssid;
+		}
+
+		let prev_bss = get_config_bss(old_config, 0);
+		if (!prev_bss)
+			return false;
+
+		macaddr_list[config.bss[0].bssid] = 0;
+		bss_list[0] = prev_bss;
+		bss_list_cfg[0] = old_config.bss[0];
+		prev_bss_hash[0] = null;
+	}
+
+	// Step 3: delete all unused old interfaces
+	for (let i = 0; i < length(prev_bss_hash); i++) {
+		if (!prev_bss_hash[i])
+			continue;
+
+		let prev_bss = get_config_bss(old_config, i);
+		if (!prev_bss)
+			return false;
+
+		let ifname = old_config.bss[i].ifname;
+		hostapd.printf(`Remove bss '${ifname}' on phy '${phy}'`);
+		prev_bss.delete();
+		wdev_remove(ifname);
+	}
+
+	// Step 4: rename preserved interfaces, use temporary name on duplicates
+	let rename_list = [];
+	for (let i = 0; i < length(bss_list); i++) {
+		if (!bss_list[i])
+			continue;
+
+		let old_ifname = bss_list_cfg[i].ifname;
+		let new_ifname = config.bss[i].ifname;
+		if (old_ifname == new_ifname)
+			continue;
+
+		if (hostapd.bss[new_ifname]) {
+			new_ifname = "tmp_" + substr(hostapd.sha1(new_ifname), 0, 8);
+			push(rename_list, i);
+		}
+
+		hostapd.printf(`Rename bss ${old_ifname} to ${new_ifname}`);
+		if (!bss_list[i].rename(new_ifname)) {
+			hostapd.printf(`Failed to rename bss ${old_ifname} to ${new_ifname}`);
+			return false;
+		}
+
+		bss_list_cfg[i].ifname = new_ifname;
+	}
+
+	// Step 5: rename interfaces with temporary names
+	for (let i in rename_list) {
+		let new_ifname = config.bss[i].ifname;
+		if (!bss_list[i].rename(new_ifname)) {
+			hostapd.printf(`Failed to rename bss to ${new_ifname}`);
+			return false;
+		}
+		bss_list_cfg[i].ifname = new_ifname;
+	}
+
+	// Step 6: assign BSSID for newly created interfaces
+	let macaddr_data = {
+		num_global: config.num_global_macaddr ?? 1,
+		mbssid: config.mbssid ?? 0,
+	};
+	macaddr_list = phydev.macaddr_init(macaddr_list, macaddr_data);
+	for (let i = 0; i < length(config.bss); i++) {
+		if (bss_list[i])
+			continue;
+		let bsscfg = config.bss[i];
+
+		let mac_idx = macaddr_list[bsscfg.bssid];
+		if (mac_idx < 0)
+			macaddr_list[bsscfg.bssid] = i;
+		if (mac_idx == i)
+			continue;
+
+		// statically assigned bssid of the new interface is in conflict
+		// with the bssid of a reused interface. reassign the reused interface
+		if (!bsscfg.default_macaddr) {
+			// can't update bssid of the first BSS, need to restart
+			if (!mac_idx < 0)
+				return false;
+
+			bsscfg = config.bss[mac_idx];
+		}
+
+		let addr = phydev.macaddr_next(i);
+		if (!addr) {
+			hostapd.printf(`Failed to generate mac address for phy ${phy}`);
+			return false;
+		}
+		bsscfg.bssid = addr;
+	}
+
+	let config_inline = iface_gen_config(phy, config);
+
+	// Step 7: fill in the gaps with new interfaces
+	for (let i = 0; i < length(config.bss); i++) {
+		let ifname = config.bss[i].ifname;
+		let bss = bss_list[i];
+
+		if (bss)
+			continue;
+
+		hostapd.printf(`Add bss ${ifname} on phy ${phy}`);
+		bss_list[i] = iface.add_bss(config_inline, i);
+		if (!bss_list[i]) {
+			hostapd.printf(`Failed to add new bss ${ifname} on phy ${phy}`);
+			return false;
+		}
+	}
+
+	// Step 8: update interface bss order
+	if (!iface.set_bss_order(bss_list)) {
+		hostapd.printf(`Failed to update BSS order on phy '${phy}'`);
+		return false;
+	}
+
+	// Step 9: update config
+	for (let i = 0; i < length(config.bss); i++) {
+		if (!bss_list_cfg[i])
+			continue;
+
+		let ifname = config.bss[i].ifname;
+		let bss = bss_list[i];
+
+		if (is_equal(config.bss[i], bss_list_cfg[i]))
+			continue;
+
+		if (is_equal(bss_remove_file_fields(config.bss[i]),
+		             bss_remove_file_fields(bss_list_cfg[i]))) {
+			hostapd.printf(`Update config data files for bss ${ifname}`);
+			if (bss.set_config(config_inline, i, true) < 0) {
+				hostapd.printf(`Could not update config data files for bss ${ifname}`);
+				return false;
+			} else {
+				bss.ctrl("RELOAD_WPA_PSK");
+				continue;
+			}
+		}
+
+		bss_reload_psk(bss, config.bss[i], bss_list_cfg[i]);
+		if (is_equal(config.bss[i], bss_list_cfg[i]))
+			continue;
+
+		hostapd.printf(`Reload config for bss '${config.bss[0].ifname}' on phy '${phy}'`);
+		if (bss.set_config(config_inline, i) < 0) {
+			hostapd.printf(`Failed to set config for bss ${ifname}`);
+			return false;
+		}
+	}
+
+	return true;
+}
+
+function iface_set_config(phy, config)
+{
+	let old_config = hostapd.data.config[phy];
+
+	hostapd.data.config[phy] = config;
+
+	if (!config) {
+		hostapd.remove_iface(phy);
+		return iface_remove(old_config);
+	}
+
+	let phydev = phy_open(phy);
+	if (!phydev) {
+		hostapd.printf(`Failed to open phy ${phy}`);
+		return false;
+	}
+
+	try {
+		let ret = iface_reload_config(phydev, config, old_config);
+		if (ret) {
+			iface_update_supplicant_macaddr(phy, config);
+			hostapd.printf(`Reloaded settings for phy ${phy}`);
+			return 0;
+		}
+	} catch (e) {
+			hostapd.printf(`Error reloading config: ${e}\n${e.stacktrace[0].context}`);
+	}
+
+	hostapd.printf(`Restart interface for phy ${phy}`);
+	let ret = iface_restart(phydev, config, old_config);
+
+	return ret;
+}
+
+function config_add_bss(config, name)
+{
+	let bss = {
+		ifname: name,
+		data: [],
+		hash: {}
+	};
+
+	push(config.bss, bss);
+
+	return bss;
+}
+
+function iface_load_config(filename)
+{
+	let f = open(filename, "r");
+	if (!f)
+		return null;
+
+	let config = {
+		radio: {
+			data: []
+		},
+		bss: [],
+		orig_file: filename,
+	};
+
+	let bss;
+	let line;
+	while ((line = trim(f.read("line"))) != null) {
+		let val = split(line, "=", 2);
+		if (!val[0])
+			continue;
+
+		if (val[0] == "interface") {
+			bss = config_add_bss(config, val[1]);
+			break;
+		}
+
+		if (val[0] == "channel") {
+			config.radio.channel = val[1];
+			continue;
+		}
+
+		if (val[0] == "#num_global_macaddr" ||
+		    val[0] == "mbssid")
+			config[val[0]] = int(val[1]);
+
+		push(config.radio.data, line);
+	}
+
+	while ((line = trim(f.read("line"))) != null) {
+		if (line == "#default_macaddr")
+			bss.default_macaddr = true;
+
+		let val = split(line, "=", 2);
+		if (!val[0])
+			continue;
+
+		if (val[0] == "bssid") {
+			bss.bssid = lc(val[1]);
+			continue;
+		}
+
+		if (val[0] == "nas_identifier")
+			bss.nasid = val[1];
+
+		if (val[0] == "bss") {
+			bss = config_add_bss(config, val[1]);
+			continue;
+		}
+
+		if (hostapd.data.file_fields[val[0]])
+			bss.hash[val[0]] = hostapd.sha1(readfile(val[1]));
+
+		push(bss.data, line);
+	}
+	f.close();
+
+	return config;
+}
+
+function ex_wrap(func) {
+	return (req) => {
+		try {
+			let ret = func(req);
+			return ret;
+		} catch(e) {
+			hostapd.printf(`Exception in ubus function: ${e}\n${e.stacktrace[0].context}`);
+		}
+		return libubus.STATUS_UNKNOWN_ERROR;
+	};
+}
+
+let main_obj = {
+	reload: {
+		args: {
+			phy: "",
+		},
+		call: ex_wrap(function(req) {
+			let phy_list = req.args.phy ? [ req.args.phy ] : keys(hostapd.data.config);
+			for (let phy_name in phy_list) {
+				let phy = hostapd.data.config[phy_name];
+				let config = iface_load_config(phy.orig_file);
+				iface_set_config(phy_name, config);
+			}
+
+			return 0;
+		})
+	},
+	apsta_state: {
+		args: {
+			phy: "",
+			up: true,
+			frequency: 0,
+			sec_chan_offset: 0,
+			csa: true,
+			csa_count: 0,
+		},
+		call: ex_wrap(function(req) {
+			if (req.args.up == null || !req.args.phy)
+				return libubus.STATUS_INVALID_ARGUMENT;
+
+			let phy = req.args.phy;
+			let config = hostapd.data.config[phy];
+			if (!config || !config.bss || !config.bss[0] || !config.bss[0].ifname)
+				return 0;
+
+			let iface = hostapd.interfaces[phy];
+			if (!iface)
+				return 0;
+
+			if (!req.args.up) {
+				iface.stop();
+				return 0;
+			}
+
+			if (!req.args.frequency)
+				return libubus.STATUS_INVALID_ARGUMENT;
+
+			let freq_info = iface_freq_info(iface, config, req.args);
+			if (!freq_info)
+				return libubus.STATUS_UNKNOWN_ERROR;
+
+			let ret;
+			if (req.args.csa) {
+				freq_info.csa_count = req.args.csa_count ?? 10;
+				ret = iface.switch_channel(freq_info);
+			} else {
+				ret = iface.start(freq_info);
+			}
+			if (!ret)
+				return libubus.STATUS_UNKNOWN_ERROR;
+
+			return 0;
+		})
+	},
+	config_get_macaddr_list: {
+		args: {
+			phy: ""
+		},
+		call: ex_wrap(function(req) {
+			let phy = req.args.phy;
+			if (!phy)
+				return libubus.STATUS_INVALID_ARGUMENT;
+
+			let ret = {
+				macaddr: [],
+			};
+
+			let config = hostapd.data.config[phy];
+			if (!config)
+				return ret;
+
+			ret.macaddr = map(config.bss, (bss) => bss.bssid);
+			return ret;
+		})
+	},
+	config_set: {
+		args: {
+			phy: "",
+			config: "",
+			prev_config: "",
+		},
+		call: ex_wrap(function(req) {
+			let phy = req.args.phy;
+			let file = req.args.config;
+			let prev_file = req.args.prev_config;
+
+			if (!phy)
+				return libubus.STATUS_INVALID_ARGUMENT;
+
+			if (prev_file && !hostapd.data.config[phy]) {
+				let config = iface_load_config(prev_file);
+				if (config)
+					config.radio.data = [];
+				hostapd.data.config[phy] = config;
+			}
+
+			let config = iface_load_config(file);
+
+			hostapd.printf(`Set new config for phy ${phy}: ${file}`);
+			iface_set_config(phy, config);
+
+			return {
+				pid: hostapd.getpid()
+			};
+		})
+	},
+	config_add: {
+		args: {
+			iface: "",
+			config: "",
+		},
+		call: ex_wrap(function(req) {
+			if (!req.args.iface || !req.args.config)
+				return libubus.STATUS_INVALID_ARGUMENT;
+
+			if (hostapd.add_iface(`bss_config=${req.args.iface}:${req.args.config}`) < 0)
+				return libubus.STATUS_INVALID_ARGUMENT;
+
+			return {
+				pid: hostapd.getpid()
+			};
+		})
+	},
+	config_remove: {
+		args: {
+			iface: ""
+		},
+		call: ex_wrap(function(req) {
+			if (!req.args.iface)
+				return libubus.STATUS_INVALID_ARGUMENT;
+
+			hostapd.remove_iface(req.args.iface);
+			return 0;
+		})
+	},
+};
+
+hostapd.data.ubus = ubus;
+hostapd.data.obj = ubus.publish("hostapd", main_obj);
+
+function bss_event(type, name, data) {
+	let ubus = hostapd.data.ubus;
+
+	data ??= {};
+	data.name = name;
+	hostapd.data.obj.notify(`bss.${type}`, data, null, null, null, -1);
+	ubus.call("service", "event", { type: `hostapd.${name}.${type}`, data: {} });
+}
+
+return {
+	shutdown: function() {
+		for (let phy in hostapd.data.config)
+			iface_set_config(phy, null);
+		hostapd.ubus.disconnect();
+	},
+	bss_add: function(name, obj) {
+		bss_event("add", name);
+	},
+	bss_reload: function(name, obj, reconf) {
+		bss_event("reload", name, { reconf: reconf != 0 });
+	},
+	bss_remove: function(name, obj) {
+		bss_event("remove", name);
+	}
+};

feeds/hostapd/hostapd/files/radius.clients

@@ -0,0 +1 @@
+0.0.0.0/0 radius

feeds/hostapd/hostapd/files/radius.config

@@ -0,0 +1,9 @@
+config radius
+	option disabled '1'
+	option ca_cert '/etc/radius/ca.pem'
+	option cert '/etc/radius/cert.pem'
+	option key '/etc/radius/key.pem'
+	option users '/etc/radius/users'
+	option clients '/etc/radius/clients'
+	option auth_port '1812'
+	option acct_port '1813'

feeds/hostapd/hostapd/files/radius.init

@@ -0,0 +1,42 @@
+#!/bin/sh /etc/rc.common
+
+START=30
+
+USE_PROCD=1
+NAME=radius
+
+radius_start() {
+	local cfg="$1"
+
+	config_get_bool disabled "$cfg" disabled 0
+
+	[ "$disabled" -gt 0 ] && return
+
+	config_get ca "$cfg" ca_cert
+	config_get key "$cfg" key
+	config_get cert "$cfg" cert
+	config_get users "$cfg" users
+	config_get clients "$cfg" clients
+	config_get auth_port "$cfg" auth_port 1812
+	config_get acct_port "$cfg" acct_port 1813
+	config_get identity "$cfg" identity "$(cat /proc/sys/kernel/hostname)"
+
+	procd_open_instance $cfg
+	procd_set_param command /usr/sbin/hostapd-radius \
+		-C "$ca" \
+		-c "$cert" -k "$key" \
+		-s "$clients" -u "$users" \
+		-p "$auth_port" -P "$acct_port" \
+		-i "$identity"
+	procd_close_instance
+}
+
+start_service() {
+	config_load radius
+	config_foreach radius_start radius
+}
+
+service_triggers()
+{
+	procd_add_reload_trigger "radius"
+}

feeds/hostapd/hostapd/files/radius.users

@@ -0,0 +1,14 @@
+{
+	"phase1": {
+		"wildcard": [
+			{
+				"name": "*",
+				"methods": [ "PEAP" ]
+			}
+		]
+	},
+	"phase2": {
+		"users": {
+		}
+	}
+}

feeds/hostapd/hostapd/files/wdev.uc

@@ -0,0 +1,207 @@
+#!/usr/bin/env ucode
+'use strict';
+import { vlist_new, is_equal, wdev_create, wdev_remove, phy_open } from "/usr/share/hostap/common.uc";
+import { readfile, writefile, basename, readlink, glob } from "fs";
+let libubus = require("ubus");
+
+let keep_devices = {};
+let phy = shift(ARGV);
+let command = shift(ARGV);
+let phydev;
+
+const mesh_params = [
+	"mesh_retry_timeout", "mesh_confirm_timeout", "mesh_holding_timeout", "mesh_max_peer_links",
+	"mesh_max_retries", "mesh_ttl", "mesh_element_ttl", "mesh_hwmp_max_preq_retries",
+	"mesh_path_refresh_time", "mesh_min_discovery_timeout", "mesh_hwmp_active_path_timeout",
+	"mesh_hwmp_preq_min_interval", "mesh_hwmp_net_diameter_traversal_time", "mesh_hwmp_rootmode",
+	"mesh_hwmp_rann_interval", "mesh_gate_announcements", "mesh_sync_offset_max_neighor",
+	"mesh_rssi_threshold", "mesh_hwmp_active_path_to_root_timeout", "mesh_hwmp_root_interval",
+	"mesh_hwmp_confirmation_interval", "mesh_awake_window", "mesh_plink_timeout",
+	"mesh_auto_open_plinks", "mesh_fwding", "mesh_power_mode"
+];
+
+function iface_stop(wdev)
+{
+	if (keep_devices[wdev.ifname])
+		return;
+
+	wdev_remove(wdev.ifname);
+}
+
+function iface_start(wdev)
+{
+	let ifname = wdev.ifname;
+
+	if (readfile(`/sys/class/net/${ifname}/ifindex`)) {
+		system([ "ip", "link", "set", "dev", ifname, "down" ]);
+		wdev_remove(ifname);
+	}
+	let wdev_config = {};
+	for (let key in wdev)
+		wdev_config[key] = wdev[key];
+	if (!wdev_config.macaddr && wdev.mode != "monitor")
+		wdev_config.macaddr = phydev.macaddr_next();
+	wdev_create(phy, ifname, wdev_config);
+	system([ "ip", "link", "set", "dev", ifname, "up" ]);
+	if (wdev.freq)
+		system(`iw dev ${ifname} set freq ${wdev.freq} ${wdev.htmode}`);
+	if (wdev.mode == "adhoc") {
+		let cmd = ["iw", "dev", ifname, "ibss", "join", wdev.ssid, wdev.freq, wdev.htmode, "fixed-freq" ];
+		if (wdev.bssid)
+			push(cmd, wdev.bssid);
+		for (let key in [ "beacon-interval", "basic-rates", "mcast-rate", "keys" ])
+			if (wdev[key])
+				push(cmd, key, wdev[key]);
+		system(cmd);
+	} else if (wdev.mode == "mesh") {
+		let cmd = [ "iw", "dev", ifname, "mesh", "join", wdev.ssid, "freq", wdev.freq, wdev.htmode ];
+		for (let key in [ "mcast-rate", "beacon-interval" ])
+			if (wdev[key])
+				push(cmd, key, wdev[key]);
+		system(cmd);
+
+		cmd = ["iw", "dev", ifname, "set", "mesh_param" ];
+		let len = length(cmd);
+
+		for (let param in mesh_params)
+			if (wdev[param])
+				push(cmd, param, wdev[param]);
+
+		if (len == length(cmd))
+			return;
+
+		system(cmd);
+	}
+
+}
+
+function iface_cb(new_if, old_if)
+{
+	if (old_if && new_if && is_equal(old_if, new_if))
+		return;
+
+	if (old_if)
+		iface_stop(old_if);
+	if (new_if)
+		iface_start(new_if);
+}
+
+function drop_inactive(config)
+{
+	for (let key in config) {
+		if (!readfile(`/sys/class/net/${key}/ifindex`))
+			delete config[key];
+	}
+}
+
+function add_ifname(config)
+{
+	for (let key in config)
+		config[key].ifname = key;
+}
+
+function delete_ifname(config)
+{
+	for (let key in config)
+		delete config[key].ifname;
+}
+
+function add_existing(phy, config)
+{
+	let wdevs = glob(`/sys/class/ieee80211/${phy}/device/net/*`);
+	wdevs = map(wdevs, (arg) => basename(arg));
+	for (let wdev in wdevs) {
+		if (config[wdev])
+			continue;
+
+		if (basename(readlink(`/sys/class/net/${wdev}/phy80211`)) != phy)
+			continue;
+
+		if (trim(readfile(`/sys/class/net/${wdev}/operstate`)) == "down")
+			config[wdev] = {};
+	}
+}
+
+function usage()
+{
+	warn(`Usage: ${basename(sourcepath())} <phy> <command> [<arguments>]
+
+Commands:
+	set_config <config> [<device]...] - set phy configuration
+	get_macaddr <id>		  - get phy MAC address for vif index <id>
+`);
+	exit(1);
+}
+
+const commands = {
+	set_config: function(args) {
+		let statefile = `/var/run/wdev-${phy}.json`;
+
+		let new_config = shift(args);
+		for (let dev in ARGV)
+			keep_devices[dev] = true;
+
+		if (!new_config)
+			usage();
+
+		new_config = json(new_config);
+		if (!new_config) {
+			warn("Invalid configuration\n");
+			exit(1);
+		}
+
+		let old_config = readfile(statefile);
+		if (old_config)
+			old_config = json(old_config);
+
+		let config = vlist_new(iface_cb);
+		if (type(old_config) == "object")
+			config.data = old_config;
+
+		add_existing(phy, config.data);
+		add_ifname(config.data);
+		drop_inactive(config.data);
+
+		let ubus = libubus.connect();
+		let data = ubus.call("hostapd", "config_get_macaddr_list", { phy: phy });
+		let macaddr_list = [];
+		if (type(data) == "object" && data.macaddr)
+			macaddr_list = data.macaddr;
+		ubus.disconnect();
+		phydev.macaddr_init(macaddr_list);
+
+		add_ifname(new_config);
+		config.update(new_config);
+
+		drop_inactive(config.data);
+		delete_ifname(config.data);
+		writefile(statefile, sprintf("%J", config.data));
+	},
+	get_macaddr: function(args) {
+		let data = {};
+
+		for (let arg in args) {
+			arg = split(arg, "=", 2);
+			data[arg[0]] = arg[1];
+		}
+
+		let macaddr = phydev.macaddr_generate(data);
+		if (!macaddr) {
+			warn(`Could not get MAC address for phy ${phy}\n`);
+			exit(1);
+		}
+
+		print(macaddr + "\n");
+	},
+};
+
+if (!phy || !command | !commands[command])
+	usage();
+
+phydev = phy_open(phy);
+if (!phydev) {
+	warn(`PHY ${phy} does not exist\n`);
+	exit(1);
+}
+
+commands[command](ARGV);

feeds/hostapd/hostapd/files/wpa_supplicant-basic.config

@@ -0,0 +1,625 @@
+# Example wpa_supplicant build time configuration
+#
+# This file lists the configuration options that are used when building the
+# wpa_supplicant binary. All lines starting with # are ignored. Configuration
+# option lines must be commented out complete, if they are not to be included,
+# i.e., just setting VARIABLE=n is not disabling that variable.
+#
+# This file is included in Makefile, so variables like CFLAGS and LIBS can also
+# be modified from here. In most cases, these lines should use += in order not
+# to override previous values of the variables.
+
+
+# Uncomment following two lines and fix the paths if you have installed OpenSSL
+# or GnuTLS in non-default location
+#CFLAGS += -I/usr/local/openssl/include
+#LIBS += -L/usr/local/openssl/lib
+
+# Some Red Hat versions seem to include kerberos header files from OpenSSL, but
+# the kerberos files are not in the default include path. Following line can be
+# used to fix build issues on such systems (krb5.h not found).
+#CFLAGS += -I/usr/include/kerberos
+
+# Driver interface for generic Linux wireless extensions
+# Note: WEXT is deprecated in the current Linux kernel version and no new
+# functionality is added to it. nl80211-based interface is the new
+# replacement for WEXT and its use allows wpa_supplicant to properly control
+# the driver to improve existing functionality like roaming and to support new
+# functionality.
+#CONFIG_DRIVER_WEXT=y
+
+# Driver interface for Linux drivers using the nl80211 kernel interface
+CONFIG_DRIVER_NL80211=y
+
+# QCA vendor extensions to nl80211
+#CONFIG_DRIVER_NL80211_QCA=y
+
+# driver_nl80211.c requires libnl. If you are compiling it yourself
+# you may need to point hostapd to your version of libnl.
+#
+#CFLAGS += -I$<path to libnl include files>
+#LIBS += -L$<path to libnl library files>
+
+# Use libnl v2.0 (or 3.0) libraries.
+#CONFIG_LIBNL20=y
+
+# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
+#CONFIG_LIBNL32=y
+
+
+# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
+#CONFIG_DRIVER_BSD=y
+#CFLAGS += -I/usr/local/include
+#LIBS += -L/usr/local/lib
+#LIBS_p += -L/usr/local/lib
+#LIBS_c += -L/usr/local/lib
+
+# Driver interface for Windows NDIS
+#CONFIG_DRIVER_NDIS=y
+#CFLAGS += -I/usr/include/w32api/ddk
+#LIBS += -L/usr/local/lib
+# For native build using mingw
+#CONFIG_NATIVE_WINDOWS=y
+# Additional directories for cross-compilation on Linux host for mingw target
+#CFLAGS += -I/opt/mingw/mingw32/include/ddk
+#LIBS += -L/opt/mingw/mingw32/lib
+#CC=mingw32-gcc
+# By default, driver_ndis uses WinPcap for low-level operations. This can be
+# replaced with the following option which replaces WinPcap calls with NDISUIO.
+# However, this requires that WZC is disabled (net stop wzcsvc) before starting
+# wpa_supplicant.
+# CONFIG_USE_NDISUIO=y
+
+# Driver interface for wired Ethernet drivers
+CONFIG_DRIVER_WIRED=y
+
+# Driver interface for MACsec capable Qualcomm Atheros drivers
+#CONFIG_DRIVER_MACSEC_QCA=y
+
+# Driver interface for Linux MACsec drivers
+#CONFIG_DRIVER_MACSEC_LINUX=y
+
+# Driver interface for the Broadcom RoboSwitch family
+#CONFIG_DRIVER_ROBOSWITCH=y
+
+# Driver interface for no driver (e.g., WPS ER only)
+#CONFIG_DRIVER_NONE=y
+
+# Solaris libraries
+#LIBS += -lsocket -ldlpi -lnsl
+#LIBS_c += -lsocket
+
+# Enable IEEE 802.1X Supplicant (automatically included if any EAP method or
+# MACsec is included)
+#CONFIG_IEEE8021X_EAPOL=y
+
+# EAP-MD5
+#CONFIG_EAP_MD5=y
+
+# EAP-MSCHAPv2
+#CONFIG_EAP_MSCHAPV2=y
+
+# EAP-TLS
+#CONFIG_EAP_TLS=y
+
+# EAL-PEAP
+#CONFIG_EAP_PEAP=y
+
+# EAP-TTLS
+#CONFIG_EAP_TTLS=y
+
+# EAP-FAST
+#CONFIG_EAP_FAST=y
+
+# EAP-TEAP
+# Note: The current EAP-TEAP implementation is experimental and should not be
+# enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
+# of conflicting statements and missing details and the implementation has
+# vendor specific workarounds for those and as such, may not interoperate with
+# any other implementation. This should not be used for anything else than
+# experimentation and interoperability testing until those issues has been
+# resolved.
+#CONFIG_EAP_TEAP=y
+
+# EAP-GTC
+#CONFIG_EAP_GTC=y
+
+# EAP-OTP
+#CONFIG_EAP_OTP=y
+
+# EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
+#CONFIG_EAP_SIM=y
+
+# Enable SIM simulator (Milenage) for EAP-SIM
+#CONFIG_SIM_SIMULATOR=y
+
+# EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
+#CONFIG_EAP_PSK=y
+
+# EAP-pwd (secure authentication using only a password)
+#CONFIG_EAP_PWD=y
+
+# EAP-PAX
+#CONFIG_EAP_PAX=y
+
+# LEAP
+#CONFIG_EAP_LEAP=y
+
+# EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
+#CONFIG_EAP_AKA=y
+
+# EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used).
+# This requires CONFIG_EAP_AKA to be enabled, too.
+#CONFIG_EAP_AKA_PRIME=y
+
+# Enable USIM simulator (Milenage) for EAP-AKA
+#CONFIG_USIM_SIMULATOR=y
+
+# EAP-SAKE
+#CONFIG_EAP_SAKE=y
+
+# EAP-GPSK
+#CONFIG_EAP_GPSK=y
+# Include support for optional SHA256 cipher suite in EAP-GPSK
+#CONFIG_EAP_GPSK_SHA256=y
+
+# EAP-TNC and related Trusted Network Connect support (experimental)
+#CONFIG_EAP_TNC=y
+
+# Wi-Fi Protected Setup (WPS)
+#CONFIG_WPS=y
+# Enable WPS external registrar functionality
+#CONFIG_WPS_ER=y
+# Disable credentials for an open network by default when acting as a WPS
+# registrar.
+#CONFIG_WPS_REG_DISABLE_OPEN=y
+# Enable WPS support with NFC config method
+#CONFIG_WPS_NFC=y
+
+# EAP-IKEv2
+#CONFIG_EAP_IKEV2=y
+
+# EAP-EKE
+#CONFIG_EAP_EKE=y
+
+# MACsec
+#CONFIG_MACSEC=y
+
+# PKCS#12 (PFX) support (used to read private key and certificate file from
+# a file that usually has extension .p12 or .pfx)
+#CONFIG_PKCS12=y
+
+# Smartcard support (i.e., private key on a smartcard), e.g., with openssl
+# engine.
+#CONFIG_SMARTCARD=y
+
+# PC/SC interface for smartcards (USIM, GSM SIM)
+# Enable this if EAP-SIM or EAP-AKA is included
+#CONFIG_PCSC=y
+
+# Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
+CONFIG_HT_OVERRIDES=y
+
+# Support VHT overrides (disable VHT, mask MCS rates, etc.)
+CONFIG_VHT_OVERRIDES=y
+
+# Development testing
+#CONFIG_EAPOL_TEST=y
+
+# Select control interface backend for external programs, e.g, wpa_cli:
+# unix = UNIX domain sockets (default for Linux/*BSD)
+# udp = UDP sockets using localhost (127.0.0.1)
+# udp6 = UDP IPv6 sockets using localhost (::1)
+# named_pipe = Windows Named Pipe (default for Windows)
+# udp-remote = UDP sockets with remote access (only for tests systems/purpose)
+# udp6-remote = UDP IPv6 sockets with remote access (only for tests purpose)
+# y = use default (backwards compatibility)
+# If this option is commented out, control interface is not included in the
+# build.
+CONFIG_CTRL_IFACE=y
+
+# Include support for GNU Readline and History Libraries in wpa_cli.
+# When building a wpa_cli binary for distribution, please note that these
+# libraries are licensed under GPL and as such, BSD license may not apply for
+# the resulting binary.
+#CONFIG_READLINE=y
+
+# Include internal line edit mode in wpa_cli. This can be used as a replacement
+# for GNU Readline to provide limited command line editing and history support.
+#CONFIG_WPA_CLI_EDIT=y
+
+# Remove debugging code that is printing out debug message to stdout.
+# This can be used to reduce the size of the wpa_supplicant considerably
+# if debugging code is not needed. The size reduction can be around 35%
+# (e.g., 90 kB).
+#CONFIG_NO_STDOUT_DEBUG=y
+
+# Remove WPA support, e.g., for wired-only IEEE 802.1X supplicant, to save
+# 35-50 kB in code size.
+#CONFIG_NO_WPA=y
+
+# Remove IEEE 802.11i/WPA-Personal ASCII passphrase support
+# This option can be used to reduce code size by removing support for
+# converting ASCII passphrases into PSK. If this functionality is removed, the
+# PSK can only be configured as the 64-octet hexstring (e.g., from
+# wpa_passphrase). This saves about 0.5 kB in code size.
+#CONFIG_NO_WPA_PASSPHRASE=y
+
+# Simultaneous Authentication of Equals (SAE), WPA3-Personal
+#CONFIG_SAE=y
+
+# Disable scan result processing (ap_mode=1) to save code size by about 1 kB.
+# This can be used if ap_scan=1 mode is never enabled.
+#CONFIG_NO_SCAN_PROCESSING=y
+
+# Select configuration backend:
+# file = text file (e.g., wpa_supplicant.conf; note: the configuration file
+#	path is given on command line, not here; this option is just used to
+#	select the backend that allows configuration files to be used)
+# winreg = Windows registry (see win_example.reg for an example)
+CONFIG_BACKEND=file
+
+# Remove configuration write functionality (i.e., to allow the configuration
+# file to be updated based on runtime configuration changes). The runtime
+# configuration can still be changed, the changes are just not going to be
+# persistent over restarts. This option can be used to reduce code size by
+# about 3.5 kB.
+CONFIG_NO_CONFIG_WRITE=y
+
+# Remove support for configuration blobs to reduce code size by about 1.5 kB.
+#CONFIG_NO_CONFIG_BLOBS=y
+
+# Select program entry point implementation:
+# main = UNIX/POSIX like main() function (default)
+# main_winsvc = Windows service (read parameters from registry)
+# main_none = Very basic example (development use only)
+#CONFIG_MAIN=main
+
+# Select wrapper for operating system and C library specific functions
+# unix = UNIX/POSIX like systems (default)
+# win32 = Windows systems
+# none = Empty template
+#CONFIG_OS=unix
+
+# Select event loop implementation
+# eloop = select() loop (default)
+# eloop_win = Windows events and WaitForMultipleObject() loop
+#CONFIG_ELOOP=eloop
+
+# Should we use poll instead of select? Select is used by default.
+#CONFIG_ELOOP_POLL=y
+
+# Should we use epoll instead of select? Select is used by default.
+CONFIG_ELOOP_EPOLL=y
+
+# Should we use kqueue instead of select? Select is used by default.
+#CONFIG_ELOOP_KQUEUE=y
+
+# Select layer 2 packet implementation
+# linux = Linux packet socket (default)
+# pcap = libpcap/libdnet/WinPcap
+# freebsd = FreeBSD libpcap
+# winpcap = WinPcap with receive thread
+# ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y)
+# none = Empty template
+#CONFIG_L2_PACKET=linux
+
+# Disable Linux packet socket workaround applicable for station interface
+# in a bridge for EAPOL frames. This should be uncommented only if the kernel
+# is known to not have the regression issue in packet socket behavior with
+# bridge interfaces (commit 'bridge: respect RFC2863 operational state')').
+CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
+
+# IEEE 802.11w (management frame protection), also known as PMF
+# Driver support is also needed for IEEE 802.11w.
+#CONFIG_IEEE80211W=y
+
+# Support Operating Channel Validation
+CONFIG_OCV=y
+
+# Select TLS implementation
+# openssl = OpenSSL (default)
+# gnutls = GnuTLS
+# internal = Internal TLSv1 implementation (experimental)
+# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
+# none = Empty template
+CONFIG_TLS=internal
+
+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
+# can be enabled to get a stronger construction of messages when block ciphers
+# are used. It should be noted that some existing TLS v1.0 -based
+# implementation may not be compatible with TLS v1.1 message (ClientHello is
+# sent prior to negotiating which version will be used)
+#CONFIG_TLSV11=y
+
+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
+# can be enabled to enable use of stronger crypto algorithms. It should be
+# noted that some existing TLS v1.0 -based implementation may not be compatible
+# with TLS v1.2 message (ClientHello is sent prior to negotiating which version
+# will be used)
+#CONFIG_TLSV12=y
+
+# Select which ciphers to use by default with OpenSSL if the user does not
+# specify them.
+#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
+
+# If CONFIG_TLS=internal is used, additional library and include paths are
+# needed for LibTomMath. Alternatively, an integrated, minimal version of
+# LibTomMath can be used. See beginning of libtommath.c for details on benefits
+# and drawbacks of this option.
+#CONFIG_INTERNAL_LIBTOMMATH=y
+#ifndef CONFIG_INTERNAL_LIBTOMMATH
+#LTM_PATH=/usr/src/libtommath-0.39
+#CFLAGS += -I$(LTM_PATH)
+#LIBS += -L$(LTM_PATH)
+#LIBS_p += -L$(LTM_PATH)
+#endif
+# At the cost of about 4 kB of additional binary size, the internal LibTomMath
+# can be configured to include faster routines for exptmod, sqr, and div to
+# speed up DH and RSA calculation considerably
+#CONFIG_INTERNAL_LIBTOMMATH_FAST=y
+
+# Include NDIS event processing through WMI into wpa_supplicant/wpasvc.
+# This is only for Windows builds and requires WMI-related header files and
+# WbemUuid.Lib from Platform SDK even when building with MinGW.
+#CONFIG_NDIS_EVENTS_INTEGRATED=y
+#PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
+
+# Add support for new DBus control interface
+# (fi.w1.hostap.wpa_supplicant1)
+#CONFIG_CTRL_IFACE_DBUS_NEW=y
+
+# Add introspection support for new DBus control interface
+#CONFIG_CTRL_IFACE_DBUS_INTRO=y
+
+# Add support for loading EAP methods dynamically as shared libraries.
+# When this option is enabled, each EAP method can be either included
+# statically (CONFIG_EAP_<method>=y) or dynamically (CONFIG_EAP_<method>=dyn).
+# Dynamic EAP methods are build as shared objects (eap_*.so) and they need to
+# be loaded in the beginning of the wpa_supplicant configuration file
+# (see load_dynamic_eap parameter in the example file) before being used in
+# the network blocks.
+#
+# Note that some shared parts of EAP methods are included in the main program
+# and in order to be able to use dynamic EAP methods using these parts, the
+# main program must have been build with the EAP method enabled (=y or =dyn).
+# This means that EAP-TLS/PEAP/TTLS/FAST cannot be added as dynamic libraries
+# unless at least one of them was included in the main build to force inclusion
+# of the shared code. Similarly, at least one of EAP-SIM/AKA must be included
+# in the main build to be able to load these methods dynamically.
+#
+# Please also note that using dynamic libraries will increase the total binary
+# size. Thus, it may not be the best option for targets that have limited
+# amount of memory/flash.
+#CONFIG_DYNAMIC_EAP_METHODS=y
+
+# IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
+CONFIG_IEEE80211R=y
+
+# Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
+#CONFIG_DEBUG_FILE=y
+
+# Send debug messages to syslog instead of stdout
+CONFIG_DEBUG_SYSLOG=y
+# Set syslog facility for debug messages
+CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
+
+# Add support for sending all debug messages (regardless of debug verbosity)
+# to the Linux kernel tracing facility. This helps debug the entire stack by
+# making it easy to record everything happening from the driver up into the
+# same file, e.g., using trace-cmd.
+#CONFIG_DEBUG_LINUX_TRACING=y
+
+# Add support for writing debug log to Android logcat instead of standard
+# output
+#CONFIG_ANDROID_LOG=y
+
+# Enable privilege separation (see README 'Privilege separation' for details)
+#CONFIG_PRIVSEP=y
+
+# Enable mitigation against certain attacks against TKIP by delaying Michael
+# MIC error reports by a random amount of time between 0 and 60 seconds
+#CONFIG_DELAYED_MIC_ERROR_REPORT=y
+
+# Enable tracing code for developer debugging
+# This tracks use of memory allocations and other registrations and reports
+# incorrect use with a backtrace of call (or allocation) location.
+#CONFIG_WPA_TRACE=y
+# For BSD, uncomment these.
+#LIBS += -lexecinfo
+#LIBS_p += -lexecinfo
+#LIBS_c += -lexecinfo
+
+# Use libbfd to get more details for developer debugging
+# This enables use of libbfd to get more detailed symbols for the backtraces
+# generated by CONFIG_WPA_TRACE=y.
+#CONFIG_WPA_TRACE_BFD=y
+# For BSD, uncomment these.
+#LIBS += -lbfd -liberty -lz
+#LIBS_p += -lbfd -liberty -lz
+#LIBS_c += -lbfd -liberty -lz
+
+# wpa_supplicant depends on strong random number generation being available
+# from the operating system. os_get_random() function is used to fetch random
+# data when needed, e.g., for key generation. On Linux and BSD systems, this
+# works by reading /dev/urandom. It should be noted that the OS entropy pool
+# needs to be properly initialized before wpa_supplicant is started. This is
+# important especially on embedded devices that do not have a hardware random
+# number generator and may by default start up with minimal entropy available
+# for random number generation.
+#
+# As a safety net, wpa_supplicant is by default trying to internally collect
+# additional entropy for generating random data to mix in with the data fetched
+# from the OS. This by itself is not considered to be very strong, but it may
+# help in cases where the system pool is not initialized properly. However, it
+# is very strongly recommended that the system pool is initialized with enough
+# entropy either by using hardware assisted random number generator or by
+# storing state over device reboots.
+#
+# wpa_supplicant can be configured to maintain its own entropy store over
+# restarts to enhance random number generation. This is not perfect, but it is
+# much more secure than using the same sequence of random numbers after every
+# reboot. This can be enabled with -e<entropy file> command line option. The
+# specified file needs to be readable and writable by wpa_supplicant.
+#
+# If the os_get_random() is known to provide strong random data (e.g., on
+# Linux/BSD, the board in question is known to have reliable source of random
+# data from /dev/urandom), the internal wpa_supplicant random pool can be
+# disabled. This will save some in binary size and CPU use. However, this
+# should only be considered for builds that are known to be used on devices
+# that meet the requirements described above.
+CONFIG_NO_RANDOM_POOL=y
+
+# Should we attempt to use the getrandom(2) call that provides more reliable
+# yet secure randomness source than /dev/random on Linux 3.17 and newer.
+# Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
+CONFIG_GETRANDOM=y
+
+# IEEE 802.11n (High Throughput) support (mainly for AP mode)
+#CONFIG_IEEE80211N=y
+
+# IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
+# (depends on CONFIG_IEEE80211N)
+#CONFIG_IEEE80211AC=y
+
+# Wireless Network Management (IEEE Std 802.11v-2011)
+# Note: This is experimental and not complete implementation.
+#CONFIG_WNM=y
+
+# Interworking (IEEE 802.11u)
+# This can be used to enable functionality to improve interworking with
+# external networks (GAS/ANQP to learn more about the networks and network
+# selection based on available credentials).
+#CONFIG_INTERWORKING=y
+
+# Hotspot 2.0
+#CONFIG_HS20=y
+
+# Enable interface matching in wpa_supplicant
+#CONFIG_MATCH_IFACE=y
+
+# Disable roaming in wpa_supplicant
+#CONFIG_NO_ROAMING=y
+
+# AP mode operations with wpa_supplicant
+# This can be used for controlling AP mode operations with wpa_supplicant. It
+# should be noted that this is mainly aimed at simple cases like
+# WPA2-Personal while more complex configurations like WPA2-Enterprise with an
+# external RADIUS server can be supported with hostapd.
+#CONFIG_AP=y
+
+# P2P (Wi-Fi Direct)
+# This can be used to enable P2P support in wpa_supplicant. See README-P2P for
+# more information on P2P operations.
+#CONFIG_P2P=y
+
+# Enable TDLS support
+#CONFIG_TDLS=y
+
+# Wi-Fi Display
+# This can be used to enable Wi-Fi Display extensions for P2P using an external
+# program to control the additional information exchanges in the messages.
+#CONFIG_WIFI_DISPLAY=y
+
+# Autoscan
+# This can be used to enable automatic scan support in wpa_supplicant.
+# See wpa_supplicant.conf for more information on autoscan usage.
+#
+# Enabling directly a module will enable autoscan support.
+# For exponential module:
+#CONFIG_AUTOSCAN_EXPONENTIAL=y
+# For periodic module:
+#CONFIG_AUTOSCAN_PERIODIC=y
+
+# Password (and passphrase, etc.) backend for external storage
+# These optional mechanisms can be used to add support for storing passwords
+# and other secrets in external (to wpa_supplicant) location. This allows, for
+# example, operating system specific key storage to be used
+#
+# External password backend for testing purposes (developer use)
+#CONFIG_EXT_PASSWORD_TEST=y
+
+# Enable Fast Session Transfer (FST)
+#CONFIG_FST=y
+
+# Enable CLI commands for FST testing
+#CONFIG_FST_TEST=y
+
+# OS X builds. This is only for building eapol_test.
+#CONFIG_OSX=y
+
+# Automatic Channel Selection
+# This will allow wpa_supplicant to pick the channel automatically when channel
+# is set to "0".
+#
+# TODO: Extend parser to be able to parse "channel=acs_survey" as an alternative
+# to "channel=0". This would enable us to eventually add other ACS algorithms in
+# similar way.
+#
+# Automatic selection is currently only done through initialization, later on
+# we hope to do background checks to keep us moving to more ideal channels as
+# time goes by. ACS is currently only supported through the nl80211 driver and
+# your driver must have survey dump capability that is filled by the driver
+# during scanning.
+#
+# TODO: In analogy to hostapd be able to customize the ACS survey algorithm with
+# a newly to create wpa_supplicant.conf variable acs_num_scans.
+#
+# Supported ACS drivers:
+# * ath9k
+# * ath5k
+# * ath10k
+#
+# For more details refer to:
+# http://wireless.kernel.org/en/users/Documentation/acs
+#CONFIG_ACS=y
+
+# Support Multi Band Operation
+#CONFIG_MBO=y
+
+# Fast Initial Link Setup (FILS) (IEEE 802.11ai)
+#CONFIG_FILS=y
+# FILS shared key authentication with PFS
+#CONFIG_FILS_SK_PFS=y
+
+# Support RSN on IBSS networks
+# This is needed to be able to use mode=1 network profile with proto=RSN and
+# key_mgmt=WPA-PSK (i.e., full key management instead of WPA-None).
+#CONFIG_IBSS_RSN=y
+
+# External PMKSA cache control
+# This can be used to enable control interface commands that allow the current
+# PMKSA cache entries to be fetched and new entries to be added.
+#CONFIG_PMKSA_CACHE_EXTERNAL=y
+
+# Mesh Networking (IEEE 802.11s)
+#CONFIG_MESH=y
+
+# Background scanning modules
+# These can be used to request wpa_supplicant to perform background scanning
+# operations for roaming within an ESS (same SSID). See the bgscan parameter in
+# the wpa_supplicant.conf file for more details.
+# Periodic background scans based on signal strength
+#CONFIG_BGSCAN_SIMPLE=y
+# Learn channels used by the network and try to avoid bgscans on other
+# channels (experimental)
+#CONFIG_BGSCAN_LEARN=y
+
+# Opportunistic Wireless Encryption (OWE)
+# Experimental implementation of draft-harkins-owe-07.txt
+#CONFIG_OWE=y
+
+# Device Provisioning Protocol (DPP)
+# This requires CONFIG_IEEE80211W=y to be enabled, too. (see
+# wpa_supplicant/README-DPP for details)
+#CONFIG_DPP=y
+
+# uBus IPC/RPC System
+# Services can connect to the bus and provide methods
+# that can be called by other services or clients.
+CONFIG_UBUS=y
+
+# OpenWrt patch 380-disable-ctrl-iface-mib.patch
+# leads to the MIB only being compiled in if
+# CONFIG_CTRL_IFACE_MIB is enabled.
+#CONFIG_CTRL_IFACE_MIB=y

feeds/hostapd/hostapd/files/wpa_supplicant-full.config

@@ -0,0 +1,625 @@
+# Example wpa_supplicant build time configuration
+#
+# This file lists the configuration options that are used when building the
+# wpa_supplicant binary. All lines starting with # are ignored. Configuration
+# option lines must be commented out complete, if they are not to be included,
+# i.e., just setting VARIABLE=n is not disabling that variable.
+#
+# This file is included in Makefile, so variables like CFLAGS and LIBS can also
+# be modified from here. In most cases, these lines should use += in order not
+# to override previous values of the variables.
+
+
+# Uncomment following two lines and fix the paths if you have installed OpenSSL
+# or GnuTLS in non-default location
+#CFLAGS += -I/usr/local/openssl/include
+#LIBS += -L/usr/local/openssl/lib
+
+# Some Red Hat versions seem to include kerberos header files from OpenSSL, but
+# the kerberos files are not in the default include path. Following line can be
+# used to fix build issues on such systems (krb5.h not found).
+#CFLAGS += -I/usr/include/kerberos
+
+# Driver interface for generic Linux wireless extensions
+# Note: WEXT is deprecated in the current Linux kernel version and no new
+# functionality is added to it. nl80211-based interface is the new
+# replacement for WEXT and its use allows wpa_supplicant to properly control
+# the driver to improve existing functionality like roaming and to support new
+# functionality.
+#CONFIG_DRIVER_WEXT=y
+
+# Driver interface for Linux drivers using the nl80211 kernel interface
+CONFIG_DRIVER_NL80211=y
+
+# QCA vendor extensions to nl80211
+#CONFIG_DRIVER_NL80211_QCA=y
+
+# driver_nl80211.c requires libnl. If you are compiling it yourself
+# you may need to point hostapd to your version of libnl.
+#
+#CFLAGS += -I$<path to libnl include files>
+#LIBS += -L$<path to libnl library files>
+
+# Use libnl v2.0 (or 3.0) libraries.
+#CONFIG_LIBNL20=y
+
+# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
+#CONFIG_LIBNL32=y
+
+
+# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
+#CONFIG_DRIVER_BSD=y
+#CFLAGS += -I/usr/local/include
+#LIBS += -L/usr/local/lib
+#LIBS_p += -L/usr/local/lib
+#LIBS_c += -L/usr/local/lib
+
+# Driver interface for Windows NDIS
+#CONFIG_DRIVER_NDIS=y
+#CFLAGS += -I/usr/include/w32api/ddk
+#LIBS += -L/usr/local/lib
+# For native build using mingw
+#CONFIG_NATIVE_WINDOWS=y
+# Additional directories for cross-compilation on Linux host for mingw target
+#CFLAGS += -I/opt/mingw/mingw32/include/ddk
+#LIBS += -L/opt/mingw/mingw32/lib
+#CC=mingw32-gcc
+# By default, driver_ndis uses WinPcap for low-level operations. This can be
+# replaced with the following option which replaces WinPcap calls with NDISUIO.
+# However, this requires that WZC is disabled (net stop wzcsvc) before starting
+# wpa_supplicant.
+# CONFIG_USE_NDISUIO=y
+
+# Driver interface for wired Ethernet drivers
+CONFIG_DRIVER_WIRED=y
+
+# Driver interface for MACsec capable Qualcomm Atheros drivers
+#CONFIG_DRIVER_MACSEC_QCA=y
+
+# Driver interface for Linux MACsec drivers
+#CONFIG_DRIVER_MACSEC_LINUX=y
+
+# Driver interface for the Broadcom RoboSwitch family
+#CONFIG_DRIVER_ROBOSWITCH=y
+
+# Driver interface for no driver (e.g., WPS ER only)
+#CONFIG_DRIVER_NONE=y
+
+# Solaris libraries
+#LIBS += -lsocket -ldlpi -lnsl
+#LIBS_c += -lsocket
+
+# Enable IEEE 802.1X Supplicant (automatically included if any EAP method or
+# MACsec is included)
+CONFIG_IEEE8021X_EAPOL=y
+
+# EAP-MD5
+CONFIG_EAP_MD5=y
+
+# EAP-MSCHAPv2
+CONFIG_EAP_MSCHAPV2=y
+
+# EAP-TLS
+CONFIG_EAP_TLS=y
+
+# EAL-PEAP
+CONFIG_EAP_PEAP=y
+
+# EAP-TTLS
+CONFIG_EAP_TTLS=y
+
+# EAP-FAST
+CONFIG_EAP_FAST=y
+
+# EAP-TEAP
+# Note: The current EAP-TEAP implementation is experimental and should not be
+# enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
+# of conflicting statements and missing details and the implementation has
+# vendor specific workarounds for those and as such, may not interoperate with
+# any other implementation. This should not be used for anything else than
+# experimentation and interoperability testing until those issues has been
+# resolved.
+#CONFIG_EAP_TEAP=y
+
+# EAP-GTC
+CONFIG_EAP_GTC=y
+
+# EAP-OTP
+CONFIG_EAP_OTP=y
+
+# EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
+#CONFIG_EAP_SIM=y
+
+# Enable SIM simulator (Milenage) for EAP-SIM
+#CONFIG_SIM_SIMULATOR=y
+
+# EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
+#CONFIG_EAP_PSK=y
+
+# EAP-pwd (secure authentication using only a password)
+#CONFIG_EAP_PWD=y
+
+# EAP-PAX
+#CONFIG_EAP_PAX=y
+
+# LEAP
+CONFIG_EAP_LEAP=y
+
+# EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
+#CONFIG_EAP_AKA=y
+
+# EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used).
+# This requires CONFIG_EAP_AKA to be enabled, too.
+#CONFIG_EAP_AKA_PRIME=y
+
+# Enable USIM simulator (Milenage) for EAP-AKA
+#CONFIG_USIM_SIMULATOR=y
+
+# EAP-SAKE
+#CONFIG_EAP_SAKE=y
+
+# EAP-GPSK
+#CONFIG_EAP_GPSK=y
+# Include support for optional SHA256 cipher suite in EAP-GPSK
+#CONFIG_EAP_GPSK_SHA256=y
+
+# EAP-TNC and related Trusted Network Connect support (experimental)
+#CONFIG_EAP_TNC=y
+
+# Wi-Fi Protected Setup (WPS)
+CONFIG_WPS=y
+# Enable WPS external registrar functionality
+#CONFIG_WPS_ER=y
+# Disable credentials for an open network by default when acting as a WPS
+# registrar.
+#CONFIG_WPS_REG_DISABLE_OPEN=y
+# Enable WPS support with NFC config method
+#CONFIG_WPS_NFC=y
+
+# EAP-IKEv2
+#CONFIG_EAP_IKEV2=y
+
+# EAP-EKE
+#CONFIG_EAP_EKE=y
+
+# MACsec
+#CONFIG_MACSEC=y
+
+# PKCS#12 (PFX) support (used to read private key and certificate file from
+# a file that usually has extension .p12 or .pfx)
+CONFIG_PKCS12=y
+
+# Smartcard support (i.e., private key on a smartcard), e.g., with openssl
+# engine.
+CONFIG_SMARTCARD=y
+
+# PC/SC interface for smartcards (USIM, GSM SIM)
+# Enable this if EAP-SIM or EAP-AKA is included
+#CONFIG_PCSC=y
+
+# Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
+CONFIG_HT_OVERRIDES=y
+
+# Support VHT overrides (disable VHT, mask MCS rates, etc.)
+CONFIG_VHT_OVERRIDES=y
+
+# Development testing
+#CONFIG_EAPOL_TEST=y
+
+# Select control interface backend for external programs, e.g, wpa_cli:
+# unix = UNIX domain sockets (default for Linux/*BSD)
+# udp = UDP sockets using localhost (127.0.0.1)
+# udp6 = UDP IPv6 sockets using localhost (::1)
+# named_pipe = Windows Named Pipe (default for Windows)
+# udp-remote = UDP sockets with remote access (only for tests systems/purpose)
+# udp6-remote = UDP IPv6 sockets with remote access (only for tests purpose)
+# y = use default (backwards compatibility)
+# If this option is commented out, control interface is not included in the
+# build.
+CONFIG_CTRL_IFACE=y
+
+# Include support for GNU Readline and History Libraries in wpa_cli.
+# When building a wpa_cli binary for distribution, please note that these
+# libraries are licensed under GPL and as such, BSD license may not apply for
+# the resulting binary.
+#CONFIG_READLINE=y
+
+# Include internal line edit mode in wpa_cli. This can be used as a replacement
+# for GNU Readline to provide limited command line editing and history support.
+#CONFIG_WPA_CLI_EDIT=y
+
+# Remove debugging code that is printing out debug message to stdout.
+# This can be used to reduce the size of the wpa_supplicant considerably
+# if debugging code is not needed. The size reduction can be around 35%
+# (e.g., 90 kB).
+#CONFIG_NO_STDOUT_DEBUG=y
+
+# Remove WPA support, e.g., for wired-only IEEE 802.1X supplicant, to save
+# 35-50 kB in code size.
+#CONFIG_NO_WPA=y
+
+# Remove IEEE 802.11i/WPA-Personal ASCII passphrase support
+# This option can be used to reduce code size by removing support for
+# converting ASCII passphrases into PSK. If this functionality is removed, the
+# PSK can only be configured as the 64-octet hexstring (e.g., from
+# wpa_passphrase). This saves about 0.5 kB in code size.
+#CONFIG_NO_WPA_PASSPHRASE=y
+
+# Simultaneous Authentication of Equals (SAE), WPA3-Personal
+#CONFIG_SAE=y
+
+# Disable scan result processing (ap_mode=1) to save code size by about 1 kB.
+# This can be used if ap_scan=1 mode is never enabled.
+#CONFIG_NO_SCAN_PROCESSING=y
+
+# Select configuration backend:
+# file = text file (e.g., wpa_supplicant.conf; note: the configuration file
+#	path is given on command line, not here; this option is just used to
+#	select the backend that allows configuration files to be used)
+# winreg = Windows registry (see win_example.reg for an example)
+CONFIG_BACKEND=file
+
+# Remove configuration write functionality (i.e., to allow the configuration
+# file to be updated based on runtime configuration changes). The runtime
+# configuration can still be changed, the changes are just not going to be
+# persistent over restarts. This option can be used to reduce code size by
+# about 3.5 kB.
+#CONFIG_NO_CONFIG_WRITE=y
+
+# Remove support for configuration blobs to reduce code size by about 1.5 kB.
+#CONFIG_NO_CONFIG_BLOBS=y
+
+# Select program entry point implementation:
+# main = UNIX/POSIX like main() function (default)
+# main_winsvc = Windows service (read parameters from registry)
+# main_none = Very basic example (development use only)
+#CONFIG_MAIN=main
+
+# Select wrapper for operating system and C library specific functions
+# unix = UNIX/POSIX like systems (default)
+# win32 = Windows systems
+# none = Empty template
+#CONFIG_OS=unix
+
+# Select event loop implementation
+# eloop = select() loop (default)
+# eloop_win = Windows events and WaitForMultipleObject() loop
+#CONFIG_ELOOP=eloop
+
+# Should we use poll instead of select? Select is used by default.
+#CONFIG_ELOOP_POLL=y
+
+# Should we use epoll instead of select? Select is used by default.
+CONFIG_ELOOP_EPOLL=y
+
+# Should we use kqueue instead of select? Select is used by default.
+#CONFIG_ELOOP_KQUEUE=y
+
+# Select layer 2 packet implementation
+# linux = Linux packet socket (default)
+# pcap = libpcap/libdnet/WinPcap
+# freebsd = FreeBSD libpcap
+# winpcap = WinPcap with receive thread
+# ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y)
+# none = Empty template
+#CONFIG_L2_PACKET=linux
+
+# Disable Linux packet socket workaround applicable for station interface
+# in a bridge for EAPOL frames. This should be uncommented only if the kernel
+# is known to not have the regression issue in packet socket behavior with
+# bridge interfaces (commit 'bridge: respect RFC2863 operational state')').
+CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
+
+# IEEE 802.11w (management frame protection), also known as PMF
+# Driver support is also needed for IEEE 802.11w.
+#CONFIG_IEEE80211W=y
+
+# Support Operating Channel Validation
+CONFIG_OCV=y
+
+# Select TLS implementation
+# openssl = OpenSSL (default)
+# gnutls = GnuTLS
+# internal = Internal TLSv1 implementation (experimental)
+# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
+# none = Empty template
+CONFIG_TLS=internal
+
+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
+# can be enabled to get a stronger construction of messages when block ciphers
+# are used. It should be noted that some existing TLS v1.0 -based
+# implementation may not be compatible with TLS v1.1 message (ClientHello is
+# sent prior to negotiating which version will be used)
+#CONFIG_TLSV11=y
+
+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
+# can be enabled to enable use of stronger crypto algorithms. It should be
+# noted that some existing TLS v1.0 -based implementation may not be compatible
+# with TLS v1.2 message (ClientHello is sent prior to negotiating which version
+# will be used)
+#CONFIG_TLSV12=y
+
+# Select which ciphers to use by default with OpenSSL if the user does not
+# specify them.
+#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
+
+# If CONFIG_TLS=internal is used, additional library and include paths are
+# needed for LibTomMath. Alternatively, an integrated, minimal version of
+# LibTomMath can be used. See beginning of libtommath.c for details on benefits
+# and drawbacks of this option.
+CONFIG_INTERNAL_LIBTOMMATH=y
+#ifndef CONFIG_INTERNAL_LIBTOMMATH
+#LTM_PATH=/usr/src/libtommath-0.39
+#CFLAGS += -I$(LTM_PATH)
+#LIBS += -L$(LTM_PATH)
+#LIBS_p += -L$(LTM_PATH)
+#endif
+# At the cost of about 4 kB of additional binary size, the internal LibTomMath
+# can be configured to include faster routines for exptmod, sqr, and div to
+# speed up DH and RSA calculation considerably
+CONFIG_INTERNAL_LIBTOMMATH_FAST=y
+
+# Include NDIS event processing through WMI into wpa_supplicant/wpasvc.
+# This is only for Windows builds and requires WMI-related header files and
+# WbemUuid.Lib from Platform SDK even when building with MinGW.
+#CONFIG_NDIS_EVENTS_INTEGRATED=y
+#PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
+
+# Add support for new DBus control interface
+# (fi.w1.hostap.wpa_supplicant1)
+#CONFIG_CTRL_IFACE_DBUS_NEW=y
+
+# Add introspection support for new DBus control interface
+#CONFIG_CTRL_IFACE_DBUS_INTRO=y
+
+# Add support for loading EAP methods dynamically as shared libraries.
+# When this option is enabled, each EAP method can be either included
+# statically (CONFIG_EAP_<method>=y) or dynamically (CONFIG_EAP_<method>=dyn).
+# Dynamic EAP methods are build as shared objects (eap_*.so) and they need to
+# be loaded in the beginning of the wpa_supplicant configuration file
+# (see load_dynamic_eap parameter in the example file) before being used in
+# the network blocks.
+#
+# Note that some shared parts of EAP methods are included in the main program
+# and in order to be able to use dynamic EAP methods using these parts, the
+# main program must have been build with the EAP method enabled (=y or =dyn).
+# This means that EAP-TLS/PEAP/TTLS/FAST cannot be added as dynamic libraries
+# unless at least one of them was included in the main build to force inclusion
+# of the shared code. Similarly, at least one of EAP-SIM/AKA must be included
+# in the main build to be able to load these methods dynamically.
+#
+# Please also note that using dynamic libraries will increase the total binary
+# size. Thus, it may not be the best option for targets that have limited
+# amount of memory/flash.
+#CONFIG_DYNAMIC_EAP_METHODS=y
+
+# IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
+CONFIG_IEEE80211R=y
+
+# Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
+#CONFIG_DEBUG_FILE=y
+
+# Send debug messages to syslog instead of stdout
+CONFIG_DEBUG_SYSLOG=y
+# Set syslog facility for debug messages
+CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
+
+# Add support for sending all debug messages (regardless of debug verbosity)
+# to the Linux kernel tracing facility. This helps debug the entire stack by
+# making it easy to record everything happening from the driver up into the
+# same file, e.g., using trace-cmd.
+#CONFIG_DEBUG_LINUX_TRACING=y
+
+# Add support for writing debug log to Android logcat instead of standard
+# output
+#CONFIG_ANDROID_LOG=y
+
+# Enable privilege separation (see README 'Privilege separation' for details)
+#CONFIG_PRIVSEP=y
+
+# Enable mitigation against certain attacks against TKIP by delaying Michael
+# MIC error reports by a random amount of time between 0 and 60 seconds
+#CONFIG_DELAYED_MIC_ERROR_REPORT=y
+
+# Enable tracing code for developer debugging
+# This tracks use of memory allocations and other registrations and reports
+# incorrect use with a backtrace of call (or allocation) location.
+#CONFIG_WPA_TRACE=y
+# For BSD, uncomment these.
+#LIBS += -lexecinfo
+#LIBS_p += -lexecinfo
+#LIBS_c += -lexecinfo
+
+# Use libbfd to get more details for developer debugging
+# This enables use of libbfd to get more detailed symbols for the backtraces
+# generated by CONFIG_WPA_TRACE=y.
+#CONFIG_WPA_TRACE_BFD=y
+# For BSD, uncomment these.
+#LIBS += -lbfd -liberty -lz
+#LIBS_p += -lbfd -liberty -lz
+#LIBS_c += -lbfd -liberty -lz
+
+# wpa_supplicant depends on strong random number generation being available
+# from the operating system. os_get_random() function is used to fetch random
+# data when needed, e.g., for key generation. On Linux and BSD systems, this
+# works by reading /dev/urandom. It should be noted that the OS entropy pool
+# needs to be properly initialized before wpa_supplicant is started. This is
+# important especially on embedded devices that do not have a hardware random
+# number generator and may by default start up with minimal entropy available
+# for random number generation.
+#
+# As a safety net, wpa_supplicant is by default trying to internally collect
+# additional entropy for generating random data to mix in with the data fetched
+# from the OS. This by itself is not considered to be very strong, but it may
+# help in cases where the system pool is not initialized properly. However, it
+# is very strongly recommended that the system pool is initialized with enough
+# entropy either by using hardware assisted random number generator or by
+# storing state over device reboots.
+#
+# wpa_supplicant can be configured to maintain its own entropy store over
+# restarts to enhance random number generation. This is not perfect, but it is
+# much more secure than using the same sequence of random numbers after every
+# reboot. This can be enabled with -e<entropy file> command line option. The
+# specified file needs to be readable and writable by wpa_supplicant.
+#
+# If the os_get_random() is known to provide strong random data (e.g., on
+# Linux/BSD, the board in question is known to have reliable source of random
+# data from /dev/urandom), the internal wpa_supplicant random pool can be
+# disabled. This will save some in binary size and CPU use. However, this
+# should only be considered for builds that are known to be used on devices
+# that meet the requirements described above.
+CONFIG_NO_RANDOM_POOL=y
+
+# Should we attempt to use the getrandom(2) call that provides more reliable
+# yet secure randomness source than /dev/random on Linux 3.17 and newer.
+# Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
+CONFIG_GETRANDOM=y
+
+# IEEE 802.11n (High Throughput) support (mainly for AP mode)
+#CONFIG_IEEE80211N=y
+
+# IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
+# (depends on CONFIG_IEEE80211N)
+#CONFIG_IEEE80211AC=y
+
+# Wireless Network Management (IEEE Std 802.11v-2011)
+# Note: This is experimental and not complete implementation.
+CONFIG_WNM=y
+
+# Interworking (IEEE 802.11u)
+# This can be used to enable functionality to improve interworking with
+# external networks (GAS/ANQP to learn more about the networks and network
+# selection based on available credentials).
+CONFIG_INTERWORKING=y
+
+# Hotspot 2.0
+CONFIG_HS20=y
+
+# Enable interface matching in wpa_supplicant
+#CONFIG_MATCH_IFACE=y
+
+# Disable roaming in wpa_supplicant
+#CONFIG_NO_ROAMING=y
+
+# AP mode operations with wpa_supplicant
+# This can be used for controlling AP mode operations with wpa_supplicant. It
+# should be noted that this is mainly aimed at simple cases like
+# WPA2-Personal while more complex configurations like WPA2-Enterprise with an
+# external RADIUS server can be supported with hostapd.
+#CONFIG_AP=y
+
+# P2P (Wi-Fi Direct)
+# This can be used to enable P2P support in wpa_supplicant. See README-P2P for
+# more information on P2P operations.
+#CONFIG_P2P=y
+
+# Enable TDLS support
+#CONFIG_TDLS=y
+
+# Wi-Fi Display
+# This can be used to enable Wi-Fi Display extensions for P2P using an external
+# program to control the additional information exchanges in the messages.
+#CONFIG_WIFI_DISPLAY=y
+
+# Autoscan
+# This can be used to enable automatic scan support in wpa_supplicant.
+# See wpa_supplicant.conf for more information on autoscan usage.
+#
+# Enabling directly a module will enable autoscan support.
+# For exponential module:
+#CONFIG_AUTOSCAN_EXPONENTIAL=y
+# For periodic module:
+#CONFIG_AUTOSCAN_PERIODIC=y
+
+# Password (and passphrase, etc.) backend for external storage
+# These optional mechanisms can be used to add support for storing passwords
+# and other secrets in external (to wpa_supplicant) location. This allows, for
+# example, operating system specific key storage to be used
+#
+# External password backend for testing purposes (developer use)
+#CONFIG_EXT_PASSWORD_TEST=y
+
+# Enable Fast Session Transfer (FST)
+#CONFIG_FST=y
+
+# Enable CLI commands for FST testing
+#CONFIG_FST_TEST=y
+
+# OS X builds. This is only for building eapol_test.
+#CONFIG_OSX=y
+
+# Automatic Channel Selection
+# This will allow wpa_supplicant to pick the channel automatically when channel
+# is set to "0".
+#
+# TODO: Extend parser to be able to parse "channel=acs_survey" as an alternative
+# to "channel=0". This would enable us to eventually add other ACS algorithms in
+# similar way.
+#
+# Automatic selection is currently only done through initialization, later on
+# we hope to do background checks to keep us moving to more ideal channels as
+# time goes by. ACS is currently only supported through the nl80211 driver and
+# your driver must have survey dump capability that is filled by the driver
+# during scanning.
+#
+# TODO: In analogy to hostapd be able to customize the ACS survey algorithm with
+# a newly to create wpa_supplicant.conf variable acs_num_scans.
+#
+# Supported ACS drivers:
+# * ath9k
+# * ath5k
+# * ath10k
+#
+# For more details refer to:
+# http://wireless.kernel.org/en/users/Documentation/acs
+#CONFIG_ACS=y
+
+# Support Multi Band Operation
+#CONFIG_MBO=y
+
+# Fast Initial Link Setup (FILS) (IEEE 802.11ai)
+CONFIG_FILS=y
+# FILS shared key authentication with PFS
+#CONFIG_FILS_SK_PFS=y
+
+# Support RSN on IBSS networks
+# This is needed to be able to use mode=1 network profile with proto=RSN and
+# key_mgmt=WPA-PSK (i.e., full key management instead of WPA-None).
+CONFIG_IBSS_RSN=y
+
+# External PMKSA cache control
+# This can be used to enable control interface commands that allow the current
+# PMKSA cache entries to be fetched and new entries to be added.
+#CONFIG_PMKSA_CACHE_EXTERNAL=y
+
+# Mesh Networking (IEEE 802.11s)
+#CONFIG_MESH=y
+
+# Background scanning modules
+# These can be used to request wpa_supplicant to perform background scanning
+# operations for roaming within an ESS (same SSID). See the bgscan parameter in
+# the wpa_supplicant.conf file for more details.
+# Periodic background scans based on signal strength
+#CONFIG_BGSCAN_SIMPLE=y
+# Learn channels used by the network and try to avoid bgscans on other
+# channels (experimental)
+#CONFIG_BGSCAN_LEARN=y
+
+# Opportunistic Wireless Encryption (OWE)
+# Experimental implementation of draft-harkins-owe-07.txt
+#CONFIG_OWE=y
+
+# Device Provisioning Protocol (DPP)
+# This requires CONFIG_IEEE80211W=y to be enabled, too. (see
+# wpa_supplicant/README-DPP for details)
+#CONFIG_DPP=y
+
+# uBus IPC/RPC System
+# Services can connect to the bus and provide methods
+# that can be called by other services or clients.
+CONFIG_UBUS=y
+
+# OpenWrt patch 380-disable-ctrl-iface-mib.patch
+# leads to the MIB only being compiled in if
+# CONFIG_CTRL_IFACE_MIB is enabled.
+CONFIG_CTRL_IFACE_MIB=y

feeds/hostapd/hostapd/files/wpa_supplicant-mini.config

@@ -0,0 +1,625 @@
+# Example wpa_supplicant build time configuration
+#
+# This file lists the configuration options that are used when building the
+# wpa_supplicant binary. All lines starting with # are ignored. Configuration
+# option lines must be commented out complete, if they are not to be included,
+# i.e., just setting VARIABLE=n is not disabling that variable.
+#
+# This file is included in Makefile, so variables like CFLAGS and LIBS can also
+# be modified from here. In most cases, these lines should use += in order not
+# to override previous values of the variables.
+
+
+# Uncomment following two lines and fix the paths if you have installed OpenSSL
+# or GnuTLS in non-default location
+#CFLAGS += -I/usr/local/openssl/include
+#LIBS += -L/usr/local/openssl/lib
+
+# Some Red Hat versions seem to include kerberos header files from OpenSSL, but
+# the kerberos files are not in the default include path. Following line can be
+# used to fix build issues on such systems (krb5.h not found).
+#CFLAGS += -I/usr/include/kerberos
+
+# Driver interface for generic Linux wireless extensions
+# Note: WEXT is deprecated in the current Linux kernel version and no new
+# functionality is added to it. nl80211-based interface is the new
+# replacement for WEXT and its use allows wpa_supplicant to properly control
+# the driver to improve existing functionality like roaming and to support new
+# functionality.
+#CONFIG_DRIVER_WEXT=y
+
+# Driver interface for Linux drivers using the nl80211 kernel interface
+CONFIG_DRIVER_NL80211=y
+
+# QCA vendor extensions to nl80211
+#CONFIG_DRIVER_NL80211_QCA=y
+
+# driver_nl80211.c requires libnl. If you are compiling it yourself
+# you may need to point hostapd to your version of libnl.
+#
+#CFLAGS += -I$<path to libnl include files>
+#LIBS += -L$<path to libnl library files>
+
+# Use libnl v2.0 (or 3.0) libraries.
+#CONFIG_LIBNL20=y
+
+# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
+#CONFIG_LIBNL32=y
+
+
+# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
+#CONFIG_DRIVER_BSD=y
+#CFLAGS += -I/usr/local/include
+#LIBS += -L/usr/local/lib
+#LIBS_p += -L/usr/local/lib
+#LIBS_c += -L/usr/local/lib
+
+# Driver interface for Windows NDIS
+#CONFIG_DRIVER_NDIS=y
+#CFLAGS += -I/usr/include/w32api/ddk
+#LIBS += -L/usr/local/lib
+# For native build using mingw
+#CONFIG_NATIVE_WINDOWS=y
+# Additional directories for cross-compilation on Linux host for mingw target
+#CFLAGS += -I/opt/mingw/mingw32/include/ddk
+#LIBS += -L/opt/mingw/mingw32/lib
+#CC=mingw32-gcc
+# By default, driver_ndis uses WinPcap for low-level operations. This can be
+# replaced with the following option which replaces WinPcap calls with NDISUIO.
+# However, this requires that WZC is disabled (net stop wzcsvc) before starting
+# wpa_supplicant.
+# CONFIG_USE_NDISUIO=y
+
+# Driver interface for wired Ethernet drivers
+CONFIG_DRIVER_WIRED=y
+
+# Driver interface for MACsec capable Qualcomm Atheros drivers
+#CONFIG_DRIVER_MACSEC_QCA=y
+
+# Driver interface for Linux MACsec drivers
+#CONFIG_DRIVER_MACSEC_LINUX=y
+
+# Driver interface for the Broadcom RoboSwitch family
+#CONFIG_DRIVER_ROBOSWITCH=y
+
+# Driver interface for no driver (e.g., WPS ER only)
+#CONFIG_DRIVER_NONE=y
+
+# Solaris libraries
+#LIBS += -lsocket -ldlpi -lnsl
+#LIBS_c += -lsocket
+
+# Enable IEEE 802.1X Supplicant (automatically included if any EAP method or
+# MACsec is included)
+#CONFIG_IEEE8021X_EAPOL=y
+
+# EAP-MD5
+#CONFIG_EAP_MD5=y
+
+# EAP-MSCHAPv2
+#CONFIG_EAP_MSCHAPV2=y
+
+# EAP-TLS
+#CONFIG_EAP_TLS=y
+
+# EAL-PEAP
+#CONFIG_EAP_PEAP=y
+
+# EAP-TTLS
+#CONFIG_EAP_TTLS=y
+
+# EAP-FAST
+#CONFIG_EAP_FAST=y
+
+# EAP-TEAP
+# Note: The current EAP-TEAP implementation is experimental and should not be
+# enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
+# of conflicting statements and missing details and the implementation has
+# vendor specific workarounds for those and as such, may not interoperate with
+# any other implementation. This should not be used for anything else than
+# experimentation and interoperability testing until those issues has been
+# resolved.
+#CONFIG_EAP_TEAP=y
+
+# EAP-GTC
+#CONFIG_EAP_GTC=y
+
+# EAP-OTP
+#CONFIG_EAP_OTP=y
+
+# EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
+#CONFIG_EAP_SIM=y
+
+# Enable SIM simulator (Milenage) for EAP-SIM
+#CONFIG_SIM_SIMULATOR=y
+
+# EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
+#CONFIG_EAP_PSK=y
+
+# EAP-pwd (secure authentication using only a password)
+#CONFIG_EAP_PWD=y
+
+# EAP-PAX
+#CONFIG_EAP_PAX=y
+
+# LEAP
+#CONFIG_EAP_LEAP=y
+
+# EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
+#CONFIG_EAP_AKA=y
+
+# EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used).
+# This requires CONFIG_EAP_AKA to be enabled, too.
+#CONFIG_EAP_AKA_PRIME=y
+
+# Enable USIM simulator (Milenage) for EAP-AKA
+#CONFIG_USIM_SIMULATOR=y
+
+# EAP-SAKE
+#CONFIG_EAP_SAKE=y
+
+# EAP-GPSK
+#CONFIG_EAP_GPSK=y
+# Include support for optional SHA256 cipher suite in EAP-GPSK
+#CONFIG_EAP_GPSK_SHA256=y
+
+# EAP-TNC and related Trusted Network Connect support (experimental)
+#CONFIG_EAP_TNC=y
+
+# Wi-Fi Protected Setup (WPS)
+#CONFIG_WPS=y
+# Enable WPS external registrar functionality
+#CONFIG_WPS_ER=y
+# Disable credentials for an open network by default when acting as a WPS
+# registrar.
+#CONFIG_WPS_REG_DISABLE_OPEN=y
+# Enable WPS support with NFC config method
+#CONFIG_WPS_NFC=y
+
+# EAP-IKEv2
+#CONFIG_EAP_IKEV2=y
+
+# EAP-EKE
+#CONFIG_EAP_EKE=y
+
+# MACsec
+#CONFIG_MACSEC=y
+
+# PKCS#12 (PFX) support (used to read private key and certificate file from
+# a file that usually has extension .p12 or .pfx)
+#CONFIG_PKCS12=y
+
+# Smartcard support (i.e., private key on a smartcard), e.g., with openssl
+# engine.
+#CONFIG_SMARTCARD=y
+
+# PC/SC interface for smartcards (USIM, GSM SIM)
+# Enable this if EAP-SIM or EAP-AKA is included
+#CONFIG_PCSC=y
+
+# Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
+CONFIG_HT_OVERRIDES=y
+
+# Support VHT overrides (disable VHT, mask MCS rates, etc.)
+CONFIG_VHT_OVERRIDES=y
+
+# Development testing
+#CONFIG_EAPOL_TEST=y
+
+# Select control interface backend for external programs, e.g, wpa_cli:
+# unix = UNIX domain sockets (default for Linux/*BSD)
+# udp = UDP sockets using localhost (127.0.0.1)
+# udp6 = UDP IPv6 sockets using localhost (::1)
+# named_pipe = Windows Named Pipe (default for Windows)
+# udp-remote = UDP sockets with remote access (only for tests systems/purpose)
+# udp6-remote = UDP IPv6 sockets with remote access (only for tests purpose)
+# y = use default (backwards compatibility)
+# If this option is commented out, control interface is not included in the
+# build.
+CONFIG_CTRL_IFACE=y
+
+# Include support for GNU Readline and History Libraries in wpa_cli.
+# When building a wpa_cli binary for distribution, please note that these
+# libraries are licensed under GPL and as such, BSD license may not apply for
+# the resulting binary.
+#CONFIG_READLINE=y
+
+# Include internal line edit mode in wpa_cli. This can be used as a replacement
+# for GNU Readline to provide limited command line editing and history support.
+#CONFIG_WPA_CLI_EDIT=y
+
+# Remove debugging code that is printing out debug message to stdout.
+# This can be used to reduce the size of the wpa_supplicant considerably
+# if debugging code is not needed. The size reduction can be around 35%
+# (e.g., 90 kB).
+#CONFIG_NO_STDOUT_DEBUG=y
+
+# Remove WPA support, e.g., for wired-only IEEE 802.1X supplicant, to save
+# 35-50 kB in code size.
+#CONFIG_NO_WPA=y
+
+# Remove IEEE 802.11i/WPA-Personal ASCII passphrase support
+# This option can be used to reduce code size by removing support for
+# converting ASCII passphrases into PSK. If this functionality is removed, the
+# PSK can only be configured as the 64-octet hexstring (e.g., from
+# wpa_passphrase). This saves about 0.5 kB in code size.
+#CONFIG_NO_WPA_PASSPHRASE=y
+
+# Simultaneous Authentication of Equals (SAE), WPA3-Personal
+#CONFIG_SAE=y
+
+# Disable scan result processing (ap_mode=1) to save code size by about 1 kB.
+# This can be used if ap_scan=1 mode is never enabled.
+#CONFIG_NO_SCAN_PROCESSING=y
+
+# Select configuration backend:
+# file = text file (e.g., wpa_supplicant.conf; note: the configuration file
+#	path is given on command line, not here; this option is just used to
+#	select the backend that allows configuration files to be used)
+# winreg = Windows registry (see win_example.reg for an example)
+CONFIG_BACKEND=file
+
+# Remove configuration write functionality (i.e., to allow the configuration
+# file to be updated based on runtime configuration changes). The runtime
+# configuration can still be changed, the changes are just not going to be
+# persistent over restarts. This option can be used to reduce code size by
+# about 3.5 kB.
+CONFIG_NO_CONFIG_WRITE=y
+
+# Remove support for configuration blobs to reduce code size by about 1.5 kB.
+#CONFIG_NO_CONFIG_BLOBS=y
+
+# Select program entry point implementation:
+# main = UNIX/POSIX like main() function (default)
+# main_winsvc = Windows service (read parameters from registry)
+# main_none = Very basic example (development use only)
+#CONFIG_MAIN=main
+
+# Select wrapper for operating system and C library specific functions
+# unix = UNIX/POSIX like systems (default)
+# win32 = Windows systems
+# none = Empty template
+#CONFIG_OS=unix
+
+# Select event loop implementation
+# eloop = select() loop (default)
+# eloop_win = Windows events and WaitForMultipleObject() loop
+#CONFIG_ELOOP=eloop
+
+# Should we use poll instead of select? Select is used by default.
+#CONFIG_ELOOP_POLL=y
+
+# Should we use epoll instead of select? Select is used by default.
+CONFIG_ELOOP_EPOLL=y
+
+# Should we use kqueue instead of select? Select is used by default.
+#CONFIG_ELOOP_KQUEUE=y
+
+# Select layer 2 packet implementation
+# linux = Linux packet socket (default)
+# pcap = libpcap/libdnet/WinPcap
+# freebsd = FreeBSD libpcap
+# winpcap = WinPcap with receive thread
+# ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y)
+# none = Empty template
+#CONFIG_L2_PACKET=linux
+
+# Disable Linux packet socket workaround applicable for station interface
+# in a bridge for EAPOL frames. This should be uncommented only if the kernel
+# is known to not have the regression issue in packet socket behavior with
+# bridge interfaces (commit 'bridge: respect RFC2863 operational state')').
+CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
+
+# IEEE 802.11w (management frame protection), also known as PMF
+# Driver support is also needed for IEEE 802.11w.
+#CONFIG_IEEE80211W=y
+
+# Support Operating Channel Validation
+#CONFIG_OCV=y
+
+# Select TLS implementation
+# openssl = OpenSSL (default)
+# gnutls = GnuTLS
+# internal = Internal TLSv1 implementation (experimental)
+# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
+# none = Empty template
+CONFIG_TLS=internal
+
+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
+# can be enabled to get a stronger construction of messages when block ciphers
+# are used. It should be noted that some existing TLS v1.0 -based
+# implementation may not be compatible with TLS v1.1 message (ClientHello is
+# sent prior to negotiating which version will be used)
+#CONFIG_TLSV11=y
+
+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
+# can be enabled to enable use of stronger crypto algorithms. It should be
+# noted that some existing TLS v1.0 -based implementation may not be compatible
+# with TLS v1.2 message (ClientHello is sent prior to negotiating which version
+# will be used)
+#CONFIG_TLSV12=y
+
+# Select which ciphers to use by default with OpenSSL if the user does not
+# specify them.
+#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
+
+# If CONFIG_TLS=internal is used, additional library and include paths are
+# needed for LibTomMath. Alternatively, an integrated, minimal version of
+# LibTomMath can be used. See beginning of libtommath.c for details on benefits
+# and drawbacks of this option.
+#CONFIG_INTERNAL_LIBTOMMATH=y
+#ifndef CONFIG_INTERNAL_LIBTOMMATH
+#LTM_PATH=/usr/src/libtommath-0.39
+#CFLAGS += -I$(LTM_PATH)
+#LIBS += -L$(LTM_PATH)
+#LIBS_p += -L$(LTM_PATH)
+#endif
+# At the cost of about 4 kB of additional binary size, the internal LibTomMath
+# can be configured to include faster routines for exptmod, sqr, and div to
+# speed up DH and RSA calculation considerably
+#CONFIG_INTERNAL_LIBTOMMATH_FAST=y
+
+# Include NDIS event processing through WMI into wpa_supplicant/wpasvc.
+# This is only for Windows builds and requires WMI-related header files and
+# WbemUuid.Lib from Platform SDK even when building with MinGW.
+#CONFIG_NDIS_EVENTS_INTEGRATED=y
+#PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
+
+# Add support for new DBus control interface
+# (fi.w1.hostap.wpa_supplicant1)
+#CONFIG_CTRL_IFACE_DBUS_NEW=y
+
+# Add introspection support for new DBus control interface
+#CONFIG_CTRL_IFACE_DBUS_INTRO=y
+
+# Add support for loading EAP methods dynamically as shared libraries.
+# When this option is enabled, each EAP method can be either included
+# statically (CONFIG_EAP_<method>=y) or dynamically (CONFIG_EAP_<method>=dyn).
+# Dynamic EAP methods are build as shared objects (eap_*.so) and they need to
+# be loaded in the beginning of the wpa_supplicant configuration file
+# (see load_dynamic_eap parameter in the example file) before being used in
+# the network blocks.
+#
+# Note that some shared parts of EAP methods are included in the main program
+# and in order to be able to use dynamic EAP methods using these parts, the
+# main program must have been build with the EAP method enabled (=y or =dyn).
+# This means that EAP-TLS/PEAP/TTLS/FAST cannot be added as dynamic libraries
+# unless at least one of them was included in the main build to force inclusion
+# of the shared code. Similarly, at least one of EAP-SIM/AKA must be included
+# in the main build to be able to load these methods dynamically.
+#
+# Please also note that using dynamic libraries will increase the total binary
+# size. Thus, it may not be the best option for targets that have limited
+# amount of memory/flash.
+#CONFIG_DYNAMIC_EAP_METHODS=y
+
+# IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
+#CONFIG_IEEE80211R=y
+
+# Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
+#CONFIG_DEBUG_FILE=y
+
+# Send debug messages to syslog instead of stdout
+CONFIG_DEBUG_SYSLOG=y
+# Set syslog facility for debug messages
+CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
+
+# Add support for sending all debug messages (regardless of debug verbosity)
+# to the Linux kernel tracing facility. This helps debug the entire stack by
+# making it easy to record everything happening from the driver up into the
+# same file, e.g., using trace-cmd.
+#CONFIG_DEBUG_LINUX_TRACING=y
+
+# Add support for writing debug log to Android logcat instead of standard
+# output
+#CONFIG_ANDROID_LOG=y
+
+# Enable privilege separation (see README 'Privilege separation' for details)
+#CONFIG_PRIVSEP=y
+
+# Enable mitigation against certain attacks against TKIP by delaying Michael
+# MIC error reports by a random amount of time between 0 and 60 seconds
+#CONFIG_DELAYED_MIC_ERROR_REPORT=y
+
+# Enable tracing code for developer debugging
+# This tracks use of memory allocations and other registrations and reports
+# incorrect use with a backtrace of call (or allocation) location.
+#CONFIG_WPA_TRACE=y
+# For BSD, uncomment these.
+#LIBS += -lexecinfo
+#LIBS_p += -lexecinfo
+#LIBS_c += -lexecinfo
+
+# Use libbfd to get more details for developer debugging
+# This enables use of libbfd to get more detailed symbols for the backtraces
+# generated by CONFIG_WPA_TRACE=y.
+#CONFIG_WPA_TRACE_BFD=y
+# For BSD, uncomment these.
+#LIBS += -lbfd -liberty -lz
+#LIBS_p += -lbfd -liberty -lz
+#LIBS_c += -lbfd -liberty -lz
+
+# wpa_supplicant depends on strong random number generation being available
+# from the operating system. os_get_random() function is used to fetch random
+# data when needed, e.g., for key generation. On Linux and BSD systems, this
+# works by reading /dev/urandom. It should be noted that the OS entropy pool
+# needs to be properly initialized before wpa_supplicant is started. This is
+# important especially on embedded devices that do not have a hardware random
+# number generator and may by default start up with minimal entropy available
+# for random number generation.
+#
+# As a safety net, wpa_supplicant is by default trying to internally collect
+# additional entropy for generating random data to mix in with the data fetched
+# from the OS. This by itself is not considered to be very strong, but it may
+# help in cases where the system pool is not initialized properly. However, it
+# is very strongly recommended that the system pool is initialized with enough
+# entropy either by using hardware assisted random number generator or by
+# storing state over device reboots.
+#
+# wpa_supplicant can be configured to maintain its own entropy store over
+# restarts to enhance random number generation. This is not perfect, but it is
+# much more secure than using the same sequence of random numbers after every
+# reboot. This can be enabled with -e<entropy file> command line option. The
+# specified file needs to be readable and writable by wpa_supplicant.
+#
+# If the os_get_random() is known to provide strong random data (e.g., on
+# Linux/BSD, the board in question is known to have reliable source of random
+# data from /dev/urandom), the internal wpa_supplicant random pool can be
+# disabled. This will save some in binary size and CPU use. However, this
+# should only be considered for builds that are known to be used on devices
+# that meet the requirements described above.
+CONFIG_NO_RANDOM_POOL=y
+
+# Should we attempt to use the getrandom(2) call that provides more reliable
+# yet secure randomness source than /dev/random on Linux 3.17 and newer.
+# Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
+CONFIG_GETRANDOM=y
+
+# IEEE 802.11n (High Throughput) support (mainly for AP mode)
+#CONFIG_IEEE80211N=y
+
+# IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
+# (depends on CONFIG_IEEE80211N)
+#CONFIG_IEEE80211AC=y
+
+# Wireless Network Management (IEEE Std 802.11v-2011)
+# Note: This is experimental and not complete implementation.
+#CONFIG_WNM=y
+
+# Interworking (IEEE 802.11u)
+# This can be used to enable functionality to improve interworking with
+# external networks (GAS/ANQP to learn more about the networks and network
+# selection based on available credentials).
+#CONFIG_INTERWORKING=y
+
+# Hotspot 2.0
+#CONFIG_HS20=y
+
+# Enable interface matching in wpa_supplicant
+#CONFIG_MATCH_IFACE=y
+
+# Disable roaming in wpa_supplicant
+#CONFIG_NO_ROAMING=y
+
+# AP mode operations with wpa_supplicant
+# This can be used for controlling AP mode operations with wpa_supplicant. It
+# should be noted that this is mainly aimed at simple cases like
+# WPA2-Personal while more complex configurations like WPA2-Enterprise with an
+# external RADIUS server can be supported with hostapd.
+#CONFIG_AP=y
+
+# P2P (Wi-Fi Direct)
+# This can be used to enable P2P support in wpa_supplicant. See README-P2P for
+# more information on P2P operations.
+#CONFIG_P2P=y
+
+# Enable TDLS support
+#CONFIG_TDLS=y
+
+# Wi-Fi Display
+# This can be used to enable Wi-Fi Display extensions for P2P using an external
+# program to control the additional information exchanges in the messages.
+#CONFIG_WIFI_DISPLAY=y
+
+# Autoscan
+# This can be used to enable automatic scan support in wpa_supplicant.
+# See wpa_supplicant.conf for more information on autoscan usage.
+#
+# Enabling directly a module will enable autoscan support.
+# For exponential module:
+#CONFIG_AUTOSCAN_EXPONENTIAL=y
+# For periodic module:
+#CONFIG_AUTOSCAN_PERIODIC=y
+
+# Password (and passphrase, etc.) backend for external storage
+# These optional mechanisms can be used to add support for storing passwords
+# and other secrets in external (to wpa_supplicant) location. This allows, for
+# example, operating system specific key storage to be used
+#
+# External password backend for testing purposes (developer use)
+#CONFIG_EXT_PASSWORD_TEST=y
+
+# Enable Fast Session Transfer (FST)
+#CONFIG_FST=y
+
+# Enable CLI commands for FST testing
+#CONFIG_FST_TEST=y
+
+# OS X builds. This is only for building eapol_test.
+#CONFIG_OSX=y
+
+# Automatic Channel Selection
+# This will allow wpa_supplicant to pick the channel automatically when channel
+# is set to "0".
+#
+# TODO: Extend parser to be able to parse "channel=acs_survey" as an alternative
+# to "channel=0". This would enable us to eventually add other ACS algorithms in
+# similar way.
+#
+# Automatic selection is currently only done through initialization, later on
+# we hope to do background checks to keep us moving to more ideal channels as
+# time goes by. ACS is currently only supported through the nl80211 driver and
+# your driver must have survey dump capability that is filled by the driver
+# during scanning.
+#
+# TODO: In analogy to hostapd be able to customize the ACS survey algorithm with
+# a newly to create wpa_supplicant.conf variable acs_num_scans.
+#
+# Supported ACS drivers:
+# * ath9k
+# * ath5k
+# * ath10k
+#
+# For more details refer to:
+# http://wireless.kernel.org/en/users/Documentation/acs
+#CONFIG_ACS=y
+
+# Support Multi Band Operation
+#CONFIG_MBO=y
+
+# Fast Initial Link Setup (FILS) (IEEE 802.11ai)
+#CONFIG_FILS=y
+# FILS shared key authentication with PFS
+#CONFIG_FILS_SK_PFS=y
+
+# Support RSN on IBSS networks
+# This is needed to be able to use mode=1 network profile with proto=RSN and
+# key_mgmt=WPA-PSK (i.e., full key management instead of WPA-None).
+#CONFIG_IBSS_RSN=y
+
+# External PMKSA cache control
+# This can be used to enable control interface commands that allow the current
+# PMKSA cache entries to be fetched and new entries to be added.
+#CONFIG_PMKSA_CACHE_EXTERNAL=y
+
+# Mesh Networking (IEEE 802.11s)
+#CONFIG_MESH=y
+
+# Background scanning modules
+# These can be used to request wpa_supplicant to perform background scanning
+# operations for roaming within an ESS (same SSID). See the bgscan parameter in
+# the wpa_supplicant.conf file for more details.
+# Periodic background scans based on signal strength
+#CONFIG_BGSCAN_SIMPLE=y
+# Learn channels used by the network and try to avoid bgscans on other
+# channels (experimental)
+#CONFIG_BGSCAN_LEARN=y
+
+# Opportunistic Wireless Encryption (OWE)
+# Experimental implementation of draft-harkins-owe-07.txt
+#CONFIG_OWE=y
+
+# Device Provisioning Protocol (DPP)
+# This requires CONFIG_IEEE80211W=y to be enabled, too. (see
+# wpa_supplicant/README-DPP for details)
+#CONFIG_DPP=y
+
+# uBus IPC/RPC System
+# Services can connect to the bus and provide methods
+# that can be called by other services or clients.
+CONFIG_UBUS=y
+
+# OpenWrt patch 380-disable-ctrl-iface-mib.patch
+# leads to the MIB only being compiled in if
+# CONFIG_CTRL_IFACE_MIB is enabled.
+#CONFIG_CTRL_IFACE_MIB=y

feeds/hostapd/hostapd/files/wpa_supplicant-p2p.config

@@ -0,0 +1,625 @@
+# Example wpa_supplicant build time configuration
+#
+# This file lists the configuration options that are used when building the
+# wpa_supplicant binary. All lines starting with # are ignored. Configuration
+# option lines must be commented out complete, if they are not to be included,
+# i.e., just setting VARIABLE=n is not disabling that variable.
+#
+# This file is included in Makefile, so variables like CFLAGS and LIBS can also
+# be modified from here. In most cases, these lines should use += in order not
+# to override previous values of the variables.
+
+
+# Uncomment following two lines and fix the paths if you have installed OpenSSL
+# or GnuTLS in non-default location
+#CFLAGS += -I/usr/local/openssl/include
+#LIBS += -L/usr/local/openssl/lib
+
+# Some Red Hat versions seem to include kerberos header files from OpenSSL, but
+# the kerberos files are not in the default include path. Following line can be
+# used to fix build issues on such systems (krb5.h not found).
+#CFLAGS += -I/usr/include/kerberos
+
+# Driver interface for generic Linux wireless extensions
+# Note: WEXT is deprecated in the current Linux kernel version and no new
+# functionality is added to it. nl80211-based interface is the new
+# replacement for WEXT and its use allows wpa_supplicant to properly control
+# the driver to improve existing functionality like roaming and to support new
+# functionality.
+#CONFIG_DRIVER_WEXT=y
+
+# Driver interface for Linux drivers using the nl80211 kernel interface
+CONFIG_DRIVER_NL80211=y
+
+# QCA vendor extensions to nl80211
+#CONFIG_DRIVER_NL80211_QCA=y
+
+# driver_nl80211.c requires libnl. If you are compiling it yourself
+# you may need to point hostapd to your version of libnl.
+#
+#CFLAGS += -I$<path to libnl include files>
+#LIBS += -L$<path to libnl library files>
+
+# Use libnl v2.0 (or 3.0) libraries.
+#CONFIG_LIBNL20=y
+
+# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
+#CONFIG_LIBNL32=y
+
+
+# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
+#CONFIG_DRIVER_BSD=y
+#CFLAGS += -I/usr/local/include
+#LIBS += -L/usr/local/lib
+#LIBS_p += -L/usr/local/lib
+#LIBS_c += -L/usr/local/lib
+
+# Driver interface for Windows NDIS
+#CONFIG_DRIVER_NDIS=y
+#CFLAGS += -I/usr/include/w32api/ddk
+#LIBS += -L/usr/local/lib
+# For native build using mingw
+#CONFIG_NATIVE_WINDOWS=y
+# Additional directories for cross-compilation on Linux host for mingw target
+#CFLAGS += -I/opt/mingw/mingw32/include/ddk
+#LIBS += -L/opt/mingw/mingw32/lib
+#CC=mingw32-gcc
+# By default, driver_ndis uses WinPcap for low-level operations. This can be
+# replaced with the following option which replaces WinPcap calls with NDISUIO.
+# However, this requires that WZC is disabled (net stop wzcsvc) before starting
+# wpa_supplicant.
+# CONFIG_USE_NDISUIO=y
+
+# Driver interface for wired Ethernet drivers
+CONFIG_DRIVER_WIRED=y
+
+# Driver interface for MACsec capable Qualcomm Atheros drivers
+#CONFIG_DRIVER_MACSEC_QCA=y
+
+# Driver interface for Linux MACsec drivers
+#CONFIG_DRIVER_MACSEC_LINUX=y
+
+# Driver interface for the Broadcom RoboSwitch family
+#CONFIG_DRIVER_ROBOSWITCH=y
+
+# Driver interface for no driver (e.g., WPS ER only)
+#CONFIG_DRIVER_NONE=y
+
+# Solaris libraries
+#LIBS += -lsocket -ldlpi -lnsl
+#LIBS_c += -lsocket
+
+# Enable IEEE 802.1X Supplicant (automatically included if any EAP method or
+# MACsec is included)
+CONFIG_IEEE8021X_EAPOL=y
+
+# EAP-MD5
+CONFIG_EAP_MD5=y
+
+# EAP-MSCHAPv2
+CONFIG_EAP_MSCHAPV2=y
+
+# EAP-TLS
+CONFIG_EAP_TLS=y
+
+# EAL-PEAP
+CONFIG_EAP_PEAP=y
+
+# EAP-TTLS
+CONFIG_EAP_TTLS=y
+
+# EAP-FAST
+CONFIG_EAP_FAST=y
+
+# EAP-TEAP
+# Note: The current EAP-TEAP implementation is experimental and should not be
+# enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
+# of conflicting statements and missing details and the implementation has
+# vendor specific workarounds for those and as such, may not interoperate with
+# any other implementation. This should not be used for anything else than
+# experimentation and interoperability testing until those issues has been
+# resolved.
+#CONFIG_EAP_TEAP=y
+
+# EAP-GTC
+CONFIG_EAP_GTC=y
+
+# EAP-OTP
+CONFIG_EAP_OTP=y
+
+# EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
+#CONFIG_EAP_SIM=y
+
+# Enable SIM simulator (Milenage) for EAP-SIM
+#CONFIG_SIM_SIMULATOR=y
+
+# EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
+#CONFIG_EAP_PSK=y
+
+# EAP-pwd (secure authentication using only a password)
+#CONFIG_EAP_PWD=y
+
+# EAP-PAX
+#CONFIG_EAP_PAX=y
+
+# LEAP
+CONFIG_EAP_LEAP=y
+
+# EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
+#CONFIG_EAP_AKA=y
+
+# EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used).
+# This requires CONFIG_EAP_AKA to be enabled, too.
+#CONFIG_EAP_AKA_PRIME=y
+
+# Enable USIM simulator (Milenage) for EAP-AKA
+#CONFIG_USIM_SIMULATOR=y
+
+# EAP-SAKE
+#CONFIG_EAP_SAKE=y
+
+# EAP-GPSK
+#CONFIG_EAP_GPSK=y
+# Include support for optional SHA256 cipher suite in EAP-GPSK
+#CONFIG_EAP_GPSK_SHA256=y
+
+# EAP-TNC and related Trusted Network Connect support (experimental)
+#CONFIG_EAP_TNC=y
+
+# Wi-Fi Protected Setup (WPS)
+CONFIG_WPS=y
+# Enable WPS external registrar functionality
+#CONFIG_WPS_ER=y
+# Disable credentials for an open network by default when acting as a WPS
+# registrar.
+#CONFIG_WPS_REG_DISABLE_OPEN=y
+# Enable WPS support with NFC config method
+#CONFIG_WPS_NFC=y
+
+# EAP-IKEv2
+#CONFIG_EAP_IKEV2=y
+
+# EAP-EKE
+#CONFIG_EAP_EKE=y
+
+# MACsec
+#CONFIG_MACSEC=y
+
+# PKCS#12 (PFX) support (used to read private key and certificate file from
+# a file that usually has extension .p12 or .pfx)
+CONFIG_PKCS12=y
+
+# Smartcard support (i.e., private key on a smartcard), e.g., with openssl
+# engine.
+CONFIG_SMARTCARD=y
+
+# PC/SC interface for smartcards (USIM, GSM SIM)
+# Enable this if EAP-SIM or EAP-AKA is included
+#CONFIG_PCSC=y
+
+# Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
+CONFIG_HT_OVERRIDES=y
+
+# Support VHT overrides (disable VHT, mask MCS rates, etc.)
+CONFIG_VHT_OVERRIDES=y
+
+# Development testing
+#CONFIG_EAPOL_TEST=y
+
+# Select control interface backend for external programs, e.g, wpa_cli:
+# unix = UNIX domain sockets (default for Linux/*BSD)
+# udp = UDP sockets using localhost (127.0.0.1)
+# udp6 = UDP IPv6 sockets using localhost (::1)
+# named_pipe = Windows Named Pipe (default for Windows)
+# udp-remote = UDP sockets with remote access (only for tests systems/purpose)
+# udp6-remote = UDP IPv6 sockets with remote access (only for tests purpose)
+# y = use default (backwards compatibility)
+# If this option is commented out, control interface is not included in the
+# build.
+CONFIG_CTRL_IFACE=y
+
+# Include support for GNU Readline and History Libraries in wpa_cli.
+# When building a wpa_cli binary for distribution, please note that these
+# libraries are licensed under GPL and as such, BSD license may not apply for
+# the resulting binary.
+#CONFIG_READLINE=y
+
+# Include internal line edit mode in wpa_cli. This can be used as a replacement
+# for GNU Readline to provide limited command line editing and history support.
+#CONFIG_WPA_CLI_EDIT=y
+
+# Remove debugging code that is printing out debug message to stdout.
+# This can be used to reduce the size of the wpa_supplicant considerably
+# if debugging code is not needed. The size reduction can be around 35%
+# (e.g., 90 kB).
+#CONFIG_NO_STDOUT_DEBUG=y
+
+# Remove WPA support, e.g., for wired-only IEEE 802.1X supplicant, to save
+# 35-50 kB in code size.
+#CONFIG_NO_WPA=y
+
+# Remove IEEE 802.11i/WPA-Personal ASCII passphrase support
+# This option can be used to reduce code size by removing support for
+# converting ASCII passphrases into PSK. If this functionality is removed, the
+# PSK can only be configured as the 64-octet hexstring (e.g., from
+# wpa_passphrase). This saves about 0.5 kB in code size.
+#CONFIG_NO_WPA_PASSPHRASE=y
+
+# Simultaneous Authentication of Equals (SAE), WPA3-Personal
+#CONFIG_SAE=y
+
+# Disable scan result processing (ap_mode=1) to save code size by about 1 kB.
+# This can be used if ap_scan=1 mode is never enabled.
+#CONFIG_NO_SCAN_PROCESSING=y
+
+# Select configuration backend:
+# file = text file (e.g., wpa_supplicant.conf; note: the configuration file
+#	path is given on command line, not here; this option is just used to
+#	select the backend that allows configuration files to be used)
+# winreg = Windows registry (see win_example.reg for an example)
+CONFIG_BACKEND=file
+
+# Remove configuration write functionality (i.e., to allow the configuration
+# file to be updated based on runtime configuration changes). The runtime
+# configuration can still be changed, the changes are just not going to be
+# persistent over restarts. This option can be used to reduce code size by
+# about 3.5 kB.
+#CONFIG_NO_CONFIG_WRITE=y
+
+# Remove support for configuration blobs to reduce code size by about 1.5 kB.
+#CONFIG_NO_CONFIG_BLOBS=y
+
+# Select program entry point implementation:
+# main = UNIX/POSIX like main() function (default)
+# main_winsvc = Windows service (read parameters from registry)
+# main_none = Very basic example (development use only)
+#CONFIG_MAIN=main
+
+# Select wrapper for operating system and C library specific functions
+# unix = UNIX/POSIX like systems (default)
+# win32 = Windows systems
+# none = Empty template
+#CONFIG_OS=unix
+
+# Select event loop implementation
+# eloop = select() loop (default)
+# eloop_win = Windows events and WaitForMultipleObject() loop
+#CONFIG_ELOOP=eloop
+
+# Should we use poll instead of select? Select is used by default.
+#CONFIG_ELOOP_POLL=y
+
+# Should we use epoll instead of select? Select is used by default.
+CONFIG_ELOOP_EPOLL=y
+
+# Should we use kqueue instead of select? Select is used by default.
+#CONFIG_ELOOP_KQUEUE=y
+
+# Select layer 2 packet implementation
+# linux = Linux packet socket (default)
+# pcap = libpcap/libdnet/WinPcap
+# freebsd = FreeBSD libpcap
+# winpcap = WinPcap with receive thread
+# ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y)
+# none = Empty template
+#CONFIG_L2_PACKET=linux
+
+# Disable Linux packet socket workaround applicable for station interface
+# in a bridge for EAPOL frames. This should be uncommented only if the kernel
+# is known to not have the regression issue in packet socket behavior with
+# bridge interfaces (commit 'bridge: respect RFC2863 operational state')').
+CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
+
+# IEEE 802.11w (management frame protection), also known as PMF
+# Driver support is also needed for IEEE 802.11w.
+CONFIG_IEEE80211W=y
+
+# Support Operating Channel Validation
+#CONFIG_OCV=y
+
+# Select TLS implementation
+# openssl = OpenSSL (default)
+# gnutls = GnuTLS
+# internal = Internal TLSv1 implementation (experimental)
+# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
+# none = Empty template
+CONFIG_TLS=internal
+
+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
+# can be enabled to get a stronger construction of messages when block ciphers
+# are used. It should be noted that some existing TLS v1.0 -based
+# implementation may not be compatible with TLS v1.1 message (ClientHello is
+# sent prior to negotiating which version will be used)
+#CONFIG_TLSV11=y
+
+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
+# can be enabled to enable use of stronger crypto algorithms. It should be
+# noted that some existing TLS v1.0 -based implementation may not be compatible
+# with TLS v1.2 message (ClientHello is sent prior to negotiating which version
+# will be used)
+#CONFIG_TLSV12=y
+
+# Select which ciphers to use by default with OpenSSL if the user does not
+# specify them.
+#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
+
+# If CONFIG_TLS=internal is used, additional library and include paths are
+# needed for LibTomMath. Alternatively, an integrated, minimal version of
+# LibTomMath can be used. See beginning of libtommath.c for details on benefits
+# and drawbacks of this option.
+CONFIG_INTERNAL_LIBTOMMATH=y
+#ifndef CONFIG_INTERNAL_LIBTOMMATH
+#LTM_PATH=/usr/src/libtommath-0.39
+#CFLAGS += -I$(LTM_PATH)
+#LIBS += -L$(LTM_PATH)
+#LIBS_p += -L$(LTM_PATH)
+#endif
+# At the cost of about 4 kB of additional binary size, the internal LibTomMath
+# can be configured to include faster routines for exptmod, sqr, and div to
+# speed up DH and RSA calculation considerably
+CONFIG_INTERNAL_LIBTOMMATH_FAST=y
+
+# Include NDIS event processing through WMI into wpa_supplicant/wpasvc.
+# This is only for Windows builds and requires WMI-related header files and
+# WbemUuid.Lib from Platform SDK even when building with MinGW.
+#CONFIG_NDIS_EVENTS_INTEGRATED=y
+#PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
+
+# Add support for new DBus control interface
+# (fi.w1.hostap.wpa_supplicant1)
+#CONFIG_CTRL_IFACE_DBUS_NEW=y
+
+# Add introspection support for new DBus control interface
+#CONFIG_CTRL_IFACE_DBUS_INTRO=y
+
+# Add support for loading EAP methods dynamically as shared libraries.
+# When this option is enabled, each EAP method can be either included
+# statically (CONFIG_EAP_<method>=y) or dynamically (CONFIG_EAP_<method>=dyn).
+# Dynamic EAP methods are build as shared objects (eap_*.so) and they need to
+# be loaded in the beginning of the wpa_supplicant configuration file
+# (see load_dynamic_eap parameter in the example file) before being used in
+# the network blocks.
+#
+# Note that some shared parts of EAP methods are included in the main program
+# and in order to be able to use dynamic EAP methods using these parts, the
+# main program must have been build with the EAP method enabled (=y or =dyn).
+# This means that EAP-TLS/PEAP/TTLS/FAST cannot be added as dynamic libraries
+# unless at least one of them was included in the main build to force inclusion
+# of the shared code. Similarly, at least one of EAP-SIM/AKA must be included
+# in the main build to be able to load these methods dynamically.
+#
+# Please also note that using dynamic libraries will increase the total binary
+# size. Thus, it may not be the best option for targets that have limited
+# amount of memory/flash.
+#CONFIG_DYNAMIC_EAP_METHODS=y
+
+# IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
+#CONFIG_IEEE80211R=y
+
+# Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
+#CONFIG_DEBUG_FILE=y
+
+# Send debug messages to syslog instead of stdout
+CONFIG_DEBUG_SYSLOG=y
+# Set syslog facility for debug messages
+CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
+
+# Add support for sending all debug messages (regardless of debug verbosity)
+# to the Linux kernel tracing facility. This helps debug the entire stack by
+# making it easy to record everything happening from the driver up into the
+# same file, e.g., using trace-cmd.
+#CONFIG_DEBUG_LINUX_TRACING=y
+
+# Add support for writing debug log to Android logcat instead of standard
+# output
+#CONFIG_ANDROID_LOG=y
+
+# Enable privilege separation (see README 'Privilege separation' for details)
+#CONFIG_PRIVSEP=y
+
+# Enable mitigation against certain attacks against TKIP by delaying Michael
+# MIC error reports by a random amount of time between 0 and 60 seconds
+#CONFIG_DELAYED_MIC_ERROR_REPORT=y
+
+# Enable tracing code for developer debugging
+# This tracks use of memory allocations and other registrations and reports
+# incorrect use with a backtrace of call (or allocation) location.
+#CONFIG_WPA_TRACE=y
+# For BSD, uncomment these.
+#LIBS += -lexecinfo
+#LIBS_p += -lexecinfo
+#LIBS_c += -lexecinfo
+
+# Use libbfd to get more details for developer debugging
+# This enables use of libbfd to get more detailed symbols for the backtraces
+# generated by CONFIG_WPA_TRACE=y.
+#CONFIG_WPA_TRACE_BFD=y
+# For BSD, uncomment these.
+#LIBS += -lbfd -liberty -lz
+#LIBS_p += -lbfd -liberty -lz
+#LIBS_c += -lbfd -liberty -lz
+
+# wpa_supplicant depends on strong random number generation being available
+# from the operating system. os_get_random() function is used to fetch random
+# data when needed, e.g., for key generation. On Linux and BSD systems, this
+# works by reading /dev/urandom. It should be noted that the OS entropy pool
+# needs to be properly initialized before wpa_supplicant is started. This is
+# important especially on embedded devices that do not have a hardware random
+# number generator and may by default start up with minimal entropy available
+# for random number generation.
+#
+# As a safety net, wpa_supplicant is by default trying to internally collect
+# additional entropy for generating random data to mix in with the data fetched
+# from the OS. This by itself is not considered to be very strong, but it may
+# help in cases where the system pool is not initialized properly. However, it
+# is very strongly recommended that the system pool is initialized with enough
+# entropy either by using hardware assisted random number generator or by
+# storing state over device reboots.
+#
+# wpa_supplicant can be configured to maintain its own entropy store over
+# restarts to enhance random number generation. This is not perfect, but it is
+# much more secure than using the same sequence of random numbers after every
+# reboot. This can be enabled with -e<entropy file> command line option. The
+# specified file needs to be readable and writable by wpa_supplicant.
+#
+# If the os_get_random() is known to provide strong random data (e.g., on
+# Linux/BSD, the board in question is known to have reliable source of random
+# data from /dev/urandom), the internal wpa_supplicant random pool can be
+# disabled. This will save some in binary size and CPU use. However, this
+# should only be considered for builds that are known to be used on devices
+# that meet the requirements described above.
+CONFIG_NO_RANDOM_POOL=y
+
+# Should we attempt to use the getrandom(2) call that provides more reliable
+# yet secure randomness source than /dev/random on Linux 3.17 and newer.
+# Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
+CONFIG_GETRANDOM=y
+
+# IEEE 802.11n (High Throughput) support (mainly for AP mode)
+#CONFIG_IEEE80211N=y
+
+# IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
+# (depends on CONFIG_IEEE80211N)
+#CONFIG_IEEE80211AC=y
+
+# Wireless Network Management (IEEE Std 802.11v-2011)
+# Note: This is experimental and not complete implementation.
+#CONFIG_WNM=y
+
+# Interworking (IEEE 802.11u)
+# This can be used to enable functionality to improve interworking with
+# external networks (GAS/ANQP to learn more about the networks and network
+# selection based on available credentials).
+#CONFIG_INTERWORKING=y
+
+# Hotspot 2.0
+#CONFIG_HS20=y
+
+# Enable interface matching in wpa_supplicant
+#CONFIG_MATCH_IFACE=y
+
+# Disable roaming in wpa_supplicant
+#CONFIG_NO_ROAMING=y
+
+# AP mode operations with wpa_supplicant
+# This can be used for controlling AP mode operations with wpa_supplicant. It
+# should be noted that this is mainly aimed at simple cases like
+# WPA2-Personal while more complex configurations like WPA2-Enterprise with an
+# external RADIUS server can be supported with hostapd.
+CONFIG_AP=y
+
+# P2P (Wi-Fi Direct)
+# This can be used to enable P2P support in wpa_supplicant. See README-P2P for
+# more information on P2P operations.
+CONFIG_P2P=y
+
+# Enable TDLS support
+#CONFIG_TDLS=y
+
+# Wi-Fi Display
+# This can be used to enable Wi-Fi Display extensions for P2P using an external
+# program to control the additional information exchanges in the messages.
+#CONFIG_WIFI_DISPLAY=y
+
+# Autoscan
+# This can be used to enable automatic scan support in wpa_supplicant.
+# See wpa_supplicant.conf for more information on autoscan usage.
+#
+# Enabling directly a module will enable autoscan support.
+# For exponential module:
+#CONFIG_AUTOSCAN_EXPONENTIAL=y
+# For periodic module:
+#CONFIG_AUTOSCAN_PERIODIC=y
+
+# Password (and passphrase, etc.) backend for external storage
+# These optional mechanisms can be used to add support for storing passwords
+# and other secrets in external (to wpa_supplicant) location. This allows, for
+# example, operating system specific key storage to be used
+#
+# External password backend for testing purposes (developer use)
+#CONFIG_EXT_PASSWORD_TEST=y
+
+# Enable Fast Session Transfer (FST)
+#CONFIG_FST=y
+
+# Enable CLI commands for FST testing
+#CONFIG_FST_TEST=y
+
+# OS X builds. This is only for building eapol_test.
+#CONFIG_OSX=y
+
+# Automatic Channel Selection
+# This will allow wpa_supplicant to pick the channel automatically when channel
+# is set to "0".
+#
+# TODO: Extend parser to be able to parse "channel=acs_survey" as an alternative
+# to "channel=0". This would enable us to eventually add other ACS algorithms in
+# similar way.
+#
+# Automatic selection is currently only done through initialization, later on
+# we hope to do background checks to keep us moving to more ideal channels as
+# time goes by. ACS is currently only supported through the nl80211 driver and
+# your driver must have survey dump capability that is filled by the driver
+# during scanning.
+#
+# TODO: In analogy to hostapd be able to customize the ACS survey algorithm with
+# a newly to create wpa_supplicant.conf variable acs_num_scans.
+#
+# Supported ACS drivers:
+# * ath9k
+# * ath5k
+# * ath10k
+#
+# For more details refer to:
+# http://wireless.kernel.org/en/users/Documentation/acs
+#CONFIG_ACS=y
+
+# Support Multi Band Operation
+#CONFIG_MBO=y
+
+# Fast Initial Link Setup (FILS) (IEEE 802.11ai)
+CONFIG_FILS=y
+# FILS shared key authentication with PFS
+#CONFIG_FILS_SK_PFS=y
+
+# Support RSN on IBSS networks
+# This is needed to be able to use mode=1 network profile with proto=RSN and
+# key_mgmt=WPA-PSK (i.e., full key management instead of WPA-None).
+CONFIG_IBSS_RSN=y
+
+# External PMKSA cache control
+# This can be used to enable control interface commands that allow the current
+# PMKSA cache entries to be fetched and new entries to be added.
+#CONFIG_PMKSA_CACHE_EXTERNAL=y
+
+# Mesh Networking (IEEE 802.11s)
+#CONFIG_MESH=y
+
+# Background scanning modules
+# These can be used to request wpa_supplicant to perform background scanning
+# operations for roaming within an ESS (same SSID). See the bgscan parameter in
+# the wpa_supplicant.conf file for more details.
+# Periodic background scans based on signal strength
+#CONFIG_BGSCAN_SIMPLE=y
+# Learn channels used by the network and try to avoid bgscans on other
+# channels (experimental)
+#CONFIG_BGSCAN_LEARN=y
+
+# Opportunistic Wireless Encryption (OWE)
+# Experimental implementation of draft-harkins-owe-07.txt
+#CONFIG_OWE=y
+
+# Device Provisioning Protocol (DPP)
+# This requires CONFIG_IEEE80211W=y to be enabled, too. (see
+# wpa_supplicant/README-DPP for details)
+#CONFIG_DPP=y
+
+# uBus IPC/RPC System
+# Services can connect to the bus and provide methods
+# that can be called by other services or clients.
+CONFIG_UBUS=y
+
+# OpenWrt patch 380-disable-ctrl-iface-mib.patch
+# leads to the MIB only being compiled in if
+# CONFIG_CTRL_IFACE_MIB is enabled.
+CONFIG_CTRL_IFACE_MIB=y

feeds/hostapd/hostapd/files/wpa_supplicant.uc

@@ -0,0 +1,330 @@
+let libubus = require("ubus");
+import { open, readfile } from "fs";
+import { wdev_create, wdev_remove, is_equal, vlist_new, phy_open } from "common";
+
+let ubus = libubus.connect();
+
+wpas.data.config = {};
+wpas.data.iface_phy = {};
+wpas.data.macaddr_list = {};
+
+function iface_stop(iface)
+{
+	let ifname = iface.config.iface;
+
+	if (!iface.running)
+		return;
+
+	delete wpas.data.iface_phy[ifname];
+	wpas.remove_iface(ifname);
+	wdev_remove(ifname);
+	iface.running = false;
+}
+
+function iface_start(phydev, iface, macaddr_list)
+{
+	let phy = phydev.name;
+
+	if (iface.running)
+		return;
+
+	let ifname = iface.config.iface;
+	let wdev_config = {};
+	for (let field in iface.config)
+		wdev_config[field] = iface.config[field];
+	if (!wdev_config.macaddr)
+		wdev_config.macaddr = phydev.macaddr_next();
+
+	wpas.data.iface_phy[ifname] = phy;
+	wdev_remove(ifname);
+	let ret = wdev_create(phy, ifname, wdev_config);
+	if (ret)
+		wpas.printf(`Failed to create device ${ifname}: ${ret}`);
+	wpas.add_iface(iface.config);
+	iface.running = true;
+}
+
+function iface_cb(new_if, old_if)
+{
+	if (old_if && new_if && is_equal(old_if.config, new_if.config)) {
+		new_if.running = old_if.running;
+		return;
+	}
+
+	if (new_if && old_if)
+		wpas.printf(`Update configuration for interface ${old_if.config.iface}`);
+	else if (old_if)
+		wpas.printf(`Remove interface ${old_if.config.iface}`);
+
+	if (old_if)
+		iface_stop(old_if);
+}
+
+function prepare_config(config)
+{
+	config.config_data = readfile(config.config);
+
+	return { config: config };
+}
+
+function set_config(phy_name, config_list)
+{
+	let phy = wpas.data.config[phy_name];
+
+	if (!phy) {
+		phy = vlist_new(iface_cb, false);
+		wpas.data.config[phy_name] = phy;
+	}
+
+	let values = [];
+	for (let config in config_list)
+		push(values, [ config.iface, prepare_config(config) ]);
+
+	phy.update(values);
+}
+
+function start_pending(phy_name)
+{
+	let phy = wpas.data.config[phy_name];
+	let ubus = wpas.data.ubus;
+
+	if (!phy || !phy.data)
+		return;
+
+	let phydev = phy_open(phy_name);
+	if (!phydev) {
+		wpas.printf(`Could not open phy ${phy_name}`);
+		return;
+	}
+
+	let macaddr_list = wpas.data.macaddr_list[phy_name];
+	phydev.macaddr_init(macaddr_list);
+
+	for (let ifname in phy.data)
+		iface_start(phydev, phy.data[ifname]);
+}
+
+let main_obj = {
+	phy_set_state: {
+		args: {
+			phy: "",
+			stop: true,
+		},
+		call: function(req) {
+			if (!req.args.phy || req.args.stop == null)
+				return libubus.STATUS_INVALID_ARGUMENT;
+
+			let phy = wpas.data.config[req.args.phy];
+			if (!phy)
+				return libubus.STATUS_NOT_FOUND;
+
+			try {
+				if (req.args.stop) {
+					for (let ifname in phy.data)
+						iface_stop(phy.data[ifname]);
+				} else {
+					start_pending(req.args.phy);
+				}
+			} catch (e) {
+				wpas.printf(`Error chaging state: ${e}\n${e.stacktrace[0].context}`);
+				return libubus.STATUS_INVALID_ARGUMENT;
+			}
+			return 0;
+		}
+	},
+	phy_set_macaddr_list: {
+		args: {
+			phy: "",
+			macaddr: [],
+		},
+		call: function(req) {
+			let phy = req.args.phy;
+			if (!phy)
+				return libubus.STATUS_INVALID_ARGUMENT;
+
+			wpas.data.macaddr_list[phy] = req.args.macaddr;
+			return 0;
+		}
+	},
+	phy_status: {
+		args: {
+			phy: ""
+		},
+		call: function(req) {
+			if (!req.args.phy)
+				return libubus.STATUS_INVALID_ARGUMENT;
+
+			let phy = wpas.data.config[req.args.phy];
+			if (!phy)
+				return libubus.STATUS_NOT_FOUND;
+
+			for (let ifname in phy.data) {
+				try {
+					let iface = wpas.interfaces[ifname];
+					if (!iface)
+						continue;
+
+					let status = iface.status();
+					if (!status)
+						continue;
+
+					if (status.state == "INTERFACE_DISABLED")
+						continue;
+
+					status.ifname = ifname;
+					return status;
+				} catch (e) {
+					continue;
+				}
+			}
+
+			return libubus.STATUS_NOT_FOUND;
+		}
+	},
+	config_set: {
+		args: {
+			phy: "",
+			config: [],
+			defer: true,
+		},
+		call: function(req) {
+			if (!req.args.phy)
+				return libubus.STATUS_INVALID_ARGUMENT;
+
+			wpas.printf(`Set new config for phy ${req.args.phy}`);
+			try {
+				if (req.args.config)
+					set_config(req.args.phy, req.args.config);
+
+				if (!req.args.defer)
+					start_pending(req.args.phy);
+			} catch (e) {
+				wpas.printf(`Error loading config: ${e}\n${e.stacktrace[0].context}`);
+				return libubus.STATUS_INVALID_ARGUMENT;
+			}
+
+			return {
+				pid: wpas.getpid()
+			};
+		}
+	},
+	config_add: {
+		args: {
+			driver: "",
+			iface: "",
+			bridge: "",
+			hostapd_ctrl: "",
+			ctrl: "",
+			config: "",
+		},
+		call: function(req) {
+			if (!req.args.iface || !req.args.config)
+				return libubus.STATUS_INVALID_ARGUMENT;
+
+			if (wpas.add_iface(req.args) < 0)
+				return libubus.STATUS_INVALID_ARGUMENT;
+
+			return {
+				pid: wpas.getpid()
+			};
+		}
+	},
+	config_remove: {
+		args: {
+			iface: ""
+		},
+		call: function(req) {
+			if (!req.args.iface)
+				return libubus.STATUS_INVALID_ARGUMENT;
+
+			wpas.remove_iface(req.args.iface);
+			return 0;
+		}
+	},
+};
+
+wpas.data.ubus = ubus;
+wpas.data.obj = ubus.publish("wpa_supplicant", main_obj);
+
+function iface_event(type, name, data) {
+	let ubus = wpas.data.ubus;
+
+	data ??= {};
+	data.name = name;
+	wpas.data.obj.notify(`iface.${type}`, data, null, null, null, -1);
+	ubus.call("service", "event", { type: `wpa_supplicant.${name}.${type}`, data: {} });
+}
+
+function iface_hostapd_notify(phy, ifname, iface, state)
+{
+	let ubus = wpas.data.ubus;
+	let status = iface.status();
+	let msg = { phy: phy };
+
+	switch (state) {
+	case "DISCONNECTED":
+	case "AUTHENTICATING":
+	case "SCANNING":
+		msg.up = false;
+		break;
+	case "INTERFACE_DISABLED":
+	case "INACTIVE":
+		msg.up = true;
+		break;
+	case "COMPLETED":
+		msg.up = true;
+		msg.frequency = status.frequency;
+		msg.sec_chan_offset = status.sec_chan_offset;
+		break;
+	default:
+		return;
+	}
+
+	ubus.call("hostapd", "apsta_state", msg);
+}
+
+function iface_channel_switch(phy, ifname, iface, info)
+{
+	let msg = {
+		phy: phy,
+		up: true,
+		csa: true,
+		csa_count: info.csa_count ? info.csa_count - 1 : 0,
+		frequency: info.frequency,
+		sec_chan_offset: info.sec_chan_offset,
+	};
+	ubus.call("hostapd", "apsta_state", msg);
+}
+
+return {
+	shutdown: function() {
+		for (let phy in wpas.data.config)
+			set_config(phy, []);
+		wpas.ubus.disconnect();
+	},
+	iface_add: function(name, obj) {
+		iface_event("add", name);
+	},
+	iface_remove: function(name, obj) {
+		iface_event("remove", name);
+	},
+	state: function(ifname, iface, state) {
+		let phy = wpas.data.iface_phy[ifname];
+		if (!phy) {
+			wpas.printf(`no PHY for ifname ${ifname}`);
+			return;
+		}
+
+		iface_hostapd_notify(phy, ifname, iface, state);
+	},
+	event: function(ifname, iface, ev, info) {
+		let phy = wpas.data.iface_phy[ifname];
+		if (!phy) {
+			wpas.printf(`no PHY for ifname ${ifname}`);
+			return;
+		}
+
+		if (ev == "CH_SWITCH_STARTED")
+			iface_channel_switch(phy, ifname, iface, info);
+	}
+};

feeds/hostapd/hostapd/files/wpad.init

@@ -0,0 +1,43 @@
+#!/bin/sh /etc/rc.common
+
+START=19
+STOP=21
+
+USE_PROCD=1
+NAME=wpad
+
+start_service() {
+	if [ -x "/usr/sbin/hostapd" ]; then
+		mkdir -p /var/run/hostapd
+		chown network:network /var/run/hostapd
+		procd_open_instance hostapd
+		procd_set_param command /usr/sbin/hostapd -s -g /var/run/hostapd/global
+		procd_set_param respawn 3600 1 0
+		procd_set_param limits core="unlimited"
+		[ -x /sbin/ujail -a -e /etc/capabilities/wpad.json ] && {
+			procd_add_jail hostapd
+			procd_set_param capabilities /etc/capabilities/wpad.json
+			procd_set_param user network
+			procd_set_param group network
+			procd_set_param no_new_privs 1
+		}
+		procd_close_instance
+	fi
+
+	if [ -x "/usr/sbin/wpa_supplicant" ]; then
+		mkdir -p /var/run/wpa_supplicant
+		chown network:network /var/run/wpa_supplicant
+		procd_open_instance supplicant
+		procd_set_param command /usr/sbin/wpa_supplicant -n -s -g /var/run/wpa_supplicant/global
+		procd_set_param respawn 3600 1 0
+		procd_set_param limits core="unlimited"
+		[ -x /sbin/ujail -a -e /etc/capabilities/wpad.json ] && {
+			procd_add_jail wpa_supplicant
+			procd_set_param capabilities /etc/capabilities/wpad.json
+			procd_set_param user network
+			procd_set_param group network
+			procd_set_param no_new_privs 1
+		}
+		procd_close_instance
+	fi
+}

feeds/hostapd/hostapd/files/wpad_acl.json

@@ -0,0 +1,16 @@
+{
+	"user": "network",
+	"access": {
+		"service": {
+			"methods": [ "event" ]
+		},
+		"wpa_supplicant": {
+			"methods": [ "phy_set_state", "phy_set_macaddr_list", "phy_status" ]
+		},
+		"hostapd": {
+			"methods": [ "apsta_state" ]
+		}
+	},
+	"publish": [ "hostapd", "hostapd.*", "wpa_supplicant", "wpa_supplicant.*" ],
+	"send": [ "bss.*", "wps_credentials" ]
+}

feeds/hostapd/hostapd/files/wps-hotplug.sh

@@ -0,0 +1,69 @@
+#!/bin/sh
+
+wps_catch_credentials() {
+	local iface ifaces ifc ifname ssid encryption key radio radios
+	local found=0
+
+	. /usr/share/libubox/jshn.sh
+	ubus -S -t 30 listen wps_credentials | while read creds; do
+		json_init
+		json_load "$creds"
+		json_select wps_credentials || continue
+		json_get_vars ifname ssid key encryption
+		local ifcname="$ifname"
+		json_init
+		json_load "$(ubus -S call network.wireless status)"
+		json_get_keys radios
+		for radio in $radios; do
+			json_select $radio
+			json_select interfaces
+			json_get_keys ifaces
+			for ifc in $ifaces; do
+				json_select $ifc
+				json_get_vars ifname
+				[ "$ifname" = "$ifcname" ] && {
+					ubus -S call uci set "{\"config\":\"wireless\", \"type\":\"wifi-iface\",		\
+								\"match\": { \"device\": \"$radio\", \"encryption\": \"wps\" },	\
+								\"values\": { \"encryption\": \"$encryption\", 			\
+										\"ssid\": \"$ssid\", 				\
+										\"key\": \"$key\" } }"
+					ubus -S call uci commit '{"config": "wireless"}'
+					ubus -S call uci apply
+				}
+				json_select ..
+			done
+			json_select ..
+			json_select ..
+		done
+	done
+}
+
+if [ "$ACTION" = "released" ] && [ "$BUTTON" = "wps" ]; then
+	# If the button was pressed for 3 seconds or more, trigger WPS on
+	# wpa_supplicant only, no matter if hostapd is running or not.  If
+	# was pressed for less than 3 seconds, try triggering on
+	# hostapd. If there is no hostapd instance to trigger it on or WPS
+	# is not enabled on them, trigger it on wpa_supplicant.
+	if [ "$SEEN" -lt 3 ] ; then
+		wps_done=0
+		ubusobjs="$( ubus -S list hostapd.* )"
+		for ubusobj in $ubusobjs; do
+			ubus -S call $ubusobj wps_start && wps_done=1
+		done
+		[ $wps_done = 0 ] || return 0
+	fi
+	wps_done=0
+	ubusobjs="$( ubus -S list wpa_supplicant.* )"
+	for ubusobj in $ubusobjs; do
+		ifname="$(echo $ubusobj | cut -d'.' -f2 )"
+		multi_ap=""
+		if [ -e "/var/run/wpa_supplicant-${ifname}.conf.is_multiap" ]; then
+			ubus -S call $ubusobj wps_start '{ "multi_ap": true }' && wps_done=1
+		else
+			ubus -S call $ubusobj wps_start && wps_done=1
+		fi
+	done
+	[ $wps_done = 0 ] || wps_catch_credentials &
+fi
+
+return 0

feeds/hostapd/hostapd/patches/001-wolfssl-init-RNG-with-ECC-key.patch

@@ -0,0 +1,43 @@
+From 21ce83b4ae2b9563175fdb4fc4312096cc399cf8 Mon Sep 17 00:00:00 2001
+From: David Bauer <mail@david-bauer.net>
+Date: Wed, 5 May 2021 00:44:34 +0200
+Subject: [PATCH] wolfssl: add RNG to EC key
+
+Since upstream commit 6467de5a8840 ("Randomize z ordinates in
+scalar mult when timing resistant") WolfSSL requires a RNG for
+the EC key when built hardened which is the default.
+
+Set the RNG for the EC key to fix connections for OWE clients.
+
+Signed-off-by: David Bauer <mail@david-bauer.net>
+---
+ src/crypto/crypto_wolfssl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/src/crypto/crypto_wolfssl.c
++++ b/src/crypto/crypto_wolfssl.c
+@@ -1340,6 +1340,7 @@ int ecc_projective_add_point(ecc_point *
+ 
+ struct crypto_ec {
+ 	ecc_key key;
++	WC_RNG rng;
+ 	mp_int a;
+ 	mp_int prime;
+ 	mp_int order;
+@@ -1394,6 +1395,8 @@ struct crypto_ec * crypto_ec_init(int gr
+ 		return NULL;
+ 
+ 	if (wc_ecc_init(&e->key) != 0 ||
++	    wc_InitRng(&e->rng) != 0 ||
++	    wc_ecc_set_rng(&e->key, &e->rng) != 0 ||
+ 	    wc_ecc_set_curve(&e->key, 0, curve_id) != 0 ||
+ 	    mp_init(&e->a) != MP_OKAY ||
+ 	    mp_init(&e->prime) != MP_OKAY ||
+@@ -1425,6 +1428,7 @@ void crypto_ec_deinit(struct crypto_ec*
+ 	mp_clear(&e->order);
+ 	mp_clear(&e->prime);
+ 	mp_clear(&e->a);
++	wc_FreeRng(&e->rng);
+ 	wc_ecc_free(&e->key);
+ 	os_free(e);
+ }

feeds/hostapd/hostapd/patches/010-mesh-Allow-DFS-channels-to-be-selected-if-dfs-is-ena.patch

@@ -0,0 +1,135 @@
+From 8de8cd8380af0c43d4fde67a668d79ef73b26b26 Mon Sep 17 00:00:00 2001
+From: Peter Oh <peter.oh@bowerswilkins.com>
+Date: Tue, 30 Jun 2020 14:18:58 +0200
+Subject: [PATCH 10/19] mesh: Allow DFS channels to be selected if dfs is
+ enabled
+
+Note: DFS is assumed to be usable if a country code has been set
+
+Signed-off-by: Benjamin Berg <benjamin@sipsolutions.net>
+Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
+---
+ wpa_supplicant/wpa_supplicant.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+--- a/wpa_supplicant/wpa_supplicant.c
++++ b/wpa_supplicant/wpa_supplicant.c
+@@ -2638,7 +2638,7 @@ static int drv_supports_vht(struct wpa_s
+ }
+ 
+ 
+-static bool ibss_mesh_is_80mhz_avail(int channel, struct hostapd_hw_modes *mode)
++static bool ibss_mesh_is_80mhz_avail(int channel, struct hostapd_hw_modes *mode, bool dfs_enabled)
+ {
+ 	int i;
+ 
+@@ -2647,7 +2647,10 @@ static bool ibss_mesh_is_80mhz_avail(int
+ 
+ 		chan = hw_get_channel_chan(mode, i, NULL);
+ 		if (!chan ||
+-		    chan->flag & (HOSTAPD_CHAN_DISABLED | HOSTAPD_CHAN_NO_IR))
++		    chan->flag & HOSTAPD_CHAN_DISABLED)
++			return false;
++		
++		if (!dfs_enabled && chan->flag & (HOSTAPD_CHAN_RADAR | HOSTAPD_CHAN_NO_IR))
+ 			return false;
+ 	}
+ 
+@@ -2774,7 +2777,7 @@ static void ibss_mesh_select_40mhz(struc
+ 				   const struct wpa_ssid *ssid,
+ 				   struct hostapd_hw_modes *mode,
+ 				   struct hostapd_freq_params *freq,
+-				   int obss_scan) {
++				   int obss_scan, bool dfs_enabled) {
+ 	int chan_idx;
+ 	struct hostapd_channel_data *pri_chan = NULL, *sec_chan = NULL;
+ 	int i, res;
+@@ -2798,8 +2801,11 @@ static void ibss_mesh_select_40mhz(struc
+ 		return;
+ 
+ 	/* Check primary channel flags */
+-	if (pri_chan->flag & (HOSTAPD_CHAN_DISABLED | HOSTAPD_CHAN_NO_IR))
++	if (pri_chan->flag & HOSTAPD_CHAN_DISABLED)
+ 		return;
++	if (pri_chan->flag & (HOSTAPD_CHAN_RADAR | HOSTAPD_CHAN_NO_IR))
++		if (!dfs_enabled)
++			return;
+ 
+ #ifdef CONFIG_HT_OVERRIDES
+ 	if (ssid->disable_ht40)
+@@ -2825,8 +2831,11 @@ static void ibss_mesh_select_40mhz(struc
+ 		return;
+ 
+ 	/* Check secondary channel flags */
+-	if (sec_chan->flag & (HOSTAPD_CHAN_DISABLED | HOSTAPD_CHAN_NO_IR))
++	if (sec_chan->flag & HOSTAPD_CHAN_DISABLED)
+ 		return;
++	if (sec_chan->flag & (HOSTAPD_CHAN_RADAR | HOSTAPD_CHAN_NO_IR))
++		if (!dfs_enabled)
++			return;
+ 
+ 	if (ht40 == -1) {
+ 		if (!(pri_chan->flag & HOSTAPD_CHAN_HT40MINUS))
+@@ -2880,7 +2889,7 @@ static bool ibss_mesh_select_80_160mhz(s
+ 				       const struct wpa_ssid *ssid,
+ 				       struct hostapd_hw_modes *mode,
+ 				       struct hostapd_freq_params *freq,
+-				       int ieee80211_mode, bool is_6ghz) {
++				       int ieee80211_mode, bool is_6ghz, bool dfs_enabled) {
+ 	static const int bw80[] = {
+ 		5180, 5260, 5500, 5580, 5660, 5745, 5825,
+ 		5955, 6035, 6115, 6195, 6275, 6355, 6435,
+@@ -2925,7 +2934,7 @@ static bool ibss_mesh_select_80_160mhz(s
+ 		goto skip_80mhz;
+ 
+ 	/* Use 40 MHz if channel not usable */
+-	if (!ibss_mesh_is_80mhz_avail(channel, mode))
++	if (!ibss_mesh_is_80mhz_avail(channel, mode, dfs_enabled))
+ 		goto skip_80mhz;
+ 
+ 	chwidth = CONF_OPER_CHWIDTH_80MHZ;
+@@ -2939,7 +2948,7 @@ static bool ibss_mesh_select_80_160mhz(s
+ 	if ((mode->he_capab[ieee80211_mode].phy_cap[
+ 		     HE_PHYCAP_CHANNEL_WIDTH_SET_IDX] &
+ 	     HE_PHYCAP_CHANNEL_WIDTH_SET_160MHZ_IN_5G) && is_6ghz &&
+-	    ibss_mesh_is_80mhz_avail(channel + 16, mode)) {
++	    ibss_mesh_is_80mhz_avail(channel + 16, mode, dfs_enabled)) {
+ 		for (j = 0; j < ARRAY_SIZE(bw160); j++) {
+ 			if (freq->freq == bw160[j]) {
+ 				chwidth = CONF_OPER_CHWIDTH_160MHZ;
+@@ -2967,10 +2976,12 @@ static bool ibss_mesh_select_80_160mhz(s
+ 				if (!chan)
+ 					continue;
+ 
+-				if (chan->flag & (HOSTAPD_CHAN_DISABLED |
+-						  HOSTAPD_CHAN_NO_IR |
+-						  HOSTAPD_CHAN_RADAR))
++				if (chan->flag & HOSTAPD_CHAN_DISABLED)
+ 					continue;
++				if (chan->flag & (HOSTAPD_CHAN_RADAR |
++						  HOSTAPD_CHAN_NO_IR))
++					if (!dfs_enabled)
++						continue;
+ 
+ 				/* Found a suitable second segment for 80+80 */
+ 				chwidth = CONF_OPER_CHWIDTH_80P80MHZ;
+@@ -3025,6 +3036,7 @@ void ibss_mesh_setup_freq(struct wpa_sup
+ 	int i, obss_scan = 1;
+ 	u8 channel;
+ 	bool is_6ghz;
++	bool dfs_enabled = wpa_s->conf->country[0] && (wpa_s->drv_flags & WPA_DRIVER_FLAGS_RADAR);
+ 
+ 	freq->freq = ssid->frequency;
+ 
+@@ -3070,9 +3082,9 @@ void ibss_mesh_setup_freq(struct wpa_sup
+ 	freq->channel = channel;
+ 	/* Setup higher BW only for 5 GHz */
+ 	if (mode->mode == HOSTAPD_MODE_IEEE80211A) {
+-		ibss_mesh_select_40mhz(wpa_s, ssid, mode, freq, obss_scan);
++		ibss_mesh_select_40mhz(wpa_s, ssid, mode, freq, obss_scan, dfs_enabled);
+ 		if (!ibss_mesh_select_80_160mhz(wpa_s, ssid, mode, freq,
+-						ieee80211_mode, is_6ghz))
++						ieee80211_mode, is_6ghz, dfs_enabled))
+ 			freq->he_enabled = freq->vht_enabled = false;
+ 	}
+ 

feeds/hostapd/hostapd/patches/011-mesh-use-deterministic-channel-on-channel-switch.patch

@@ -0,0 +1,81 @@
+From fc8ea40f6130ac18d9c66797de2cf1d5af55d496 Mon Sep 17 00:00:00 2001
+From: Markus Theil <markus.theil@tu-ilmenau.de>
+Date: Tue, 30 Jun 2020 14:19:07 +0200
+Subject: [PATCH 19/19] mesh: use deterministic channel on channel switch
+
+This patch uses a deterministic channel on DFS channel switch
+in mesh networks. Otherwise, when switching to a usable but not
+available channel, no CSA can be sent and a random channel is choosen
+without notification of other nodes. It is then quite likely, that
+the mesh network gets disconnected.
+
+Fix this by using a deterministic number, based on the sha256 hash
+of the mesh ID, in order to use at least a different number in each
+mesh network.
+
+Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
+---
+ src/ap/dfs.c                 | 20 +++++++++++++++++++-
+ src/drivers/driver_nl80211.c |  4 ++++
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+
+--- a/src/ap/dfs.c
++++ b/src/ap/dfs.c
+@@ -17,6 +17,7 @@
+ #include "ap_drv_ops.h"
+ #include "drivers/driver.h"
+ #include "dfs.h"
++#include "crypto/crypto.h"
+ 
+ 
+ enum dfs_channel_type {
+@@ -526,9 +527,14 @@ dfs_get_valid_channel(struct hostapd_ifa
+ 	int num_available_chandefs;
+ 	int chan_idx, chan_idx2;
+ 	int sec_chan_idx_80p80 = -1;
++	bool is_mesh = false;
+ 	int i;
+ 	u32 _rand;
+ 
++#ifdef CONFIG_MESH
++	is_mesh = iface->mconf;
++#endif
++
+ 	wpa_printf(MSG_DEBUG, "DFS: Selecting random channel");
+ 	*secondary_channel = 0;
+ 	*oper_centr_freq_seg0_idx = 0;
+@@ -548,8 +554,20 @@ dfs_get_valid_channel(struct hostapd_ifa
+ 	if (num_available_chandefs == 0)
+ 		return NULL;
+ 
+-	if (os_get_random((u8 *) &_rand, sizeof(_rand)) < 0)
++	/* try to use deterministic channel in mesh, so that both sides
++	 * have a chance to switch to the same channel */
++	if (is_mesh) {
++#ifdef CONFIG_MESH
++		u64 hash[4];
++		const u8 *meshid[1] = { &iface->mconf->meshid[0] };
++		const size_t meshid_len = iface->mconf->meshid_len;
++
++		sha256_vector(1, meshid, &meshid_len, (u8 *)&hash[0]);
++		_rand = hash[0] + hash[1] + hash[2] + hash[3];
++#endif
++	} else if (os_get_random((u8 *) &_rand, sizeof(_rand)) < 0)
+ 		return NULL;
++
+ 	chan_idx = _rand % num_available_chandefs;
+ 	dfs_find_channel(iface, &chan, chan_idx, type);
+ 	if (!chan) {
+--- a/src/drivers/driver_nl80211.c
++++ b/src/drivers/driver_nl80211.c
+@@ -11017,6 +11017,10 @@ static int nl80211_switch_channel(void *
+ 	if (ret)
+ 		goto error;
+ 
++	if (drv->nlmode == NL80211_IFTYPE_MESH_POINT) {
++		nla_put_flag(msg, NL80211_ATTR_HANDLE_DFS);
++	}
++
+ 	/* beacon_csa params */
+ 	beacon_csa = nla_nest_start(msg, NL80211_ATTR_CSA_IES);
+ 	if (!beacon_csa)

feeds/hostapd/hostapd/patches/021-fix-sta-add-after-previous-connection.patch

@@ -0,0 +1,26 @@
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -4621,6 +4621,13 @@ static int add_associated_sta(struct hos
+ 	 * drivers to accept the STA parameter configuration. Since this is
+ 	 * after a new FT-over-DS exchange, a new TK has been derived, so key
+ 	 * reinstallation is not a concern for this case.
++	 *
++	 * If the STA was associated and authorized earlier, but came for a new
++	 * connection (!added_unassoc + !reassoc), remove the existing STA entry
++	 * so that it can be re-added. This case is rarely seen when the AP could
++	 * not receive the deauth/disassoc frame from the STA. And the STA comes
++	 * back with new connection within a short period or before the inactive
++	 * STA entry is removed from the list.
+ 	 */
+ 	wpa_printf(MSG_DEBUG, "Add associated STA " MACSTR
+ 		   " (added_unassoc=%d auth_alg=%u ft_over_ds=%u reassoc=%d authorized=%d ft_tk=%d fils_tk=%d)",
+@@ -4634,7 +4641,8 @@ static int add_associated_sta(struct hos
+ 	    (!(sta->flags & WLAN_STA_AUTHORIZED) ||
+ 	     (reassoc && sta->ft_over_ds && sta->auth_alg == WLAN_AUTH_FT) ||
+ 	     (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) &&
+-	      !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) {
++	      !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)) ||
++	     (!reassoc && (sta->flags & WLAN_STA_AUTHORIZED)))) {
+ 		hostapd_drv_sta_remove(hapd, sta->addr);
+ 		wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
+ 		set = 0;

feeds/hostapd/hostapd/patches/022-hostapd-fix-use-of-uninitialized-stack-variables.patch

@@ -0,0 +1,25 @@
+From: Felix Fietkau <nbd@nbd.name>
+Date: Thu, 8 Jul 2021 16:33:03 +0200
+Subject: [PATCH] hostapd: fix use of uninitialized stack variables
+
+When a CSA is performed on an 80 MHz channel, hostapd_change_config_freq
+unconditionally calls hostapd_set_oper_centr_freq_seg0/1_idx with seg0/1
+filled by ieee80211_freq_to_chan.
+However, if ieee80211_freq_to_chan fails (because the freq is 0 or invalid),
+seg0/1 remains uninitialized and filled with stack garbage, causing errors
+such as "hostapd: 80 MHz: center segment 1 configured"
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+---
+
+--- a/src/ap/hostapd.c
++++ b/src/ap/hostapd.c
+@@ -3764,7 +3764,7 @@ static int hostapd_change_config_freq(st
+ 				      struct hostapd_freq_params *old_params)
+ {
+ 	int channel;
+-	u8 seg0, seg1;
++	u8 seg0 = 0, seg1 = 0;
+ 	struct hostapd_hw_modes *mode;
+ 
+ 	if (!params->channel) {

feeds/hostapd/hostapd/patches/030-driver_nl80211-rewrite-neigh-code-to-not-depend-on-l.patch

@@ -0,0 +1,275 @@
+From: Felix Fietkau <nbd@nbd.name>
+Date: Wed, 28 Jul 2021 05:49:46 +0200
+Subject: [PATCH] driver_nl80211: rewrite neigh code to not depend on
+ libnl3-route
+
+Removes an unnecessary dependency and also makes the code smaller
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+---
+
+--- a/src/drivers/driver_nl80211.c
++++ b/src/drivers/driver_nl80211.c
+@@ -16,9 +16,6 @@
+ #include <net/if.h>
+ #include <netlink/genl/genl.h>
+ #include <netlink/genl/ctrl.h>
+-#ifdef CONFIG_LIBNL3_ROUTE
+-#include <netlink/route/neighbour.h>
+-#endif /* CONFIG_LIBNL3_ROUTE */
+ #include <linux/rtnetlink.h>
+ #include <netpacket/packet.h>
+ #include <linux/errqueue.h>
+@@ -5783,26 +5780,29 @@ fail:
+ 
+ static void rtnl_neigh_delete_fdb_entry(struct i802_bss *bss, const u8 *addr)
+ {
+-#ifdef CONFIG_LIBNL3_ROUTE
+ 	struct wpa_driver_nl80211_data *drv = bss->drv;
+-	struct rtnl_neigh *rn;
+-	struct nl_addr *nl_addr;
++	struct ndmsg nhdr = {
++		.ndm_state = NUD_PERMANENT,
++		.ndm_ifindex = bss->ifindex,
++		.ndm_family = AF_BRIDGE,
++	};
++	struct nl_msg *msg;
+ 	int err;
+ 
+-	rn = rtnl_neigh_alloc();
+-	if (!rn)
++	msg = nlmsg_alloc_simple(RTM_DELNEIGH, NLM_F_CREATE);
++	if (!msg)
+ 		return;
+ 
+-	rtnl_neigh_set_family(rn, AF_BRIDGE);
+-	rtnl_neigh_set_ifindex(rn, bss->ifindex);
+-	nl_addr = nl_addr_build(AF_BRIDGE, (void *) addr, ETH_ALEN);
+-	if (!nl_addr) {
+-		rtnl_neigh_put(rn);
+-		return;
+-	}
+-	rtnl_neigh_set_lladdr(rn, nl_addr);
++	if (nlmsg_append(msg, &nhdr, sizeof(nhdr), NLMSG_ALIGNTO) < 0)
++		goto errout;
++
++	if (nla_put(msg, NDA_LLADDR, ETH_ALEN, (void *)addr))
++		goto errout;
++
++	if (nl_send_auto_complete(drv->rtnl_sk, msg) < 0)
++		goto errout;
+ 
+-	err = rtnl_neigh_delete(drv->rtnl_sk, rn, 0);
++	err = nl_wait_for_ack(drv->rtnl_sk);
+ 	if (err < 0) {
+ 		wpa_printf(MSG_DEBUG, "nl80211: bridge FDB entry delete for "
+ 			   MACSTR " ifindex=%d failed: %s", MAC2STR(addr),
+@@ -5812,9 +5812,8 @@ static void rtnl_neigh_delete_fdb_entry(
+ 			   MACSTR, MAC2STR(addr));
+ 	}
+ 
+-	nl_addr_put(nl_addr);
+-	rtnl_neigh_put(rn);
+-#endif /* CONFIG_LIBNL3_ROUTE */
++errout:
++	nlmsg_free(msg);
+ }
+ 
+ 
+@@ -8492,7 +8491,6 @@ static void *i802_init(struct hostapd_da
+ 	    (params->num_bridge == 0 || !params->bridge[0]))
+ 		add_ifidx(drv, br_ifindex, drv->ifindex);
+ 
+-#ifdef CONFIG_LIBNL3_ROUTE
+ 	if (bss->added_if_into_bridge || bss->already_in_bridge) {
+ 		int err;
+ 
+@@ -8509,7 +8507,6 @@ static void *i802_init(struct hostapd_da
+ 			goto failed;
+ 		}
+ 	}
+-#endif /* CONFIG_LIBNL3_ROUTE */
+ 
+ 	if (drv->capa.flags2 & WPA_DRIVER_FLAGS2_CONTROL_PORT_RX) {
+ 		wpa_printf(MSG_DEBUG,
+@@ -11883,13 +11880,14 @@ static int wpa_driver_br_add_ip_neigh(vo
+ 				      const u8 *ipaddr, int prefixlen,
+ 				      const u8 *addr)
+ {
+-#ifdef CONFIG_LIBNL3_ROUTE
+ 	struct i802_bss *bss = priv;
+ 	struct wpa_driver_nl80211_data *drv = bss->drv;
+-	struct rtnl_neigh *rn;
+-	struct nl_addr *nl_ipaddr = NULL;
+-	struct nl_addr *nl_lladdr = NULL;
+-	int family, addrsize;
++	struct ndmsg nhdr = {
++		.ndm_state = NUD_PERMANENT,
++		.ndm_ifindex = bss->br_ifindex,
++	};
++	struct nl_msg *msg;
++	int addrsize;
+ 	int res;
+ 
+ 	if (!ipaddr || prefixlen == 0 || !addr)
+@@ -11908,85 +11906,66 @@ static int wpa_driver_br_add_ip_neigh(vo
+ 	}
+ 
+ 	if (version == 4) {
+-		family = AF_INET;
++		nhdr.ndm_family = AF_INET;
+ 		addrsize = 4;
+ 	} else if (version == 6) {
+-		family = AF_INET6;
++		nhdr.ndm_family = AF_INET6;
+ 		addrsize = 16;
+ 	} else {
+ 		return -EINVAL;
+ 	}
+ 
+-	rn = rtnl_neigh_alloc();
+-	if (rn == NULL)
++	msg = nlmsg_alloc_simple(RTM_NEWNEIGH, NLM_F_CREATE);
++	if (!msg)
+ 		return -ENOMEM;
+ 
+-	/* set the destination ip address for neigh */
+-	nl_ipaddr = nl_addr_build(family, (void *) ipaddr, addrsize);
+-	if (nl_ipaddr == NULL) {
+-		wpa_printf(MSG_DEBUG, "nl80211: nl_ipaddr build failed");
+-		res = -ENOMEM;
++	res = -ENOMEM;
++	if (nlmsg_append(msg, &nhdr, sizeof(nhdr), NLMSG_ALIGNTO) < 0)
+ 		goto errout;
+-	}
+-	nl_addr_set_prefixlen(nl_ipaddr, prefixlen);
+-	res = rtnl_neigh_set_dst(rn, nl_ipaddr);
+-	if (res) {
+-		wpa_printf(MSG_DEBUG,
+-			   "nl80211: neigh set destination addr failed");
++
++	if (nla_put(msg, NDA_DST, addrsize, (void *)ipaddr))
+ 		goto errout;
+-	}
+ 
+-	/* set the corresponding lladdr for neigh */
+-	nl_lladdr = nl_addr_build(AF_BRIDGE, (u8 *) addr, ETH_ALEN);
+-	if (nl_lladdr == NULL) {
+-		wpa_printf(MSG_DEBUG, "nl80211: neigh set lladdr failed");
+-		res = -ENOMEM;
++	if (nla_put(msg, NDA_LLADDR, ETH_ALEN, (void *)addr))
+ 		goto errout;
+-	}
+-	rtnl_neigh_set_lladdr(rn, nl_lladdr);
+ 
+-	rtnl_neigh_set_ifindex(rn, bss->br_ifindex);
+-	rtnl_neigh_set_state(rn, NUD_PERMANENT);
++	res = nl_send_auto_complete(drv->rtnl_sk, msg);
++	if (res < 0)
++		goto errout;
+ 
+-	res = rtnl_neigh_add(drv->rtnl_sk, rn, NLM_F_CREATE);
++	res = nl_wait_for_ack(drv->rtnl_sk);
+ 	if (res) {
+ 		wpa_printf(MSG_DEBUG,
+ 			   "nl80211: Adding bridge ip neigh failed: %s",
+ 			   nl_geterror(res));
+ 	}
+ errout:
+-	if (nl_lladdr)
+-		nl_addr_put(nl_lladdr);
+-	if (nl_ipaddr)
+-		nl_addr_put(nl_ipaddr);
+-	if (rn)
+-		rtnl_neigh_put(rn);
++	nlmsg_free(msg);
+ 	return res;
+-#else /* CONFIG_LIBNL3_ROUTE */
+-	return -1;
+-#endif /* CONFIG_LIBNL3_ROUTE */
+ }
+ 
+ 
+ static int wpa_driver_br_delete_ip_neigh(void *priv, u8 version,
+ 					 const u8 *ipaddr)
+ {
+-#ifdef CONFIG_LIBNL3_ROUTE
+ 	struct i802_bss *bss = priv;
+ 	struct wpa_driver_nl80211_data *drv = bss->drv;
+-	struct rtnl_neigh *rn;
+-	struct nl_addr *nl_ipaddr;
+-	int family, addrsize;
++	struct ndmsg nhdr = {
++		.ndm_state = NUD_PERMANENT,
++		.ndm_ifindex = bss->br_ifindex,
++	};
++	struct nl_msg *msg;
++	int addrsize;
+ 	int res;
+ 
+ 	if (!ipaddr)
+ 		return -EINVAL;
+ 
+ 	if (version == 4) {
+-		family = AF_INET;
++		nhdr.ndm_family = AF_INET;
+ 		addrsize = 4;
+ 	} else if (version == 6) {
+-		family = AF_INET6;
++		nhdr.ndm_family = AF_INET6;
+ 		addrsize = 16;
+ 	} else {
+ 		return -EINVAL;
+@@ -12004,41 +11983,30 @@ static int wpa_driver_br_delete_ip_neigh
+ 		return -1;
+ 	}
+ 
+-	rn = rtnl_neigh_alloc();
+-	if (rn == NULL)
++	msg = nlmsg_alloc_simple(RTM_DELNEIGH, NLM_F_CREATE);
++	if (!msg)
+ 		return -ENOMEM;
+ 
+-	/* set the destination ip address for neigh */
+-	nl_ipaddr = nl_addr_build(family, (void *) ipaddr, addrsize);
+-	if (nl_ipaddr == NULL) {
+-		wpa_printf(MSG_DEBUG, "nl80211: nl_ipaddr build failed");
+-		res = -ENOMEM;
++	res = -ENOMEM;
++	if (nlmsg_append(msg, &nhdr, sizeof(nhdr), NLMSG_ALIGNTO) < 0)
+ 		goto errout;
+-	}
+-	res = rtnl_neigh_set_dst(rn, nl_ipaddr);
+-	if (res) {
+-		wpa_printf(MSG_DEBUG,
+-			   "nl80211: neigh set destination addr failed");
++
++	if (nla_put(msg, NDA_DST, addrsize, (void *)ipaddr))
+ 		goto errout;
+-	}
+ 
+-	rtnl_neigh_set_ifindex(rn, bss->br_ifindex);
++	res = nl_send_auto_complete(drv->rtnl_sk, msg);
++	if (res < 0)
++		goto errout;
+ 
+-	res = rtnl_neigh_delete(drv->rtnl_sk, rn, 0);
++	res = nl_wait_for_ack(drv->rtnl_sk);
+ 	if (res) {
+ 		wpa_printf(MSG_DEBUG,
+ 			   "nl80211: Deleting bridge ip neigh failed: %s",
+ 			   nl_geterror(res));
+ 	}
+ errout:
+-	if (nl_ipaddr)
+-		nl_addr_put(nl_ipaddr);
+-	if (rn)
+-		rtnl_neigh_put(rn);
++	nlmsg_free(msg);
+ 	return res;
+-#else /* CONFIG_LIBNL3_ROUTE */
+-	return -1;
+-#endif /* CONFIG_LIBNL3_ROUTE */
+ }
+ 
+ 

feeds/hostapd/hostapd/patches/040-mesh-allow-processing-authentication-frames-in-block.patch

@@ -0,0 +1,34 @@
+From: Felix Fietkau <nbd@nbd.name>
+Date: Mon, 18 Feb 2019 12:57:11 +0100
+Subject: [PATCH] mesh: allow processing authentication frames in blocked state
+
+If authentication fails repeatedly e.g. because of a weak signal, the link
+can end up in blocked state. If one of the nodes tries to establish a link
+again before it is unblocked on the other side, it will block the link to
+that other side. The same happens on the other side when it unblocks the
+link. In that scenario, the link never recovers on its own.
+
+To fix this, allow restarting authentication even if the link is in blocked
+state, but don't initiate the attempt until the blocked period is over.
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+---
+
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -3020,15 +3020,6 @@ static void handle_auth(struct hostapd_d
+ 				       seq_ctrl);
+ 			return;
+ 		}
+-#ifdef CONFIG_MESH
+-		if ((hapd->conf->mesh & MESH_ENABLED) &&
+-		    sta->plink_state == PLINK_BLOCKED) {
+-			wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
+-				   " is blocked - drop Authentication frame",
+-				   MAC2STR(sa));
+-			return;
+-		}
+-#endif /* CONFIG_MESH */
+ #ifdef CONFIG_PASN
+ 		if (auth_alg == WLAN_AUTH_PASN &&
+ 		    (sta->flags & WLAN_STA_ASSOC)) {

feeds/hostapd/hostapd/patches/050-build_fix.patch

@@ -0,0 +1,20 @@
+--- a/hostapd/Makefile
++++ b/hostapd/Makefile
+@@ -324,6 +324,7 @@ ifdef CONFIG_FILS
+ CFLAGS += -DCONFIG_FILS
+ OBJS += ../src/ap/fils_hlp.o
+ NEED_SHA384=y
++NEED_HMAC_SHA384_KDF=y
+ NEED_AES_SIV=y
+ ifdef CONFIG_FILS_SK_PFS
+ CFLAGS += -DCONFIG_FILS_SK_PFS
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -331,6 +331,7 @@ endif
+ ifdef CONFIG_FILS
+ CFLAGS += -DCONFIG_FILS
+ NEED_SHA384=y
++NEED_HMAC_SHA384_KDF=y
+ NEED_AES_SIV=y
+ ifdef CONFIG_FILS_SK_PFS
+ CFLAGS += -DCONFIG_FILS_SK_PFS

feeds/hostapd/hostapd/patches/120-mbedtls-fips186_2_prf.patch

@@ -0,0 +1,114 @@
+From c8dba4bd750269bcc80fed3d546e2077cb4cdf0e Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Tue, 19 Jul 2022 20:02:21 -0400
+Subject: [PATCH 2/7] mbedtls: fips186_2_prf()
+
+Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
+---
+ hostapd/Makefile            |  4 ---
+ src/crypto/crypto_mbedtls.c | 60 +++++++++++++++++++++++++++++++++++++
+ wpa_supplicant/Makefile     |  4 ---
+ 3 files changed, 60 insertions(+), 8 deletions(-)
+
+--- a/hostapd/Makefile
++++ b/hostapd/Makefile
+@@ -759,10 +759,6 @@ endif
+ OBJS += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
+ HOBJS += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
+ SOBJS += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
+-ifdef NEED_FIPS186_2_PRF
+-OBJS += ../src/crypto/fips_prf_internal.o
+-SHA1OBJS += ../src/crypto/sha1-internal.o
+-endif
+ ifeq ($(CONFIG_CRYPTO), mbedtls)
+ ifdef CONFIG_DPP
+ LIBS += -lmbedx509
+--- a/src/crypto/crypto_mbedtls.c
++++ b/src/crypto/crypto_mbedtls.c
+@@ -132,6 +132,12 @@
+ #define CRYPTO_MBEDTLS_HMAC_KDF_SHA512
+ #endif
+ 
++#if defined(EAP_SIM) || defined(EAP_SIM_DYNAMIC) || defined(EAP_SERVER_SIM) \
++ || defined(EAP_AKA) || defined(EAP_AKA_DYNAMIC) || defined(EAP_SERVER_AKA)
++/* EAP_SIM=y EAP_AKA=y */
++#define CRYPTO_MBEDTLS_FIPS186_2_PRF
++#endif
++
+ #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST) \
+  || defined(EAP_TEAP) || defined(EAP_TEAP_DYNAMIC) || defined(EAP_SERVER_FAST)
+ #define CRYPTO_MBEDTLS_SHA1_T_PRF
+@@ -813,6 +819,60 @@ int sha1_t_prf(const u8 *key, size_t key
+ 
+ #endif /* CRYPTO_MBEDTLS_SHA1_T_PRF */
+ 
++#ifdef CRYPTO_MBEDTLS_FIPS186_2_PRF
++
++/* fips_prf_internal.c sha1-internal.c */
++
++/* used only by src/eap_common/eap_sim_common.c:eap_sim_prf()
++ * for eap_sim_derive_keys() and eap_sim_derive_keys_reauth()
++ * where xlen is 160 */
++
++int fips186_2_prf(const u8 *seed, size_t seed_len, u8 *x, size_t xlen)
++{
++	/* FIPS 186-2 + change notice 1 */
++
++	mbedtls_sha1_context ctx;
++	u8 * const xkey = ctx.MBEDTLS_PRIVATE(buffer);
++	u32 * const xstate = ctx.MBEDTLS_PRIVATE(state);
++	const u32 xstate_init[] =
++	  { 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0 };
++
++	mbedtls_sha1_init(&ctx);
++	os_memcpy(xkey, seed, seed_len < 64 ? seed_len : 64);
++
++	/* note: does not fill extra bytes if (xlen % 20) (SHA1_MAC_LEN) */
++	for (; xlen >= 20; xlen -= 20) {
++		/* XSEED_j = 0 */
++		/* XVAL = (XKEY + XSEED_j) mod 2^b */
++
++		/* w_i = G(t, XVAL) */
++		os_memcpy(xstate, xstate_init, sizeof(xstate_init));
++		mbedtls_internal_sha1_process(&ctx, xkey);
++
++	  #if __BYTE_ORDER == __LITTLE_ENDIAN
++		xstate[0] = host_to_be32(xstate[0]);
++		xstate[1] = host_to_be32(xstate[1]);
++		xstate[2] = host_to_be32(xstate[2]);
++		xstate[3] = host_to_be32(xstate[3]);
++		xstate[4] = host_to_be32(xstate[4]);
++	  #endif
++		os_memcpy(x, xstate, 20);
++		if (xlen == 20) /*(done; skip prep for next loop)*/
++			break;
++
++		/* XKEY = (1 + XKEY + w_i) mod 2^b */
++		for (u32 carry = 1, k = 20; k-- > 0; carry >>= 8)
++			xkey[k] = (carry += xkey[k] + x[k]) & 0xff;
++		x += 20;
++		/* x_j = w_0|w_1 (each pair of iterations through loop)*/
++	}
++
++	mbedtls_sha1_free(&ctx);
++	return 0;
++}
++
++#endif /* CRYPTO_MBEDTLS_FIPS186_2_PRF */
++
+ #endif /* MBEDTLS_SHA1_C */
+ 
+ 
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -1174,10 +1174,6 @@ endif
+ OBJS += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
+ OBJS_p += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
+ OBJS_priv += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
+-ifdef NEED_FIPS186_2_PRF
+-OBJS += ../src/crypto/fips_prf_internal.o
+-SHA1OBJS += ../src/crypto/sha1-internal.o
+-endif
+ ifeq ($(CONFIG_CRYPTO), mbedtls)
+ LIBS += -lmbedcrypto
+ LIBS_p += -lmbedcrypto

feeds/hostapd/hostapd/patches/130-mbedtls-annotate-with-TEST_FAIL-for-hwsim-tests.patch

@@ -0,0 +1,421 @@
+From 31bd19e0e0254b910cccfd3ddc6a6a9222bbcfc0 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Sun, 9 Oct 2022 05:12:17 -0400
+Subject: [PATCH 3/7] mbedtls: annotate with TEST_FAIL() for hwsim tests
+
+Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
+---
+ src/crypto/crypto_mbedtls.c | 124 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 124 insertions(+)
+
+--- a/src/crypto/crypto_mbedtls.c
++++ b/src/crypto/crypto_mbedtls.c
+@@ -280,6 +280,9 @@ __attribute_noinline__
+ static int md_vector(size_t num_elem, const u8 *addr[], const size_t *len,
+                      u8 *mac, mbedtls_md_type_t md_type)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	mbedtls_md_context_t ctx;
+ 	mbedtls_md_init(&ctx);
+ 	if (mbedtls_md_setup(&ctx, mbedtls_md_info_from_type(md_type), 0) != 0){
+@@ -343,6 +346,9 @@ __attribute_noinline__
+ static int sha384_512_vector(size_t num_elem, const u8 *addr[],
+                              const size_t *len, u8 *mac, int is384)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	struct mbedtls_sha512_context ctx;
+ 	mbedtls_sha512_init(&ctx);
+   #if MBEDTLS_VERSION_MAJOR >= 3
+@@ -375,6 +381,9 @@ int sha384_vector(size_t num_elem, const
+ #include <mbedtls/sha256.h>
+ int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	struct mbedtls_sha256_context ctx;
+ 	mbedtls_sha256_init(&ctx);
+   #if MBEDTLS_VERSION_MAJOR >= 3
+@@ -397,6 +406,9 @@ int sha256_vector(size_t num_elem, const
+ #include <mbedtls/sha1.h>
+ int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	struct mbedtls_sha1_context ctx;
+ 	mbedtls_sha1_init(&ctx);
+   #if MBEDTLS_VERSION_MAJOR >= 3
+@@ -419,6 +431,9 @@ int sha1_vector(size_t num_elem, const u
+ #include <mbedtls/md5.h>
+ int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	struct mbedtls_md5_context ctx;
+ 	mbedtls_md5_init(&ctx);
+   #if MBEDTLS_VERSION_MAJOR >= 3
+@@ -441,6 +456,9 @@ int md5_vector(size_t num_elem, const u8
+ #include <mbedtls/md4.h>
+ int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	struct mbedtls_md4_context ctx;
+ 	mbedtls_md4_init(&ctx);
+ 	mbedtls_md4_starts_ret(&ctx);
+@@ -460,6 +478,9 @@ static int hmac_vector(const u8 *key, si
+                        const u8 *addr[], const size_t *len, u8 *mac,
+                        mbedtls_md_type_t md_type)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	mbedtls_md_context_t ctx;
+ 	mbedtls_md_init(&ctx);
+ 	if (mbedtls_md_setup(&ctx, mbedtls_md_info_from_type(md_type), 1) != 0){
+@@ -571,6 +592,9 @@ static int hmac_kdf_expand(const u8 *prk
+                            const char *label, const u8 *info, size_t info_len,
+                            u8 *okm, size_t okm_len, mbedtls_md_type_t md_type)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_type);
+   #ifdef MBEDTLS_HKDF_C
+ 	if (label == NULL)  /* RFC 5869 HKDF-Expand when (label == NULL) */
+@@ -663,6 +687,9 @@ static int hmac_prf_bits(const u8 *key,
+                          const u8 *data, size_t data_len, u8 *buf,
+                          size_t buf_len_bits, mbedtls_md_type_t md_type)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	mbedtls_md_context_t ctx;
+ 	mbedtls_md_init(&ctx);
+ 	const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_type);
+@@ -938,6 +965,9 @@ int pbkdf2_sha1(const char *passphrase,
+ 
+ static void *aes_crypt_init_mode(const u8 *key, size_t len, int mode)
+ {
++	if (TEST_FAIL())
++		return NULL;
++
+ 	mbedtls_aes_context *aes = os_malloc(sizeof(*aes));
+ 	if (!aes)
+ 		return NULL;
+@@ -996,6 +1026,9 @@ void aes_decrypt_deinit(void *ctx)
+ /* aes-wrap.c */
+ int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	mbedtls_nist_kw_context ctx;
+ 	mbedtls_nist_kw_init(&ctx);
+ 	size_t olen;
+@@ -1010,6 +1043,9 @@ int aes_wrap(const u8 *kek, size_t kek_l
+ /* aes-unwrap.c */
+ int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher, u8 *plain)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	mbedtls_nist_kw_context ctx;
+ 	mbedtls_nist_kw_init(&ctx);
+ 	size_t olen;
+@@ -1041,6 +1077,9 @@ int omac1_aes_vector(
+     const u8 *key, size_t key_len, size_t num_elem, const u8 *addr[],
+     const size_t *len, u8 *mac)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	mbedtls_cipher_type_t cipher_type;
+ 	switch (key_len) {
+ 	case 16: cipher_type = MBEDTLS_CIPHER_AES_128_ECB; break;
+@@ -1103,6 +1142,9 @@ int omac1_aes_256(const u8 *key, const u
+ /* aes-encblock.c */
+ int aes_128_encrypt_block(const u8 *key, const u8 *in, u8 *out)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	mbedtls_aes_context aes;
+ 	mbedtls_aes_init(&aes);
+ 	int ret = mbedtls_aes_setkey_enc(&aes, key, 128)
+@@ -1118,6 +1160,9 @@ int aes_128_encrypt_block(const u8 *key,
+ int aes_ctr_encrypt(const u8 *key, size_t key_len, const u8 *nonce,
+ 		    u8 *data, size_t data_len)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	unsigned char counter[MBEDTLS_AES_BLOCK_SIZE];
+ 	unsigned char stream_block[MBEDTLS_AES_BLOCK_SIZE];
+ 	os_memcpy(counter, nonce, MBEDTLS_AES_BLOCK_SIZE);/*(must be writable)*/
+@@ -1160,11 +1205,17 @@ static int aes_128_cbc_oper(const u8 *ke
+ 
+ int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	return aes_128_cbc_oper(key, iv, data, data_len, MBEDTLS_AES_ENCRYPT);
+ }
+ 
+ int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	return aes_128_cbc_oper(key, iv, data, data_len, MBEDTLS_AES_DECRYPT);
+ }
+ 
+@@ -1407,6 +1458,10 @@ int crypto_hash_finish(struct crypto_has
+ 	}
+ 	mbedtls_md_free(mctx);
+ 	os_free(mctx);
++
++	if (TEST_FAIL())
++		return -1;
++
+ 	return 0;
+ }
+ 
+@@ -1421,6 +1476,9 @@ int crypto_hash_finish(struct crypto_has
+ 
+ struct crypto_bignum *crypto_bignum_init(void)
+ {
++	if (TEST_FAIL())
++		return NULL;
++
+ 	mbedtls_mpi *bn = os_malloc(sizeof(*bn));
+ 	if (bn)
+ 		mbedtls_mpi_init(bn);
+@@ -1429,6 +1487,9 @@ struct crypto_bignum *crypto_bignum_init
+ 
+ struct crypto_bignum *crypto_bignum_init_set(const u8 *buf, size_t len)
+ {
++	if (TEST_FAIL())
++		return NULL;
++
+ 	mbedtls_mpi *bn = os_malloc(sizeof(*bn));
+ 	if (bn) {
+ 		mbedtls_mpi_init(bn);
+@@ -1442,6 +1503,9 @@ struct crypto_bignum *crypto_bignum_init
+ 
+ struct crypto_bignum *crypto_bignum_init_uint(unsigned int val)
+ {
++	if (TEST_FAIL())
++		return NULL;
++
+   #if 0 /*(hostap use of this interface passes int, not uint)*/
+ 	val = host_to_be32(val);
+ 	return crypto_bignum_init_set((const u8 *)&val, sizeof(val));
+@@ -1467,6 +1531,9 @@ void crypto_bignum_deinit(struct crypto_
+ int crypto_bignum_to_bin(const struct crypto_bignum *a,
+ 			 u8 *buf, size_t buflen, size_t padlen)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	size_t n = mbedtls_mpi_size((mbedtls_mpi *)a);
+ 	if (n < padlen)
+ 		n = padlen;
+@@ -1477,6 +1544,9 @@ int crypto_bignum_to_bin(const struct cr
+ 
+ int crypto_bignum_rand(struct crypto_bignum *r, const struct crypto_bignum *m)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	/*assert(r != m);*//* r must not be same as m for mbedtls_mpi_random()*/
+   #if MBEDTLS_VERSION_NUMBER >= 0x021B0000 /* mbedtls 2.27.0 */
+ 	return mbedtls_mpi_random((mbedtls_mpi *)r, 0, (mbedtls_mpi *)m,
+@@ -1513,6 +1583,9 @@ int crypto_bignum_exptmod(const struct c
+ 			  const struct crypto_bignum *c,
+ 			  struct crypto_bignum *d)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	/* (check if input params match d; d is the result) */
+ 	/* (a == d) is ok in current mbedtls implementation */
+ 	if (b == d || c == d) { /*(not ok; store result in intermediate)*/
+@@ -1540,6 +1613,9 @@ int crypto_bignum_inverse(const struct c
+ 			  const struct crypto_bignum *b,
+ 			  struct crypto_bignum *c)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	return mbedtls_mpi_inv_mod((mbedtls_mpi *)c,
+ 				   (const mbedtls_mpi *)a,
+ 				   (const mbedtls_mpi *)b) ? -1 : 0;
+@@ -1549,6 +1625,9 @@ int crypto_bignum_sub(const struct crypt
+ 		      const struct crypto_bignum *b,
+ 		      struct crypto_bignum *c)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	return mbedtls_mpi_sub_mpi((mbedtls_mpi *)c,
+ 				   (const mbedtls_mpi *)a,
+ 				   (const mbedtls_mpi *)b) ? -1 : 0;
+@@ -1558,6 +1637,9 @@ int crypto_bignum_div(const struct crypt
+ 		      const struct crypto_bignum *b,
+ 		      struct crypto_bignum *c)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	/*(most current use of this crypto.h interface has a == c (result),
+ 	 * so store result in an intermediate to avoid overwritten input)*/
+ 	mbedtls_mpi R;
+@@ -1575,6 +1657,9 @@ int crypto_bignum_addmod(const struct cr
+ 			 const struct crypto_bignum *c,
+ 			 struct crypto_bignum *d)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	return mbedtls_mpi_add_mpi((mbedtls_mpi *)d,
+ 				   (const mbedtls_mpi *)a,
+ 				   (const mbedtls_mpi *)b)
+@@ -1588,6 +1673,9 @@ int crypto_bignum_mulmod(const struct cr
+ 			 const struct crypto_bignum *c,
+ 			 struct crypto_bignum *d)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	return mbedtls_mpi_mul_mpi((mbedtls_mpi *)d,
+ 				   (const mbedtls_mpi *)a,
+ 				   (const mbedtls_mpi *)b)
+@@ -1600,6 +1688,9 @@ int crypto_bignum_sqrmod(const struct cr
+ 			 const struct crypto_bignum *b,
+ 			 struct crypto_bignum *c)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+   #if 1
+ 	return crypto_bignum_mulmod(a, a, b, c);
+   #else
+@@ -1650,6 +1741,9 @@ int crypto_bignum_is_odd(const struct cr
+ int crypto_bignum_legendre(const struct crypto_bignum *a,
+ 			   const struct crypto_bignum *p)
+ {
++	if (TEST_FAIL())
++		return -2;
++
+ 	/* Security Note:
+ 	 * mbedtls_mpi_exp_mod() is not documented to run in constant time,
+ 	 * though mbedtls/library/bignum.c uses constant_time_internal.h funcs.
+@@ -1702,6 +1796,9 @@ int crypto_mod_exp(const u8 *base, size_
+ 		   const u8 *modulus, size_t modulus_len,
+ 		   u8 *result, size_t *result_len)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	mbedtls_mpi bn_base, bn_exp, bn_modulus, bn_result;
+ 	mbedtls_mpi_init(&bn_base);
+ 	mbedtls_mpi_init(&bn_exp);
+@@ -1769,6 +1866,9 @@ static int crypto_mbedtls_dh_init_public
+ int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey,
+ 		   u8 *pubkey)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+   #if 0 /*(crypto_dh_init() duplicated (and identical) in crypto_*.c modules)*/
+ 	size_t pubkey_len, pad;
+ 
+@@ -1810,6 +1910,9 @@ int crypto_dh_derive_secret(u8 generator
+ 			    const u8 *pubkey, size_t pubkey_len,
+ 			    u8 *secret, size_t *len)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+   #if 0
+ 	if (pubkey_len > prime_len ||
+ 	    (pubkey_len == prime_len &&
+@@ -2512,6 +2615,9 @@ const struct crypto_ec_point * crypto_ec
+ 
+ struct crypto_ec_point *crypto_ec_point_init(struct crypto_ec *e)
+ {
++	if (TEST_FAIL())
++		return NULL;
++
+ 	mbedtls_ecp_point *p = os_malloc(sizeof(*p));
+ 	if (p != NULL)
+ 		mbedtls_ecp_point_init(p);
+@@ -2536,6 +2642,9 @@ int crypto_ec_point_x(struct crypto_ec *
+ int crypto_ec_point_to_bin(struct crypto_ec *e,
+ 			   const struct crypto_ec_point *point, u8 *x, u8 *y)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	/* crypto.h documents crypto_ec_point_to_bin() output is big-endian */
+ 	size_t len = CRYPTO_EC_plen(e);
+ 	if (x) {
+@@ -2563,6 +2672,9 @@ int crypto_ec_point_to_bin(struct crypto
+ struct crypto_ec_point * crypto_ec_point_from_bin(struct crypto_ec *e,
+ 						  const u8 *val)
+ {
++	if (TEST_FAIL())
++		return NULL;
++
+ 	size_t len = CRYPTO_EC_plen(e);
+ 	mbedtls_ecp_point *p = os_malloc(sizeof(*p));
+ 	u8 buf[1+MBEDTLS_MPI_MAX_SIZE*2];
+@@ -2615,6 +2727,9 @@ int crypto_ec_point_add(struct crypto_ec
+ 			const struct crypto_ec_point *b,
+ 			struct crypto_ec_point *c)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	/* mbedtls does not provide an mbedtls_ecp_point add function */
+ 	mbedtls_mpi one;
+ 	mbedtls_mpi_init(&one);
+@@ -2631,6 +2746,9 @@ int crypto_ec_point_mul(struct crypto_ec
+ 			const struct crypto_bignum *b,
+ 			struct crypto_ec_point *res)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	return mbedtls_ecp_mul(
+ 		(mbedtls_ecp_group *)e, (mbedtls_ecp_point *)res,
+ 		(const mbedtls_mpi *)b, (const mbedtls_ecp_point *)p,
+@@ -2639,6 +2757,9 @@ int crypto_ec_point_mul(struct crypto_ec
+ 
+ int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	if (mbedtls_ecp_get_type((mbedtls_ecp_group *)e)
+ 	    == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+ 		/* e.g. MBEDTLS_ECP_DP_CURVE25519 and MBEDTLS_ECP_DP_CURVE448 */
+@@ -2751,6 +2872,9 @@ struct crypto_bignum *
+ crypto_ec_point_compute_y_sqr(struct crypto_ec *e,
+ 			      const struct crypto_bignum *x)
+ {
++	if (TEST_FAIL())
++		return NULL;
++
+ 	mbedtls_mpi *y2 = os_malloc(sizeof(*y2));
+ 	if (y2 == NULL)
+ 		return NULL;

feeds/hostapd/hostapd/patches/150-add-NULL-checks-encountered-during-tests-hwsim.patch

@@ -0,0 +1,45 @@
+From 33afce36c54b0cad38643629ded10ff5d727f077 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Fri, 12 Aug 2022 05:34:47 -0400
+Subject: [PATCH 5/7] add NULL checks (encountered during tests/hwsim)
+
+sae_derive_commit_element_ecc NULL pwe_ecc check
+dpp_gen_keypair() NULL curve check
+
+Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
+---
+ src/common/dpp_crypto.c | 6 ++++++
+ src/common/sae.c        | 7 +++++++
+ 2 files changed, 13 insertions(+)
+
+--- a/src/common/dpp_crypto.c
++++ b/src/common/dpp_crypto.c
+@@ -269,6 +269,12 @@ int dpp_get_pubkey_hash(struct crypto_ec
+ 
+ struct crypto_ec_key * dpp_gen_keypair(const struct dpp_curve_params *curve)
+ {
++	if (curve == NULL) {
++		wpa_printf(MSG_DEBUG,
++		           "DPP: %s curve must be initialized", __func__);
++		return NULL;
++	}
++
+ 	struct crypto_ec_key *key;
+ 
+ 	wpa_printf(MSG_DEBUG, "DPP: Generating a keypair");
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -1278,6 +1278,13 @@ void sae_deinit_pt(struct sae_pt *pt)
+ static int sae_derive_commit_element_ecc(struct sae_data *sae,
+ 					 struct crypto_bignum *mask)
+ {
++	if (sae->tmp->pwe_ecc == NULL) {
++		wpa_printf(MSG_DEBUG,
++		           "SAE: %s sae->tmp->pwe_ecc must be initialized",
++		           __func__);
++		return -1;
++	}
++
+ 	/* COMMIT-ELEMENT = inverse(scalar-op(mask, PWE)) */
+ 	if (!sae->tmp->own_commit_element_ecc) {
+ 		sae->tmp->own_commit_element_ecc =

feeds/hostapd/hostapd/patches/160-dpp_pkex-EC-point-mul-w-value-prime.patch

@@ -0,0 +1,26 @@
+From 54211caa2e0e5163aefef390daf88a971367a702 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Tue, 4 Oct 2022 17:09:24 -0400
+Subject: [PATCH 6/7] dpp_pkex: EC point mul w/ value < prime
+
+crypto_ec_point_mul() with mbedtls requires point
+be multiplied by a multiplicand with value < prime
+
+Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
+---
+ src/common/dpp_crypto.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/src/common/dpp_crypto.c
++++ b/src/common/dpp_crypto.c
+@@ -1588,7 +1588,9 @@ dpp_pkex_derive_Qr(const struct dpp_curv
+ 	Pr = crypto_ec_key_get_public_key(Pr_key);
+ 	Qr = crypto_ec_point_init(ec);
+ 	hash_bn = crypto_bignum_init_set(hash, curve->hash_len);
+-	if (!Pr || !Qr || !hash_bn || crypto_ec_point_mul(ec, Pr, hash_bn, Qr))
++	if (!Pr || !Qr || !hash_bn ||
++	    crypto_bignum_mod(hash_bn, crypto_ec_get_prime(ec), hash_bn) ||
++	    crypto_ec_point_mul(ec, Pr, hash_bn, Qr))
+ 		goto fail;
+ 
+ 	if (crypto_ec_point_is_at_infinity(ec, Qr)) {

feeds/hostapd/hostapd/patches/170-hostapd-update-cfs0-and-cfs1-for-160MHz.patch

@@ -0,0 +1,141 @@
+From d4c4ef302f98fd6bce173b8636e7e350d8b44981 Mon Sep 17 00:00:00 2001
+From: P Praneesh <ppranees@codeaurora.org>
+Date: Fri, 19 Mar 2021 12:17:27 +0530
+Subject: [PATCH] hostapd: update cfs0 and cfs1 for 160MHz
+
+As per standard Draft P802.11ax_D8.0,( Table 26-9—Setting
+of the VHT Channel Width and VHT NSS at an HE STA
+transmitting the OM Control subfield ), center frequency of
+160MHz should be published in HT information subset 2 of
+HT information when EXT NSS BW field is enabled.
+
+If the supported number of NSS in 160MHz is at least max NSS
+support, then center_freq_seg0 indicates the center frequency of 80MHz and
+center_freq_seg1 indicates the center frequency of 160MHz.
+
+If the supported number of NSS in 160MHz is less than max NSS
+support, then center_freq_seg0 indicates the center frequency of 80MHz and
+center_freq_seg1 is 0. The center frequency of 160MHz is published in HT
+operation information element instead.
+
+Signed-off-by: P Praneesh <ppranees@codeaurora.org>
+---
+ hostapd/config_file.c           |  2 ++
+ src/ap/ieee802_11_ht.c          |  7 +++++++
+ src/ap/ieee802_11_vht.c         | 16 ++++++++++++++++
+ src/common/hw_features_common.c |  1 +
+ src/common/ieee802_11_defs.h    |  1 +
+ 5 files changed, 27 insertions(+)
+
+--- a/hostapd/config_file.c
++++ b/hostapd/config_file.c
+@@ -1153,6 +1153,8 @@ static int hostapd_config_vht_capab(stru
+ 		conf->vht_capab |= VHT_CAP_RX_ANTENNA_PATTERN;
+ 	if (os_strstr(capab, "[TX-ANTENNA-PATTERN]"))
+ 		conf->vht_capab |= VHT_CAP_TX_ANTENNA_PATTERN;
++	if (os_strstr(capab, "[EXT-NSS-BW-SUPP]"))
++		conf->vht_capab |= VHT_CAP_EXTENDED_NSS_BW_SUPPORT;
+ 	return 0;
+ }
+ #endif /* CONFIG_IEEE80211AC */
+--- a/src/ap/ieee802_11_ht.c
++++ b/src/ap/ieee802_11_ht.c
+@@ -82,7 +82,9 @@ u8 * hostapd_eid_ht_capabilities(struct
+ u8 * hostapd_eid_ht_operation(struct hostapd_data *hapd, u8 *eid)
+ {
+ 	struct ieee80211_ht_operation *oper;
++	le32 vht_capabilities_info;
+ 	u8 *pos = eid;
++	u8 chwidth;
+ 
+ 	if (!hapd->iconf->ieee80211n || hapd->conf->disable_11n ||
+ 	    is_6ghz_op_class(hapd->iconf->op_class))
+@@ -103,6 +105,13 @@ u8 * hostapd_eid_ht_operation(struct hos
+ 		oper->ht_param |= HT_INFO_HT_PARAM_SECONDARY_CHNL_BELOW |
+ 			HT_INFO_HT_PARAM_STA_CHNL_WIDTH;
+ 
++	vht_capabilities_info = host_to_le32(hapd->iface->current_mode->vht_capab);
++	chwidth = hostapd_get_oper_chwidth(hapd->iconf);
++	if (vht_capabilities_info & VHT_CAP_EXTENDED_NSS_BW_SUPPORT
++		&& ((chwidth == CHANWIDTH_160MHZ) || (chwidth == CHANWIDTH_80P80MHZ))) {
++		oper->operation_mode = host_to_le16(hapd->iconf->vht_oper_centr_freq_seg0_idx << 5);
++	}
++
+ 	pos += sizeof(*oper);
+ 
+ 	return pos;
+--- a/src/ap/ieee802_11_vht.c
++++ b/src/ap/ieee802_11_vht.c
+@@ -25,6 +25,7 @@ u8 * hostapd_eid_vht_capabilities(struct
+ 	struct ieee80211_vht_capabilities *cap;
+ 	struct hostapd_hw_modes *mode = hapd->iface->current_mode;
+ 	u8 *pos = eid;
++	u8 chwidth;
+ 
+ 	if (!mode || is_6ghz_op_class(hapd->iconf->op_class))
+ 		return eid;
+@@ -62,6 +63,17 @@ u8 * hostapd_eid_vht_capabilities(struct
+ 			host_to_le32(nsts << VHT_CAP_BEAMFORMEE_STS_OFFSET);
+ 	}
+ 
++	chwidth = hostapd_get_oper_chwidth(hapd->iconf);
++	if (((host_to_le32(mode->vht_capab)) & VHT_CAP_EXTENDED_NSS_BW_SUPPORT)
++		&& ((chwidth == CHANWIDTH_160MHZ) || (chwidth == CHANWIDTH_80P80MHZ))) {
++		cap->vht_capabilities_info |= VHT_CAP_EXTENDED_NSS_BW_SUPPORT;
++		cap->vht_capabilities_info &= ~(host_to_le32(VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ));
++		cap->vht_capabilities_info &= ~(host_to_le32(VHT_CAP_SUPP_CHAN_WIDTH_160MHZ));
++		cap->vht_capabilities_info &= ~(host_to_le32(VHT_CAP_SUPP_CHAN_WIDTH_MASK));
++	} else {
++		cap->vht_capabilities_info &= ~VHT_CAP_EXTENDED_NSS_BW_SUPPORT_MASK;
++	}
++
+ 	/* Supported MCS set comes from hw */
+ 	os_memcpy(&cap->vht_supported_mcs_set, mode->vht_mcs_set, 8);
+ 
+@@ -74,6 +86,7 @@ u8 * hostapd_eid_vht_capabilities(struct
+ u8 * hostapd_eid_vht_operation(struct hostapd_data *hapd, u8 *eid)
+ {
+ 	struct ieee80211_vht_operation *oper;
++	le32 vht_capabilities_info;
+ 	u8 *pos = eid;
+ 	enum oper_chan_width oper_chwidth =
+ 		hostapd_get_oper_chwidth(hapd->iconf);
+@@ -106,6 +119,7 @@ u8 * hostapd_eid_vht_operation(struct ho
+ 	oper->vht_op_info_chan_center_freq_seg1_idx = seg1;
+ 
+ 	oper->vht_op_info_chwidth = oper_chwidth;
++	vht_capabilities_info = host_to_le32(hapd->iface->current_mode->vht_capab);
+ 	if (oper_chwidth == CONF_OPER_CHWIDTH_160MHZ) {
+ 		/*
+ 		 * Convert 160 MHz channel width to new style as interop
+@@ -119,6 +133,9 @@ u8 * hostapd_eid_vht_operation(struct ho
+ 			oper->vht_op_info_chan_center_freq_seg0_idx -= 8;
+ 		else
+ 			oper->vht_op_info_chan_center_freq_seg0_idx += 8;
++
++		if (vht_capabilities_info & VHT_CAP_EXTENDED_NSS_BW_SUPPORT)
++			oper->vht_op_info_chan_center_freq_seg1_idx = 0;
+ 	} else if (oper_chwidth == CONF_OPER_CHWIDTH_80P80MHZ) {
+ 		/*
+ 		 * Convert 80+80 MHz channel width to new style as interop
+--- a/src/common/hw_features_common.c
++++ b/src/common/hw_features_common.c
+@@ -811,6 +811,7 @@ int ieee80211ac_cap_check(u32 hw, u32 co
+ 	VHT_CAP_CHECK(VHT_CAP_VHT_LINK_ADAPTATION_VHT_MRQ_MFB);
+ 	VHT_CAP_CHECK(VHT_CAP_RX_ANTENNA_PATTERN);
+ 	VHT_CAP_CHECK(VHT_CAP_TX_ANTENNA_PATTERN);
++	VHT_CAP_CHECK(VHT_CAP_EXTENDED_NSS_BW_SUPPORT);
+ 
+ #undef VHT_CAP_CHECK
+ #undef VHT_CAP_CHECK_MAX
+--- a/src/common/ieee802_11_defs.h
++++ b/src/common/ieee802_11_defs.h
+@@ -1349,6 +1349,8 @@ struct ieee80211_ampe_ie {
+ #define VHT_CAP_VHT_LINK_ADAPTATION_VHT_MRQ_MFB     ((u32) BIT(26) | BIT(27))
+ #define VHT_CAP_RX_ANTENNA_PATTERN                  ((u32) BIT(28))
+ #define VHT_CAP_TX_ANTENNA_PATTERN                  ((u32) BIT(29))
++#define VHT_CAP_EXTENDED_NSS_BW_SUPPORT		    ((u32) BIT(30))
++#define VHT_CAP_EXTENDED_NSS_BW_SUPPORT_MASK	    ((u32) BIT(30) | BIT(31))
+ 
+ #define VHT_OPMODE_CHANNEL_WIDTH_MASK		    ((u8) BIT(0) | BIT(1))
+ #define VHT_OPMODE_CHANNEL_RxNSS_MASK		    ((u8) BIT(4) | BIT(5) | \

feeds/hostapd/hostapd/patches/180-driver_nl80211-fix-setting-QoS-map-on-secondary-BSSs.patch

@@ -0,0 +1,20 @@
+From: Felix Fietkau <nbd@nbd.name>
+Date: Thu, 14 Sep 2023 10:53:50 +0200
+Subject: [PATCH] driver_nl80211: fix setting QoS map on secondary BSSs
+
+The setting is per-BSS, not per PHY
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+---
+
+--- a/src/drivers/driver_nl80211.c
++++ b/src/drivers/driver_nl80211.c
+@@ -11341,7 +11341,7 @@ static int nl80211_set_qos_map(void *pri
+ 	wpa_hexdump(MSG_DEBUG, "nl80211: Setting QoS Map",
+ 		    qos_map_set, qos_map_set_len);
+ 
+-	if (!(msg = nl80211_drv_msg(drv, 0, NL80211_CMD_SET_QOS_MAP)) ||
++	if (!(msg = nl80211_bss_msg(bss, 0, NL80211_CMD_SET_QOS_MAP)) ||
+ 	    nla_put(msg, NL80211_ATTR_QOS_MAP, qos_map_set_len, qos_map_set)) {
+ 		nlmsg_free(msg);
+ 		return -ENOBUFS;

feeds/hostapd/hostapd/patches/181-driver_nl80211-update-drv-ifindex-on-removing-the-fi.patch

@@ -0,0 +1,18 @@
+From: Felix Fietkau <nbd@nbd.name>
+Date: Thu, 14 Sep 2023 11:28:03 +0200
+Subject: [PATCH] driver_nl80211: update drv->ifindex on removing the first
+ BSS
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+---
+
+--- a/src/drivers/driver_nl80211.c
++++ b/src/drivers/driver_nl80211.c
+@@ -8867,6 +8867,7 @@ static int wpa_driver_nl80211_if_remove(
+ 		if (drv->first_bss->next) {
+ 			drv->first_bss = drv->first_bss->next;
+ 			drv->ctx = drv->first_bss->ctx;
++			drv->ifindex = drv->first_bss->ifindex;
+ 			os_free(bss);
+ 		} else {
+ 			wpa_printf(MSG_DEBUG, "nl80211: No second BSS to reassign context to");

feeds/hostapd/hostapd/patches/182-nl80211-move-nl80211_put_freq_params-call-outside-of.patch

@@ -0,0 +1,34 @@
+From: Felix Fietkau <nbd@nbd.name>
+Date: Mon, 18 Sep 2023 16:47:41 +0200
+Subject: [PATCH] nl80211: move nl80211_put_freq_params call outside of
+ 802.11ax #ifdef
+
+The relevance of this call is not specific to 802.11ax, so it should be done
+even with CONFIG_IEEE80211AX disabled.
+
+Fixes: b3921db426ea ("nl80211: Add frequency info in start AP command")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+---
+
+--- a/src/drivers/driver_nl80211.c
++++ b/src/drivers/driver_nl80211.c
+@@ -5226,6 +5226,9 @@ static int wpa_driver_nl80211_set_ap(voi
+ 		nla_nest_end(msg, ftm);
+ 	}
+ 
++	if (params->freq && nl80211_put_freq_params(msg, params->freq) < 0)
++		goto fail;
++
+ #ifdef CONFIG_IEEE80211AX
+ 	if (params->he_spr_ctrl) {
+ 		struct nlattr *spr;
+@@ -5260,9 +5263,6 @@ static int wpa_driver_nl80211_set_ap(voi
+ 		nla_nest_end(msg, spr);
+ 	}
+ 
+-	if (params->freq && nl80211_put_freq_params(msg, params->freq) < 0)
+-		goto fail;
+-
+ 	if (params->freq && params->freq->he_enabled) {
+ 		struct nlattr *bss_color;
+ 

feeds/hostapd/hostapd/patches/183-hostapd-cancel-channel_list_update_timeout-in-hostap.patch

@@ -0,0 +1,28 @@
+From: Felix Fietkau <nbd@nbd.name>
+Date: Wed, 20 Sep 2023 13:41:10 +0200
+Subject: [PATCH] hostapd: cancel channel_list_update_timeout in
+ hostapd_cleanup_iface_partial
+
+Fixes a crash when disabling an interface during channel list update
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+---
+
+--- a/src/ap/hostapd.c
++++ b/src/ap/hostapd.c
+@@ -569,6 +569,7 @@ static void sta_track_deinit(struct host
+ void hostapd_cleanup_iface_partial(struct hostapd_iface *iface)
+ {
+ 	wpa_printf(MSG_DEBUG, "%s(%p)", __func__, iface);
++	eloop_cancel_timeout(channel_list_update_timeout, iface, NULL);
+ #ifdef NEED_AP_MLME
+ 	hostapd_stop_setup_timers(iface);
+ #endif /* NEED_AP_MLME */
+@@ -598,7 +599,6 @@ void hostapd_cleanup_iface_partial(struc
+ static void hostapd_cleanup_iface(struct hostapd_iface *iface)
+ {
+ 	wpa_printf(MSG_DEBUG, "%s(%p)", __func__, iface);
+-	eloop_cancel_timeout(channel_list_update_timeout, iface, NULL);
+ 	eloop_cancel_timeout(hostapd_interface_setup_failure_handler, iface,
+ 			     NULL);
+ 

feeds/hostapd/hostapd/patches/200-multicall.patch

@@ -0,0 +1,355 @@
+--- a/hostapd/Makefile
++++ b/hostapd/Makefile
+@@ -1,6 +1,7 @@
+ ALL=hostapd hostapd_cli
+ CONFIG_FILE = .config
+ 
++-include $(if $(MULTICALL), ../wpa_supplicant/.config)
+ include ../src/build.rules
+ 
+ ifdef LIBS
+@@ -199,7 +200,8 @@ endif
+ 
+ ifdef CONFIG_NO_VLAN
+ CFLAGS += -DCONFIG_NO_VLAN
+-else
++endif
++ifneq ($(findstring CONFIG_NO_VLAN,$(CFLAGS)), CONFIG_NO_VLAN)
+ OBJS += ../src/ap/vlan_init.o
+ OBJS += ../src/ap/vlan_ifconfig.o
+ OBJS += ../src/ap/vlan.o
+@@ -357,10 +359,14 @@ CFLAGS += -DCONFIG_MBO
+ OBJS += ../src/ap/mbo_ap.o
+ endif
+ 
++ifndef MULTICALL
++CFLAGS += -DNO_SUPPLICANT
++endif
++
+ include ../src/drivers/drivers.mak
+-OBJS += $(DRV_AP_OBJS)
+-CFLAGS += $(DRV_AP_CFLAGS)
+-LDFLAGS += $(DRV_AP_LDFLAGS)
++OBJS += $(sort $(DRV_AP_OBJS) $(if $(MULTICALL),$(DRV_WPA_OBJS)))
++CFLAGS += $(DRV_AP_CFLAGS) $(if $(MULTICALL),$(DRV_WPA_CFLAGS))
++LDFLAGS += $(DRV_AP_LDFLAGS) $(if $(MULTICALL),$(DRV_WPA_LDFLAGS))
+ LIBS += $(DRV_AP_LIBS)
+ 
+ ifdef CONFIG_L2_PACKET
+@@ -1380,6 +1386,12 @@ install: $(addprefix $(DESTDIR)$(BINDIR)
+ _OBJS_VAR := OBJS
+ include ../src/objs.mk
+ 
++hostapd_multi.a: $(BCHECK) $(OBJS)
++	$(Q)$(CC) -c -o hostapd_multi.o -Dmain=hostapd_main $(CFLAGS) main.c
++	@$(E) "  CC " $<
++	@rm -f $@
++	@$(AR) cr $@ hostapd_multi.o $(OBJS)
++
+ hostapd: $(OBJS)
+ 	$(Q)$(CC) $(LDFLAGS) -o hostapd $(OBJS) $(LIBS)
+ 	@$(E) "  LD " $@
+@@ -1460,6 +1472,12 @@ include ../src/objs.mk
+ _OBJS_VAR := SOBJS
+ include ../src/objs.mk
+ 
++dump_cflags:
++	@printf "%s " "$(CFLAGS)"
++
++dump_ldflags:
++	@printf "%s " "$(LDFLAGS) $(LIBS) $(EXTRALIBS)"
++
+ nt_password_hash: $(NOBJS)
+ 	$(Q)$(CC) $(LDFLAGS) -o nt_password_hash $(NOBJS) $(LIBS_n)
+ 	@$(E) "  LD " $@
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -10,6 +10,7 @@ ALL += dbus/fi.w1.wpa_supplicant1.servic
+ EXTRA_TARGETS=dynamic_eap_methods
+ 
+ CONFIG_FILE=.config
++-include $(if $(MULTICALL),../hostapd/.config)
+ include ../src/build.rules
+ 
+ ifdef CONFIG_BUILD_PASN_SO
+@@ -382,7 +383,9 @@ endif
+ ifdef CONFIG_IBSS_RSN
+ NEED_RSN_AUTHENTICATOR=y
+ CFLAGS += -DCONFIG_IBSS_RSN
++ifndef MULTICALL
+ CFLAGS += -DCONFIG_NO_VLAN
++endif
+ OBJS += ibss_rsn.o
+ endif
+ 
+@@ -924,6 +927,10 @@ ifdef CONFIG_DYNAMIC_EAP_METHODS
+ CFLAGS += -DCONFIG_DYNAMIC_EAP_METHODS
+ LIBS += -ldl -rdynamic
+ endif
++else
++  ifdef MULTICALL
++    OBJS += ../src/eap_common/eap_common.o
++  endif
+ endif
+ 
+ ifdef CONFIG_AP
+@@ -931,9 +938,11 @@ NEED_EAP_COMMON=y
+ NEED_RSN_AUTHENTICATOR=y
+ CFLAGS += -DCONFIG_AP
+ OBJS += ap.o
++ifndef MULTICALL
+ CFLAGS += -DCONFIG_NO_RADIUS
+ CFLAGS += -DCONFIG_NO_ACCOUNTING
+ CFLAGS += -DCONFIG_NO_VLAN
++endif
+ OBJS += ../src/ap/hostapd.o
+ OBJS += ../src/ap/wpa_auth_glue.o
+ OBJS += ../src/ap/utils.o
+@@ -1022,6 +1031,12 @@ endif
+ ifdef CONFIG_HS20
+ OBJS += ../src/ap/hs20.o
+ endif
++else
++  ifdef MULTICALL
++    OBJS += ../src/eap_server/eap_server.o
++    OBJS += ../src/eap_server/eap_server_identity.o
++    OBJS += ../src/eap_server/eap_server_methods.o
++  endif
+ endif
+ 
+ ifdef CONFIG_MBO
+@@ -1030,7 +1045,9 @@ CFLAGS += -DCONFIG_MBO
+ endif
+ 
+ ifdef NEED_RSN_AUTHENTICATOR
++ifndef MULTICALL
+ CFLAGS += -DCONFIG_NO_RADIUS
++endif
+ NEED_AES_WRAP=y
+ OBJS += ../src/ap/wpa_auth.o
+ OBJS += ../src/ap/wpa_auth_ie.o
+@@ -2010,6 +2027,12 @@ wpa_priv: $(BCHECK) $(OBJS_priv)
+ 
+ _OBJS_VAR := OBJS
+ include ../src/objs.mk
++wpa_supplicant_multi.a: .config $(BCHECK) $(OBJS) $(EXTRA_progs)
++	$(Q)$(CC) -c -o wpa_supplicant_multi.o -Dmain=wpa_supplicant_main $(CFLAGS) main.c
++	@$(E) "  CC " $<
++	@rm -f $@
++	@$(AR) cr $@ wpa_supplicant_multi.o $(OBJS)
++
+ wpa_supplicant: $(BCHECK) $(OBJS) $(EXTRA_progs)
+ 	$(Q)$(LDO) $(LDFLAGS) -o wpa_supplicant $(OBJS) $(LIBS) $(EXTRALIBS)
+ 	@$(E) "  LD " $@
+@@ -2142,6 +2165,12 @@ eap_gpsk.so: $(SRC_EAP_GPSK)
+ 	$(Q)sed -e 's|\@BINDIR\@|$(BINDIR)|g' $< >$@
+ 	@$(E) "  sed" $<
+ 
++dump_cflags:
++	@printf "%s " "$(CFLAGS)"
++
++dump_ldflags:
++	@printf "%s " "$(LDFLAGS) $(LIBS) $(EXTRALIBS)"
++
+ wpa_supplicant.exe: wpa_supplicant
+ 	mv -f $< $@
+ wpa_cli.exe: wpa_cli
+--- a/src/drivers/driver.h
++++ b/src/drivers/driver.h
+@@ -6667,8 +6667,8 @@ union wpa_event_data {
+  * Driver wrapper code should call this function whenever an event is received
+  * from the driver.
+  */
+-void wpa_supplicant_event(void *ctx, enum wpa_event_type event,
+-			  union wpa_event_data *data);
++extern void (*wpa_supplicant_event)(void *ctx, enum wpa_event_type event,
++				    union wpa_event_data *data);
+ 
+ /**
+  * wpa_supplicant_event_global - Report a driver event for wpa_supplicant
+@@ -6680,7 +6680,7 @@ void wpa_supplicant_event(void *ctx, enu
+  * Same as wpa_supplicant_event(), but we search for the interface in
+  * wpa_global.
+  */
+-void wpa_supplicant_event_global(void *ctx, enum wpa_event_type event,
++extern void (*wpa_supplicant_event_global)(void *ctx, enum wpa_event_type event,
+ 				 union wpa_event_data *data);
+ 
+ /*
+--- a/src/ap/drv_callbacks.c
++++ b/src/ap/drv_callbacks.c
+@@ -2184,8 +2184,8 @@ err:
+ #endif /* CONFIG_OWE */
+ 
+ 
+-void wpa_supplicant_event(void *ctx, enum wpa_event_type event,
+-			  union wpa_event_data *data)
++void hostapd_wpa_event(void *ctx, enum wpa_event_type event,
++		       union wpa_event_data *data)
+ {
+ 	struct hostapd_data *hapd = ctx;
+ #ifndef CONFIG_NO_STDOUT_DEBUG
+@@ -2489,7 +2489,7 @@ void wpa_supplicant_event(void *ctx, enu
+ }
+ 
+ 
+-void wpa_supplicant_event_global(void *ctx, enum wpa_event_type event,
++void hostapd_wpa_event_global(void *ctx, enum wpa_event_type event,
+ 				 union wpa_event_data *data)
+ {
+ 	struct hapd_interfaces *interfaces = ctx;
+--- a/wpa_supplicant/wpa_priv.c
++++ b/wpa_supplicant/wpa_priv.c
+@@ -1039,8 +1039,8 @@ static void wpa_priv_send_ft_response(st
+ }
+ 
+ 
+-void wpa_supplicant_event(void *ctx, enum wpa_event_type event,
+-			  union wpa_event_data *data)
++static void supplicant_event(void *ctx, enum wpa_event_type event,
++			     union wpa_event_data *data)
+ {
+ 	struct wpa_priv_interface *iface = ctx;
+ 
+@@ -1103,7 +1103,7 @@ void wpa_supplicant_event(void *ctx, enu
+ }
+ 
+ 
+-void wpa_supplicant_event_global(void *ctx, enum wpa_event_type event,
++void supplicant_event_global(void *ctx, enum wpa_event_type event,
+ 				 union wpa_event_data *data)
+ {
+ 	struct wpa_priv_global *global = ctx;
+@@ -1217,6 +1217,8 @@ int main(int argc, char *argv[])
+ 	if (os_program_init())
+ 		return -1;
+ 
++	wpa_supplicant_event = supplicant_event;
++	wpa_supplicant_event_global = supplicant_event_global;
+ 	wpa_priv_fd_workaround();
+ 
+ 	os_memset(&global, 0, sizeof(global));
+--- a/wpa_supplicant/events.c
++++ b/wpa_supplicant/events.c
+@@ -5353,8 +5353,8 @@ static void wpas_link_reconfig(struct wp
+ }
+ 
+ 
+-void wpa_supplicant_event(void *ctx, enum wpa_event_type event,
+-			  union wpa_event_data *data)
++void supplicant_event(void *ctx, enum wpa_event_type event,
++		      union wpa_event_data *data)
+ {
+ 	struct wpa_supplicant *wpa_s = ctx;
+ 	int resched;
+@@ -6272,7 +6272,7 @@ void wpa_supplicant_event(void *ctx, enu
+ }
+ 
+ 
+-void wpa_supplicant_event_global(void *ctx, enum wpa_event_type event,
++void supplicant_event_global(void *ctx, enum wpa_event_type event,
+ 				 union wpa_event_data *data)
+ {
+ 	struct wpa_supplicant *wpa_s;
+--- a/wpa_supplicant/wpa_supplicant.c
++++ b/wpa_supplicant/wpa_supplicant.c
+@@ -7462,7 +7462,6 @@ struct wpa_interface * wpa_supplicant_ma
+ 	return NULL;
+ }
+ 
+-
+ /**
+  * wpa_supplicant_match_existing - Match existing interfaces
+  * @global: Pointer to global data from wpa_supplicant_init()
+@@ -7497,6 +7496,11 @@ static int wpa_supplicant_match_existing
+ 
+ #endif /* CONFIG_MATCH_IFACE */
+ 
++extern void supplicant_event(void *ctx, enum wpa_event_type event,
++			     union wpa_event_data *data);
++
++extern void supplicant_event_global(void *ctx, enum wpa_event_type event,
++ 				 union wpa_event_data *data);
+ 
+ /**
+  * wpa_supplicant_add_iface - Add a new network interface
+@@ -7753,6 +7757,8 @@ struct wpa_global * wpa_supplicant_init(
+ #ifndef CONFIG_NO_WPA_MSG
+ 	wpa_msg_register_ifname_cb(wpa_supplicant_msg_ifname_cb);
+ #endif /* CONFIG_NO_WPA_MSG */
++	wpa_supplicant_event = supplicant_event;
++	wpa_supplicant_event_global = supplicant_event_global;
+ 
+ 	if (params->wpa_debug_file_path)
+ 		wpa_debug_open_file(params->wpa_debug_file_path);
+--- a/hostapd/main.c
++++ b/hostapd/main.c
+@@ -698,6 +698,11 @@ fail:
+ 	return -1;
+ }
+ 
++void hostapd_wpa_event(void *ctx, enum wpa_event_type event,
++                       union wpa_event_data *data);
++
++void hostapd_wpa_event_global(void *ctx, enum wpa_event_type event,
++ 				 union wpa_event_data *data);
+ 
+ #ifdef CONFIG_WPS
+ static int gen_uuid(const char *txt_addr)
+@@ -791,6 +796,8 @@ int main(int argc, char *argv[])
+ 		return -1;
+ #endif /* CONFIG_DPP */
+ 
++	wpa_supplicant_event = hostapd_wpa_event;
++	wpa_supplicant_event_global = hostapd_wpa_event_global;
+ 	for (;;) {
+ 		c = getopt(argc, argv, "b:Bde:f:hi:KP:sSTtu:vg:G:q");
+ 		if (c < 0)
+--- a/src/drivers/drivers.c
++++ b/src/drivers/drivers.c
+@@ -10,6 +10,10 @@
+ #include "utils/common.h"
+ #include "driver.h"
+ 
++void (*wpa_supplicant_event)(void *ctx, enum wpa_event_type event,
++			     union wpa_event_data *data);
++void (*wpa_supplicant_event_global)(void *ctx, enum wpa_event_type event,
++			     union wpa_event_data *data);
+ 
+ const struct wpa_driver_ops *const wpa_drivers[] =
+ {
+--- a/wpa_supplicant/eapol_test.c
++++ b/wpa_supplicant/eapol_test.c
+@@ -31,7 +31,12 @@
+ #include "ctrl_iface.h"
+ #include "pcsc_funcs.h"
+ #include "wpas_glue.h"
++#include "drivers/driver.h"
+ 
++void (*wpa_supplicant_event)(void *ctx, enum wpa_event_type event,
++			     union wpa_event_data *data);
++void (*wpa_supplicant_event_global)(void *ctx, enum wpa_event_type event,
++			     union wpa_event_data *data);
+ 
+ const struct wpa_driver_ops *const wpa_drivers[] = { NULL };
+ 
+@@ -1303,6 +1308,10 @@ static void usage(void)
+ 	       "option several times.\n");
+ }
+ 
++extern void supplicant_event(void *ctx, enum wpa_event_type event,
++			     union wpa_event_data *data);
++extern void supplicant_event_global(void *ctx, enum wpa_event_type event,
++			     union wpa_event_data *data);
+ 
+ int main(int argc, char *argv[])
+ {
+@@ -1323,6 +1332,8 @@ int main(int argc, char *argv[])
+ 	if (os_program_init())
+ 		return -1;
+ 
++	wpa_supplicant_event = supplicant_event;
++	wpa_supplicant_event_global = supplicant_event_global;
+ 	hostapd_logger_register_cb(hostapd_logger_cb);
+ 
+ 	os_memset(&eapol_test, 0, sizeof(eapol_test));

feeds/hostapd/hostapd/patches/300-noscan.patch

@@ -0,0 +1,58 @@
+--- a/hostapd/config_file.c
++++ b/hostapd/config_file.c
+@@ -3448,6 +3448,10 @@ static int hostapd_config_fill(struct ho
+ 		if (bss->ocv && !bss->ieee80211w)
+ 			bss->ieee80211w = 1;
+ #endif /* CONFIG_OCV */
++	} else if (os_strcmp(buf, "noscan") == 0) {
++		conf->noscan = atoi(pos);
++	} else if (os_strcmp(buf, "ht_coex") == 0) {
++		conf->no_ht_coex = !atoi(pos);
+ 	} else if (os_strcmp(buf, "ieee80211n") == 0) {
+ 		conf->ieee80211n = atoi(pos);
+ 	} else if (os_strcmp(buf, "ht_capab") == 0) {
+--- a/src/ap/ap_config.h
++++ b/src/ap/ap_config.h
+@@ -1075,6 +1075,8 @@ struct hostapd_config {
+ 
+ 	int ht_op_mode_fixed;
+ 	u16 ht_capab;
++	int noscan;
++	int no_ht_coex;
+ 	int ieee80211n;
+ 	int secondary_channel;
+ 	int no_pri_sec_switch;
+--- a/src/ap/hw_features.c
++++ b/src/ap/hw_features.c
+@@ -546,7 +546,8 @@ static int ieee80211n_check_40mhz(struct
+ 	int ret;
+ 
+ 	/* Check that HT40 is used and PRI / SEC switch is allowed */
+-	if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch)
++	if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch ||
++		iface->conf->noscan)
+ 		return 0;
+ 
+ 	hostapd_set_state(iface, HAPD_IFACE_HT_SCAN);
+--- a/src/ap/ieee802_11_ht.c
++++ b/src/ap/ieee802_11_ht.c
+@@ -239,6 +239,9 @@ void hostapd_2040_coex_action(struct hos
+ 		return;
+ 	}
+ 
++	if (iface->conf->noscan || iface->conf->no_ht_coex)
++		return;
++
+ 	if (len < IEEE80211_HDRLEN + 2 + sizeof(*bc_ie)) {
+ 		wpa_printf(MSG_DEBUG,
+ 			   "Ignore too short 20/40 BSS Coexistence Management frame");
+@@ -399,6 +402,9 @@ void ht40_intolerant_add(struct hostapd_
+ 	if (iface->current_mode->mode != HOSTAPD_MODE_IEEE80211G)
+ 		return;
+ 
++	if (iface->conf->noscan || iface->conf->no_ht_coex)
++		return;
++
+ 	wpa_printf(MSG_INFO, "HT: Forty MHz Intolerant is set by STA " MACSTR
+ 		   " in Association Request", MAC2STR(sta->addr));
+ 

feeds/hostapd/hostapd/patches/301-mesh-noscan.patch

@@ -0,0 +1,71 @@
+--- a/wpa_supplicant/config.c
++++ b/wpa_supplicant/config.c
+@@ -2600,6 +2600,7 @@ static const struct parse_data ssid_fiel
+ #else /* CONFIG_MESH */
+ 	{ INT_RANGE(mode, 0, 4) },
+ #endif /* CONFIG_MESH */
++	{ INT_RANGE(noscan, 0, 1) },
+ 	{ INT_RANGE(proactive_key_caching, 0, 1) },
+ 	{ INT_RANGE(disabled, 0, 2) },
+ 	{ STR(id_str) },
+--- a/wpa_supplicant/config_file.c
++++ b/wpa_supplicant/config_file.c
+@@ -775,6 +775,7 @@ static void wpa_config_write_network(FIL
+ #endif /* IEEE8021X_EAPOL */
+ 	INT(mode);
+ 	INT(no_auto_peer);
++	INT(noscan);
+ 	INT(mesh_fwding);
+ 	INT(frequency);
+ 	INT(enable_edmg);
+--- a/wpa_supplicant/mesh.c
++++ b/wpa_supplicant/mesh.c
+@@ -506,6 +506,8 @@ static int wpa_supplicant_mesh_init(stru
+ 			   frequency);
+ 		goto out_free;
+ 	}
++	if (ssid->noscan)
++		conf->noscan = 1;
+ 
+ 	if (ssid->mesh_basic_rates == NULL) {
+ 		/*
+--- a/wpa_supplicant/wpa_supplicant.c
++++ b/wpa_supplicant/wpa_supplicant.c
+@@ -2710,7 +2710,7 @@ static bool ibss_mesh_can_use_vht(struct
+ 				  const struct wpa_ssid *ssid,
+ 				  struct hostapd_hw_modes *mode)
+ {
+-	if (mode->mode != HOSTAPD_MODE_IEEE80211A)
++	if (mode->mode != HOSTAPD_MODE_IEEE80211A && !(ssid->noscan))
+ 		return false;
+ 
+ 	if (!drv_supports_vht(wpa_s, ssid))
+@@ -2783,7 +2783,7 @@ static void ibss_mesh_select_40mhz(struc
+ 	int i, res;
+ 	unsigned int j;
+ 	static const int ht40plus[] = {
+-		36, 44, 52, 60, 100, 108, 116, 124, 132, 149, 157, 165, 173,
++		1, 2, 3, 4, 5, 6, 36, 44, 52, 60, 100, 108, 116, 124, 132, 149, 157, 165, 173,
+ 		184, 192
+ 	};
+ 	int ht40 = -1;
+@@ -3033,7 +3033,7 @@ void ibss_mesh_setup_freq(struct wpa_sup
+ 	int ieee80211_mode = wpas_mode_to_ieee80211_mode(ssid->mode);
+ 	enum hostapd_hw_mode hw_mode;
+ 	struct hostapd_hw_modes *mode = NULL;
+-	int i, obss_scan = 1;
++	int i, obss_scan = !(ssid->noscan);
+ 	u8 channel;
+ 	bool is_6ghz;
+ 	bool dfs_enabled = wpa_s->conf->country[0] && (wpa_s->drv_flags & WPA_DRIVER_FLAGS_RADAR);
+--- a/wpa_supplicant/config_ssid.h
++++ b/wpa_supplicant/config_ssid.h
+@@ -1035,6 +1035,8 @@ struct wpa_ssid {
+ 	 */
+ 	int no_auto_peer;
+ 
++	int noscan;
++
+ 	/**
+ 	 * mesh_rssi_threshold - Set mesh parameter mesh_rssi_threshold (dBm)
+ 	 *

feeds/hostapd/hostapd/patches/310-rescan_immediately.patch

@@ -0,0 +1,11 @@
+--- a/wpa_supplicant/wpa_supplicant.c
++++ b/wpa_supplicant/wpa_supplicant.c
+@@ -5767,7 +5767,7 @@ wpa_supplicant_alloc(struct wpa_supplica
+ 	if (wpa_s == NULL)
+ 		return NULL;
+ 	wpa_s->scan_req = INITIAL_SCAN_REQ;
+-	wpa_s->scan_interval = 5;
++	wpa_s->scan_interval = 1;
+ 	wpa_s->new_connection = 1;
+ 	wpa_s->parent = parent ? parent : wpa_s;
+ 	wpa_s->p2pdev = wpa_s->parent;

feeds/hostapd/hostapd/patches/330-nl80211_fix_set_freq.patch

@@ -0,0 +1,11 @@
+--- a/src/drivers/driver_nl80211.c
++++ b/src/drivers/driver_nl80211.c
+@@ -5407,7 +5407,7 @@ static int nl80211_set_channel(struct i8
+ 		   freq->he_enabled, freq->eht_enabled, freq->bandwidth,
+ 		   freq->center_freq1, freq->center_freq2);
+ 
+-	msg = nl80211_drv_msg(drv, 0, set_chan ? NL80211_CMD_SET_CHANNEL :
++	msg = nl80211_bss_msg(bss, 0, set_chan ? NL80211_CMD_SET_CHANNEL :
+ 			      NL80211_CMD_SET_WIPHY);
+ 	if (!msg || nl80211_put_freq_params(msg, freq) < 0) {
+ 		nlmsg_free(msg);

feeds/hostapd/hostapd/patches/341-mesh-ctrl-iface-channel-switch.patch

@@ -0,0 +1,39 @@
+--- a/wpa_supplicant/ap.c
++++ b/wpa_supplicant/ap.c
+@@ -1825,15 +1825,35 @@ int ap_switch_channel(struct wpa_supplic
+ 
+ 
+ #ifdef CONFIG_CTRL_IFACE
++
++static int __ap_ctrl_iface_chanswitch(struct hostapd_iface *iface,
++				      struct csa_settings *settings)
++{
++#ifdef NEED_AP_MLME
++	if (!iface || !iface->bss[0])
++		return 0;
++
++	return hostapd_switch_channel(iface->bss[0], settings);
++#else
++	return -1;
++#endif
++}
++
++
+ int ap_ctrl_iface_chanswitch(struct wpa_supplicant *wpa_s, const char *pos)
+ {
+ 	struct csa_settings settings;
+ 	int ret = hostapd_parse_csa_settings(pos, &settings);
+ 
++	if (!(wpa_s->ap_iface && wpa_s->ap_iface->bss[0]) &&
++	    !(wpa_s->ifmsh && wpa_s->ifmsh->bss[0]))
++		return -1;
++
++	ret = __ap_ctrl_iface_chanswitch(wpa_s->ap_iface, &settings);
+ 	if (ret)
+ 		return ret;
+ 
+-	return ap_switch_channel(wpa_s, &settings);
++	return __ap_ctrl_iface_chanswitch(wpa_s->ifmsh, &settings);
+ }
+ #endif /* CONFIG_CTRL_IFACE */
+ 

feeds/hostapd/hostapd/patches/350-nl80211_del_beacon_bss.patch

@@ -0,0 +1,35 @@
+--- a/src/drivers/driver_nl80211.c
++++ b/src/drivers/driver_nl80211.c
+@@ -3008,12 +3008,12 @@ static int wpa_driver_nl80211_del_beacon
+ 		return 0;
+ 
+ 	wpa_printf(MSG_DEBUG, "nl80211: Remove beacon (ifindex=%d)",
+-		   drv->ifindex);
++		   bss->ifindex);
+ 	link->beacon_set = 0;
+ 	link->freq = 0;
+ 
+ 	nl80211_put_wiphy_data_ap(bss);
+-	msg = nl80211_drv_msg(drv, 0, NL80211_CMD_DEL_BEACON);
++	msg = nl80211_bss_msg(bss, 0, NL80211_CMD_DEL_BEACON);
+ 	if (!msg)
+ 		return -ENOBUFS;
+ 
+@@ -6100,7 +6100,7 @@ static void nl80211_teardown_ap(struct i
+ 		nl80211_mgmt_unsubscribe(bss, "AP teardown");
+ 
+ 	nl80211_put_wiphy_data_ap(bss);
+-	bss->flink->beacon_set = 0;
++	wpa_driver_nl80211_del_beacon_all(bss);
+ }
+ 
+ 
+@@ -8859,8 +8859,6 @@ static int wpa_driver_nl80211_if_remove(
+ 	} else {
+ 		wpa_printf(MSG_DEBUG, "nl80211: First BSS - reassign context");
+ 		nl80211_teardown_ap(bss);
+-		if (!bss->added_if && !drv->first_bss->next)
+-			wpa_driver_nl80211_del_beacon_all(bss);
+ 		nl80211_destroy_bss(bss);
+ 		if (!bss->added_if)
+ 			i802_set_iface_flags(bss, 0);

feeds/hostapd/hostapd/patches/380-disable_ctrl_iface_mib.patch

@@ -0,0 +1,239 @@
+--- a/hostapd/Makefile
++++ b/hostapd/Makefile
+@@ -221,6 +221,9 @@ endif
+ ifdef CONFIG_NO_CTRL_IFACE
+ CFLAGS += -DCONFIG_NO_CTRL_IFACE
+ else
++ifdef CONFIG_CTRL_IFACE_MIB
++CFLAGS += -DCONFIG_CTRL_IFACE_MIB
++endif
+ ifeq ($(CONFIG_CTRL_IFACE), udp)
+ CFLAGS += -DCONFIG_CTRL_IFACE_UDP
+ else
+--- a/hostapd/ctrl_iface.c
++++ b/hostapd/ctrl_iface.c
+@@ -3314,6 +3314,7 @@ static int hostapd_ctrl_iface_receive_pr
+ 						      reply_size);
+ 	} else if (os_strcmp(buf, "STATUS-DRIVER") == 0) {
+ 		reply_len = hostapd_drv_status(hapd, reply, reply_size);
++#ifdef CONFIG_CTRL_IFACE_MIB
+ 	} else if (os_strcmp(buf, "MIB") == 0) {
+ 		reply_len = ieee802_11_get_mib(hapd, reply, reply_size);
+ 		if (reply_len >= 0) {
+@@ -3355,6 +3356,7 @@ static int hostapd_ctrl_iface_receive_pr
+ 	} else if (os_strncmp(buf, "STA-NEXT ", 9) == 0) {
+ 		reply_len = hostapd_ctrl_iface_sta_next(hapd, buf + 9, reply,
+ 							reply_size);
++#endif
+ 	} else if (os_strcmp(buf, "ATTACH") == 0) {
+ 		if (hostapd_ctrl_iface_attach(hapd, from, fromlen, NULL))
+ 			reply_len = -1;
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -983,6 +983,9 @@ ifdef CONFIG_FILS
+ OBJS += ../src/ap/fils_hlp.o
+ endif
+ ifdef CONFIG_CTRL_IFACE
++ifdef CONFIG_CTRL_IFACE_MIB
++CFLAGS += -DCONFIG_CTRL_IFACE_MIB
++endif
+ OBJS += ../src/ap/ctrl_iface_ap.o
+ endif
+ 
+--- a/wpa_supplicant/ctrl_iface.c
++++ b/wpa_supplicant/ctrl_iface.c
+@@ -2326,7 +2326,7 @@ static int wpa_supplicant_ctrl_iface_sta
+ 			pos += ret;
+ 		}
+ 
+-#ifdef CONFIG_AP
++#if defined(CONFIG_AP) && defined(CONFIG_CTRL_IFACE_MIB)
+ 		if (wpa_s->ap_iface) {
+ 			pos += ap_ctrl_iface_wpa_get_status(wpa_s, pos,
+ 							    end - pos,
+@@ -12087,6 +12087,7 @@ char * wpa_supplicant_ctrl_iface_process
+ 			reply_len = -1;
+ 	} else if (os_strncmp(buf, "NOTE ", 5) == 0) {
+ 		wpa_printf(MSG_INFO, "NOTE: %s", buf + 5);
++#ifdef CONFIG_CTRL_IFACE_MIB
+ 	} else if (os_strcmp(buf, "MIB") == 0) {
+ 		reply_len = wpa_sm_get_mib(wpa_s->wpa, reply, reply_size);
+ 		if (reply_len >= 0) {
+@@ -12099,6 +12100,7 @@ char * wpa_supplicant_ctrl_iface_process
+ 				reply_size - reply_len);
+ #endif /* CONFIG_MACSEC */
+ 		}
++#endif
+ 	} else if (os_strncmp(buf, "STATUS", 6) == 0) {
+ 		reply_len = wpa_supplicant_ctrl_iface_status(
+ 			wpa_s, buf + 6, reply, reply_size);
+@@ -12587,6 +12589,7 @@ char * wpa_supplicant_ctrl_iface_process
+ 		reply_len = wpa_supplicant_ctrl_iface_bss(
+ 			wpa_s, buf + 4, reply, reply_size);
+ #ifdef CONFIG_AP
++#ifdef CONFIG_CTRL_IFACE_MIB
+ 	} else if (os_strcmp(buf, "STA-FIRST") == 0) {
+ 		reply_len = ap_ctrl_iface_sta_first(wpa_s, reply, reply_size);
+ 	} else if (os_strncmp(buf, "STA ", 4) == 0) {
+@@ -12595,12 +12598,15 @@ char * wpa_supplicant_ctrl_iface_process
+ 	} else if (os_strncmp(buf, "STA-NEXT ", 9) == 0) {
+ 		reply_len = ap_ctrl_iface_sta_next(wpa_s, buf + 9, reply,
+ 						   reply_size);
++#endif
++#ifdef CONFIG_CTRL_IFACE_MIB
+ 	} else if (os_strncmp(buf, "DEAUTHENTICATE ", 15) == 0) {
+ 		if (ap_ctrl_iface_sta_deauthenticate(wpa_s, buf + 15))
+ 			reply_len = -1;
+ 	} else if (os_strncmp(buf, "DISASSOCIATE ", 13) == 0) {
+ 		if (ap_ctrl_iface_sta_disassociate(wpa_s, buf + 13))
+ 			reply_len = -1;
++#endif
+ 	} else if (os_strncmp(buf, "CHAN_SWITCH ", 12) == 0) {
+ 		if (ap_ctrl_iface_chanswitch(wpa_s, buf + 12))
+ 			reply_len = -1;
+--- a/src/ap/ctrl_iface_ap.c
++++ b/src/ap/ctrl_iface_ap.c
+@@ -26,6 +26,26 @@
+ #include "taxonomy.h"
+ #include "wnm_ap.h"
+ 
++static const char * hw_mode_str(enum hostapd_hw_mode mode)
++{
++	switch (mode) {
++	case HOSTAPD_MODE_IEEE80211B:
++		return "b";
++	case HOSTAPD_MODE_IEEE80211G:
++		return "g";
++	case HOSTAPD_MODE_IEEE80211A:
++		return "a";
++	case HOSTAPD_MODE_IEEE80211AD:
++		return "ad";
++	case HOSTAPD_MODE_IEEE80211ANY:
++		return "any";
++	case NUM_HOSTAPD_MODES:
++		return "invalid";
++	}
++	return "unknown";
++}
++
++#ifdef CONFIG_CTRL_IFACE_MIB
+ 
+ static size_t hostapd_write_ht_mcs_bitmask(char *buf, size_t buflen,
+ 					   size_t curr_len, const u8 *mcs_set)
+@@ -212,26 +232,6 @@ static const char * timeout_next_str(int
+ }
+ 
+ 
+-static const char * hw_mode_str(enum hostapd_hw_mode mode)
+-{
+-	switch (mode) {
+-	case HOSTAPD_MODE_IEEE80211B:
+-		return "b";
+-	case HOSTAPD_MODE_IEEE80211G:
+-		return "g";
+-	case HOSTAPD_MODE_IEEE80211A:
+-		return "a";
+-	case HOSTAPD_MODE_IEEE80211AD:
+-		return "ad";
+-	case HOSTAPD_MODE_IEEE80211ANY:
+-		return "any";
+-	case NUM_HOSTAPD_MODES:
+-		return "invalid";
+-	}
+-	return "unknown";
+-}
+-
+-
+ static int hostapd_ctrl_iface_sta_mib(struct hostapd_data *hapd,
+ 				      struct sta_info *sta,
+ 				      char *buf, size_t buflen)
+@@ -493,6 +493,7 @@ int hostapd_ctrl_iface_sta_next(struct h
+ 	return hostapd_ctrl_iface_sta_mib(hapd, sta->next, buf, buflen);
+ }
+ 
++#endif
+ 
+ #ifdef CONFIG_P2P_MANAGER
+ static int p2p_manager_disconnect(struct hostapd_data *hapd, u16 stype,
+@@ -884,12 +885,12 @@ int hostapd_ctrl_iface_status(struct hos
+ 			return len;
+ 		len += ret;
+ 	}
+-
++#ifdef CONFIG_CTRL_IFACE_MIB
+ 	if (iface->conf->ieee80211n && !hapd->conf->disable_11n && mode) {
+ 		len = hostapd_write_ht_mcs_bitmask(buf, buflen, len,
+ 						   mode->mcs_set);
+ 	}
+-
++#endif /* CONFIG_CTRL_IFACE_MIB */
+ 	if (iface->current_rates && iface->num_rates) {
+ 		ret = os_snprintf(buf + len, buflen - len, "supported_rates=");
+ 		if (os_snprintf_error(buflen - len, ret))
+--- a/src/ap/ieee802_1x.c
++++ b/src/ap/ieee802_1x.c
+@@ -2834,6 +2834,7 @@ static const char * bool_txt(bool val)
+ 	return val ? "TRUE" : "FALSE";
+ }
+ 
++#ifdef CONFIG_CTRL_IFACE_MIB
+ 
+ int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
+ {
+@@ -3020,6 +3021,7 @@ int ieee802_1x_get_mib_sta(struct hostap
+ 	return len;
+ }
+ 
++#endif
+ 
+ #ifdef CONFIG_HS20
+ static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx)
+--- a/src/ap/wpa_auth.c
++++ b/src/ap/wpa_auth.c
+@@ -5328,6 +5328,7 @@ static const char * wpa_bool_txt(int val
+ 	return val ? "TRUE" : "FALSE";
+ }
+ 
++#ifdef CONFIG_CTRL_IFACE_MIB
+ 
+ #define RSN_SUITE "%02x-%02x-%02x-%d"
+ #define RSN_SUITE_ARG(s) \
+@@ -5480,7 +5481,7 @@ int wpa_get_mib_sta(struct wpa_state_mac
+ 
+ 	return len;
+ }
+-
++#endif
+ 
+ void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
+ {
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -3834,6 +3834,8 @@ static u32 wpa_key_mgmt_suite(struct wpa
+ }
+ 
+ 
++#ifdef CONFIG_CTRL_IFACE_MIB
++
+ #define RSN_SUITE "%02x-%02x-%02x-%d"
+ #define RSN_SUITE_ARG(s) \
+ ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
+@@ -3915,6 +3917,7 @@ int wpa_sm_get_mib(struct wpa_sm *sm, ch
+ 
+ 	return (int) len;
+ }
++#endif
+ #endif /* CONFIG_CTRL_IFACE */
+ 
+ 
+--- a/wpa_supplicant/ap.c
++++ b/wpa_supplicant/ap.c
+@@ -1499,7 +1499,7 @@ int wpas_ap_wps_nfc_report_handover(stru
+ #endif /* CONFIG_WPS */
+ 
+ 
+-#ifdef CONFIG_CTRL_IFACE
++#if defined(CONFIG_CTRL_IFACE) && defined(CONFIG_CTRL_IFACE_MIB)
+ 
+ int ap_ctrl_iface_sta_first(struct wpa_supplicant *wpa_s,
+ 			    char *buf, size_t buflen)

feeds/hostapd/hostapd/patches/381-hostapd_cli_UNKNOWN-COMMAND.patch

@@ -0,0 +1,11 @@
+--- a/hostapd/hostapd_cli.c
++++ b/hostapd/hostapd_cli.c
+@@ -757,7 +757,7 @@ static int wpa_ctrl_command_sta(struct w
+ 	}
+ 
+ 	buf[len] = '\0';
+-	if (memcmp(buf, "FAIL", 4) == 0)
++	if (memcmp(buf, "FAIL", 4) == 0 || memcmp(buf, "UNKNOWN COMMAND", 15) == 0)
+ 		return -1;
+ 	if (print)
+ 		printf("%s", buf);

feeds/hostapd/hostapd/patches/390-wpa_ie_cap_workaround.patch

@@ -0,0 +1,56 @@
+--- a/src/common/wpa_common.c
++++ b/src/common/wpa_common.c
+@@ -2841,6 +2841,31 @@ u32 wpa_akm_to_suite(int akm)
+ }
+ 
+ 
++static void wpa_fixup_wpa_ie_rsn(u8 *assoc_ie, const u8 *wpa_msg_ie,
++				 size_t rsn_ie_len)
++{
++	int pos, count;
++
++	pos = sizeof(struct rsn_ie_hdr) + RSN_SELECTOR_LEN;
++	if (rsn_ie_len < pos + 2)
++		return;
++
++	count = WPA_GET_LE16(wpa_msg_ie + pos);
++	pos += 2 + count * RSN_SELECTOR_LEN;
++	if (rsn_ie_len < pos + 2)
++		return;
++
++	count = WPA_GET_LE16(wpa_msg_ie + pos);
++	pos += 2 + count * RSN_SELECTOR_LEN;
++	if (rsn_ie_len < pos + 2)
++		return;
++
++	if (!assoc_ie[pos] && !assoc_ie[pos + 1] &&
++	    (wpa_msg_ie[pos] || wpa_msg_ie[pos + 1]))
++		memcpy(&assoc_ie[pos], &wpa_msg_ie[pos], 2);
++}
++
++
+ int wpa_compare_rsn_ie(int ft_initial_assoc,
+ 		       const u8 *ie1, size_t ie1len,
+ 		       const u8 *ie2, size_t ie2len)
+@@ -2848,8 +2873,19 @@ int wpa_compare_rsn_ie(int ft_initial_as
+ 	if (ie1 == NULL || ie2 == NULL)
+ 		return -1;
+ 
+-	if (ie1len == ie2len && os_memcmp(ie1, ie2, ie1len) == 0)
+-		return 0; /* identical IEs */
++	if (ie1len == ie2len) {
++		u8 *ie_tmp;
++
++		if (os_memcmp(ie1, ie2, ie1len) == 0)
++			return 0; /* identical IEs */
++
++		ie_tmp = alloca(ie1len);
++		memcpy(ie_tmp, ie1, ie1len);
++		wpa_fixup_wpa_ie_rsn(ie_tmp, ie2, ie1len);
++
++		if (os_memcmp(ie_tmp, ie2, ie1len) == 0)
++			return 0; /* only mismatch in RSN capabilties */
++	}
+ 
+ #ifdef CONFIG_IEEE80211R
+ 	if (ft_initial_assoc) {

feeds/hostapd/hostapd/patches/400-wps_single_auth_enc_type.patch

@@ -0,0 +1,23 @@
+--- a/src/ap/wps_hostapd.c
++++ b/src/ap/wps_hostapd.c
+@@ -394,9 +394,8 @@ static int hapd_wps_reconfig_in_memory(s
+ 				bss->wpa_pairwise |= WPA_CIPHER_GCMP;
+ 			else
+ 				bss->wpa_pairwise |= WPA_CIPHER_CCMP;
+-		}
+ #ifndef CONFIG_NO_TKIP
+-		if (cred->encr_type & WPS_ENCR_TKIP)
++		} else if (cred->encr_type & WPS_ENCR_TKIP)
+ 			bss->wpa_pairwise |= WPA_CIPHER_TKIP;
+ #endif /* CONFIG_NO_TKIP */
+ 		bss->rsn_pairwise = bss->wpa_pairwise;
+@@ -1181,8 +1180,7 @@ int hostapd_init_wps(struct hostapd_data
+ 					  WPA_CIPHER_GCMP_256)) {
+ 			wps->encr_types |= WPS_ENCR_AES;
+ 			wps->encr_types_rsn |= WPS_ENCR_AES;
+-		}
+-		if (conf->rsn_pairwise & WPA_CIPHER_TKIP) {
++		} else if (conf->rsn_pairwise & WPA_CIPHER_TKIP) {
+ #ifdef CONFIG_NO_TKIP
+ 			wpa_printf(MSG_INFO, "WPS: TKIP not supported");
+ 			goto fail;

feeds/hostapd/hostapd/patches/410-limit_debug_messages.patch

@@ -0,0 +1,210 @@
+--- a/src/utils/wpa_debug.c
++++ b/src/utils/wpa_debug.c
+@@ -206,7 +206,7 @@ void wpa_debug_close_linux_tracing(void)
+  *
+  * Note: New line '\n' is added to the end of the text when printing to stdout.
+  */
+-void wpa_printf(int level, const char *fmt, ...)
++void _wpa_printf(int level, const char *fmt, ...)
+ {
+ 	va_list ap;
+ 
+@@ -255,7 +255,7 @@ void wpa_printf(int level, const char *f
+ }
+ 
+ 
+-static void _wpa_hexdump(int level, const char *title, const u8 *buf,
++void _wpa_hexdump(int level, const char *title, const u8 *buf,
+ 			 size_t len, int show, int only_syslog)
+ {
+ 	size_t i;
+@@ -382,19 +382,7 @@ static void _wpa_hexdump(int level, cons
+ #endif /* CONFIG_ANDROID_LOG */
+ }
+ 
+-void wpa_hexdump(int level, const char *title, const void *buf, size_t len)
+-{
+-	_wpa_hexdump(level, title, buf, len, 1, 0);
+-}
+-
+-
+-void wpa_hexdump_key(int level, const char *title, const void *buf, size_t len)
+-{
+-	_wpa_hexdump(level, title, buf, len, wpa_debug_show_keys, 0);
+-}
+-
+-
+-static void _wpa_hexdump_ascii(int level, const char *title, const void *buf,
++void _wpa_hexdump_ascii(int level, const char *title, const void *buf,
+ 			       size_t len, int show)
+ {
+ 	size_t i, llen;
+@@ -507,20 +495,6 @@ file_done:
+ }
+ 
+ 
+-void wpa_hexdump_ascii(int level, const char *title, const void *buf,
+-		       size_t len)
+-{
+-	_wpa_hexdump_ascii(level, title, buf, len, 1);
+-}
+-
+-
+-void wpa_hexdump_ascii_key(int level, const char *title, const void *buf,
+-			   size_t len)
+-{
+-	_wpa_hexdump_ascii(level, title, buf, len, wpa_debug_show_keys);
+-}
+-
+-
+ #ifdef CONFIG_DEBUG_FILE
+ static char *last_path = NULL;
+ #endif /* CONFIG_DEBUG_FILE */
+@@ -644,7 +618,7 @@ void wpa_msg_register_ifname_cb(wpa_msg_
+ }
+ 
+ 
+-void wpa_msg(void *ctx, int level, const char *fmt, ...)
++void _wpa_msg(void *ctx, int level, const char *fmt, ...)
+ {
+ 	va_list ap;
+ 	char *buf;
+@@ -682,7 +656,7 @@ void wpa_msg(void *ctx, int level, const
+ }
+ 
+ 
+-void wpa_msg_ctrl(void *ctx, int level, const char *fmt, ...)
++void _wpa_msg_ctrl(void *ctx, int level, const char *fmt, ...)
+ {
+ 	va_list ap;
+ 	char *buf;
+--- a/src/utils/wpa_debug.h
++++ b/src/utils/wpa_debug.h
+@@ -51,6 +51,17 @@ void wpa_debug_close_file(void);
+ void wpa_debug_setup_stdout(void);
+ void wpa_debug_stop_log(void);
+ 
++/* internal */
++void _wpa_hexdump(int level, const char *title, const u8 *buf,
++		  size_t len, int show, int only_syslog);
++void _wpa_hexdump_ascii(int level, const char *title, const void *buf,
++			size_t len, int show);
++extern int wpa_debug_show_keys;
++
++#ifndef CONFIG_MSG_MIN_PRIORITY
++#define CONFIG_MSG_MIN_PRIORITY 0
++#endif
++
+ /**
+  * wpa_debug_printf_timestamp - Print timestamp for debug output
+  *
+@@ -71,9 +82,15 @@ void wpa_debug_print_timestamp(void);
+  *
+  * Note: New line '\n' is added to the end of the text when printing to stdout.
+  */
+-void wpa_printf(int level, const char *fmt, ...)
++void _wpa_printf(int level, const char *fmt, ...)
+ PRINTF_FORMAT(2, 3);
+ 
++#define wpa_printf(level, ...)						\
++	do {								\
++		if (level >= CONFIG_MSG_MIN_PRIORITY)			\
++			_wpa_printf(level, __VA_ARGS__);		\
++	} while(0)
++
+ /**
+  * wpa_hexdump - conditional hex dump
+  * @level: priority level (MSG_*) of the message
+@@ -85,7 +102,13 @@ PRINTF_FORMAT(2, 3);
+  * output may be directed to stdout, stderr, and/or syslog based on
+  * configuration. The contents of buf is printed out has hex dump.
+  */
+-void wpa_hexdump(int level, const char *title, const void *buf, size_t len);
++static inline void wpa_hexdump(int level, const char *title, const void *buf, size_t len)
++{
++	if (level < CONFIG_MSG_MIN_PRIORITY)
++		return;
++
++	_wpa_hexdump(level, title, buf, len, 1, 1);
++}
+ 
+ static inline void wpa_hexdump_buf(int level, const char *title,
+ 				   const struct wpabuf *buf)
+@@ -107,7 +130,13 @@ static inline void wpa_hexdump_buf(int l
+  * like wpa_hexdump(), but by default, does not include secret keys (passwords,
+  * etc.) in debug output.
+  */
+-void wpa_hexdump_key(int level, const char *title, const void *buf, size_t len);
++static inline void wpa_hexdump_key(int level, const char *title, const u8 *buf, size_t len)
++{
++	if (level < CONFIG_MSG_MIN_PRIORITY)
++		return;
++
++	_wpa_hexdump(level, title, buf, len, wpa_debug_show_keys, 1);
++}
+ 
+ static inline void wpa_hexdump_buf_key(int level, const char *title,
+ 				       const struct wpabuf *buf)
+@@ -129,8 +158,14 @@ static inline void wpa_hexdump_buf_key(i
+  * the hex numbers and ASCII characters (for printable range) are shown. 16
+  * bytes per line will be shown.
+  */
+-void wpa_hexdump_ascii(int level, const char *title, const void *buf,
+-		       size_t len);
++static inline void wpa_hexdump_ascii(int level, const char *title,
++				     const u8 *buf, size_t len)
++{
++	if (level < CONFIG_MSG_MIN_PRIORITY)
++		return;
++
++	_wpa_hexdump_ascii(level, title, buf, len, 1);
++}
+ 
+ /**
+  * wpa_hexdump_ascii_key - conditional hex dump, hide keys
+@@ -146,8 +181,14 @@ void wpa_hexdump_ascii(int level, const
+  * bytes per line will be shown. This works like wpa_hexdump_ascii(), but by
+  * default, does not include secret keys (passwords, etc.) in debug output.
+  */
+-void wpa_hexdump_ascii_key(int level, const char *title, const void *buf,
+-			   size_t len);
++static inline void wpa_hexdump_ascii_key(int level, const char *title,
++					 const u8 *buf, size_t len)
++{
++	if (level < CONFIG_MSG_MIN_PRIORITY)
++		return;
++
++	_wpa_hexdump_ascii(level, title, buf, len, wpa_debug_show_keys);
++}
+ 
+ /*
+  * wpa_dbg() behaves like wpa_msg(), but it can be removed from build to reduce
+@@ -184,7 +225,12 @@ void wpa_hexdump_ascii_key(int level, co
+  *
+  * Note: New line '\n' is added to the end of the text when printing to stdout.
+  */
+-void wpa_msg(void *ctx, int level, const char *fmt, ...) PRINTF_FORMAT(3, 4);
++void _wpa_msg(void *ctx, int level, const char *fmt, ...) PRINTF_FORMAT(3, 4);
++#define wpa_msg(ctx, level, ...)					\
++	do {								\
++		if (level >= CONFIG_MSG_MIN_PRIORITY)			\
++			_wpa_msg(ctx, level, __VA_ARGS__);		\
++	} while(0)
+ 
+ /**
+  * wpa_msg_ctrl - Conditional printf for ctrl_iface monitors
+@@ -198,8 +244,13 @@ void wpa_msg(void *ctx, int level, const
+  * attached ctrl_iface monitors. In other words, it can be used for frequent
+  * events that do not need to be sent to syslog.
+  */
+-void wpa_msg_ctrl(void *ctx, int level, const char *fmt, ...)
++void _wpa_msg_ctrl(void *ctx, int level, const char *fmt, ...)
+ PRINTF_FORMAT(3, 4);
++#define wpa_msg_ctrl(ctx, level, ...)					\
++	do {								\
++		if (level >= CONFIG_MSG_MIN_PRIORITY)			\
++			_wpa_msg_ctrl(ctx, level, __VA_ARGS__);		\
++	} while(0)
+ 
+ /**
+  * wpa_msg_global - Global printf for ctrl_iface monitors

feeds/hostapd/hostapd/patches/420-indicate-features.patch

@@ -0,0 +1,63 @@
+--- a/hostapd/main.c
++++ b/hostapd/main.c
+@@ -31,7 +31,7 @@
+ #include "config_file.h"
+ #include "eap_register.h"
+ #include "ctrl_iface.h"
+-
++#include "build_features.h"
+ 
+ struct hapd_global {
+ 	void **drv_priv;
+@@ -799,7 +799,7 @@ int main(int argc, char *argv[])
+ 	wpa_supplicant_event = hostapd_wpa_event;
+ 	wpa_supplicant_event_global = hostapd_wpa_event_global;
+ 	for (;;) {
+-		c = getopt(argc, argv, "b:Bde:f:hi:KP:sSTtu:vg:G:q");
++		c = getopt(argc, argv, "b:Bde:f:hi:KP:sSTtu:g:G:qv::");
+ 		if (c < 0)
+ 			break;
+ 		switch (c) {
+@@ -836,6 +836,8 @@ int main(int argc, char *argv[])
+ 			break;
+ #endif /* CONFIG_DEBUG_LINUX_TRACING */
+ 		case 'v':
++			if (optarg)
++				exit(!has_feature(optarg));
+ 			show_version();
+ 			exit(1);
+ 		case 'g':
+--- a/wpa_supplicant/main.c
++++ b/wpa_supplicant/main.c
+@@ -12,6 +12,7 @@
+ #endif /* __linux__ */
+ 
+ #include "common.h"
++#include "build_features.h"
+ #include "crypto/crypto.h"
+ #include "fst/fst.h"
+ #include "wpa_supplicant_i.h"
+@@ -202,7 +203,7 @@ int main(int argc, char *argv[])
+ 
+ 	for (;;) {
+ 		c = getopt(argc, argv,
+-			   "b:Bc:C:D:de:f:g:G:hi:I:KLMm:No:O:p:P:qsTtuvW");
++			   "b:Bc:C:D:de:f:g:G:hi:I:KLMm:No:O:p:P:qsTtuv::W");
+ 		if (c < 0)
+ 			break;
+ 		switch (c) {
+@@ -302,8 +303,12 @@ int main(int argc, char *argv[])
+ 			break;
+ #endif /* CONFIG_CTRL_IFACE_DBUS_NEW */
+ 		case 'v':
+-			printf("%s\n", wpa_supplicant_version);
+-			exitcode = 0;
++			if (optarg) {
++				exitcode = !has_feature(optarg);
++			} else {
++				printf("%s\n", wpa_supplicant_version);
++				exitcode = 0;
++			}
+ 			goto out;
+ 		case 'W':
+ 			params.wait_for_monitor++;

feeds/hostapd/hostapd/patches/430-hostapd_cli_ifdef.patch

@@ -0,0 +1,56 @@
+--- a/hostapd/hostapd_cli.c
++++ b/hostapd/hostapd_cli.c
+@@ -401,7 +401,6 @@ static int hostapd_cli_cmd_disassociate(
+ }
+ 
+ 
+-#ifdef CONFIG_TAXONOMY
+ static int hostapd_cli_cmd_signature(struct wpa_ctrl *ctrl, int argc,
+ 				     char *argv[])
+ {
+@@ -414,7 +413,6 @@ static int hostapd_cli_cmd_signature(str
+ 	os_snprintf(buf, sizeof(buf), "SIGNATURE %s", argv[0]);
+ 	return wpa_ctrl_command(ctrl, buf);
+ }
+-#endif /* CONFIG_TAXONOMY */
+ 
+ 
+ static int hostapd_cli_cmd_sa_query(struct wpa_ctrl *ctrl, int argc,
+@@ -431,7 +429,6 @@ static int hostapd_cli_cmd_sa_query(stru
+ }
+ 
+ 
+-#ifdef CONFIG_WPS
+ static int hostapd_cli_cmd_wps_pin(struct wpa_ctrl *ctrl, int argc,
+ 				   char *argv[])
+ {
+@@ -657,7 +654,6 @@ static int hostapd_cli_cmd_wps_config(st
+ 			 ssid_hex, argv[1]);
+ 	return wpa_ctrl_command(ctrl, buf);
+ }
+-#endif /* CONFIG_WPS */
+ 
+ 
+ static int hostapd_cli_cmd_disassoc_imminent(struct wpa_ctrl *ctrl, int argc,
+@@ -1610,13 +1606,10 @@ static const struct hostapd_cli_cmd host
+ 	{ "disassociate", hostapd_cli_cmd_disassociate,
+ 	  hostapd_complete_stations,
+ 	  "<addr> = disassociate a station" },
+-#ifdef CONFIG_TAXONOMY
+ 	{ "signature", hostapd_cli_cmd_signature, hostapd_complete_stations,
+ 	  "<addr> = get taxonomy signature for a station" },
+-#endif /* CONFIG_TAXONOMY */
+ 	{ "sa_query", hostapd_cli_cmd_sa_query, hostapd_complete_stations,
+ 	  "<addr> = send SA Query to a station" },
+-#ifdef CONFIG_WPS
+ 	{ "wps_pin", hostapd_cli_cmd_wps_pin, NULL,
+ 	  "<uuid> <pin> [timeout] [addr] = add WPS Enrollee PIN" },
+ 	{ "wps_check_pin", hostapd_cli_cmd_wps_check_pin, NULL,
+@@ -1641,7 +1634,6 @@ static const struct hostapd_cli_cmd host
+ 	  "<SSID> <auth> <encr> <key> = configure AP" },
+ 	{ "wps_get_status", hostapd_cli_cmd_wps_get_status, NULL,
+ 	  "= show current WPS status" },
+-#endif /* CONFIG_WPS */
+ 	{ "disassoc_imminent", hostapd_cli_cmd_disassoc_imminent, NULL,
+ 	  "= send Disassociation Imminent notification" },
+ 	{ "ess_disassoc", hostapd_cli_cmd_ess_disassoc, NULL,

feeds/hostapd/hostapd/patches/460-wpa_supplicant-add-new-config-params-to-be-used-with.patch

@@ -0,0 +1,189 @@
+From 4bb69d15477e0f2b00e166845341dc933de47c58 Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <ordex@autistici.org>
+Date: Sun, 3 Jun 2012 18:22:56 +0200
+Subject: [PATCHv2 601/602] wpa_supplicant: add new config params to be used
+ with the ibss join command
+
+Signed-hostap: Antonio Quartulli <ordex@autistici.org>
+---
+ src/drivers/driver.h            |    6 +++
+ wpa_supplicant/config.c         |   96 +++++++++++++++++++++++++++++++++++++++
+ wpa_supplicant/config_ssid.h    |    6 +++
+ wpa_supplicant/wpa_supplicant.c |   23 +++++++---
+ 4 files changed, 124 insertions(+), 7 deletions(-)
+
+--- a/src/drivers/driver.h
++++ b/src/drivers/driver.h
+@@ -19,6 +19,7 @@
+ 
+ #define WPA_SUPPLICANT_DRIVER_VERSION 4
+ 
++#include "ap/sta_info.h"
+ #include "common/defs.h"
+ #include "common/ieee802_11_defs.h"
+ #include "common/wpa_common.h"
+@@ -953,6 +954,9 @@ struct wpa_driver_associate_params {
+ 	 * responsible for selecting with which BSS to associate. */
+ 	const u8 *bssid;
+ 
++	unsigned char rates[WLAN_SUPP_RATES_MAX];
++	int mcast_rate;
++
+ 	/**
+ 	 * bssid_hint - BSSID of a proposed AP
+ 	 *
+--- a/wpa_supplicant/config.c
++++ b/wpa_supplicant/config.c
+@@ -18,6 +18,7 @@
+ #include "eap_peer/eap.h"
+ #include "p2p/p2p.h"
+ #include "fst/fst.h"
++#include "ap/sta_info.h"
+ #include "config.h"
+ 
+ 
+@@ -2389,6 +2390,97 @@ static char * wpa_config_write_mac_value
+ #endif /* NO_CONFIG_WRITE */
+ 
+ 
++static int wpa_config_parse_mcast_rate(const struct parse_data *data,
++				       struct wpa_ssid *ssid, int line,
++				       const char *value)
++{
++	ssid->mcast_rate = (int)(strtod(value, NULL) * 10);
++
++	return 0;
++}
++
++#ifndef NO_CONFIG_WRITE
++static char * wpa_config_write_mcast_rate(const struct parse_data *data,
++					  struct wpa_ssid *ssid)
++{
++	char *value;
++	int res;
++
++	if (!ssid->mcast_rate == 0)
++		return NULL;
++
++	value = os_malloc(6); /* longest: 300.0 */
++	if (value == NULL)
++		return NULL;
++	res = os_snprintf(value, 5, "%.1f", (double)ssid->mcast_rate / 10);
++	if (res < 0) {
++		os_free(value);
++		return NULL;
++	}
++	return value;
++}
++#endif /* NO_CONFIG_WRITE */
++
++static int wpa_config_parse_rates(const struct parse_data *data,
++				  struct wpa_ssid *ssid, int line,
++				  const char *value)
++{
++	int i;
++	char *pos, *r, *sptr, *end;
++	double rate;
++
++	pos = (char *)value;
++	r = strtok_r(pos, ",", &sptr);
++	i = 0;
++	while (pos && i < WLAN_SUPP_RATES_MAX) {
++		rate = 0.0;
++		if (r)
++			rate = strtod(r, &end);
++		ssid->rates[i] = rate * 2;
++		if (*end != '\0' || rate * 2 != ssid->rates[i])
++			return 1;
++
++		i++;
++		r = strtok_r(NULL, ",", &sptr);
++	}
++
++	return 0;
++}
++
++#ifndef NO_CONFIG_WRITE
++static char * wpa_config_write_rates(const struct parse_data *data,
++				     struct wpa_ssid *ssid)
++{
++	char *value, *pos;
++	int res, i;
++
++	if (ssid->rates[0] <= 0)
++		return NULL;
++
++	value = os_malloc(6 * WLAN_SUPP_RATES_MAX + 1);
++	if (value == NULL)
++		return NULL;
++	pos = value;
++	for (i = 0; i < WLAN_SUPP_RATES_MAX - 1; i++) {
++		res = os_snprintf(pos, 6, "%.1f,", (double)ssid->rates[i] / 2);
++		if (res < 0) {
++			os_free(value);
++			return NULL;
++		}
++		pos += res;
++	}
++	res = os_snprintf(pos, 6, "%.1f",
++			  (double)ssid->rates[WLAN_SUPP_RATES_MAX - 1] / 2);
++	if (res < 0) {
++		os_free(value);
++		return NULL;
++	}
++
++	value[6 * WLAN_SUPP_RATES_MAX] = '\0';
++	return value;
++}
++#endif /* NO_CONFIG_WRITE */
++
+ /* Helper macros for network block parser */
+ 
+ #ifdef OFFSET
+@@ -2674,6 +2766,8 @@ static const struct parse_data ssid_fiel
+ 	{ INT(ap_max_inactivity) },
+ 	{ INT(dtim_period) },
+ 	{ INT(beacon_int) },
++	{ FUNC(rates) },
++	{ FUNC(mcast_rate) },
+ #ifdef CONFIG_MACSEC
+ 	{ INT_RANGE(macsec_policy, 0, 1) },
+ 	{ INT_RANGE(macsec_integ_only, 0, 1) },
+--- a/wpa_supplicant/config_ssid.h
++++ b/wpa_supplicant/config_ssid.h
+@@ -10,8 +10,10 @@
+ #define CONFIG_SSID_H
+ 
+ #include "common/defs.h"
++#include "ap/sta_info.h"
+ #include "utils/list.h"
+ #include "eap_peer/eap_config.h"
++#include "drivers/nl80211_copy.h"
+ 
+ 
+ #define DEFAULT_EAP_WORKAROUND ((unsigned int) -1)
+@@ -879,6 +881,9 @@ struct wpa_ssid {
+ 	 */
+ 	void *parent_cred;
+ 
++	unsigned char rates[WLAN_SUPP_RATES_MAX];
++	double mcast_rate;
++
+ #ifdef CONFIG_MACSEC
+ 	/**
+ 	 * macsec_policy - Determines the policy for MACsec secure session
+--- a/wpa_supplicant/wpa_supplicant.c
++++ b/wpa_supplicant/wpa_supplicant.c
+@@ -4175,6 +4175,12 @@ static void wpas_start_assoc_cb(struct w
+ 			params.beacon_int = ssid->beacon_int;
+ 		else
+ 			params.beacon_int = wpa_s->conf->beacon_int;
++		int i = 0;
++		while (i < WLAN_SUPP_RATES_MAX) {
++			params.rates[i] = ssid->rates[i];
++			i++;
++		}
++		params.mcast_rate = ssid->mcast_rate;
+ 	}
+ 
+ 	if (bss && ssid->enable_edmg)

feeds/hostapd/hostapd/patches/463-add-mcast_rate-to-11s.patch

@@ -0,0 +1,68 @@
+From: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Date: Thu, 11 May 2017 08:21:45 +0200
+Subject: [PATCH] set mcast_rate in mesh mode
+
+The wpa_supplicant code for IBSS allows to set the mcast rate. It is
+recommended to increase this value from 1 or 6 Mbit/s to something higher
+when using a mesh protocol on top which uses the multicast packet loss as
+indicator for the link quality.
+
+This setting was unfortunately not applied for mesh mode. But it would be
+beneficial when wpa_supplicant would behave similar to IBSS mode and set
+this argument during mesh join like authsae already does. At least it is
+helpful for companies/projects which are currently switching to 802.11s
+(without mesh_fwding and with mesh_ttl set to 1) as replacement for IBSS
+because newer drivers seem to support 802.11s but not IBSS anymore.
+
+Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
+Tested-by: Simon Wunderlich <simon.wunderlich@openmesh.com>
+
+--- a/src/drivers/driver.h
++++ b/src/drivers/driver.h
+@@ -1827,6 +1827,7 @@ struct wpa_driver_mesh_join_params {
+ #define WPA_DRIVER_MESH_FLAG_AMPE	0x00000008
+ 	unsigned int flags;
+ 	bool handle_dfs;
++	int mcast_rate;
+ };
+ 
+ struct wpa_driver_set_key_params {
+--- a/src/drivers/driver_nl80211.c
++++ b/src/drivers/driver_nl80211.c
+@@ -11667,6 +11667,18 @@ static int nl80211_put_mesh_id(struct nl
+ }
+ 
+ 
++static int nl80211_put_mcast_rate(struct nl_msg *msg, int mcast_rate)
++{
++	if (mcast_rate > 0) {
++		wpa_printf(MSG_DEBUG, "  * mcast_rate=%.1f",
++			   (double)mcast_rate / 10);
++		return nla_put_u32(msg, NL80211_ATTR_MCAST_RATE, mcast_rate);
++	}
++
++	return 0;
++}
++
++
+ static int nl80211_put_mesh_config(struct nl_msg *msg,
+ 				   struct wpa_driver_mesh_bss_params *params)
+ {
+@@ -11728,6 +11740,7 @@ static int nl80211_join_mesh(struct i802
+ 	    nl80211_put_basic_rates(msg, params->basic_rates) ||
+ 	    nl80211_put_mesh_id(msg, params->meshid, params->meshid_len) ||
+ 	    nl80211_put_beacon_int(msg, params->beacon_int) ||
++	    nl80211_put_mcast_rate(msg, params->mcast_rate) ||
+ 	    nl80211_put_dtim_period(msg, params->dtim_period))
+ 		goto fail;
+ 
+--- a/wpa_supplicant/mesh.c
++++ b/wpa_supplicant/mesh.c
+@@ -632,6 +632,7 @@ int wpa_supplicant_join_mesh(struct wpa_
+ 
+ 	params->meshid = ssid->ssid;
+ 	params->meshid_len = ssid->ssid_len;
++	params->mcast_rate = ssid->mcast_rate;
+ 	ibss_mesh_setup_freq(wpa_s, ssid, &params->freq);
+ 	wpa_s->mesh_ht_enabled = !!params->freq.ht_enabled;
+ 	wpa_s->mesh_vht_enabled = !!params->freq.vht_enabled;

feeds/hostapd/hostapd/patches/464-fix-mesh-obss-check.patch

@@ -0,0 +1,13 @@
+--- a/wpa_supplicant/wpa_supplicant.c
++++ b/wpa_supplicant/wpa_supplicant.c
+@@ -3040,6 +3040,10 @@ void ibss_mesh_setup_freq(struct wpa_sup
+ 
+ 	freq->freq = ssid->frequency;
+ 
++	if (ssid->fixed_freq) {
++		obss_scan = 0;
++	}
++
+ 	if (ssid->mode == WPAS_MODE_IBSS && !ssid->fixed_freq) {
+ 		struct wpa_bss *bss = ibss_find_existing_bss(wpa_s, ssid);
+ 

feeds/hostapd/hostapd/patches/465-hostapd-config-support-random-BSS-color.patch

@@ -0,0 +1,24 @@
+From c9304d3303d563ad6d2619f4e07864ed12f96889 Mon Sep 17 00:00:00 2001
+From: David Bauer <mail@david-bauer.net>
+Date: Sat, 14 May 2022 21:41:03 +0200
+Subject: [PATCH] hostapd: config: support random BSS color
+
+Configure the HE BSS color to a random value in case the config defines
+a BSS color which exceeds the max BSS color (63).
+
+Signed-off-by: David Bauer <mail@david-bauer.net>
+---
+ hostapd/config_file.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/hostapd/config_file.c
++++ b/hostapd/config_file.c
+@@ -3500,6 +3500,8 @@ static int hostapd_config_fill(struct ho
+ 	} else if (os_strcmp(buf, "he_bss_color") == 0) {
+ 		conf->he_op.he_bss_color = atoi(pos) & 0x3f;
+ 		conf->he_op.he_bss_color_disabled = 0;
++		if (atoi(pos) > 63)
++			conf->he_op.he_bss_color = os_random() % 63 + 1;
+ 	} else if (os_strcmp(buf, "he_bss_color_partial") == 0) {
+ 		conf->he_op.he_bss_color_partial = atoi(pos);
+ 	} else if (os_strcmp(buf, "he_default_pe_duration") == 0) {

feeds/hostapd/hostapd/patches/470-survey_data_fallback.patch

@@ -0,0 +1,30 @@
+--- a/src/ap/acs.c
++++ b/src/ap/acs.c
+@@ -455,17 +455,17 @@ static int acs_get_bw_center_chan(int fr
+ static int acs_survey_is_sufficient(struct freq_survey *survey)
+ {
+ 	if (!(survey->filled & SURVEY_HAS_NF)) {
++		survey->nf = -95;
+ 		wpa_printf(MSG_INFO,
+ 			   "ACS: Survey for freq %d is missing noise floor",
+ 			   survey->freq);
+-		return 0;
+ 	}
+ 
+ 	if (!(survey->filled & SURVEY_HAS_CHAN_TIME)) {
++		survey->channel_time = 0;
+ 		wpa_printf(MSG_INFO,
+ 			   "ACS: Survey for freq %d is missing channel time",
+ 			   survey->freq);
+-		return 0;
+ 	}
+ 
+ 	if (!(survey->filled & SURVEY_HAS_CHAN_TIME_BUSY) &&
+@@ -473,7 +473,6 @@ static int acs_survey_is_sufficient(stru
+ 		wpa_printf(MSG_INFO,
+ 			   "ACS: Survey for freq %d is missing RX and busy time (at least one is required)",
+ 			   survey->freq);
+-		return 0;
+ 	}
+ 
+ 	return 1;

feeds/hostapd/hostapd/patches/500-lto-jobserver-support.patch

@@ -0,0 +1,59 @@
+--- a/hostapd/Makefile
++++ b/hostapd/Makefile
+@@ -1396,7 +1396,7 @@ hostapd_multi.a: $(BCHECK) $(OBJS)
+ 	@$(AR) cr $@ hostapd_multi.o $(OBJS)
+ 
+ hostapd: $(OBJS)
+-	$(Q)$(CC) $(LDFLAGS) -o hostapd $(OBJS) $(LIBS)
++	+$(Q)$(CC) $(LDFLAGS) -o hostapd $(OBJS) $(LIBS)
+ 	@$(E) "  LD " $@
+ 
+ ifdef CONFIG_WPA_TRACE
+@@ -1407,7 +1407,7 @@ _OBJS_VAR := OBJS_c
+ include ../src/objs.mk
+ 
+ hostapd_cli: $(OBJS_c)
+-	$(Q)$(CC) $(LDFLAGS) -o hostapd_cli $(OBJS_c) $(LIBS_c)
++	+$(Q)$(CC) $(LDFLAGS) -o hostapd_cli $(OBJS_c) $(LIBS_c)
+ 	@$(E) "  LD " $@
+ 
+ NOBJS = nt_password_hash.o ../src/crypto/ms_funcs.o $(SHA1OBJS)
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -2037,31 +2037,31 @@ wpa_supplicant_multi.a: .config $(BCHECK
+ 	@$(AR) cr $@ wpa_supplicant_multi.o $(OBJS)
+ 
+ wpa_supplicant: $(BCHECK) $(OBJS) $(EXTRA_progs)
+-	$(Q)$(LDO) $(LDFLAGS) -o wpa_supplicant $(OBJS) $(LIBS) $(EXTRALIBS)
++	+$(Q)$(LDO) $(LDFLAGS) -o wpa_supplicant $(OBJS) $(LIBS) $(EXTRALIBS)
+ 	@$(E) "  LD " $@
+ 
+ _OBJS_VAR := OBJS_t
+ include ../src/objs.mk
+ eapol_test: $(OBJS_t)
+-	$(Q)$(LDO) $(LDFLAGS) -o eapol_test $(OBJS_t) $(LIBS)
++	+$(Q)$(LDO) $(LDFLAGS) -o eapol_test $(OBJS_t) $(LIBS)
+ 	@$(E) "  LD " $@
+ 
+ _OBJS_VAR := OBJS_t2
+ include ../src/objs.mk
+ preauth_test: $(OBJS_t2)
+-	$(Q)$(LDO) $(LDFLAGS) -o preauth_test $(OBJS_t2) $(LIBS)
++	+$(Q)$(LDO) $(LDFLAGS) -o preauth_test $(OBJS_t2) $(LIBS)
+ 	@$(E) "  LD " $@
+ 
+ _OBJS_VAR := OBJS_p
+ include ../src/objs.mk
+ wpa_passphrase: $(OBJS_p)
+-	$(Q)$(LDO) $(LDFLAGS) -o wpa_passphrase $(OBJS_p) $(LIBS_p) $(LIBS)
++	+$(Q)$(LDO) $(LDFLAGS) -o wpa_passphrase $(OBJS_p) $(LIBS_p) $(LIBS)
+ 	@$(E) "  LD " $@
+ 
+ _OBJS_VAR := OBJS_c
+ include ../src/objs.mk
+ wpa_cli: $(OBJS_c)
+-	$(Q)$(LDO) $(LDFLAGS) -o wpa_cli $(OBJS_c) $(LIBS_c)
++	+$(Q)$(LDO) $(LDFLAGS) -o wpa_cli $(OBJS_c) $(LIBS_c)
+ 	@$(E) "  LD " $@
+ 
+ LIBCTRL += ../src/common/wpa_ctrl.o

feeds/hostapd/hostapd/patches/590-rrm-wnm-statistics.patch

@@ -0,0 +1,92 @@
+--- a/src/ap/hostapd.h
++++ b/src/ap/hostapd.h
+@@ -163,6 +163,21 @@ struct hostapd_sae_commit_queue {
+ };
+ 
+ /**
++ * struct hostapd_openwrt_stats - OpenWrt custom STA/AP statistics
++ */
++struct hostapd_openwrt_stats {
++	struct {
++		u64 neighbor_report_tx;
++	} rrm;
++
++	struct {
++		u64 bss_transition_query_rx;
++		u64 bss_transition_request_tx;
++		u64 bss_transition_response_rx;
++	} wnm;
++};
++
++/**
+  * struct hostapd_data - hostapd per-BSS data structure
+  */
+ struct hostapd_data {
+@@ -182,6 +197,9 @@ struct hostapd_data {
+ 
+ 	struct hostapd_data *mld_first_bss;
+ 
++	/* OpenWrt specific statistics */
++	struct hostapd_openwrt_stats openwrt_stats;
++
+ 	int num_sta; /* number of entries in sta_list */
+ 	struct sta_info *sta_list; /* STA info list head */
+ #define STA_HASH_SIZE 256
+--- a/src/ap/wnm_ap.c
++++ b/src/ap/wnm_ap.c
+@@ -386,6 +386,7 @@ static int ieee802_11_send_bss_trans_mgm
+ 	mgmt->u.action.u.bss_tm_req.validity_interval = 1;
+ 	pos = mgmt->u.action.u.bss_tm_req.variable;
+ 
++	hapd->openwrt_stats.wnm.bss_transition_request_tx++;
+ 	wpa_printf(MSG_DEBUG, "WNM: Send BSS Transition Management Request to "
+ 		   MACSTR " dialog_token=%u req_mode=0x%x disassoc_timer=%u "
+ 		   "validity_interval=%u",
+@@ -790,10 +791,12 @@ int ieee802_11_rx_wnm_action_ap(struct h
+ 					       plen);
+ 		return 0;
+ 	case WNM_BSS_TRANS_MGMT_QUERY:
++		hapd->openwrt_stats.wnm.bss_transition_query_rx++;
+ 		ieee802_11_rx_bss_trans_mgmt_query(hapd, mgmt->sa, payload,
+ 						   plen);
+ 		return 0;
+ 	case WNM_BSS_TRANS_MGMT_RESP:
++		hapd->openwrt_stats.wnm.bss_transition_response_rx++;
+ 		ieee802_11_rx_bss_trans_mgmt_resp(hapd, mgmt->sa, payload,
+ 						  plen);
+ 		return 0;
+@@ -840,6 +843,7 @@ int wnm_send_disassoc_imminent(struct ho
+ 
+ 	pos = mgmt->u.action.u.bss_tm_req.variable;
+ 
++	hapd->openwrt_stats.wnm.bss_transition_request_tx++;
+ 	wpa_printf(MSG_DEBUG, "WNM: Send BSS Transition Management Request frame to indicate imminent disassociation (disassoc_timer=%d) to "
+ 		   MACSTR, disassoc_timer, MAC2STR(sta->addr));
+ 	if (hostapd_drv_send_mlme(hapd, buf, pos - buf, 0, NULL, 0, 0) < 0) {
+@@ -921,6 +925,7 @@ int wnm_send_ess_disassoc_imminent(struc
+ 		return -1;
+ 	}
+ 
++	hapd->openwrt_stats.wnm.bss_transition_request_tx++;
+ 	if (disassoc_timer) {
+ 		/* send disassociation frame after time-out */
+ 		set_disassoc_timer(hapd, sta, disassoc_timer);
+@@ -1001,6 +1006,7 @@ int wnm_send_bss_tm_req(struct hostapd_d
+ 	}
+ 	os_free(buf);
+ 
++	hapd->openwrt_stats.wnm.bss_transition_request_tx++;
+ 	if (disassoc_timer) {
+ 		/* send disassociation frame after time-out */
+ 		set_disassoc_timer(hapd, sta, disassoc_timer);
+--- a/src/ap/rrm.c
++++ b/src/ap/rrm.c
+@@ -269,6 +269,8 @@ static void hostapd_send_nei_report_resp
+ 		}
+ 	}
+ 
++	hapd->openwrt_stats.rrm.neighbor_report_tx++;
++
+ 	hostapd_drv_send_action(hapd, hapd->iface->freq, 0, addr,
+ 				wpabuf_head(buf), wpabuf_len(buf));
+ 	wpabuf_free(buf);

feeds/hostapd/hostapd/patches/600-ubus_support.patch

@@ -0,0 +1,738 @@
+--- a/hostapd/Makefile
++++ b/hostapd/Makefile
+@@ -166,6 +166,12 @@ OBJS += ../src/common/hw_features_common
+ 
+ OBJS += ../src/eapol_auth/eapol_auth_sm.o
+ 
++ifdef CONFIG_UBUS
++CFLAGS += -DUBUS_SUPPORT
++OBJS += ../src/utils/uloop.o
++OBJS += ../src/ap/ubus.o
++LIBS += -lubox -lubus
++endif
+ 
+ ifdef CONFIG_CODE_COVERAGE
+ CFLAGS += -O0 -fprofile-arcs -ftest-coverage
+--- a/src/ap/hostapd.h
++++ b/src/ap/hostapd.h
+@@ -18,6 +18,7 @@
+ #include "utils/list.h"
+ #include "ap_config.h"
+ #include "drivers/driver.h"
++#include "ubus.h"
+ 
+ #define OCE_STA_CFON_ENABLED(hapd) \
+ 	((hapd->conf->oce & OCE_STA_CFON) && \
+@@ -184,6 +185,7 @@ struct hostapd_data {
+ 	struct hostapd_iface *iface;
+ 	struct hostapd_config *iconf;
+ 	struct hostapd_bss_config *conf;
++	struct hostapd_ubus_bss ubus;
+ 	int interface_added; /* virtual interface added for this BSS */
+ 	unsigned int started:1;
+ 	unsigned int disabled:1;
+@@ -695,6 +697,7 @@ hostapd_alloc_bss_data(struct hostapd_if
+ 		       struct hostapd_bss_config *bss);
+ int hostapd_setup_interface(struct hostapd_iface *iface);
+ int hostapd_setup_interface_complete(struct hostapd_iface *iface, int err);
++void hostapd_set_own_neighbor_report(struct hostapd_data *hapd);
+ void hostapd_interface_deinit(struct hostapd_iface *iface);
+ void hostapd_interface_free(struct hostapd_iface *iface);
+ struct hostapd_iface * hostapd_alloc_iface(void);
+--- a/src/ap/hostapd.c
++++ b/src/ap/hostapd.c
+@@ -435,6 +435,7 @@ void hostapd_free_hapd_data(struct hosta
+ 	hapd->beacon_set_done = 0;
+ 
+ 	wpa_printf(MSG_DEBUG, "%s(%s)", __func__, hapd->conf->iface);
++	hostapd_ubus_free_bss(hapd);
+ 	accounting_deinit(hapd);
+ 	hostapd_deinit_wpa(hapd);
+ 	vlan_deinit(hapd);
+@@ -1187,6 +1188,8 @@ static int hostapd_start_beacon(struct h
+ 	if (hapd->driver && hapd->driver->set_operstate)
+ 		hapd->driver->set_operstate(hapd->drv_priv, 1);
+ 
++	hostapd_ubus_add_bss(hapd);
++
+ 	return 0;
+ }
+ 
+@@ -2275,6 +2278,7 @@ static int hostapd_setup_interface_compl
+ 	if (err)
+ 		goto fail;
+ 
++	hostapd_ubus_add_iface(iface);
+ 	wpa_printf(MSG_DEBUG, "Completing interface initialization");
+ 	if (iface->freq) {
+ #ifdef NEED_AP_MLME
+@@ -2494,6 +2498,7 @@ dfs_offload:
+ 
+ fail:
+ 	wpa_printf(MSG_ERROR, "Interface initialization failed");
++	hostapd_ubus_free_iface(iface);
+ 
+ 	if (iface->is_no_ir) {
+ 		hostapd_set_state(iface, HAPD_IFACE_NO_IR);
+@@ -2984,6 +2989,7 @@ void hostapd_interface_deinit_free(struc
+ 		   (unsigned int) iface->conf->num_bss);
+ 	driver = iface->bss[0]->driver;
+ 	drv_priv = iface->bss[0]->drv_priv;
++	hostapd_ubus_free_iface(iface);
+ 	hostapd_interface_deinit(iface);
+ 	wpa_printf(MSG_DEBUG, "%s: driver=%p drv_priv=%p -> hapd_deinit",
+ 		   __func__, driver, drv_priv);
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -2786,7 +2786,7 @@ static void handle_auth(struct hostapd_d
+ 	u16 auth_alg, auth_transaction, status_code;
+ 	u16 resp = WLAN_STATUS_SUCCESS;
+ 	struct sta_info *sta = NULL;
+-	int res, reply_res;
++	int res, reply_res, ubus_resp;
+ 	u16 fc;
+ 	const u8 *challenge = NULL;
+ 	u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN];
+@@ -2795,6 +2795,11 @@ static void handle_auth(struct hostapd_d
+ 	struct radius_sta rad_info;
+ 	const u8 *dst, *sa, *bssid;
+ 	bool mld_sta = false;
++	struct hostapd_ubus_request req = {
++		.type = HOSTAPD_UBUS_AUTH_REQ,
++		.mgmt_frame = mgmt,
++		.ssi_signal = rssi,
++	};
+ 
+ 	if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
+ 		wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
+@@ -2986,6 +2991,13 @@ static void handle_auth(struct hostapd_d
+ 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
+ 		goto fail;
+ 	}
++	ubus_resp = hostapd_ubus_handle_event(hapd, &req);
++	if (0 && ubus_resp) {
++		wpa_printf(MSG_DEBUG, "Station " MACSTR " rejected by ubus handler.\n",
++			MAC2STR(mgmt->sa));
++		resp = ubus_resp > 0 ? (u16) ubus_resp : WLAN_STATUS_UNSPECIFIED_FAILURE;
++		goto fail;
++	}
+ 	if (res == HOSTAPD_ACL_PENDING)
+ 		return;
+ 
+@@ -5161,7 +5173,7 @@ static void handle_assoc(struct hostapd_
+ 	int resp = WLAN_STATUS_SUCCESS;
+ 	u16 reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
+ 	const u8 *pos;
+-	int left, i;
++	int left, i, ubus_resp;
+ 	struct sta_info *sta;
+ 	u8 *tmp = NULL;
+ #ifdef CONFIG_FILS
+@@ -5374,6 +5386,11 @@ static void handle_assoc(struct hostapd_
+ 		left = res;
+ 	}
+ #endif /* CONFIG_FILS */
++	struct hostapd_ubus_request req = {
++		.type = HOSTAPD_UBUS_ASSOC_REQ,
++		.mgmt_frame = mgmt,
++		.ssi_signal = rssi,
++	};
+ 
+ 	/* followed by SSID and Supported rates; and HT capabilities if 802.11n
+ 	 * is used */
+@@ -5472,6 +5489,13 @@ static void handle_assoc(struct hostapd_
+ 	}
+ #endif /* CONFIG_FILS */
+ 
++	ubus_resp = hostapd_ubus_handle_event(hapd, &req);
++	if (0 && ubus_resp) {
++		wpa_printf(MSG_DEBUG, "Station " MACSTR " assoc rejected by ubus handler.\n",
++		       MAC2STR(mgmt->sa));
++		resp = ubus_resp > 0 ? (u16) ubus_resp : WLAN_STATUS_UNSPECIFIED_FAILURE;
++		goto fail;
++	}
+  fail:
+ 
+ 	/*
+@@ -5753,6 +5777,7 @@ static void handle_disassoc(struct hosta
+ 			   (unsigned long) len);
+ 		return;
+ 	}
++	hostapd_ubus_notify(hapd, "disassoc", mgmt->sa);
+ 
+ 	sta = ap_get_sta(hapd, mgmt->sa);
+ 	if (!sta) {
+@@ -5784,6 +5809,8 @@ static void handle_deauth(struct hostapd
+ 	/* Clear the PTKSA cache entries for PASN */
+ 	ptksa_cache_flush(hapd->ptksa, mgmt->sa, WPA_CIPHER_NONE);
+ 
++	hostapd_ubus_notify(hapd, "deauth", mgmt->sa);
++
+ 	sta = ap_get_sta(hapd, mgmt->sa);
+ 	if (!sta) {
+ 		wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR
+--- a/src/ap/beacon.c
++++ b/src/ap/beacon.c
+@@ -1036,6 +1036,12 @@ void handle_probe_req(struct hostapd_dat
+ 	u16 csa_offs[2];
+ 	size_t csa_offs_len;
+ 	struct radius_sta rad_info;
++	struct hostapd_ubus_request req = {
++		.type = HOSTAPD_UBUS_PROBE_REQ,
++		.mgmt_frame = mgmt,
++		.ssi_signal = ssi_signal,
++		.elems = &elems,
++	};
+ 
+ 	if (hapd->iconf->rssi_ignore_probe_request && ssi_signal &&
+ 	    ssi_signal < hapd->iconf->rssi_ignore_probe_request)
+@@ -1222,6 +1228,12 @@ void handle_probe_req(struct hostapd_dat
+ 	}
+ #endif /* CONFIG_P2P */
+ 
++	if (hostapd_ubus_handle_event(hapd, &req)) {
++		wpa_printf(MSG_DEBUG, "Probe request for " MACSTR " rejected by ubus handler.\n",
++		       MAC2STR(mgmt->sa));
++		return;
++	}
++
+ 	/* TODO: verify that supp_rates contains at least one matching rate
+ 	 * with AP configuration */
+ 
+--- a/src/ap/drv_callbacks.c
++++ b/src/ap/drv_callbacks.c
+@@ -260,6 +260,10 @@ int hostapd_notif_assoc(struct hostapd_d
+ 	u16 reason = WLAN_REASON_UNSPECIFIED;
+ 	int status = WLAN_STATUS_SUCCESS;
+ 	const u8 *p2p_dev_addr = NULL;
++	struct hostapd_ubus_request req = {
++		.type = HOSTAPD_UBUS_ASSOC_REQ,
++		.addr = addr,
++	};
+ 
+ 	if (addr == NULL) {
+ 		/*
+@@ -396,6 +400,12 @@ int hostapd_notif_assoc(struct hostapd_d
+ 		goto fail;
+ 	}
+ 
++	if (hostapd_ubus_handle_event(hapd, &req)) {
++		wpa_printf(MSG_DEBUG, "Station " MACSTR " assoc rejected by ubus handler.\n",
++			   MAC2STR(req.addr));
++		goto fail;
++	}
++
+ #ifdef CONFIG_P2P
+ 	if (elems.p2p) {
+ 		wpabuf_free(sta->p2p_ie);
+--- a/src/ap/sta_info.c
++++ b/src/ap/sta_info.c
+@@ -471,6 +471,7 @@ void ap_handle_timer(void *eloop_ctx, vo
+ 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
+ 			       HOSTAPD_LEVEL_INFO, "deauthenticated due to "
+ 			       "local deauth request");
++		hostapd_ubus_notify(hapd, "local-deauth", sta->addr);
+ 		ap_free_sta(hapd, sta);
+ 		return;
+ 	}
+@@ -626,6 +627,7 @@ skip_poll:
+ 		mlme_deauthenticate_indication(
+ 			hapd, sta,
+ 			WLAN_REASON_PREV_AUTH_NOT_VALID);
++		hostapd_ubus_notify(hapd, "inactive-deauth", sta->addr);
+ 		ap_free_sta(hapd, sta);
+ 		break;
+ 	}
+@@ -1344,15 +1346,28 @@ void ap_sta_set_authorized(struct hostap
+ 					sta->addr, authorized, dev_addr);
+ 
+ 	if (authorized) {
++		static const char * const auth_algs[] = {
++			[WLAN_AUTH_OPEN] = "open",
++			[WLAN_AUTH_SHARED_KEY] = "shared",
++			[WLAN_AUTH_FT] = "ft",
++			[WLAN_AUTH_SAE] = "sae",
++			[WLAN_AUTH_FILS_SK] = "fils-sk",
++			[WLAN_AUTH_FILS_SK_PFS] = "fils-sk-pfs",
++			[WLAN_AUTH_FILS_PK] = "fils-pk",
++			[WLAN_AUTH_PASN] = "pasn",
++		};
++		const char *auth_alg = NULL;
+ 		const u8 *dpp_pkhash;
+ 		const char *keyid;
+ 		char dpp_pkhash_buf[100];
+ 		char keyid_buf[100];
+ 		char ip_addr[100];
++		char alg_buf[100];
+ 
+ 		dpp_pkhash_buf[0] = '\0';
+ 		keyid_buf[0] = '\0';
+ 		ip_addr[0] = '\0';
++		alg_buf[0] = '\0';
+ #ifdef CONFIG_P2P
+ 		if (wpa_auth_get_ip_addr(sta->wpa_sm, ip_addr_buf) == 0) {
+ 			os_snprintf(ip_addr, sizeof(ip_addr),
+@@ -1362,6 +1377,13 @@ void ap_sta_set_authorized(struct hostap
+ 		}
+ #endif /* CONFIG_P2P */
+ 
++		if (sta->auth_alg < ARRAY_SIZE(auth_algs))
++			auth_alg = auth_algs[sta->auth_alg];
++
++		if (auth_alg)
++			os_snprintf(alg_buf, sizeof(alg_buf),
++				" auth_alg=%s", auth_alg);
++
+ 		keyid = ap_sta_wpa_get_keyid(hapd, sta);
+ 		if (keyid) {
+ 			os_snprintf(keyid_buf, sizeof(keyid_buf),
+@@ -1380,17 +1402,19 @@ void ap_sta_set_authorized(struct hostap
+ 					 dpp_pkhash, SHA256_MAC_LEN);
+ 		}
+ 
+-		wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_CONNECTED "%s%s%s%s",
+-			buf, ip_addr, keyid_buf, dpp_pkhash_buf);
++		hostapd_ubus_notify_authorized(hapd, sta);
++		wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_CONNECTED "%s%s%s%s%s",
++			buf, ip_addr, keyid_buf, dpp_pkhash_buf, alg_buf);
+ 
+ 		if (hapd->msg_ctx_parent &&
+ 		    hapd->msg_ctx_parent != hapd->msg_ctx)
+ 			wpa_msg_no_global(hapd->msg_ctx_parent, MSG_INFO,
+-					  AP_STA_CONNECTED "%s%s%s%s",
++					  AP_STA_CONNECTED "%s%s%s%s%s",
+ 					  buf, ip_addr, keyid_buf,
+-					  dpp_pkhash_buf);
++					  dpp_pkhash_buf, alg_buf);
+ 	} else {
+ 		wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_DISCONNECTED "%s", buf);
++		hostapd_ubus_notify(hapd, "disassoc", sta->addr);
+ 
+ 		if (hapd->msg_ctx_parent &&
+ 		    hapd->msg_ctx_parent != hapd->msg_ctx)
+--- a/src/ap/wpa_auth_glue.c
++++ b/src/ap/wpa_auth_glue.c
+@@ -269,6 +269,7 @@ static void hostapd_wpa_auth_psk_failure
+ 	struct hostapd_data *hapd = ctx;
+ 	wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POSSIBLE_PSK_MISMATCH MACSTR,
+ 		MAC2STR(addr));
++	hostapd_ubus_notify(hapd, "key-mismatch", addr);
+ }
+ 
+ 
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -192,6 +192,13 @@ ifdef CONFIG_EAPOL_TEST
+ CFLAGS += -Werror -DEAPOL_TEST
+ endif
+ 
++ifdef CONFIG_UBUS
++CFLAGS += -DUBUS_SUPPORT
++OBJS += ubus.o
++OBJS += ../src/utils/uloop.o
++LIBS += -lubox -lubus
++endif
++
+ ifdef CONFIG_CODE_COVERAGE
+ CFLAGS += -O0 -fprofile-arcs -ftest-coverage
+ LIBS += -lgcov
+@@ -987,6 +994,9 @@ ifdef CONFIG_CTRL_IFACE_MIB
+ CFLAGS += -DCONFIG_CTRL_IFACE_MIB
+ endif
+ OBJS += ../src/ap/ctrl_iface_ap.o
++ifdef CONFIG_UBUS
++OBJS += ../src/ap/ubus.o
++endif
+ endif
+ 
+ CFLAGS += -DEAP_SERVER -DEAP_SERVER_IDENTITY
+--- a/wpa_supplicant/wpa_supplicant.c
++++ b/wpa_supplicant/wpa_supplicant.c
+@@ -7593,6 +7593,8 @@ struct wpa_supplicant * wpa_supplicant_a
+ 	}
+ #endif /* CONFIG_P2P */
+ 
++	wpas_ubus_add_bss(wpa_s);
++
+ 	return wpa_s;
+ }
+ 
+@@ -7619,6 +7621,8 @@ int wpa_supplicant_remove_iface(struct w
+ 	struct wpa_supplicant *parent = wpa_s->parent;
+ #endif /* CONFIG_MESH */
+ 
++	wpas_ubus_free_bss(wpa_s);
++
+ 	/* Remove interface from the global list of interfaces */
+ 	prev = global->ifaces;
+ 	if (prev == wpa_s) {
+@@ -7965,8 +7969,12 @@ int wpa_supplicant_run(struct wpa_global
+ 	eloop_register_signal_terminate(wpa_supplicant_terminate, global);
+ 	eloop_register_signal_reconfig(wpa_supplicant_reconfig, global);
+ 
++	wpas_ubus_add(global);
++
+ 	eloop_run();
+ 
++	wpas_ubus_free(global);
++
+ 	return 0;
+ }
+ 
+--- a/wpa_supplicant/wpa_supplicant_i.h
++++ b/wpa_supplicant/wpa_supplicant_i.h
+@@ -21,6 +21,7 @@
+ #include "config_ssid.h"
+ #include "wmm_ac.h"
+ #include "pasn/pasn_common.h"
++#include "ubus.h"
+ 
+ extern const char *const wpa_supplicant_version;
+ extern const char *const wpa_supplicant_license;
+@@ -319,6 +320,8 @@ struct wpa_global {
+ #endif /* CONFIG_WIFI_DISPLAY */
+ 
+ 	struct psk_list_entry *add_psk; /* From group formation */
++
++	struct ubus_object ubus_global;
+ };
+ 
+ 
+@@ -685,6 +688,7 @@ struct wpa_supplicant {
+ 	unsigned char own_addr[ETH_ALEN];
+ 	unsigned char perm_addr[ETH_ALEN];
+ 	char ifname[100];
++	struct wpas_ubus_bss ubus;
+ #ifdef CONFIG_MATCH_IFACE
+ 	int matched;
+ #endif /* CONFIG_MATCH_IFACE */
+--- a/wpa_supplicant/wps_supplicant.c
++++ b/wpa_supplicant/wps_supplicant.c
+@@ -33,6 +33,7 @@
+ #include "p2p/p2p.h"
+ #include "p2p_supplicant.h"
+ #include "wps_supplicant.h"
++#include "ubus.h"
+ 
+ 
+ #ifndef WPS_PIN_SCAN_IGNORE_SEL_REG
+@@ -402,6 +403,8 @@ static int wpa_supplicant_wps_cred(void
+ 	wpa_hexdump_key(MSG_DEBUG, "WPS: Received Credential attribute",
+ 			cred->cred_attr, cred->cred_attr_len);
+ 
++	wpas_ubus_notify(wpa_s, cred);
++
+ 	if (wpa_s->conf->wps_cred_processing == 1)
+ 		return 0;
+ 
+--- a/wpa_supplicant/main.c
++++ b/wpa_supplicant/main.c
+@@ -203,7 +203,7 @@ int main(int argc, char *argv[])
+ 
+ 	for (;;) {
+ 		c = getopt(argc, argv,
+-			   "b:Bc:C:D:de:f:g:G:hi:I:KLMm:No:O:p:P:qsTtuv::W");
++			   "b:Bc:C:D:de:f:g:G:hi:I:KLMm:nNo:O:p:P:qsTtuv::W");
+ 		if (c < 0)
+ 			break;
+ 		switch (c) {
+@@ -268,6 +268,9 @@ int main(int argc, char *argv[])
+ 			params.conf_p2p_dev = optarg;
+ 			break;
+ #endif /* CONFIG_P2P */
++		case 'n':
++			iface_count = 0;
++			break;
+ 		case 'o':
+ 			params.override_driver = optarg;
+ 			break;
+--- a/src/ap/rrm.c
++++ b/src/ap/rrm.c
+@@ -89,6 +89,9 @@ static void hostapd_handle_beacon_report
+ 		return;
+ 	wpa_msg(hapd->msg_ctx, MSG_INFO, BEACON_RESP_RX MACSTR " %u %02x %s",
+ 		MAC2STR(addr), token, rep_mode, report);
++	if (len < sizeof(struct rrm_measurement_beacon_report))
++		return;
++	hostapd_ubus_notify_beacon_report(hapd, addr, token, rep_mode, (struct rrm_measurement_beacon_report*) pos, len);
+ }
+ 
+ 
+--- a/src/ap/vlan_init.c
++++ b/src/ap/vlan_init.c
+@@ -22,6 +22,7 @@
+ static int vlan_if_add(struct hostapd_data *hapd, struct hostapd_vlan *vlan,
+ 		       int existsok)
+ {
++	bool vlan_exists = iface_exists(vlan->ifname);
+ 	int ret;
+ #ifdef CONFIG_WEP
+ 	int i;
+@@ -36,7 +37,7 @@ static int vlan_if_add(struct hostapd_da
+ 	}
+ #endif /* CONFIG_WEP */
+ 
+-	if (!iface_exists(vlan->ifname))
++	if (!vlan_exists)
+ 		ret = hostapd_vlan_if_add(hapd, vlan->ifname);
+ 	else if (!existsok)
+ 		return -1;
+@@ -51,6 +52,9 @@ static int vlan_if_add(struct hostapd_da
+ 	if (hapd->wpa_auth)
+ 		ret = wpa_auth_ensure_group(hapd->wpa_auth, vlan->vlan_id);
+ 
++	if (!ret && !vlan_exists)
++		hostapd_ubus_add_vlan(hapd, vlan);
++
+ 	if (ret == 0)
+ 		return ret;
+ 
+@@ -77,6 +81,8 @@ int vlan_if_remove(struct hostapd_data *
+ 			   "WPA deinitialization for VLAN %d failed (%d)",
+ 			   vlan->vlan_id, ret);
+ 
++	hostapd_ubus_remove_vlan(hapd, vlan);
++
+ 	return hostapd_vlan_if_remove(hapd, vlan->ifname);
+ }
+ 
+--- a/src/ap/dfs.c
++++ b/src/ap/dfs.c
+@@ -1216,6 +1216,8 @@ int hostapd_dfs_pre_cac_expired(struct h
+ 		"freq=%d ht_enabled=%d chan_offset=%d chan_width=%d cf1=%d cf2=%d",
+ 		freq, ht_enabled, chan_offset, chan_width, cf1, cf2);
+ 
++	hostapd_ubus_notify_radar_detected(iface, freq, chan_width, cf1, cf2);
++
+ 	/* Proceed only if DFS is not offloaded to the driver */
+ 	if (iface->drv_flags & WPA_DRIVER_FLAGS_DFS_OFFLOAD)
+ 		return 0;
+--- a/src/ap/airtime_policy.c
++++ b/src/ap/airtime_policy.c
+@@ -112,8 +112,14 @@ static void set_sta_weights(struct hosta
+ {
+ 	struct sta_info *sta;
+ 
+-	for (sta = hapd->sta_list; sta; sta = sta->next)
+-		sta_set_airtime_weight(hapd, sta, weight);
++	for (sta = hapd->sta_list; sta; sta = sta->next) {
++		unsigned int sta_weight = weight;
++
++		if (sta->dyn_airtime_weight)
++			sta_weight = (weight * sta->dyn_airtime_weight) / 256;
++
++		sta_set_airtime_weight(hapd, sta, sta_weight);
++	}
+ }
+ 
+ 
+@@ -244,7 +250,10 @@ int airtime_policy_new_sta(struct hostap
+ 	unsigned int weight;
+ 
+ 	if (hapd->iconf->airtime_mode == AIRTIME_MODE_STATIC) {
+-		weight = get_weight_for_sta(hapd, sta->addr);
++		if (sta->dyn_airtime_weight)
++			weight = sta->dyn_airtime_weight;
++		else
++			weight = get_weight_for_sta(hapd, sta->addr);
+ 		if (weight)
+ 			return sta_set_airtime_weight(hapd, sta, weight);
+ 	}
+--- a/src/ap/sta_info.h
++++ b/src/ap/sta_info.h
+@@ -322,6 +322,7 @@ struct sta_info {
+ #endif /* CONFIG_TESTING_OPTIONS */
+ #ifdef CONFIG_AIRTIME_POLICY
+ 	unsigned int airtime_weight;
++	unsigned int dyn_airtime_weight;
+ 	struct os_reltime backlogged_until;
+ #endif /* CONFIG_AIRTIME_POLICY */
+ 
+--- a/src/ap/wnm_ap.c
++++ b/src/ap/wnm_ap.c
+@@ -455,7 +455,8 @@ static void ieee802_11_rx_bss_trans_mgmt
+ 		MAC2STR(addr), reason, hex ? " neighbor=" : "", hex);
+ 	os_free(hex);
+ 
+-	ieee802_11_send_bss_trans_mgmt_request(hapd, addr, dialog_token);
++	if (!hostapd_ubus_notify_bss_transition_query(hapd, addr, dialog_token, reason, pos, end - pos))
++		ieee802_11_send_bss_trans_mgmt_request(hapd, addr, dialog_token);
+ }
+ 
+ 
+@@ -477,7 +478,7 @@ static void ieee802_11_rx_bss_trans_mgmt
+ 					      size_t len)
+ {
+ 	u8 dialog_token, status_code, bss_termination_delay;
+-	const u8 *pos, *end;
++	const u8 *pos, *end, *target_bssid = NULL;
+ 	int enabled = hapd->conf->bss_transition;
+ 	struct sta_info *sta;
+ 
+@@ -524,6 +525,7 @@ static void ieee802_11_rx_bss_trans_mgmt
+ 			wpa_printf(MSG_DEBUG, "WNM: not enough room for Target BSSID field");
+ 			return;
+ 		}
++		target_bssid = pos;
+ 		sta->agreed_to_steer = 1;
+ 		eloop_cancel_timeout(ap_sta_reset_steer_flag_timer, hapd, sta);
+ 		eloop_register_timeout(2, 0, ap_sta_reset_steer_flag_timer,
+@@ -543,6 +545,10 @@ static void ieee802_11_rx_bss_trans_mgmt
+ 			MAC2STR(addr), status_code, bss_termination_delay);
+ 	}
+ 
++	hostapd_ubus_notify_bss_transition_response(hapd, sta->addr, dialog_token,
++						    status_code, bss_termination_delay,
++						    target_bssid, pos, end - pos);
++
+ 	wpa_hexdump(MSG_DEBUG, "WNM: BSS Transition Candidate List Entries",
+ 		    pos, end - pos);
+ }
+--- a/src/utils/eloop.c
++++ b/src/utils/eloop.c
+@@ -77,6 +77,9 @@ struct eloop_sock_table {
+ struct eloop_data {
+ 	int max_sock;
+ 
++	eloop_timeout_poll_handler timeout_poll_cb;
++	eloop_poll_handler poll_cb;
++
+ 	size_t count; /* sum of all table counts */
+ #ifdef CONFIG_ELOOP_POLL
+ 	size_t max_pollfd_map; /* number of pollfds_map currently allocated */
+@@ -1121,6 +1124,12 @@ void eloop_run(void)
+ 				os_reltime_sub(&timeout->time, &now, &tv);
+ 			else
+ 				tv.sec = tv.usec = 0;
++		}
++
++		if (eloop.timeout_poll_cb && eloop.timeout_poll_cb(&tv, !!timeout))
++			timeout = (void *)1;
++
++		if (timeout) {
+ #if defined(CONFIG_ELOOP_POLL) || defined(CONFIG_ELOOP_EPOLL)
+ 			timeout_ms = tv.sec * 1000 + tv.usec / 1000;
+ #endif /* defined(CONFIG_ELOOP_POLL) || defined(CONFIG_ELOOP_EPOLL) */
+@@ -1190,7 +1199,8 @@ void eloop_run(void)
+ 		eloop.exceptions.changed = 0;
+ 
+ 		eloop_process_pending_signals();
+-
++		if (eloop.poll_cb)
++			eloop.poll_cb();
+ 
+ 		/* check if some registered timeouts have occurred */
+ 		timeout = dl_list_first(&eloop.timeout, struct eloop_timeout,
+@@ -1252,6 +1262,14 @@ out:
+ 	return;
+ }
+ 
++int eloop_register_cb(eloop_poll_handler poll_cb,
++		      eloop_timeout_poll_handler timeout_cb)
++{
++	eloop.poll_cb = poll_cb;
++	eloop.timeout_poll_cb = timeout_cb;
++
++	return 0;
++}
+ 
+ void eloop_terminate(void)
+ {
+--- a/src/utils/eloop.h
++++ b/src/utils/eloop.h
+@@ -65,6 +65,9 @@ typedef void (*eloop_timeout_handler)(vo
+  */
+ typedef void (*eloop_signal_handler)(int sig, void *signal_ctx);
+ 
++typedef bool (*eloop_timeout_poll_handler)(struct os_reltime *tv, bool tv_set);
++typedef void (*eloop_poll_handler)(void);
++
+ /**
+  * eloop_init() - Initialize global event loop data
+  * Returns: 0 on success, -1 on failure
+@@ -73,6 +76,9 @@ typedef void (*eloop_signal_handler)(int
+  */
+ int eloop_init(void);
+ 
++int eloop_register_cb(eloop_poll_handler poll_cb,
++		      eloop_timeout_poll_handler timeout_cb);
++
+ /**
+  * eloop_register_read_sock - Register handler for read events
+  * @sock: File descriptor number for the socket
+@@ -320,6 +326,8 @@ int eloop_register_signal_reconfig(eloop
+  */
+ int eloop_sock_requeue(void);
+ 
++void eloop_add_uloop(void);
++
+ /**
+  * eloop_run - Start the event loop
+  *
+--- /dev/null
++++ b/src/utils/uloop.c
+@@ -0,0 +1,64 @@
++#include <libubox/uloop.h>
++#include "includes.h"
++#include "common.h"
++#include "eloop.h"
++
++static void eloop_uloop_event_cb(int sock, void *eloop_ctx, void *sock_ctx)
++{
++}
++
++static void eloop_uloop_fd_cb(struct uloop_fd *fd, unsigned int events)
++{
++	unsigned int changed = events ^ fd->flags;
++
++	if (changed & ULOOP_READ) {
++		if (events & ULOOP_READ)
++			eloop_register_sock(fd->fd, EVENT_TYPE_READ, eloop_uloop_event_cb, fd, fd);
++		else
++			eloop_unregister_sock(fd->fd, EVENT_TYPE_READ);
++	}
++
++	if (changed & ULOOP_WRITE) {
++		if (events & ULOOP_WRITE)
++			eloop_register_sock(fd->fd, EVENT_TYPE_WRITE, eloop_uloop_event_cb, fd, fd);
++		else
++			eloop_unregister_sock(fd->fd, EVENT_TYPE_WRITE);
++	}
++}
++
++static bool uloop_timeout_poll_handler(struct os_reltime *tv, bool tv_set)
++{
++	struct os_reltime tv_uloop;
++	int timeout_ms = uloop_get_next_timeout();
++
++	if (timeout_ms < 0)
++		return false;
++
++	tv_uloop.sec = timeout_ms / 1000;
++	tv_uloop.usec = (timeout_ms % 1000) * 1000;
++
++	if (!tv_set || os_reltime_before(&tv_uloop, tv)) {
++		*tv = tv_uloop;
++		return true;
++	}
++
++	return false;
++}
++
++static void uloop_poll_handler(void)
++{
++	uloop_run_timeout(0);
++}
++
++void eloop_add_uloop(void)
++{
++	static bool init_done = false;
++
++	if (!init_done) {
++		uloop_init();
++		uloop_fd_set_cb = eloop_uloop_fd_cb;
++		init_done = true;
++	}
++
++	eloop_register_cb(uloop_poll_handler, uloop_timeout_poll_handler);
++}

feeds/hostapd/hostapd/patches/601-ucode_support.patch

@@ -0,0 +1,723 @@
+--- a/hostapd/Makefile
++++ b/hostapd/Makefile
+@@ -168,9 +168,21 @@ OBJS += ../src/eapol_auth/eapol_auth_sm.
+ 
+ ifdef CONFIG_UBUS
+ CFLAGS += -DUBUS_SUPPORT
+-OBJS += ../src/utils/uloop.o
+ OBJS += ../src/ap/ubus.o
+-LIBS += -lubox -lubus
++LIBS += -lubus
++NEED_ULOOP:=y
++endif
++
++ifdef CONFIG_UCODE
++CFLAGS += -DUCODE_SUPPORT
++OBJS += ../src/utils/ucode.o
++OBJS += ../src/ap/ucode.o
++NEED_ULOOP:=y
++endif
++
++ifdef NEED_ULOOP
++OBJS += ../src/utils/uloop.o
++LIBS += -lubox
+ endif
+ 
+ ifdef CONFIG_CODE_COVERAGE
+--- a/hostapd/main.c
++++ b/hostapd/main.c
+@@ -1007,6 +1007,7 @@ int main(int argc, char *argv[])
+ 	}
+ 
+ 	hostapd_global_ctrl_iface_init(&interfaces);
++	hostapd_ucode_init(&interfaces);
+ 
+ 	if (hostapd_global_run(&interfaces, daemonize, pid_file)) {
+ 		wpa_printf(MSG_ERROR, "Failed to start eloop");
+@@ -1016,6 +1017,7 @@ int main(int argc, char *argv[])
+ 	ret = 0;
+ 
+  out:
++	hostapd_ucode_free();
+ 	hostapd_global_ctrl_iface_deinit(&interfaces);
+ 	/* Deinitialize all interfaces */
+ 	for (i = 0; i < interfaces.count; i++) {
+--- a/src/ap/hostapd.h
++++ b/src/ap/hostapd.h
+@@ -19,6 +19,7 @@
+ #include "ap_config.h"
+ #include "drivers/driver.h"
+ #include "ubus.h"
++#include "ucode.h"
+ 
+ #define OCE_STA_CFON_ENABLED(hapd) \
+ 	((hapd->conf->oce & OCE_STA_CFON) && \
+@@ -51,6 +52,10 @@ struct hapd_interfaces {
+ 	struct hostapd_config * (*config_read_cb)(const char *config_fname);
+ 	int (*ctrl_iface_init)(struct hostapd_data *hapd);
+ 	void (*ctrl_iface_deinit)(struct hostapd_data *hapd);
++	int (*ctrl_iface_recv)(struct hostapd_data *hapd,
++			       char *buf, char *reply, int reply_size,
++			       struct sockaddr_storage *from,
++			       socklen_t fromlen);
+ 	int (*for_each_interface)(struct hapd_interfaces *interfaces,
+ 				  int (*cb)(struct hostapd_iface *iface,
+ 					    void *ctx), void *ctx);
+@@ -186,6 +191,7 @@ struct hostapd_data {
+ 	struct hostapd_config *iconf;
+ 	struct hostapd_bss_config *conf;
+ 	struct hostapd_ubus_bss ubus;
++	struct hostapd_ucode_bss ucode;
+ 	int interface_added; /* virtual interface added for this BSS */
+ 	unsigned int started:1;
+ 	unsigned int disabled:1;
+@@ -506,6 +512,7 @@ struct hostapd_sta_info {
+  */
+ struct hostapd_iface {
+ 	struct hapd_interfaces *interfaces;
++	struct hostapd_ucode_iface ucode;
+ 	void *owner;
+ 	char *config_fname;
+ 	struct hostapd_config *conf;
+@@ -706,6 +713,8 @@ struct hostapd_iface * hostapd_init(stru
+ struct hostapd_iface *
+ hostapd_interface_init_bss(struct hapd_interfaces *interfaces, const char *phy,
+ 			   const char *config_fname, int debug);
++int hostapd_setup_bss(struct hostapd_data *hapd, int first, bool start_beacon);
++void hostapd_bss_deinit(struct hostapd_data *hapd);
+ void hostapd_new_assoc_sta(struct hostapd_data *hapd, struct sta_info *sta,
+ 			   int reassoc);
+ void hostapd_interface_deinit_free(struct hostapd_iface *iface);
+@@ -732,6 +741,7 @@ hostapd_switch_channel_fallback(struct h
+ void hostapd_cleanup_cs_params(struct hostapd_data *hapd);
+ void hostapd_periodic_iface(struct hostapd_iface *iface);
+ int hostapd_owe_trans_get_info(struct hostapd_data *hapd);
++void hostapd_owe_update_trans(struct hostapd_iface *iface);
+ void hostapd_ocv_check_csa_sa_query(void *eloop_ctx, void *timeout_ctx);
+ 
+ void hostapd_switch_color(struct hostapd_data *hapd, u64 bitmap);
+--- a/src/ap/hostapd.c
++++ b/src/ap/hostapd.c
+@@ -252,6 +252,8 @@ int hostapd_reload_config(struct hostapd
+ 	struct hostapd_config *newconf, *oldconf;
+ 	size_t j;
+ 
++	hostapd_ucode_reload_bss(hapd);
++
+ 	if (iface->config_fname == NULL) {
+ 		/* Only in-memory config in use - assume it has been updated */
+ 		hostapd_clear_old(iface);
+@@ -435,6 +437,7 @@ void hostapd_free_hapd_data(struct hosta
+ 	hapd->beacon_set_done = 0;
+ 
+ 	wpa_printf(MSG_DEBUG, "%s(%s)", __func__, hapd->conf->iface);
++	hostapd_ucode_free_bss(hapd);
+ 	hostapd_ubus_free_bss(hapd);
+ 	accounting_deinit(hapd);
+ 	hostapd_deinit_wpa(hapd);
+@@ -538,7 +541,7 @@ void hostapd_free_hapd_data(struct hosta
+  * Most of the modules that are initialized in hostapd_setup_bss() are
+  * deinitialized here.
+  */
+-static void hostapd_cleanup(struct hostapd_data *hapd)
++void hostapd_cleanup(struct hostapd_data *hapd)
+ {
+ 	wpa_printf(MSG_DEBUG, "%s(hapd=%p (%s))", __func__, hapd,
+ 		   hapd->conf ? hapd->conf->iface : "N/A");
+@@ -600,6 +603,7 @@ void hostapd_cleanup_iface_partial(struc
+ static void hostapd_cleanup_iface(struct hostapd_iface *iface)
+ {
+ 	wpa_printf(MSG_DEBUG, "%s(%p)", __func__, iface);
++	hostapd_ucode_free_iface(iface);
+ 	eloop_cancel_timeout(hostapd_interface_setup_failure_handler, iface,
+ 			     NULL);
+ 
+@@ -1189,6 +1193,7 @@ static int hostapd_start_beacon(struct h
+ 		hapd->driver->set_operstate(hapd->drv_priv, 1);
+ 
+ 	hostapd_ubus_add_bss(hapd);
++	hostapd_ucode_add_bss(hapd);
+ 
+ 	return 0;
+ }
+@@ -1211,7 +1216,7 @@ static int hostapd_start_beacon(struct h
+  * initialized. Most of the modules that are initialized here will be
+  * deinitialized in hostapd_cleanup().
+  */
+-static int hostapd_setup_bss(struct hostapd_data *hapd, int first,
++int hostapd_setup_bss(struct hostapd_data *hapd, int first,
+ 			     bool start_beacon)
+ {
+ 	struct hostapd_bss_config *conf = hapd->conf;
+@@ -2237,7 +2242,7 @@ static int hostapd_owe_iface_iter2(struc
+ #endif /* CONFIG_OWE */
+ 
+ 
+-static void hostapd_owe_update_trans(struct hostapd_iface *iface)
++void hostapd_owe_update_trans(struct hostapd_iface *iface)
+ {
+ #ifdef CONFIG_OWE
+ 	/* Check whether the enabled BSS can complete OWE transition mode
+@@ -2698,7 +2703,7 @@ hostapd_alloc_bss_data(struct hostapd_if
+ }
+ 
+ 
+-static void hostapd_bss_deinit(struct hostapd_data *hapd)
++void hostapd_bss_deinit(struct hostapd_data *hapd)
+ {
+ 	if (!hapd)
+ 		return;
+@@ -3491,7 +3496,8 @@ int hostapd_remove_iface(struct hapd_int
+ 		hapd_iface = interfaces->iface[i];
+ 		if (hapd_iface == NULL)
+ 			return -1;
+-		if (!os_strcmp(hapd_iface->conf->bss[0]->iface, buf)) {
++		if (!os_strcmp(hapd_iface->phy, buf) ||
++		    !os_strcmp(hapd_iface->conf->bss[0]->iface, buf)) {
+ 			wpa_printf(MSG_INFO, "Remove interface '%s'", buf);
+ 			hapd_iface->driver_ap_teardown =
+ 				!!(hapd_iface->drv_flags &
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -195,8 +195,20 @@ endif
+ ifdef CONFIG_UBUS
+ CFLAGS += -DUBUS_SUPPORT
+ OBJS += ubus.o
++LIBS += -lubus
++NEED_ULOOP:=y
++endif
++
++ifdef CONFIG_UCODE
++CFLAGS += -DUCODE_SUPPORT
++OBJS += ../src/utils/ucode.o
++OBJS += ucode.o
++NEED_ULOOP:=y
++endif
++
++ifdef NEED_ULOOP
+ OBJS += ../src/utils/uloop.o
+-LIBS += -lubox -lubus
++LIBS += -lubox
+ endif
+ 
+ ifdef CONFIG_CODE_COVERAGE
+@@ -997,6 +1009,9 @@ OBJS += ../src/ap/ctrl_iface_ap.o
+ ifdef CONFIG_UBUS
+ OBJS += ../src/ap/ubus.o
+ endif
++ifdef CONFIG_UCODE
++OBJS += ../src/ap/ucode.o
++endif
+ endif
+ 
+ CFLAGS += -DEAP_SERVER -DEAP_SERVER_IDENTITY
+--- a/wpa_supplicant/wpa_supplicant.c
++++ b/wpa_supplicant/wpa_supplicant.c
+@@ -1044,6 +1044,7 @@ void wpa_supplicant_set_state(struct wpa
+ 		sme_sched_obss_scan(wpa_s, 0);
+ 	}
+ 	wpa_s->wpa_state = state;
++	wpas_ucode_update_state(wpa_s);
+ 
+ #ifdef CONFIG_BGSCAN
+ 	if (state == WPA_COMPLETED && wpa_s->current_ssid != wpa_s->bgscan_ssid)
+@@ -7594,6 +7595,7 @@ struct wpa_supplicant * wpa_supplicant_a
+ #endif /* CONFIG_P2P */
+ 
+ 	wpas_ubus_add_bss(wpa_s);
++	wpas_ucode_add_bss(wpa_s);
+ 
+ 	return wpa_s;
+ }
+@@ -7621,6 +7623,7 @@ int wpa_supplicant_remove_iface(struct w
+ 	struct wpa_supplicant *parent = wpa_s->parent;
+ #endif /* CONFIG_MESH */
+ 
++	wpas_ucode_free_bss(wpa_s);
+ 	wpas_ubus_free_bss(wpa_s);
+ 
+ 	/* Remove interface from the global list of interfaces */
+@@ -7931,6 +7934,7 @@ struct wpa_global * wpa_supplicant_init(
+ 
+ 	eloop_register_timeout(WPA_SUPPLICANT_CLEANUP_INTERVAL, 0,
+ 			       wpas_periodic, global, NULL);
++	wpas_ucode_init(global);
+ 
+ 	return global;
+ }
+@@ -7969,12 +7973,8 @@ int wpa_supplicant_run(struct wpa_global
+ 	eloop_register_signal_terminate(wpa_supplicant_terminate, global);
+ 	eloop_register_signal_reconfig(wpa_supplicant_reconfig, global);
+ 
+-	wpas_ubus_add(global);
+-
+ 	eloop_run();
+ 
+-	wpas_ubus_free(global);
+-
+ 	return 0;
+ }
+ 
+@@ -8007,6 +8007,8 @@ void wpa_supplicant_deinit(struct wpa_gl
+ 
+ 	wpas_notify_supplicant_deinitialized(global);
+ 
++	wpas_ucode_free();
++
+ 	eap_peer_unregister_methods();
+ #ifdef CONFIG_AP
+ 	eap_server_unregister_methods();
+--- a/wpa_supplicant/wpa_supplicant_i.h
++++ b/wpa_supplicant/wpa_supplicant_i.h
+@@ -22,6 +22,7 @@
+ #include "wmm_ac.h"
+ #include "pasn/pasn_common.h"
+ #include "ubus.h"
++#include "ucode.h"
+ 
+ extern const char *const wpa_supplicant_version;
+ extern const char *const wpa_supplicant_license;
+@@ -689,6 +690,7 @@ struct wpa_supplicant {
+ 	unsigned char perm_addr[ETH_ALEN];
+ 	char ifname[100];
+ 	struct wpas_ubus_bss ubus;
++	struct wpas_ucode_bss ucode;
+ #ifdef CONFIG_MATCH_IFACE
+ 	int matched;
+ #endif /* CONFIG_MATCH_IFACE */
+--- a/hostapd/ctrl_iface.c
++++ b/hostapd/ctrl_iface.c
+@@ -4856,6 +4856,7 @@ try_again:
+ 		return -1;
+ 	}
+ 
++	interface->ctrl_iface_recv = hostapd_ctrl_iface_receive_process;
+ 	wpa_msg_register_cb(hostapd_ctrl_iface_msg_cb);
+ 
+ 	return 0;
+@@ -4957,6 +4958,7 @@ fail:
+ 	os_free(fname);
+ 
+ 	interface->global_ctrl_sock = s;
++	interface->ctrl_iface_recv = hostapd_ctrl_iface_receive_process;
+ 	eloop_register_read_sock(s, hostapd_global_ctrl_iface_receive,
+ 				 interface, NULL);
+ 
+--- a/src/drivers/driver.h
++++ b/src/drivers/driver.h
+@@ -3787,6 +3787,25 @@ struct wpa_driver_ops {
+ 			 const char *ifname);
+ 
+ 	/**
++	 * if_rename - Rename a virtual interface
++	 * @priv: Private driver interface data
++	 * @type: Interface type
++	 * @ifname: Interface name of the virtual interface to be renamed
++	 *	    (NULL when renaming the AP BSS interface)
++	 * @new_name: New interface name of the virtual interface
++	 * Returns: 0 on success, -1 on failure
++	 */
++	int (*if_rename)(void *priv, enum wpa_driver_if_type type,
++			 const char *ifname, const char *new_name);
++
++	/**
++	 * set_first_bss - Make a virtual interface the first (primary) bss
++	 * @priv: Private driver interface data
++	 * Returns: 0 on success, -1 on failure
++	 */
++	int (*set_first_bss)(void *priv);
++
++	/**
+ 	 * set_sta_vlan - Bind a station into a specific interface (AP only)
+ 	 * @priv: Private driver interface data
+ 	 * @ifname: Interface (main or virtual BSS or VLAN)
+@@ -6440,6 +6459,7 @@ union wpa_event_data {
+ 
+ 	/**
+ 	 * struct ch_switch
++	 * @count: Count until channel switch activates
+ 	 * @freq: Frequency of new channel in MHz
+ 	 * @ht_enabled: Whether this is an HT channel
+ 	 * @ch_offset: Secondary channel offset
+@@ -6450,6 +6470,7 @@ union wpa_event_data {
+ 	 * @punct_bitmap: Puncturing bitmap
+ 	 */
+ 	struct ch_switch {
++		int count;
+ 		int freq;
+ 		int ht_enabled;
+ 		int ch_offset;
+--- a/src/drivers/driver_nl80211_event.c
++++ b/src/drivers/driver_nl80211_event.c
+@@ -1202,6 +1202,7 @@ static void mlme_event_ch_switch(struct
+ 				 struct nlattr *bw, struct nlattr *cf1,
+ 				 struct nlattr *cf2,
+ 				 struct nlattr *punct_bitmap,
++				 struct nlattr *count,
+ 				 int finished)
+ {
+ 	struct i802_bss *bss;
+@@ -1265,6 +1266,8 @@ static void mlme_event_ch_switch(struct
+ 		data.ch_switch.cf1 = nla_get_u32(cf1);
+ 	if (cf2)
+ 		data.ch_switch.cf2 = nla_get_u32(cf2);
++	if (count)
++		data.ch_switch.count = nla_get_u32(count);
+ 
+ 	if (finished)
+ 		bss->flink->freq = data.ch_switch.freq;
+@@ -3912,6 +3915,7 @@ static void do_process_drv_event(struct
+ 				     tb[NL80211_ATTR_CENTER_FREQ1],
+ 				     tb[NL80211_ATTR_CENTER_FREQ2],
+ 				     tb[NL80211_ATTR_PUNCT_BITMAP],
++				     tb[NL80211_ATTR_CH_SWITCH_COUNT],
+ 				     0);
+ 		break;
+ 	case NL80211_CMD_CH_SWITCH_NOTIFY:
+@@ -3924,6 +3928,7 @@ static void do_process_drv_event(struct
+ 				     tb[NL80211_ATTR_CENTER_FREQ1],
+ 				     tb[NL80211_ATTR_CENTER_FREQ2],
+ 				     tb[NL80211_ATTR_PUNCT_BITMAP],
++					 NULL,
+ 				     1);
+ 		break;
+ 	case NL80211_CMD_DISCONNECT:
+--- a/wpa_supplicant/events.c
++++ b/wpa_supplicant/events.c
+@@ -5389,6 +5389,7 @@ void supplicant_event(void *ctx, enum wp
+ 		event_to_string(event), event);
+ #endif /* CONFIG_NO_STDOUT_DEBUG */
+ 
++	wpas_ucode_event(wpa_s, event, data);
+ 	switch (event) {
+ 	case EVENT_AUTH:
+ #ifdef CONFIG_FST
+--- a/src/ap/ap_drv_ops.h
++++ b/src/ap/ap_drv_ops.h
+@@ -393,6 +393,23 @@ static inline int hostapd_drv_stop_ap(st
+ 	return hapd->driver->stop_ap(hapd->drv_priv);
+ }
+ 
++static inline int hostapd_drv_if_rename(struct hostapd_data *hapd,
++					enum wpa_driver_if_type type,
++					const char *ifname,
++					const char *new_name)
++{
++	if (!hapd->driver || !hapd->driver->if_rename || !hapd->drv_priv)
++		return -1;
++	return hapd->driver->if_rename(hapd->drv_priv, type, ifname, new_name);
++}
++
++static inline int hostapd_drv_set_first_bss(struct hostapd_data *hapd)
++{
++	if (!hapd->driver || !hapd->driver->set_first_bss || !hapd->drv_priv)
++		return 0;
++	return hapd->driver->set_first_bss(hapd->drv_priv);
++}
++
+ static inline int hostapd_drv_channel_info(struct hostapd_data *hapd,
+ 					   struct wpa_channel_info *ci)
+ {
+--- a/src/drivers/driver_nl80211.c
++++ b/src/drivers/driver_nl80211.c
+@@ -1333,7 +1333,7 @@ static void wpa_driver_nl80211_event_rtm
+ 		}
+ 		wpa_printf(MSG_DEBUG, "nl80211: Interface down (%s/%s)",
+ 			   namebuf, ifname);
+-		if (os_strcmp(drv->first_bss->ifname, ifname) != 0) {
++		if (drv->first_bss->ifindex != ifi->ifi_index) {
+ 			wpa_printf(MSG_DEBUG,
+ 				   "nl80211: Not the main interface (%s) - do not indicate interface down",
+ 				   drv->first_bss->ifname);
+@@ -1369,7 +1369,7 @@ static void wpa_driver_nl80211_event_rtm
+ 		}
+ 		wpa_printf(MSG_DEBUG, "nl80211: Interface up (%s/%s)",
+ 			   namebuf, ifname);
+-		if (os_strcmp(drv->first_bss->ifname, ifname) != 0) {
++		if (drv->first_bss->ifindex != ifi->ifi_index) {
+ 			wpa_printf(MSG_DEBUG,
+ 				   "nl80211: Not the main interface (%s) - do not indicate interface up",
+ 				   drv->first_bss->ifname);
+@@ -8432,6 +8432,7 @@ static void *i802_init(struct hostapd_da
+ 	char master_ifname[IFNAMSIZ];
+ 	int ifindex, br_ifindex = 0;
+ 	int br_added = 0;
++	int err;
+ 
+ 	bss = wpa_driver_nl80211_drv_init(hapd, params->ifname,
+ 					  params->global_priv, 1,
+@@ -8491,21 +8492,17 @@ static void *i802_init(struct hostapd_da
+ 	    (params->num_bridge == 0 || !params->bridge[0]))
+ 		add_ifidx(drv, br_ifindex, drv->ifindex);
+ 
+-	if (bss->added_if_into_bridge || bss->already_in_bridge) {
+-		int err;
+-
+-		drv->rtnl_sk = nl_socket_alloc();
+-		if (drv->rtnl_sk == NULL) {
+-			wpa_printf(MSG_ERROR, "nl80211: Failed to allocate nl_sock");
+-			goto failed;
+-		}
++	drv->rtnl_sk = nl_socket_alloc();
++	if (drv->rtnl_sk == NULL) {
++		wpa_printf(MSG_ERROR, "nl80211: Failed to allocate nl_sock");
++		goto failed;
++	}
+ 
+-		err = nl_connect(drv->rtnl_sk, NETLINK_ROUTE);
+-		if (err) {
+-			wpa_printf(MSG_ERROR, "nl80211: Failed to connect nl_sock to NETLINK_ROUTE: %s",
+-				   nl_geterror(err));
+-			goto failed;
+-		}
++	err = nl_connect(drv->rtnl_sk, NETLINK_ROUTE);
++	if (err) {
++		wpa_printf(MSG_ERROR, "nl80211: Failed to connect nl_sock to NETLINK_ROUTE: %s",
++			   nl_geterror(err));
++		goto failed;
+ 	}
+ 
+ 	if (drv->capa.flags2 & WPA_DRIVER_FLAGS2_CONTROL_PORT_RX) {
+@@ -8875,6 +8872,50 @@ static int wpa_driver_nl80211_if_remove(
+ 	return 0;
+ }
+ 
++static int wpa_driver_nl80211_if_rename(struct i802_bss *bss,
++					enum wpa_driver_if_type type,
++					const char *ifname, const char *new_name)
++{
++	struct wpa_driver_nl80211_data *drv = bss->drv;
++	struct ifinfomsg ifi = {
++		.ifi_family = AF_UNSPEC,
++		.ifi_index = bss->ifindex,
++	};
++	struct nl_msg *msg;
++	int res = -ENOMEM;
++
++	if (ifname)
++		ifi.ifi_index = if_nametoindex(ifname);
++
++	msg = nlmsg_alloc_simple(RTM_SETLINK, 0);
++	if (!msg)
++		return res;
++
++	if (nlmsg_append(msg, &ifi, sizeof(ifi), NLMSG_ALIGNTO) < 0)
++		goto out;
++
++	if (nla_put_string(msg, IFLA_IFNAME, new_name))
++		goto out;
++
++	res = nl_send_auto_complete(drv->rtnl_sk, msg);
++	if (res < 0)
++		goto out;
++
++	res = nl_wait_for_ack(drv->rtnl_sk);
++	if (res) {
++		wpa_printf(MSG_INFO,
++			   "nl80211: Renaming device %s to %s failed: %s",
++			   ifname ? ifname : bss->ifname, new_name, nl_geterror(res));
++		goto out;
++	}
++
++	if (type == WPA_IF_AP_BSS && !ifname)
++		os_strlcpy(bss->ifname, new_name, sizeof(bss->ifname));
++
++out:
++	nlmsg_free(msg);
++	return res;
++}
+ 
+ static int cookie_handler(struct nl_msg *msg, void *arg)
+ {
+@@ -10513,6 +10554,37 @@ static int driver_nl80211_if_remove(void
+ }
+ 
+ 
++static int driver_nl80211_if_rename(void *priv, enum wpa_driver_if_type type,
++				    const char *ifname, const char *new_name)
++{
++	struct i802_bss *bss = priv;
++	return wpa_driver_nl80211_if_rename(bss, type, ifname, new_name);
++}
++
++
++static int driver_nl80211_set_first_bss(void *priv)
++{
++	struct i802_bss *bss = priv, *tbss;
++	struct wpa_driver_nl80211_data *drv = bss->drv;
++
++	if (drv->first_bss == bss)
++		return 0;
++
++	for (tbss = drv->first_bss; tbss; tbss = tbss->next) {
++		if (tbss->next != bss)
++			continue;
++
++		tbss->next = bss->next;
++		bss->next = drv->first_bss;
++		drv->first_bss = bss;
++		drv->ctx = bss->ctx;
++		return 0;
++	}
++
++	return -1;
++}
++
++
+ static int driver_nl80211_send_mlme(void *priv, const u8 *data,
+ 				    size_t data_len, int noack,
+ 				    unsigned int freq,
+@@ -13697,6 +13769,8 @@ const struct wpa_driver_ops wpa_driver_n
+ 	.set_acl = wpa_driver_nl80211_set_acl,
+ 	.if_add = wpa_driver_nl80211_if_add,
+ 	.if_remove = driver_nl80211_if_remove,
++	.if_rename = driver_nl80211_if_rename,
++	.set_first_bss = driver_nl80211_set_first_bss,
+ 	.send_mlme = driver_nl80211_send_mlme,
+ 	.get_hw_feature_data = nl80211_get_hw_feature_data,
+ 	.sta_add = wpa_driver_nl80211_sta_add,
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -547,11 +547,16 @@ static const char * sae_get_password(str
+ 				     struct sae_pt **s_pt,
+ 				     const struct sae_pk **s_pk)
+ {
++	struct hostapd_bss_config *conf = hapd->conf;
++	struct hostapd_ssid *ssid = &conf->ssid;
++	struct hostapd_sta_wpa_psk_short *psk;
+ 	const char *password = NULL;
+-	struct sae_password_entry *pw;
+-	struct sae_pt *pt = NULL;
+-	const struct sae_pk *pk = NULL;
+-	struct hostapd_sta_wpa_psk_short *psk = NULL;
++	struct sae_password_entry *pw = NULL;
++ 	struct sae_pt *pt = NULL;
++ 	const struct sae_pk *pk = NULL;
++ 
++	if (sta && sta->use_sta_psk)
++		goto use_sta_psk;
+ 
+ 	for (pw = hapd->conf->sae_passwords; pw; pw = pw->next) {
+ 		if (!is_broadcast_ether_addr(pw->peer_addr) &&
+@@ -582,6 +587,31 @@ static const char * sae_get_password(str
+ 		}
+ 	}
+ 
++use_sta_psk:
++	if (!password && sta) {
++		for (psk = sta->psk; psk; psk = psk->next) {
++			if (!psk->is_passphrase)
++				continue;
++
++			password = psk->passphrase;
++			if (!sta->use_sta_psk)
++				break;
++
++			if (sta->sae_pt) {
++				pt = sta->sae_pt;
++				break;
++			}
++
++			pt = sae_derive_pt(conf->sae_groups, ssid->ssid,
++					   ssid->ssid_len,
++					   (const u8 *) password,
++					   os_strlen(password),
++					   NULL);
++			sta->sae_pt = pt;
++			break;
++		}
++	}
++
+ 	if (pw_entry)
+ 		*pw_entry = pw;
+ 	if (s_pt)
+@@ -3105,6 +3135,12 @@ static void handle_auth(struct hostapd_d
+ 		goto fail;
+ 	}
+ 
++	res = hostapd_ucode_sta_auth(hapd, sta);
++	if (res) {
++		resp = res;
++		goto fail;
++	}
++
+ 	sta->flags &= ~WLAN_STA_PREAUTH;
+ 	ieee802_1x_notify_pre_auth(sta->eapol_sm, 0);
+ 
+--- a/src/ap/sta_info.c
++++ b/src/ap/sta_info.c
+@@ -425,6 +425,9 @@ void ap_free_sta(struct hostapd_data *ha
+ 	forced_memzero(sta->last_tk, WPA_TK_MAX_LEN);
+ #endif /* CONFIG_TESTING_OPTIONS */
+ 
++	if (sta->sae_pt)
++		sae_deinit_pt(sta->sae_pt);
++
+ 	os_free(sta);
+ }
+ 
+@@ -1326,6 +1329,8 @@ void ap_sta_set_authorized(struct hostap
+ 		sta->flags &= ~WLAN_STA_AUTHORIZED;
+ 	}
+ 
++	if (authorized)
++		hostapd_ucode_sta_connected(hapd, sta);
+ #ifdef CONFIG_P2P
+ 	if (hapd->p2p_group == NULL) {
+ 		if (sta->p2p_ie != NULL &&
+--- a/src/ap/sta_info.h
++++ b/src/ap/sta_info.h
+@@ -198,6 +198,9 @@ struct sta_info {
+ 	int vlan_id_bound; /* updated by ap_sta_bind_vlan() */
+ 	 /* PSKs from RADIUS authentication server */
+ 	struct hostapd_sta_wpa_psk_short *psk;
++	struct sae_pt *sae_pt;
++	int use_sta_psk;
++	int psk_idx;
+ 
+ 	char *identity; /* User-Name from RADIUS */
+ 	char *radius_cui; /* Chargeable-User-Identity from RADIUS */
+--- a/src/ap/wpa_auth_glue.c
++++ b/src/ap/wpa_auth_glue.c
+@@ -341,6 +341,7 @@ static const u8 * hostapd_wpa_auth_get_p
+ 	struct sta_info *sta = ap_get_sta(hapd, addr);
+ 	const u8 *psk;
+ 
++	sta->psk_idx = 0;
+ 	if (vlan_id)
+ 		*vlan_id = 0;
+ 	if (psk_len)
+@@ -387,13 +388,18 @@ static const u8 * hostapd_wpa_auth_get_p
+ 	 * returned psk which should not be returned again.
+ 	 * logic list (all hostapd_get_psk; all sta->psk)
+ 	 */
++	if (sta && sta->use_sta_psk)
++		psk = NULL;
+ 	if (sta && sta->psk && !psk) {
+ 		struct hostapd_sta_wpa_psk_short *pos;
++		int psk_idx;
+ 
+ 		if (vlan_id)
+ 			*vlan_id = 0;
+ 		psk = sta->psk->psk;
++		sta->psk_idx = psk_idx = 1;
+ 		for (pos = sta->psk; pos; pos = pos->next) {
++			psk_idx++;
+ 			if (pos->is_passphrase) {
+ 				if (pbkdf2_sha1(pos->passphrase,
+ 						hapd->conf->ssid.ssid,
+@@ -406,10 +412,14 @@ static const u8 * hostapd_wpa_auth_get_p
+ 				pos->is_passphrase = 0;
+ 			}
+ 			if (pos->psk == prev_psk) {
++				sta->psk_idx = psk_idx;
+ 				psk = pos->next ? pos->next->psk : NULL;
+ 				break;
+ 			}
+ 		}
++
++		if (!psk)
++			sta->psk_idx = 0;
+ 	}
+ 	return psk;
+ }

feeds/hostapd/hostapd/patches/610-hostapd_cli_ujail_permission.patch

@@ -0,0 +1,33 @@
+--- a/src/common/wpa_ctrl.c
++++ b/src/common/wpa_ctrl.c
+@@ -135,7 +135,7 @@ try_again:
+ 		return NULL;
+ 	}
+ 	tries++;
+-#ifdef ANDROID
++
+ 	/* Set client socket file permissions so that bind() creates the client
+ 	 * socket with these permissions and there is no need to try to change
+ 	 * them with chmod() after bind() which would have potential issues with
+@@ -147,7 +147,7 @@ try_again:
+ 	 * operations to allow the response to go through. Those are using the
+ 	 * no-deference-symlinks version to avoid races. */
+ 	fchmod(ctrl->s, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
+-#endif /* ANDROID */
++
+ 	if (bind(ctrl->s, (struct sockaddr *) &ctrl->local,
+ 		    sizeof(ctrl->local)) < 0) {
+ 		if (errno == EADDRINUSE && tries < 2) {
+@@ -165,7 +165,11 @@ try_again:
+ 		return NULL;
+ 	}
+ 
+-#ifdef ANDROID
++#ifndef ANDROID
++	/* Set group even if we do not have privileges to change owner */
++	lchown(ctrl->local.sun_path, -1, 101);
++	lchown(ctrl->local.sun_path, 101, 101);
++#else
+ 	/* Set group even if we do not have privileges to change owner */
+ 	lchown(ctrl->local.sun_path, -1, AID_WIFI);
+ 	lchown(ctrl->local.sun_path, AID_SYSTEM, AID_WIFI);

feeds/hostapd/hostapd/patches/701-reload_config_inline.patch

@@ -0,0 +1,33 @@
+--- a/hostapd/config_file.c
++++ b/hostapd/config_file.c
+@@ -4816,7 +4816,12 @@ struct hostapd_config * hostapd_config_r
+ 	int errors = 0;
+ 	size_t i;
+ 
+-	f = fopen(fname, "r");
++	if (!strncmp(fname, "data:", 5)) {
++		f = fmemopen((void *)(fname + 5), strlen(fname + 5), "r");
++		fname = "<inline>";
++	} else {
++		f = fopen(fname, "r");
++	}
+ 	if (f == NULL) {
+ 		wpa_printf(MSG_ERROR, "Could not open configuration file '%s' "
+ 			   "for reading.", fname);
+--- a/wpa_supplicant/config_file.c
++++ b/wpa_supplicant/config_file.c
+@@ -326,8 +326,13 @@ struct wpa_config * wpa_config_read(cons
+ 	while (cred_tail && cred_tail->next)
+ 		cred_tail = cred_tail->next;
+ 
++	if (!strncmp(name, "data:", 5)) {
++		f = fmemopen((void *)(name + 5), strlen(name + 5), "r");
++		name = "<inline>";
++	} else {
++		f = fopen(name, "r");
++	}
+ 	wpa_printf(MSG_DEBUG, "Reading configuration file '%s'", name);
+-	f = fopen(name, "r");
+ 	if (f == NULL) {
+ 		wpa_printf(MSG_ERROR, "Failed to open config file '%s', "
+ 			   "error: %s", name, strerror(errno));

feeds/hostapd/hostapd/patches/710-vlan_no_bridge.patch

@@ -0,0 +1,41 @@
+--- a/src/ap/ap_config.h
++++ b/src/ap/ap_config.h
+@@ -121,6 +121,7 @@ struct hostapd_ssid {
+ #define DYNAMIC_VLAN_OPTIONAL 1
+ #define DYNAMIC_VLAN_REQUIRED 2
+ 	int dynamic_vlan;
++	int vlan_no_bridge;
+ #define DYNAMIC_VLAN_NAMING_WITHOUT_DEVICE 0
+ #define DYNAMIC_VLAN_NAMING_WITH_DEVICE 1
+ #define DYNAMIC_VLAN_NAMING_END 2
+--- a/src/ap/vlan_full.c
++++ b/src/ap/vlan_full.c
+@@ -475,6 +475,9 @@ void vlan_newlink(const char *ifname, st
+ 	if (!vlan)
+ 		return;
+ 
++	if (hapd->conf->ssid.vlan_no_bridge)
++		goto out;
++
+ 	vlan->configured = 1;
+ 
+ 	notempty = vlan->vlan_desc.notempty;
+@@ -506,6 +509,7 @@ void vlan_newlink(const char *ifname, st
+ 				    ifname, br_name, tagged[i], hapd);
+ 	}
+ 
++out:
+ 	ifconfig_up(ifname);
+ }
+ 
+--- a/hostapd/config_file.c
++++ b/hostapd/config_file.c
+@@ -3351,6 +3351,8 @@ static int hostapd_config_fill(struct ho
+ #ifndef CONFIG_NO_VLAN
+ 	} else if (os_strcmp(buf, "dynamic_vlan") == 0) {
+ 		bss->ssid.dynamic_vlan = atoi(pos);
++	} else if (os_strcmp(buf, "vlan_no_bridge") == 0) {
++		bss->ssid.vlan_no_bridge = atoi(pos);
+ 	} else if (os_strcmp(buf, "per_sta_vif") == 0) {
+ 		bss->ssid.per_sta_vif = atoi(pos);
+ 	} else if (os_strcmp(buf, "vlan_file") == 0) {

feeds/hostapd/hostapd/patches/711-wds_bridge_force.patch

@@ -0,0 +1,22 @@
+--- a/hostapd/config_file.c
++++ b/hostapd/config_file.c
+@@ -2318,6 +2318,8 @@ static int hostapd_config_fill(struct ho
+ 			   sizeof(conf->bss[0]->iface));
+ 	} else if (os_strcmp(buf, "bridge") == 0) {
+ 		os_strlcpy(bss->bridge, pos, sizeof(bss->bridge));
++		if (!bss->wds_bridge[0])
++			os_strlcpy(bss->wds_bridge, pos, sizeof(bss->wds_bridge));
+ 	} else if (os_strcmp(buf, "bridge_hairpin") == 0) {
+ 		bss->bridge_hairpin = atoi(pos);
+ 	} else if (os_strcmp(buf, "vlan_bridge") == 0) {
+--- a/src/ap/ap_drv_ops.c
++++ b/src/ap/ap_drv_ops.c
+@@ -348,8 +348,6 @@ int hostapd_set_wds_sta(struct hostapd_d
+ 		return -1;
+ 	if (hapd->conf->wds_bridge[0])
+ 		bridge = hapd->conf->wds_bridge;
+-	else if (hapd->conf->bridge[0])
+-		bridge = hapd->conf->bridge;
+ 	return hapd->driver->set_wds_sta(hapd->drv_priv, addr, aid, val,
+ 					 bridge, ifname_wds);
+ }

feeds/hostapd/hostapd/patches/720-iface_max_num_sta.patch

@@ -0,0 +1,81 @@
+--- a/hostapd/config_file.c
++++ b/hostapd/config_file.c
+@@ -2848,6 +2848,14 @@ static int hostapd_config_fill(struct ho
+ 				   line, bss->max_num_sta, MAX_STA_COUNT);
+ 			return 1;
+ 		}
++	} else if (os_strcmp(buf, "iface_max_num_sta") == 0) {
++		conf->max_num_sta = atoi(pos);
++		if (conf->max_num_sta < 0 ||
++		    conf->max_num_sta > MAX_STA_COUNT) {
++			wpa_printf(MSG_ERROR, "Line %d: Invalid max_num_sta=%d; allowed range 0..%d",
++				   line, conf->max_num_sta, MAX_STA_COUNT);
++			return 1;
++		}
+ 	} else if (os_strcmp(buf, "wpa") == 0) {
+ 		bss->wpa = atoi(pos);
+ 	} else if (os_strcmp(buf, "extended_key_id") == 0) {
+--- a/src/ap/hostapd.h
++++ b/src/ap/hostapd.h
+@@ -742,6 +742,7 @@ void hostapd_cleanup_cs_params(struct ho
+ void hostapd_periodic_iface(struct hostapd_iface *iface);
+ int hostapd_owe_trans_get_info(struct hostapd_data *hapd);
+ void hostapd_ocv_check_csa_sa_query(void *eloop_ctx, void *timeout_ctx);
++int hostapd_check_max_sta(struct hostapd_data *hapd);
+ 
+ void hostapd_switch_color(struct hostapd_data *hapd, u64 bitmap);
+ void hostapd_cleanup_cca_params(struct hostapd_data *hapd);
+--- a/src/ap/hostapd.c
++++ b/src/ap/hostapd.c
+@@ -244,6 +244,29 @@ static int hostapd_iface_conf_changed(st
+ 	return 0;
+ }
+ 
++static inline int hostapd_iface_num_sta(struct hostapd_iface *iface)
++{
++	int num_sta = 0;
++	int i;
++
++	for (i = 0; i < iface->num_bss; i++)
++		num_sta += iface->bss[i]->num_sta;
++
++	return num_sta;
++}
++
++
++int hostapd_check_max_sta(struct hostapd_data *hapd)
++{
++	if (hapd->num_sta >= hapd->conf->max_num_sta)
++		return 1;
++
++	if (hapd->iconf->max_num_sta &&
++	    hostapd_iface_num_sta(hapd->iface) >= hapd->iconf->max_num_sta)
++		return 1;
++
++	return 0;
++}
+ 
+ int hostapd_reload_config(struct hostapd_iface *iface)
+ {
+--- a/src/ap/beacon.c
++++ b/src/ap/beacon.c
+@@ -1252,7 +1252,7 @@ void handle_probe_req(struct hostapd_dat
+ 	if (hapd->conf->no_probe_resp_if_max_sta &&
+ 	    is_multicast_ether_addr(mgmt->da) &&
+ 	    is_multicast_ether_addr(mgmt->bssid) &&
+-	    hapd->num_sta >= hapd->conf->max_num_sta &&
++	    hostapd_check_max_sta(hapd) &&
+ 	    !ap_get_sta(hapd, mgmt->sa)) {
+ 		wpa_printf(MSG_MSGDUMP, "%s: Ignore Probe Request from " MACSTR
+ 			   " since no room for additional STA",
+--- a/src/ap/ap_config.h
++++ b/src/ap/ap_config.h
+@@ -1039,6 +1039,8 @@ struct hostapd_config {
+ 	unsigned int track_sta_max_num;
+ 	unsigned int track_sta_max_age;
+ 
++	int max_num_sta;
++
+ 	char country[3]; /* first two octets: country code as described in
+ 			  * ISO/IEC 3166-1. Third octet:
+ 			  * ' ' (ascii 32): all environments

feeds/hostapd/hostapd/patches/730-ft_iface.patch

@@ -0,0 +1,38 @@
+--- a/hostapd/config_file.c
++++ b/hostapd/config_file.c
+@@ -3007,6 +3007,8 @@ static int hostapd_config_fill(struct ho
+ 		wpa_printf(MSG_INFO,
+ 			   "Line %d: Obsolete peerkey parameter ignored", line);
+ #ifdef CONFIG_IEEE80211R_AP
++	} else if (os_strcmp(buf, "ft_iface") == 0) {
++		os_strlcpy(bss->ft_iface, pos, sizeof(bss->ft_iface));
+ 	} else if (os_strcmp(buf, "mobility_domain") == 0) {
+ 		if (os_strlen(pos) != 2 * MOBILITY_DOMAIN_ID_LEN ||
+ 		    hexstr2bin(pos, bss->mobility_domain,
+--- a/src/ap/ap_config.h
++++ b/src/ap/ap_config.h
+@@ -283,6 +283,7 @@ struct airtime_sta_weight {
+ struct hostapd_bss_config {
+ 	char iface[IFNAMSIZ + 1];
+ 	char bridge[IFNAMSIZ + 1];
++	char ft_iface[IFNAMSIZ + 1];
+ 	char vlan_bridge[IFNAMSIZ + 1];
+ 	char wds_bridge[IFNAMSIZ + 1];
+ 	int bridge_hairpin; /* hairpin_mode on bridge members */
+--- a/src/ap/wpa_auth_glue.c
++++ b/src/ap/wpa_auth_glue.c
+@@ -1727,8 +1727,12 @@ int hostapd_setup_wpa(struct hostapd_dat
+ 	    wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt)) {
+ 		const char *ft_iface;
+ 
+-		ft_iface = hapd->conf->bridge[0] ? hapd->conf->bridge :
+-			   hapd->conf->iface;
++		if (hapd->conf->ft_iface[0])
++			ft_iface = hapd->conf->ft_iface;
++		else if (hapd->conf->bridge[0])
++			ft_iface = hapd->conf->bridge;
++		else
++			ft_iface = hapd->conf->iface;
+ 		hapd->l2 = l2_packet_init(ft_iface, NULL, ETH_P_RRB,
+ 					  hostapd_rrb_receive, hapd, 1);
+ 		if (!hapd->l2) {

feeds/hostapd/hostapd/patches/740-snoop_iface.patch

@@ -0,0 +1,139 @@
+--- a/src/ap/ap_config.h
++++ b/src/ap/ap_config.h
+@@ -284,6 +284,7 @@ struct hostapd_bss_config {
+ 	char iface[IFNAMSIZ + 1];
+ 	char bridge[IFNAMSIZ + 1];
+ 	char ft_iface[IFNAMSIZ + 1];
++	char snoop_iface[IFNAMSIZ + 1];
+ 	char vlan_bridge[IFNAMSIZ + 1];
+ 	char wds_bridge[IFNAMSIZ + 1];
+ 	int bridge_hairpin; /* hairpin_mode on bridge members */
+--- a/src/ap/x_snoop.c
++++ b/src/ap/x_snoop.c
+@@ -33,28 +33,31 @@ int x_snoop_init(struct hostapd_data *ha
+ 
+ 	hapd->x_snoop_initialized = true;
+ 
+-	if (hostapd_drv_br_port_set_attr(hapd, DRV_BR_PORT_ATTR_HAIRPIN_MODE,
++	if (!conf->snoop_iface[0] &&
++	    hostapd_drv_br_port_set_attr(hapd, DRV_BR_PORT_ATTR_HAIRPIN_MODE,
+ 					 1)) {
+ 		wpa_printf(MSG_DEBUG,
+ 			   "x_snoop: Failed to enable hairpin_mode on the bridge port");
+ 		return -1;
+ 	}
+ 
+-	if (hostapd_drv_br_port_set_attr(hapd, DRV_BR_PORT_ATTR_PROXYARP, 1)) {
++	if (!conf->snoop_iface[0] &&
++	    hostapd_drv_br_port_set_attr(hapd, DRV_BR_PORT_ATTR_PROXYARP, 1)) {
+ 		wpa_printf(MSG_DEBUG,
+ 			   "x_snoop: Failed to enable proxyarp on the bridge port");
+ 		return -1;
+ 	}
+ 
+ 	if (hostapd_drv_br_set_net_param(hapd, DRV_BR_NET_PARAM_GARP_ACCEPT,
+-					 1)) {
++					 conf->snoop_iface[0] ? conf->snoop_iface : NULL, 1)) {
+ 		wpa_printf(MSG_DEBUG,
+ 			   "x_snoop: Failed to enable accepting gratuitous ARP on the bridge");
+ 		return -1;
+ 	}
+ 
+ #ifdef CONFIG_IPV6
+-	if (hostapd_drv_br_set_net_param(hapd, DRV_BR_MULTICAST_SNOOPING, 1)) {
++	if (!conf->snoop_iface[0] &&
++	    hostapd_drv_br_set_net_param(hapd, DRV_BR_MULTICAST_SNOOPING, NULL, 1)) {
+ 		wpa_printf(MSG_DEBUG,
+ 			   "x_snoop: Failed to enable multicast snooping on the bridge");
+ 		return -1;
+@@ -73,8 +76,12 @@ x_snoop_get_l2_packet(struct hostapd_dat
+ {
+ 	struct hostapd_bss_config *conf = hapd->conf;
+ 	struct l2_packet_data *l2;
++	const char *ifname = conf->bridge;
++
++	if (conf->snoop_iface[0])
++		ifname = conf->snoop_iface;
+ 
+-	l2 = l2_packet_init(conf->bridge, NULL, ETH_P_ALL, handler, hapd, 1);
++	l2 = l2_packet_init(ifname, NULL, ETH_P_ALL, handler, hapd, 1);
+ 	if (l2 == NULL) {
+ 		wpa_printf(MSG_DEBUG,
+ 			   "x_snoop: Failed to initialize L2 packet processing %s",
+@@ -127,9 +134,12 @@ void x_snoop_mcast_to_ucast_convert_send
+ 
+ void x_snoop_deinit(struct hostapd_data *hapd)
+ {
++	struct hostapd_bss_config *conf = hapd->conf;
++
+ 	if (!hapd->x_snoop_initialized)
+ 		return;
+-	hostapd_drv_br_set_net_param(hapd, DRV_BR_NET_PARAM_GARP_ACCEPT, 0);
++	hostapd_drv_br_set_net_param(hapd, DRV_BR_NET_PARAM_GARP_ACCEPT,
++				     conf->snoop_iface[0] ? conf->snoop_iface : NULL, 0);
+ 	hostapd_drv_br_port_set_attr(hapd, DRV_BR_PORT_ATTR_PROXYARP, 0);
+ 	hostapd_drv_br_port_set_attr(hapd, DRV_BR_PORT_ATTR_HAIRPIN_MODE, 0);
+ 	hapd->x_snoop_initialized = false;
+--- a/hostapd/config_file.c
++++ b/hostapd/config_file.c
+@@ -2322,6 +2322,8 @@ static int hostapd_config_fill(struct ho
+ 			os_strlcpy(bss->wds_bridge, pos, sizeof(bss->wds_bridge));
+ 	} else if (os_strcmp(buf, "bridge_hairpin") == 0) {
+ 		bss->bridge_hairpin = atoi(pos);
++	} else if (os_strcmp(buf, "snoop_iface") == 0) {
++		os_strlcpy(bss->snoop_iface, pos, sizeof(bss->snoop_iface));
+ 	} else if (os_strcmp(buf, "vlan_bridge") == 0) {
+ 		os_strlcpy(bss->vlan_bridge, pos, sizeof(bss->vlan_bridge));
+ 	} else if (os_strcmp(buf, "wds_bridge") == 0) {
+--- a/src/ap/ap_drv_ops.h
++++ b/src/ap/ap_drv_ops.h
+@@ -366,12 +366,12 @@ static inline int hostapd_drv_br_port_se
+ 
+ static inline int hostapd_drv_br_set_net_param(struct hostapd_data *hapd,
+ 					       enum drv_br_net_param param,
+-					       unsigned int val)
++					       const char *ifname, unsigned int val)
+ {
+ 	if (hapd->driver == NULL || hapd->drv_priv == NULL ||
+ 	    hapd->driver->br_set_net_param == NULL)
+ 		return -1;
+-	return hapd->driver->br_set_net_param(hapd->drv_priv, param, val);
++	return hapd->driver->br_set_net_param(hapd->drv_priv, param, ifname, val);
+ }
+ 
+ static inline int hostapd_drv_vendor_cmd(struct hostapd_data *hapd,
+--- a/src/drivers/driver.h
++++ b/src/drivers/driver.h
+@@ -4209,7 +4209,7 @@ struct wpa_driver_ops {
+ 	 * Returns: 0 on success, negative (<0) on failure
+ 	 */
+ 	int (*br_set_net_param)(void *priv, enum drv_br_net_param param,
+-				unsigned int val);
++				const char *ifname, unsigned int val);
+ 
+ 	/**
+ 	 * get_wowlan - Get wake-on-wireless status
+--- a/src/drivers/driver_nl80211.c
++++ b/src/drivers/driver_nl80211.c
+@@ -12168,7 +12168,7 @@ static const char * drv_br_net_param_str
+ 
+ 
+ static int wpa_driver_br_set_net_param(void *priv, enum drv_br_net_param param,
+-				       unsigned int val)
++				       const char *ifname, unsigned int val)
+ {
+ 	struct i802_bss *bss = priv;
+ 	char path[128];
+@@ -12194,8 +12194,11 @@ static int wpa_driver_br_set_net_param(v
+ 			return -EINVAL;
+ 	}
+ 
++	if (!ifname)
++		ifname = bss->brname;
++
+ 	os_snprintf(path, sizeof(path), "/proc/sys/net/ipv%d/conf/%s/%s",
+-		    ip_version, bss->brname, param_txt);
++		    ip_version, ifname, param_txt);
+ 
+ set_val:
+ 	if (linux_write_system_file(path, val))

feeds/hostapd/hostapd/patches/750-qos_map_set_without_interworking.patch

@@ -0,0 +1,97 @@
+--- a/hostapd/config_file.c
++++ b/hostapd/config_file.c
+@@ -1604,6 +1604,8 @@ static int parse_anqp_elem(struct hostap
+ 	return 0;
+ }
+ 
++#endif /* CONFIG_INTERWORKING */
++
+ 
+ static int parse_qos_map_set(struct hostapd_bss_config *bss,
+ 			     char *buf, int line)
+@@ -1645,8 +1647,6 @@ static int parse_qos_map_set(struct host
+ 	return 0;
+ }
+ 
+-#endif /* CONFIG_INTERWORKING */
+-
+ 
+ #ifdef CONFIG_HS20
+ static int hs20_parse_conn_capab(struct hostapd_bss_config *bss, char *buf,
+@@ -4062,10 +4062,10 @@ static int hostapd_config_fill(struct ho
+ 		bss->gas_frag_limit = val;
+ 	} else if (os_strcmp(buf, "gas_comeback_delay") == 0) {
+ 		bss->gas_comeback_delay = atoi(pos);
++#endif /* CONFIG_INTERWORKING */
+ 	} else if (os_strcmp(buf, "qos_map_set") == 0) {
+ 		if (parse_qos_map_set(bss, pos, line) < 0)
+ 			return 1;
+-#endif /* CONFIG_INTERWORKING */
+ #ifdef CONFIG_RADIUS_TEST
+ 	} else if (os_strcmp(buf, "dump_msk_file") == 0) {
+ 		os_free(bss->dump_msk_file);
+--- a/src/ap/hostapd.c
++++ b/src/ap/hostapd.c
+@@ -1486,6 +1486,7 @@ int hostapd_setup_bss(struct hostapd_dat
+ 		wpa_printf(MSG_ERROR, "GAS server initialization failed");
+ 		return -1;
+ 	}
++#endif /* CONFIG_INTERWORKING */
+ 
+ 	if (conf->qos_map_set_len &&
+ 	    hostapd_drv_set_qos_map(hapd, conf->qos_map_set,
+@@ -1493,7 +1494,6 @@ int hostapd_setup_bss(struct hostapd_dat
+ 		wpa_printf(MSG_ERROR, "Failed to initialize QoS Map");
+ 		return -1;
+ 	}
+-#endif /* CONFIG_INTERWORKING */
+ 
+ 	if (conf->bss_load_update_period && bss_load_update_init(hapd)) {
+ 		wpa_printf(MSG_ERROR, "BSS Load initialization failed");
+--- a/wpa_supplicant/events.c
++++ b/wpa_supplicant/events.c
+@@ -2683,8 +2683,6 @@ void wnm_bss_keep_alive_deinit(struct wp
+ }
+ 
+ 
+-#ifdef CONFIG_INTERWORKING
+-
+ static int wpas_qos_map_set(struct wpa_supplicant *wpa_s, const u8 *qos_map,
+ 			    size_t len)
+ {
+@@ -2717,8 +2715,6 @@ static void interworking_process_assoc_r
+ 	}
+ }
+ 
+-#endif /* CONFIG_INTERWORKING */
+-
+ 
+ static void wpa_supplicant_set_4addr_mode(struct wpa_supplicant *wpa_s)
+ {
+@@ -3098,10 +3094,8 @@ static int wpa_supplicant_event_associnf
+ 		wnm_process_assoc_resp(wpa_s, data->assoc_info.resp_ies,
+ 				       data->assoc_info.resp_ies_len);
+ #endif /* CONFIG_WNM */
+-#ifdef CONFIG_INTERWORKING
+ 		interworking_process_assoc_resp(wpa_s, data->assoc_info.resp_ies,
+ 						data->assoc_info.resp_ies_len);
+-#endif /* CONFIG_INTERWORKING */
+ 		if (wpa_s->hw_capab == CAPAB_VHT &&
+ 		    get_ie(data->assoc_info.resp_ies,
+ 			   data->assoc_info.resp_ies_len, WLAN_EID_VHT_CAP))
+--- a/src/ap/ieee802_11_shared.c
++++ b/src/ap/ieee802_11_shared.c
+@@ -1116,13 +1116,11 @@ u8 * hostapd_eid_rsnxe(struct hostapd_da
+ u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta,
+ 		    const u8 *ext_capab_ie, size_t ext_capab_ie_len)
+ {
+-#ifdef CONFIG_INTERWORKING
+ 	/* check for QoS Map support */
+ 	if (ext_capab_ie_len >= 5) {
+ 		if (ext_capab_ie[4] & 0x01)
+ 			sta->qos_map_enabled = 1;
+ 	}
+-#endif /* CONFIG_INTERWORKING */
+ 
+ 	if (ext_capab_ie_len > 0) {
+ 		sta->ecsa_supported = !!(ext_capab_ie[0] & BIT(2));

feeds/hostapd/hostapd/patches/751-qos_map_ignore_when_unsupported.patch

@@ -0,0 +1,12 @@
+--- a/src/ap/ap_drv_ops.c
++++ b/src/ap/ap_drv_ops.c
+@@ -927,7 +927,8 @@ int hostapd_start_dfs_cac(struct hostapd
+ int hostapd_drv_set_qos_map(struct hostapd_data *hapd,
+ 			    const u8 *qos_map_set, u8 qos_map_set_len)
+ {
+-	if (!hapd->driver || !hapd->driver->set_qos_map || !hapd->drv_priv)
++	if (!hapd->driver || !hapd->driver->set_qos_map || !hapd->drv_priv ||
++	    !(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_QOS_MAPPING))
+ 		return 0;
+ 	return hapd->driver->set_qos_map(hapd->drv_priv, qos_map_set,
+ 					 qos_map_set_len);

feeds/hostapd/hostapd/patches/751-wispr-ft.patch

@@ -0,0 +1,539 @@
+--- a/src/ap/wpa_auth.h
++++ b/src/ap/wpa_auth.h
+@@ -16,7 +16,11 @@
+ 
+ struct vlan_description;
+ struct mld_info;
+-
++struct rate_description {
++	u32 rx;
++	u32 tx;
++};
++ 
+ #define MAX_OWN_IE_OVERRIDE 256
+ 
+ #ifdef _MSC_VER
+@@ -88,6 +92,7 @@ struct ft_rrb_frame {
+ #define FT_RRB_IDENTITY      15
+ #define FT_RRB_RADIUS_CUI    16
+ #define FT_RRB_SESSION_TIMEOUT  17 /* le32 seconds */
++#define FT_RRB_RATE_LIMIT	18
+ 
+ struct ft_rrb_tlv {
+ 	le16 type;
+@@ -368,6 +373,10 @@ struct wpa_auth_callbacks {
+ 			struct vlan_description *vlan);
+ 	int (*get_vlan)(void *ctx, const u8 *sta_addr,
+ 			struct vlan_description *vlan);
++	int (*set_rate_limit)(void *ctx, const u8 *sta_addr,
++			      struct rate_description *rate);
++	int (*get_rate_limit)(void *ctx, const u8 *sta_addr,
++			      struct rate_description *rate);
+ 	int (*set_identity)(void *ctx, const u8 *sta_addr,
+ 			    const u8 *identity, size_t identity_len);
+ 	size_t (*get_identity)(void *ctx, const u8 *sta_addr, const u8 **buf);
+@@ -536,7 +545,7 @@ int wpa_ft_fetch_pmk_r1(struct wpa_authe
+ 			struct vlan_description *vlan,
+ 			const u8 **identity, size_t *identity_len,
+ 			const u8 **radius_cui, size_t *radius_cui_len,
+-			int *session_timeout);
++			int *session_timeout, struct rate_description *rate);
+ 
+ #endif /* CONFIG_IEEE80211R_AP */
+ 
+--- a/src/ap/wpa_auth_glue.c
++++ b/src/ap/wpa_auth_glue.c
+@@ -1200,6 +1200,40 @@ static int hostapd_wpa_auth_get_vlan(voi
+ }
+ 
+ 
++static int hostapd_wpa_auth_set_rate_limit(void *ctx, const u8 *sta_addr,
++					   struct rate_description *rate)
++{
++	struct hostapd_data *hapd = ctx;
++	struct sta_info *sta;
++
++	sta = ap_get_sta(hapd, sta_addr);
++	if (!sta || !sta->wpa_sm)
++		return -1;
++
++	memcpy(sta->bandwidth, rate, sizeof(*rate));
++	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
++		       HOSTAPD_LEVEL_INFO, "rate-limit %d %d", sta->bandwidth[0], sta->bandwidth[1]);
++
++	return 0;
++}
++
++
++static int hostapd_wpa_auth_get_rate_limit(void *ctx, const u8 *sta_addr,
++					   struct rate_description *rate)
++{
++	struct hostapd_data *hapd = ctx;
++	struct sta_info *sta;
++
++	sta = ap_get_sta(hapd, sta_addr);
++	if (!sta)
++		return -1;
++
++	memcpy(rate, sta->bandwidth, sizeof(*rate));
++
++	return 0;
++}
++
++
+ static int
+ hostapd_wpa_auth_set_identity(void *ctx, const u8 *sta_addr,
+ 			      const u8 *identity, size_t identity_len)
+@@ -1640,6 +1674,8 @@ int hostapd_setup_wpa(struct hostapd_dat
+ 		.add_tspec = hostapd_wpa_auth_add_tspec,
+ 		.set_vlan = hostapd_wpa_auth_set_vlan,
+ 		.get_vlan = hostapd_wpa_auth_get_vlan,
++		.set_rate_limit = hostapd_wpa_auth_set_rate_limit,
++		.get_rate_limit = hostapd_wpa_auth_get_rate_limit,
+ 		.set_identity = hostapd_wpa_auth_set_identity,
+ 		.get_identity = hostapd_wpa_auth_get_identity,
+ 		.set_radius_cui = hostapd_wpa_auth_set_radius_cui,
+--- a/src/ap/wpa_auth_ft.c
++++ b/src/ap/wpa_auth_ft.c
+@@ -379,6 +379,14 @@ static size_t wpa_ft_vlan_len(const stru
+ 	return tlv_len;
+ }
+ 
++static size_t wpa_ft_rate_limit_len(const struct rate_description *rate)
++{
++	if (!rate || (!rate->rx && !rate->tx))
++		return 0;
++
++	return (sizeof(struct ft_rrb_tlv) + 8);
++}
++
+ 
+ static size_t wpa_ft_vlan_lin(const struct vlan_description *vlan,
+ 			      u8 *start, u8 *endpos)
+@@ -434,10 +442,48 @@ static size_t wpa_ft_vlan_lin(const stru
+ }
+ 
+ 
++static size_t wpa_ft_rate_limit_lin(const struct rate_description *rate,
++				    u8 *start, u8 *endpos)
++{
++	size_t tlv_len;
++	int i, len;
++	struct ft_rrb_tlv *hdr;
++	u8 *pos = start;
++
++	if (!rate)
++		return 0;
++
++	tlv_len = 0;
++	if (rate->rx || rate->tx) {
++		tlv_len += sizeof(*hdr);
++		if (start + tlv_len > endpos)
++			return tlv_len;
++		hdr = (struct ft_rrb_tlv *) pos;
++		hdr->type = host_to_le16(FT_RRB_RATE_LIMIT);
++		hdr->len = host_to_le16(2 * sizeof(le32));
++		pos = start + tlv_len;
++
++		tlv_len += sizeof(u32);
++		if (start + tlv_len > endpos)
++			return tlv_len;
++		WPA_PUT_LE32(pos, rate->rx);
++		pos = start + tlv_len;
++		tlv_len += sizeof(u32);
++		if (start + tlv_len > endpos)
++			return tlv_len;
++		WPA_PUT_LE32(pos, rate->tx);
++		pos = start + tlv_len;
++	}
++
++	return tlv_len;
++}
++
++
+ static int wpa_ft_rrb_lin(const struct tlv_list *tlvs1,
+ 			  const struct tlv_list *tlvs2,
+ 			  const struct vlan_description *vlan,
+-			  u8 **plain, size_t *plain_len)
++			  u8 **plain, size_t *plain_len,
++			  const struct rate_description *rate)
+ {
+ 	u8 *pos, *endpos;
+ 	size_t tlv_len;
+@@ -445,6 +491,7 @@ static int wpa_ft_rrb_lin(const struct t
+ 	tlv_len = wpa_ft_tlv_len(tlvs1);
+ 	tlv_len += wpa_ft_tlv_len(tlvs2);
+ 	tlv_len += wpa_ft_vlan_len(vlan);
++	tlv_len += wpa_ft_rate_limit_len(rate);
+ 
+ 	*plain_len = tlv_len;
+ 	*plain = os_zalloc(tlv_len);
+@@ -458,6 +505,7 @@ static int wpa_ft_rrb_lin(const struct t
+ 	pos += wpa_ft_tlv_lin(tlvs1, pos, endpos);
+ 	pos += wpa_ft_tlv_lin(tlvs2, pos, endpos);
+ 	pos += wpa_ft_vlan_lin(vlan, pos, endpos);
++	pos += wpa_ft_rate_limit_lin(rate, pos, endpos);
+ 
+ 	/* validity check */
+ 	if (pos != endpos) {
+@@ -526,7 +574,8 @@ static int wpa_ft_rrb_build(const u8 *ke
+ 			    const struct tlv_list *tlvs_auth,
+ 			    const struct vlan_description *vlan,
+ 			    const u8 *src_addr, u8 type,
+-			    u8 **packet, size_t *packet_len)
++			    u8 **packet, size_t *packet_len,
++			    const struct rate_description *rate)
+ {
+ 	u8 *plain = NULL, *auth = NULL, *pos, *tmp;
+ 	size_t plain_len = 0, auth_len = 0;
+@@ -534,10 +583,10 @@ static int wpa_ft_rrb_build(const u8 *ke
+ 	size_t pad_len = 0;
+ 
+ 	*packet = NULL;
+-	if (wpa_ft_rrb_lin(tlvs_enc0, tlvs_enc1, vlan, &plain, &plain_len) < 0)
++	if (wpa_ft_rrb_lin(tlvs_enc0, tlvs_enc1, vlan, &plain, &plain_len, rate) < 0)
+ 		goto out;
+ 
+-	if (wpa_ft_rrb_lin(tlvs_auth, NULL, NULL, &auth, &auth_len) < 0)
++	if (wpa_ft_rrb_lin(tlvs_auth, NULL, NULL, &auth, &auth_len, NULL) < 0)
+ 		goto out;
+ 
+ 	*packet_len = sizeof(u16) + auth_len + plain_len;
+@@ -700,6 +749,24 @@ static int wpa_ft_get_vlan(struct wpa_au
+ }
+ 
+ 
++static int wpa_ft_get_rate_limit(struct wpa_authenticator *wpa_auth,
++				 const u8 *sta_addr, struct rate_description *rate)
++{
++	if (!wpa_auth->cb->get_rate_limit)
++		return -1;
++	return wpa_auth->cb->get_rate_limit(wpa_auth->cb_ctx, sta_addr, rate);
++}
++
++
++static int wpa_ft_set_rate_limit(struct wpa_authenticator *wpa_auth,
++				 const u8 *sta_addr, struct rate_description *rate)
++{
++	if (!wpa_auth->cb->set_rate_limit)
++		return -1;
++	return wpa_auth->cb->set_rate_limit(wpa_auth->cb_ctx, sta_addr, rate);
++}
++
++
+ static int
+ wpa_ft_set_identity(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
+ 		    const u8 *identity, size_t identity_len)
+@@ -1025,7 +1092,7 @@ wpa_ft_rrb_seq_req(struct wpa_authentica
+ 
+ 	if (wpa_ft_rrb_build(key, key_len, NULL, NULL, seq_req_auth, NULL,
+ 			     wpa_auth->addr, FT_PACKET_R0KH_R1KH_SEQ_REQ,
+-			     &packet, &packet_len) < 0) {
++			     &packet, &packet_len, NULL) < 0) {
+ 		item = NULL; /* some other seq resp might still accept this */
+ 		goto err;
+ 	}
+@@ -1208,6 +1275,7 @@ struct wpa_ft_pmk_r0_sa {
+ 	u8 spa[ETH_ALEN];
+ 	int pairwise; /* Pairwise cipher suite, WPA_CIPHER_* */
+ 	struct vlan_description *vlan;
++	struct rate_description *rate;
+ 	os_time_t expiration; /* 0 for no expiration */
+ 	u8 *identity;
+ 	size_t identity_len;
+@@ -1226,6 +1294,7 @@ struct wpa_ft_pmk_r1_sa {
+ 	u8 spa[ETH_ALEN];
+ 	int pairwise; /* Pairwise cipher suite, WPA_CIPHER_* */
+ 	struct vlan_description *vlan;
++	struct rate_description *rate;
+ 	u8 *identity;
+ 	size_t identity_len;
+ 	u8 *radius_cui;
+@@ -1254,6 +1323,7 @@ static void wpa_ft_free_pmk_r0(struct wp
+ 
+ 	os_memset(r0->pmk_r0, 0, PMK_LEN_MAX);
+ 	os_free(r0->vlan);
++	os_free(r0->rate);
+ 	os_free(r0->identity);
+ 	os_free(r0->radius_cui);
+ 	os_free(r0);
+@@ -1307,6 +1377,7 @@ static void wpa_ft_free_pmk_r1(struct wp
+ 	eloop_cancel_timeout(wpa_ft_expire_pmk_r1, r1, NULL);
+ 
+ 	os_memset(r1->pmk_r1, 0, PMK_LEN_MAX);
++	os_free(r1->rate);
+ 	os_free(r1->vlan);
+ 	os_free(r1->identity);
+ 	os_free(r1->radius_cui);
+@@ -1360,7 +1431,8 @@ static int wpa_ft_store_pmk_r0(struct wp
+ 			       const struct vlan_description *vlan,
+ 			       int expires_in, int session_timeout,
+ 			       const u8 *identity, size_t identity_len,
+-			       const u8 *radius_cui, size_t radius_cui_len)
++			       const u8 *radius_cui, size_t radius_cui_len,
++			       struct rate_description *rate)
+ {
+ 	struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
+ 	struct wpa_ft_pmk_r0_sa *r0;
+@@ -1388,6 +1460,14 @@ static int wpa_ft_store_pmk_r0(struct wp
+ 		}
+ 		*r0->vlan = *vlan;
+ 	}
++	if (rate) {
++		r0->rate = os_zalloc(sizeof(*rate));
++		if (!r0->rate) {
++			bin_clear_free(r0, sizeof(*r0));
++			return -1;
++		}
++		*r0->rate = *rate;
++	}
+ 	if (identity) {
+ 		r0->identity = os_malloc(identity_len);
+ 		if (r0->identity) {
+@@ -1447,7 +1527,8 @@ static int wpa_ft_store_pmk_r1(struct wp
+ 			       const struct vlan_description *vlan,
+ 			       int expires_in, int session_timeout,
+ 			       const u8 *identity, size_t identity_len,
+-			       const u8 *radius_cui, size_t radius_cui_len)
++			       const u8 *radius_cui, size_t radius_cui_len,
++			       struct rate_description *rate)
+ {
+ 	struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
+ 	int max_expires_in = wpa_auth->conf.r1_max_key_lifetime;
+@@ -1477,6 +1558,14 @@ static int wpa_ft_store_pmk_r1(struct wp
+ 		}
+ 		*r1->vlan = *vlan;
+ 	}
++	if (rate) {
++		r1->rate = os_zalloc(sizeof(*rate));
++		if (!r1->rate) {
++			bin_clear_free(r1, sizeof(*r1));
++			return -1;
++		}
++		*r1->rate = *rate;
++	}
+ 	if (identity) {
+ 		r1->identity = os_malloc(identity_len);
+ 		if (r1->identity) {
+@@ -1513,7 +1602,7 @@ int wpa_ft_fetch_pmk_r1(struct wpa_authe
+ 			struct vlan_description *vlan,
+ 			const u8 **identity, size_t *identity_len,
+ 			const u8 **radius_cui, size_t *radius_cui_len,
+-			int *session_timeout)
++			int *session_timeout, struct rate_description *rate)
+ {
+ 	struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
+ 	struct wpa_ft_pmk_r1_sa *r1;
+@@ -1533,6 +1622,12 @@ int wpa_ft_fetch_pmk_r1(struct wpa_authe
+ 				*vlan = *r1->vlan;
+ 			if (vlan && !r1->vlan)
+ 				os_memset(vlan, 0, sizeof(*vlan));
++			if (rate) {
++				if (r1->rate)
++					*rate = *r1->rate;
++				else
++					memset(rate, 0, sizeof(*rate));
++			}
+ 			if (identity && identity_len) {
+ 				*identity = r1->identity;
+ 				*identity_len = r1->identity_len;
+@@ -2059,7 +2154,7 @@ static int wpa_ft_pull_pmk_r1(struct wpa
+ 
+ 	if (wpa_ft_rrb_build(key, key_len, req_enc, NULL, req_auth, NULL,
+ 			     sm->wpa_auth->addr, FT_PACKET_R0KH_R1KH_PULL,
+-			     &packet, &packet_len) < 0)
++			     &packet, &packet_len, NULL) < 0)
+ 		return -1;
+ 
+ 	ft_pending_req_ies = wpabuf_alloc_copy(ies, ies_len);
+@@ -2088,6 +2183,7 @@ int wpa_ft_store_pmk_fils(struct wpa_sta
+ {
+ 	int expires_in = sm->wpa_auth->conf.r0_key_lifetime;
+ 	struct vlan_description vlan;
++	struct rate_description rate;
+ 	const u8 *identity, *radius_cui;
+ 	size_t identity_len, radius_cui_len;
+ 	int session_timeout;
+@@ -2099,6 +2195,7 @@ int wpa_ft_store_pmk_fils(struct wpa_sta
+ 			   MAC2STR(sm->addr));
+ 		return -1;
+ 	}
++	wpa_ft_get_rate_limit(sm->wpa_auth, sm->addr, &rate);
+ 
+ 	identity_len = wpa_ft_get_identity(sm->wpa_auth, sm->addr, &identity);
+ 	radius_cui_len = wpa_ft_get_radius_cui(sm->wpa_auth, sm->addr,
+@@ -2108,7 +2205,7 @@ int wpa_ft_store_pmk_fils(struct wpa_sta
+ 	return wpa_ft_store_pmk_r0(sm->wpa_auth, sm->addr, pmk_r0, pmk_r0_len,
+ 				   pmk_r0_name, sm->pairwise, &vlan, expires_in,
+ 				   session_timeout, identity, identity_len,
+-				   radius_cui, radius_cui_len);
++				   radius_cui, radius_cui_len, &rate);
+ }
+ 
+ 
+@@ -2172,6 +2269,7 @@ void wpa_auth_ft_store_keys(struct wpa_s
+ 	int psk_local = sm->wpa_auth->conf.ft_psk_generate_local;
+ 	int expires_in = sm->wpa_auth->conf.r0_key_lifetime;
+ 	struct vlan_description vlan;
++	struct rate_description rate;
+ 	const u8 *identity, *radius_cui;
+ 	size_t identity_len, radius_cui_len;
+ 	int session_timeout;
+@@ -2185,6 +2283,8 @@ void wpa_auth_ft_store_keys(struct wpa_s
+ 		return;
+ 	}
+ 
++	wpa_ft_get_rate_limit(sm->wpa_auth, sm->addr, &rate);
++
+ 	identity_len = wpa_ft_get_identity(sm->wpa_auth, sm->addr, &identity);
+ 	radius_cui_len = wpa_ft_get_radius_cui(sm->wpa_auth, sm->addr,
+ 					       &radius_cui);
+@@ -2195,11 +2295,12 @@ void wpa_auth_ft_store_keys(struct wpa_s
+ 			    pmk_r0_name,
+ 			    sm->pairwise, &vlan, expires_in,
+ 			    session_timeout, identity, identity_len,
+-			    radius_cui, radius_cui_len);
++			    radius_cui, radius_cui_len, &rate);
+ 	wpa_ft_store_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1, key_len,
+ 			    sm->pmk_r1_name, sm->pairwise, &vlan,
+ 			    expires_in, session_timeout, identity,
+-			    identity_len, radius_cui, radius_cui_len);
++			    identity_len, radius_cui, radius_cui_len,
++			    &rate);
+ }
+ 
+ 
+@@ -3100,7 +3201,8 @@ static int wpa_ft_local_derive_pmk_r1(st
+ 				      const u8 **radius_cui,
+ 				      size_t *radius_cui_len,
+ 				      int *out_session_timeout,
+-				      size_t *pmk_r1_len)
++				      size_t *pmk_r1_len,
++				      struct rate_description *rate)
+ {
+ 	struct wpa_auth_config *conf = &wpa_auth->conf;
+ 	const struct wpa_ft_pmk_r0_sa *r0;
+@@ -3136,7 +3238,8 @@ static int wpa_ft_local_derive_pmk_r1(st
+ 			    out_pmk_r1_name,
+ 			    sm->pairwise, r0->vlan, expires_in, session_timeout,
+ 			    r0->identity, r0->identity_len,
+-			    r0->radius_cui, r0->radius_cui_len);
++			    r0->radius_cui, r0->radius_cui_len,
++			    r0->rate);
+ 
+ 	*out_pairwise = sm->pairwise;
+ 	if (vlan) {
+@@ -3146,6 +3249,13 @@ static int wpa_ft_local_derive_pmk_r1(st
+ 			os_memset(vlan, 0, sizeof(*vlan));
+ 	}
+ 
++	if (rate) {
++		if (r0->rate)
++			*rate = *r0->rate;
++		else
++			os_memset(rate, 0, sizeof(*rate));
++	}
++
+ 	if (identity && identity_len) {
+ 		*identity = r0->identity;
+ 		*identity_len = r0->identity_len;
+@@ -3178,6 +3288,7 @@ static int wpa_ft_process_auth_req(struc
+ 	u8 *pos, *end;
+ 	int pairwise, session_timeout = 0;
+ 	struct vlan_description vlan;
++	struct rate_description rate = {};
+ 	const u8 *identity, *radius_cui;
+ 	size_t identity_len = 0, radius_cui_len = 0;
+ 	size_t pmk_r1_len, kdk_len, len;
+@@ -3274,7 +3385,7 @@ static int wpa_ft_process_auth_req(struc
+ 					pmk_r1, &pmk_r1_len, &pairwise, &vlan,
+ 					&identity, &identity_len, &radius_cui,
+ 					&radius_cui_len,
+-					&session_timeout) == 0) {
++					&session_timeout, &rate) == 0) {
+ 			wpa_printf(MSG_DEBUG,
+ 				   "FT: Found PMKR1Name (using SHA%zu) from local cache",
+ 				   pmk_r1_len * 8);
+@@ -3290,7 +3401,7 @@ static int wpa_ft_process_auth_req(struc
+ 				       pmk_r1_name, pmk_r1, &pairwise,
+ 				       &vlan, &identity, &identity_len,
+ 				       &radius_cui, &radius_cui_len,
+-				       &session_timeout, &pmk_r1_len) == 0) {
++				       &session_timeout, &pmk_r1_len, &rate) == 0) {
+ 		wpa_printf(MSG_DEBUG,
+ 			   "FT: Generated PMK-R1 based on local PMK-R0");
+ 		goto pmk_r1_derived;
+@@ -3392,6 +3503,7 @@ pmk_r1_derived:
+ 		wpa_printf(MSG_DEBUG, "FT: Failed to configure VLAN");
+ 		goto out;
+ 	}
++	wpa_ft_set_rate_limit(sm->wpa_auth, sm->addr, &rate);
+ 	if (wpa_ft_set_identity(sm->wpa_auth, sm->addr,
+ 				identity, identity_len) < 0 ||
+ 	    wpa_ft_set_radius_cui(sm->wpa_auth, sm->addr,
+@@ -3973,7 +4085,7 @@ static int wpa_ft_rrb_build_r0(const u8
+ 
+ 	ret = wpa_ft_rrb_build(key, key_len, tlvs, sess_tlv, tlv_auth,
+ 			       pmk_r0->vlan, src_addr, type,
+-			       packet, packet_len);
++			       packet, packet_len, pmk_r0->rate);
+ 
+ 	forced_memzero(pmk_r1, sizeof(pmk_r1));
+ 
+@@ -4113,7 +4225,7 @@ static int wpa_ft_rrb_rx_pull(struct wpa
+ 		ret = wpa_ft_rrb_build(key, key_len, resp, NULL, resp_auth,
+ 				       NULL, wpa_auth->addr,
+ 				       FT_PACKET_R0KH_R1KH_RESP,
+-				       &packet, &packet_len);
++				       &packet, &packet_len, NULL);
+ 	} else {
+ 		ret = wpa_ft_rrb_build_r0(key, key_len, resp, r0, f_r1kh_id,
+ 					  f_s1kh_id, resp_auth, wpa_auth->addr,
+@@ -4165,11 +4277,15 @@ static int wpa_ft_rrb_rx_r1(struct wpa_a
+ 	size_t f_expires_in_len;
+ 	size_t f_identity_len, f_radius_cui_len;
+ 	size_t f_session_timeout_len;
++	size_t f_rate_len;
++	const u8 *f_rate;
+ 	int pairwise;
+ 	int ret = -1;
+ 	int expires_in;
+ 	int session_timeout;
+ 	struct vlan_description vlan;
++	struct rate_description rate;
++	int has_rate = 0;
+ 	size_t pmk_r1_len;
+ 
+ 	RRB_GET_AUTH(FT_RRB_R0KH_ID, r0kh_id, msgtype, -1);
+@@ -4279,6 +4395,13 @@ static int wpa_ft_rrb_rx_r1(struct wpa_a
+ 	wpa_printf(MSG_DEBUG, "FT: vlan %d%s",
+ 		   le_to_host16(vlan.untagged), vlan.tagged[0] ? "+" : "");
+ 
++	RRB_GET_OPTIONAL(FT_RRB_RATE_LIMIT, rate, msgtype, 2 * sizeof(le32));
++	if (f_rate) {
++		memcpy(&rate, f_rate, sizeof(rate));
++		rate.rx = le_to_host32(rate.rx);
++		rate.tx = le_to_host32(rate.tx);
++		has_rate = 1;
++	};
+ 	RRB_GET_OPTIONAL(FT_RRB_IDENTITY, identity, msgtype, -1);
+ 	if (f_identity)
+ 		wpa_hexdump_ascii(MSG_DEBUG, "FT: Identity", f_identity,
+@@ -4301,7 +4424,7 @@ static int wpa_ft_rrb_rx_r1(struct wpa_a
+ 				f_pmk_r1_name,
+ 				pairwise, &vlan, expires_in, session_timeout,
+ 				f_identity, f_identity_len, f_radius_cui,
+-				f_radius_cui_len) < 0)
++				f_radius_cui_len, has_rate ? &rate : 0) < 0)
+ 		goto out;
+ 
+ 	ret = 0;
+@@ -4614,7 +4737,7 @@ static int wpa_ft_rrb_rx_seq_req(struct
+ 
+ 	if (wpa_ft_rrb_build(key, key_len, NULL, NULL, seq_resp_auth, NULL,
+ 			     wpa_auth->addr, FT_PACKET_R0KH_R1KH_SEQ_RESP,
+-			     &packet, &packet_len) < 0)
++			     &packet, &packet_len, NULL) < 0)
+ 		goto out;
+ 
+ 	wpa_ft_rrb_oui_send(wpa_auth, src_addr,

feeds/hostapd/hostapd/patches/760-acs_exclude_dfs.patch

@@ -0,0 +1,13 @@
+--- a/src/ap/acs.c
++++ b/src/ap/acs.c
+@@ -668,6 +668,10 @@ acs_find_ideal_chan_mode(struct hostapd_
+ 			continue;
+ 		}
+ 
++		if (iface->conf->acs_exclude_dfs &&
++                      (chan->flag & HOSTAPD_CHAN_RADAR))
++			continue;
++
+ 		/* HT40 on 5 GHz has a limited set of primary channels as per
+ 		 * 11n Annex J */
+ 		if (mode->mode == HOSTAPD_MODE_IEEE80211A &&

feeds/hostapd/hostapd/patches/760-dynamic_own_ip.patch

@@ -0,0 +1,109 @@
+--- a/src/ap/ap_config.h
++++ b/src/ap/ap_config.h
+@@ -310,6 +310,7 @@ struct hostapd_bss_config {
+ 	unsigned int eap_sim_db_timeout;
+ 	int eap_server_erp; /* Whether ERP is enabled on internal EAP server */
+ 	struct hostapd_ip_addr own_ip_addr;
++	int dynamic_own_ip_addr;
+ 	char *nas_identifier;
+ 	struct hostapd_radius_servers *radius;
+ 	int acct_interim_interval;
+--- a/src/radius/radius_client.c
++++ b/src/radius/radius_client.c
+@@ -163,6 +163,8 @@ struct radius_client_data {
+ 	 */
+ 	void *ctx;
+ 
++	struct hostapd_ip_addr local_ip;
++
+ 	/**
+ 	 * conf - RADIUS client configuration (list of RADIUS servers to use)
+ 	 */
+@@ -720,6 +722,30 @@ static void radius_client_list_add(struc
+ 
+ 
+ /**
++ * radius_client_send - Get local address for the RADIUS auth socket
++ * @radius: RADIUS client context from radius_client_init()
++ * @addr: pointer to store the address
++ *
++ * This function returns the local address for the connection to the RADIUS
++ * auth server. It also opens the socket if it's not available yet.
++ */
++int radius_client_get_local_addr(struct radius_client_data *radius,
++				 struct hostapd_ip_addr *addr)
++{
++	struct hostapd_radius_servers *conf = radius->conf;
++
++	if (conf->auth_server && radius->auth_sock < 0)
++		radius_client_init_auth(radius);
++
++	if (radius->auth_sock < 0)
++		return -1;
++
++	memcpy(addr, &radius->local_ip, sizeof(*addr));
++
++	return 0;
++}
++
++/**
+  * radius_client_send - Send a RADIUS request
+  * @radius: RADIUS client context from radius_client_init()
+  * @msg: RADIUS message to be sent
+@@ -1238,6 +1264,10 @@ radius_change_server(struct radius_clien
+ 			wpa_printf(MSG_DEBUG, "RADIUS local address: %s:%u",
+ 				   inet_ntoa(claddr.sin_addr),
+ 				   ntohs(claddr.sin_port));
++			if (auth) {
++				radius->local_ip.af = AF_INET;
++				radius->local_ip.u.v4 = claddr.sin_addr;
++			}
+ 		}
+ 		break;
+ #ifdef CONFIG_IPV6
+@@ -1249,6 +1279,10 @@ radius_change_server(struct radius_clien
+ 				   inet_ntop(AF_INET6, &claddr6.sin6_addr,
+ 					     abuf, sizeof(abuf)),
+ 				   ntohs(claddr6.sin6_port));
++			if (auth) {
++				radius->local_ip.af = AF_INET6;
++				radius->local_ip.u.v6 = claddr6.sin6_addr;
++			}
+ 		}
+ 		break;
+ 	}
+--- a/src/radius/radius_client.h
++++ b/src/radius/radius_client.h
+@@ -249,6 +249,8 @@ int radius_client_register(struct radius
+ void radius_client_set_interim_error_cb(struct radius_client_data *radius,
+ 					void (*cb)(const u8 *addr, void *ctx),
+ 					void *ctx);
++int radius_client_get_local_addr(struct radius_client_data *radius,
++				 struct hostapd_ip_addr * addr);
+ int radius_client_send(struct radius_client_data *radius,
+ 		       struct radius_msg *msg,
+ 		       RadiusType msg_type, const u8 *addr);
+--- a/src/ap/ieee802_1x.c
++++ b/src/ap/ieee802_1x.c
+@@ -598,6 +598,10 @@ int add_common_radius_attr(struct hostap
+ 	struct hostapd_radius_attr *attr;
+ 	int len;
+ 
++	if (hapd->conf->dynamic_own_ip_addr)
++		radius_client_get_local_addr(hapd->radius,
++					     &hapd->conf->own_ip_addr);
++
+ 	if (!hostapd_config_get_radius_attr(req_attr,
+ 					    RADIUS_ATTR_NAS_IP_ADDRESS) &&
+ 	    hapd->conf->own_ip_addr.af == AF_INET &&
+--- a/hostapd/config_file.c
++++ b/hostapd/config_file.c
+@@ -2688,6 +2688,8 @@ static int hostapd_config_fill(struct ho
+ 	} else if (os_strcmp(buf, "iapp_interface") == 0) {
+ 		wpa_printf(MSG_INFO, "DEPRECATED: iapp_interface not used");
+ #endif /* CONFIG_IAPP */
++	} else if (os_strcmp(buf, "dynamic_own_ip_addr") == 0) {
++		bss->dynamic_own_ip_addr = atoi(pos);
+ 	} else if (os_strcmp(buf, "own_ip_addr") == 0) {
+ 		if (hostapd_parse_ip_addr(pos, &bss->own_ip_addr)) {
+ 			wpa_printf(MSG_ERROR,

feeds/hostapd/hostapd/patches/761-shared_das_port.patch

@@ -0,0 +1,298 @@
+--- a/src/radius/radius_das.h
++++ b/src/radius/radius_das.h
+@@ -44,6 +44,7 @@ struct radius_das_attrs {
+ struct radius_das_conf {
+ 	int port;
+ 	const u8 *shared_secret;
++	const u8 *nas_identifier;
+ 	size_t shared_secret_len;
+ 	const struct hostapd_ip_addr *client_addr;
+ 	unsigned int time_window;
+--- a/src/ap/hostapd.c
++++ b/src/ap/hostapd.c
+@@ -1423,6 +1423,7 @@ int hostapd_setup_bss(struct hostapd_dat
+ 
+ 			os_memset(&das_conf, 0, sizeof(das_conf));
+ 			das_conf.port = conf->radius_das_port;
++			das_conf.nas_identifier = conf->nas_identifier;
+ 			das_conf.shared_secret = conf->radius_das_shared_secret;
+ 			das_conf.shared_secret_len =
+ 				conf->radius_das_shared_secret_len;
+--- a/src/radius/radius_das.c
++++ b/src/radius/radius_das.c
+@@ -12,13 +12,26 @@
+ #include "utils/common.h"
+ #include "utils/eloop.h"
+ #include "utils/ip_addr.h"
++#include "utils/list.h"
+ #include "radius.h"
+ #include "radius_das.h"
+ 
+ 
+-struct radius_das_data {
++static struct dl_list das_ports = DL_LIST_HEAD_INIT(das_ports);
++
++struct radius_das_port {
++	struct dl_list list;
++	struct dl_list das_data;
++
++	int port;
+ 	int sock;
++};
++
++struct radius_das_data {
++	struct dl_list list;
++	struct radius_das_port *port;
+ 	u8 *shared_secret;
++	u8 *nas_identifier;
+ 	size_t shared_secret_len;
+ 	struct hostapd_ip_addr client_addr;
+ 	unsigned int time_window;
+@@ -378,56 +391,17 @@ fail:
+ }
+ 
+ 
+-static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx)
++static void
++radius_das_receive_msg(struct radius_das_data *das, struct radius_msg *msg,
++		       struct sockaddr *from, socklen_t fromlen,
++		       char *abuf, int from_port)
+ {
+-	struct radius_das_data *das = eloop_ctx;
+-	u8 buf[1500];
+-	union {
+-		struct sockaddr_storage ss;
+-		struct sockaddr_in sin;
+-#ifdef CONFIG_IPV6
+-		struct sockaddr_in6 sin6;
+-#endif /* CONFIG_IPV6 */
+-	} from;
+-	char abuf[50];
+-	int from_port = 0;
+-	socklen_t fromlen;
+-	int len;
+-	struct radius_msg *msg, *reply = NULL;
++	struct radius_msg *reply = NULL;
+ 	struct radius_hdr *hdr;
+ 	struct wpabuf *rbuf;
++	struct os_time now;
+ 	u32 val;
+ 	int res;
+-	struct os_time now;
+-
+-	fromlen = sizeof(from);
+-	len = recvfrom(sock, buf, sizeof(buf), 0,
+-		       (struct sockaddr *) &from.ss, &fromlen);
+-	if (len < 0) {
+-		wpa_printf(MSG_ERROR, "DAS: recvfrom: %s", strerror(errno));
+-		return;
+-	}
+-
+-	os_strlcpy(abuf, inet_ntoa(from.sin.sin_addr), sizeof(abuf));
+-	from_port = ntohs(from.sin.sin_port);
+-
+-	wpa_printf(MSG_DEBUG, "DAS: Received %d bytes from %s:%d",
+-		   len, abuf, from_port);
+-	if (das->client_addr.u.v4.s_addr &&
+-	    das->client_addr.u.v4.s_addr != from.sin.sin_addr.s_addr) {
+-		wpa_printf(MSG_DEBUG, "DAS: Drop message from unknown client");
+-		return;
+-	}
+-
+-	msg = radius_msg_parse(buf, len);
+-	if (msg == NULL) {
+-		wpa_printf(MSG_DEBUG, "DAS: Parsing incoming RADIUS packet "
+-			   "from %s:%d failed", abuf, from_port);
+-		return;
+-	}
+-
+-	if (wpa_debug_level <= MSG_MSGDUMP)
+-		radius_msg_dump(msg);
+ 
+ 	if (radius_msg_verify_das_req(msg, das->shared_secret,
+ 				       das->shared_secret_len,
+@@ -494,9 +468,8 @@ static void radius_das_receive(int sock,
+ 			radius_msg_dump(reply);
+ 
+ 		rbuf = radius_msg_get_buf(reply);
+-		res = sendto(das->sock, wpabuf_head(rbuf),
+-			     wpabuf_len(rbuf), 0,
+-			     (struct sockaddr *) &from.ss, fromlen);
++		res = sendto(das->port->sock, wpabuf_head(rbuf),
++			     wpabuf_len(rbuf), 0, from, fromlen);
+ 		if (res < 0) {
+ 			wpa_printf(MSG_ERROR, "DAS: sendto(to %s:%d): %s",
+ 				   abuf, from_port, strerror(errno));
+@@ -508,6 +481,72 @@ fail:
+ 	radius_msg_free(reply);
+ }
+ 
++static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx)
++{
++	struct radius_das_port *p = eloop_ctx;
++	struct radius_das_data *das;
++	u8 buf[1500];
++	union {
++		struct sockaddr_storage ss;
++		struct sockaddr_in sin;
++#ifdef CONFIG_IPV6
++		struct sockaddr_in6 sin6;
++#endif /* CONFIG_IPV6 */
++	} from;
++	struct radius_msg *msg;
++	size_t nasid_len = 0;
++	u8 *nasid_buf = NULL;
++	char abuf[50];
++	int from_port = 0;
++	socklen_t fromlen;
++	int found = 0;
++	int len;
++
++	fromlen = sizeof(from);
++	len = recvfrom(sock, buf, sizeof(buf), 0,
++		       (struct sockaddr *) &from.ss, &fromlen);
++	if (len < 0) {
++		wpa_printf(MSG_ERROR, "DAS: recvfrom: %s", strerror(errno));
++		return;
++	}
++
++	os_strlcpy(abuf, inet_ntoa(from.sin.sin_addr), sizeof(abuf));
++	from_port = ntohs(from.sin.sin_port);
++
++	msg = radius_msg_parse(buf, len);
++	if (msg == NULL) {
++		wpa_printf(MSG_DEBUG, "DAS: Parsing incoming RADIUS packet "
++			   "from %s:%d failed", abuf, from_port);
++		return;
++	}
++
++	wpa_printf(MSG_DEBUG, "DAS: Received %d bytes from %s:%d",
++		   len, abuf, from_port);
++
++	if (wpa_debug_level <= MSG_MSGDUMP)
++		radius_msg_dump(msg);
++
++	radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IDENTIFIER,
++				&nasid_buf, &nasid_len, NULL);
++	dl_list_for_each(das, &p->das_data, struct radius_das_data, list) {
++		if (das->client_addr.u.v4.s_addr &&
++		    das->client_addr.u.v4.s_addr != from.sin.sin_addr.s_addr)
++			continue;
++
++		if (das->nas_identifier && nasid_buf &&
++		    (nasid_len != os_strlen(das->nas_identifier) ||
++		     os_memcmp(das->nas_identifier, nasid_buf, nasid_len) != 0))
++			continue;
++
++		found = 1;
++		radius_das_receive_msg(das, msg, (struct sockaddr *)&from.ss,
++				       fromlen, abuf, from_port);
++	}
++
++	if (!found)
++		wpa_printf(MSG_DEBUG, "DAS: Drop message from unknown client");
++}
++
+ 
+ static int radius_das_open_socket(int port)
+ {
+@@ -533,6 +572,49 @@ static int radius_das_open_socket(int po
+ }
+ 
+ 
++static struct radius_das_port *
++radius_das_open_port(int port)
++{
++	struct radius_das_port *p;
++
++	dl_list_for_each(p, &das_ports, struct radius_das_port, list) {
++		if (p->port == port)
++			return p;
++	}
++
++	p = os_zalloc(sizeof(*p));
++	if (p == NULL)
++		return NULL;
++
++	dl_list_init(&p->das_data);
++	p->port = port;
++	p->sock = radius_das_open_socket(port);
++	if (p->sock < 0)
++		goto free_port;
++
++	if (eloop_register_read_sock(p->sock, radius_das_receive, p, NULL))
++		goto close_port;
++
++	dl_list_add(&das_ports, &p->list);
++
++	return p;
++
++close_port:
++	close(p->sock);
++free_port:
++	os_free(p);
++
++	return NULL;
++}
++
++static void radius_das_close_port(struct radius_das_port *p)
++{
++	dl_list_del(&p->list);
++	eloop_unregister_read_sock(p->sock);
++	close(p->sock);
++	free(p);
++}
++
+ struct radius_das_data *
+ radius_das_init(struct radius_das_conf *conf)
+ {
+@@ -553,6 +635,8 @@ radius_das_init(struct radius_das_conf *
+ 	das->ctx = conf->ctx;
+ 	das->disconnect = conf->disconnect;
+ 	das->coa = conf->coa;
++	if (conf->nas_identifier)
++		das->nas_identifier = os_strdup(conf->nas_identifier);
+ 
+ 	os_memcpy(&das->client_addr, conf->client_addr,
+ 		  sizeof(das->client_addr));
+@@ -565,19 +649,15 @@ radius_das_init(struct radius_das_conf *
+ 	}
+ 	das->shared_secret_len = conf->shared_secret_len;
+ 
+-	das->sock = radius_das_open_socket(conf->port);
+-	if (das->sock < 0) {
++	das->port = radius_das_open_port(conf->port);
++	if (!das->port) {
+ 		wpa_printf(MSG_ERROR, "Failed to open UDP socket for RADIUS "
+ 			   "DAS");
+ 		radius_das_deinit(das);
+ 		return NULL;
+ 	}
+ 
+-	if (eloop_register_read_sock(das->sock, radius_das_receive, das, NULL))
+-	{
+-		radius_das_deinit(das);
+-		return NULL;
+-	}
++	dl_list_add(&das->port->das_data, &das->list);
+ 
+ 	return das;
+ }
+@@ -588,11 +668,14 @@ void radius_das_deinit(struct radius_das
+ 	if (das == NULL)
+ 		return;
+ 
+-	if (das->sock >= 0) {
+-		eloop_unregister_read_sock(das->sock);
+-		close(das->sock);
++	if (das->port) {
++		dl_list_del(&das->list);
++
++		if (dl_list_empty(&das->port->das_data))
++			radius_das_close_port(das->port);
+ 	}
+ 
++	os_free(das->nas_identifier);
+ 	os_free(das->shared_secret);
+ 	os_free(das);
+ }

feeds/hostapd/hostapd/patches/770-radius_server.patch

@@ -0,0 +1,154 @@
+--- a/hostapd/Makefile
++++ b/hostapd/Makefile
+@@ -63,6 +63,10 @@ endif
+ OBJS += main.o
+ OBJS += config_file.o
+ 
++ifdef CONFIG_RADIUS_SERVER
++OBJS += radius.o
++endif
++
+ OBJS += ../src/ap/hostapd.o
+ OBJS += ../src/ap/wpa_auth_glue.o
+ OBJS += ../src/ap/drv_callbacks.o
+--- a/hostapd/main.c
++++ b/hostapd/main.c
+@@ -40,6 +40,7 @@ struct hapd_global {
+ 
+ static struct hapd_global global;
+ 
++extern int radius_main(int argc, char **argv);
+ 
+ #ifndef CONFIG_NO_HOSTAPD_LOGGER
+ static void hostapd_logger_cb(void *ctx, const u8 *addr, unsigned int module,
+@@ -771,6 +772,11 @@ int main(int argc, char *argv[])
+ 	if (os_program_init())
+ 		return -1;
+ 
++#ifdef RADIUS_SERVER
++	if (strstr(argv[0], "radius"))
++		return radius_main(argc, argv);
++#endif
++
+ 	os_memset(&interfaces, 0, sizeof(interfaces));
+ 	interfaces.reload_config = hostapd_reload_config;
+ 	interfaces.config_read_cb = hostapd_config_read;
+--- a/src/radius/radius_server.c
++++ b/src/radius/radius_server.c
+@@ -63,6 +63,12 @@ struct radius_server_counters {
+ 	u32 unknown_acct_types;
+ };
+ 
++struct radius_accept_attr {
++	u8 type;
++	u16 len;
++	void *data;
++};
++
+ /**
+  * struct radius_session - Internal RADIUS server data for a session
+  */
+@@ -90,7 +96,7 @@ struct radius_session {
+ 	unsigned int macacl:1;
+ 	unsigned int t_c_filtering:1;
+ 
+-	struct hostapd_radius_attr *accept_attr;
++	struct radius_accept_attr *accept_attr;
+ 
+ 	u32 t_c_timestamp; /* Last read T&C timestamp from user DB */
+ };
+@@ -394,6 +400,7 @@ static void radius_server_session_free(s
+ 	radius_msg_free(sess->last_reply);
+ 	os_free(sess->username);
+ 	os_free(sess->nas_ip);
++	os_free(sess->accept_attr);
+ 	os_free(sess);
+ 	data->num_sess--;
+ }
+@@ -554,6 +561,36 @@ radius_server_erp_find_key(struct radius
+ }
+ #endif /* CONFIG_ERP */
+ 
++static struct radius_accept_attr *
++radius_server_copy_attr(const struct hostapd_radius_attr *data)
++{
++	const struct hostapd_radius_attr *attr;
++	struct radius_accept_attr *attr_new;
++	size_t data_size = 0;
++	void *data_buf;
++	int n_attr = 1;
++
++	for (attr = data; attr; attr = attr->next) {
++		n_attr++;
++		data_size += wpabuf_len(attr->val);
++	}
++
++	attr_new = os_zalloc(n_attr * sizeof(*attr) + data_size);
++	if (!attr_new)
++		return NULL;
++
++	data_buf = &attr_new[n_attr];
++	for (n_attr = 0, attr = data; attr; attr = attr->next) {
++		struct radius_accept_attr *cur = &attr_new[n_attr++];
++
++		cur->type = attr->type;
++		cur->len = wpabuf_len(attr->val);
++		cur->data = memcpy(data_buf, wpabuf_head(attr->val), cur->len);
++		data_buf += cur->len;
++	}
++
++	return attr_new;
++}
+ 
+ static struct radius_session *
+ radius_server_get_new_session(struct radius_server_data *data,
+@@ -607,7 +644,7 @@ radius_server_get_new_session(struct rad
+ 		eap_user_free(tmp);
+ 		return NULL;
+ 	}
+-	sess->accept_attr = tmp->accept_attr;
++	sess->accept_attr = radius_server_copy_attr(tmp->accept_attr);
+ 	sess->macacl = tmp->macacl;
+ 	eap_user_free(tmp);
+ 
+@@ -1118,11 +1155,10 @@ radius_server_encapsulate_eap(struct rad
+ 	}
+ 
+ 	if (code == RADIUS_CODE_ACCESS_ACCEPT) {
+-		struct hostapd_radius_attr *attr;
+-		for (attr = sess->accept_attr; attr; attr = attr->next) {
+-			if (!radius_msg_add_attr(msg, attr->type,
+-						 wpabuf_head(attr->val),
+-						 wpabuf_len(attr->val))) {
++		struct radius_accept_attr *attr;
++		for (attr = sess->accept_attr; attr->data; attr++) {
++			if (!radius_msg_add_attr(msg, attr->type, attr->data,
++						 attr->len)) {
+ 				wpa_printf(MSG_ERROR, "Could not add RADIUS attribute");
+ 				radius_msg_free(msg);
+ 				return NULL;
+@@ -1211,11 +1247,10 @@ radius_server_macacl(struct radius_serve
+ 	}
+ 
+ 	if (code == RADIUS_CODE_ACCESS_ACCEPT) {
+-		struct hostapd_radius_attr *attr;
+-		for (attr = sess->accept_attr; attr; attr = attr->next) {
+-			if (!radius_msg_add_attr(msg, attr->type,
+-						 wpabuf_head(attr->val),
+-						 wpabuf_len(attr->val))) {
++		struct radius_accept_attr *attr;
++		for (attr = sess->accept_attr; attr->data; attr++) {
++			if (!radius_msg_add_attr(msg, attr->type, attr->data,
++						 attr->len)) {
+ 				wpa_printf(MSG_ERROR, "Could not add RADIUS attribute");
+ 				radius_msg_free(msg);
+ 				return NULL;
+@@ -2512,7 +2547,7 @@ static int radius_server_get_eap_user(vo
+ 	ret = data->get_eap_user(data->conf_ctx, identity, identity_len,
+ 				 phase2, user);
+ 	if (ret == 0 && user) {
+-		sess->accept_attr = user->accept_attr;
++		sess->accept_attr = radius_server_copy_attr(user->accept_attr);
+ 		sess->remediation = user->remediation;
+ 		sess->macacl = user->macacl;
+ 		sess->t_c_timestamp = user->t_c_timestamp;

feeds/hostapd/hostapd/patches/780-maxassoc.patch

@@ -0,0 +1,11 @@
+--- a/src/ap/sta_info.c
++++ b/src/ap/sta_info.c
+@@ -717,7 +717,7 @@ struct sta_info * ap_sta_add(struct host
+ 		return sta;
+ 
+ 	wpa_printf(MSG_DEBUG, "  New STA");
+-	if (hapd->num_sta >= hapd->conf->max_num_sta) {
++	if (hostapd_check_max_sta(hapd)) {
+ 		/* FIX: might try to remove some old STAs first? */
+ 		wpa_printf(MSG_DEBUG, "no more room for new STAs (%d/%d)",
+ 			   hapd->num_sta, hapd->conf->max_num_sta);

feeds/hostapd/hostapd/patches/790-wired-dynamic-vlan.patch

@@ -0,0 +1,33 @@
+Index: hostapd-2021-02-20-59e9794c/src/ap/vlan_init.c
+===================================================================
+--- hostapd-2021-02-20-59e9794c.orig/src/ap/vlan_init.c
++++ hostapd-2021-02-20-59e9794c/src/ap/vlan_init.c
+@@ -37,7 +37,14 @@ static int vlan_if_add(struct hostapd_da
+ 	}
+ #endif /* CONFIG_WEP */
+ 
+-	if (!vlan_exists)
++	if (!hapd->driver || !hapd->driver->if_add) {
++		char *dot = strstr(vlan->ifname, ".");
++		if (dot)
++			*dot = '\0';
++		ret = 0;
++	}
++	
++	else if (!vlan_exists)
+ 		ret = hostapd_vlan_if_add(hapd, vlan->ifname);
+ 	else if (!existsok)
+ 		return -1;
+Index: hostapd-2021-02-20-59e9794c/src/ap/vlan_init.c
+===================================================================
+--- hostapd-2021-02-20-59e9794c.orig/src/ap/vlan_init.c
++++ hostapd-2021-02-20-59e9794c/src/ap/vlan_init.c
+@@ -59,7 +59,7 @@ static int vlan_if_add(struct hostapd_da
+ 	if (hapd->wpa_auth)
+ 		ret = wpa_auth_ensure_group(hapd->wpa_auth, vlan->vlan_id);
+ 
+-	if (!ret && !vlan_exists)
++	if (!ret && !vlan_exists && hapd->driver->if_add)
+ 		hostapd_ubus_add_vlan(hapd, vlan);
+ 
+ 	if (ret == 0)

feeds/hostapd/hostapd/patches/900-coa.patch

@@ -0,0 +1,22 @@
+--- a/src/radius/radius_das.c
++++ b/src/radius/radius_das.c
+@@ -48,6 +48,8 @@ static struct radius_msg * radius_das_di
+ 		RADIUS_ATTR_EVENT_TIMESTAMP,
+ 		RADIUS_ATTR_MESSAGE_AUTHENTICATOR,
+ 		RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
++		RADIUS_ATTR_VENDOR_SPECIFIC,
++		RADIUS_ATTR_CALLED_STATION_ID,
+ #ifdef CONFIG_IPV6
+ 		RADIUS_ATTR_NAS_IPV6_ADDRESS,
+ #endif /* CONFIG_IPV6 */
+@@ -205,9 +207,8 @@ static struct radius_msg * radius_das_co
+ 		RADIUS_ATTR_EVENT_TIMESTAMP,
+ 		RADIUS_ATTR_MESSAGE_AUTHENTICATOR,
+ 		RADIUS_ATTR_CHARGEABLE_USER_IDENTITY,
+-#ifdef CONFIG_HS20
+ 		RADIUS_ATTR_VENDOR_SPECIFIC,
+-#endif /* CONFIG_HS20 */
++		RADIUS_ATTR_CALLED_STATION_ID,
+ #ifdef CONFIG_IPV6
+ 		RADIUS_ATTR_NAS_IPV6_ADDRESS,
+ #endif /* CONFIG_IPV6 */

feeds/hostapd/hostapd/patches/901-cfg-section.patch

@@ -0,0 +1,37 @@
+Index: hostapd-2023-09-08-e5ccbfc6/hostapd/config_file.c
+===================================================================
+--- hostapd-2023-09-08-e5ccbfc6.orig/hostapd/config_file.c
++++ hostapd-2023-09-08-e5ccbfc6/hostapd/config_file.c
+@@ -2345,6 +2345,8 @@ static int hostapd_config_fill(struct ho
+ 			return 1;
+ 		}
+ 		conf->driver = driver;
++	} else if (os_strcmp(buf, "uci_section") == 0) {
++		bss->uci_section = os_strdup(pos);
+ 	} else if (os_strcmp(buf, "driver_params") == 0) {
+ 		os_free(conf->driver_params);
+ 		conf->driver_params = os_strdup(pos);
+Index: hostapd-2023-09-08-e5ccbfc6/src/ap/ap_config.h
+===================================================================
+--- hostapd-2023-09-08-e5ccbfc6.orig/src/ap/ap_config.h
++++ hostapd-2023-09-08-e5ccbfc6/src/ap/ap_config.h
+@@ -287,6 +287,7 @@ struct hostapd_bss_config {
+ 	char snoop_iface[IFNAMSIZ + 1];
+ 	char vlan_bridge[IFNAMSIZ + 1];
+ 	char wds_bridge[IFNAMSIZ + 1];
++	char *uci_section;
+ 	int bridge_hairpin; /* hairpin_mode on bridge members */
+ 
+ 	enum hostapd_logger_level logger_syslog_level, logger_stdout_level;
+Index: hostapd-2023-09-08-e5ccbfc6/src/ap/ap_config.c
+===================================================================
+--- hostapd-2023-09-08-e5ccbfc6.orig/src/ap/ap_config.c
++++ hostapd-2023-09-08-e5ccbfc6/src/ap/ap_config.c
+@@ -798,6 +798,7 @@ void hostapd_config_free_bss(struct host
+ 	os_free(conf->radius_req_attr_sqlite);
+ 	os_free(conf->rsn_preauth_interfaces);
+ 	os_free(conf->ctrl_interface);
++	os_free(conf->uci_section);
+ 	os_free(conf->config_id);
+ 	os_free(conf->ca_cert);
+ 	os_free(conf->server_cert);

feeds/hostapd/hostapd/patches/901-coa-ubus.patch

@@ -0,0 +1,28 @@
+Index: hostapd-2021-02-20-59e9794c/src/ap/hostapd.c
+===================================================================
+--- hostapd-2021-02-20-59e9794c.orig/src/ap/hostapd.c
++++ hostapd-2021-02-20-59e9794c/src/ap/hostapd.c
+@@ -1034,6 +1034,23 @@ hostapd_das_disconnect(void *ctx, struct
+ 	struct hostapd_data *hapd = ctx;
+ 	struct sta_info *sta;
+ 	int multi;
++	int ubus_resp;
++	struct hostapd_ubus_request req = {
++		.type = HOSTAPD_UBUS_COA,
++		.mgmt_frame = 0,
++		.ssi_signal = 0,
++		.addr = attr->sta_addr,
++	};
++
++	if (hostapd_ubus_handle_event(hapd, &req)) {
++		wpa_printf(MSG_INFO, "DAS: disconnect due approved via ubus");
++		sta = ap_get_sta(hapd, attr->sta_addr);
++		if (sta) {
++			hostapd_drv_sta_deauth(hapd, attr->sta_addr, 2);
++			ap_sta_deauthenticate(hapd, sta, 2);
++		}
++		return RADIUS_DAS_SUCCESS;
++	}
+ 
+ 	if (hostapd_das_nas_mismatch(hapd, attr))
+ 		return RADIUS_DAS_NAS_MISMATCH;