busybox: the DHCP client would sometimes send a superflous port unreachable frame

Fixes: WIFI-14149 Signed-off-by: John Crispin <john@phrozen.org>
ucentral-schema: update to latest HEAD
2025-10-31 18:38:10 +00:00 · 2025-04-01 13:26:24 +02:00 · 2025-03-28 09:44:37 +01:00 · 2025-03-28 08:06:00 +01:00 · 2025-03-28 08:05:38 +01:00 · 2025-03-28 08:04:28 +01:00
10268 changed files with 1583083 additions and 1566180 deletions
--- a/.github/workflows/build-dev.yml
+++ b/.github/workflows/build-dev.yml
@@ -15,21 +15,20 @@ on:
 jobs:
  build:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    outputs:
      x64_vm_image_name: ${{ steps.package_and_upload_image.outputs.x64_vm_image_name }}
    strategy:
      fail-fast: false
      matrix:
-        target: [ 'cig_wf186h', 'cig_wf186w', 'cig_wf188n', 'cig_wf196', 'cig_wf660a', 'cybertan_eww622-a1', 'cybertan_eww631-a1', 'cybertan_eww631-b1', 'edgecore_eap101', 'edgecore_eap102', 'edgecore_eap104', 'edgecore_eap111', 'edgecore_ecw5211', 'edgecore_oap101', 'edgecore_oap101-6e', 'edgecore_oap101e', 'edgecore_oap101e-6e', 'edgecore_oap102', 'hfcl_ion4','hfcl_ion4xi_wp', 'hfcl_ion4xe', 'hfcl_ion4xi', 'hfcl_ion4x', 'hfcl_ion4x_2', 'hfcl_ion4xi_w', 'hfcl_ion4xi_HMR', 'hfcl_ion4x_w', 'indio_um-305ax', 'indio_um-325ac', 'indio_um-510ac-v3', 'indio_um-550ac', 'indio_um-310ax-v1', 'indio_um-510axp-v1', 'indio_um-510axm-v1', 'udaya_a5-id2', 'wallys_dr40x9', 'wallys_dr6018', 'wallys_dr6018_v4', 'yuncore_ax820', 'yuncore_ax840', 'yuncore_fap640', 'yuncore_fap650', 'yuncore_fap655' ]
+        target: [ 'cig_wf186h', 'cig_wf186w', 'cig_wf188n', 'cig_wf189', 'cig_wf196', 'cig_wf196', 'cybertan_eww631-a1', 'cybertan_eww631-b1', 'sonicfi_rap630w-312g', 'sonicfi_rap63xc-211g', 'sonicfi_rap630c-311g', 'sonicfi_rap630w-311g', 'sonicfi_rap630w-211g', 'sonicfi_rap7110c-341x', 'edgecore_eap101', 'edgecore_eap102', 'edgecore_eap104', 'edgecore_eap105', 'edgecore_eap111', 'edgecore_eap112', 'edgecore_oap101', 'edgecore_oap101-6e', 'edgecore_oap101e', 'edgecore_oap101e-6e', 'edgecore_oap103', 'hfcl_ion4xe', 'hfcl_ion4xi', 'hfcl_ion4x', 'hfcl_ion4x_2', 'hfcl_ion4x_3', 'hfcl_ion4xi_w', 'hfcl_ion4x_w', 'indio_um-305ax', 'senao_iap4300m', 'senao_iap2300m', 'senao_jeap6500', 'udaya_a6-id2', 'udaya_a6-od2', 'yuncore_ax820', 'yuncore_ax840', 'yuncore_fap640', 'yuncore_fap650', 'yuncore_fap655' ]
    steps:
    - uses: actions/checkout@v3
    # Clean unnecessary files to save disk space
    - name: clean unncessary files to save space
      run: |
-        docker rmi `docker images -q`
+        docker rmi `docker images -q` || true
    - name: Build image for ${{ matrix.target }}
      id: build
@@ -81,7 +80,7 @@ jobs:
        fi
  trigger-testing:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    needs: build
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
@@ -94,7 +93,7 @@ jobs:
        client-payload: '{"ref": "${GITHUB_REF#refs/tags/}", "sha": "${{ github.sha }}"}'
  create-x64_vm-ami:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    needs: build
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
--- a/28
+++ b/28
@@ -0,0 +1,28 @@
 BSD 3-Clause License
 Copyright (c) 2024, Telecom Infra Project
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:
 1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.
 2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.
 3. Neither the name of the copyright holder nor the names of its
   contributors may be used to endorse or promote products derived from
   this software without specific prior written permission.
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/feeds/bluetooth/nrf52840/files/etc/init.d/nrf52840
+++ b/feeds/bluetooth/nrf52840/files/etc/init.d/nrf52840
@@ -6,7 +6,8 @@ boot() {
 	. /lib/functions/system.sh
 	case $(board_name) in
 	edgecore,eap102|\
-	edgecore,oap102)
+	edgecore,oap102|\
 	edgecore,oap103)
 		echo 54 > /sys/class/gpio/export
 		echo out > /sys/class/gpio/gpio54/direction
 		echo 0 > /sys/class/gpio/gpio54/value
--- a/feeds/hfcl/hfcl/Makefile
+++ b/feeds/hfcl/hfcl/Makefile
@@ -0,0 +1,29 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=hfcl
 PKG_VERSION:=1.0
 PKG_BUILD_DIR:= $(BUILD_DIR)/$(PKG_NAME)
 include $(INCLUDE_DIR)/package.mk
 define Package/hfcl
        SECTION:=base
        CATEGORY:=Utilities
        TITLE:=hfcl
 endef
 define Build/Prepare
        mkdir -p $(PKG_BUILD_DIR)
 endef
 define Build/Compile/Default
 endef
 Build/Compile = $(Build/Compile/Default)
 define Package/hfcl/install
 	cp -rf ./files/* $(1)
 endef
 $(eval $(call BuildPackage,hfcl))
--- a/feeds/hfcl/hfcl/files/etc/ucentral_check.sh
+++ b/feeds/hfcl/hfcl/files/etc/ucentral_check.sh
@@ -0,0 +1,43 @@
 #!/bin/sh
 echo "Start Websocket check/recovery script"
 ucentral_conn=$(netstat -atulpn | grep -i ucentral | awk '{print $6}')
 hostname_AP=$(uci get system.@system[0].hostname)
 uc_file_check=$(du /etc/config/ucentral | awk '{print $1}' )
 sleep 20
 curr_date=$(date)
 if [[ "$uc_file_check" = 0 ]]
 then
 	echo "[[$curr_date]]  empty ucentral file found, need to factory reset"
 	ubi_mount=$(mount | grep ubifs | grep noatime | awk '{print $1}')
 	if [[ "$ubi_mount" != "/dev/ubi0_3" ]]
 	then
 		echo "[[$curr_date]]  ubifs not mounted, need to reboot before factory reset, mount was $ubi_mount"
 		/sbin/reboot
 	else
 		/sbin/jffs2reset -y -r
 	fi
 elif [[ "$hostname_AP" = "OpenWrt" ]]
 then
 	echo "[[$curr_date]] hostname set to openwrt, doing ucentral and capabilities load"
 	/usr/share/ucentral/capabilities.uc
 	rlink=$(readlink -f /etc/ucentral/ucentral.active)
 	/usr/share/ucentral/ucentral.uc /etc/ucentral/ucentral.active
 	rm -rf /etc/ucentral/ucentral.active
 	ln -s $rlink /etc/ucentral/ucentral.active
 	sleep 60
 	ucentral_check=$(netstat -atulpn | grep -i ucentral | awk '{print $6}')
 	if [[ "$ucentral_check" != "ESTABLIHED" ]]
 	then
 		echo "[[$curr_date]] loading didn't work, need to factory reset"
 		/sbin/jffs2reset -y -r
 	fi
 elif [[ "$ucentral_conn" != "ESTABLISHED" ]]
 then
 	echo "[[$curr_date]]  Ucentral either crashed or stopped, restarting the same"
        /etc/init.d/ucentral restart
 else
        echo "[[$curr_date]]  Ucentral working all fine, nothing to do"
 fi
--- a/feeds/hfcl/hfcl/files/etc/uci-defaults/abc-hfcl-ucentral
+++ b/feeds/hfcl/hfcl/files/etc/uci-defaults/abc-hfcl-ucentral
@@ -0,0 +1,18 @@
 #!/bin/sh
 #rm -f /etc/rc.local
 #cp -f /etc/loop.local /etc/rc.local
 crontab -r
 /etc/init.d/cron enable
 /etc/init.d/cron start
 sleep 60
 crontab -l | { cat; echo "*/3 * * * * /bin/sh /etc/ucentral_check.sh >> /tmp/ucentral_check";} | crontab -
 crontab -l | { cat; echo "* */4 * * * rm -rf /tmp/ucentral_check";} | crontab -
 /etc/init.d/cron restart
--- a/feeds/hostapd/hostapd/Config.in
+++ b/feeds/hostapd/hostapd/Config.in
@@ -0,0 +1,108 @@
 # wpa_supplicant config
 config WPA_RFKILL_SUPPORT
 	bool "Add rfkill support"
 	depends on PACKAGE_wpa-supplicant || \
 		   PACKAGE_wpa-supplicant-openssl || \
 		   PACKAGE_wpa-supplicant-wolfssl || \
 		   PACKAGE_wpa-supplicant-mbedtls || \
 		   PACKAGE_wpa-supplicant-mesh-openssl || \
 		   PACKAGE_wpa-supplicant-mesh-wolfssl || \
 		   PACKAGE_wpa-supplicant-mesh-mbedtls || \
 		   PACKAGE_wpa-supplicant-basic || \
 		   PACKAGE_wpa-supplicant-mini || \
 		   PACKAGE_wpa-supplicant-p2p || \
 		   PACKAGE_wpad || \
 		   PACKAGE_wpad-openssl || \
 		   PACKAGE_wpad-wolfssl || \
 		   PACKAGE_wpad-mbedtls || \
 		   PACKAGE_wpad-basic || \
 		   PACKAGE_wpad-basic-openssl || \
 		   PACKAGE_wpad-basic-wolfssl || \
 		   PACKAGE_wpad-basic-mbedtls || \
 		   PACKAGE_wpad-mini || \
 		   PACKAGE_wpad-mesh-openssl || \
 		   PACKAGE_wpad-mesh-wolfssl || \
 		   PACKAGE_wpad-mesh-mbedtls
 	default n
 config WPA_MSG_MIN_PRIORITY
 	int "Minimum debug message priority"
 	depends on PACKAGE_wpa-supplicant || \
 		   PACKAGE_wpa-supplicant-openssl || \
 		   PACKAGE_wpa-supplicant-wolfssl || \
 		   PACKAGE_wpa-supplicant-mbedtls || \
 		   PACKAGE_wpa-supplicant-mesh-openssl || \
 		   PACKAGE_wpa-supplicant-mesh-wolfssl || \
 		   PACKAGE_wpa-supplicant-mesh-mbedtls || \
 		   PACKAGE_wpa-supplicant-basic || \
 		   PACKAGE_wpa-supplicant-mini || \
 		   PACKAGE_wpa-supplicant-p2p || \
 		   PACKAGE_wpad || \
 		   PACKAGE_wpad-openssl || \
 		   PACKAGE_wpad-wolfssl || \
 		   PACKAGE_wpad-mbedtls || \
 		   PACKAGE_wpad-basic || \
 		   PACKAGE_wpad-basic-openssl || \
 		   PACKAGE_wpad-basic-wolfssl || \
 		   PACKAGE_wpad-basic-mbedtls || \
 		   PACKAGE_wpad-mini || \
 		   PACKAGE_wpad-mesh-openssl || \
 		   PACKAGE_wpad-mesh-wolfssl || \
 		   PACKAGE_wpad-mesh-mbedtls
 	default 3
 	help
 	  Useful values are:
 	    0 = all messages
 		1 = raw message dumps
 		2 = most debugging messages
 		3 = info messages
 		4 = warnings
 		5 = errors
 config WPA_WOLFSSL
 	bool
 	default PACKAGE_wpa-supplicant-wolfssl ||\
 	        PACKAGE_wpad-wolfssl ||\
 	        PACKAGE_wpad-basic-wolfssl || \
 	        PACKAGE_wpad-mesh-wolfssl ||\
 	        PACKAGE_eapol-test-wolfssl
 	select WOLFSSL_HAS_AES_CCM
 	select WOLFSSL_HAS_ARC4
 	select WOLFSSL_HAS_DH
 	select WOLFSSL_HAS_OCSP
 	select WOLFSSL_HAS_SESSION_TICKET
 	select WOLFSSL_HAS_WPAS
 config DRIVER_11AC_SUPPORT
 	bool
 	default n
 config DRIVER_11AX_SUPPORT
 	bool
 	default n
 	select WPA_MBO_SUPPORT
 config WPA_ENABLE_WEP
 	bool "Enable support for unsecure and obsolete WEP"
 	help
 	  Wired equivalent privacy (WEP) is an obsolete cryptographic data
 	  confidentiality algorithm that is not considered secure. It should not be used
 	  for anything anymore. The functionality needed to use WEP is available in the
 	  current hostapd release under this optional build parameter and completely
 	  removed in a future release.
 config WPA_MBO_SUPPORT
 	bool "Multi Band Operation (Agile Multiband)"
 	default PACKAGE_wpa-supplicant || \
 		PACKAGE_wpa-supplicant-openssl || \
 		PACKAGE_wpa-supplicant-wolfssl || \
 		PACKAGE_wpa-supplicant-mbedtls || \
 		PACKAGE_wpad || \
 		PACKAGE_wpad-openssl || \
 		PACKAGE_wpad-wolfssl || \
 		PACKAGE_wpad-mbedtls
 	help
 	  Multi Band Operation aka (Agile Multiband) enables features
 	  that facilitate efficient use of multiple frequency bands.
 	  Enabling MBO on an AP using RSN requires 802.11w to be enabled.
 	  Hostapd will refuse to start if MBO and RSN are enabled without 11w.
--- a/feeds/hostapd/hostapd/Makefile
+++ b/feeds/hostapd/hostapd/Makefile
@@ -0,0 +1,851 @@
 # SPDX-License-Identifier: GPL-2.0-only
 #
 # Copyright (C) 2006-2021 OpenWrt.org
 include $(TOPDIR)/rules.mk
 PKG_NAME:=hostapd
 PKG_RELEASE:=4
 PKG_SOURCE_URL:=http://w1.fi/hostap.git
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_DATE:=2023-09-08
 PKG_SOURCE_VERSION:=e5ccbfc69ecf297590341ae8b461edba9d8e964c
 PKG_MIRROR_HASH:=fcc6550f46c7f8bbdbf71e63f8f699b9a0878565ad1b90a17855f5ec21283b8f
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 PKG_LICENSE:=BSD-3-Clause
 PKG_CPE_ID:=cpe:/a:w1.fi:hostapd
 PKG_BUILD_PARALLEL:=1
 PKG_ASLR_PIE_REGULAR:=1
 PKG_CONFIG_DEPENDS:= \
 	CONFIG_PACKAGE_hostapd \
 	CONFIG_PACKAGE_hostapd-basic \
 	CONFIG_PACKAGE_hostapd-mini \
 	CONFIG_WPA_RFKILL_SUPPORT \
 	CONFIG_DRIVER_11AC_SUPPORT \
 	CONFIG_DRIVER_11AX_SUPPORT \
 	CONFIG_WPA_ENABLE_WEP
 PKG_BUILD_FLAGS:=gc-sections lto
 EAPOL_TEST_PROVIDERS:=eapol-test eapol-test-openssl eapol-test-wolfssl
 SUPPLICANT_PROVIDERS:=
 HOSTAPD_PROVIDERS:=
 LOCAL_TYPE=$(strip \
 		$(if $(findstring wpad,$(BUILD_VARIANT)),wpad, \
 		$(if $(findstring supplicant,$(BUILD_VARIANT)),supplicant, \
 		hostapd \
 		)))
 LOCAL_AND_LIB_VARIANT=$(patsubst hostapd-%,%,\
 		      $(patsubst wpad-%,%,\
 		      $(patsubst supplicant-%,%,\
 		      $(BUILD_VARIANT)\
 		      )))
 LOCAL_VARIANT=$(patsubst %-internal,%,\
 	      $(patsubst %-openssl,%,\
 	      $(patsubst %-wolfssl,%,\
 	      $(patsubst %-mbedtls,%,\
 	      $(LOCAL_AND_LIB_VARIANT)\
 	      ))))
 SSL_VARIANT=$(strip \
 		$(if $(findstring openssl,$(LOCAL_AND_LIB_VARIANT)),openssl,\
 		$(if $(findstring wolfssl,$(LOCAL_AND_LIB_VARIANT)),wolfssl,\
 		$(if $(findstring mbedtls,$(LOCAL_AND_LIB_VARIANT)),mbedtls,\
 		internal\
 		))))
 CONFIG_VARIANT:=$(LOCAL_VARIANT)
 ifeq ($(LOCAL_VARIANT),mesh)
  CONFIG_VARIANT:=full
 endif
 include $(INCLUDE_DIR)/package.mk
 STAMP_CONFIGURED:=$(STAMP_CONFIGURED)_$(CONFIG_WPA_MSG_MIN_PRIORITY)
 ifneq ($(CONFIG_DRIVER_11AC_SUPPORT),)
  HOSTAPD_IEEE80211AC:=y
 endif
 ifneq ($(CONFIG_DRIVER_11AX_SUPPORT),)
  HOSTAPD_IEEE80211AX:=y
 endif
 CORE_DEPENDS = +ucode +libubus +libucode +ucode-mod-fs +ucode-mod-nl80211 +ucode-mod-rtnl +ucode-mod-ubus +ucode-mod-uloop +libblobmsg-json
 OPENSSL_DEPENDS = +PACKAGE_$(1):libopenssl +PACKAGE_$(1):libopenssl-legacy
 DRIVER_MAKEOPTS= \
 	CONFIG_ACS=y CONFIG_DRIVER_NL80211=y \
 	CONFIG_IEEE80211AC=$(HOSTAPD_IEEE80211AC) \
 	CONFIG_IEEE80211AX=$(HOSTAPD_IEEE80211AX) \
 	CONFIG_MBO=$(CONFIG_WPA_MBO_SUPPORT) \
 	CONFIG_UCODE=y
 ifeq ($(SSL_VARIANT),openssl)
  DRIVER_MAKEOPTS += CONFIG_TLS=openssl CONFIG_SAE=y
  TARGET_LDFLAGS += -lcrypto -lssl
  ifeq ($(LOCAL_VARIANT),basic)
    DRIVER_MAKEOPTS += CONFIG_OWE=y
  endif
  ifeq ($(LOCAL_VARIANT),mesh)
    DRIVER_MAKEOPTS += CONFIG_AP=y CONFIG_MESH=y
  endif
  ifeq ($(LOCAL_VARIANT),full)
    DRIVER_MAKEOPTS += CONFIG_OWE=y CONFIG_SUITEB192=y CONFIG_AP=y CONFIG_MESH=y
  endif
 endif
 ifeq ($(SSL_VARIANT),wolfssl)
  DRIVER_MAKEOPTS += CONFIG_TLS=wolfssl CONFIG_SAE=y
  TARGET_LDFLAGS += -lwolfssl
  ifeq ($(LOCAL_VARIANT),basic)
    DRIVER_MAKEOPTS += CONFIG_OWE=y
  endif
  ifeq ($(LOCAL_VARIANT),mesh)
    DRIVER_MAKEOPTS += CONFIG_AP=y CONFIG_MESH=y CONFIG_WPS_NFC=1
  endif
  ifeq ($(LOCAL_VARIANT),full)
    DRIVER_MAKEOPTS += CONFIG_OWE=y CONFIG_SUITEB192=y CONFIG_AP=y CONFIG_MESH=y CONFIG_WPS_NFC=1
  endif
 endif
 ifeq ($(SSL_VARIANT),mbedtls)
  DRIVER_MAKEOPTS += CONFIG_TLS=mbedtls CONFIG_SAE=y
  TARGET_LDFLAGS += -lmbedcrypto -lmbedx509 -lmbedtls
  ifeq ($(LOCAL_VARIANT),basic)
    DRIVER_MAKEOPTS += CONFIG_OWE=y
  endif
  ifeq ($(LOCAL_VARIANT),mesh)
    DRIVER_MAKEOPTS += CONFIG_AP=y CONFIG_MESH=y CONFIG_WPS_NFC=1
  endif
  ifeq ($(LOCAL_VARIANT),full)
    DRIVER_MAKEOPTS += CONFIG_OWE=y CONFIG_SUITEB192=y CONFIG_AP=y CONFIG_MESH=y CONFIG_WPS_NFC=1
  endif
 endif
 ifneq ($(LOCAL_TYPE),hostapd)
  ifdef CONFIG_WPA_RFKILL_SUPPORT
    DRIVER_MAKEOPTS += NEED_RFKILL=y
  endif
 endif
 DRV_DEPENDS:=+libnl-tiny
 define Package/hostapd/Default
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=WirelessAPD
  TITLE:=IEEE 802.1x Authenticator
  URL:=http://hostap.epitest.fi/
  DEPENDS:=$(DRV_DEPENDS) +hostapd-common $(CORE_DEPENDS)
  EXTRA_DEPENDS:=hostapd-common (=$(PKG_VERSION)-$(PKG_RELEASE))
  USERID:=network=101:network=101
  PROVIDES:=hostapd
  CONFLICTS:=$(HOSTAPD_PROVIDERS)
  HOSTAPD_PROVIDERS+=$(1)
 endef
 define Package/hostapd
 $(call Package/hostapd/Default,$(1))
  TITLE+= (built-in full)
  VARIANT:=full-internal
 endef
 define Package/hostapd/description
 This package contains a full featured IEEE 802.1x/WPA/EAP/RADIUS
 Authenticator.
 endef
 define Package/hostapd-openssl
 $(call Package/hostapd/Default,$(1))
  TITLE+= (OpenSSL full)
  VARIANT:=full-openssl
  DEPENDS+=$(OPENSSL_DEPENDS)
 endef
 Package/hostapd-openssl/description = $(Package/hostapd/description)
 define Package/hostapd-wolfssl
 $(call Package/hostapd/Default,$(1))
  TITLE+= (wolfSSL full)
  VARIANT:=full-wolfssl
  DEPENDS+=+PACKAGE_hostapd-wolfssl:libwolfssl
 endef
 Package/hostapd-wolfssl/description = $(Package/hostapd/description)
 define Package/hostapd-mbedtls
 $(call Package/hostapd/Default,$(1))
  TITLE+= (mbedTLS full)
  VARIANT:=full-mbedtls
  DEPENDS+=+PACKAGE_hostapd-mbedtls:libmbedtls
 endef
 Package/hostapd-mbedtls/description = $(Package/hostapd/description)
 define Package/hostapd-basic
 $(call Package/hostapd/Default,$(1))
  TITLE+= (WPA-PSK, 11r, 11w)
  VARIANT:=basic
 endef
 define Package/hostapd-basic/description
 This package contains a basic IEEE 802.1x/WPA Authenticator with WPA-PSK, 802.11r and 802.11w support.
 endef
 define Package/hostapd-basic-openssl
 $(call Package/hostapd/Default,$(1))
  TITLE+= (WPA-PSK, 11r and 11w)
  VARIANT:=basic-openssl
  DEPENDS+=+PACKAGE_hostapd-basic-openssl:libopenssl
 endef
 define Package/hostapd-basic-openssl/description
 This package contains a basic IEEE 802.1x/WPA Authenticator with WPA-PSK, 802.11r and 802.11w support.
 endef
 define Package/hostapd-basic-wolfssl
 $(call Package/hostapd/Default,$(1))
  TITLE+= (WPA-PSK, 11r and 11w)
  VARIANT:=basic-wolfssl
  DEPENDS+=+PACKAGE_hostapd-basic-wolfssl:libwolfssl
 endef
 define Package/hostapd-basic-wolfssl/description
 This package contains a basic IEEE 802.1x/WPA Authenticator with WPA-PSK, 802.11r and 802.11w support.
 endef
 define Package/hostapd-basic-mbedtls
 $(call Package/hostapd/Default,$(1))
  TITLE+= (WPA-PSK, 11r and 11w)
  VARIANT:=basic-mbedtls
  DEPENDS+=+PACKAGE_hostapd-basic-mbedtls:libmbedtls
 endef
 define Package/hostapd-basic-mbedtls/description
 This package contains a basic IEEE 802.1x/WPA Authenticator with WPA-PSK, 802.11r and 802.11w support.
 endef
 define Package/hostapd-mini
 $(call Package/hostapd/Default,$(1))
  TITLE+= (WPA-PSK only)
  VARIANT:=mini
 endef
 define Package/hostapd-mini/description
 This package contains a minimal IEEE 802.1x/WPA Authenticator (WPA-PSK only).
 endef
 define Package/wpad/Default
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=WirelessAPD
  TITLE:=IEEE 802.1x Auth/Supplicant
  DEPENDS:=$(DRV_DEPENDS) +hostapd-common $(CORE_DEPENDS)
  EXTRA_DEPENDS:=hostapd-common (=$(PKG_VERSION)-$(PKG_RELEASE))
  USERID:=network=101:network=101
  URL:=http://hostap.epitest.fi/
  PROVIDES:=hostapd wpa-supplicant
  CONFLICTS:=$(HOSTAPD_PROVIDERS) $(SUPPLICANT_PROVIDERS)
  HOSTAPD_PROVIDERS+=$(1)
  SUPPLICANT_PROVIDERS+=$(1)
 endef
 define Package/wpad
 $(call Package/wpad/Default,$(1))
  TITLE+= (built-in full)
  VARIANT:=wpad-full-internal
 endef
 define Package/wpad/description
 This package contains a full featured IEEE 802.1x/WPA/EAP/RADIUS
 Authenticator and Supplicant
 endef
 define Package/wpad-openssl
 $(call Package/wpad/Default,$(1))
  TITLE+= (OpenSSL full)
  VARIANT:=wpad-full-openssl
  DEPENDS+=$(OPENSSL_DEPENDS)
 endef
 Package/wpad-openssl/description = $(Package/wpad/description)
 define Package/wpad-wolfssl
 $(call Package/wpad/Default,$(1))
  TITLE+= (wolfSSL full)
  VARIANT:=wpad-full-wolfssl
  DEPENDS+=+PACKAGE_wpad-wolfssl:libwolfssl
 endef
 Package/wpad-wolfssl/description = $(Package/wpad/description)
 define Package/wpad-mbedtls
 $(call Package/wpad/Default,$(1))
  TITLE+= (mbedTLS full)
  VARIANT:=wpad-full-mbedtls
  DEPENDS+=+PACKAGE_wpad-mbedtls:libmbedtls
 endef
 Package/wpad-mbedtls/description = $(Package/wpad/description)
 define Package/wpad-basic
 $(call Package/wpad/Default,$(1))
  TITLE+= (WPA-PSK, 11r, 11w)
  VARIANT:=wpad-basic
 endef
 define Package/wpad-basic/description
 This package contains a basic IEEE 802.1x/WPA Authenticator and Supplicant with WPA-PSK, 802.11r and 802.11w support.
 endef
 define Package/wpad-basic-openssl
 $(call Package/wpad/Default,$(1))
  TITLE+= (OpenSSL, 11r, 11w)
  VARIANT:=wpad-basic-openssl
  DEPENDS+=$(OPENSSL_DEPENDS)
 endef
 define Package/wpad-basic-openssl/description
 This package contains a basic IEEE 802.1x/WPA Authenticator and Supplicant with WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w support.
 endef
 define Package/wpad-basic-wolfssl
 $(call Package/wpad/Default,$(1))
  TITLE+= (wolfSSL, 11r, 11w)
  VARIANT:=wpad-basic-wolfssl
  DEPENDS+=+PACKAGE_wpad-basic-wolfssl:libwolfssl
 endef
 define Package/wpad-basic-wolfssl/description
 This package contains a basic IEEE 802.1x/WPA Authenticator and Supplicant with WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w support.
 endef
 define Package/wpad-basic-mbedtls
 $(call Package/wpad/Default,$(1))
  TITLE+= (mbedTLS, 11r, 11w)
  VARIANT:=wpad-basic-mbedtls
  DEPENDS+=+PACKAGE_wpad-basic-mbedtls:libmbedtls
 endef
 define Package/wpad-basic-mbedtls/description
 This package contains a basic IEEE 802.1x/WPA Authenticator and Supplicant with WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w support.
 endef
 define Package/wpad-mini
 $(call Package/wpad/Default,$(1))
  TITLE+= (WPA-PSK only)
  VARIANT:=wpad-mini
 endef
 define Package/wpad-mini/description
 This package contains a minimal IEEE 802.1x/WPA Authenticator and Supplicant (WPA-PSK only).
 endef
 define Package/wpad-mesh
 $(call Package/wpad/Default,$(1))
  DEPENDS+=@(!TARGET_uml||BROKEN)
  PROVIDES+=wpa-supplicant-mesh wpad-mesh
 endef
 define Package/wpad-mesh/description
 This package contains a minimal IEEE 802.1x/WPA Authenticator and Supplicant (with 802.11s mesh and SAE support).
 endef
 define Package/wpad-mesh-openssl
 $(call Package/wpad-mesh,$(1))
  TITLE+= (OpenSSL, 11s, SAE)
  DEPENDS+=$(OPENSSL_DEPENDS)
  VARIANT:=wpad-mesh-openssl
 endef
 Package/wpad-mesh-openssl/description = $(Package/wpad-mesh/description)
 define Package/wpad-mesh-wolfssl
 $(call Package/wpad-mesh,$(1))
  TITLE+= (wolfSSL, 11s, SAE)
  DEPENDS+=+PACKAGE_wpad-mesh-wolfssl:libwolfssl
  VARIANT:=wpad-mesh-wolfssl
 endef
 Package/wpad-mesh-wolfssl/description = $(Package/wpad-mesh/description)
 define Package/wpad-mesh-mbedtls
 $(call Package/wpad-mesh,$(1))
  TITLE+= (mbedTLS, 11s, SAE)
  DEPENDS+=+PACKAGE_wpad-mesh-mbedtls:libmbedtls
  VARIANT:=wpad-mesh-mbedtls
 endef
 Package/wpad-mesh-mbedtls/description = $(Package/wpad-mesh/description)
 define Package/wpa-supplicant/Default
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=WirelessAPD
  TITLE:=WPA Supplicant
  URL:=http://hostap.epitest.fi/wpa_supplicant/
  DEPENDS:=$(DRV_DEPENDS) +hostapd-common $(CORE_DEPENDS)
  EXTRA_DEPENDS:=hostapd-common (=$(PKG_VERSION)-$(PKG_RELEASE))
  USERID:=network=101:network=101
  PROVIDES:=wpa-supplicant
  CONFLICTS:=$(SUPPLICANT_PROVIDERS)
  SUPPLICANT_PROVIDERS+=$(1)
 endef
 define Package/wpa-supplicant
 $(call Package/wpa-supplicant/Default,$(1))
  TITLE+= (built-in full)
  VARIANT:=supplicant-full-internal
 endef
 define Package/wpa-supplicant-openssl
 $(call Package/wpa-supplicant/Default,$(1))
  TITLE+= (OpenSSL full)
  VARIANT:=supplicant-full-openssl
  DEPENDS+=$(OPENSSL_DEPENDS)
 endef
 define Package/wpa-supplicant-wolfssl
 $(call Package/wpa-supplicant/Default,$(1))
  TITLE+= (wolfSSL full)
  VARIANT:=supplicant-full-wolfssl
  DEPENDS+=+PACKAGE_wpa-supplicant-wolfssl:libwolfssl
 endef
 define Package/wpa-supplicant-mbedtls
 $(call Package/wpa-supplicant/Default,$(1))
  TITLE+= (mbedTLS full)
  VARIANT:=supplicant-full-mbedtls
  DEPENDS+=+PACKAGE_wpa-supplicant-mbedtls:libmbedtls
 endef
 define Package/wpa-supplicant/config
 	source "$(SOURCE)/Config.in"
 endef
 define Package/wpa-supplicant-p2p
 $(call Package/wpa-supplicant/Default,$(1))
  TITLE+= (Wi-Fi P2P support)
  VARIANT:=supplicant-p2p-internal
 endef
 define Package/wpa-supplicant-mesh/Default
 $(call Package/wpa-supplicant/Default,$(1))
  DEPENDS+=@(!TARGET_uml||BROKEN)
  PROVIDES+=wpa-supplicant-mesh
 endef
 define Package/wpa-supplicant-mesh-openssl
 $(call Package/wpa-supplicant-mesh/Default,$(1))
  TITLE+= (OpenSSL, 11s, SAE)
  VARIANT:=supplicant-mesh-openssl
  DEPENDS+=$(OPENSSL_DEPENDS)
 endef
 define Package/wpa-supplicant-mesh-wolfssl
 $(call Package/wpa-supplicant-mesh/Default,$(1))
  TITLE+= (wolfSSL, 11s, SAE)
  VARIANT:=supplicant-mesh-wolfssl
  DEPENDS+=+PACKAGE_wpa-supplicant-mesh-wolfssl:libwolfssl
 endef
 define Package/wpa-supplicant-mesh-mbedtls
 $(call Package/wpa-supplicant-mesh/Default,$(1))
  TITLE+= (mbedTLS, 11s, SAE)
  VARIANT:=supplicant-mesh-mbedtls
  DEPENDS+=+PACKAGE_wpa-supplicant-mesh-mbedtls:libmbedtls
 endef
 define Package/wpa-supplicant-basic
 $(call Package/wpa-supplicant/Default,$(1))
  TITLE+= (11r, 11w)
  VARIANT:=supplicant-basic
 endef
 define Package/wpa-supplicant-mini
 $(call Package/wpa-supplicant/Default,$(1))
  TITLE+= (minimal)
  VARIANT:=supplicant-mini
 endef
 define Package/hostapd-common
  TITLE:=hostapd/wpa_supplicant common support files
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=WirelessAPD
 endef
 define Package/hostapd-utils
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=WirelessAPD
  TITLE:=IEEE 802.1x Authenticator (utils)
  URL:=http://hostap.epitest.fi/
  DEPENDS:=@$(subst $(space),||,$(foreach pkg,$(HOSTAPD_PROVIDERS),PACKAGE_$(pkg)))
  VARIANT:=*
 endef
 define Package/hostapd-utils/description
 This package contains a command line utility to control the
 IEEE 802.1x/WPA/EAP/RADIUS Authenticator.
 endef
 define Package/wpa-cli
  SECTION:=net
  CATEGORY:=Network
  SUBMENU:=WirelessAPD
  DEPENDS:=@$(subst $(space),||,$(foreach pkg,$(SUPPLICANT_PROVIDERS),PACKAGE_$(pkg)))
  TITLE:=WPA Supplicant command line control utility
  VARIANT:=*
 endef
 define Package/eapol-test/Default
  TITLE:=802.1x auth test utility
  SECTION:=net
  SUBMENU:=WirelessAPD
  CATEGORY:=Network
  DEPENDS:=$(DRV_DEPENDS) $(CORE_DEPENDS)
 endef
 define Package/eapol-test
  $(call Package/eapol-test/Default,$(1))
  TITLE+= (built-in full)
  VARIANT:=supplicant-full-internal
 endef
 define Package/eapol-test-openssl
  $(call Package/eapol-test/Default,$(1))
  TITLE+= (OpenSSL full)
  VARIANT:=supplicant-full-openssl
  CONFLICTS:=$(filter-out eapol-test-openssl ,$(EAPOL_TEST_PROVIDERS))
  DEPENDS+=$(OPENSSL_DEPENDS)
  PROVIDES:=eapol-test
 endef
 define Package/eapol-test-wolfssl
  $(call Package/eapol-test/Default,$(1))
  TITLE+= (wolfSSL full)
  VARIANT:=supplicant-full-wolfssl
  CONFLICTS:=$(filter-out eapol-test-openssl ,$(filter-out eapol-test-wolfssl ,$(EAPOL_TEST_PROVIDERS)))
  DEPENDS+=+PACKAGE_eapol-test-wolfssl:libwolfssl
  PROVIDES:=eapol-test
 endef
 define Package/eapol-test-mbedtls
  $(call Package/eapol-test/Default,$(1))
  TITLE+= (mbedTLS full)
  VARIANT:=supplicant-full-mbedtls
  CONFLICTS:=$(filter-out eapol-test-openssl ,$(filter-out eapol-test-mbedtls ,$(EAPOL_TEST_PROVIDERS)))
  DEPENDS+=+PACKAGE_eapol-test-mbedtls:libmbedtls
  PROVIDES:=eapol-test
 endef
 ifneq ($(wildcard $(PKG_BUILD_DIR)/.config_*),$(subst .configured_,.config_,$(STAMP_CONFIGURED)))
  define Build/Configure/rebuild
 	$(FIND) $(PKG_BUILD_DIR) -name \*.o -or -name \*.a | $(XARGS) rm -f
 	rm -f $(PKG_BUILD_DIR)/hostapd/hostapd
 	rm -f $(PKG_BUILD_DIR)/wpa_supplicant/wpa_supplicant
 	rm -f $(PKG_BUILD_DIR)/.config_*
 	touch $(subst .configured_,.config_,$(STAMP_CONFIGURED))
  endef
 endif
 define Build/Configure
 	$(Build/Configure/rebuild)
 	$(if $(wildcard ./files/hostapd-$(CONFIG_VARIANT).config), \
 		$(CP) ./files/hostapd-$(CONFIG_VARIANT).config $(PKG_BUILD_DIR)/hostapd/.config \
 	)
 	$(if $(wildcard ./files/wpa_supplicant-$(CONFIG_VARIANT).config), \
 		$(CP) ./files/wpa_supplicant-$(CONFIG_VARIANT).config $(PKG_BUILD_DIR)/wpa_supplicant/.config
 	)
 endef
 TARGET_CPPFLAGS := \
 	-I$(STAGING_DIR)/usr/include/libnl-tiny \
 	-I$(PKG_BUILD_DIR)/src/crypto \
 	$(TARGET_CPPFLAGS) \
 	-DCONFIG_LIBNL20 \
 	-D_GNU_SOURCE \
 	$(if $(CONFIG_WPA_MSG_MIN_PRIORITY),-DCONFIG_MSG_MIN_PRIORITY=$(CONFIG_WPA_MSG_MIN_PRIORITY))
 TARGET_LDFLAGS += -lubox -lubus -lblobmsg_json -lucode -lm -lnl-tiny
 ifdef CONFIG_WPA_ENABLE_WEP
    DRIVER_MAKEOPTS += CONFIG_WEP=y
 endif
 define Build/RunMake
 	CFLAGS="$(TARGET_CPPFLAGS) $(TARGET_CFLAGS)" \
 	$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR)/$(1) \
 		$(TARGET_CONFIGURE_OPTS) \
 		$(DRIVER_MAKEOPTS) \
 		LIBS="$(TARGET_LDFLAGS)" \
 		LIBS_c="$(TARGET_LDFLAGS_C)" \
 		AR="$(TARGET_CROSS)gcc-ar" \
 		BCHECK= \
 		$(if $(findstring s,$(OPENWRT_VERBOSE)),V=1) \
 		$(2)
 endef
 define Build/Compile/wpad
 	echo ` \
 		$(call Build/RunMake,hostapd,-s MULTICALL=1 dump_cflags); \
 		$(call Build/RunMake,wpa_supplicant,-s MULTICALL=1 dump_cflags) | \
 		sed -e 's,-n ,,g' -e 's^$(TARGET_CFLAGS)^^' \
 	` > $(PKG_BUILD_DIR)/.cflags
 	sed -i 's/"/\\"/g' $(PKG_BUILD_DIR)/.cflags
 	+$(call Build/RunMake,hostapd, \
 		CFLAGS="$$$$(cat $(PKG_BUILD_DIR)/.cflags)" \
 		MULTICALL=1 \
 		hostapd_cli hostapd_multi.a \
 	)
 	+$(call Build/RunMake,wpa_supplicant, \
 		CFLAGS="$$$$(cat $(PKG_BUILD_DIR)/.cflags)" \
 		MULTICALL=1 \
 		wpa_cli wpa_supplicant_multi.a \
 	)
 	+export MAKEFLAGS="$(MAKE_JOBSERVER)"; $(TARGET_CC) -o $(PKG_BUILD_DIR)/wpad \
 		$(TARGET_CFLAGS) \
 		./files/multicall.c \
 		$(PKG_BUILD_DIR)/hostapd/hostapd_multi.a \
 		$(PKG_BUILD_DIR)/wpa_supplicant/wpa_supplicant_multi.a \
 		$(TARGET_LDFLAGS)
 endef
 define Build/Compile/hostapd
 	+$(call Build/RunMake,hostapd, \
 		hostapd hostapd_cli \
 	)
 endef
 define Build/Compile/supplicant
 	+$(call Build/RunMake,wpa_supplicant, \
 		wpa_cli wpa_supplicant \
 	)
 endef
 define Build/Compile/supplicant-full-internal
 	+$(call Build/RunMake,wpa_supplicant, \
 		eapol_test \
 	)
 endef
 define Build/Compile/supplicant-full-openssl
 	+$(call Build/RunMake,wpa_supplicant, \
 		eapol_test \
 	)
 endef
 define Build/Compile/supplicant-full-wolfssl
 	+$(call Build/RunMake,wpa_supplicant, \
 		eapol_test \
 	)
 endef
 define Build/Compile/supplicant-full-mbedtls
 	+$(call Build/RunMake,wpa_supplicant, \
 		eapol_test \
 	)
 endef
 define Build/Compile
 	$(Build/Compile/$(LOCAL_TYPE))
 	$(Build/Compile/$(BUILD_VARIANT))
 endef
 define Install/hostapd/full
 	$(INSTALL_DIR) $(1)/etc/init.d $(1)/etc/config $(1)/etc/radius
 	ln -sf hostapd $(1)/usr/sbin/hostapd-radius
 	$(INSTALL_BIN) ./files/radius.init $(1)/etc/init.d/radius
 	$(INSTALL_DATA) ./files/radius.config $(1)/etc/config/radius
 	$(INSTALL_DATA) ./files/radius.clients $(1)/etc/radius/clients
 	$(INSTALL_DATA) ./files/radius.users $(1)/etc/radius/users
 endef
 define Package/hostapd-full/conffiles
 /etc/config/radius
 /etc/radius
 endef
 ifeq ($(CONFIG_VARIANT),full)
 Package/wpad-mesh-openssl/conffiles = $(Package/hostapd-full/conffiles)
 Package/wpad-mesh-wolfssl/conffiles = $(Package/hostapd-full/conffiles)
 Package/wpad-mesh-mbedtls/conffiles = $(Package/hostapd-full/conffiles)
 Package/wpad/conffiles = $(Package/hostapd-full/conffiles)
 Package/wpad-openssl/conffiles = $(Package/hostapd-full/conffiles)
 Package/wpad-wolfssl/conffiles = $(Package/hostapd-full/conffiles)
 Package/wpad-mbedtls/conffiles = $(Package/hostapd-full/conffiles)
 Package/hostapd/conffiles = $(Package/hostapd-full/conffiles)
 Package/hostapd-openssl/conffiles = $(Package/hostapd-full/conffiles)
 Package/hostapd-wolfssl/conffiles = $(Package/hostapd-full/conffiles)
 Package/hostapd-mbedtls/conffiles = $(Package/hostapd-full/conffiles)
 endif
 define Install/hostapd
 	$(INSTALL_DIR) $(1)/usr/sbin $(1)/usr/share/hostap
 	$(INSTALL_DATA) ./files/hostapd.uc $(1)/usr/share/hostap/
 	$(if $(findstring full,$(CONFIG_VARIANT)),$(Install/hostapd/full))
 endef
 define Install/supplicant
 	$(INSTALL_DIR) $(1)/usr/sbin $(1)/usr/share/hostap
 	$(INSTALL_DATA) ./files/wpa_supplicant.uc $(1)/usr/share/hostap/
 endef
 define Package/hostapd-common/install
 	$(INSTALL_DIR) $(1)/etc/capabilities $(1)/etc/rc.button $(1)/etc/hotplug.d/ieee80211 $(1)/etc/init.d $(1)/lib/netifd  $(1)/usr/share/acl.d $(1)/usr/share/hostap
 	$(INSTALL_BIN) ./files/dhcp-get-server.sh $(1)/lib/netifd/dhcp-get-server.sh
 	$(INSTALL_DATA) ./files/hostapd.sh $(1)/lib/netifd/hostapd.sh
 	$(INSTALL_BIN) ./files/wpad.init $(1)/etc/init.d/wpad
 	$(INSTALL_BIN) ./files/wps-hotplug.sh $(1)/etc/rc.button/wps
 	$(INSTALL_DATA) ./files/wpad_acl.json $(1)/usr/share/acl.d
 	$(INSTALL_DATA) ./files/wpad.json $(1)/etc/capabilities
 	$(INSTALL_DATA) ./files/common.uc $(1)/usr/share/hostap/
 	$(INSTALL_DATA) ./files/wdev.uc $(1)/usr/share/hostap/
 endef
 define Package/hostapd/install
 	$(call Install/hostapd,$(1))
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/hostapd/hostapd $(1)/usr/sbin/
 endef
 Package/hostapd-basic/install = $(Package/hostapd/install)
 Package/hostapd-basic-openssl/install = $(Package/hostapd/install)
 Package/hostapd-basic-wolfssl/install = $(Package/hostapd/install)
 Package/hostapd-basic-mbedtls/install = $(Package/hostapd/install)
 Package/hostapd-mini/install = $(Package/hostapd/install)
 Package/hostapd-openssl/install = $(Package/hostapd/install)
 Package/hostapd-wolfssl/install = $(Package/hostapd/install)
 Package/hostapd-mbedtls/install = $(Package/hostapd/install)
 ifneq ($(LOCAL_TYPE),supplicant)
  define Package/hostapd-utils/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/hostapd/hostapd_cli $(1)/usr/sbin/
  endef
 endif
 define Package/wpad/install
 	$(call Install/hostapd,$(1))
 	$(call Install/supplicant,$(1))
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/wpad $(1)/usr/sbin/
 	$(LN) wpad $(1)/usr/sbin/hostapd
 	$(LN) wpad $(1)/usr/sbin/wpa_supplicant
 endef
 Package/wpad-basic/install = $(Package/wpad/install)
 Package/wpad-basic-openssl/install = $(Package/wpad/install)
 Package/wpad-basic-wolfssl/install = $(Package/wpad/install)
 Package/wpad-basic-mbedtls/install = $(Package/wpad/install)
 Package/wpad-mini/install = $(Package/wpad/install)
 Package/wpad-openssl/install = $(Package/wpad/install)
 Package/wpad-wolfssl/install = $(Package/wpad/install)
 Package/wpad-mbedtls/install = $(Package/wpad/install)
 Package/wpad-mesh-openssl/install = $(Package/wpad/install)
 Package/wpad-mesh-wolfssl/install = $(Package/wpad/install)
 Package/wpad-mesh-mbedtls/install = $(Package/wpad/install)
 define Package/wpa-supplicant/install
 	$(call Install/supplicant,$(1))
 	$(INSTALL_BIN) $(PKG_BUILD_DIR)/wpa_supplicant/wpa_supplicant $(1)/usr/sbin/
 endef
 Package/wpa-supplicant-basic/install = $(Package/wpa-supplicant/install)
 Package/wpa-supplicant-mini/install = $(Package/wpa-supplicant/install)
 Package/wpa-supplicant-p2p/install = $(Package/wpa-supplicant/install)
 Package/wpa-supplicant-openssl/install = $(Package/wpa-supplicant/install)
 Package/wpa-supplicant-wolfssl/install = $(Package/wpa-supplicant/install)
 Package/wpa-supplicant-mbedtls/install = $(Package/wpa-supplicant/install)
 Package/wpa-supplicant-mesh-openssl/install = $(Package/wpa-supplicant/install)
 Package/wpa-supplicant-mesh-wolfssl/install = $(Package/wpa-supplicant/install)
 Package/wpa-supplicant-mesh-mbedtls/install = $(Package/wpa-supplicant/install)
 ifneq ($(LOCAL_TYPE),hostapd)
  define Package/wpa-cli/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(CP) $(PKG_BUILD_DIR)/wpa_supplicant/wpa_cli $(1)/usr/sbin/
  endef
 endif
 ifeq ($(BUILD_VARIANT),supplicant-full-internal)
  define Package/eapol-test/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(CP) $(PKG_BUILD_DIR)/wpa_supplicant/eapol_test $(1)/usr/sbin/
  endef
 endif
 ifeq ($(BUILD_VARIANT),supplicant-full-openssl)
  define Package/eapol-test-openssl/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(CP) $(PKG_BUILD_DIR)/wpa_supplicant/eapol_test $(1)/usr/sbin/
  endef
 endif
 ifeq ($(BUILD_VARIANT),supplicant-full-wolfssl)
  define Package/eapol-test-wolfssl/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(CP) $(PKG_BUILD_DIR)/wpa_supplicant/eapol_test $(1)/usr/sbin/
  endef
 endif
 ifeq ($(BUILD_VARIANT),supplicant-full-mbedtls)
  define Package/eapol-test-mbedtls/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(CP) $(PKG_BUILD_DIR)/wpa_supplicant/eapol_test $(1)/usr/sbin/
  endef
 endif
 # Build hostapd-common before its dependents, to avoid
 # spurious rebuilds when building multiple variants.
 $(eval $(call BuildPackage,hostapd-common))
 $(eval $(call BuildPackage,hostapd))
 $(eval $(call BuildPackage,hostapd-basic))
 $(eval $(call BuildPackage,hostapd-basic-openssl))
 $(eval $(call BuildPackage,hostapd-basic-wolfssl))
 $(eval $(call BuildPackage,hostapd-basic-mbedtls))
 $(eval $(call BuildPackage,hostapd-mini))
 $(eval $(call BuildPackage,hostapd-openssl))
 $(eval $(call BuildPackage,hostapd-wolfssl))
 $(eval $(call BuildPackage,hostapd-mbedtls))
 $(eval $(call BuildPackage,wpad))
 $(eval $(call BuildPackage,wpad-mesh-openssl))
 $(eval $(call BuildPackage,wpad-mesh-wolfssl))
 $(eval $(call BuildPackage,wpad-mesh-mbedtls))
 $(eval $(call BuildPackage,wpad-basic))
 $(eval $(call BuildPackage,wpad-basic-openssl))
 $(eval $(call BuildPackage,wpad-basic-wolfssl))
 $(eval $(call BuildPackage,wpad-basic-mbedtls))
 $(eval $(call BuildPackage,wpad-mini))
 $(eval $(call BuildPackage,wpad-openssl))
 $(eval $(call BuildPackage,wpad-wolfssl))
 $(eval $(call BuildPackage,wpad-mbedtls))
 $(eval $(call BuildPackage,wpa-supplicant))
 $(eval $(call BuildPackage,wpa-supplicant-mesh-openssl))
 $(eval $(call BuildPackage,wpa-supplicant-mesh-wolfssl))
 $(eval $(call BuildPackage,wpa-supplicant-mesh-mbedtls))
 $(eval $(call BuildPackage,wpa-supplicant-basic))
 $(eval $(call BuildPackage,wpa-supplicant-mini))
 $(eval $(call BuildPackage,wpa-supplicant-p2p))
 $(eval $(call BuildPackage,wpa-supplicant-openssl))
 $(eval $(call BuildPackage,wpa-supplicant-wolfssl))
 $(eval $(call BuildPackage,wpa-supplicant-mbedtls))
 $(eval $(call BuildPackage,wpa-cli))
 $(eval $(call BuildPackage,hostapd-utils))
 $(eval $(call BuildPackage,eapol-test))
 $(eval $(call BuildPackage,eapol-test-openssl))
 $(eval $(call BuildPackage,eapol-test-wolfssl))
 $(eval $(call BuildPackage,eapol-test-mbedtls))
--- a/feeds/hostapd/hostapd/README.md
+++ b/feeds/hostapd/hostapd/README.md
@@ -0,0 +1,419 @@
 # UBUS methods - hostapd
 ## bss_mgmt_enable
 Enable 802.11k/v features.
 ### arguments
 | Name | Type | Required | Description |
 |---|---|---|---|
 | neighbor_report | bool | no | enable 802.11k neighbor reports |
 | beacon_report | bool | no | enable 802.11k beacon reports |
 | link_measurements | bool | no | enable 802.11k link measurements |
 | bss_transition | bool | no | enable 802.11v BSS transition support |
 ### example
 `ubus call hostapd.wl5-fb bss_mgmt_enable '{ "neighbor_report": true, "beacon_report": true, "link_measurements": true, "bss_transition": true
 }'`
 ## bss_transition_request
 Initiate an 802.11v transition request.
 ### arguments
 | Name | Type | Required | Description |
 |---|---|---|---|
 | addr | string | yes | client MAC address |
 | disassociation_imminent | bool | no | set Disassociation Imminent bit |
 | disassociation_timer | int32 | no | disassociate client if it doesn't roam after this time |
 | validity_period | int32 | no | validity of the BSS Transition Candiate List |
 | neighbors | array | no | BSS Transition Candidate List |
 | abridged | bool | no | prefer APs in the BSS Transition Candidate List |
 | dialog_token | int32 | no | identifier for the request/report transaction |
 | mbo_reason | int32 | no | MBO Transition Reason Code Attribute |
 | cell_pref | int32 | no | MBO Cellular Data Connection Preference Attribute |
 | reassoc_delay | int32 | no | MBO Re-association retry delay |
 ### example
 `ubus call hostapd.wl5-fb bss_transition_request '{ "addr": "68:2F:67:8B:98:ED", "disassociation_imminent": false, "disassociation_timer": 0, "validity_period": 30, "neighbors": ["b6a7b9cbeebabf5900008064090603026a00"], "abridged": 1 }'`
 ## config_add
 Dynamically load a BSS configuration from a file. This is used by netifd's mac80211 support script to configure BSSes on multiple PHYs in a single hostapd instance.
 ### arguments
 | Name | Type | Required | Description |
 |---|---|---|---|
 | iface | string | yes | WiFi interface name |
 | config | string | yes | path to hostapd config file |
 ## config_remove
 Dynamically remove a BSS configuration.
 ### arguments
 | Name | Type | Required | Description |
 |---|---|---|---|
 | iface | string | yes | WiFi interface name |
 ## del_client
 Kick a client off the network.
 ### arguments
 | Name | Type | Required | Description |
 |---|---|---|---|
 | addr | string | yes | client MAC address |
 | reason | int32 | no | 802.11 reason code |
 | deauth | bool | no | deauthenticates client instead of disassociating |
 | ban_time | int32 | no | ban client for N milliseconds |
 ### example
 `ubus call hostapd.wl5-fb del_client '{ "addr": "68:2f:67:8b:98:ed", "reason": 5, "deauth": true, "ban_time": 10000 }'`
 ## get_clients
 Show associated clients.
 ### example
 `ubus call hostapd.wl5-fb get_clients`
 ### output
 ```json
 {
        "freq": 5260,
        "clients": {
                "68:2f:67:8b:98:ed": {
                        "auth": true,
                        "assoc": true,
                        "authorized": true,
                        "preauth": false,
                        "wds": false,
                        "wmm": true,
                        "ht": true,
                        "vht": true,
                        "he": false,
                        "wps": false,
                        "mfp": true,
                        "rrm": [
                                0,
                                0,
                                0,
                                0,
                                0
                        ],
                        "extended_capabilities": [
                                0,
                                0,
                                0,
                                0,
                                0,
                                0,
                                0,
                                64
                        ],
                        "aid": 3,
                        "signature": "wifi4|probe:0,1,45,127,107,191,221(0017f2,10),221(001018,2),htcap:006f,htagg:1b,htmcs:0000ffff,vhtcap:0f825832,vhtrxmcs:0000ffea,vhttxmcs:0000ffea,extcap:0000008000000040|assoc:0,1,33,36,48,45,127,191,221(0017f2,10),221(001018,2),221(0050f2,2),htcap:006f,htagg:1b,htmcs:0000ffff,vhtcap:0f825832,vhtrxmcs:0000ffea,vhttxmcs:0000ffea,txpow:14f9,extcap:0000000000000040",
                        "bytes": {
                                "rx": 1933667,
                                "tx": 746805
                        },
                        "airtime": {
                                "rx": 208863,
                                "tx": 9037883
                        },
                        "packets": {
                                "rx": 3587,
                                "tx": 2185
                        },
                        "rate": {
                                "rx": 866700,
                                "tx": 866700
                        },
                        "signal": -50,
                        "capabilities": {
                                "vht": {
                                        "su_beamformee": true,
                                        "mu_beamformee": false,
                                        "mcs_map": {
                                                "rx": {
                                                        "1ss": 9,
                                                        "2ss": 9,
                                                        "3ss": 9,
                                                        "4ss": -1,
                                                        "5ss": -1,
                                                        "6ss": -1,
                                                        "7ss": -1,
                                                        "8ss": -1
                                                },
                                                "tx": {
                                                        "1ss": 9,
                                                        "2ss": 9,
                                                        "3ss": 9,
                                                        "4ss": -1,
                                                        "5ss": -1,
                                                        "6ss": -1,
                                                        "7ss": -1,
                                                        "8ss": -1
                                                }
                                        }
                                }
                        }
                }
        }
 }
 ```
 ## get_features
 Show HT/VHT support.
 ### example
 `ubus call hostapd.wl5-fb get_features`
 ### output
 ```json
 {
        "ht_supported": true,
        "vht_supported": true
 }
 ```
 ## get_status
 Get BSS status.
 ### example
 `ubus call hostapd.wl5-fb get_status`
 ### output
 ```json
 {
        "status": "ENABLED",
        "bssid": "b6:a7:b9:cb:ee:bc",
        "ssid": "fb",
        "freq": 5260,
        "channel": 52,
        "op_class": 128,
        "beacon_interval": 100,
        "phy": "wl5-lan",
        "rrm": {
                "neighbor_report_tx": 0
        },
        "wnm": {
                "bss_transition_query_rx": 0,
                "bss_transition_request_tx": 0,
                "bss_transition_response_rx": 0
        },
        "airtime": {
                "time": 259561738,
                "time_busy": 2844249,
                "utilization": 0
        },
        "dfs": {
                "cac_seconds": 60,
                "cac_active": false,
                "cac_seconds_left": 0
        }
 }
 ```
 ## link_measurement_req
 Initiate an 802.11k Link Measurement Request.
 ### arguments
 | Name | Type | Required | Description |
 |---|---|---|---|
 | addr | string | yes | client MAC address |
 | tx-power-used | int32 | no | transmit power used to transmit the Link Measurement Request frame |
 | tx-power-max | int32 | no | upper limit of transmit power to be used by the client |
 ## list_bans
 List banned clients.
 ### example
 `ubus call hostapd.wl5-fb list_bans`
 ### output
 ```json
 {
        "clients": [
                "68:2f:67:8b:98:ed"
        ]
 }
 ```
 ## notify_response
 When enabled, hostapd will send a ubus notification and wait for a response before responding to various requests. This is used by e.g. usteer to make it possible to ignore probe requests.
 :warning: enabling this will cause hostapd to stop responding to probe requests unless a ubus subscriber responds to the ubus notifications.
 ### arguments
 | Name | Type | Required | Description |
 |---|---|---|---|
 | notify_response | int32 | yes | disable (0) or enable (!0) |
 ### example
 `ubus call hostapd.wl5-fb notify_response '{ "notify_response": 1 }'`
 ## reload
 Reload BSS configuration.
 :warning: this can cause problems for certain configurations:
 ```
 Mon May 16 16:09:08 2022 daemon.warn hostapd: Failed to check if DFS is required; ret=-1
 Mon May 16 16:09:08 2022 daemon.warn hostapd: Failed to check if DFS is required; ret=-1
 Mon May 16 16:09:08 2022 daemon.err hostapd: Wrong coupling between HT and VHT/HE channel setting
 ```
 ### example
 `ubus call hostapd.wl5-fb reload`
 ## rrm_beacon_req
 Send a Beacon Measurement Request to a client.
 ### arguments
 | Name | Type | Required | Description |
 |---|---|---|---|
 | addr | string | yes | client MAC address |
 | op_class | int32 | yes | the Regulatory Class for which this Measurement Request applies |
 | channel | int32 | yes | channel to measure |
 | duration | int32 | yes | compile Beacon Measurement Report after N TU |
 | mode | int32 | yes | mode to be used for measurement (0: passive, 1: active, 2: beacon table) |
 | bssid | string | no | filter BSSes in Beacon Measurement Report by BSSID |
 | ssid | string | no | filter BSSes in Beacon Measurement Report by SSID|
 ## rrm_nr_get_own
 Show Neighbor Report Element for this BSS.
 ### example
 `ubus call hostapd.wl5-fb rrm_nr_get_own`
 ### output
 ```json
 {
        "value": [
                "b6:a7:b9:cb:ee:bc",
                "fb",
                "b6a7b9cbeebcaf5900008095090603029b00"
        ]
 }
 ```
 ## rrm_nr_list
 Show Neighbor Report Elements for other BSSes in this ESS.
 ### example
 `ubus call hostapd.wl5-fb rrm_nr_list`
 ### output
 ```json
 {
        "list": [
                [
                        "b6:a7:b9:cb:ee:ba",
                        "fb",
                        "b6a7b9cbeebabf5900008064090603026a00"
                ]
        ]
 }
 ```
 ## rrm_nr_set
 Set the Neighbor Report Elements. An element for the node on which this command is executed will always be added.
 ### arguments
 | Name | Type | Required | Description |
 |---|---|---|---|
 | list | array | yes | array of Neighbor Report Elements in the format of the rrm_nr_list output |
 ### example
 `ubus call hostapd.wl5-fb rrm_nr_set '{ "list": [ [ "b6:a7:b9:cb:ee:ba", "fb", "b6a7b9cbeebabf5900008064090603026a00" ] ] }'`
 ## set_vendor_elements
 Configure Vendor-specific Information Elements for BSS.
 ### arguments
 | Name | Type | Required | Description |
 |---|---|---|---|
 | vendor_elements | string | yes | Vendor-specific Information Elements as hex string |
 ### example
 `ubus call hostapd.wl5-fb set_vendor_elements '{ "vendor_elements": "dd054857dd6662" }'`
 ## switch_chan
 Initiate a channel switch.
 :warning: trying to switch to the channel that is currently in use will fail: `Command failed: Operation not supported`
 ### arguments
 | Name | Type | Required | Description |
 |---|---|---|---|
 | freq | int32 | yes | frequency in MHz to switch to |
 | bcn_count | int32 | no | count in Beacon frames (TBTT) to perform the switch |
 | center_freq1 | int32 | no | segment 0 center frequency in MHz (valid for HT and VHT) |
 | center_freq2 | int32 | no | segment 1 center frequency in MHz (valid only for 80 MHz channel width and an 80+80 channel) |
 | bandwidth | int32 | no | channel width to use |
 | sec_channel_offset| int32 | no | secondary channel offset for HT40 (0 = disabled, 1 = HT40+, -1 = HT40-) |
 | ht | bool | no | enable 802.11n |
 | vht | bool | no | enable 802.11ac |
 | he | bool | no | enable 802.11ax |
 | block_tx | bool | no | block transmission during CSA period |
 | csa_force | bool | no | restart the interface in case the CSA fails |
 ## example
 `ubus call hostapd.wl5-fb switch_chan '{ "freq": 5180, "bcn_count": 10, "center_freq1": 5210, "bandwidth": 80, "he": 1, "block_tx": 1, "csa_force": 0 }'`
 ## update_airtime
 Set dynamic airtime weight for client.
 ### arguments
 | Name | Type | Required | Description |
 |---|---|---|---|
 | sta | string | yes | client MAC address |
 | weight | int32 | yes | airtime weight |
 ## update_beacon
 Force beacon frame content to be updated and to start beaconing on an interface that uses start_disabled=1.
 ### example
 `ubus call hostapd.wl5-fb update_beacon`
 ## wps_status
 Get WPS status for BSS.
 ### example
 `ubus call hostapd.wl5-fb wps_status`
 ### output
 ```json
 {
        "pbc_status": "Disabled",
        "last_wps_result": "None"
 }
 ```
 ## wps_cancel
 Cancel WPS Push Button Configuration.
 ### example
 `ubus call hostapd.wl5-fb wps_cancel`
 ## wps_start
 Start WPS Push Button Configuration.
 ### example
 `ubus call hostapd.wl5-fb wps_start`
--- a/feeds/hostapd/hostapd/files/common.uc
+++ b/feeds/hostapd/hostapd/files/common.uc
--- a/feeds/hostapd/hostapd/files/dhcp-get-server.sh
+++ b/feeds/hostapd/hostapd/files/dhcp-get-server.sh
@@ -0,0 +1,2 @@
 #!/bin/sh
 [ "$1" = bound ] && echo "$serverid"
--- a/feeds/hostapd/hostapd/files/hostapd-basic.config
+++ b/feeds/hostapd/hostapd/files/hostapd-basic.config
@@ -0,0 +1,404 @@
 # Example hostapd build time configuration
 #
 # This file lists the configuration options that are used when building the
 # hostapd binary. All lines starting with # are ignored. Configuration option
 # lines must be commented out complete, if they are not to be included, i.e.,
 # just setting VARIABLE=n is not disabling that variable.
 #
 # This file is included in Makefile, so variables like CFLAGS and LIBS can also
 # be modified from here. In most cass, these lines should use += in order not
 # to override previous values of the variables.
 # Driver interface for Host AP driver
 #CONFIG_DRIVER_HOSTAP=y
 # Driver interface for wired authenticator
 CONFIG_DRIVER_WIRED=y
 # Driver interface for drivers using the nl80211 kernel interface
 CONFIG_DRIVER_NL80211=y
 # QCA vendor extensions to nl80211
 #CONFIG_DRIVER_NL80211_QCA=y
 # driver_nl80211.c requires libnl. If you are compiling it yourself
 # you may need to point hostapd to your version of libnl.
 #
 #CFLAGS += -I$<path to libnl include files>
 #LIBS += -L$<path to libnl library files>
 # Use libnl v2.0 (or 3.0) libraries.
 #CONFIG_LIBNL20=y
 # Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
 #CONFIG_LIBNL32=y
 # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
 #CONFIG_DRIVER_BSD=y
 #CFLAGS += -I/usr/local/include
 #LIBS += -L/usr/local/lib
 #LIBS_p += -L/usr/local/lib
 #LIBS_c += -L/usr/local/lib
 # Driver interface for no driver (e.g., RADIUS server only)
 #CONFIG_DRIVER_NONE=y
 # IEEE 802.11F/IAPP
 #CONFIG_IAPP=y
 # WPA2/IEEE 802.11i RSN pre-authentication
 CONFIG_RSN_PREAUTH=y
 # IEEE 802.11w (management frame protection)
 #CONFIG_IEEE80211W=y
 # Support Operating Channel Validation
 CONFIG_OCV=y
 # Integrated EAP server
 #CONFIG_EAP=y
 # EAP Re-authentication Protocol (ERP) in integrated EAP server
 #CONFIG_ERP=y
 # EAP-MD5 for the integrated EAP server
 #CONFIG_EAP_MD5=y
 # EAP-TLS for the integrated EAP server
 #CONFIG_EAP_TLS=y
 # EAP-MSCHAPv2 for the integrated EAP server
 #CONFIG_EAP_MSCHAPV2=y
 # EAP-PEAP for the integrated EAP server
 #CONFIG_EAP_PEAP=y
 # EAP-GTC for the integrated EAP server
 #CONFIG_EAP_GTC=y
 # EAP-TTLS for the integrated EAP server
 #CONFIG_EAP_TTLS=y
 # EAP-SIM for the integrated EAP server
 #CONFIG_EAP_SIM=y
 # EAP-AKA for the integrated EAP server
 #CONFIG_EAP_AKA=y
 # EAP-AKA' for the integrated EAP server
 # This requires CONFIG_EAP_AKA to be enabled, too.
 #CONFIG_EAP_AKA_PRIME=y
 # EAP-PAX for the integrated EAP server
 #CONFIG_EAP_PAX=y
 # EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK)
 #CONFIG_EAP_PSK=y
 # EAP-pwd for the integrated EAP server (secure authentication with a password)
 #CONFIG_EAP_PWD=y
 # EAP-SAKE for the integrated EAP server
 #CONFIG_EAP_SAKE=y
 # EAP-GPSK for the integrated EAP server
 #CONFIG_EAP_GPSK=y
 # Include support for optional SHA256 cipher suite in EAP-GPSK
 #CONFIG_EAP_GPSK_SHA256=y
 # EAP-FAST for the integrated EAP server
 #CONFIG_EAP_FAST=y
 # EAP-TEAP for the integrated EAP server
 # Note: The current EAP-TEAP implementation is experimental and should not be
 # enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
 # of conflicting statements and missing details and the implementation has
 # vendor specific workarounds for those and as such, may not interoperate with
 # any other implementation. This should not be used for anything else than
 # experimentation and interoperability testing until those issues has been
 # resolved.
 #CONFIG_EAP_TEAP=y
 # Wi-Fi Protected Setup (WPS)
 #CONFIG_WPS=y
 # Enable UPnP support for external WPS Registrars
 #CONFIG_WPS_UPNP=y
 # Enable WPS support with NFC config method
 #CONFIG_WPS_NFC=y
 # EAP-IKEv2
 #CONFIG_EAP_IKEV2=y
 # Trusted Network Connect (EAP-TNC)
 #CONFIG_EAP_TNC=y
 # EAP-EKE for the integrated EAP server
 #CONFIG_EAP_EKE=y
 # PKCS#12 (PFX) support (used to read private key and certificate file from
 # a file that usually has extension .p12 or .pfx)
 #CONFIG_PKCS12=y
 # RADIUS authentication server. This provides access to the integrated EAP
 # server from external hosts using RADIUS.
 #CONFIG_RADIUS_SERVER=y
 # Build IPv6 support for RADIUS operations
 #CONFIG_IPV6=y
 # IEEE Std 802.11r-2008 (Fast BSS Transition)
 CONFIG_IEEE80211R=y
 # Use the hostapd's IEEE 802.11 authentication (ACL), but without
 # the IEEE 802.11 Management capability (e.g., FreeBSD/net80211)
 #CONFIG_DRIVER_RADIUS_ACL=y
 # IEEE 802.11n (High Throughput) support
 CONFIG_IEEE80211N=y
 # Wireless Network Management (IEEE Std 802.11v-2011)
 # Note: This is experimental and not complete implementation.
 #CONFIG_WNM=y
 # IEEE 802.11ac (Very High Throughput) support
 CONFIG_IEEE80211AC=y
 # IEEE 802.11ax HE support
 # Note: This is experimental and work in progress. The definitions are still
 # subject to change and this should not be expected to interoperate with the
 # final IEEE 802.11ax version.
 #CONFIG_IEEE80211AX=y
 # Remove debugging code that is printing out debug messages to stdout.
 # This can be used to reduce the size of the hostapd considerably if debugging
 # code is not needed.
 #CONFIG_NO_STDOUT_DEBUG=y
 # Add support for writing debug log to a file: -f /tmp/hostapd.log
 # Disabled by default.
 #CONFIG_DEBUG_FILE=y
 # Send debug messages to syslog instead of stdout
 CONFIG_DEBUG_SYSLOG=y
 # Add support for sending all debug messages (regardless of debug verbosity)
 # to the Linux kernel tracing facility. This helps debug the entire stack by
 # making it easy to record everything happening from the driver up into the
 # same file, e.g., using trace-cmd.
 #CONFIG_DEBUG_LINUX_TRACING=y
 # Remove support for RADIUS accounting
 CONFIG_NO_ACCOUNTING=y
 # Remove support for RADIUS
 CONFIG_NO_RADIUS=y
 # Remove support for VLANs
 #CONFIG_NO_VLAN=y
 # Enable support for fully dynamic VLANs. This enables hostapd to
 # automatically create bridge and VLAN interfaces if necessary.
 #CONFIG_FULL_DYNAMIC_VLAN=y
 # Use netlink-based kernel API for VLAN operations instead of ioctl()
 # Note: This requires libnl 3.1 or newer.
 #CONFIG_VLAN_NETLINK=y
 # Remove support for dumping internal state through control interface commands
 # This can be used to reduce binary size at the cost of disabling a debugging
 # option.
 CONFIG_NO_DUMP_STATE=y
 # Enable tracing code for developer debugging
 # This tracks use of memory allocations and other registrations and reports
 # incorrect use with a backtrace of call (or allocation) location.
 #CONFIG_WPA_TRACE=y
 # For BSD, comment out these.
 #LIBS += -lexecinfo
 #LIBS_p += -lexecinfo
 #LIBS_c += -lexecinfo
 # Use libbfd to get more details for developer debugging
 # This enables use of libbfd to get more detailed symbols for the backtraces
 # generated by CONFIG_WPA_TRACE=y.
 #CONFIG_WPA_TRACE_BFD=y
 # For BSD, comment out these.
 #LIBS += -lbfd -liberty -lz
 #LIBS_p += -lbfd -liberty -lz
 #LIBS_c += -lbfd -liberty -lz
 # hostapd depends on strong random number generation being available from the
 # operating system. os_get_random() function is used to fetch random data when
 # needed, e.g., for key generation. On Linux and BSD systems, this works by
 # reading /dev/urandom. It should be noted that the OS entropy pool needs to be
 # properly initialized before hostapd is started. This is important especially
 # on embedded devices that do not have a hardware random number generator and
 # may by default start up with minimal entropy available for random number
 # generation.
 #
 # As a safety net, hostapd is by default trying to internally collect
 # additional entropy for generating random data to mix in with the data
 # fetched from the OS. This by itself is not considered to be very strong, but
 # it may help in cases where the system pool is not initialized properly.
 # However, it is very strongly recommended that the system pool is initialized
 # with enough entropy either by using hardware assisted random number
 # generator or by storing state over device reboots.
 #
 # hostapd can be configured to maintain its own entropy store over restarts to
 # enhance random number generation. This is not perfect, but it is much more
 # secure than using the same sequence of random numbers after every reboot.
 # This can be enabled with -e<entropy file> command line option. The specified
 # file needs to be readable and writable by hostapd.
 #
 # If the os_get_random() is known to provide strong random data (e.g., on
 # Linux/BSD, the board in question is known to have reliable source of random
 # data from /dev/urandom), the internal hostapd random pool can be disabled.
 # This will save some in binary size and CPU use. However, this should only be
 # considered for builds that are known to be used on devices that meet the
 # requirements described above.
 CONFIG_NO_RANDOM_POOL=y
 # Should we attempt to use the getrandom(2) call that provides more reliable
 # yet secure randomness source than /dev/random on Linux 3.17 and newer.
 # Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
 CONFIG_GETRANDOM=y
 # Should we use poll instead of select? Select is used by default.
 #CONFIG_ELOOP_POLL=y
 # Should we use epoll instead of select? Select is used by default.
 CONFIG_ELOOP_EPOLL=y
 # Should we use kqueue instead of select? Select is used by default.
 #CONFIG_ELOOP_KQUEUE=y
 # Select TLS implementation
 # openssl = OpenSSL (default)
 # gnutls = GnuTLS
 # internal = Internal TLSv1 implementation (experimental)
 # linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
 # none = Empty template
 CONFIG_TLS=internal
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
 # can be enabled to get a stronger construction of messages when block ciphers
 # are used.
 #CONFIG_TLSV11=y
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
 # can be enabled to enable use of stronger crypto algorithms.
 #CONFIG_TLSV12=y
 # Select which ciphers to use by default with OpenSSL if the user does not
 # specify them.
 #CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
 # LibTomMath can be used. See beginning of libtommath.c for details on benefits
 # and drawbacks of this option.
 #CONFIG_INTERNAL_LIBTOMMATH=y
 #ifndef CONFIG_INTERNAL_LIBTOMMATH
 #LTM_PATH=/usr/src/libtommath-0.39
 #CFLAGS += -I$(LTM_PATH)
 #LIBS += -L$(LTM_PATH)
 #LIBS_p += -L$(LTM_PATH)
 #endif
 # At the cost of about 4 kB of additional binary size, the internal LibTomMath
 # can be configured to include faster routines for exptmod, sqr, and div to
 # speed up DH and RSA calculation considerably
 #CONFIG_INTERNAL_LIBTOMMATH_FAST=y
 # Interworking (IEEE 802.11u)
 # This can be used to enable functionality to improve interworking with
 # external networks.
 #CONFIG_INTERWORKING=y
 # Hotspot 2.0
 #CONFIG_HS20=y
 # Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file
 #CONFIG_SQLITE=y
 # Enable Fast Session Transfer (FST)
 #CONFIG_FST=y
 # Enable CLI commands for FST testing
 #CONFIG_FST_TEST=y
 # Testing options
 # This can be used to enable some testing options (see also the example
 # configuration file) that are really useful only for testing clients that
 # connect to this hostapd. These options allow, for example, to drop a
 # certain percentage of probe requests or auth/(re)assoc frames.
 #
 #CONFIG_TESTING_OPTIONS=y
 # Automatic Channel Selection
 # This will allow hostapd to pick the channel automatically when channel is set
 # to "acs_survey" or "0". Eventually, other ACS algorithms can be added in
 # similar way.
 #
 # Automatic selection is currently only done through initialization, later on
 # we hope to do background checks to keep us moving to more ideal channels as
 # time goes by. ACS is currently only supported through the nl80211 driver and
 # your driver must have survey dump capability that is filled by the driver
 # during scanning.
 #
 # You can customize the ACS survey algorithm with the hostapd.conf variable
 # acs_num_scans.
 #
 # Supported ACS drivers:
 # * ath9k
 # * ath5k
 # * ath10k
 #
 # For more details refer to:
 # http://wireless.kernel.org/en/users/Documentation/acs
 #
 #CONFIG_ACS=y
 # Multiband Operation support
 # These extentions facilitate efficient use of multiple frequency bands
 # available to the AP and the devices that may associate with it.
 #CONFIG_MBO=y
 # Client Taxonomy
 # Has the AP retain the Probe Request and (Re)Association Request frames from
 # a client, from which a signature can be produced which can identify the model
 # of client device like "Nexus 6P" or "iPhone 5s".
 #CONFIG_TAXONOMY=y
 # Fast Initial Link Setup (FILS) (IEEE 802.11ai)
 #CONFIG_FILS=y
 # FILS shared key authentication with PFS
 #CONFIG_FILS_SK_PFS=y
 # Include internal line edit mode in hostapd_cli. This can be used to provide
 # limited command line editing and history support.
 #CONFIG_WPA_CLI_EDIT=y
 # Opportunistic Wireless Encryption (OWE)
 # Experimental implementation of draft-harkins-owe-07.txt
 #CONFIG_OWE=y
 # Airtime policy support
 CONFIG_AIRTIME_POLICY=y
 # Proxy ARP support
 #CONFIG_PROXYARP=y
 # Override default value for the wpa_disable_eapol_key_retries configuration
 # parameter. See that parameter in hostapd.conf for more details.
 #CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1
 # uBus IPC/RPC System
 # Services can connect to the bus and provide methods
 # that can be called by other services or clients.
 CONFIG_UBUS=y
 # OpenWrt patch 380-disable-ctrl-iface-mib.patch
 # leads to the MIB only being compiled in if
 # CONFIG_CTRL_IFACE_MIB is enabled.
 #CONFIG_CTRL_IFACE_MIB=y
--- a/feeds/hostapd/hostapd/files/hostapd-full.config
+++ b/feeds/hostapd/hostapd/files/hostapd-full.config
@@ -0,0 +1,404 @@
 # Example hostapd build time configuration
 #
 # This file lists the configuration options that are used when building the
 # hostapd binary. All lines starting with # are ignored. Configuration option
 # lines must be commented out complete, if they are not to be included, i.e.,
 # just setting VARIABLE=n is not disabling that variable.
 #
 # This file is included in Makefile, so variables like CFLAGS and LIBS can also
 # be modified from here. In most cass, these lines should use += in order not
 # to override previous values of the variables.
 # Driver interface for Host AP driver
 #CONFIG_DRIVER_HOSTAP=y
 # Driver interface for wired authenticator
 CONFIG_DRIVER_WIRED=y
 # Driver interface for drivers using the nl80211 kernel interface
 CONFIG_DRIVER_NL80211=y
 # QCA vendor extensions to nl80211
 #CONFIG_DRIVER_NL80211_QCA=y
 # driver_nl80211.c requires libnl. If you are compiling it yourself
 # you may need to point hostapd to your version of libnl.
 #
 #CFLAGS += -I$<path to libnl include files>
 #LIBS += -L$<path to libnl library files>
 # Use libnl v2.0 (or 3.0) libraries.
 #CONFIG_LIBNL20=y
 # Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
 #CONFIG_LIBNL32=y
 # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
 #CONFIG_DRIVER_BSD=y
 #CFLAGS += -I/usr/local/include
 #LIBS += -L/usr/local/lib
 #LIBS_p += -L/usr/local/lib
 #LIBS_c += -L/usr/local/lib
 # Driver interface for no driver (e.g., RADIUS server only)
 #CONFIG_DRIVER_NONE=y
 # IEEE 802.11F/IAPP
 CONFIG_IAPP=y
 # WPA2/IEEE 802.11i RSN pre-authentication
 CONFIG_RSN_PREAUTH=y
 # IEEE 802.11w (management frame protection)
 #CONFIG_IEEE80211W=y
 # Support Operating Channel Validation
 CONFIG_OCV=y
 # Integrated EAP server
 CONFIG_EAP=y
 # EAP Re-authentication Protocol (ERP) in integrated EAP server
 CONFIG_ERP=y
 # EAP-MD5 for the integrated EAP server
 CONFIG_EAP_MD5=y
 # EAP-TLS for the integrated EAP server
 CONFIG_EAP_TLS=y
 # EAP-MSCHAPv2 for the integrated EAP server
 CONFIG_EAP_MSCHAPV2=y
 # EAP-PEAP for the integrated EAP server
 CONFIG_EAP_PEAP=y
 # EAP-GTC for the integrated EAP server
 CONFIG_EAP_GTC=y
 # EAP-TTLS for the integrated EAP server
 CONFIG_EAP_TTLS=y
 # EAP-SIM for the integrated EAP server
 #CONFIG_EAP_SIM=y
 # EAP-AKA for the integrated EAP server
 #CONFIG_EAP_AKA=y
 # EAP-AKA' for the integrated EAP server
 # This requires CONFIG_EAP_AKA to be enabled, too.
 #CONFIG_EAP_AKA_PRIME=y
 # EAP-PAX for the integrated EAP server
 #CONFIG_EAP_PAX=y
 # EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK)
 CONFIG_EAP_PSK=y
 # EAP-pwd for the integrated EAP server (secure authentication with a password)
 CONFIG_EAP_PWD=y
 # EAP-SAKE for the integrated EAP server
 #CONFIG_EAP_SAKE=y
 # EAP-GPSK for the integrated EAP server
 #CONFIG_EAP_GPSK=y
 # Include support for optional SHA256 cipher suite in EAP-GPSK
 #CONFIG_EAP_GPSK_SHA256=y
 # EAP-FAST for the integrated EAP server
 CONFIG_EAP_FAST=y
 # EAP-TEAP for the integrated EAP server
 # Note: The current EAP-TEAP implementation is experimental and should not be
 # enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
 # of conflicting statements and missing details and the implementation has
 # vendor specific workarounds for those and as such, may not interoperate with
 # any other implementation. This should not be used for anything else than
 # experimentation and interoperability testing until those issues has been
 # resolved.
 #CONFIG_EAP_TEAP=y
 # Wi-Fi Protected Setup (WPS)
 CONFIG_WPS=y
 # Enable UPnP support for external WPS Registrars
 #CONFIG_WPS_UPNP=y
 # Enable WPS support with NFC config method
 #CONFIG_WPS_NFC=y
 # EAP-IKEv2
 #CONFIG_EAP_IKEV2=y
 # Trusted Network Connect (EAP-TNC)
 #CONFIG_EAP_TNC=y
 # EAP-EKE for the integrated EAP server
 #CONFIG_EAP_EKE=y
 # PKCS#12 (PFX) support (used to read private key and certificate file from
 # a file that usually has extension .p12 or .pfx)
 CONFIG_PKCS12=y
 # RADIUS authentication server. This provides access to the integrated EAP
 # server from external hosts using RADIUS.
 CONFIG_RADIUS_SERVER=y
 # Build IPv6 support for RADIUS operations
 CONFIG_IPV6=y
 # IEEE Std 802.11r-2008 (Fast BSS Transition)
 CONFIG_IEEE80211R=y
 # Use the hostapd's IEEE 802.11 authentication (ACL), but without
 # the IEEE 802.11 Management capability (e.g., FreeBSD/net80211)
 #CONFIG_DRIVER_RADIUS_ACL=y
 # IEEE 802.11n (High Throughput) support
 CONFIG_IEEE80211N=y
 # Wireless Network Management (IEEE Std 802.11v-2011)
 # Note: This is experimental and not complete implementation.
 CONFIG_WNM=y
 # IEEE 802.11ac (Very High Throughput) support
 CONFIG_IEEE80211AC=y
 # IEEE 802.11ax HE support
 # Note: This is experimental and work in progress. The definitions are still
 # subject to change and this should not be expected to interoperate with the
 # final IEEE 802.11ax version.
 #CONFIG_IEEE80211AX=y
 # Remove debugging code that is printing out debug messages to stdout.
 # This can be used to reduce the size of the hostapd considerably if debugging
 # code is not needed.
 #CONFIG_NO_STDOUT_DEBUG=y
 # Add support for writing debug log to a file: -f /tmp/hostapd.log
 # Disabled by default.
 #CONFIG_DEBUG_FILE=y
 # Send debug messages to syslog instead of stdout
 CONFIG_DEBUG_SYSLOG=y
 # Add support for sending all debug messages (regardless of debug verbosity)
 # to the Linux kernel tracing facility. This helps debug the entire stack by
 # making it easy to record everything happening from the driver up into the
 # same file, e.g., using trace-cmd.
 #CONFIG_DEBUG_LINUX_TRACING=y
 # Remove support for RADIUS accounting
 #CONFIG_NO_ACCOUNTING=y
 # Remove support for RADIUS
 #CONFIG_NO_RADIUS=y
 # Remove support for VLANs
 #CONFIG_NO_VLAN=y
 # Enable support for fully dynamic VLANs. This enables hostapd to
 # automatically create bridge and VLAN interfaces if necessary.
 CONFIG_FULL_DYNAMIC_VLAN=y
 # Use netlink-based kernel API for VLAN operations instead of ioctl()
 # Note: This requires libnl 3.1 or newer.
 #CONFIG_VLAN_NETLINK=y
 # Remove support for dumping internal state through control interface commands
 # This can be used to reduce binary size at the cost of disabling a debugging
 # option.
 CONFIG_NO_DUMP_STATE=y
 # Enable tracing code for developer debugging
 # This tracks use of memory allocations and other registrations and reports
 # incorrect use with a backtrace of call (or allocation) location.
 #CONFIG_WPA_TRACE=y
 # For BSD, comment out these.
 #LIBS += -lexecinfo
 #LIBS_p += -lexecinfo
 #LIBS_c += -lexecinfo
 # Use libbfd to get more details for developer debugging
 # This enables use of libbfd to get more detailed symbols for the backtraces
 # generated by CONFIG_WPA_TRACE=y.
 #CONFIG_WPA_TRACE_BFD=y
 # For BSD, comment out these.
 #LIBS += -lbfd -liberty -lz
 #LIBS_p += -lbfd -liberty -lz
 #LIBS_c += -lbfd -liberty -lz
 # hostapd depends on strong random number generation being available from the
 # operating system. os_get_random() function is used to fetch random data when
 # needed, e.g., for key generation. On Linux and BSD systems, this works by
 # reading /dev/urandom. It should be noted that the OS entropy pool needs to be
 # properly initialized before hostapd is started. This is important especially
 # on embedded devices that do not have a hardware random number generator and
 # may by default start up with minimal entropy available for random number
 # generation.
 #
 # As a safety net, hostapd is by default trying to internally collect
 # additional entropy for generating random data to mix in with the data
 # fetched from the OS. This by itself is not considered to be very strong, but
 # it may help in cases where the system pool is not initialized properly.
 # However, it is very strongly recommended that the system pool is initialized
 # with enough entropy either by using hardware assisted random number
 # generator or by storing state over device reboots.
 #
 # hostapd can be configured to maintain its own entropy store over restarts to
 # enhance random number generation. This is not perfect, but it is much more
 # secure than using the same sequence of random numbers after every reboot.
 # This can be enabled with -e<entropy file> command line option. The specified
 # file needs to be readable and writable by hostapd.
 #
 # If the os_get_random() is known to provide strong random data (e.g., on
 # Linux/BSD, the board in question is known to have reliable source of random
 # data from /dev/urandom), the internal hostapd random pool can be disabled.
 # This will save some in binary size and CPU use. However, this should only be
 # considered for builds that are known to be used on devices that meet the
 # requirements described above.
 CONFIG_NO_RANDOM_POOL=y
 # Should we attempt to use the getrandom(2) call that provides more reliable
 # yet secure randomness source than /dev/random on Linux 3.17 and newer.
 # Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
 CONFIG_GETRANDOM=y
 # Should we use poll instead of select? Select is used by default.
 #CONFIG_ELOOP_POLL=y
 # Should we use epoll instead of select? Select is used by default.
 CONFIG_ELOOP_EPOLL=y
 # Should we use kqueue instead of select? Select is used by default.
 #CONFIG_ELOOP_KQUEUE=y
 # Select TLS implementation
 # openssl = OpenSSL (default)
 # gnutls = GnuTLS
 # internal = Internal TLSv1 implementation (experimental)
 # linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
 # none = Empty template
 CONFIG_TLS=internal
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
 # can be enabled to get a stronger construction of messages when block ciphers
 # are used.
 #CONFIG_TLSV11=y
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
 # can be enabled to enable use of stronger crypto algorithms.
 #CONFIG_TLSV12=y
 # Select which ciphers to use by default with OpenSSL if the user does not
 # specify them.
 #CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
 # LibTomMath can be used. See beginning of libtommath.c for details on benefits
 # and drawbacks of this option.
 CONFIG_INTERNAL_LIBTOMMATH=y
 #ifndef CONFIG_INTERNAL_LIBTOMMATH
 #LTM_PATH=/usr/src/libtommath-0.39
 #CFLAGS += -I$(LTM_PATH)
 #LIBS += -L$(LTM_PATH)
 #LIBS_p += -L$(LTM_PATH)
 #endif
 # At the cost of about 4 kB of additional binary size, the internal LibTomMath
 # can be configured to include faster routines for exptmod, sqr, and div to
 # speed up DH and RSA calculation considerably
 #CONFIG_INTERNAL_LIBTOMMATH_FAST=y
 # Interworking (IEEE 802.11u)
 # This can be used to enable functionality to improve interworking with
 # external networks.
 CONFIG_INTERWORKING=y
 # Hotspot 2.0
 CONFIG_HS20=y
 # Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file
 #CONFIG_SQLITE=y
 # Enable Fast Session Transfer (FST)
 #CONFIG_FST=y
 # Enable CLI commands for FST testing
 #CONFIG_FST_TEST=y
 # Testing options
 # This can be used to enable some testing options (see also the example
 # configuration file) that are really useful only for testing clients that
 # connect to this hostapd. These options allow, for example, to drop a
 # certain percentage of probe requests or auth/(re)assoc frames.
 #
 #CONFIG_TESTING_OPTIONS=y
 # Automatic Channel Selection
 # This will allow hostapd to pick the channel automatically when channel is set
 # to "acs_survey" or "0". Eventually, other ACS algorithms can be added in
 # similar way.
 #
 # Automatic selection is currently only done through initialization, later on
 # we hope to do background checks to keep us moving to more ideal channels as
 # time goes by. ACS is currently only supported through the nl80211 driver and
 # your driver must have survey dump capability that is filled by the driver
 # during scanning.
 #
 # You can customize the ACS survey algorithm with the hostapd.conf variable
 # acs_num_scans.
 #
 # Supported ACS drivers:
 # * ath9k
 # * ath5k
 # * ath10k
 #
 # For more details refer to:
 # http://wireless.kernel.org/en/users/Documentation/acs
 #
 #CONFIG_ACS=y
 # Multiband Operation support
 # These extentions facilitate efficient use of multiple frequency bands
 # available to the AP and the devices that may associate with it.
 #CONFIG_MBO=y
 # Client Taxonomy
 # Has the AP retain the Probe Request and (Re)Association Request frames from
 # a client, from which a signature can be produced which can identify the model
 # of client device like "Nexus 6P" or "iPhone 5s".
 CONFIG_TAXONOMY=y
 # Fast Initial Link Setup (FILS) (IEEE 802.11ai)
 #CONFIG_FILS=y
 # FILS shared key authentication with PFS
 #CONFIG_FILS_SK_PFS=y
 # Include internal line edit mode in hostapd_cli. This can be used to provide
 # limited command line editing and history support.
 #CONFIG_WPA_CLI_EDIT=y
 # Opportunistic Wireless Encryption (OWE)
 # Experimental implementation of draft-harkins-owe-07.txt
 #CONFIG_OWE=y
 # Airtime policy support
 CONFIG_AIRTIME_POLICY=y
 # Proxy ARP support
 CONFIG_PROXYARP=y
 # Override default value for the wpa_disable_eapol_key_retries configuration
 # parameter. See that parameter in hostapd.conf for more details.
 #CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1
 # uBus IPC/RPC System
 # Services can connect to the bus and provide methods
 # that can be called by other services or clients.
 CONFIG_UBUS=y
 # OpenWrt patch 380-disable-ctrl-iface-mib.patch
 # leads to the MIB only being compiled in if
 # CONFIG_CTRL_IFACE_MIB is enabled.
 CONFIG_CTRL_IFACE_MIB=y
--- a/feeds/hostapd/hostapd/files/hostapd-mini.config
+++ b/feeds/hostapd/hostapd/files/hostapd-mini.config
@@ -0,0 +1,404 @@
 # Example hostapd build time configuration
 #
 # This file lists the configuration options that are used when building the
 # hostapd binary. All lines starting with # are ignored. Configuration option
 # lines must be commented out complete, if they are not to be included, i.e.,
 # just setting VARIABLE=n is not disabling that variable.
 #
 # This file is included in Makefile, so variables like CFLAGS and LIBS can also
 # be modified from here. In most cass, these lines should use += in order not
 # to override previous values of the variables.
 # Driver interface for Host AP driver
 #CONFIG_DRIVER_HOSTAP=y
 # Driver interface for wired authenticator
 CONFIG_DRIVER_WIRED=y
 # Driver interface for drivers using the nl80211 kernel interface
 CONFIG_DRIVER_NL80211=y
 # QCA vendor extensions to nl80211
 #CONFIG_DRIVER_NL80211_QCA=y
 # driver_nl80211.c requires libnl. If you are compiling it yourself
 # you may need to point hostapd to your version of libnl.
 #
 #CFLAGS += -I$<path to libnl include files>
 #LIBS += -L$<path to libnl library files>
 # Use libnl v2.0 (or 3.0) libraries.
 #CONFIG_LIBNL20=y
 # Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
 #CONFIG_LIBNL32=y
 # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
 #CONFIG_DRIVER_BSD=y
 #CFLAGS += -I/usr/local/include
 #LIBS += -L/usr/local/lib
 #LIBS_p += -L/usr/local/lib
 #LIBS_c += -L/usr/local/lib
 # Driver interface for no driver (e.g., RADIUS server only)
 #CONFIG_DRIVER_NONE=y
 # IEEE 802.11F/IAPP
 #CONFIG_IAPP=y
 # WPA2/IEEE 802.11i RSN pre-authentication
 CONFIG_RSN_PREAUTH=y
 # IEEE 802.11w (management frame protection)
 #CONFIG_IEEE80211W=y
 # Support Operating Channel Validation
 #CONFIG_OCV=y
 # Integrated EAP server
 #CONFIG_EAP=y
 # EAP Re-authentication Protocol (ERP) in integrated EAP server
 #CONFIG_ERP=y
 # EAP-MD5 for the integrated EAP server
 #CONFIG_EAP_MD5=y
 # EAP-TLS for the integrated EAP server
 #CONFIG_EAP_TLS=y
 # EAP-MSCHAPv2 for the integrated EAP server
 #CONFIG_EAP_MSCHAPV2=y
 # EAP-PEAP for the integrated EAP server
 #CONFIG_EAP_PEAP=y
 # EAP-GTC for the integrated EAP server
 #CONFIG_EAP_GTC=y
 # EAP-TTLS for the integrated EAP server
 #CONFIG_EAP_TTLS=y
 # EAP-SIM for the integrated EAP server
 #CONFIG_EAP_SIM=y
 # EAP-AKA for the integrated EAP server
 #CONFIG_EAP_AKA=y
 # EAP-AKA' for the integrated EAP server
 # This requires CONFIG_EAP_AKA to be enabled, too.
 #CONFIG_EAP_AKA_PRIME=y
 # EAP-PAX for the integrated EAP server
 #CONFIG_EAP_PAX=y
 # EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK)
 #CONFIG_EAP_PSK=y
 # EAP-pwd for the integrated EAP server (secure authentication with a password)
 #CONFIG_EAP_PWD=y
 # EAP-SAKE for the integrated EAP server
 #CONFIG_EAP_SAKE=y
 # EAP-GPSK for the integrated EAP server
 #CONFIG_EAP_GPSK=y
 # Include support for optional SHA256 cipher suite in EAP-GPSK
 #CONFIG_EAP_GPSK_SHA256=y
 # EAP-FAST for the integrated EAP server
 #CONFIG_EAP_FAST=y
 # EAP-TEAP for the integrated EAP server
 # Note: The current EAP-TEAP implementation is experimental and should not be
 # enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
 # of conflicting statements and missing details and the implementation has
 # vendor specific workarounds for those and as such, may not interoperate with
 # any other implementation. This should not be used for anything else than
 # experimentation and interoperability testing until those issues has been
 # resolved.
 #CONFIG_EAP_TEAP=y
 # Wi-Fi Protected Setup (WPS)
 #CONFIG_WPS=y
 # Enable UPnP support for external WPS Registrars
 #CONFIG_WPS_UPNP=y
 # Enable WPS support with NFC config method
 #CONFIG_WPS_NFC=y
 # EAP-IKEv2
 #CONFIG_EAP_IKEV2=y
 # Trusted Network Connect (EAP-TNC)
 #CONFIG_EAP_TNC=y
 # EAP-EKE for the integrated EAP server
 #CONFIG_EAP_EKE=y
 # PKCS#12 (PFX) support (used to read private key and certificate file from
 # a file that usually has extension .p12 or .pfx)
 #CONFIG_PKCS12=y
 # RADIUS authentication server. This provides access to the integrated EAP
 # server from external hosts using RADIUS.
 #CONFIG_RADIUS_SERVER=y
 # Build IPv6 support for RADIUS operations
 #CONFIG_IPV6=y
 # IEEE Std 802.11r-2008 (Fast BSS Transition)
 #CONFIG_IEEE80211R=y
 # Use the hostapd's IEEE 802.11 authentication (ACL), but without
 # the IEEE 802.11 Management capability (e.g., FreeBSD/net80211)
 #CONFIG_DRIVER_RADIUS_ACL=y
 # IEEE 802.11n (High Throughput) support
 CONFIG_IEEE80211N=y
 # Wireless Network Management (IEEE Std 802.11v-2011)
 # Note: This is experimental and not complete implementation.
 #CONFIG_WNM=y
 # IEEE 802.11ac (Very High Throughput) support
 CONFIG_IEEE80211AC=y
 # IEEE 802.11ax HE support
 # Note: This is experimental and work in progress. The definitions are still
 # subject to change and this should not be expected to interoperate with the
 # final IEEE 802.11ax version.
 #CONFIG_IEEE80211AX=y
 # Remove debugging code that is printing out debug messages to stdout.
 # This can be used to reduce the size of the hostapd considerably if debugging
 # code is not needed.
 #CONFIG_NO_STDOUT_DEBUG=y
 # Add support for writing debug log to a file: -f /tmp/hostapd.log
 # Disabled by default.
 #CONFIG_DEBUG_FILE=y
 # Send debug messages to syslog instead of stdout
 CONFIG_DEBUG_SYSLOG=y
 # Add support for sending all debug messages (regardless of debug verbosity)
 # to the Linux kernel tracing facility. This helps debug the entire stack by
 # making it easy to record everything happening from the driver up into the
 # same file, e.g., using trace-cmd.
 #CONFIG_DEBUG_LINUX_TRACING=y
 # Remove support for RADIUS accounting
 CONFIG_NO_ACCOUNTING=y
 # Remove support for RADIUS
 CONFIG_NO_RADIUS=y
 # Remove support for VLANs
 #CONFIG_NO_VLAN=y
 # Enable support for fully dynamic VLANs. This enables hostapd to
 # automatically create bridge and VLAN interfaces if necessary.
 #CONFIG_FULL_DYNAMIC_VLAN=y
 # Use netlink-based kernel API for VLAN operations instead of ioctl()
 # Note: This requires libnl 3.1 or newer.
 #CONFIG_VLAN_NETLINK=y
 # Remove support for dumping internal state through control interface commands
 # This can be used to reduce binary size at the cost of disabling a debugging
 # option.
 CONFIG_NO_DUMP_STATE=y
 # Enable tracing code for developer debugging
 # This tracks use of memory allocations and other registrations and reports
 # incorrect use with a backtrace of call (or allocation) location.
 #CONFIG_WPA_TRACE=y
 # For BSD, comment out these.
 #LIBS += -lexecinfo
 #LIBS_p += -lexecinfo
 #LIBS_c += -lexecinfo
 # Use libbfd to get more details for developer debugging
 # This enables use of libbfd to get more detailed symbols for the backtraces
 # generated by CONFIG_WPA_TRACE=y.
 #CONFIG_WPA_TRACE_BFD=y
 # For BSD, comment out these.
 #LIBS += -lbfd -liberty -lz
 #LIBS_p += -lbfd -liberty -lz
 #LIBS_c += -lbfd -liberty -lz
 # hostapd depends on strong random number generation being available from the
 # operating system. os_get_random() function is used to fetch random data when
 # needed, e.g., for key generation. On Linux and BSD systems, this works by
 # reading /dev/urandom. It should be noted that the OS entropy pool needs to be
 # properly initialized before hostapd is started. This is important especially
 # on embedded devices that do not have a hardware random number generator and
 # may by default start up with minimal entropy available for random number
 # generation.
 #
 # As a safety net, hostapd is by default trying to internally collect
 # additional entropy for generating random data to mix in with the data
 # fetched from the OS. This by itself is not considered to be very strong, but
 # it may help in cases where the system pool is not initialized properly.
 # However, it is very strongly recommended that the system pool is initialized
 # with enough entropy either by using hardware assisted random number
 # generator or by storing state over device reboots.
 #
 # hostapd can be configured to maintain its own entropy store over restarts to
 # enhance random number generation. This is not perfect, but it is much more
 # secure than using the same sequence of random numbers after every reboot.
 # This can be enabled with -e<entropy file> command line option. The specified
 # file needs to be readable and writable by hostapd.
 #
 # If the os_get_random() is known to provide strong random data (e.g., on
 # Linux/BSD, the board in question is known to have reliable source of random
 # data from /dev/urandom), the internal hostapd random pool can be disabled.
 # This will save some in binary size and CPU use. However, this should only be
 # considered for builds that are known to be used on devices that meet the
 # requirements described above.
 CONFIG_NO_RANDOM_POOL=y
 # Should we attempt to use the getrandom(2) call that provides more reliable
 # yet secure randomness source than /dev/random on Linux 3.17 and newer.
 # Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
 CONFIG_GETRANDOM=y
 # Should we use poll instead of select? Select is used by default.
 #CONFIG_ELOOP_POLL=y
 # Should we use epoll instead of select? Select is used by default.
 CONFIG_ELOOP_EPOLL=y
 # Should we use kqueue instead of select? Select is used by default.
 #CONFIG_ELOOP_KQUEUE=y
 # Select TLS implementation
 # openssl = OpenSSL (default)
 # gnutls = GnuTLS
 # internal = Internal TLSv1 implementation (experimental)
 # linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
 # none = Empty template
 CONFIG_TLS=internal
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
 # can be enabled to get a stronger construction of messages when block ciphers
 # are used.
 #CONFIG_TLSV11=y
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
 # can be enabled to enable use of stronger crypto algorithms.
 #CONFIG_TLSV12=y
 # Select which ciphers to use by default with OpenSSL if the user does not
 # specify them.
 #CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
 # LibTomMath can be used. See beginning of libtommath.c for details on benefits
 # and drawbacks of this option.
 #CONFIG_INTERNAL_LIBTOMMATH=y
 #ifndef CONFIG_INTERNAL_LIBTOMMATH
 #LTM_PATH=/usr/src/libtommath-0.39
 #CFLAGS += -I$(LTM_PATH)
 #LIBS += -L$(LTM_PATH)
 #LIBS_p += -L$(LTM_PATH)
 #endif
 # At the cost of about 4 kB of additional binary size, the internal LibTomMath
 # can be configured to include faster routines for exptmod, sqr, and div to
 # speed up DH and RSA calculation considerably
 #CONFIG_INTERNAL_LIBTOMMATH_FAST=y
 # Interworking (IEEE 802.11u)
 # This can be used to enable functionality to improve interworking with
 # external networks.
 #CONFIG_INTERWORKING=y
 # Hotspot 2.0
 #CONFIG_HS20=y
 # Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file
 #CONFIG_SQLITE=y
 # Enable Fast Session Transfer (FST)
 #CONFIG_FST=y
 # Enable CLI commands for FST testing
 #CONFIG_FST_TEST=y
 # Testing options
 # This can be used to enable some testing options (see also the example
 # configuration file) that are really useful only for testing clients that
 # connect to this hostapd. These options allow, for example, to drop a
 # certain percentage of probe requests or auth/(re)assoc frames.
 #
 #CONFIG_TESTING_OPTIONS=y
 # Automatic Channel Selection
 # This will allow hostapd to pick the channel automatically when channel is set
 # to "acs_survey" or "0". Eventually, other ACS algorithms can be added in
 # similar way.
 #
 # Automatic selection is currently only done through initialization, later on
 # we hope to do background checks to keep us moving to more ideal channels as
 # time goes by. ACS is currently only supported through the nl80211 driver and
 # your driver must have survey dump capability that is filled by the driver
 # during scanning.
 #
 # You can customize the ACS survey algorithm with the hostapd.conf variable
 # acs_num_scans.
 #
 # Supported ACS drivers:
 # * ath9k
 # * ath5k
 # * ath10k
 #
 # For more details refer to:
 # http://wireless.kernel.org/en/users/Documentation/acs
 #
 #CONFIG_ACS=y
 # Multiband Operation support
 # These extentions facilitate efficient use of multiple frequency bands
 # available to the AP and the devices that may associate with it.
 #CONFIG_MBO=y
 # Client Taxonomy
 # Has the AP retain the Probe Request and (Re)Association Request frames from
 # a client, from which a signature can be produced which can identify the model
 # of client device like "Nexus 6P" or "iPhone 5s".
 #CONFIG_TAXONOMY=y
 # Fast Initial Link Setup (FILS) (IEEE 802.11ai)
 #CONFIG_FILS=y
 # FILS shared key authentication with PFS
 #CONFIG_FILS_SK_PFS=y
 # Include internal line edit mode in hostapd_cli. This can be used to provide
 # limited command line editing and history support.
 #CONFIG_WPA_CLI_EDIT=y
 # Opportunistic Wireless Encryption (OWE)
 # Experimental implementation of draft-harkins-owe-07.txt
 #CONFIG_OWE=y
 # Airtime policy support
 #CONFIG_AIRTIME_POLICY=y
 # Proxy ARP support
 #CONFIG_PROXYARP=y
 # Override default value for the wpa_disable_eapol_key_retries configuration
 # parameter. See that parameter in hostapd.conf for more details.
 #CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1
 # uBus IPC/RPC System
 # Services can connect to the bus and provide methods
 # that can be called by other services or clients.
 CONFIG_UBUS=y
 # OpenWrt patch 380-disable-ctrl-iface-mib.patch
 # leads to the MIB only being compiled in if
 # CONFIG_CTRL_IFACE_MIB is enabled.
 #CONFIG_CTRL_IFACE_MIB=y
--- a/feeds/hostapd/hostapd/files/hostapd.sh
+++ b/feeds/hostapd/hostapd/files/hostapd.sh
--- a/feeds/hostapd/hostapd/files/hostapd.uc
+++ b/feeds/hostapd/hostapd/files/hostapd.uc
--- a/feeds/ipq95xx/hostapd.old/files/multicall.c
+++ b/feeds/ipq95xx/hostapd.old/files/multicall.c
--- a/feeds/hostapd/hostapd/files/radius.clients
+++ b/feeds/hostapd/hostapd/files/radius.clients
@@ -0,0 +1 @@
 0.0.0.0/0 radius
--- a/feeds/hostapd/hostapd/files/radius.config
+++ b/feeds/hostapd/hostapd/files/radius.config
@@ -0,0 +1,9 @@
 config radius
 	option disabled '1'
 	option ca_cert '/etc/radius/ca.pem'
 	option cert '/etc/radius/cert.pem'
 	option key '/etc/radius/key.pem'
 	option users '/etc/radius/users'
 	option clients '/etc/radius/clients'
 	option auth_port '1812'
 	option acct_port '1813'
--- a/feeds/hostapd/hostapd/files/radius.init
+++ b/feeds/hostapd/hostapd/files/radius.init
@@ -0,0 +1,42 @@
 #!/bin/sh /etc/rc.common
 START=30
 USE_PROCD=1
 NAME=radius
 radius_start() {
 	local cfg="$1"
 	config_get_bool disabled "$cfg" disabled 0
 	[ "$disabled" -gt 0 ] && return
 	config_get ca "$cfg" ca_cert
 	config_get key "$cfg" key
 	config_get cert "$cfg" cert
 	config_get users "$cfg" users
 	config_get clients "$cfg" clients
 	config_get auth_port "$cfg" auth_port 1812
 	config_get acct_port "$cfg" acct_port 1813
 	config_get identity "$cfg" identity "$(cat /proc/sys/kernel/hostname)"
 	procd_open_instance $cfg
 	procd_set_param command /usr/sbin/hostapd-radius \
 		-C "$ca" \
 		-c "$cert" -k "$key" \
 		-s "$clients" -u "$users" \
 		-p "$auth_port" -P "$acct_port" \
 		-i "$identity"
 	procd_close_instance
 }
 start_service() {
 	config_load radius
 	config_foreach radius_start radius
 }
 service_triggers()
 {
 	procd_add_reload_trigger "radius"
 }
--- a/feeds/hostapd/hostapd/files/radius.users
+++ b/feeds/hostapd/hostapd/files/radius.users
@@ -0,0 +1,14 @@
 {
 	"phase1": {
 		"wildcard": [
 			{
 				"name": "*",
 				"methods": [ "PEAP" ]
 			}
 		]
 	},
 	"phase2": {
 		"users": {
 		}
 	}
 }
--- a/feeds/hostapd/hostapd/files/wdev.uc
+++ b/feeds/hostapd/hostapd/files/wdev.uc
--- a/feeds/hostapd/hostapd/files/wpa_supplicant-basic.config
+++ b/feeds/hostapd/hostapd/files/wpa_supplicant-basic.config
@@ -0,0 +1,625 @@
 # Example wpa_supplicant build time configuration
 #
 # This file lists the configuration options that are used when building the
 # wpa_supplicant binary. All lines starting with # are ignored. Configuration
 # option lines must be commented out complete, if they are not to be included,
 # i.e., just setting VARIABLE=n is not disabling that variable.
 #
 # This file is included in Makefile, so variables like CFLAGS and LIBS can also
 # be modified from here. In most cases, these lines should use += in order not
 # to override previous values of the variables.
 # Uncomment following two lines and fix the paths if you have installed OpenSSL
 # or GnuTLS in non-default location
 #CFLAGS += -I/usr/local/openssl/include
 #LIBS += -L/usr/local/openssl/lib
 # Some Red Hat versions seem to include kerberos header files from OpenSSL, but
 # the kerberos files are not in the default include path. Following line can be
 # used to fix build issues on such systems (krb5.h not found).
 #CFLAGS += -I/usr/include/kerberos
 # Driver interface for generic Linux wireless extensions
 # Note: WEXT is deprecated in the current Linux kernel version and no new
 # functionality is added to it. nl80211-based interface is the new
 # replacement for WEXT and its use allows wpa_supplicant to properly control
 # the driver to improve existing functionality like roaming and to support new
 # functionality.
 #CONFIG_DRIVER_WEXT=y
 # Driver interface for Linux drivers using the nl80211 kernel interface
 CONFIG_DRIVER_NL80211=y
 # QCA vendor extensions to nl80211
 #CONFIG_DRIVER_NL80211_QCA=y
 # driver_nl80211.c requires libnl. If you are compiling it yourself
 # you may need to point hostapd to your version of libnl.
 #
 #CFLAGS += -I$<path to libnl include files>
 #LIBS += -L$<path to libnl library files>
 # Use libnl v2.0 (or 3.0) libraries.
 #CONFIG_LIBNL20=y
 # Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
 #CONFIG_LIBNL32=y
 # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
 #CONFIG_DRIVER_BSD=y
 #CFLAGS += -I/usr/local/include
 #LIBS += -L/usr/local/lib
 #LIBS_p += -L/usr/local/lib
 #LIBS_c += -L/usr/local/lib
 # Driver interface for Windows NDIS
 #CONFIG_DRIVER_NDIS=y
 #CFLAGS += -I/usr/include/w32api/ddk
 #LIBS += -L/usr/local/lib
 # For native build using mingw
 #CONFIG_NATIVE_WINDOWS=y
 # Additional directories for cross-compilation on Linux host for mingw target
 #CFLAGS += -I/opt/mingw/mingw32/include/ddk
 #LIBS += -L/opt/mingw/mingw32/lib
 #CC=mingw32-gcc
 # By default, driver_ndis uses WinPcap for low-level operations. This can be
 # replaced with the following option which replaces WinPcap calls with NDISUIO.
 # However, this requires that WZC is disabled (net stop wzcsvc) before starting
 # wpa_supplicant.
 # CONFIG_USE_NDISUIO=y
 # Driver interface for wired Ethernet drivers
 CONFIG_DRIVER_WIRED=y
 # Driver interface for MACsec capable Qualcomm Atheros drivers
 #CONFIG_DRIVER_MACSEC_QCA=y
 # Driver interface for Linux MACsec drivers
 #CONFIG_DRIVER_MACSEC_LINUX=y
 # Driver interface for the Broadcom RoboSwitch family
 #CONFIG_DRIVER_ROBOSWITCH=y
 # Driver interface for no driver (e.g., WPS ER only)
 #CONFIG_DRIVER_NONE=y
 # Solaris libraries
 #LIBS += -lsocket -ldlpi -lnsl
 #LIBS_c += -lsocket
 # Enable IEEE 802.1X Supplicant (automatically included if any EAP method or
 # MACsec is included)
 #CONFIG_IEEE8021X_EAPOL=y
 # EAP-MD5
 #CONFIG_EAP_MD5=y
 # EAP-MSCHAPv2
 #CONFIG_EAP_MSCHAPV2=y
 # EAP-TLS
 #CONFIG_EAP_TLS=y
 # EAL-PEAP
 #CONFIG_EAP_PEAP=y
 # EAP-TTLS
 #CONFIG_EAP_TTLS=y
 # EAP-FAST
 #CONFIG_EAP_FAST=y
 # EAP-TEAP
 # Note: The current EAP-TEAP implementation is experimental and should not be
 # enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
 # of conflicting statements and missing details and the implementation has
 # vendor specific workarounds for those and as such, may not interoperate with
 # any other implementation. This should not be used for anything else than
 # experimentation and interoperability testing until those issues has been
 # resolved.
 #CONFIG_EAP_TEAP=y
 # EAP-GTC
 #CONFIG_EAP_GTC=y
 # EAP-OTP
 #CONFIG_EAP_OTP=y
 # EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
 #CONFIG_EAP_SIM=y
 # Enable SIM simulator (Milenage) for EAP-SIM
 #CONFIG_SIM_SIMULATOR=y
 # EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
 #CONFIG_EAP_PSK=y
 # EAP-pwd (secure authentication using only a password)
 #CONFIG_EAP_PWD=y
 # EAP-PAX
 #CONFIG_EAP_PAX=y
 # LEAP
 #CONFIG_EAP_LEAP=y
 # EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
 #CONFIG_EAP_AKA=y
 # EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used).
 # This requires CONFIG_EAP_AKA to be enabled, too.
 #CONFIG_EAP_AKA_PRIME=y
 # Enable USIM simulator (Milenage) for EAP-AKA
 #CONFIG_USIM_SIMULATOR=y
 # EAP-SAKE
 #CONFIG_EAP_SAKE=y
 # EAP-GPSK
 #CONFIG_EAP_GPSK=y
 # Include support for optional SHA256 cipher suite in EAP-GPSK
 #CONFIG_EAP_GPSK_SHA256=y
 # EAP-TNC and related Trusted Network Connect support (experimental)
 #CONFIG_EAP_TNC=y
 # Wi-Fi Protected Setup (WPS)
 #CONFIG_WPS=y
 # Enable WPS external registrar functionality
 #CONFIG_WPS_ER=y
 # Disable credentials for an open network by default when acting as a WPS
 # registrar.
 #CONFIG_WPS_REG_DISABLE_OPEN=y
 # Enable WPS support with NFC config method
 #CONFIG_WPS_NFC=y
 # EAP-IKEv2
 #CONFIG_EAP_IKEV2=y
 # EAP-EKE
 #CONFIG_EAP_EKE=y
 # MACsec
 #CONFIG_MACSEC=y
 # PKCS#12 (PFX) support (used to read private key and certificate file from
 # a file that usually has extension .p12 or .pfx)
 #CONFIG_PKCS12=y
 # Smartcard support (i.e., private key on a smartcard), e.g., with openssl
 # engine.
 #CONFIG_SMARTCARD=y
 # PC/SC interface for smartcards (USIM, GSM SIM)
 # Enable this if EAP-SIM or EAP-AKA is included
 #CONFIG_PCSC=y
 # Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
 CONFIG_HT_OVERRIDES=y
 # Support VHT overrides (disable VHT, mask MCS rates, etc.)
 CONFIG_VHT_OVERRIDES=y
 # Development testing
 #CONFIG_EAPOL_TEST=y
 # Select control interface backend for external programs, e.g, wpa_cli:
 # unix = UNIX domain sockets (default for Linux/*BSD)
 # udp = UDP sockets using localhost (127.0.0.1)
 # udp6 = UDP IPv6 sockets using localhost (::1)
 # named_pipe = Windows Named Pipe (default for Windows)
 # udp-remote = UDP sockets with remote access (only for tests systems/purpose)
 # udp6-remote = UDP IPv6 sockets with remote access (only for tests purpose)
 # y = use default (backwards compatibility)
 # If this option is commented out, control interface is not included in the
 # build.
 CONFIG_CTRL_IFACE=y
 # Include support for GNU Readline and History Libraries in wpa_cli.
 # When building a wpa_cli binary for distribution, please note that these
 # libraries are licensed under GPL and as such, BSD license may not apply for
 # the resulting binary.
 #CONFIG_READLINE=y
 # Include internal line edit mode in wpa_cli. This can be used as a replacement
 # for GNU Readline to provide limited command line editing and history support.
 #CONFIG_WPA_CLI_EDIT=y
 # Remove debugging code that is printing out debug message to stdout.
 # This can be used to reduce the size of the wpa_supplicant considerably
 # if debugging code is not needed. The size reduction can be around 35%
 # (e.g., 90 kB).
 #CONFIG_NO_STDOUT_DEBUG=y
 # Remove WPA support, e.g., for wired-only IEEE 802.1X supplicant, to save
 # 35-50 kB in code size.
 #CONFIG_NO_WPA=y
 # Remove IEEE 802.11i/WPA-Personal ASCII passphrase support
 # This option can be used to reduce code size by removing support for
 # converting ASCII passphrases into PSK. If this functionality is removed, the
 # PSK can only be configured as the 64-octet hexstring (e.g., from
 # wpa_passphrase). This saves about 0.5 kB in code size.
 #CONFIG_NO_WPA_PASSPHRASE=y
 # Simultaneous Authentication of Equals (SAE), WPA3-Personal
 #CONFIG_SAE=y
 # Disable scan result processing (ap_mode=1) to save code size by about 1 kB.
 # This can be used if ap_scan=1 mode is never enabled.
 #CONFIG_NO_SCAN_PROCESSING=y
 # Select configuration backend:
 # file = text file (e.g., wpa_supplicant.conf; note: the configuration file
 #	path is given on command line, not here; this option is just used to
 #	select the backend that allows configuration files to be used)
 # winreg = Windows registry (see win_example.reg for an example)
 CONFIG_BACKEND=file
 # Remove configuration write functionality (i.e., to allow the configuration
 # file to be updated based on runtime configuration changes). The runtime
 # configuration can still be changed, the changes are just not going to be
 # persistent over restarts. This option can be used to reduce code size by
 # about 3.5 kB.
 CONFIG_NO_CONFIG_WRITE=y
 # Remove support for configuration blobs to reduce code size by about 1.5 kB.
 #CONFIG_NO_CONFIG_BLOBS=y
 # Select program entry point implementation:
 # main = UNIX/POSIX like main() function (default)
 # main_winsvc = Windows service (read parameters from registry)
 # main_none = Very basic example (development use only)
 #CONFIG_MAIN=main
 # Select wrapper for operating system and C library specific functions
 # unix = UNIX/POSIX like systems (default)
 # win32 = Windows systems
 # none = Empty template
 #CONFIG_OS=unix
 # Select event loop implementation
 # eloop = select() loop (default)
 # eloop_win = Windows events and WaitForMultipleObject() loop
 #CONFIG_ELOOP=eloop
 # Should we use poll instead of select? Select is used by default.
 #CONFIG_ELOOP_POLL=y
 # Should we use epoll instead of select? Select is used by default.
 CONFIG_ELOOP_EPOLL=y
 # Should we use kqueue instead of select? Select is used by default.
 #CONFIG_ELOOP_KQUEUE=y
 # Select layer 2 packet implementation
 # linux = Linux packet socket (default)
 # pcap = libpcap/libdnet/WinPcap
 # freebsd = FreeBSD libpcap
 # winpcap = WinPcap with receive thread
 # ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y)
 # none = Empty template
 #CONFIG_L2_PACKET=linux
 # Disable Linux packet socket workaround applicable for station interface
 # in a bridge for EAPOL frames. This should be uncommented only if the kernel
 # is known to not have the regression issue in packet socket behavior with
 # bridge interfaces (commit 'bridge: respect RFC2863 operational state')').
 CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
 # IEEE 802.11w (management frame protection), also known as PMF
 # Driver support is also needed for IEEE 802.11w.
 #CONFIG_IEEE80211W=y
 # Support Operating Channel Validation
 CONFIG_OCV=y
 # Select TLS implementation
 # openssl = OpenSSL (default)
 # gnutls = GnuTLS
 # internal = Internal TLSv1 implementation (experimental)
 # linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
 # none = Empty template
 CONFIG_TLS=internal
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
 # can be enabled to get a stronger construction of messages when block ciphers
 # are used. It should be noted that some existing TLS v1.0 -based
 # implementation may not be compatible with TLS v1.1 message (ClientHello is
 # sent prior to negotiating which version will be used)
 #CONFIG_TLSV11=y
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
 # can be enabled to enable use of stronger crypto algorithms. It should be
 # noted that some existing TLS v1.0 -based implementation may not be compatible
 # with TLS v1.2 message (ClientHello is sent prior to negotiating which version
 # will be used)
 #CONFIG_TLSV12=y
 # Select which ciphers to use by default with OpenSSL if the user does not
 # specify them.
 #CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
 # LibTomMath can be used. See beginning of libtommath.c for details on benefits
 # and drawbacks of this option.
 #CONFIG_INTERNAL_LIBTOMMATH=y
 #ifndef CONFIG_INTERNAL_LIBTOMMATH
 #LTM_PATH=/usr/src/libtommath-0.39
 #CFLAGS += -I$(LTM_PATH)
 #LIBS += -L$(LTM_PATH)
 #LIBS_p += -L$(LTM_PATH)
 #endif
 # At the cost of about 4 kB of additional binary size, the internal LibTomMath
 # can be configured to include faster routines for exptmod, sqr, and div to
 # speed up DH and RSA calculation considerably
 #CONFIG_INTERNAL_LIBTOMMATH_FAST=y
 # Include NDIS event processing through WMI into wpa_supplicant/wpasvc.
 # This is only for Windows builds and requires WMI-related header files and
 # WbemUuid.Lib from Platform SDK even when building with MinGW.
 #CONFIG_NDIS_EVENTS_INTEGRATED=y
 #PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
 # Add support for new DBus control interface
 # (fi.w1.hostap.wpa_supplicant1)
 #CONFIG_CTRL_IFACE_DBUS_NEW=y
 # Add introspection support for new DBus control interface
 #CONFIG_CTRL_IFACE_DBUS_INTRO=y
 # Add support for loading EAP methods dynamically as shared libraries.
 # When this option is enabled, each EAP method can be either included
 # statically (CONFIG_EAP_<method>=y) or dynamically (CONFIG_EAP_<method>=dyn).
 # Dynamic EAP methods are build as shared objects (eap_*.so) and they need to
 # be loaded in the beginning of the wpa_supplicant configuration file
 # (see load_dynamic_eap parameter in the example file) before being used in
 # the network blocks.
 #
 # Note that some shared parts of EAP methods are included in the main program
 # and in order to be able to use dynamic EAP methods using these parts, the
 # main program must have been build with the EAP method enabled (=y or =dyn).
 # This means that EAP-TLS/PEAP/TTLS/FAST cannot be added as dynamic libraries
 # unless at least one of them was included in the main build to force inclusion
 # of the shared code. Similarly, at least one of EAP-SIM/AKA must be included
 # in the main build to be able to load these methods dynamically.
 #
 # Please also note that using dynamic libraries will increase the total binary
 # size. Thus, it may not be the best option for targets that have limited
 # amount of memory/flash.
 #CONFIG_DYNAMIC_EAP_METHODS=y
 # IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
 CONFIG_IEEE80211R=y
 # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
 #CONFIG_DEBUG_FILE=y
 # Send debug messages to syslog instead of stdout
 CONFIG_DEBUG_SYSLOG=y
 # Set syslog facility for debug messages
 CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
 # Add support for sending all debug messages (regardless of debug verbosity)
 # to the Linux kernel tracing facility. This helps debug the entire stack by
 # making it easy to record everything happening from the driver up into the
 # same file, e.g., using trace-cmd.
 #CONFIG_DEBUG_LINUX_TRACING=y
 # Add support for writing debug log to Android logcat instead of standard
 # output
 #CONFIG_ANDROID_LOG=y
 # Enable privilege separation (see README 'Privilege separation' for details)
 #CONFIG_PRIVSEP=y
 # Enable mitigation against certain attacks against TKIP by delaying Michael
 # MIC error reports by a random amount of time between 0 and 60 seconds
 #CONFIG_DELAYED_MIC_ERROR_REPORT=y
 # Enable tracing code for developer debugging
 # This tracks use of memory allocations and other registrations and reports
 # incorrect use with a backtrace of call (or allocation) location.
 #CONFIG_WPA_TRACE=y
 # For BSD, uncomment these.
 #LIBS += -lexecinfo
 #LIBS_p += -lexecinfo
 #LIBS_c += -lexecinfo
 # Use libbfd to get more details for developer debugging
 # This enables use of libbfd to get more detailed symbols for the backtraces
 # generated by CONFIG_WPA_TRACE=y.
 #CONFIG_WPA_TRACE_BFD=y
 # For BSD, uncomment these.
 #LIBS += -lbfd -liberty -lz
 #LIBS_p += -lbfd -liberty -lz
 #LIBS_c += -lbfd -liberty -lz
 # wpa_supplicant depends on strong random number generation being available
 # from the operating system. os_get_random() function is used to fetch random
 # data when needed, e.g., for key generation. On Linux and BSD systems, this
 # works by reading /dev/urandom. It should be noted that the OS entropy pool
 # needs to be properly initialized before wpa_supplicant is started. This is
 # important especially on embedded devices that do not have a hardware random
 # number generator and may by default start up with minimal entropy available
 # for random number generation.
 #
 # As a safety net, wpa_supplicant is by default trying to internally collect
 # additional entropy for generating random data to mix in with the data fetched
 # from the OS. This by itself is not considered to be very strong, but it may
 # help in cases where the system pool is not initialized properly. However, it
 # is very strongly recommended that the system pool is initialized with enough
 # entropy either by using hardware assisted random number generator or by
 # storing state over device reboots.
 #
 # wpa_supplicant can be configured to maintain its own entropy store over
 # restarts to enhance random number generation. This is not perfect, but it is
 # much more secure than using the same sequence of random numbers after every
 # reboot. This can be enabled with -e<entropy file> command line option. The
 # specified file needs to be readable and writable by wpa_supplicant.
 #
 # If the os_get_random() is known to provide strong random data (e.g., on
 # Linux/BSD, the board in question is known to have reliable source of random
 # data from /dev/urandom), the internal wpa_supplicant random pool can be
 # disabled. This will save some in binary size and CPU use. However, this
 # should only be considered for builds that are known to be used on devices
 # that meet the requirements described above.
 CONFIG_NO_RANDOM_POOL=y
 # Should we attempt to use the getrandom(2) call that provides more reliable
 # yet secure randomness source than /dev/random on Linux 3.17 and newer.
 # Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
 CONFIG_GETRANDOM=y
 # IEEE 802.11n (High Throughput) support (mainly for AP mode)
 #CONFIG_IEEE80211N=y
 # IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
 # (depends on CONFIG_IEEE80211N)
 #CONFIG_IEEE80211AC=y
 # Wireless Network Management (IEEE Std 802.11v-2011)
 # Note: This is experimental and not complete implementation.
 #CONFIG_WNM=y
 # Interworking (IEEE 802.11u)
 # This can be used to enable functionality to improve interworking with
 # external networks (GAS/ANQP to learn more about the networks and network
 # selection based on available credentials).
 #CONFIG_INTERWORKING=y
 # Hotspot 2.0
 #CONFIG_HS20=y
 # Enable interface matching in wpa_supplicant
 #CONFIG_MATCH_IFACE=y
 # Disable roaming in wpa_supplicant
 #CONFIG_NO_ROAMING=y
 # AP mode operations with wpa_supplicant
 # This can be used for controlling AP mode operations with wpa_supplicant. It
 # should be noted that this is mainly aimed at simple cases like
 # WPA2-Personal while more complex configurations like WPA2-Enterprise with an
 # external RADIUS server can be supported with hostapd.
 #CONFIG_AP=y
 # P2P (Wi-Fi Direct)
 # This can be used to enable P2P support in wpa_supplicant. See README-P2P for
 # more information on P2P operations.
 #CONFIG_P2P=y
 # Enable TDLS support
 #CONFIG_TDLS=y
 # Wi-Fi Display
 # This can be used to enable Wi-Fi Display extensions for P2P using an external
 # program to control the additional information exchanges in the messages.
 #CONFIG_WIFI_DISPLAY=y
 # Autoscan
 # This can be used to enable automatic scan support in wpa_supplicant.
 # See wpa_supplicant.conf for more information on autoscan usage.
 #
 # Enabling directly a module will enable autoscan support.
 # For exponential module:
 #CONFIG_AUTOSCAN_EXPONENTIAL=y
 # For periodic module:
 #CONFIG_AUTOSCAN_PERIODIC=y
 # Password (and passphrase, etc.) backend for external storage
 # These optional mechanisms can be used to add support for storing passwords
 # and other secrets in external (to wpa_supplicant) location. This allows, for
 # example, operating system specific key storage to be used
 #
 # External password backend for testing purposes (developer use)
 #CONFIG_EXT_PASSWORD_TEST=y
 # Enable Fast Session Transfer (FST)
 #CONFIG_FST=y
 # Enable CLI commands for FST testing
 #CONFIG_FST_TEST=y
 # OS X builds. This is only for building eapol_test.
 #CONFIG_OSX=y
 # Automatic Channel Selection
 # This will allow wpa_supplicant to pick the channel automatically when channel
 # is set to "0".
 #
 # TODO: Extend parser to be able to parse "channel=acs_survey" as an alternative
 # to "channel=0". This would enable us to eventually add other ACS algorithms in
 # similar way.
 #
 # Automatic selection is currently only done through initialization, later on
 # we hope to do background checks to keep us moving to more ideal channels as
 # time goes by. ACS is currently only supported through the nl80211 driver and
 # your driver must have survey dump capability that is filled by the driver
 # during scanning.
 #
 # TODO: In analogy to hostapd be able to customize the ACS survey algorithm with
 # a newly to create wpa_supplicant.conf variable acs_num_scans.
 #
 # Supported ACS drivers:
 # * ath9k
 # * ath5k
 # * ath10k
 #
 # For more details refer to:
 # http://wireless.kernel.org/en/users/Documentation/acs
 #CONFIG_ACS=y
 # Support Multi Band Operation
 #CONFIG_MBO=y
 # Fast Initial Link Setup (FILS) (IEEE 802.11ai)
 #CONFIG_FILS=y
 # FILS shared key authentication with PFS
 #CONFIG_FILS_SK_PFS=y
 # Support RSN on IBSS networks
 # This is needed to be able to use mode=1 network profile with proto=RSN and
 # key_mgmt=WPA-PSK (i.e., full key management instead of WPA-None).
 #CONFIG_IBSS_RSN=y
 # External PMKSA cache control
 # This can be used to enable control interface commands that allow the current
 # PMKSA cache entries to be fetched and new entries to be added.
 #CONFIG_PMKSA_CACHE_EXTERNAL=y
 # Mesh Networking (IEEE 802.11s)
 #CONFIG_MESH=y
 # Background scanning modules
 # These can be used to request wpa_supplicant to perform background scanning
 # operations for roaming within an ESS (same SSID). See the bgscan parameter in
 # the wpa_supplicant.conf file for more details.
 # Periodic background scans based on signal strength
 #CONFIG_BGSCAN_SIMPLE=y
 # Learn channels used by the network and try to avoid bgscans on other
 # channels (experimental)
 #CONFIG_BGSCAN_LEARN=y
 # Opportunistic Wireless Encryption (OWE)
 # Experimental implementation of draft-harkins-owe-07.txt
 #CONFIG_OWE=y
 # Device Provisioning Protocol (DPP)
 # This requires CONFIG_IEEE80211W=y to be enabled, too. (see
 # wpa_supplicant/README-DPP for details)
 #CONFIG_DPP=y
 # uBus IPC/RPC System
 # Services can connect to the bus and provide methods
 # that can be called by other services or clients.
 CONFIG_UBUS=y
 # OpenWrt patch 380-disable-ctrl-iface-mib.patch
 # leads to the MIB only being compiled in if
 # CONFIG_CTRL_IFACE_MIB is enabled.
 #CONFIG_CTRL_IFACE_MIB=y
--- a/feeds/hostapd/hostapd/files/wpa_supplicant-full.config
+++ b/feeds/hostapd/hostapd/files/wpa_supplicant-full.config
@@ -0,0 +1,625 @@
 # Example wpa_supplicant build time configuration
 #
 # This file lists the configuration options that are used when building the
 # wpa_supplicant binary. All lines starting with # are ignored. Configuration
 # option lines must be commented out complete, if they are not to be included,
 # i.e., just setting VARIABLE=n is not disabling that variable.
 #
 # This file is included in Makefile, so variables like CFLAGS and LIBS can also
 # be modified from here. In most cases, these lines should use += in order not
 # to override previous values of the variables.
 # Uncomment following two lines and fix the paths if you have installed OpenSSL
 # or GnuTLS in non-default location
 #CFLAGS += -I/usr/local/openssl/include
 #LIBS += -L/usr/local/openssl/lib
 # Some Red Hat versions seem to include kerberos header files from OpenSSL, but
 # the kerberos files are not in the default include path. Following line can be
 # used to fix build issues on such systems (krb5.h not found).
 #CFLAGS += -I/usr/include/kerberos
 # Driver interface for generic Linux wireless extensions
 # Note: WEXT is deprecated in the current Linux kernel version and no new
 # functionality is added to it. nl80211-based interface is the new
 # replacement for WEXT and its use allows wpa_supplicant to properly control
 # the driver to improve existing functionality like roaming and to support new
 # functionality.
 #CONFIG_DRIVER_WEXT=y
 # Driver interface for Linux drivers using the nl80211 kernel interface
 CONFIG_DRIVER_NL80211=y
 # QCA vendor extensions to nl80211
 #CONFIG_DRIVER_NL80211_QCA=y
 # driver_nl80211.c requires libnl. If you are compiling it yourself
 # you may need to point hostapd to your version of libnl.
 #
 #CFLAGS += -I$<path to libnl include files>
 #LIBS += -L$<path to libnl library files>
 # Use libnl v2.0 (or 3.0) libraries.
 #CONFIG_LIBNL20=y
 # Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
 #CONFIG_LIBNL32=y
 # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
 #CONFIG_DRIVER_BSD=y
 #CFLAGS += -I/usr/local/include
 #LIBS += -L/usr/local/lib
 #LIBS_p += -L/usr/local/lib
 #LIBS_c += -L/usr/local/lib
 # Driver interface for Windows NDIS
 #CONFIG_DRIVER_NDIS=y
 #CFLAGS += -I/usr/include/w32api/ddk
 #LIBS += -L/usr/local/lib
 # For native build using mingw
 #CONFIG_NATIVE_WINDOWS=y
 # Additional directories for cross-compilation on Linux host for mingw target
 #CFLAGS += -I/opt/mingw/mingw32/include/ddk
 #LIBS += -L/opt/mingw/mingw32/lib
 #CC=mingw32-gcc
 # By default, driver_ndis uses WinPcap for low-level operations. This can be
 # replaced with the following option which replaces WinPcap calls with NDISUIO.
 # However, this requires that WZC is disabled (net stop wzcsvc) before starting
 # wpa_supplicant.
 # CONFIG_USE_NDISUIO=y
 # Driver interface for wired Ethernet drivers
 CONFIG_DRIVER_WIRED=y
 # Driver interface for MACsec capable Qualcomm Atheros drivers
 #CONFIG_DRIVER_MACSEC_QCA=y
 # Driver interface for Linux MACsec drivers
 #CONFIG_DRIVER_MACSEC_LINUX=y
 # Driver interface for the Broadcom RoboSwitch family
 #CONFIG_DRIVER_ROBOSWITCH=y
 # Driver interface for no driver (e.g., WPS ER only)
 #CONFIG_DRIVER_NONE=y
 # Solaris libraries
 #LIBS += -lsocket -ldlpi -lnsl
 #LIBS_c += -lsocket
 # Enable IEEE 802.1X Supplicant (automatically included if any EAP method or
 # MACsec is included)
 CONFIG_IEEE8021X_EAPOL=y
 # EAP-MD5
 CONFIG_EAP_MD5=y
 # EAP-MSCHAPv2
 CONFIG_EAP_MSCHAPV2=y
 # EAP-TLS
 CONFIG_EAP_TLS=y
 # EAL-PEAP
 CONFIG_EAP_PEAP=y
 # EAP-TTLS
 CONFIG_EAP_TTLS=y
 # EAP-FAST
 CONFIG_EAP_FAST=y
 # EAP-TEAP
 # Note: The current EAP-TEAP implementation is experimental and should not be
 # enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
 # of conflicting statements and missing details and the implementation has
 # vendor specific workarounds for those and as such, may not interoperate with
 # any other implementation. This should not be used for anything else than
 # experimentation and interoperability testing until those issues has been
 # resolved.
 #CONFIG_EAP_TEAP=y
 # EAP-GTC
 CONFIG_EAP_GTC=y
 # EAP-OTP
 CONFIG_EAP_OTP=y
 # EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
 #CONFIG_EAP_SIM=y
 # Enable SIM simulator (Milenage) for EAP-SIM
 #CONFIG_SIM_SIMULATOR=y
 # EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
 #CONFIG_EAP_PSK=y
 # EAP-pwd (secure authentication using only a password)
 #CONFIG_EAP_PWD=y
 # EAP-PAX
 #CONFIG_EAP_PAX=y
 # LEAP
 CONFIG_EAP_LEAP=y
 # EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
 #CONFIG_EAP_AKA=y
 # EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used).
 # This requires CONFIG_EAP_AKA to be enabled, too.
 #CONFIG_EAP_AKA_PRIME=y
 # Enable USIM simulator (Milenage) for EAP-AKA
 #CONFIG_USIM_SIMULATOR=y
 # EAP-SAKE
 #CONFIG_EAP_SAKE=y
 # EAP-GPSK
 #CONFIG_EAP_GPSK=y
 # Include support for optional SHA256 cipher suite in EAP-GPSK
 #CONFIG_EAP_GPSK_SHA256=y
 # EAP-TNC and related Trusted Network Connect support (experimental)
 #CONFIG_EAP_TNC=y
 # Wi-Fi Protected Setup (WPS)
 CONFIG_WPS=y
 # Enable WPS external registrar functionality
 #CONFIG_WPS_ER=y
 # Disable credentials for an open network by default when acting as a WPS
 # registrar.
 #CONFIG_WPS_REG_DISABLE_OPEN=y
 # Enable WPS support with NFC config method
 #CONFIG_WPS_NFC=y
 # EAP-IKEv2
 #CONFIG_EAP_IKEV2=y
 # EAP-EKE
 #CONFIG_EAP_EKE=y
 # MACsec
 #CONFIG_MACSEC=y
 # PKCS#12 (PFX) support (used to read private key and certificate file from
 # a file that usually has extension .p12 or .pfx)
 CONFIG_PKCS12=y
 # Smartcard support (i.e., private key on a smartcard), e.g., with openssl
 # engine.
 CONFIG_SMARTCARD=y
 # PC/SC interface for smartcards (USIM, GSM SIM)
 # Enable this if EAP-SIM or EAP-AKA is included
 #CONFIG_PCSC=y
 # Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
 CONFIG_HT_OVERRIDES=y
 # Support VHT overrides (disable VHT, mask MCS rates, etc.)
 CONFIG_VHT_OVERRIDES=y
 # Development testing
 #CONFIG_EAPOL_TEST=y
 # Select control interface backend for external programs, e.g, wpa_cli:
 # unix = UNIX domain sockets (default for Linux/*BSD)
 # udp = UDP sockets using localhost (127.0.0.1)
 # udp6 = UDP IPv6 sockets using localhost (::1)
 # named_pipe = Windows Named Pipe (default for Windows)
 # udp-remote = UDP sockets with remote access (only for tests systems/purpose)
 # udp6-remote = UDP IPv6 sockets with remote access (only for tests purpose)
 # y = use default (backwards compatibility)
 # If this option is commented out, control interface is not included in the
 # build.
 CONFIG_CTRL_IFACE=y
 # Include support for GNU Readline and History Libraries in wpa_cli.
 # When building a wpa_cli binary for distribution, please note that these
 # libraries are licensed under GPL and as such, BSD license may not apply for
 # the resulting binary.
 #CONFIG_READLINE=y
 # Include internal line edit mode in wpa_cli. This can be used as a replacement
 # for GNU Readline to provide limited command line editing and history support.
 #CONFIG_WPA_CLI_EDIT=y
 # Remove debugging code that is printing out debug message to stdout.
 # This can be used to reduce the size of the wpa_supplicant considerably
 # if debugging code is not needed. The size reduction can be around 35%
 # (e.g., 90 kB).
 #CONFIG_NO_STDOUT_DEBUG=y
 # Remove WPA support, e.g., for wired-only IEEE 802.1X supplicant, to save
 # 35-50 kB in code size.
 #CONFIG_NO_WPA=y
 # Remove IEEE 802.11i/WPA-Personal ASCII passphrase support
 # This option can be used to reduce code size by removing support for
 # converting ASCII passphrases into PSK. If this functionality is removed, the
 # PSK can only be configured as the 64-octet hexstring (e.g., from
 # wpa_passphrase). This saves about 0.5 kB in code size.
 #CONFIG_NO_WPA_PASSPHRASE=y
 # Simultaneous Authentication of Equals (SAE), WPA3-Personal
 #CONFIG_SAE=y
 # Disable scan result processing (ap_mode=1) to save code size by about 1 kB.
 # This can be used if ap_scan=1 mode is never enabled.
 #CONFIG_NO_SCAN_PROCESSING=y
 # Select configuration backend:
 # file = text file (e.g., wpa_supplicant.conf; note: the configuration file
 #	path is given on command line, not here; this option is just used to
 #	select the backend that allows configuration files to be used)
 # winreg = Windows registry (see win_example.reg for an example)
 CONFIG_BACKEND=file
 # Remove configuration write functionality (i.e., to allow the configuration
 # file to be updated based on runtime configuration changes). The runtime
 # configuration can still be changed, the changes are just not going to be
 # persistent over restarts. This option can be used to reduce code size by
 # about 3.5 kB.
 #CONFIG_NO_CONFIG_WRITE=y
 # Remove support for configuration blobs to reduce code size by about 1.5 kB.
 #CONFIG_NO_CONFIG_BLOBS=y
 # Select program entry point implementation:
 # main = UNIX/POSIX like main() function (default)
 # main_winsvc = Windows service (read parameters from registry)
 # main_none = Very basic example (development use only)
 #CONFIG_MAIN=main
 # Select wrapper for operating system and C library specific functions
 # unix = UNIX/POSIX like systems (default)
 # win32 = Windows systems
 # none = Empty template
 #CONFIG_OS=unix
 # Select event loop implementation
 # eloop = select() loop (default)
 # eloop_win = Windows events and WaitForMultipleObject() loop
 #CONFIG_ELOOP=eloop
 # Should we use poll instead of select? Select is used by default.
 #CONFIG_ELOOP_POLL=y
 # Should we use epoll instead of select? Select is used by default.
 CONFIG_ELOOP_EPOLL=y
 # Should we use kqueue instead of select? Select is used by default.
 #CONFIG_ELOOP_KQUEUE=y
 # Select layer 2 packet implementation
 # linux = Linux packet socket (default)
 # pcap = libpcap/libdnet/WinPcap
 # freebsd = FreeBSD libpcap
 # winpcap = WinPcap with receive thread
 # ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y)
 # none = Empty template
 #CONFIG_L2_PACKET=linux
 # Disable Linux packet socket workaround applicable for station interface
 # in a bridge for EAPOL frames. This should be uncommented only if the kernel
 # is known to not have the regression issue in packet socket behavior with
 # bridge interfaces (commit 'bridge: respect RFC2863 operational state')').
 CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
 # IEEE 802.11w (management frame protection), also known as PMF
 # Driver support is also needed for IEEE 802.11w.
 #CONFIG_IEEE80211W=y
 # Support Operating Channel Validation
 CONFIG_OCV=y
 # Select TLS implementation
 # openssl = OpenSSL (default)
 # gnutls = GnuTLS
 # internal = Internal TLSv1 implementation (experimental)
 # linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
 # none = Empty template
 CONFIG_TLS=internal
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
 # can be enabled to get a stronger construction of messages when block ciphers
 # are used. It should be noted that some existing TLS v1.0 -based
 # implementation may not be compatible with TLS v1.1 message (ClientHello is
 # sent prior to negotiating which version will be used)
 #CONFIG_TLSV11=y
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
 # can be enabled to enable use of stronger crypto algorithms. It should be
 # noted that some existing TLS v1.0 -based implementation may not be compatible
 # with TLS v1.2 message (ClientHello is sent prior to negotiating which version
 # will be used)
 #CONFIG_TLSV12=y
 # Select which ciphers to use by default with OpenSSL if the user does not
 # specify them.
 #CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
 # LibTomMath can be used. See beginning of libtommath.c for details on benefits
 # and drawbacks of this option.
 CONFIG_INTERNAL_LIBTOMMATH=y
 #ifndef CONFIG_INTERNAL_LIBTOMMATH
 #LTM_PATH=/usr/src/libtommath-0.39
 #CFLAGS += -I$(LTM_PATH)
 #LIBS += -L$(LTM_PATH)
 #LIBS_p += -L$(LTM_PATH)
 #endif
 # At the cost of about 4 kB of additional binary size, the internal LibTomMath
 # can be configured to include faster routines for exptmod, sqr, and div to
 # speed up DH and RSA calculation considerably
 CONFIG_INTERNAL_LIBTOMMATH_FAST=y
 # Include NDIS event processing through WMI into wpa_supplicant/wpasvc.
 # This is only for Windows builds and requires WMI-related header files and
 # WbemUuid.Lib from Platform SDK even when building with MinGW.
 #CONFIG_NDIS_EVENTS_INTEGRATED=y
 #PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
 # Add support for new DBus control interface
 # (fi.w1.hostap.wpa_supplicant1)
 #CONFIG_CTRL_IFACE_DBUS_NEW=y
 # Add introspection support for new DBus control interface
 #CONFIG_CTRL_IFACE_DBUS_INTRO=y
 # Add support for loading EAP methods dynamically as shared libraries.
 # When this option is enabled, each EAP method can be either included
 # statically (CONFIG_EAP_<method>=y) or dynamically (CONFIG_EAP_<method>=dyn).
 # Dynamic EAP methods are build as shared objects (eap_*.so) and they need to
 # be loaded in the beginning of the wpa_supplicant configuration file
 # (see load_dynamic_eap parameter in the example file) before being used in
 # the network blocks.
 #
 # Note that some shared parts of EAP methods are included in the main program
 # and in order to be able to use dynamic EAP methods using these parts, the
 # main program must have been build with the EAP method enabled (=y or =dyn).
 # This means that EAP-TLS/PEAP/TTLS/FAST cannot be added as dynamic libraries
 # unless at least one of them was included in the main build to force inclusion
 # of the shared code. Similarly, at least one of EAP-SIM/AKA must be included
 # in the main build to be able to load these methods dynamically.
 #
 # Please also note that using dynamic libraries will increase the total binary
 # size. Thus, it may not be the best option for targets that have limited
 # amount of memory/flash.
 #CONFIG_DYNAMIC_EAP_METHODS=y
 # IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
 CONFIG_IEEE80211R=y
 # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
 #CONFIG_DEBUG_FILE=y
 # Send debug messages to syslog instead of stdout
 CONFIG_DEBUG_SYSLOG=y
 # Set syslog facility for debug messages
 CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
 # Add support for sending all debug messages (regardless of debug verbosity)
 # to the Linux kernel tracing facility. This helps debug the entire stack by
 # making it easy to record everything happening from the driver up into the
 # same file, e.g., using trace-cmd.
 #CONFIG_DEBUG_LINUX_TRACING=y
 # Add support for writing debug log to Android logcat instead of standard
 # output
 #CONFIG_ANDROID_LOG=y
 # Enable privilege separation (see README 'Privilege separation' for details)
 #CONFIG_PRIVSEP=y
 # Enable mitigation against certain attacks against TKIP by delaying Michael
 # MIC error reports by a random amount of time between 0 and 60 seconds
 #CONFIG_DELAYED_MIC_ERROR_REPORT=y
 # Enable tracing code for developer debugging
 # This tracks use of memory allocations and other registrations and reports
 # incorrect use with a backtrace of call (or allocation) location.
 #CONFIG_WPA_TRACE=y
 # For BSD, uncomment these.
 #LIBS += -lexecinfo
 #LIBS_p += -lexecinfo
 #LIBS_c += -lexecinfo
 # Use libbfd to get more details for developer debugging
 # This enables use of libbfd to get more detailed symbols for the backtraces
 # generated by CONFIG_WPA_TRACE=y.
 #CONFIG_WPA_TRACE_BFD=y
 # For BSD, uncomment these.
 #LIBS += -lbfd -liberty -lz
 #LIBS_p += -lbfd -liberty -lz
 #LIBS_c += -lbfd -liberty -lz
 # wpa_supplicant depends on strong random number generation being available
 # from the operating system. os_get_random() function is used to fetch random
 # data when needed, e.g., for key generation. On Linux and BSD systems, this
 # works by reading /dev/urandom. It should be noted that the OS entropy pool
 # needs to be properly initialized before wpa_supplicant is started. This is
 # important especially on embedded devices that do not have a hardware random
 # number generator and may by default start up with minimal entropy available
 # for random number generation.
 #
 # As a safety net, wpa_supplicant is by default trying to internally collect
 # additional entropy for generating random data to mix in with the data fetched
 # from the OS. This by itself is not considered to be very strong, but it may
 # help in cases where the system pool is not initialized properly. However, it
 # is very strongly recommended that the system pool is initialized with enough
 # entropy either by using hardware assisted random number generator or by
 # storing state over device reboots.
 #
 # wpa_supplicant can be configured to maintain its own entropy store over
 # restarts to enhance random number generation. This is not perfect, but it is
 # much more secure than using the same sequence of random numbers after every
 # reboot. This can be enabled with -e<entropy file> command line option. The
 # specified file needs to be readable and writable by wpa_supplicant.
 #
 # If the os_get_random() is known to provide strong random data (e.g., on
 # Linux/BSD, the board in question is known to have reliable source of random
 # data from /dev/urandom), the internal wpa_supplicant random pool can be
 # disabled. This will save some in binary size and CPU use. However, this
 # should only be considered for builds that are known to be used on devices
 # that meet the requirements described above.
 CONFIG_NO_RANDOM_POOL=y
 # Should we attempt to use the getrandom(2) call that provides more reliable
 # yet secure randomness source than /dev/random on Linux 3.17 and newer.
 # Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
 CONFIG_GETRANDOM=y
 # IEEE 802.11n (High Throughput) support (mainly for AP mode)
 #CONFIG_IEEE80211N=y
 # IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
 # (depends on CONFIG_IEEE80211N)
 #CONFIG_IEEE80211AC=y
 # Wireless Network Management (IEEE Std 802.11v-2011)
 # Note: This is experimental and not complete implementation.
 CONFIG_WNM=y
 # Interworking (IEEE 802.11u)
 # This can be used to enable functionality to improve interworking with
 # external networks (GAS/ANQP to learn more about the networks and network
 # selection based on available credentials).
 CONFIG_INTERWORKING=y
 # Hotspot 2.0
 CONFIG_HS20=y
 # Enable interface matching in wpa_supplicant
 #CONFIG_MATCH_IFACE=y
 # Disable roaming in wpa_supplicant
 #CONFIG_NO_ROAMING=y
 # AP mode operations with wpa_supplicant
 # This can be used for controlling AP mode operations with wpa_supplicant. It
 # should be noted that this is mainly aimed at simple cases like
 # WPA2-Personal while more complex configurations like WPA2-Enterprise with an
 # external RADIUS server can be supported with hostapd.
 #CONFIG_AP=y
 # P2P (Wi-Fi Direct)
 # This can be used to enable P2P support in wpa_supplicant. See README-P2P for
 # more information on P2P operations.
 #CONFIG_P2P=y
 # Enable TDLS support
 #CONFIG_TDLS=y
 # Wi-Fi Display
 # This can be used to enable Wi-Fi Display extensions for P2P using an external
 # program to control the additional information exchanges in the messages.
 #CONFIG_WIFI_DISPLAY=y
 # Autoscan
 # This can be used to enable automatic scan support in wpa_supplicant.
 # See wpa_supplicant.conf for more information on autoscan usage.
 #
 # Enabling directly a module will enable autoscan support.
 # For exponential module:
 #CONFIG_AUTOSCAN_EXPONENTIAL=y
 # For periodic module:
 #CONFIG_AUTOSCAN_PERIODIC=y
 # Password (and passphrase, etc.) backend for external storage
 # These optional mechanisms can be used to add support for storing passwords
 # and other secrets in external (to wpa_supplicant) location. This allows, for
 # example, operating system specific key storage to be used
 #
 # External password backend for testing purposes (developer use)
 #CONFIG_EXT_PASSWORD_TEST=y
 # Enable Fast Session Transfer (FST)
 #CONFIG_FST=y
 # Enable CLI commands for FST testing
 #CONFIG_FST_TEST=y
 # OS X builds. This is only for building eapol_test.
 #CONFIG_OSX=y
 # Automatic Channel Selection
 # This will allow wpa_supplicant to pick the channel automatically when channel
 # is set to "0".
 #
 # TODO: Extend parser to be able to parse "channel=acs_survey" as an alternative
 # to "channel=0". This would enable us to eventually add other ACS algorithms in
 # similar way.
 #
 # Automatic selection is currently only done through initialization, later on
 # we hope to do background checks to keep us moving to more ideal channels as
 # time goes by. ACS is currently only supported through the nl80211 driver and
 # your driver must have survey dump capability that is filled by the driver
 # during scanning.
 #
 # TODO: In analogy to hostapd be able to customize the ACS survey algorithm with
 # a newly to create wpa_supplicant.conf variable acs_num_scans.
 #
 # Supported ACS drivers:
 # * ath9k
 # * ath5k
 # * ath10k
 #
 # For more details refer to:
 # http://wireless.kernel.org/en/users/Documentation/acs
 #CONFIG_ACS=y
 # Support Multi Band Operation
 #CONFIG_MBO=y
 # Fast Initial Link Setup (FILS) (IEEE 802.11ai)
 CONFIG_FILS=y
 # FILS shared key authentication with PFS
 #CONFIG_FILS_SK_PFS=y
 # Support RSN on IBSS networks
 # This is needed to be able to use mode=1 network profile with proto=RSN and
 # key_mgmt=WPA-PSK (i.e., full key management instead of WPA-None).
 CONFIG_IBSS_RSN=y
 # External PMKSA cache control
 # This can be used to enable control interface commands that allow the current
 # PMKSA cache entries to be fetched and new entries to be added.
 #CONFIG_PMKSA_CACHE_EXTERNAL=y
 # Mesh Networking (IEEE 802.11s)
 #CONFIG_MESH=y
 # Background scanning modules
 # These can be used to request wpa_supplicant to perform background scanning
 # operations for roaming within an ESS (same SSID). See the bgscan parameter in
 # the wpa_supplicant.conf file for more details.
 # Periodic background scans based on signal strength
 #CONFIG_BGSCAN_SIMPLE=y
 # Learn channels used by the network and try to avoid bgscans on other
 # channels (experimental)
 #CONFIG_BGSCAN_LEARN=y
 # Opportunistic Wireless Encryption (OWE)
 # Experimental implementation of draft-harkins-owe-07.txt
 #CONFIG_OWE=y
 # Device Provisioning Protocol (DPP)
 # This requires CONFIG_IEEE80211W=y to be enabled, too. (see
 # wpa_supplicant/README-DPP for details)
 #CONFIG_DPP=y
 # uBus IPC/RPC System
 # Services can connect to the bus and provide methods
 # that can be called by other services or clients.
 CONFIG_UBUS=y
 # OpenWrt patch 380-disable-ctrl-iface-mib.patch
 # leads to the MIB only being compiled in if
 # CONFIG_CTRL_IFACE_MIB is enabled.
 CONFIG_CTRL_IFACE_MIB=y
--- a/feeds/hostapd/hostapd/files/wpa_supplicant-mini.config
+++ b/feeds/hostapd/hostapd/files/wpa_supplicant-mini.config
@@ -0,0 +1,625 @@
 # Example wpa_supplicant build time configuration
 #
 # This file lists the configuration options that are used when building the
 # wpa_supplicant binary. All lines starting with # are ignored. Configuration
 # option lines must be commented out complete, if they are not to be included,
 # i.e., just setting VARIABLE=n is not disabling that variable.
 #
 # This file is included in Makefile, so variables like CFLAGS and LIBS can also
 # be modified from here. In most cases, these lines should use += in order not
 # to override previous values of the variables.
 # Uncomment following two lines and fix the paths if you have installed OpenSSL
 # or GnuTLS in non-default location
 #CFLAGS += -I/usr/local/openssl/include
 #LIBS += -L/usr/local/openssl/lib
 # Some Red Hat versions seem to include kerberos header files from OpenSSL, but
 # the kerberos files are not in the default include path. Following line can be
 # used to fix build issues on such systems (krb5.h not found).
 #CFLAGS += -I/usr/include/kerberos
 # Driver interface for generic Linux wireless extensions
 # Note: WEXT is deprecated in the current Linux kernel version and no new
 # functionality is added to it. nl80211-based interface is the new
 # replacement for WEXT and its use allows wpa_supplicant to properly control
 # the driver to improve existing functionality like roaming and to support new
 # functionality.
 #CONFIG_DRIVER_WEXT=y
 # Driver interface for Linux drivers using the nl80211 kernel interface
 CONFIG_DRIVER_NL80211=y
 # QCA vendor extensions to nl80211
 #CONFIG_DRIVER_NL80211_QCA=y
 # driver_nl80211.c requires libnl. If you are compiling it yourself
 # you may need to point hostapd to your version of libnl.
 #
 #CFLAGS += -I$<path to libnl include files>
 #LIBS += -L$<path to libnl library files>
 # Use libnl v2.0 (or 3.0) libraries.
 #CONFIG_LIBNL20=y
 # Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
 #CONFIG_LIBNL32=y
 # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
 #CONFIG_DRIVER_BSD=y
 #CFLAGS += -I/usr/local/include
 #LIBS += -L/usr/local/lib
 #LIBS_p += -L/usr/local/lib
 #LIBS_c += -L/usr/local/lib
 # Driver interface for Windows NDIS
 #CONFIG_DRIVER_NDIS=y
 #CFLAGS += -I/usr/include/w32api/ddk
 #LIBS += -L/usr/local/lib
 # For native build using mingw
 #CONFIG_NATIVE_WINDOWS=y
 # Additional directories for cross-compilation on Linux host for mingw target
 #CFLAGS += -I/opt/mingw/mingw32/include/ddk
 #LIBS += -L/opt/mingw/mingw32/lib
 #CC=mingw32-gcc
 # By default, driver_ndis uses WinPcap for low-level operations. This can be
 # replaced with the following option which replaces WinPcap calls with NDISUIO.
 # However, this requires that WZC is disabled (net stop wzcsvc) before starting
 # wpa_supplicant.
 # CONFIG_USE_NDISUIO=y
 # Driver interface for wired Ethernet drivers
 CONFIG_DRIVER_WIRED=y
 # Driver interface for MACsec capable Qualcomm Atheros drivers
 #CONFIG_DRIVER_MACSEC_QCA=y
 # Driver interface for Linux MACsec drivers
 #CONFIG_DRIVER_MACSEC_LINUX=y
 # Driver interface for the Broadcom RoboSwitch family
 #CONFIG_DRIVER_ROBOSWITCH=y
 # Driver interface for no driver (e.g., WPS ER only)
 #CONFIG_DRIVER_NONE=y
 # Solaris libraries
 #LIBS += -lsocket -ldlpi -lnsl
 #LIBS_c += -lsocket
 # Enable IEEE 802.1X Supplicant (automatically included if any EAP method or
 # MACsec is included)
 #CONFIG_IEEE8021X_EAPOL=y
 # EAP-MD5
 #CONFIG_EAP_MD5=y
 # EAP-MSCHAPv2
 #CONFIG_EAP_MSCHAPV2=y
 # EAP-TLS
 #CONFIG_EAP_TLS=y
 # EAL-PEAP
 #CONFIG_EAP_PEAP=y
 # EAP-TTLS
 #CONFIG_EAP_TTLS=y
 # EAP-FAST
 #CONFIG_EAP_FAST=y
 # EAP-TEAP
 # Note: The current EAP-TEAP implementation is experimental and should not be
 # enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
 # of conflicting statements and missing details and the implementation has
 # vendor specific workarounds for those and as such, may not interoperate with
 # any other implementation. This should not be used for anything else than
 # experimentation and interoperability testing until those issues has been
 # resolved.
 #CONFIG_EAP_TEAP=y
 # EAP-GTC
 #CONFIG_EAP_GTC=y
 # EAP-OTP
 #CONFIG_EAP_OTP=y
 # EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
 #CONFIG_EAP_SIM=y
 # Enable SIM simulator (Milenage) for EAP-SIM
 #CONFIG_SIM_SIMULATOR=y
 # EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
 #CONFIG_EAP_PSK=y
 # EAP-pwd (secure authentication using only a password)
 #CONFIG_EAP_PWD=y
 # EAP-PAX
 #CONFIG_EAP_PAX=y
 # LEAP
 #CONFIG_EAP_LEAP=y
 # EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
 #CONFIG_EAP_AKA=y
 # EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used).
 # This requires CONFIG_EAP_AKA to be enabled, too.
 #CONFIG_EAP_AKA_PRIME=y
 # Enable USIM simulator (Milenage) for EAP-AKA
 #CONFIG_USIM_SIMULATOR=y
 # EAP-SAKE
 #CONFIG_EAP_SAKE=y
 # EAP-GPSK
 #CONFIG_EAP_GPSK=y
 # Include support for optional SHA256 cipher suite in EAP-GPSK
 #CONFIG_EAP_GPSK_SHA256=y
 # EAP-TNC and related Trusted Network Connect support (experimental)
 #CONFIG_EAP_TNC=y
 # Wi-Fi Protected Setup (WPS)
 #CONFIG_WPS=y
 # Enable WPS external registrar functionality
 #CONFIG_WPS_ER=y
 # Disable credentials for an open network by default when acting as a WPS
 # registrar.
 #CONFIG_WPS_REG_DISABLE_OPEN=y
 # Enable WPS support with NFC config method
 #CONFIG_WPS_NFC=y
 # EAP-IKEv2
 #CONFIG_EAP_IKEV2=y
 # EAP-EKE
 #CONFIG_EAP_EKE=y
 # MACsec
 #CONFIG_MACSEC=y
 # PKCS#12 (PFX) support (used to read private key and certificate file from
 # a file that usually has extension .p12 or .pfx)
 #CONFIG_PKCS12=y
 # Smartcard support (i.e., private key on a smartcard), e.g., with openssl
 # engine.
 #CONFIG_SMARTCARD=y
 # PC/SC interface for smartcards (USIM, GSM SIM)
 # Enable this if EAP-SIM or EAP-AKA is included
 #CONFIG_PCSC=y
 # Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
 CONFIG_HT_OVERRIDES=y
 # Support VHT overrides (disable VHT, mask MCS rates, etc.)
 CONFIG_VHT_OVERRIDES=y
 # Development testing
 #CONFIG_EAPOL_TEST=y
 # Select control interface backend for external programs, e.g, wpa_cli:
 # unix = UNIX domain sockets (default for Linux/*BSD)
 # udp = UDP sockets using localhost (127.0.0.1)
 # udp6 = UDP IPv6 sockets using localhost (::1)
 # named_pipe = Windows Named Pipe (default for Windows)
 # udp-remote = UDP sockets with remote access (only for tests systems/purpose)
 # udp6-remote = UDP IPv6 sockets with remote access (only for tests purpose)
 # y = use default (backwards compatibility)
 # If this option is commented out, control interface is not included in the
 # build.
 CONFIG_CTRL_IFACE=y
 # Include support for GNU Readline and History Libraries in wpa_cli.
 # When building a wpa_cli binary for distribution, please note that these
 # libraries are licensed under GPL and as such, BSD license may not apply for
 # the resulting binary.
 #CONFIG_READLINE=y
 # Include internal line edit mode in wpa_cli. This can be used as a replacement
 # for GNU Readline to provide limited command line editing and history support.
 #CONFIG_WPA_CLI_EDIT=y
 # Remove debugging code that is printing out debug message to stdout.
 # This can be used to reduce the size of the wpa_supplicant considerably
 # if debugging code is not needed. The size reduction can be around 35%
 # (e.g., 90 kB).
 #CONFIG_NO_STDOUT_DEBUG=y
 # Remove WPA support, e.g., for wired-only IEEE 802.1X supplicant, to save
 # 35-50 kB in code size.
 #CONFIG_NO_WPA=y
 # Remove IEEE 802.11i/WPA-Personal ASCII passphrase support
 # This option can be used to reduce code size by removing support for
 # converting ASCII passphrases into PSK. If this functionality is removed, the
 # PSK can only be configured as the 64-octet hexstring (e.g., from
 # wpa_passphrase). This saves about 0.5 kB in code size.
 #CONFIG_NO_WPA_PASSPHRASE=y
 # Simultaneous Authentication of Equals (SAE), WPA3-Personal
 #CONFIG_SAE=y
 # Disable scan result processing (ap_mode=1) to save code size by about 1 kB.
 # This can be used if ap_scan=1 mode is never enabled.
 #CONFIG_NO_SCAN_PROCESSING=y
 # Select configuration backend:
 # file = text file (e.g., wpa_supplicant.conf; note: the configuration file
 #	path is given on command line, not here; this option is just used to
 #	select the backend that allows configuration files to be used)
 # winreg = Windows registry (see win_example.reg for an example)
 CONFIG_BACKEND=file
 # Remove configuration write functionality (i.e., to allow the configuration
 # file to be updated based on runtime configuration changes). The runtime
 # configuration can still be changed, the changes are just not going to be
 # persistent over restarts. This option can be used to reduce code size by
 # about 3.5 kB.
 CONFIG_NO_CONFIG_WRITE=y
 # Remove support for configuration blobs to reduce code size by about 1.5 kB.
 #CONFIG_NO_CONFIG_BLOBS=y
 # Select program entry point implementation:
 # main = UNIX/POSIX like main() function (default)
 # main_winsvc = Windows service (read parameters from registry)
 # main_none = Very basic example (development use only)
 #CONFIG_MAIN=main
 # Select wrapper for operating system and C library specific functions
 # unix = UNIX/POSIX like systems (default)
 # win32 = Windows systems
 # none = Empty template
 #CONFIG_OS=unix
 # Select event loop implementation
 # eloop = select() loop (default)
 # eloop_win = Windows events and WaitForMultipleObject() loop
 #CONFIG_ELOOP=eloop
 # Should we use poll instead of select? Select is used by default.
 #CONFIG_ELOOP_POLL=y
 # Should we use epoll instead of select? Select is used by default.
 CONFIG_ELOOP_EPOLL=y
 # Should we use kqueue instead of select? Select is used by default.
 #CONFIG_ELOOP_KQUEUE=y
 # Select layer 2 packet implementation
 # linux = Linux packet socket (default)
 # pcap = libpcap/libdnet/WinPcap
 # freebsd = FreeBSD libpcap
 # winpcap = WinPcap with receive thread
 # ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y)
 # none = Empty template
 #CONFIG_L2_PACKET=linux
 # Disable Linux packet socket workaround applicable for station interface
 # in a bridge for EAPOL frames. This should be uncommented only if the kernel
 # is known to not have the regression issue in packet socket behavior with
 # bridge interfaces (commit 'bridge: respect RFC2863 operational state')').
 CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
 # IEEE 802.11w (management frame protection), also known as PMF
 # Driver support is also needed for IEEE 802.11w.
 #CONFIG_IEEE80211W=y
 # Support Operating Channel Validation
 #CONFIG_OCV=y
 # Select TLS implementation
 # openssl = OpenSSL (default)
 # gnutls = GnuTLS
 # internal = Internal TLSv1 implementation (experimental)
 # linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
 # none = Empty template
 CONFIG_TLS=internal
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
 # can be enabled to get a stronger construction of messages when block ciphers
 # are used. It should be noted that some existing TLS v1.0 -based
 # implementation may not be compatible with TLS v1.1 message (ClientHello is
 # sent prior to negotiating which version will be used)
 #CONFIG_TLSV11=y
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
 # can be enabled to enable use of stronger crypto algorithms. It should be
 # noted that some existing TLS v1.0 -based implementation may not be compatible
 # with TLS v1.2 message (ClientHello is sent prior to negotiating which version
 # will be used)
 #CONFIG_TLSV12=y
 # Select which ciphers to use by default with OpenSSL if the user does not
 # specify them.
 #CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
 # LibTomMath can be used. See beginning of libtommath.c for details on benefits
 # and drawbacks of this option.
 #CONFIG_INTERNAL_LIBTOMMATH=y
 #ifndef CONFIG_INTERNAL_LIBTOMMATH
 #LTM_PATH=/usr/src/libtommath-0.39
 #CFLAGS += -I$(LTM_PATH)
 #LIBS += -L$(LTM_PATH)
 #LIBS_p += -L$(LTM_PATH)
 #endif
 # At the cost of about 4 kB of additional binary size, the internal LibTomMath
 # can be configured to include faster routines for exptmod, sqr, and div to
 # speed up DH and RSA calculation considerably
 #CONFIG_INTERNAL_LIBTOMMATH_FAST=y
 # Include NDIS event processing through WMI into wpa_supplicant/wpasvc.
 # This is only for Windows builds and requires WMI-related header files and
 # WbemUuid.Lib from Platform SDK even when building with MinGW.
 #CONFIG_NDIS_EVENTS_INTEGRATED=y
 #PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
 # Add support for new DBus control interface
 # (fi.w1.hostap.wpa_supplicant1)
 #CONFIG_CTRL_IFACE_DBUS_NEW=y
 # Add introspection support for new DBus control interface
 #CONFIG_CTRL_IFACE_DBUS_INTRO=y
 # Add support for loading EAP methods dynamically as shared libraries.
 # When this option is enabled, each EAP method can be either included
 # statically (CONFIG_EAP_<method>=y) or dynamically (CONFIG_EAP_<method>=dyn).
 # Dynamic EAP methods are build as shared objects (eap_*.so) and they need to
 # be loaded in the beginning of the wpa_supplicant configuration file
 # (see load_dynamic_eap parameter in the example file) before being used in
 # the network blocks.
 #
 # Note that some shared parts of EAP methods are included in the main program
 # and in order to be able to use dynamic EAP methods using these parts, the
 # main program must have been build with the EAP method enabled (=y or =dyn).
 # This means that EAP-TLS/PEAP/TTLS/FAST cannot be added as dynamic libraries
 # unless at least one of them was included in the main build to force inclusion
 # of the shared code. Similarly, at least one of EAP-SIM/AKA must be included
 # in the main build to be able to load these methods dynamically.
 #
 # Please also note that using dynamic libraries will increase the total binary
 # size. Thus, it may not be the best option for targets that have limited
 # amount of memory/flash.
 #CONFIG_DYNAMIC_EAP_METHODS=y
 # IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
 #CONFIG_IEEE80211R=y
 # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
 #CONFIG_DEBUG_FILE=y
 # Send debug messages to syslog instead of stdout
 CONFIG_DEBUG_SYSLOG=y
 # Set syslog facility for debug messages
 CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
 # Add support for sending all debug messages (regardless of debug verbosity)
 # to the Linux kernel tracing facility. This helps debug the entire stack by
 # making it easy to record everything happening from the driver up into the
 # same file, e.g., using trace-cmd.
 #CONFIG_DEBUG_LINUX_TRACING=y
 # Add support for writing debug log to Android logcat instead of standard
 # output
 #CONFIG_ANDROID_LOG=y
 # Enable privilege separation (see README 'Privilege separation' for details)
 #CONFIG_PRIVSEP=y
 # Enable mitigation against certain attacks against TKIP by delaying Michael
 # MIC error reports by a random amount of time between 0 and 60 seconds
 #CONFIG_DELAYED_MIC_ERROR_REPORT=y
 # Enable tracing code for developer debugging
 # This tracks use of memory allocations and other registrations and reports
 # incorrect use with a backtrace of call (or allocation) location.
 #CONFIG_WPA_TRACE=y
 # For BSD, uncomment these.
 #LIBS += -lexecinfo
 #LIBS_p += -lexecinfo
 #LIBS_c += -lexecinfo
 # Use libbfd to get more details for developer debugging
 # This enables use of libbfd to get more detailed symbols for the backtraces
 # generated by CONFIG_WPA_TRACE=y.
 #CONFIG_WPA_TRACE_BFD=y
 # For BSD, uncomment these.
 #LIBS += -lbfd -liberty -lz
 #LIBS_p += -lbfd -liberty -lz
 #LIBS_c += -lbfd -liberty -lz
 # wpa_supplicant depends on strong random number generation being available
 # from the operating system. os_get_random() function is used to fetch random
 # data when needed, e.g., for key generation. On Linux and BSD systems, this
 # works by reading /dev/urandom. It should be noted that the OS entropy pool
 # needs to be properly initialized before wpa_supplicant is started. This is
 # important especially on embedded devices that do not have a hardware random
 # number generator and may by default start up with minimal entropy available
 # for random number generation.
 #
 # As a safety net, wpa_supplicant is by default trying to internally collect
 # additional entropy for generating random data to mix in with the data fetched
 # from the OS. This by itself is not considered to be very strong, but it may
 # help in cases where the system pool is not initialized properly. However, it
 # is very strongly recommended that the system pool is initialized with enough
 # entropy either by using hardware assisted random number generator or by
 # storing state over device reboots.
 #
 # wpa_supplicant can be configured to maintain its own entropy store over
 # restarts to enhance random number generation. This is not perfect, but it is
 # much more secure than using the same sequence of random numbers after every
 # reboot. This can be enabled with -e<entropy file> command line option. The
 # specified file needs to be readable and writable by wpa_supplicant.
 #
 # If the os_get_random() is known to provide strong random data (e.g., on
 # Linux/BSD, the board in question is known to have reliable source of random
 # data from /dev/urandom), the internal wpa_supplicant random pool can be
 # disabled. This will save some in binary size and CPU use. However, this
 # should only be considered for builds that are known to be used on devices
 # that meet the requirements described above.
 CONFIG_NO_RANDOM_POOL=y
 # Should we attempt to use the getrandom(2) call that provides more reliable
 # yet secure randomness source than /dev/random on Linux 3.17 and newer.
 # Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
 CONFIG_GETRANDOM=y
 # IEEE 802.11n (High Throughput) support (mainly for AP mode)
 #CONFIG_IEEE80211N=y
 # IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
 # (depends on CONFIG_IEEE80211N)
 #CONFIG_IEEE80211AC=y
 # Wireless Network Management (IEEE Std 802.11v-2011)
 # Note: This is experimental and not complete implementation.
 #CONFIG_WNM=y
 # Interworking (IEEE 802.11u)
 # This can be used to enable functionality to improve interworking with
 # external networks (GAS/ANQP to learn more about the networks and network
 # selection based on available credentials).
 #CONFIG_INTERWORKING=y
 # Hotspot 2.0
 #CONFIG_HS20=y
 # Enable interface matching in wpa_supplicant
 #CONFIG_MATCH_IFACE=y
 # Disable roaming in wpa_supplicant
 #CONFIG_NO_ROAMING=y
 # AP mode operations with wpa_supplicant
 # This can be used for controlling AP mode operations with wpa_supplicant. It
 # should be noted that this is mainly aimed at simple cases like
 # WPA2-Personal while more complex configurations like WPA2-Enterprise with an
 # external RADIUS server can be supported with hostapd.
 #CONFIG_AP=y
 # P2P (Wi-Fi Direct)
 # This can be used to enable P2P support in wpa_supplicant. See README-P2P for
 # more information on P2P operations.
 #CONFIG_P2P=y
 # Enable TDLS support
 #CONFIG_TDLS=y
 # Wi-Fi Display
 # This can be used to enable Wi-Fi Display extensions for P2P using an external
 # program to control the additional information exchanges in the messages.
 #CONFIG_WIFI_DISPLAY=y
 # Autoscan
 # This can be used to enable automatic scan support in wpa_supplicant.
 # See wpa_supplicant.conf for more information on autoscan usage.
 #
 # Enabling directly a module will enable autoscan support.
 # For exponential module:
 #CONFIG_AUTOSCAN_EXPONENTIAL=y
 # For periodic module:
 #CONFIG_AUTOSCAN_PERIODIC=y
 # Password (and passphrase, etc.) backend for external storage
 # These optional mechanisms can be used to add support for storing passwords
 # and other secrets in external (to wpa_supplicant) location. This allows, for
 # example, operating system specific key storage to be used
 #
 # External password backend for testing purposes (developer use)
 #CONFIG_EXT_PASSWORD_TEST=y
 # Enable Fast Session Transfer (FST)
 #CONFIG_FST=y
 # Enable CLI commands for FST testing
 #CONFIG_FST_TEST=y
 # OS X builds. This is only for building eapol_test.
 #CONFIG_OSX=y
 # Automatic Channel Selection
 # This will allow wpa_supplicant to pick the channel automatically when channel
 # is set to "0".
 #
 # TODO: Extend parser to be able to parse "channel=acs_survey" as an alternative
 # to "channel=0". This would enable us to eventually add other ACS algorithms in
 # similar way.
 #
 # Automatic selection is currently only done through initialization, later on
 # we hope to do background checks to keep us moving to more ideal channels as
 # time goes by. ACS is currently only supported through the nl80211 driver and
 # your driver must have survey dump capability that is filled by the driver
 # during scanning.
 #
 # TODO: In analogy to hostapd be able to customize the ACS survey algorithm with
 # a newly to create wpa_supplicant.conf variable acs_num_scans.
 #
 # Supported ACS drivers:
 # * ath9k
 # * ath5k
 # * ath10k
 #
 # For more details refer to:
 # http://wireless.kernel.org/en/users/Documentation/acs
 #CONFIG_ACS=y
 # Support Multi Band Operation
 #CONFIG_MBO=y
 # Fast Initial Link Setup (FILS) (IEEE 802.11ai)
 #CONFIG_FILS=y
 # FILS shared key authentication with PFS
 #CONFIG_FILS_SK_PFS=y
 # Support RSN on IBSS networks
 # This is needed to be able to use mode=1 network profile with proto=RSN and
 # key_mgmt=WPA-PSK (i.e., full key management instead of WPA-None).
 #CONFIG_IBSS_RSN=y
 # External PMKSA cache control
 # This can be used to enable control interface commands that allow the current
 # PMKSA cache entries to be fetched and new entries to be added.
 #CONFIG_PMKSA_CACHE_EXTERNAL=y
 # Mesh Networking (IEEE 802.11s)
 #CONFIG_MESH=y
 # Background scanning modules
 # These can be used to request wpa_supplicant to perform background scanning
 # operations for roaming within an ESS (same SSID). See the bgscan parameter in
 # the wpa_supplicant.conf file for more details.
 # Periodic background scans based on signal strength
 #CONFIG_BGSCAN_SIMPLE=y
 # Learn channels used by the network and try to avoid bgscans on other
 # channels (experimental)
 #CONFIG_BGSCAN_LEARN=y
 # Opportunistic Wireless Encryption (OWE)
 # Experimental implementation of draft-harkins-owe-07.txt
 #CONFIG_OWE=y
 # Device Provisioning Protocol (DPP)
 # This requires CONFIG_IEEE80211W=y to be enabled, too. (see
 # wpa_supplicant/README-DPP for details)
 #CONFIG_DPP=y
 # uBus IPC/RPC System
 # Services can connect to the bus and provide methods
 # that can be called by other services or clients.
 CONFIG_UBUS=y
 # OpenWrt patch 380-disable-ctrl-iface-mib.patch
 # leads to the MIB only being compiled in if
 # CONFIG_CTRL_IFACE_MIB is enabled.
 #CONFIG_CTRL_IFACE_MIB=y
--- a/feeds/hostapd/hostapd/files/wpa_supplicant-p2p.config
+++ b/feeds/hostapd/hostapd/files/wpa_supplicant-p2p.config
@@ -0,0 +1,625 @@
 # Example wpa_supplicant build time configuration
 #
 # This file lists the configuration options that are used when building the
 # wpa_supplicant binary. All lines starting with # are ignored. Configuration
 # option lines must be commented out complete, if they are not to be included,
 # i.e., just setting VARIABLE=n is not disabling that variable.
 #
 # This file is included in Makefile, so variables like CFLAGS and LIBS can also
 # be modified from here. In most cases, these lines should use += in order not
 # to override previous values of the variables.
 # Uncomment following two lines and fix the paths if you have installed OpenSSL
 # or GnuTLS in non-default location
 #CFLAGS += -I/usr/local/openssl/include
 #LIBS += -L/usr/local/openssl/lib
 # Some Red Hat versions seem to include kerberos header files from OpenSSL, but
 # the kerberos files are not in the default include path. Following line can be
 # used to fix build issues on such systems (krb5.h not found).
 #CFLAGS += -I/usr/include/kerberos
 # Driver interface for generic Linux wireless extensions
 # Note: WEXT is deprecated in the current Linux kernel version and no new
 # functionality is added to it. nl80211-based interface is the new
 # replacement for WEXT and its use allows wpa_supplicant to properly control
 # the driver to improve existing functionality like roaming and to support new
 # functionality.
 #CONFIG_DRIVER_WEXT=y
 # Driver interface for Linux drivers using the nl80211 kernel interface
 CONFIG_DRIVER_NL80211=y
 # QCA vendor extensions to nl80211
 #CONFIG_DRIVER_NL80211_QCA=y
 # driver_nl80211.c requires libnl. If you are compiling it yourself
 # you may need to point hostapd to your version of libnl.
 #
 #CFLAGS += -I$<path to libnl include files>
 #LIBS += -L$<path to libnl library files>
 # Use libnl v2.0 (or 3.0) libraries.
 #CONFIG_LIBNL20=y
 # Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
 #CONFIG_LIBNL32=y
 # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
 #CONFIG_DRIVER_BSD=y
 #CFLAGS += -I/usr/local/include
 #LIBS += -L/usr/local/lib
 #LIBS_p += -L/usr/local/lib
 #LIBS_c += -L/usr/local/lib
 # Driver interface for Windows NDIS
 #CONFIG_DRIVER_NDIS=y
 #CFLAGS += -I/usr/include/w32api/ddk
 #LIBS += -L/usr/local/lib
 # For native build using mingw
 #CONFIG_NATIVE_WINDOWS=y
 # Additional directories for cross-compilation on Linux host for mingw target
 #CFLAGS += -I/opt/mingw/mingw32/include/ddk
 #LIBS += -L/opt/mingw/mingw32/lib
 #CC=mingw32-gcc
 # By default, driver_ndis uses WinPcap for low-level operations. This can be
 # replaced with the following option which replaces WinPcap calls with NDISUIO.
 # However, this requires that WZC is disabled (net stop wzcsvc) before starting
 # wpa_supplicant.
 # CONFIG_USE_NDISUIO=y
 # Driver interface for wired Ethernet drivers
 CONFIG_DRIVER_WIRED=y
 # Driver interface for MACsec capable Qualcomm Atheros drivers
 #CONFIG_DRIVER_MACSEC_QCA=y
 # Driver interface for Linux MACsec drivers
 #CONFIG_DRIVER_MACSEC_LINUX=y
 # Driver interface for the Broadcom RoboSwitch family
 #CONFIG_DRIVER_ROBOSWITCH=y
 # Driver interface for no driver (e.g., WPS ER only)
 #CONFIG_DRIVER_NONE=y
 # Solaris libraries
 #LIBS += -lsocket -ldlpi -lnsl
 #LIBS_c += -lsocket
 # Enable IEEE 802.1X Supplicant (automatically included if any EAP method or
 # MACsec is included)
 CONFIG_IEEE8021X_EAPOL=y
 # EAP-MD5
 CONFIG_EAP_MD5=y
 # EAP-MSCHAPv2
 CONFIG_EAP_MSCHAPV2=y
 # EAP-TLS
 CONFIG_EAP_TLS=y
 # EAL-PEAP
 CONFIG_EAP_PEAP=y
 # EAP-TTLS
 CONFIG_EAP_TTLS=y
 # EAP-FAST
 CONFIG_EAP_FAST=y
 # EAP-TEAP
 # Note: The current EAP-TEAP implementation is experimental and should not be
 # enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
 # of conflicting statements and missing details and the implementation has
 # vendor specific workarounds for those and as such, may not interoperate with
 # any other implementation. This should not be used for anything else than
 # experimentation and interoperability testing until those issues has been
 # resolved.
 #CONFIG_EAP_TEAP=y
 # EAP-GTC
 CONFIG_EAP_GTC=y
 # EAP-OTP
 CONFIG_EAP_OTP=y
 # EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
 #CONFIG_EAP_SIM=y
 # Enable SIM simulator (Milenage) for EAP-SIM
 #CONFIG_SIM_SIMULATOR=y
 # EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
 #CONFIG_EAP_PSK=y
 # EAP-pwd (secure authentication using only a password)
 #CONFIG_EAP_PWD=y
 # EAP-PAX
 #CONFIG_EAP_PAX=y
 # LEAP
 CONFIG_EAP_LEAP=y
 # EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
 #CONFIG_EAP_AKA=y
 # EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used).
 # This requires CONFIG_EAP_AKA to be enabled, too.
 #CONFIG_EAP_AKA_PRIME=y
 # Enable USIM simulator (Milenage) for EAP-AKA
 #CONFIG_USIM_SIMULATOR=y
 # EAP-SAKE
 #CONFIG_EAP_SAKE=y
 # EAP-GPSK
 #CONFIG_EAP_GPSK=y
 # Include support for optional SHA256 cipher suite in EAP-GPSK
 #CONFIG_EAP_GPSK_SHA256=y
 # EAP-TNC and related Trusted Network Connect support (experimental)
 #CONFIG_EAP_TNC=y
 # Wi-Fi Protected Setup (WPS)
 CONFIG_WPS=y
 # Enable WPS external registrar functionality
 #CONFIG_WPS_ER=y
 # Disable credentials for an open network by default when acting as a WPS
 # registrar.
 #CONFIG_WPS_REG_DISABLE_OPEN=y
 # Enable WPS support with NFC config method
 #CONFIG_WPS_NFC=y
 # EAP-IKEv2
 #CONFIG_EAP_IKEV2=y
 # EAP-EKE
 #CONFIG_EAP_EKE=y
 # MACsec
 #CONFIG_MACSEC=y
 # PKCS#12 (PFX) support (used to read private key and certificate file from
 # a file that usually has extension .p12 or .pfx)
 CONFIG_PKCS12=y
 # Smartcard support (i.e., private key on a smartcard), e.g., with openssl
 # engine.
 CONFIG_SMARTCARD=y
 # PC/SC interface for smartcards (USIM, GSM SIM)
 # Enable this if EAP-SIM or EAP-AKA is included
 #CONFIG_PCSC=y
 # Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
 CONFIG_HT_OVERRIDES=y
 # Support VHT overrides (disable VHT, mask MCS rates, etc.)
 CONFIG_VHT_OVERRIDES=y
 # Development testing
 #CONFIG_EAPOL_TEST=y
 # Select control interface backend for external programs, e.g, wpa_cli:
 # unix = UNIX domain sockets (default for Linux/*BSD)
 # udp = UDP sockets using localhost (127.0.0.1)
 # udp6 = UDP IPv6 sockets using localhost (::1)
 # named_pipe = Windows Named Pipe (default for Windows)
 # udp-remote = UDP sockets with remote access (only for tests systems/purpose)
 # udp6-remote = UDP IPv6 sockets with remote access (only for tests purpose)
 # y = use default (backwards compatibility)
 # If this option is commented out, control interface is not included in the
 # build.
 CONFIG_CTRL_IFACE=y
 # Include support for GNU Readline and History Libraries in wpa_cli.
 # When building a wpa_cli binary for distribution, please note that these
 # libraries are licensed under GPL and as such, BSD license may not apply for
 # the resulting binary.
 #CONFIG_READLINE=y
 # Include internal line edit mode in wpa_cli. This can be used as a replacement
 # for GNU Readline to provide limited command line editing and history support.
 #CONFIG_WPA_CLI_EDIT=y
 # Remove debugging code that is printing out debug message to stdout.
 # This can be used to reduce the size of the wpa_supplicant considerably
 # if debugging code is not needed. The size reduction can be around 35%
 # (e.g., 90 kB).
 #CONFIG_NO_STDOUT_DEBUG=y
 # Remove WPA support, e.g., for wired-only IEEE 802.1X supplicant, to save
 # 35-50 kB in code size.
 #CONFIG_NO_WPA=y
 # Remove IEEE 802.11i/WPA-Personal ASCII passphrase support
 # This option can be used to reduce code size by removing support for
 # converting ASCII passphrases into PSK. If this functionality is removed, the
 # PSK can only be configured as the 64-octet hexstring (e.g., from
 # wpa_passphrase). This saves about 0.5 kB in code size.
 #CONFIG_NO_WPA_PASSPHRASE=y
 # Simultaneous Authentication of Equals (SAE), WPA3-Personal
 #CONFIG_SAE=y
 # Disable scan result processing (ap_mode=1) to save code size by about 1 kB.
 # This can be used if ap_scan=1 mode is never enabled.
 #CONFIG_NO_SCAN_PROCESSING=y
 # Select configuration backend:
 # file = text file (e.g., wpa_supplicant.conf; note: the configuration file
 #	path is given on command line, not here; this option is just used to
 #	select the backend that allows configuration files to be used)
 # winreg = Windows registry (see win_example.reg for an example)
 CONFIG_BACKEND=file
 # Remove configuration write functionality (i.e., to allow the configuration
 # file to be updated based on runtime configuration changes). The runtime
 # configuration can still be changed, the changes are just not going to be
 # persistent over restarts. This option can be used to reduce code size by
 # about 3.5 kB.
 #CONFIG_NO_CONFIG_WRITE=y
 # Remove support for configuration blobs to reduce code size by about 1.5 kB.
 #CONFIG_NO_CONFIG_BLOBS=y
 # Select program entry point implementation:
 # main = UNIX/POSIX like main() function (default)
 # main_winsvc = Windows service (read parameters from registry)
 # main_none = Very basic example (development use only)
 #CONFIG_MAIN=main
 # Select wrapper for operating system and C library specific functions
 # unix = UNIX/POSIX like systems (default)
 # win32 = Windows systems
 # none = Empty template
 #CONFIG_OS=unix
 # Select event loop implementation
 # eloop = select() loop (default)
 # eloop_win = Windows events and WaitForMultipleObject() loop
 #CONFIG_ELOOP=eloop
 # Should we use poll instead of select? Select is used by default.
 #CONFIG_ELOOP_POLL=y
 # Should we use epoll instead of select? Select is used by default.
 CONFIG_ELOOP_EPOLL=y
 # Should we use kqueue instead of select? Select is used by default.
 #CONFIG_ELOOP_KQUEUE=y
 # Select layer 2 packet implementation
 # linux = Linux packet socket (default)
 # pcap = libpcap/libdnet/WinPcap
 # freebsd = FreeBSD libpcap
 # winpcap = WinPcap with receive thread
 # ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y)
 # none = Empty template
 #CONFIG_L2_PACKET=linux
 # Disable Linux packet socket workaround applicable for station interface
 # in a bridge for EAPOL frames. This should be uncommented only if the kernel
 # is known to not have the regression issue in packet socket behavior with
 # bridge interfaces (commit 'bridge: respect RFC2863 operational state')').
 CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
 # IEEE 802.11w (management frame protection), also known as PMF
 # Driver support is also needed for IEEE 802.11w.
 CONFIG_IEEE80211W=y
 # Support Operating Channel Validation
 #CONFIG_OCV=y
 # Select TLS implementation
 # openssl = OpenSSL (default)
 # gnutls = GnuTLS
 # internal = Internal TLSv1 implementation (experimental)
 # linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
 # none = Empty template
 CONFIG_TLS=internal
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
 # can be enabled to get a stronger construction of messages when block ciphers
 # are used. It should be noted that some existing TLS v1.0 -based
 # implementation may not be compatible with TLS v1.1 message (ClientHello is
 # sent prior to negotiating which version will be used)
 #CONFIG_TLSV11=y
 # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
 # can be enabled to enable use of stronger crypto algorithms. It should be
 # noted that some existing TLS v1.0 -based implementation may not be compatible
 # with TLS v1.2 message (ClientHello is sent prior to negotiating which version
 # will be used)
 #CONFIG_TLSV12=y
 # Select which ciphers to use by default with OpenSSL if the user does not
 # specify them.
 #CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
 # If CONFIG_TLS=internal is used, additional library and include paths are
 # needed for LibTomMath. Alternatively, an integrated, minimal version of
 # LibTomMath can be used. See beginning of libtommath.c for details on benefits
 # and drawbacks of this option.
 CONFIG_INTERNAL_LIBTOMMATH=y
 #ifndef CONFIG_INTERNAL_LIBTOMMATH
 #LTM_PATH=/usr/src/libtommath-0.39
 #CFLAGS += -I$(LTM_PATH)
 #LIBS += -L$(LTM_PATH)
 #LIBS_p += -L$(LTM_PATH)
 #endif
 # At the cost of about 4 kB of additional binary size, the internal LibTomMath
 # can be configured to include faster routines for exptmod, sqr, and div to
 # speed up DH and RSA calculation considerably
 CONFIG_INTERNAL_LIBTOMMATH_FAST=y
 # Include NDIS event processing through WMI into wpa_supplicant/wpasvc.
 # This is only for Windows builds and requires WMI-related header files and
 # WbemUuid.Lib from Platform SDK even when building with MinGW.
 #CONFIG_NDIS_EVENTS_INTEGRATED=y
 #PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
 # Add support for new DBus control interface
 # (fi.w1.hostap.wpa_supplicant1)
 #CONFIG_CTRL_IFACE_DBUS_NEW=y
 # Add introspection support for new DBus control interface
 #CONFIG_CTRL_IFACE_DBUS_INTRO=y
 # Add support for loading EAP methods dynamically as shared libraries.
 # When this option is enabled, each EAP method can be either included
 # statically (CONFIG_EAP_<method>=y) or dynamically (CONFIG_EAP_<method>=dyn).
 # Dynamic EAP methods are build as shared objects (eap_*.so) and they need to
 # be loaded in the beginning of the wpa_supplicant configuration file
 # (see load_dynamic_eap parameter in the example file) before being used in
 # the network blocks.
 #
 # Note that some shared parts of EAP methods are included in the main program
 # and in order to be able to use dynamic EAP methods using these parts, the
 # main program must have been build with the EAP method enabled (=y or =dyn).
 # This means that EAP-TLS/PEAP/TTLS/FAST cannot be added as dynamic libraries
 # unless at least one of them was included in the main build to force inclusion
 # of the shared code. Similarly, at least one of EAP-SIM/AKA must be included
 # in the main build to be able to load these methods dynamically.
 #
 # Please also note that using dynamic libraries will increase the total binary
 # size. Thus, it may not be the best option for targets that have limited
 # amount of memory/flash.
 #CONFIG_DYNAMIC_EAP_METHODS=y
 # IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
 #CONFIG_IEEE80211R=y
 # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
 #CONFIG_DEBUG_FILE=y
 # Send debug messages to syslog instead of stdout
 CONFIG_DEBUG_SYSLOG=y
 # Set syslog facility for debug messages
 CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
 # Add support for sending all debug messages (regardless of debug verbosity)
 # to the Linux kernel tracing facility. This helps debug the entire stack by
 # making it easy to record everything happening from the driver up into the
 # same file, e.g., using trace-cmd.
 #CONFIG_DEBUG_LINUX_TRACING=y
 # Add support for writing debug log to Android logcat instead of standard
 # output
 #CONFIG_ANDROID_LOG=y
 # Enable privilege separation (see README 'Privilege separation' for details)
 #CONFIG_PRIVSEP=y
 # Enable mitigation against certain attacks against TKIP by delaying Michael
 # MIC error reports by a random amount of time between 0 and 60 seconds
 #CONFIG_DELAYED_MIC_ERROR_REPORT=y
 # Enable tracing code for developer debugging
 # This tracks use of memory allocations and other registrations and reports
 # incorrect use with a backtrace of call (or allocation) location.
 #CONFIG_WPA_TRACE=y
 # For BSD, uncomment these.
 #LIBS += -lexecinfo
 #LIBS_p += -lexecinfo
 #LIBS_c += -lexecinfo
 # Use libbfd to get more details for developer debugging
 # This enables use of libbfd to get more detailed symbols for the backtraces
 # generated by CONFIG_WPA_TRACE=y.
 #CONFIG_WPA_TRACE_BFD=y
 # For BSD, uncomment these.
 #LIBS += -lbfd -liberty -lz
 #LIBS_p += -lbfd -liberty -lz
 #LIBS_c += -lbfd -liberty -lz
 # wpa_supplicant depends on strong random number generation being available
 # from the operating system. os_get_random() function is used to fetch random
 # data when needed, e.g., for key generation. On Linux and BSD systems, this
 # works by reading /dev/urandom. It should be noted that the OS entropy pool
 # needs to be properly initialized before wpa_supplicant is started. This is
 # important especially on embedded devices that do not have a hardware random
 # number generator and may by default start up with minimal entropy available
 # for random number generation.
 #
 # As a safety net, wpa_supplicant is by default trying to internally collect
 # additional entropy for generating random data to mix in with the data fetched
 # from the OS. This by itself is not considered to be very strong, but it may
 # help in cases where the system pool is not initialized properly. However, it
 # is very strongly recommended that the system pool is initialized with enough
 # entropy either by using hardware assisted random number generator or by
 # storing state over device reboots.
 #
 # wpa_supplicant can be configured to maintain its own entropy store over
 # restarts to enhance random number generation. This is not perfect, but it is
 # much more secure than using the same sequence of random numbers after every
 # reboot. This can be enabled with -e<entropy file> command line option. The
 # specified file needs to be readable and writable by wpa_supplicant.
 #
 # If the os_get_random() is known to provide strong random data (e.g., on
 # Linux/BSD, the board in question is known to have reliable source of random
 # data from /dev/urandom), the internal wpa_supplicant random pool can be
 # disabled. This will save some in binary size and CPU use. However, this
 # should only be considered for builds that are known to be used on devices
 # that meet the requirements described above.
 CONFIG_NO_RANDOM_POOL=y
 # Should we attempt to use the getrandom(2) call that provides more reliable
 # yet secure randomness source than /dev/random on Linux 3.17 and newer.
 # Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
 CONFIG_GETRANDOM=y
 # IEEE 802.11n (High Throughput) support (mainly for AP mode)
 #CONFIG_IEEE80211N=y
 # IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
 # (depends on CONFIG_IEEE80211N)
 #CONFIG_IEEE80211AC=y
 # Wireless Network Management (IEEE Std 802.11v-2011)
 # Note: This is experimental and not complete implementation.
 #CONFIG_WNM=y
 # Interworking (IEEE 802.11u)
 # This can be used to enable functionality to improve interworking with
 # external networks (GAS/ANQP to learn more about the networks and network
 # selection based on available credentials).
 #CONFIG_INTERWORKING=y
 # Hotspot 2.0
 #CONFIG_HS20=y
 # Enable interface matching in wpa_supplicant
 #CONFIG_MATCH_IFACE=y
 # Disable roaming in wpa_supplicant
 #CONFIG_NO_ROAMING=y
 # AP mode operations with wpa_supplicant
 # This can be used for controlling AP mode operations with wpa_supplicant. It
 # should be noted that this is mainly aimed at simple cases like
 # WPA2-Personal while more complex configurations like WPA2-Enterprise with an
 # external RADIUS server can be supported with hostapd.
 CONFIG_AP=y
 # P2P (Wi-Fi Direct)
 # This can be used to enable P2P support in wpa_supplicant. See README-P2P for
 # more information on P2P operations.
 CONFIG_P2P=y
 # Enable TDLS support
 #CONFIG_TDLS=y
 # Wi-Fi Display
 # This can be used to enable Wi-Fi Display extensions for P2P using an external
 # program to control the additional information exchanges in the messages.
 #CONFIG_WIFI_DISPLAY=y
 # Autoscan
 # This can be used to enable automatic scan support in wpa_supplicant.
 # See wpa_supplicant.conf for more information on autoscan usage.
 #
 # Enabling directly a module will enable autoscan support.
 # For exponential module:
 #CONFIG_AUTOSCAN_EXPONENTIAL=y
 # For periodic module:
 #CONFIG_AUTOSCAN_PERIODIC=y
 # Password (and passphrase, etc.) backend for external storage
 # These optional mechanisms can be used to add support for storing passwords
 # and other secrets in external (to wpa_supplicant) location. This allows, for
 # example, operating system specific key storage to be used
 #
 # External password backend for testing purposes (developer use)
 #CONFIG_EXT_PASSWORD_TEST=y
 # Enable Fast Session Transfer (FST)
 #CONFIG_FST=y
 # Enable CLI commands for FST testing
 #CONFIG_FST_TEST=y
 # OS X builds. This is only for building eapol_test.
 #CONFIG_OSX=y
 # Automatic Channel Selection
 # This will allow wpa_supplicant to pick the channel automatically when channel
 # is set to "0".
 #
 # TODO: Extend parser to be able to parse "channel=acs_survey" as an alternative
 # to "channel=0". This would enable us to eventually add other ACS algorithms in
 # similar way.
 #
 # Automatic selection is currently only done through initialization, later on
 # we hope to do background checks to keep us moving to more ideal channels as
 # time goes by. ACS is currently only supported through the nl80211 driver and
 # your driver must have survey dump capability that is filled by the driver
 # during scanning.
 #
 # TODO: In analogy to hostapd be able to customize the ACS survey algorithm with
 # a newly to create wpa_supplicant.conf variable acs_num_scans.
 #
 # Supported ACS drivers:
 # * ath9k
 # * ath5k
 # * ath10k
 #
 # For more details refer to:
 # http://wireless.kernel.org/en/users/Documentation/acs
 #CONFIG_ACS=y
 # Support Multi Band Operation
 #CONFIG_MBO=y
 # Fast Initial Link Setup (FILS) (IEEE 802.11ai)
 CONFIG_FILS=y
 # FILS shared key authentication with PFS
 #CONFIG_FILS_SK_PFS=y
 # Support RSN on IBSS networks
 # This is needed to be able to use mode=1 network profile with proto=RSN and
 # key_mgmt=WPA-PSK (i.e., full key management instead of WPA-None).
 CONFIG_IBSS_RSN=y
 # External PMKSA cache control
 # This can be used to enable control interface commands that allow the current
 # PMKSA cache entries to be fetched and new entries to be added.
 #CONFIG_PMKSA_CACHE_EXTERNAL=y
 # Mesh Networking (IEEE 802.11s)
 #CONFIG_MESH=y
 # Background scanning modules
 # These can be used to request wpa_supplicant to perform background scanning
 # operations for roaming within an ESS (same SSID). See the bgscan parameter in
 # the wpa_supplicant.conf file for more details.
 # Periodic background scans based on signal strength
 #CONFIG_BGSCAN_SIMPLE=y
 # Learn channels used by the network and try to avoid bgscans on other
 # channels (experimental)
 #CONFIG_BGSCAN_LEARN=y
 # Opportunistic Wireless Encryption (OWE)
 # Experimental implementation of draft-harkins-owe-07.txt
 #CONFIG_OWE=y
 # Device Provisioning Protocol (DPP)
 # This requires CONFIG_IEEE80211W=y to be enabled, too. (see
 # wpa_supplicant/README-DPP for details)
 #CONFIG_DPP=y
 # uBus IPC/RPC System
 # Services can connect to the bus and provide methods
 # that can be called by other services or clients.
 CONFIG_UBUS=y
 # OpenWrt patch 380-disable-ctrl-iface-mib.patch
 # leads to the MIB only being compiled in if
 # CONFIG_CTRL_IFACE_MIB is enabled.
 CONFIG_CTRL_IFACE_MIB=y
--- a/feeds/hostapd/hostapd/files/wpa_supplicant.uc
+++ b/feeds/hostapd/hostapd/files/wpa_supplicant.uc
--- a/feeds/hostapd/hostapd/files/wpad.init
+++ b/feeds/hostapd/hostapd/files/wpad.init
--- a/feeds/hostapd/hostapd/files/wpad.json
+++ b/feeds/hostapd/hostapd/files/wpad.json
--- a/feeds/hostapd/hostapd/files/wpad_acl.json
+++ b/feeds/hostapd/hostapd/files/wpad_acl.json
@@ -0,0 +1,16 @@
 {
 	"user": "network",
 	"access": {
 		"service": {
 			"methods": [ "event" ]
 		},
 		"wpa_supplicant": {
 			"methods": [ "phy_set_state", "phy_set_macaddr_list", "phy_status" ]
 		},
 		"hostapd": {
 			"methods": [ "apsta_state" ]
 		}
 	},
 	"publish": [ "hostapd", "hostapd.*", "wpa_supplicant", "wpa_supplicant.*" ],
 	"send": [ "bss.*", "wps_credentials" ]
 }
--- a/feeds/hostapd/hostapd/files/wps-hotplug.sh
+++ b/feeds/hostapd/hostapd/files/wps-hotplug.sh
@@ -0,0 +1,69 @@
 #!/bin/sh
 wps_catch_credentials() {
 	local iface ifaces ifc ifname ssid encryption key radio radios
 	local found=0
 	. /usr/share/libubox/jshn.sh
 	ubus -S -t 30 listen wps_credentials | while read creds; do
 		json_init
 		json_load "$creds"
 		json_select wps_credentials || continue
 		json_get_vars ifname ssid key encryption
 		local ifcname="$ifname"
 		json_init
 		json_load "$(ubus -S call network.wireless status)"
 		json_get_keys radios
 		for radio in $radios; do
 			json_select $radio
 			json_select interfaces
 			json_get_keys ifaces
 			for ifc in $ifaces; do
 				json_select $ifc
 				json_get_vars ifname
 				[ "$ifname" = "$ifcname" ] && {
 					ubus -S call uci set "{\"config\":\"wireless\", \"type\":\"wifi-iface\",		\
 								\"match\": { \"device\": \"$radio\", \"encryption\": \"wps\" },	\
 								\"values\": { \"encryption\": \"$encryption\", 			\
 										\"ssid\": \"$ssid\", 				\
 										\"key\": \"$key\" } }"
 					ubus -S call uci commit '{"config": "wireless"}'
 					ubus -S call uci apply
 				}
 				json_select ..
 			done
 			json_select ..
 			json_select ..
 		done
 	done
 }
 if [ "$ACTION" = "released" ] && [ "$BUTTON" = "wps" ]; then
 	# If the button was pressed for 3 seconds or more, trigger WPS on
 	# wpa_supplicant only, no matter if hostapd is running or not.  If
 	# was pressed for less than 3 seconds, try triggering on
 	# hostapd. If there is no hostapd instance to trigger it on or WPS
 	# is not enabled on them, trigger it on wpa_supplicant.
 	if [ "$SEEN" -lt 3 ] ; then
 		wps_done=0
 		ubusobjs="$( ubus -S list hostapd.* )"
 		for ubusobj in $ubusobjs; do
 			ubus -S call $ubusobj wps_start && wps_done=1
 		done
 		[ $wps_done = 0 ] || return 0
 	fi
 	wps_done=0
 	ubusobjs="$( ubus -S list wpa_supplicant.* )"
 	for ubusobj in $ubusobjs; do
 		ifname="$(echo $ubusobj | cut -d'.' -f2 )"
 		multi_ap=""
 		if [ -e "/var/run/wpa_supplicant-${ifname}.conf.is_multiap" ]; then
 			ubus -S call $ubusobj wps_start '{ "multi_ap": true }' && wps_done=1
 		else
 			ubus -S call $ubusobj wps_start && wps_done=1
 		fi
 	done
 	[ $wps_done = 0 ] || wps_catch_credentials &
 fi
 return 0
--- a/feeds/hostapd/hostapd/patches/001-wolfssl-init-RNG-with-ECC-key.patch
+++ b/feeds/hostapd/hostapd/patches/001-wolfssl-init-RNG-with-ECC-key.patch
@@ -0,0 +1,43 @@
 From 21ce83b4ae2b9563175fdb4fc4312096cc399cf8 Mon Sep 17 00:00:00 2001
 From: David Bauer <mail@david-bauer.net>
 Date: Wed, 5 May 2021 00:44:34 +0200
 Subject: [PATCH] wolfssl: add RNG to EC key
 Since upstream commit 6467de5a8840 ("Randomize z ordinates in
 scalar mult when timing resistant") WolfSSL requires a RNG for
 the EC key when built hardened which is the default.
 Set the RNG for the EC key to fix connections for OWE clients.
 Signed-off-by: David Bauer <mail@david-bauer.net>
 ---
 src/crypto/crypto_wolfssl.c | 4 ++++
 1 file changed, 4 insertions(+)
 --- a/src/crypto/crypto_wolfssl.c
 +++ b/src/crypto/crypto_wolfssl.c
@@ -1340,6 +1340,7 @@ int ecc_projective_add_point(ecc_point *
 struct crypto_ec {
 	ecc_key key;
 +	WC_RNG rng;
 	mp_int a;
 	mp_int prime;
 	mp_int order;
@@ -1394,6 +1395,8 @@ struct crypto_ec * crypto_ec_init(int gr
 		return NULL;
 	if (wc_ecc_init(&e->key) != 0 ||
 +	    wc_InitRng(&e->rng) != 0 ||
 +	    wc_ecc_set_rng(&e->key, &e->rng) != 0 ||
 	    wc_ecc_set_curve(&e->key, 0, curve_id) != 0 ||
 	    mp_init(&e->a) != MP_OKAY ||
 	    mp_init(&e->prime) != MP_OKAY ||
@@ -1425,6 +1428,7 @@ void crypto_ec_deinit(struct crypto_ec*
 	mp_clear(&e->order);
 	mp_clear(&e->prime);
 	mp_clear(&e->a);
 +	wc_FreeRng(&e->rng);
 	wc_ecc_free(&e->key);
 	os_free(e);
 }
--- a/feeds/hostapd/hostapd/patches/010-mesh-Allow-DFS-channels-to-be-selected-if-dfs-is-ena.patch
+++ b/feeds/hostapd/hostapd/patches/010-mesh-Allow-DFS-channels-to-be-selected-if-dfs-is-ena.patch
@@ -0,0 +1,135 @@
 From 8de8cd8380af0c43d4fde67a668d79ef73b26b26 Mon Sep 17 00:00:00 2001
 From: Peter Oh <peter.oh@bowerswilkins.com>
 Date: Tue, 30 Jun 2020 14:18:58 +0200
 Subject: [PATCH 10/19] mesh: Allow DFS channels to be selected if dfs is
 enabled
 Note: DFS is assumed to be usable if a country code has been set
 Signed-off-by: Benjamin Berg <benjamin@sipsolutions.net>
 Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
 ---
 wpa_supplicant/wpa_supplicant.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)
 --- a/wpa_supplicant/wpa_supplicant.c
 +++ b/wpa_supplicant/wpa_supplicant.c
@@ -2638,7 +2638,7 @@ static int drv_supports_vht(struct wpa_s
 }
 -static bool ibss_mesh_is_80mhz_avail(int channel, struct hostapd_hw_modes *mode)
 +static bool ibss_mesh_is_80mhz_avail(int channel, struct hostapd_hw_modes *mode, bool dfs_enabled)
 {
 	int i;
@@ -2647,7 +2647,10 @@ static bool ibss_mesh_is_80mhz_avail(int
 		chan = hw_get_channel_chan(mode, i, NULL);
 		if (!chan ||
 -		    chan->flag & (HOSTAPD_CHAN_DISABLED | HOSTAPD_CHAN_NO_IR))
 +		    chan->flag & HOSTAPD_CHAN_DISABLED)
 +			return false;
 +		
 +		if (!dfs_enabled && chan->flag & (HOSTAPD_CHAN_RADAR | HOSTAPD_CHAN_NO_IR))
 			return false;
 	}
@@ -2774,7 +2777,7 @@ static void ibss_mesh_select_40mhz(struc
 				   const struct wpa_ssid *ssid,
 				   struct hostapd_hw_modes *mode,
 				   struct hostapd_freq_params *freq,
 -				   int obss_scan) {
 +				   int obss_scan, bool dfs_enabled) {
 	int chan_idx;
 	struct hostapd_channel_data *pri_chan = NULL, *sec_chan = NULL;
 	int i, res;
@@ -2798,8 +2801,11 @@ static void ibss_mesh_select_40mhz(struc
 		return;
 	/* Check primary channel flags */
 -	if (pri_chan->flag & (HOSTAPD_CHAN_DISABLED | HOSTAPD_CHAN_NO_IR))
 +	if (pri_chan->flag & HOSTAPD_CHAN_DISABLED)
 		return;
 +	if (pri_chan->flag & (HOSTAPD_CHAN_RADAR | HOSTAPD_CHAN_NO_IR))
 +		if (!dfs_enabled)
 +			return;
 #ifdef CONFIG_HT_OVERRIDES
 	if (ssid->disable_ht40)
@@ -2825,8 +2831,11 @@ static void ibss_mesh_select_40mhz(struc
 		return;
 	/* Check secondary channel flags */
 -	if (sec_chan->flag & (HOSTAPD_CHAN_DISABLED | HOSTAPD_CHAN_NO_IR))
 +	if (sec_chan->flag & HOSTAPD_CHAN_DISABLED)
 		return;
 +	if (sec_chan->flag & (HOSTAPD_CHAN_RADAR | HOSTAPD_CHAN_NO_IR))
 +		if (!dfs_enabled)
 +			return;
 	if (ht40 == -1) {
 		if (!(pri_chan->flag & HOSTAPD_CHAN_HT40MINUS))
@@ -2880,7 +2889,7 @@ static bool ibss_mesh_select_80_160mhz(s
 				       const struct wpa_ssid *ssid,
 				       struct hostapd_hw_modes *mode,
 				       struct hostapd_freq_params *freq,
 -				       int ieee80211_mode, bool is_6ghz) {
 +				       int ieee80211_mode, bool is_6ghz, bool dfs_enabled) {
 	static const int bw80[] = {
 		5180, 5260, 5500, 5580, 5660, 5745, 5825,
 		5955, 6035, 6115, 6195, 6275, 6355, 6435,
@@ -2925,7 +2934,7 @@ static bool ibss_mesh_select_80_160mhz(s
 		goto skip_80mhz;
 	/* Use 40 MHz if channel not usable */
 -	if (!ibss_mesh_is_80mhz_avail(channel, mode))
 +	if (!ibss_mesh_is_80mhz_avail(channel, mode, dfs_enabled))
 		goto skip_80mhz;
 	chwidth = CONF_OPER_CHWIDTH_80MHZ;
@@ -2939,7 +2948,7 @@ static bool ibss_mesh_select_80_160mhz(s
 	if ((mode->he_capab[ieee80211_mode].phy_cap[
 		     HE_PHYCAP_CHANNEL_WIDTH_SET_IDX] &
 	     HE_PHYCAP_CHANNEL_WIDTH_SET_160MHZ_IN_5G) && is_6ghz &&
 -	    ibss_mesh_is_80mhz_avail(channel + 16, mode)) {
 +	    ibss_mesh_is_80mhz_avail(channel + 16, mode, dfs_enabled)) {
 		for (j = 0; j < ARRAY_SIZE(bw160); j++) {
 			if (freq->freq == bw160[j]) {
 				chwidth = CONF_OPER_CHWIDTH_160MHZ;
@@ -2967,10 +2976,12 @@ static bool ibss_mesh_select_80_160mhz(s
 				if (!chan)
 					continue;
 -				if (chan->flag & (HOSTAPD_CHAN_DISABLED |
 -						  HOSTAPD_CHAN_NO_IR |
 -						  HOSTAPD_CHAN_RADAR))
 +				if (chan->flag & HOSTAPD_CHAN_DISABLED)
 					continue;
 +				if (chan->flag & (HOSTAPD_CHAN_RADAR |
 +						  HOSTAPD_CHAN_NO_IR))
 +					if (!dfs_enabled)
 +						continue;
 				/* Found a suitable second segment for 80+80 */
 				chwidth = CONF_OPER_CHWIDTH_80P80MHZ;
@@ -3025,6 +3036,7 @@ void ibss_mesh_setup_freq(struct wpa_sup
 	int i, obss_scan = 1;
 	u8 channel;
 	bool is_6ghz;
 +	bool dfs_enabled = wpa_s->conf->country[0] && (wpa_s->drv_flags & WPA_DRIVER_FLAGS_RADAR);
 	freq->freq = ssid->frequency;
@@ -3070,9 +3082,9 @@ void ibss_mesh_setup_freq(struct wpa_sup
 	freq->channel = channel;
 	/* Setup higher BW only for 5 GHz */
 	if (mode->mode == HOSTAPD_MODE_IEEE80211A) {
 -		ibss_mesh_select_40mhz(wpa_s, ssid, mode, freq, obss_scan);
 +		ibss_mesh_select_40mhz(wpa_s, ssid, mode, freq, obss_scan, dfs_enabled);
 		if (!ibss_mesh_select_80_160mhz(wpa_s, ssid, mode, freq,
 -						ieee80211_mode, is_6ghz))
 +						ieee80211_mode, is_6ghz, dfs_enabled))
 			freq->he_enabled = freq->vht_enabled = false;
 	}
--- a/feeds/hostapd/hostapd/patches/011-mesh-use-deterministic-channel-on-channel-switch.patch
+++ b/feeds/hostapd/hostapd/patches/011-mesh-use-deterministic-channel-on-channel-switch.patch
@@ -0,0 +1,81 @@
 From fc8ea40f6130ac18d9c66797de2cf1d5af55d496 Mon Sep 17 00:00:00 2001
 From: Markus Theil <markus.theil@tu-ilmenau.de>
 Date: Tue, 30 Jun 2020 14:19:07 +0200
 Subject: [PATCH 19/19] mesh: use deterministic channel on channel switch
 This patch uses a deterministic channel on DFS channel switch
 in mesh networks. Otherwise, when switching to a usable but not
 available channel, no CSA can be sent and a random channel is choosen
 without notification of other nodes. It is then quite likely, that
 the mesh network gets disconnected.
 Fix this by using a deterministic number, based on the sha256 hash
 of the mesh ID, in order to use at least a different number in each
 mesh network.
 Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
 ---
 src/ap/dfs.c                 | 20 +++++++++++++++++++-
 src/drivers/driver_nl80211.c |  4 ++++
 2 files changed, 23 insertions(+), 1 deletion(-)
 --- a/src/ap/dfs.c
 +++ b/src/ap/dfs.c
@@ -17,6 +17,7 @@
 #include "ap_drv_ops.h"
 #include "drivers/driver.h"
 #include "dfs.h"
 +#include "crypto/crypto.h"
 enum dfs_channel_type {
@@ -526,9 +527,14 @@ dfs_get_valid_channel(struct hostapd_ifa
 	int num_available_chandefs;
 	int chan_idx, chan_idx2;
 	int sec_chan_idx_80p80 = -1;
 +	bool is_mesh = false;
 	int i;
 	u32 _rand;
 +#ifdef CONFIG_MESH
 +	is_mesh = iface->mconf;
 +#endif
 +
 	wpa_printf(MSG_DEBUG, "DFS: Selecting random channel");
 	*secondary_channel = 0;
 	*oper_centr_freq_seg0_idx = 0;
@@ -548,8 +554,20 @@ dfs_get_valid_channel(struct hostapd_ifa
 	if (num_available_chandefs == 0)
 		return NULL;
 -	if (os_get_random((u8 *) &_rand, sizeof(_rand)) < 0)
 +	/* try to use deterministic channel in mesh, so that both sides
 +	 * have a chance to switch to the same channel */
 +	if (is_mesh) {
 +#ifdef CONFIG_MESH
 +		u64 hash[4];
 +		const u8 *meshid[1] = { &iface->mconf->meshid[0] };
 +		const size_t meshid_len = iface->mconf->meshid_len;
 +
 +		sha256_vector(1, meshid, &meshid_len, (u8 *)&hash[0]);
 +		_rand = hash[0] + hash[1] + hash[2] + hash[3];
 +#endif
 +	} else if (os_get_random((u8 *) &_rand, sizeof(_rand)) < 0)
 		return NULL;
 +
 	chan_idx = _rand % num_available_chandefs;
 	dfs_find_channel(iface, &chan, chan_idx, type);
 	if (!chan) {
 --- a/src/drivers/driver_nl80211.c
 +++ b/src/drivers/driver_nl80211.c
@@ -11017,6 +11017,10 @@ static int nl80211_switch_channel(void *
 	if (ret)
 		goto error;
 +	if (drv->nlmode == NL80211_IFTYPE_MESH_POINT) {
 +		nla_put_flag(msg, NL80211_ATTR_HANDLE_DFS);
 +	}
 +
 	/* beacon_csa params */
 	beacon_csa = nla_nest_start(msg, NL80211_ATTR_CSA_IES);
 	if (!beacon_csa)
--- a/feeds/hostapd/hostapd/patches/021-fix-sta-add-after-previous-connection.patch
+++ b/feeds/hostapd/hostapd/patches/021-fix-sta-add-after-previous-connection.patch
@@ -0,0 +1,26 @@
 --- a/src/ap/ieee802_11.c
 +++ b/src/ap/ieee802_11.c
@@ -4621,6 +4621,13 @@ static int add_associated_sta(struct hos
 	 * drivers to accept the STA parameter configuration. Since this is
 	 * after a new FT-over-DS exchange, a new TK has been derived, so key
 	 * reinstallation is not a concern for this case.
 +	 *
 +	 * If the STA was associated and authorized earlier, but came for a new
 +	 * connection (!added_unassoc + !reassoc), remove the existing STA entry
 +	 * so that it can be re-added. This case is rarely seen when the AP could
 +	 * not receive the deauth/disassoc frame from the STA. And the STA comes
 +	 * back with new connection within a short period or before the inactive
 +	 * STA entry is removed from the list.
 	 */
 	wpa_printf(MSG_DEBUG, "Add associated STA " MACSTR
 		   " (added_unassoc=%d auth_alg=%u ft_over_ds=%u reassoc=%d authorized=%d ft_tk=%d fils_tk=%d)",
@@ -4634,7 +4641,8 @@ static int add_associated_sta(struct hos
 	    (!(sta->flags & WLAN_STA_AUTHORIZED) ||
 	     (reassoc && sta->ft_over_ds && sta->auth_alg == WLAN_AUTH_FT) ||
 	     (!wpa_auth_sta_ft_tk_already_set(sta->wpa_sm) &&
 -	      !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)))) {
 +	      !wpa_auth_sta_fils_tk_already_set(sta->wpa_sm)) ||
 +	     (!reassoc && (sta->flags & WLAN_STA_AUTHORIZED)))) {
 		hostapd_drv_sta_remove(hapd, sta->addr);
 		wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
 		set = 0;
--- a/feeds/hostapd/hostapd/patches/022-hostapd-fix-use-of-uninitialized-stack-variables.patch
+++ b/feeds/hostapd/hostapd/patches/022-hostapd-fix-use-of-uninitialized-stack-variables.patch
@@ -0,0 +1,25 @@
 From: Felix Fietkau <nbd@nbd.name>
 Date: Thu, 8 Jul 2021 16:33:03 +0200
 Subject: [PATCH] hostapd: fix use of uninitialized stack variables
 When a CSA is performed on an 80 MHz channel, hostapd_change_config_freq
 unconditionally calls hostapd_set_oper_centr_freq_seg0/1_idx with seg0/1
 filled by ieee80211_freq_to_chan.
 However, if ieee80211_freq_to_chan fails (because the freq is 0 or invalid),
 seg0/1 remains uninitialized and filled with stack garbage, causing errors
 such as "hostapd: 80 MHz: center segment 1 configured"
 Signed-off-by: Felix Fietkau <nbd@nbd.name>
 ---
 --- a/src/ap/hostapd.c
 +++ b/src/ap/hostapd.c
@@ -3764,7 +3764,7 @@ static int hostapd_change_config_freq(st
 				      struct hostapd_freq_params *old_params)
 {
 	int channel;
 -	u8 seg0, seg1;
 +	u8 seg0 = 0, seg1 = 0;
 	struct hostapd_hw_modes *mode;
 	if (!params->channel) {
--- a/feeds/hostapd/hostapd/patches/023-ndisc_snoop-call-dl_list_del-before-freeing-ipv6-add.patch
+++ b/feeds/hostapd/hostapd/patches/023-ndisc_snoop-call-dl_list_del-before-freeing-ipv6-add.patch
--- a/feeds/hostapd/hostapd/patches/030-driver_nl80211-rewrite-neigh-code-to-not-depend-on-l.patch
+++ b/feeds/hostapd/hostapd/patches/030-driver_nl80211-rewrite-neigh-code-to-not-depend-on-l.patch
@@ -0,0 +1,275 @@
 From: Felix Fietkau <nbd@nbd.name>
 Date: Wed, 28 Jul 2021 05:49:46 +0200
 Subject: [PATCH] driver_nl80211: rewrite neigh code to not depend on
 libnl3-route
 Removes an unnecessary dependency and also makes the code smaller
 Signed-off-by: Felix Fietkau <nbd@nbd.name>
 ---
 --- a/src/drivers/driver_nl80211.c
 +++ b/src/drivers/driver_nl80211.c
@@ -16,9 +16,6 @@
 #include <net/if.h>
 #include <netlink/genl/genl.h>
 #include <netlink/genl/ctrl.h>
 -#ifdef CONFIG_LIBNL3_ROUTE
 -#include <netlink/route/neighbour.h>
 -#endif /* CONFIG_LIBNL3_ROUTE */
 #include <linux/rtnetlink.h>
 #include <netpacket/packet.h>
 #include <linux/errqueue.h>
@@ -5783,26 +5780,29 @@ fail:
 static void rtnl_neigh_delete_fdb_entry(struct i802_bss *bss, const u8 *addr)
 {
 -#ifdef CONFIG_LIBNL3_ROUTE
 	struct wpa_driver_nl80211_data *drv = bss->drv;
 -	struct rtnl_neigh *rn;
 -	struct nl_addr *nl_addr;
 +	struct ndmsg nhdr = {
 +		.ndm_state = NUD_PERMANENT,
 +		.ndm_ifindex = bss->ifindex,
 +		.ndm_family = AF_BRIDGE,
 +	};
 +	struct nl_msg *msg;
 	int err;
 -	rn = rtnl_neigh_alloc();
 -	if (!rn)
 +	msg = nlmsg_alloc_simple(RTM_DELNEIGH, NLM_F_CREATE);
 +	if (!msg)
 		return;
 -	rtnl_neigh_set_family(rn, AF_BRIDGE);
 -	rtnl_neigh_set_ifindex(rn, bss->ifindex);
 -	nl_addr = nl_addr_build(AF_BRIDGE, (void *) addr, ETH_ALEN);
 -	if (!nl_addr) {
 -		rtnl_neigh_put(rn);
 -		return;
 -	}
 -	rtnl_neigh_set_lladdr(rn, nl_addr);
 +	if (nlmsg_append(msg, &nhdr, sizeof(nhdr), NLMSG_ALIGNTO) < 0)
 +		goto errout;
 +
 +	if (nla_put(msg, NDA_LLADDR, ETH_ALEN, (void *)addr))
 +		goto errout;
 +
 +	if (nl_send_auto_complete(drv->rtnl_sk, msg) < 0)
 +		goto errout;
 -	err = rtnl_neigh_delete(drv->rtnl_sk, rn, 0);
 +	err = nl_wait_for_ack(drv->rtnl_sk);
 	if (err < 0) {
 		wpa_printf(MSG_DEBUG, "nl80211: bridge FDB entry delete for "
 			   MACSTR " ifindex=%d failed: %s", MAC2STR(addr),
@@ -5812,9 +5812,8 @@ static void rtnl_neigh_delete_fdb_entry(
 			   MACSTR, MAC2STR(addr));
 	}
 -	nl_addr_put(nl_addr);
 -	rtnl_neigh_put(rn);
 -#endif /* CONFIG_LIBNL3_ROUTE */
 +errout:
 +	nlmsg_free(msg);
 }
@@ -8492,7 +8491,6 @@ static void *i802_init(struct hostapd_da
 	    (params->num_bridge == 0 || !params->bridge[0]))
 		add_ifidx(drv, br_ifindex, drv->ifindex);
 -#ifdef CONFIG_LIBNL3_ROUTE
 	if (bss->added_if_into_bridge || bss->already_in_bridge) {
 		int err;
@@ -8509,7 +8507,6 @@ static void *i802_init(struct hostapd_da
 			goto failed;
 		}
 	}
 -#endif /* CONFIG_LIBNL3_ROUTE */
 	if (drv->capa.flags2 & WPA_DRIVER_FLAGS2_CONTROL_PORT_RX) {
 		wpa_printf(MSG_DEBUG,
@@ -11883,13 +11880,14 @@ static int wpa_driver_br_add_ip_neigh(vo
 				      const u8 *ipaddr, int prefixlen,
 				      const u8 *addr)
 {
 -#ifdef CONFIG_LIBNL3_ROUTE
 	struct i802_bss *bss = priv;
 	struct wpa_driver_nl80211_data *drv = bss->drv;
 -	struct rtnl_neigh *rn;
 -	struct nl_addr *nl_ipaddr = NULL;
 -	struct nl_addr *nl_lladdr = NULL;
 -	int family, addrsize;
 +	struct ndmsg nhdr = {
 +		.ndm_state = NUD_PERMANENT,
 +		.ndm_ifindex = bss->br_ifindex,
 +	};
 +	struct nl_msg *msg;
 +	int addrsize;
 	int res;
 	if (!ipaddr || prefixlen == 0 || !addr)
@@ -11908,85 +11906,66 @@ static int wpa_driver_br_add_ip_neigh(vo
 	}
 	if (version == 4) {
 -		family = AF_INET;
 +		nhdr.ndm_family = AF_INET;
 		addrsize = 4;
 	} else if (version == 6) {
 -		family = AF_INET6;
 +		nhdr.ndm_family = AF_INET6;
 		addrsize = 16;
 	} else {
 		return -EINVAL;
 	}
 -	rn = rtnl_neigh_alloc();
 -	if (rn == NULL)
 +	msg = nlmsg_alloc_simple(RTM_NEWNEIGH, NLM_F_CREATE);
 +	if (!msg)
 		return -ENOMEM;
 -	/* set the destination ip address for neigh */
 -	nl_ipaddr = nl_addr_build(family, (void *) ipaddr, addrsize);
 -	if (nl_ipaddr == NULL) {
 -		wpa_printf(MSG_DEBUG, "nl80211: nl_ipaddr build failed");
 -		res = -ENOMEM;
 +	res = -ENOMEM;
 +	if (nlmsg_append(msg, &nhdr, sizeof(nhdr), NLMSG_ALIGNTO) < 0)
 		goto errout;
 -	}
 -	nl_addr_set_prefixlen(nl_ipaddr, prefixlen);
 -	res = rtnl_neigh_set_dst(rn, nl_ipaddr);
 -	if (res) {
 -		wpa_printf(MSG_DEBUG,
 -			   "nl80211: neigh set destination addr failed");
 +
 +	if (nla_put(msg, NDA_DST, addrsize, (void *)ipaddr))
 		goto errout;
 -	}
 -	/* set the corresponding lladdr for neigh */
 -	nl_lladdr = nl_addr_build(AF_BRIDGE, (u8 *) addr, ETH_ALEN);
 -	if (nl_lladdr == NULL) {
 -		wpa_printf(MSG_DEBUG, "nl80211: neigh set lladdr failed");
 -		res = -ENOMEM;
 +	if (nla_put(msg, NDA_LLADDR, ETH_ALEN, (void *)addr))
 		goto errout;
 -	}
 -	rtnl_neigh_set_lladdr(rn, nl_lladdr);
 -	rtnl_neigh_set_ifindex(rn, bss->br_ifindex);
 -	rtnl_neigh_set_state(rn, NUD_PERMANENT);
 +	res = nl_send_auto_complete(drv->rtnl_sk, msg);
 +	if (res < 0)
 +		goto errout;
 -	res = rtnl_neigh_add(drv->rtnl_sk, rn, NLM_F_CREATE);
 +	res = nl_wait_for_ack(drv->rtnl_sk);
 	if (res) {
 		wpa_printf(MSG_DEBUG,
 			   "nl80211: Adding bridge ip neigh failed: %s",
 			   nl_geterror(res));
 	}
 errout:
 -	if (nl_lladdr)
 -		nl_addr_put(nl_lladdr);
 -	if (nl_ipaddr)
 -		nl_addr_put(nl_ipaddr);
 -	if (rn)
 -		rtnl_neigh_put(rn);
 +	nlmsg_free(msg);
 	return res;
 -#else /* CONFIG_LIBNL3_ROUTE */
 -	return -1;
 -#endif /* CONFIG_LIBNL3_ROUTE */
 }
 static int wpa_driver_br_delete_ip_neigh(void *priv, u8 version,
 					 const u8 *ipaddr)
 {
 -#ifdef CONFIG_LIBNL3_ROUTE
 	struct i802_bss *bss = priv;
 	struct wpa_driver_nl80211_data *drv = bss->drv;
 -	struct rtnl_neigh *rn;
 -	struct nl_addr *nl_ipaddr;
 -	int family, addrsize;
 +	struct ndmsg nhdr = {
 +		.ndm_state = NUD_PERMANENT,
 +		.ndm_ifindex = bss->br_ifindex,
 +	};
 +	struct nl_msg *msg;
 +	int addrsize;
 	int res;
 	if (!ipaddr)
 		return -EINVAL;
 	if (version == 4) {
 -		family = AF_INET;
 +		nhdr.ndm_family = AF_INET;
 		addrsize = 4;
 	} else if (version == 6) {
 -		family = AF_INET6;
 +		nhdr.ndm_family = AF_INET6;
 		addrsize = 16;
 	} else {
 		return -EINVAL;
@@ -12004,41 +11983,30 @@ static int wpa_driver_br_delete_ip_neigh
 		return -1;
 	}
 -	rn = rtnl_neigh_alloc();
 -	if (rn == NULL)
 +	msg = nlmsg_alloc_simple(RTM_DELNEIGH, NLM_F_CREATE);
 +	if (!msg)
 		return -ENOMEM;
 -	/* set the destination ip address for neigh */
 -	nl_ipaddr = nl_addr_build(family, (void *) ipaddr, addrsize);
 -	if (nl_ipaddr == NULL) {
 -		wpa_printf(MSG_DEBUG, "nl80211: nl_ipaddr build failed");
 -		res = -ENOMEM;
 +	res = -ENOMEM;
 +	if (nlmsg_append(msg, &nhdr, sizeof(nhdr), NLMSG_ALIGNTO) < 0)
 		goto errout;
 -	}
 -	res = rtnl_neigh_set_dst(rn, nl_ipaddr);
 -	if (res) {
 -		wpa_printf(MSG_DEBUG,
 -			   "nl80211: neigh set destination addr failed");
 +
 +	if (nla_put(msg, NDA_DST, addrsize, (void *)ipaddr))
 		goto errout;
 -	}
 -	rtnl_neigh_set_ifindex(rn, bss->br_ifindex);
 +	res = nl_send_auto_complete(drv->rtnl_sk, msg);
 +	if (res < 0)
 +		goto errout;
 -	res = rtnl_neigh_delete(drv->rtnl_sk, rn, 0);
 +	res = nl_wait_for_ack(drv->rtnl_sk);
 	if (res) {
 		wpa_printf(MSG_DEBUG,
 			   "nl80211: Deleting bridge ip neigh failed: %s",
 			   nl_geterror(res));
 	}
 errout:
 -	if (nl_ipaddr)
 -		nl_addr_put(nl_ipaddr);
 -	if (rn)
 -		rtnl_neigh_put(rn);
 +	nlmsg_free(msg);
 	return res;
 -#else /* CONFIG_LIBNL3_ROUTE */
 -	return -1;
 -#endif /* CONFIG_LIBNL3_ROUTE */
 }
--- a/feeds/hostapd/hostapd/patches/040-mesh-allow-processing-authentication-frames-in-block.patch
+++ b/feeds/hostapd/hostapd/patches/040-mesh-allow-processing-authentication-frames-in-block.patch
@@ -0,0 +1,34 @@
 From: Felix Fietkau <nbd@nbd.name>
 Date: Mon, 18 Feb 2019 12:57:11 +0100
 Subject: [PATCH] mesh: allow processing authentication frames in blocked state
 If authentication fails repeatedly e.g. because of a weak signal, the link
 can end up in blocked state. If one of the nodes tries to establish a link
 again before it is unblocked on the other side, it will block the link to
 that other side. The same happens on the other side when it unblocks the
 link. In that scenario, the link never recovers on its own.
 To fix this, allow restarting authentication even if the link is in blocked
 state, but don't initiate the attempt until the blocked period is over.
 Signed-off-by: Felix Fietkau <nbd@nbd.name>
 ---
 --- a/src/ap/ieee802_11.c
 +++ b/src/ap/ieee802_11.c
@@ -3020,15 +3020,6 @@ static void handle_auth(struct hostapd_d
 				       seq_ctrl);
 			return;
 		}
 -#ifdef CONFIG_MESH
 -		if ((hapd->conf->mesh & MESH_ENABLED) &&
 -		    sta->plink_state == PLINK_BLOCKED) {
 -			wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
 -				   " is blocked - drop Authentication frame",
 -				   MAC2STR(sa));
 -			return;
 -		}
 -#endif /* CONFIG_MESH */
 #ifdef CONFIG_PASN
 		if (auth_alg == WLAN_AUTH_PASN &&
 		    (sta->flags & WLAN_STA_ASSOC)) {
--- a/feeds/hostapd/hostapd/patches/050-build_fix.patch
+++ b/feeds/hostapd/hostapd/patches/050-build_fix.patch
@@ -0,0 +1,20 @@
 --- a/hostapd/Makefile
 +++ b/hostapd/Makefile
@@ -324,6 +324,7 @@ ifdef CONFIG_FILS
 CFLAGS += -DCONFIG_FILS
 OBJS += ../src/ap/fils_hlp.o
 NEED_SHA384=y
 +NEED_HMAC_SHA384_KDF=y
 NEED_AES_SIV=y
 ifdef CONFIG_FILS_SK_PFS
 CFLAGS += -DCONFIG_FILS_SK_PFS
 --- a/wpa_supplicant/Makefile
 +++ b/wpa_supplicant/Makefile
@@ -331,6 +331,7 @@ endif
 ifdef CONFIG_FILS
 CFLAGS += -DCONFIG_FILS
 NEED_SHA384=y
 +NEED_HMAC_SHA384_KDF=y
 NEED_AES_SIV=y
 ifdef CONFIG_FILS_SK_PFS
 CFLAGS += -DCONFIG_FILS_SK_PFS
--- a/feeds/hostapd/hostapd/patches/110-mbedtls-TLS-crypto-option-initial-port.patch
+++ b/feeds/hostapd/hostapd/patches/110-mbedtls-TLS-crypto-option-initial-port.patch
--- a/feeds/hostapd/hostapd/patches/120-mbedtls-fips186_2_prf.patch
+++ b/feeds/hostapd/hostapd/patches/120-mbedtls-fips186_2_prf.patch
@@ -0,0 +1,114 @@
 From c8dba4bd750269bcc80fed3d546e2077cb4cdf0e Mon Sep 17 00:00:00 2001
 From: Glenn Strauss <gstrauss@gluelogic.com>
 Date: Tue, 19 Jul 2022 20:02:21 -0400
 Subject: [PATCH 2/7] mbedtls: fips186_2_prf()
 Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
 ---
 hostapd/Makefile            |  4 ---
 src/crypto/crypto_mbedtls.c | 60 +++++++++++++++++++++++++++++++++++++
 wpa_supplicant/Makefile     |  4 ---
 3 files changed, 60 insertions(+), 8 deletions(-)
 --- a/hostapd/Makefile
 +++ b/hostapd/Makefile
@@ -759,10 +759,6 @@ endif
 OBJS += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
 HOBJS += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
 SOBJS += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
 -ifdef NEED_FIPS186_2_PRF
 -OBJS += ../src/crypto/fips_prf_internal.o
 -SHA1OBJS += ../src/crypto/sha1-internal.o
 -endif
 ifeq ($(CONFIG_CRYPTO), mbedtls)
 ifdef CONFIG_DPP
 LIBS += -lmbedx509
 --- a/src/crypto/crypto_mbedtls.c
 +++ b/src/crypto/crypto_mbedtls.c
@@ -132,6 +132,12 @@
 #define CRYPTO_MBEDTLS_HMAC_KDF_SHA512
 #endif
 +#if defined(EAP_SIM) || defined(EAP_SIM_DYNAMIC) || defined(EAP_SERVER_SIM) \
 + || defined(EAP_AKA) || defined(EAP_AKA_DYNAMIC) || defined(EAP_SERVER_AKA)
 +/* EAP_SIM=y EAP_AKA=y */
 +#define CRYPTO_MBEDTLS_FIPS186_2_PRF
 +#endif
 +
 #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST) \
  || defined(EAP_TEAP) || defined(EAP_TEAP_DYNAMIC) || defined(EAP_SERVER_FAST)
 #define CRYPTO_MBEDTLS_SHA1_T_PRF
@@ -813,6 +819,60 @@ int sha1_t_prf(const u8 *key, size_t key
 #endif /* CRYPTO_MBEDTLS_SHA1_T_PRF */
 +#ifdef CRYPTO_MBEDTLS_FIPS186_2_PRF
 +
 +/* fips_prf_internal.c sha1-internal.c */
 +
 +/* used only by src/eap_common/eap_sim_common.c:eap_sim_prf()
 + * for eap_sim_derive_keys() and eap_sim_derive_keys_reauth()
 + * where xlen is 160 */
 +
 +int fips186_2_prf(const u8 *seed, size_t seed_len, u8 *x, size_t xlen)
 +{
 +	/* FIPS 186-2 + change notice 1 */
 +
 +	mbedtls_sha1_context ctx;
 +	u8 * const xkey = ctx.MBEDTLS_PRIVATE(buffer);
 +	u32 * const xstate = ctx.MBEDTLS_PRIVATE(state);
 +	const u32 xstate_init[] =
 +	  { 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0 };
 +
 +	mbedtls_sha1_init(&ctx);
 +	os_memcpy(xkey, seed, seed_len < 64 ? seed_len : 64);
 +
 +	/* note: does not fill extra bytes if (xlen % 20) (SHA1_MAC_LEN) */
 +	for (; xlen >= 20; xlen -= 20) {
 +		/* XSEED_j = 0 */
 +		/* XVAL = (XKEY + XSEED_j) mod 2^b */
 +
 +		/* w_i = G(t, XVAL) */
 +		os_memcpy(xstate, xstate_init, sizeof(xstate_init));
 +		mbedtls_internal_sha1_process(&ctx, xkey);
 +
 +	  #if __BYTE_ORDER == __LITTLE_ENDIAN
 +		xstate[0] = host_to_be32(xstate[0]);
 +		xstate[1] = host_to_be32(xstate[1]);
 +		xstate[2] = host_to_be32(xstate[2]);
 +		xstate[3] = host_to_be32(xstate[3]);
 +		xstate[4] = host_to_be32(xstate[4]);
 +	  #endif
 +		os_memcpy(x, xstate, 20);
 +		if (xlen == 20) /*(done; skip prep for next loop)*/
 +			break;
 +
 +		/* XKEY = (1 + XKEY + w_i) mod 2^b */
 +		for (u32 carry = 1, k = 20; k-- > 0; carry >>= 8)
 +			xkey[k] = (carry += xkey[k] + x[k]) & 0xff;
 +		x += 20;
 +		/* x_j = w_0|w_1 (each pair of iterations through loop)*/
 +	}
 +
 +	mbedtls_sha1_free(&ctx);
 +	return 0;
 +}
 +
 +#endif /* CRYPTO_MBEDTLS_FIPS186_2_PRF */
 +
 #endif /* MBEDTLS_SHA1_C */
 --- a/wpa_supplicant/Makefile
 +++ b/wpa_supplicant/Makefile
@@ -1174,10 +1174,6 @@ endif
 OBJS += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
 OBJS_p += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
 OBJS_priv += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
 -ifdef NEED_FIPS186_2_PRF
 -OBJS += ../src/crypto/fips_prf_internal.o
 -SHA1OBJS += ../src/crypto/sha1-internal.o
 -endif
 ifeq ($(CONFIG_CRYPTO), mbedtls)
 LIBS += -lmbedcrypto
 LIBS_p += -lmbedcrypto
--- a/feeds/hostapd/hostapd/patches/130-mbedtls-annotate-with-TEST_FAIL-for-hwsim-tests.patch
+++ b/feeds/hostapd/hostapd/patches/130-mbedtls-annotate-with-TEST_FAIL-for-hwsim-tests.patch
@@ -0,0 +1,421 @@
 From 31bd19e0e0254b910cccfd3ddc6a6a9222bbcfc0 Mon Sep 17 00:00:00 2001
 From: Glenn Strauss <gstrauss@gluelogic.com>
 Date: Sun, 9 Oct 2022 05:12:17 -0400
 Subject: [PATCH 3/7] mbedtls: annotate with TEST_FAIL() for hwsim tests
 Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
 ---
 src/crypto/crypto_mbedtls.c | 124 ++++++++++++++++++++++++++++++++++++
 1 file changed, 124 insertions(+)
 --- a/src/crypto/crypto_mbedtls.c
 +++ b/src/crypto/crypto_mbedtls.c
@@ -280,6 +280,9 @@ __attribute_noinline__
 static int md_vector(size_t num_elem, const u8 *addr[], const size_t *len,
                      u8 *mac, mbedtls_md_type_t md_type)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	mbedtls_md_context_t ctx;
 	mbedtls_md_init(&ctx);
 	if (mbedtls_md_setup(&ctx, mbedtls_md_info_from_type(md_type), 0) != 0){
@@ -343,6 +346,9 @@ __attribute_noinline__
 static int sha384_512_vector(size_t num_elem, const u8 *addr[],
                              const size_t *len, u8 *mac, int is384)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	struct mbedtls_sha512_context ctx;
 	mbedtls_sha512_init(&ctx);
   #if MBEDTLS_VERSION_MAJOR >= 3
@@ -375,6 +381,9 @@ int sha384_vector(size_t num_elem, const
 #include <mbedtls/sha256.h>
 int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	struct mbedtls_sha256_context ctx;
 	mbedtls_sha256_init(&ctx);
   #if MBEDTLS_VERSION_MAJOR >= 3
@@ -397,6 +406,9 @@ int sha256_vector(size_t num_elem, const
 #include <mbedtls/sha1.h>
 int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	struct mbedtls_sha1_context ctx;
 	mbedtls_sha1_init(&ctx);
   #if MBEDTLS_VERSION_MAJOR >= 3
@@ -419,6 +431,9 @@ int sha1_vector(size_t num_elem, const u
 #include <mbedtls/md5.h>
 int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	struct mbedtls_md5_context ctx;
 	mbedtls_md5_init(&ctx);
   #if MBEDTLS_VERSION_MAJOR >= 3
@@ -441,6 +456,9 @@ int md5_vector(size_t num_elem, const u8
 #include <mbedtls/md4.h>
 int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	struct mbedtls_md4_context ctx;
 	mbedtls_md4_init(&ctx);
 	mbedtls_md4_starts_ret(&ctx);
@@ -460,6 +478,9 @@ static int hmac_vector(const u8 *key, si
                        const u8 *addr[], const size_t *len, u8 *mac,
                        mbedtls_md_type_t md_type)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	mbedtls_md_context_t ctx;
 	mbedtls_md_init(&ctx);
 	if (mbedtls_md_setup(&ctx, mbedtls_md_info_from_type(md_type), 1) != 0){
@@ -571,6 +592,9 @@ static int hmac_kdf_expand(const u8 *prk
                            const char *label, const u8 *info, size_t info_len,
                            u8 *okm, size_t okm_len, mbedtls_md_type_t md_type)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_type);
   #ifdef MBEDTLS_HKDF_C
 	if (label == NULL)  /* RFC 5869 HKDF-Expand when (label == NULL) */
@@ -663,6 +687,9 @@ static int hmac_prf_bits(const u8 *key,
                          const u8 *data, size_t data_len, u8 *buf,
                          size_t buf_len_bits, mbedtls_md_type_t md_type)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	mbedtls_md_context_t ctx;
 	mbedtls_md_init(&ctx);
 	const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_type);
@@ -938,6 +965,9 @@ int pbkdf2_sha1(const char *passphrase,
 static void *aes_crypt_init_mode(const u8 *key, size_t len, int mode)
 {
 +	if (TEST_FAIL())
 +		return NULL;
 +
 	mbedtls_aes_context *aes = os_malloc(sizeof(*aes));
 	if (!aes)
 		return NULL;
@@ -996,6 +1026,9 @@ void aes_decrypt_deinit(void *ctx)
 /* aes-wrap.c */
 int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	mbedtls_nist_kw_context ctx;
 	mbedtls_nist_kw_init(&ctx);
 	size_t olen;
@@ -1010,6 +1043,9 @@ int aes_wrap(const u8 *kek, size_t kek_l
 /* aes-unwrap.c */
 int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher, u8 *plain)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	mbedtls_nist_kw_context ctx;
 	mbedtls_nist_kw_init(&ctx);
 	size_t olen;
@@ -1041,6 +1077,9 @@ int omac1_aes_vector(
     const u8 *key, size_t key_len, size_t num_elem, const u8 *addr[],
     const size_t *len, u8 *mac)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	mbedtls_cipher_type_t cipher_type;
 	switch (key_len) {
 	case 16: cipher_type = MBEDTLS_CIPHER_AES_128_ECB; break;
@@ -1103,6 +1142,9 @@ int omac1_aes_256(const u8 *key, const u
 /* aes-encblock.c */
 int aes_128_encrypt_block(const u8 *key, const u8 *in, u8 *out)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	mbedtls_aes_context aes;
 	mbedtls_aes_init(&aes);
 	int ret = mbedtls_aes_setkey_enc(&aes, key, 128)
@@ -1118,6 +1160,9 @@ int aes_128_encrypt_block(const u8 *key,
 int aes_ctr_encrypt(const u8 *key, size_t key_len, const u8 *nonce,
 		    u8 *data, size_t data_len)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	unsigned char counter[MBEDTLS_AES_BLOCK_SIZE];
 	unsigned char stream_block[MBEDTLS_AES_BLOCK_SIZE];
 	os_memcpy(counter, nonce, MBEDTLS_AES_BLOCK_SIZE);/*(must be writable)*/
@@ -1160,11 +1205,17 @@ static int aes_128_cbc_oper(const u8 *ke
 int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	return aes_128_cbc_oper(key, iv, data, data_len, MBEDTLS_AES_ENCRYPT);
 }
 int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	return aes_128_cbc_oper(key, iv, data, data_len, MBEDTLS_AES_DECRYPT);
 }
@@ -1407,6 +1458,10 @@ int crypto_hash_finish(struct crypto_has
 	}
 	mbedtls_md_free(mctx);
 	os_free(mctx);
 +
 +	if (TEST_FAIL())
 +		return -1;
 +
 	return 0;
 }
@@ -1421,6 +1476,9 @@ int crypto_hash_finish(struct crypto_has
 struct crypto_bignum *crypto_bignum_init(void)
 {
 +	if (TEST_FAIL())
 +		return NULL;
 +
 	mbedtls_mpi *bn = os_malloc(sizeof(*bn));
 	if (bn)
 		mbedtls_mpi_init(bn);
@@ -1429,6 +1487,9 @@ struct crypto_bignum *crypto_bignum_init
 struct crypto_bignum *crypto_bignum_init_set(const u8 *buf, size_t len)
 {
 +	if (TEST_FAIL())
 +		return NULL;
 +
 	mbedtls_mpi *bn = os_malloc(sizeof(*bn));
 	if (bn) {
 		mbedtls_mpi_init(bn);
@@ -1442,6 +1503,9 @@ struct crypto_bignum *crypto_bignum_init
 struct crypto_bignum *crypto_bignum_init_uint(unsigned int val)
 {
 +	if (TEST_FAIL())
 +		return NULL;
 +
   #if 0 /*(hostap use of this interface passes int, not uint)*/
 	val = host_to_be32(val);
 	return crypto_bignum_init_set((const u8 *)&val, sizeof(val));
@@ -1467,6 +1531,9 @@ void crypto_bignum_deinit(struct crypto_
 int crypto_bignum_to_bin(const struct crypto_bignum *a,
 			 u8 *buf, size_t buflen, size_t padlen)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	size_t n = mbedtls_mpi_size((mbedtls_mpi *)a);
 	if (n < padlen)
 		n = padlen;
@@ -1477,6 +1544,9 @@ int crypto_bignum_to_bin(const struct cr
 int crypto_bignum_rand(struct crypto_bignum *r, const struct crypto_bignum *m)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	/*assert(r != m);*//* r must not be same as m for mbedtls_mpi_random()*/
   #if MBEDTLS_VERSION_NUMBER >= 0x021B0000 /* mbedtls 2.27.0 */
 	return mbedtls_mpi_random((mbedtls_mpi *)r, 0, (mbedtls_mpi *)m,
@@ -1513,6 +1583,9 @@ int crypto_bignum_exptmod(const struct c
 			  const struct crypto_bignum *c,
 			  struct crypto_bignum *d)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	/* (check if input params match d; d is the result) */
 	/* (a == d) is ok in current mbedtls implementation */
 	if (b == d || c == d) { /*(not ok; store result in intermediate)*/
@@ -1540,6 +1613,9 @@ int crypto_bignum_inverse(const struct c
 			  const struct crypto_bignum *b,
 			  struct crypto_bignum *c)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	return mbedtls_mpi_inv_mod((mbedtls_mpi *)c,
 				   (const mbedtls_mpi *)a,
 				   (const mbedtls_mpi *)b) ? -1 : 0;
@@ -1549,6 +1625,9 @@ int crypto_bignum_sub(const struct crypt
 		      const struct crypto_bignum *b,
 		      struct crypto_bignum *c)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	return mbedtls_mpi_sub_mpi((mbedtls_mpi *)c,
 				   (const mbedtls_mpi *)a,
 				   (const mbedtls_mpi *)b) ? -1 : 0;
@@ -1558,6 +1637,9 @@ int crypto_bignum_div(const struct crypt
 		      const struct crypto_bignum *b,
 		      struct crypto_bignum *c)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	/*(most current use of this crypto.h interface has a == c (result),
 	 * so store result in an intermediate to avoid overwritten input)*/
 	mbedtls_mpi R;
@@ -1575,6 +1657,9 @@ int crypto_bignum_addmod(const struct cr
 			 const struct crypto_bignum *c,
 			 struct crypto_bignum *d)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	return mbedtls_mpi_add_mpi((mbedtls_mpi *)d,
 				   (const mbedtls_mpi *)a,
 				   (const mbedtls_mpi *)b)
@@ -1588,6 +1673,9 @@ int crypto_bignum_mulmod(const struct cr
 			 const struct crypto_bignum *c,
 			 struct crypto_bignum *d)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	return mbedtls_mpi_mul_mpi((mbedtls_mpi *)d,
 				   (const mbedtls_mpi *)a,
 				   (const mbedtls_mpi *)b)
@@ -1600,6 +1688,9 @@ int crypto_bignum_sqrmod(const struct cr
 			 const struct crypto_bignum *b,
 			 struct crypto_bignum *c)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
   #if 1
 	return crypto_bignum_mulmod(a, a, b, c);
   #else
@@ -1650,6 +1741,9 @@ int crypto_bignum_is_odd(const struct cr
 int crypto_bignum_legendre(const struct crypto_bignum *a,
 			   const struct crypto_bignum *p)
 {
 +	if (TEST_FAIL())
 +		return -2;
 +
 	/* Security Note:
 	 * mbedtls_mpi_exp_mod() is not documented to run in constant time,
 	 * though mbedtls/library/bignum.c uses constant_time_internal.h funcs.
@@ -1702,6 +1796,9 @@ int crypto_mod_exp(const u8 *base, size_
 		   const u8 *modulus, size_t modulus_len,
 		   u8 *result, size_t *result_len)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	mbedtls_mpi bn_base, bn_exp, bn_modulus, bn_result;
 	mbedtls_mpi_init(&bn_base);
 	mbedtls_mpi_init(&bn_exp);
@@ -1769,6 +1866,9 @@ static int crypto_mbedtls_dh_init_public
 int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey,
 		   u8 *pubkey)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
   #if 0 /*(crypto_dh_init() duplicated (and identical) in crypto_*.c modules)*/
 	size_t pubkey_len, pad;
@@ -1810,6 +1910,9 @@ int crypto_dh_derive_secret(u8 generator
 			    const u8 *pubkey, size_t pubkey_len,
 			    u8 *secret, size_t *len)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
   #if 0
 	if (pubkey_len > prime_len ||
 	    (pubkey_len == prime_len &&
@@ -2512,6 +2615,9 @@ const struct crypto_ec_point * crypto_ec
 struct crypto_ec_point *crypto_ec_point_init(struct crypto_ec *e)
 {
 +	if (TEST_FAIL())
 +		return NULL;
 +
 	mbedtls_ecp_point *p = os_malloc(sizeof(*p));
 	if (p != NULL)
 		mbedtls_ecp_point_init(p);
@@ -2536,6 +2642,9 @@ int crypto_ec_point_x(struct crypto_ec *
 int crypto_ec_point_to_bin(struct crypto_ec *e,
 			   const struct crypto_ec_point *point, u8 *x, u8 *y)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	/* crypto.h documents crypto_ec_point_to_bin() output is big-endian */
 	size_t len = CRYPTO_EC_plen(e);
 	if (x) {
@@ -2563,6 +2672,9 @@ int crypto_ec_point_to_bin(struct crypto
 struct crypto_ec_point * crypto_ec_point_from_bin(struct crypto_ec *e,
 						  const u8 *val)
 {
 +	if (TEST_FAIL())
 +		return NULL;
 +
 	size_t len = CRYPTO_EC_plen(e);
 	mbedtls_ecp_point *p = os_malloc(sizeof(*p));
 	u8 buf[1+MBEDTLS_MPI_MAX_SIZE*2];
@@ -2615,6 +2727,9 @@ int crypto_ec_point_add(struct crypto_ec
 			const struct crypto_ec_point *b,
 			struct crypto_ec_point *c)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	/* mbedtls does not provide an mbedtls_ecp_point add function */
 	mbedtls_mpi one;
 	mbedtls_mpi_init(&one);
@@ -2631,6 +2746,9 @@ int crypto_ec_point_mul(struct crypto_ec
 			const struct crypto_bignum *b,
 			struct crypto_ec_point *res)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	return mbedtls_ecp_mul(
 		(mbedtls_ecp_group *)e, (mbedtls_ecp_point *)res,
 		(const mbedtls_mpi *)b, (const mbedtls_ecp_point *)p,
@@ -2639,6 +2757,9 @@ int crypto_ec_point_mul(struct crypto_ec
 int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p)
 {
 +	if (TEST_FAIL())
 +		return -1;
 +
 	if (mbedtls_ecp_get_type((mbedtls_ecp_group *)e)
 	    == MBEDTLS_ECP_TYPE_MONTGOMERY) {
 		/* e.g. MBEDTLS_ECP_DP_CURVE25519 and MBEDTLS_ECP_DP_CURVE448 */
@@ -2751,6 +2872,9 @@ struct crypto_bignum *
 crypto_ec_point_compute_y_sqr(struct crypto_ec *e,
 			      const struct crypto_bignum *x)
 {
 +	if (TEST_FAIL())
 +		return NULL;
 +
 	mbedtls_mpi *y2 = os_malloc(sizeof(*y2));
 	if (y2 == NULL)
 		return NULL;
--- a/feeds/hostapd/hostapd/patches/140-tests-Makefile-make-run-tests-with-CONFIG_TLS.patch
+++ b/feeds/hostapd/hostapd/patches/140-tests-Makefile-make-run-tests-with-CONFIG_TLS.patch
--- a/feeds/hostapd/hostapd/patches/150-add-NULL-checks-encountered-during-tests-hwsim.patch
+++ b/feeds/hostapd/hostapd/patches/150-add-NULL-checks-encountered-during-tests-hwsim.patch
@@ -0,0 +1,45 @@
 From 33afce36c54b0cad38643629ded10ff5d727f077 Mon Sep 17 00:00:00 2001
 From: Glenn Strauss <gstrauss@gluelogic.com>
 Date: Fri, 12 Aug 2022 05:34:47 -0400
 Subject: [PATCH 5/7] add NULL checks (encountered during tests/hwsim)
 sae_derive_commit_element_ecc NULL pwe_ecc check
 dpp_gen_keypair() NULL curve check
 Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
 ---
 src/common/dpp_crypto.c | 6 ++++++
 src/common/sae.c        | 7 +++++++
 2 files changed, 13 insertions(+)
 --- a/src/common/dpp_crypto.c
 +++ b/src/common/dpp_crypto.c
@@ -269,6 +269,12 @@ int dpp_get_pubkey_hash(struct crypto_ec
 struct crypto_ec_key * dpp_gen_keypair(const struct dpp_curve_params *curve)
 {
 +	if (curve == NULL) {
 +		wpa_printf(MSG_DEBUG,
 +		           "DPP: %s curve must be initialized", __func__);
 +		return NULL;
 +	}
 +
 	struct crypto_ec_key *key;
 	wpa_printf(MSG_DEBUG, "DPP: Generating a keypair");
 --- a/src/common/sae.c
 +++ b/src/common/sae.c
@@ -1278,6 +1278,13 @@ void sae_deinit_pt(struct sae_pt *pt)
 static int sae_derive_commit_element_ecc(struct sae_data *sae,
 					 struct crypto_bignum *mask)
 {
 +	if (sae->tmp->pwe_ecc == NULL) {
 +		wpa_printf(MSG_DEBUG,
 +		           "SAE: %s sae->tmp->pwe_ecc must be initialized",
 +		           __func__);
 +		return -1;
 +	}
 +
 	/* COMMIT-ELEMENT = inverse(scalar-op(mask, PWE)) */
 	if (!sae->tmp->own_commit_element_ecc) {
 		sae->tmp->own_commit_element_ecc =
--- a/feeds/hostapd/hostapd/patches/160-dpp_pkex-EC-point-mul-w-value-prime.patch
+++ b/feeds/hostapd/hostapd/patches/160-dpp_pkex-EC-point-mul-w-value-prime.patch
@@ -0,0 +1,26 @@
 From 54211caa2e0e5163aefef390daf88a971367a702 Mon Sep 17 00:00:00 2001
 From: Glenn Strauss <gstrauss@gluelogic.com>
 Date: Tue, 4 Oct 2022 17:09:24 -0400
 Subject: [PATCH 6/7] dpp_pkex: EC point mul w/ value < prime
 crypto_ec_point_mul() with mbedtls requires point
 be multiplied by a multiplicand with value < prime
 Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
 ---
 src/common/dpp_crypto.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 --- a/src/common/dpp_crypto.c
 +++ b/src/common/dpp_crypto.c
@@ -1588,7 +1588,9 @@ dpp_pkex_derive_Qr(const struct dpp_curv
 	Pr = crypto_ec_key_get_public_key(Pr_key);
 	Qr = crypto_ec_point_init(ec);
 	hash_bn = crypto_bignum_init_set(hash, curve->hash_len);
 -	if (!Pr || !Qr || !hash_bn || crypto_ec_point_mul(ec, Pr, hash_bn, Qr))
 +	if (!Pr || !Qr || !hash_bn ||
 +	    crypto_bignum_mod(hash_bn, crypto_ec_get_prime(ec), hash_bn) ||
 +	    crypto_ec_point_mul(ec, Pr, hash_bn, Qr))
 		goto fail;
 	if (crypto_ec_point_is_at_infinity(ec, Qr)) {
--- a/feeds/hostapd/hostapd/patches/170-hostapd-update-cfs0-and-cfs1-for-160MHz.patch
+++ b/feeds/hostapd/hostapd/patches/170-hostapd-update-cfs0-and-cfs1-for-160MHz.patch
@@ -0,0 +1,141 @@
 From d4c4ef302f98fd6bce173b8636e7e350d8b44981 Mon Sep 17 00:00:00 2001
 From: P Praneesh <ppranees@codeaurora.org>
 Date: Fri, 19 Mar 2021 12:17:27 +0530
 Subject: [PATCH] hostapd: update cfs0 and cfs1 for 160MHz
 As per standard Draft P802.11ax_D8.0,( Table 26-9—Setting
 of the VHT Channel Width and VHT NSS at an HE STA
 transmitting the OM Control subfield ), center frequency of
 160MHz should be published in HT information subset 2 of
 HT information when EXT NSS BW field is enabled.
 If the supported number of NSS in 160MHz is at least max NSS
 support, then center_freq_seg0 indicates the center frequency of 80MHz and
 center_freq_seg1 indicates the center frequency of 160MHz.
 If the supported number of NSS in 160MHz is less than max NSS
 support, then center_freq_seg0 indicates the center frequency of 80MHz and
 center_freq_seg1 is 0. The center frequency of 160MHz is published in HT
 operation information element instead.
 Signed-off-by: P Praneesh <ppranees@codeaurora.org>
 ---
 hostapd/config_file.c           |  2 ++
 src/ap/ieee802_11_ht.c          |  7 +++++++
 src/ap/ieee802_11_vht.c         | 16 ++++++++++++++++
 src/common/hw_features_common.c |  1 +
 src/common/ieee802_11_defs.h    |  1 +
 5 files changed, 27 insertions(+)
 --- a/hostapd/config_file.c
 +++ b/hostapd/config_file.c
@@ -1153,6 +1153,8 @@ static int hostapd_config_vht_capab(stru
 		conf->vht_capab |= VHT_CAP_RX_ANTENNA_PATTERN;
 	if (os_strstr(capab, "[TX-ANTENNA-PATTERN]"))
 		conf->vht_capab |= VHT_CAP_TX_ANTENNA_PATTERN;
 +	if (os_strstr(capab, "[EXT-NSS-BW-SUPP]"))
 +		conf->vht_capab |= VHT_CAP_EXTENDED_NSS_BW_SUPPORT;
 	return 0;
 }
 #endif /* CONFIG_IEEE80211AC */
 --- a/src/ap/ieee802_11_ht.c
 +++ b/src/ap/ieee802_11_ht.c
@@ -82,7 +82,9 @@ u8 * hostapd_eid_ht_capabilities(struct
 u8 * hostapd_eid_ht_operation(struct hostapd_data *hapd, u8 *eid)
 {
 	struct ieee80211_ht_operation *oper;
 +	le32 vht_capabilities_info;
 	u8 *pos = eid;
 +	u8 chwidth;
 	if (!hapd->iconf->ieee80211n || hapd->conf->disable_11n ||
 	    is_6ghz_op_class(hapd->iconf->op_class))
@@ -103,6 +105,13 @@ u8 * hostapd_eid_ht_operation(struct hos
 		oper->ht_param |= HT_INFO_HT_PARAM_SECONDARY_CHNL_BELOW |
 			HT_INFO_HT_PARAM_STA_CHNL_WIDTH;
 +	vht_capabilities_info = host_to_le32(hapd->iface->current_mode->vht_capab);
 +	chwidth = hostapd_get_oper_chwidth(hapd->iconf);
 +	if (vht_capabilities_info & VHT_CAP_EXTENDED_NSS_BW_SUPPORT
 +		&& ((chwidth == CHANWIDTH_160MHZ) || (chwidth == CHANWIDTH_80P80MHZ))) {
 +		oper->operation_mode = host_to_le16(hapd->iconf->vht_oper_centr_freq_seg0_idx << 5);
 +	}
 +
 	pos += sizeof(*oper);
 	return pos;
 --- a/src/ap/ieee802_11_vht.c
 +++ b/src/ap/ieee802_11_vht.c
@@ -25,6 +25,7 @@ u8 * hostapd_eid_vht_capabilities(struct
 	struct ieee80211_vht_capabilities *cap;
 	struct hostapd_hw_modes *mode = hapd->iface->current_mode;
 	u8 *pos = eid;
 +	u8 chwidth;
 	if (!mode || is_6ghz_op_class(hapd->iconf->op_class))
 		return eid;
@@ -62,6 +63,17 @@ u8 * hostapd_eid_vht_capabilities(struct
 			host_to_le32(nsts << VHT_CAP_BEAMFORMEE_STS_OFFSET);
 	}
 +	chwidth = hostapd_get_oper_chwidth(hapd->iconf);
 +	if (((host_to_le32(mode->vht_capab)) & VHT_CAP_EXTENDED_NSS_BW_SUPPORT)
 +		&& ((chwidth == CHANWIDTH_160MHZ) || (chwidth == CHANWIDTH_80P80MHZ))) {
 +		cap->vht_capabilities_info |= VHT_CAP_EXTENDED_NSS_BW_SUPPORT;
 +		cap->vht_capabilities_info &= ~(host_to_le32(VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ));
 +		cap->vht_capabilities_info &= ~(host_to_le32(VHT_CAP_SUPP_CHAN_WIDTH_160MHZ));
 +		cap->vht_capabilities_info &= ~(host_to_le32(VHT_CAP_SUPP_CHAN_WIDTH_MASK));
 +	} else {
 +		cap->vht_capabilities_info &= ~VHT_CAP_EXTENDED_NSS_BW_SUPPORT_MASK;
 +	}
 +
 	/* Supported MCS set comes from hw */
 	os_memcpy(&cap->vht_supported_mcs_set, mode->vht_mcs_set, 8);
@@ -74,6 +86,7 @@ u8 * hostapd_eid_vht_capabilities(struct
 u8 * hostapd_eid_vht_operation(struct hostapd_data *hapd, u8 *eid)
 {
 	struct ieee80211_vht_operation *oper;
 +	le32 vht_capabilities_info;
 	u8 *pos = eid;
 	enum oper_chan_width oper_chwidth =
 		hostapd_get_oper_chwidth(hapd->iconf);
@@ -106,6 +119,7 @@ u8 * hostapd_eid_vht_operation(struct ho
 	oper->vht_op_info_chan_center_freq_seg1_idx = seg1;
 	oper->vht_op_info_chwidth = oper_chwidth;
 +	vht_capabilities_info = host_to_le32(hapd->iface->current_mode->vht_capab);
 	if (oper_chwidth == CONF_OPER_CHWIDTH_160MHZ) {
 		/*
 		 * Convert 160 MHz channel width to new style as interop
@@ -119,6 +133,9 @@ u8 * hostapd_eid_vht_operation(struct ho
 			oper->vht_op_info_chan_center_freq_seg0_idx -= 8;
 		else
 			oper->vht_op_info_chan_center_freq_seg0_idx += 8;
 +
 +		if (vht_capabilities_info & VHT_CAP_EXTENDED_NSS_BW_SUPPORT)
 +			oper->vht_op_info_chan_center_freq_seg1_idx = 0;
 	} else if (oper_chwidth == CONF_OPER_CHWIDTH_80P80MHZ) {
 		/*
 		 * Convert 80+80 MHz channel width to new style as interop
 --- a/src/common/hw_features_common.c
 +++ b/src/common/hw_features_common.c
@@ -811,6 +811,7 @@ int ieee80211ac_cap_check(u32 hw, u32 co
 	VHT_CAP_CHECK(VHT_CAP_VHT_LINK_ADAPTATION_VHT_MRQ_MFB);
 	VHT_CAP_CHECK(VHT_CAP_RX_ANTENNA_PATTERN);
 	VHT_CAP_CHECK(VHT_CAP_TX_ANTENNA_PATTERN);
 +	VHT_CAP_CHECK(VHT_CAP_EXTENDED_NSS_BW_SUPPORT);
 #undef VHT_CAP_CHECK
 #undef VHT_CAP_CHECK_MAX
 --- a/src/common/ieee802_11_defs.h
 +++ b/src/common/ieee802_11_defs.h
@@ -1349,6 +1349,8 @@ struct ieee80211_ampe_ie {
 #define VHT_CAP_VHT_LINK_ADAPTATION_VHT_MRQ_MFB     ((u32) BIT(26) | BIT(27))
 #define VHT_CAP_RX_ANTENNA_PATTERN                  ((u32) BIT(28))
 #define VHT_CAP_TX_ANTENNA_PATTERN                  ((u32) BIT(29))
 +#define VHT_CAP_EXTENDED_NSS_BW_SUPPORT		    ((u32) BIT(30))
 +#define VHT_CAP_EXTENDED_NSS_BW_SUPPORT_MASK	    ((u32) BIT(30) | BIT(31))
 #define VHT_OPMODE_CHANNEL_WIDTH_MASK		    ((u8) BIT(0) | BIT(1))
 #define VHT_OPMODE_CHANNEL_RxNSS_MASK		    ((u8) BIT(4) | BIT(5) | \
--- a/feeds/hostapd/hostapd/patches/180-driver_nl80211-fix-setting-QoS-map-on-secondary-BSSs.patch
+++ b/feeds/hostapd/hostapd/patches/180-driver_nl80211-fix-setting-QoS-map-on-secondary-BSSs.patch
@@ -0,0 +1,20 @@
 From: Felix Fietkau <nbd@nbd.name>
 Date: Thu, 14 Sep 2023 10:53:50 +0200
 Subject: [PATCH] driver_nl80211: fix setting QoS map on secondary BSSs
 The setting is per-BSS, not per PHY
 Signed-off-by: Felix Fietkau <nbd@nbd.name>
 ---
 --- a/src/drivers/driver_nl80211.c
 +++ b/src/drivers/driver_nl80211.c
@@ -11341,7 +11341,7 @@ static int nl80211_set_qos_map(void *pri
 	wpa_hexdump(MSG_DEBUG, "nl80211: Setting QoS Map",
 		    qos_map_set, qos_map_set_len);
 -	if (!(msg = nl80211_drv_msg(drv, 0, NL80211_CMD_SET_QOS_MAP)) ||
 +	if (!(msg = nl80211_bss_msg(bss, 0, NL80211_CMD_SET_QOS_MAP)) ||
 	    nla_put(msg, NL80211_ATTR_QOS_MAP, qos_map_set_len, qos_map_set)) {
 		nlmsg_free(msg);
 		return -ENOBUFS;
--- a/feeds/hostapd/hostapd/patches/181-driver_nl80211-update-drv-ifindex-on-removing-the-fi.patch
+++ b/feeds/hostapd/hostapd/patches/181-driver_nl80211-update-drv-ifindex-on-removing-the-fi.patch
@@ -0,0 +1,18 @@
 From: Felix Fietkau <nbd@nbd.name>
 Date: Thu, 14 Sep 2023 11:28:03 +0200
 Subject: [PATCH] driver_nl80211: update drv->ifindex on removing the first
 BSS
 Signed-off-by: Felix Fietkau <nbd@nbd.name>
 ---
 --- a/src/drivers/driver_nl80211.c
 +++ b/src/drivers/driver_nl80211.c
@@ -8867,6 +8867,7 @@ static int wpa_driver_nl80211_if_remove(
 		if (drv->first_bss->next) {
 			drv->first_bss = drv->first_bss->next;
 			drv->ctx = drv->first_bss->ctx;
 +			drv->ifindex = drv->first_bss->ifindex;
 			os_free(bss);
 		} else {
 			wpa_printf(MSG_DEBUG, "nl80211: No second BSS to reassign context to");
--- a/feeds/hostapd/hostapd/patches/182-nl80211-move-nl80211_put_freq_params-call-outside-of.patch
+++ b/feeds/hostapd/hostapd/patches/182-nl80211-move-nl80211_put_freq_params-call-outside-of.patch
@@ -0,0 +1,34 @@
 From: Felix Fietkau <nbd@nbd.name>
 Date: Mon, 18 Sep 2023 16:47:41 +0200
 Subject: [PATCH] nl80211: move nl80211_put_freq_params call outside of
 802.11ax #ifdef
 The relevance of this call is not specific to 802.11ax, so it should be done
 even with CONFIG_IEEE80211AX disabled.
 Fixes: b3921db426ea ("nl80211: Add frequency info in start AP command")
 Signed-off-by: Felix Fietkau <nbd@nbd.name>
 ---
 --- a/src/drivers/driver_nl80211.c
 +++ b/src/drivers/driver_nl80211.c
@@ -5226,6 +5226,9 @@ static int wpa_driver_nl80211_set_ap(voi
 		nla_nest_end(msg, ftm);
 	}
 +	if (params->freq && nl80211_put_freq_params(msg, params->freq) < 0)
 +		goto fail;
 +
 #ifdef CONFIG_IEEE80211AX
 	if (params->he_spr_ctrl) {
 		struct nlattr *spr;
@@ -5260,9 +5263,6 @@ static int wpa_driver_nl80211_set_ap(voi
 		nla_nest_end(msg, spr);
 	}
 -	if (params->freq && nl80211_put_freq_params(msg, params->freq) < 0)
 -		goto fail;
 -
 	if (params->freq && params->freq->he_enabled) {
 		struct nlattr *bss_color;
--- a/feeds/hostapd/hostapd/patches/183-hostapd-cancel-channel_list_update_timeout-in-hostap.patch
+++ b/feeds/hostapd/hostapd/patches/183-hostapd-cancel-channel_list_update_timeout-in-hostap.patch
@@ -0,0 +1,28 @@
 From: Felix Fietkau <nbd@nbd.name>
 Date: Wed, 20 Sep 2023 13:41:10 +0200
 Subject: [PATCH] hostapd: cancel channel_list_update_timeout in
 hostapd_cleanup_iface_partial
 Fixes a crash when disabling an interface during channel list update
 Signed-off-by: Felix Fietkau <nbd@nbd.name>
 ---
 --- a/src/ap/hostapd.c
 +++ b/src/ap/hostapd.c
@@ -569,6 +569,7 @@ static void sta_track_deinit(struct host
 void hostapd_cleanup_iface_partial(struct hostapd_iface *iface)
 {
 	wpa_printf(MSG_DEBUG, "%s(%p)", __func__, iface);
 +	eloop_cancel_timeout(channel_list_update_timeout, iface, NULL);
 #ifdef NEED_AP_MLME
 	hostapd_stop_setup_timers(iface);
 #endif /* NEED_AP_MLME */
@@ -598,7 +599,6 @@ void hostapd_cleanup_iface_partial(struc
 static void hostapd_cleanup_iface(struct hostapd_iface *iface)
 {
 	wpa_printf(MSG_DEBUG, "%s(%p)", __func__, iface);
 -	eloop_cancel_timeout(channel_list_update_timeout, iface, NULL);
 	eloop_cancel_timeout(hostapd_interface_setup_failure_handler, iface,
 			     NULL);
--- a/feeds/hostapd/hostapd/patches/200-multicall.patch
+++ b/feeds/hostapd/hostapd/patches/200-multicall.patch
@@ -0,0 +1,355 @@
 --- a/hostapd/Makefile
 +++ b/hostapd/Makefile
@@ -1,6 +1,7 @@
 ALL=hostapd hostapd_cli
 CONFIG_FILE = .config
 +-include $(if $(MULTICALL), ../wpa_supplicant/.config)
 include ../src/build.rules
 ifdef LIBS
@@ -199,7 +200,8 @@ endif
 ifdef CONFIG_NO_VLAN
 CFLAGS += -DCONFIG_NO_VLAN
 -else
 +endif
 +ifneq ($(findstring CONFIG_NO_VLAN,$(CFLAGS)), CONFIG_NO_VLAN)
 OBJS += ../src/ap/vlan_init.o
 OBJS += ../src/ap/vlan_ifconfig.o
 OBJS += ../src/ap/vlan.o
@@ -357,10 +359,14 @@ CFLAGS += -DCONFIG_MBO
 OBJS += ../src/ap/mbo_ap.o
 endif
 +ifndef MULTICALL
 +CFLAGS += -DNO_SUPPLICANT
 +endif
 +
 include ../src/drivers/drivers.mak
 -OBJS += $(DRV_AP_OBJS)
 -CFLAGS += $(DRV_AP_CFLAGS)
 -LDFLAGS += $(DRV_AP_LDFLAGS)
 +OBJS += $(sort $(DRV_AP_OBJS) $(if $(MULTICALL),$(DRV_WPA_OBJS)))
 +CFLAGS += $(DRV_AP_CFLAGS) $(if $(MULTICALL),$(DRV_WPA_CFLAGS))
 +LDFLAGS += $(DRV_AP_LDFLAGS) $(if $(MULTICALL),$(DRV_WPA_LDFLAGS))
 LIBS += $(DRV_AP_LIBS)
 ifdef CONFIG_L2_PACKET
@@ -1380,6 +1386,12 @@ install: $(addprefix $(DESTDIR)$(BINDIR)
 _OBJS_VAR := OBJS
 include ../src/objs.mk
 +hostapd_multi.a: $(BCHECK) $(OBJS)
 +	$(Q)$(CC) -c -o hostapd_multi.o -Dmain=hostapd_main $(CFLAGS) main.c
 +	@$(E) "  CC " $<
 +	@rm -f $@
 +	@$(AR) cr $@ hostapd_multi.o $(OBJS)
 +
 hostapd: $(OBJS)
 	$(Q)$(CC) $(LDFLAGS) -o hostapd $(OBJS) $(LIBS)
 	@$(E) "  LD " $@
@@ -1460,6 +1472,12 @@ include ../src/objs.mk
 _OBJS_VAR := SOBJS
 include ../src/objs.mk
 +dump_cflags:
 +	@printf "%s " "$(CFLAGS)"
 +
 +dump_ldflags:
 +	@printf "%s " "$(LDFLAGS) $(LIBS) $(EXTRALIBS)"
 +
 nt_password_hash: $(NOBJS)
 	$(Q)$(CC) $(LDFLAGS) -o nt_password_hash $(NOBJS) $(LIBS_n)
 	@$(E) "  LD " $@
 --- a/wpa_supplicant/Makefile
 +++ b/wpa_supplicant/Makefile
@@ -10,6 +10,7 @@ ALL += dbus/fi.w1.wpa_supplicant1.servic
 EXTRA_TARGETS=dynamic_eap_methods
 CONFIG_FILE=.config
 +-include $(if $(MULTICALL),../hostapd/.config)
 include ../src/build.rules
 ifdef CONFIG_BUILD_PASN_SO
@@ -382,7 +383,9 @@ endif
 ifdef CONFIG_IBSS_RSN
 NEED_RSN_AUTHENTICATOR=y
 CFLAGS += -DCONFIG_IBSS_RSN
 +ifndef MULTICALL
 CFLAGS += -DCONFIG_NO_VLAN
 +endif
 OBJS += ibss_rsn.o
 endif
@@ -924,6 +927,10 @@ ifdef CONFIG_DYNAMIC_EAP_METHODS
 CFLAGS += -DCONFIG_DYNAMIC_EAP_METHODS
 LIBS += -ldl -rdynamic
 endif
 +else
 +  ifdef MULTICALL
 +    OBJS += ../src/eap_common/eap_common.o
 +  endif
 endif
 ifdef CONFIG_AP
@@ -931,9 +938,11 @@ NEED_EAP_COMMON=y
 NEED_RSN_AUTHENTICATOR=y
 CFLAGS += -DCONFIG_AP
 OBJS += ap.o
 +ifndef MULTICALL
 CFLAGS += -DCONFIG_NO_RADIUS
 CFLAGS += -DCONFIG_NO_ACCOUNTING
 CFLAGS += -DCONFIG_NO_VLAN
 +endif
 OBJS += ../src/ap/hostapd.o
 OBJS += ../src/ap/wpa_auth_glue.o
 OBJS += ../src/ap/utils.o
@@ -1022,6 +1031,12 @@ endif
 ifdef CONFIG_HS20
 OBJS += ../src/ap/hs20.o
 endif
 +else
 +  ifdef MULTICALL
 +    OBJS += ../src/eap_server/eap_server.o
 +    OBJS += ../src/eap_server/eap_server_identity.o
 +    OBJS += ../src/eap_server/eap_server_methods.o
 +  endif
 endif
 ifdef CONFIG_MBO
@@ -1030,7 +1045,9 @@ CFLAGS += -DCONFIG_MBO
 endif
 ifdef NEED_RSN_AUTHENTICATOR
 +ifndef MULTICALL
 CFLAGS += -DCONFIG_NO_RADIUS
 +endif
 NEED_AES_WRAP=y
 OBJS += ../src/ap/wpa_auth.o
 OBJS += ../src/ap/wpa_auth_ie.o
@@ -2010,6 +2027,12 @@ wpa_priv: $(BCHECK) $(OBJS_priv)
 _OBJS_VAR := OBJS
 include ../src/objs.mk
 +wpa_supplicant_multi.a: .config $(BCHECK) $(OBJS) $(EXTRA_progs)
 +	$(Q)$(CC) -c -o wpa_supplicant_multi.o -Dmain=wpa_supplicant_main $(CFLAGS) main.c
 +	@$(E) "  CC " $<
 +	@rm -f $@
 +	@$(AR) cr $@ wpa_supplicant_multi.o $(OBJS)
 +
 wpa_supplicant: $(BCHECK) $(OBJS) $(EXTRA_progs)
 	$(Q)$(LDO) $(LDFLAGS) -o wpa_supplicant $(OBJS) $(LIBS) $(EXTRALIBS)
 	@$(E) "  LD " $@
@@ -2142,6 +2165,12 @@ eap_gpsk.so: $(SRC_EAP_GPSK)
 	$(Q)sed -e 's|\@BINDIR\@|$(BINDIR)|g' $< >$@
 	@$(E) "  sed" $<
 +dump_cflags:
 +	@printf "%s " "$(CFLAGS)"
 +
 +dump_ldflags:
 +	@printf "%s " "$(LDFLAGS) $(LIBS) $(EXTRALIBS)"
 +
 wpa_supplicant.exe: wpa_supplicant
 	mv -f $< $@
 wpa_cli.exe: wpa_cli
 --- a/src/drivers/driver.h
 +++ b/src/drivers/driver.h
@@ -6667,8 +6667,8 @@ union wpa_event_data {
  * Driver wrapper code should call this function whenever an event is received
  * from the driver.
  */
 -void wpa_supplicant_event(void *ctx, enum wpa_event_type event,
 -			  union wpa_event_data *data);
 +extern void (*wpa_supplicant_event)(void *ctx, enum wpa_event_type event,
 +				    union wpa_event_data *data);
 /**
  * wpa_supplicant_event_global - Report a driver event for wpa_supplicant
@@ -6680,7 +6680,7 @@ void wpa_supplicant_event(void *ctx, enu
  * Same as wpa_supplicant_event(), but we search for the interface in
  * wpa_global.
  */
 -void wpa_supplicant_event_global(void *ctx, enum wpa_event_type event,
 +extern void (*wpa_supplicant_event_global)(void *ctx, enum wpa_event_type event,
 				 union wpa_event_data *data);
 /*
 --- a/src/ap/drv_callbacks.c
 +++ b/src/ap/drv_callbacks.c
@@ -2184,8 +2184,8 @@ err:
 #endif /* CONFIG_OWE */
 -void wpa_supplicant_event(void *ctx, enum wpa_event_type event,
 -			  union wpa_event_data *data)
 +void hostapd_wpa_event(void *ctx, enum wpa_event_type event,
 +		       union wpa_event_data *data)
 {
 	struct hostapd_data *hapd = ctx;
 #ifndef CONFIG_NO_STDOUT_DEBUG
@@ -2489,7 +2489,7 @@ void wpa_supplicant_event(void *ctx, enu
 }
 -void wpa_supplicant_event_global(void *ctx, enum wpa_event_type event,
 +void hostapd_wpa_event_global(void *ctx, enum wpa_event_type event,
 				 union wpa_event_data *data)
 {
 	struct hapd_interfaces *interfaces = ctx;
 --- a/wpa_supplicant/wpa_priv.c
 +++ b/wpa_supplicant/wpa_priv.c
@@ -1039,8 +1039,8 @@ static void wpa_priv_send_ft_response(st
 }
 -void wpa_supplicant_event(void *ctx, enum wpa_event_type event,
 -			  union wpa_event_data *data)
 +static void supplicant_event(void *ctx, enum wpa_event_type event,
 +			     union wpa_event_data *data)
 {
 	struct wpa_priv_interface *iface = ctx;
@@ -1103,7 +1103,7 @@ void wpa_supplicant_event(void *ctx, enu
 }
 -void wpa_supplicant_event_global(void *ctx, enum wpa_event_type event,
 +void supplicant_event_global(void *ctx, enum wpa_event_type event,
 				 union wpa_event_data *data)
 {
 	struct wpa_priv_global *global = ctx;
@@ -1217,6 +1217,8 @@ int main(int argc, char *argv[])
 	if (os_program_init())
 		return -1;
 +	wpa_supplicant_event = supplicant_event;
 +	wpa_supplicant_event_global = supplicant_event_global;
 	wpa_priv_fd_workaround();
 	os_memset(&global, 0, sizeof(global));
 --- a/wpa_supplicant/events.c
 +++ b/wpa_supplicant/events.c
@@ -5353,8 +5353,8 @@ static void wpas_link_reconfig(struct wp
 }
 -void wpa_supplicant_event(void *ctx, enum wpa_event_type event,
 -			  union wpa_event_data *data)
 +void supplicant_event(void *ctx, enum wpa_event_type event,
 +		      union wpa_event_data *data)
 {
 	struct wpa_supplicant *wpa_s = ctx;
 	int resched;
@@ -6272,7 +6272,7 @@ void wpa_supplicant_event(void *ctx, enu
 }
 -void wpa_supplicant_event_global(void *ctx, enum wpa_event_type event,
 +void supplicant_event_global(void *ctx, enum wpa_event_type event,
 				 union wpa_event_data *data)
 {
 	struct wpa_supplicant *wpa_s;
 --- a/wpa_supplicant/wpa_supplicant.c
 +++ b/wpa_supplicant/wpa_supplicant.c
@@ -7462,7 +7462,6 @@ struct wpa_interface * wpa_supplicant_ma
 	return NULL;
 }
 -
 /**
  * wpa_supplicant_match_existing - Match existing interfaces
  * @global: Pointer to global data from wpa_supplicant_init()
@@ -7497,6 +7496,11 @@ static int wpa_supplicant_match_existing
 #endif /* CONFIG_MATCH_IFACE */
 +extern void supplicant_event(void *ctx, enum wpa_event_type event,
 +			     union wpa_event_data *data);
 +
 +extern void supplicant_event_global(void *ctx, enum wpa_event_type event,
 + 				 union wpa_event_data *data);
 /**
  * wpa_supplicant_add_iface - Add a new network interface
@@ -7753,6 +7757,8 @@ struct wpa_global * wpa_supplicant_init(
 #ifndef CONFIG_NO_WPA_MSG
 	wpa_msg_register_ifname_cb(wpa_supplicant_msg_ifname_cb);
 #endif /* CONFIG_NO_WPA_MSG */
 +	wpa_supplicant_event = supplicant_event;
 +	wpa_supplicant_event_global = supplicant_event_global;
 	if (params->wpa_debug_file_path)
 		wpa_debug_open_file(params->wpa_debug_file_path);
 --- a/hostapd/main.c
 +++ b/hostapd/main.c
@@ -698,6 +698,11 @@ fail:
 	return -1;
 }
 +void hostapd_wpa_event(void *ctx, enum wpa_event_type event,
 +                       union wpa_event_data *data);
 +
 +void hostapd_wpa_event_global(void *ctx, enum wpa_event_type event,
 + 				 union wpa_event_data *data);
 #ifdef CONFIG_WPS
 static int gen_uuid(const char *txt_addr)
@@ -791,6 +796,8 @@ int main(int argc, char *argv[])
 		return -1;
 #endif /* CONFIG_DPP */
 +	wpa_supplicant_event = hostapd_wpa_event;
 +	wpa_supplicant_event_global = hostapd_wpa_event_global;
 	for (;;) {
 		c = getopt(argc, argv, "b:Bde:f:hi:KP:sSTtu:vg:G:q");
 		if (c < 0)
 --- a/src/drivers/drivers.c
 +++ b/src/drivers/drivers.c
@@ -10,6 +10,10 @@
 #include "utils/common.h"
 #include "driver.h"
 +void (*wpa_supplicant_event)(void *ctx, enum wpa_event_type event,
 +			     union wpa_event_data *data);
 +void (*wpa_supplicant_event_global)(void *ctx, enum wpa_event_type event,
 +			     union wpa_event_data *data);
 const struct wpa_driver_ops *const wpa_drivers[] =
 {
 --- a/wpa_supplicant/eapol_test.c
 +++ b/wpa_supplicant/eapol_test.c
@@ -31,7 +31,12 @@
 #include "ctrl_iface.h"
 #include "pcsc_funcs.h"
 #include "wpas_glue.h"
 +#include "drivers/driver.h"
 +void (*wpa_supplicant_event)(void *ctx, enum wpa_event_type event,
 +			     union wpa_event_data *data);
 +void (*wpa_supplicant_event_global)(void *ctx, enum wpa_event_type event,
 +			     union wpa_event_data *data);
 const struct wpa_driver_ops *const wpa_drivers[] = { NULL };
@@ -1303,6 +1308,10 @@ static void usage(void)
 	       "option several times.\n");
 }
 +extern void supplicant_event(void *ctx, enum wpa_event_type event,
 +			     union wpa_event_data *data);
 +extern void supplicant_event_global(void *ctx, enum wpa_event_type event,
 +			     union wpa_event_data *data);
 int main(int argc, char *argv[])
 {
@@ -1323,6 +1332,8 @@ int main(int argc, char *argv[])
 	if (os_program_init())
 		return -1;
 +	wpa_supplicant_event = supplicant_event;
 +	wpa_supplicant_event_global = supplicant_event_global;
 	hostapd_logger_register_cb(hostapd_logger_cb);
 	os_memset(&eapol_test, 0, sizeof(eapol_test));
--- a/feeds/hostapd/hostapd/patches/300-noscan.patch
+++ b/feeds/hostapd/hostapd/patches/300-noscan.patch
@@ -0,0 +1,58 @@
 --- a/hostapd/config_file.c
 +++ b/hostapd/config_file.c
@@ -3448,6 +3448,10 @@ static int hostapd_config_fill(struct ho
 		if (bss->ocv && !bss->ieee80211w)
 			bss->ieee80211w = 1;
 #endif /* CONFIG_OCV */
 +	} else if (os_strcmp(buf, "noscan") == 0) {
 +		conf->noscan = atoi(pos);
 +	} else if (os_strcmp(buf, "ht_coex") == 0) {
 +		conf->no_ht_coex = !atoi(pos);
 	} else if (os_strcmp(buf, "ieee80211n") == 0) {
 		conf->ieee80211n = atoi(pos);
 	} else if (os_strcmp(buf, "ht_capab") == 0) {
 --- a/src/ap/ap_config.h
 +++ b/src/ap/ap_config.h
@@ -1075,6 +1075,8 @@ struct hostapd_config {
 	int ht_op_mode_fixed;
 	u16 ht_capab;
 +	int noscan;
 +	int no_ht_coex;
 	int ieee80211n;
 	int secondary_channel;
 	int no_pri_sec_switch;
 --- a/src/ap/hw_features.c
 +++ b/src/ap/hw_features.c
@@ -546,7 +546,8 @@ static int ieee80211n_check_40mhz(struct
 	int ret;
 	/* Check that HT40 is used and PRI / SEC switch is allowed */
 -	if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch)
 +	if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch ||
 +		iface->conf->noscan)
 		return 0;
 	hostapd_set_state(iface, HAPD_IFACE_HT_SCAN);
 --- a/src/ap/ieee802_11_ht.c
 +++ b/src/ap/ieee802_11_ht.c
@@ -239,6 +239,9 @@ void hostapd_2040_coex_action(struct hos
 		return;
 	}
 +	if (iface->conf->noscan || iface->conf->no_ht_coex)
 +		return;
 +
 	if (len < IEEE80211_HDRLEN + 2 + sizeof(*bc_ie)) {
 		wpa_printf(MSG_DEBUG,
 			   "Ignore too short 20/40 BSS Coexistence Management frame");
@@ -399,6 +402,9 @@ void ht40_intolerant_add(struct hostapd_
 	if (iface->current_mode->mode != HOSTAPD_MODE_IEEE80211G)
 		return;
 +	if (iface->conf->noscan || iface->conf->no_ht_coex)
 +		return;
 +
 	wpa_printf(MSG_INFO, "HT: Forty MHz Intolerant is set by STA " MACSTR
 		   " in Association Request", MAC2STR(sta->addr));
--- a/feeds/hostapd/hostapd/patches/301-mesh-noscan.patch
+++ b/feeds/hostapd/hostapd/patches/301-mesh-noscan.patch
@@ -0,0 +1,71 @@
 --- a/wpa_supplicant/config.c
 +++ b/wpa_supplicant/config.c
@@ -2600,6 +2600,7 @@ static const struct parse_data ssid_fiel
 #else /* CONFIG_MESH */
 	{ INT_RANGE(mode, 0, 4) },
 #endif /* CONFIG_MESH */
 +	{ INT_RANGE(noscan, 0, 1) },
 	{ INT_RANGE(proactive_key_caching, 0, 1) },
 	{ INT_RANGE(disabled, 0, 2) },
 	{ STR(id_str) },
 --- a/wpa_supplicant/config_file.c
 +++ b/wpa_supplicant/config_file.c
@@ -775,6 +775,7 @@ static void wpa_config_write_network(FIL
 #endif /* IEEE8021X_EAPOL */
 	INT(mode);
 	INT(no_auto_peer);
 +	INT(noscan);
 	INT(mesh_fwding);
 	INT(frequency);
 	INT(enable_edmg);
 --- a/wpa_supplicant/mesh.c
 +++ b/wpa_supplicant/mesh.c
@@ -506,6 +506,8 @@ static int wpa_supplicant_mesh_init(stru
 			   frequency);
 		goto out_free;
 	}
 +	if (ssid->noscan)
 +		conf->noscan = 1;
 	if (ssid->mesh_basic_rates == NULL) {
 		/*
 --- a/wpa_supplicant/wpa_supplicant.c
 +++ b/wpa_supplicant/wpa_supplicant.c
@@ -2710,7 +2710,7 @@ static bool ibss_mesh_can_use_vht(struct
 				  const struct wpa_ssid *ssid,
 				  struct hostapd_hw_modes *mode)
 {
 -	if (mode->mode != HOSTAPD_MODE_IEEE80211A)
 +	if (mode->mode != HOSTAPD_MODE_IEEE80211A && !(ssid->noscan))
 		return false;
 	if (!drv_supports_vht(wpa_s, ssid))
@@ -2783,7 +2783,7 @@ static void ibss_mesh_select_40mhz(struc
 	int i, res;
 	unsigned int j;
 	static const int ht40plus[] = {
 -		36, 44, 52, 60, 100, 108, 116, 124, 132, 149, 157, 165, 173,
 +		1, 2, 3, 4, 5, 6, 36, 44, 52, 60, 100, 108, 116, 124, 132, 149, 157, 165, 173,
 		184, 192
 	};
 	int ht40 = -1;
@@ -3033,7 +3033,7 @@ void ibss_mesh_setup_freq(struct wpa_sup
 	int ieee80211_mode = wpas_mode_to_ieee80211_mode(ssid->mode);
 	enum hostapd_hw_mode hw_mode;
 	struct hostapd_hw_modes *mode = NULL;
 -	int i, obss_scan = 1;
 +	int i, obss_scan = !(ssid->noscan);
 	u8 channel;
 	bool is_6ghz;
 	bool dfs_enabled = wpa_s->conf->country[0] && (wpa_s->drv_flags & WPA_DRIVER_FLAGS_RADAR);
 --- a/wpa_supplicant/config_ssid.h
 +++ b/wpa_supplicant/config_ssid.h
@@ -1035,6 +1035,8 @@ struct wpa_ssid {
 	 */
 	int no_auto_peer;
 +	int noscan;
 +
 	/**
 	 * mesh_rssi_threshold - Set mesh parameter mesh_rssi_threshold (dBm)
 	 *
--- a/feeds/hostapd/hostapd/patches/310-rescan_immediately.patch
+++ b/feeds/hostapd/hostapd/patches/310-rescan_immediately.patch
@@ -0,0 +1,11 @@
 --- a/wpa_supplicant/wpa_supplicant.c
 +++ b/wpa_supplicant/wpa_supplicant.c
@@ -5767,7 +5767,7 @@ wpa_supplicant_alloc(struct wpa_supplica
 	if (wpa_s == NULL)
 		return NULL;
 	wpa_s->scan_req = INITIAL_SCAN_REQ;
 -	wpa_s->scan_interval = 5;
 +	wpa_s->scan_interval = 1;
 	wpa_s->new_connection = 1;
 	wpa_s->parent = parent ? parent : wpa_s;
 	wpa_s->p2pdev = wpa_s->parent;
--- a/feeds/hostapd/hostapd/patches/320-optional_rfkill.patch
+++ b/feeds/hostapd/hostapd/patches/320-optional_rfkill.patch
@@ -0,0 +1,61 @@
 --- a/src/drivers/drivers.mak
 +++ b/src/drivers/drivers.mak
@@ -54,7 +54,6 @@ NEED_SME=y
 NEED_AP_MLME=y
 NEED_NETLINK=y
 NEED_LINUX_IOCTL=y
 -NEED_RFKILL=y
 NEED_RADIOTAP=y
 NEED_LIBNL=y
 endif
@@ -111,7 +110,6 @@ DRV_WPA_CFLAGS += -DCONFIG_DRIVER_WEXT
 CONFIG_WIRELESS_EXTENSION=y
 NEED_NETLINK=y
 NEED_LINUX_IOCTL=y
 -NEED_RFKILL=y
 endif
 ifdef CONFIG_DRIVER_NDIS
@@ -137,7 +135,6 @@ endif
 ifdef CONFIG_WIRELESS_EXTENSION
 DRV_WPA_CFLAGS += -DCONFIG_WIRELESS_EXTENSION
 DRV_WPA_OBJS += ../src/drivers/driver_wext.o
 -NEED_RFKILL=y
 endif
 ifdef NEED_NETLINK
@@ -146,6 +143,7 @@ endif
 ifdef NEED_RFKILL
 DRV_OBJS += ../src/drivers/rfkill.o
 +DRV_WPA_CFLAGS += -DCONFIG_RFKILL
 endif
 ifdef NEED_RADIOTAP
 --- a/src/drivers/rfkill.h
 +++ b/src/drivers/rfkill.h
@@ -18,8 +18,24 @@ struct rfkill_config {
 	void (*unblocked_cb)(void *ctx);
 };
 +#ifdef CONFIG_RFKILL
 struct rfkill_data * rfkill_init(struct rfkill_config *cfg);
 void rfkill_deinit(struct rfkill_data *rfkill);
 int rfkill_is_blocked(struct rfkill_data *rfkill);
 +#else
 +static inline struct rfkill_data * rfkill_init(struct rfkill_config *cfg)
 +{
 +	return (void *) 1;
 +}
 +
 +static inline void rfkill_deinit(struct rfkill_data *rfkill)
 +{
 +}
 +
 +static inline int rfkill_is_blocked(struct rfkill_data *rfkill)
 +{
 +	return 0;
 +}
 +#endif
 #endif /* RFKILL_H */
--- a/feeds/hostapd/hostapd/patches/330-nl80211_fix_set_freq.patch
+++ b/feeds/hostapd/hostapd/patches/330-nl80211_fix_set_freq.patch
@@ -0,0 +1,11 @@
 --- a/src/drivers/driver_nl80211.c
 +++ b/src/drivers/driver_nl80211.c
@@ -5407,7 +5407,7 @@ static int nl80211_set_channel(struct i8
 		   freq->he_enabled, freq->eht_enabled, freq->bandwidth,
 		   freq->center_freq1, freq->center_freq2);
 -	msg = nl80211_drv_msg(drv, 0, set_chan ? NL80211_CMD_SET_CHANNEL :
 +	msg = nl80211_bss_msg(bss, 0, set_chan ? NL80211_CMD_SET_CHANNEL :
 			      NL80211_CMD_SET_WIPHY);
 	if (!msg || nl80211_put_freq_params(msg, freq) < 0) {
 		nlmsg_free(msg);
--- a/feeds/hostapd/hostapd/patches/341-mesh-ctrl-iface-channel-switch.patch
+++ b/feeds/hostapd/hostapd/patches/341-mesh-ctrl-iface-channel-switch.patch
@@ -0,0 +1,39 @@
 --- a/wpa_supplicant/ap.c
 +++ b/wpa_supplicant/ap.c
@@ -1825,15 +1825,35 @@ int ap_switch_channel(struct wpa_supplic
 #ifdef CONFIG_CTRL_IFACE
 +
 +static int __ap_ctrl_iface_chanswitch(struct hostapd_iface *iface,
 +				      struct csa_settings *settings)
 +{
 +#ifdef NEED_AP_MLME
 +	if (!iface || !iface->bss[0])
 +		return 0;
 +
 +	return hostapd_switch_channel(iface->bss[0], settings);
 +#else
 +	return -1;
 +#endif
 +}
 +
 +
 int ap_ctrl_iface_chanswitch(struct wpa_supplicant *wpa_s, const char *pos)
 {
 	struct csa_settings settings;
 	int ret = hostapd_parse_csa_settings(pos, &settings);
 +	if (!(wpa_s->ap_iface && wpa_s->ap_iface->bss[0]) &&
 +	    !(wpa_s->ifmsh && wpa_s->ifmsh->bss[0]))
 +		return -1;
 +
 +	ret = __ap_ctrl_iface_chanswitch(wpa_s->ap_iface, &settings);
 	if (ret)
 		return ret;
 -	return ap_switch_channel(wpa_s, &settings);
 +	return __ap_ctrl_iface_chanswitch(wpa_s->ifmsh, &settings);
 }
 #endif /* CONFIG_CTRL_IFACE */
--- a/feeds/hostapd/hostapd/patches/350-nl80211_del_beacon_bss.patch
+++ b/feeds/hostapd/hostapd/patches/350-nl80211_del_beacon_bss.patch
@@ -0,0 +1,35 @@
 --- a/src/drivers/driver_nl80211.c
 +++ b/src/drivers/driver_nl80211.c
@@ -3008,12 +3008,12 @@ static int wpa_driver_nl80211_del_beacon
 		return 0;
 	wpa_printf(MSG_DEBUG, "nl80211: Remove beacon (ifindex=%d)",
 -		   drv->ifindex);
 +		   bss->ifindex);
 	link->beacon_set = 0;
 	link->freq = 0;
 	nl80211_put_wiphy_data_ap(bss);
 -	msg = nl80211_drv_msg(drv, 0, NL80211_CMD_DEL_BEACON);
 +	msg = nl80211_bss_msg(bss, 0, NL80211_CMD_DEL_BEACON);
 	if (!msg)
 		return -ENOBUFS;
@@ -6100,7 +6100,7 @@ static void nl80211_teardown_ap(struct i
 		nl80211_mgmt_unsubscribe(bss, "AP teardown");
 	nl80211_put_wiphy_data_ap(bss);
 -	bss->flink->beacon_set = 0;
 +	wpa_driver_nl80211_del_beacon_all(bss);
 }
@@ -8859,8 +8859,6 @@ static int wpa_driver_nl80211_if_remove(
 	} else {
 		wpa_printf(MSG_DEBUG, "nl80211: First BSS - reassign context");
 		nl80211_teardown_ap(bss);
 -		if (!bss->added_if && !drv->first_bss->next)
 -			wpa_driver_nl80211_del_beacon_all(bss);
 		nl80211_destroy_bss(bss);
 		if (!bss->added_if)
 			i802_set_iface_flags(bss, 0);
--- a/feeds/hostapd/hostapd/patches/380-disable_ctrl_iface_mib.patch
+++ b/feeds/hostapd/hostapd/patches/380-disable_ctrl_iface_mib.patch
@@ -0,0 +1,239 @@
 --- a/hostapd/Makefile
 +++ b/hostapd/Makefile
@@ -221,6 +221,9 @@ endif
 ifdef CONFIG_NO_CTRL_IFACE
 CFLAGS += -DCONFIG_NO_CTRL_IFACE
 else
 +ifdef CONFIG_CTRL_IFACE_MIB
 +CFLAGS += -DCONFIG_CTRL_IFACE_MIB
 +endif
 ifeq ($(CONFIG_CTRL_IFACE), udp)
 CFLAGS += -DCONFIG_CTRL_IFACE_UDP
 else
 --- a/hostapd/ctrl_iface.c
 +++ b/hostapd/ctrl_iface.c
@@ -3314,6 +3314,7 @@ static int hostapd_ctrl_iface_receive_pr
 						      reply_size);
 	} else if (os_strcmp(buf, "STATUS-DRIVER") == 0) {
 		reply_len = hostapd_drv_status(hapd, reply, reply_size);
 +#ifdef CONFIG_CTRL_IFACE_MIB
 	} else if (os_strcmp(buf, "MIB") == 0) {
 		reply_len = ieee802_11_get_mib(hapd, reply, reply_size);
 		if (reply_len >= 0) {
@@ -3355,6 +3356,7 @@ static int hostapd_ctrl_iface_receive_pr
 	} else if (os_strncmp(buf, "STA-NEXT ", 9) == 0) {
 		reply_len = hostapd_ctrl_iface_sta_next(hapd, buf + 9, reply,
 							reply_size);
 +#endif
 	} else if (os_strcmp(buf, "ATTACH") == 0) {
 		if (hostapd_ctrl_iface_attach(hapd, from, fromlen, NULL))
 			reply_len = -1;
 --- a/wpa_supplicant/Makefile
 +++ b/wpa_supplicant/Makefile
@@ -983,6 +983,9 @@ ifdef CONFIG_FILS
 OBJS += ../src/ap/fils_hlp.o
 endif
 ifdef CONFIG_CTRL_IFACE
 +ifdef CONFIG_CTRL_IFACE_MIB
 +CFLAGS += -DCONFIG_CTRL_IFACE_MIB
 +endif
 OBJS += ../src/ap/ctrl_iface_ap.o
 endif
 --- a/wpa_supplicant/ctrl_iface.c
 +++ b/wpa_supplicant/ctrl_iface.c
@@ -2326,7 +2326,7 @@ static int wpa_supplicant_ctrl_iface_sta
 			pos += ret;
 		}
 -#ifdef CONFIG_AP
 +#if defined(CONFIG_AP) && defined(CONFIG_CTRL_IFACE_MIB)
 		if (wpa_s->ap_iface) {
 			pos += ap_ctrl_iface_wpa_get_status(wpa_s, pos,
 							    end - pos,
@@ -12087,6 +12087,7 @@ char * wpa_supplicant_ctrl_iface_process
 			reply_len = -1;
 	} else if (os_strncmp(buf, "NOTE ", 5) == 0) {
 		wpa_printf(MSG_INFO, "NOTE: %s", buf + 5);
 +#ifdef CONFIG_CTRL_IFACE_MIB
 	} else if (os_strcmp(buf, "MIB") == 0) {
 		reply_len = wpa_sm_get_mib(wpa_s->wpa, reply, reply_size);
 		if (reply_len >= 0) {
@@ -12099,6 +12100,7 @@ char * wpa_supplicant_ctrl_iface_process
 				reply_size - reply_len);
 #endif /* CONFIG_MACSEC */
 		}
 +#endif
 	} else if (os_strncmp(buf, "STATUS", 6) == 0) {
 		reply_len = wpa_supplicant_ctrl_iface_status(
 			wpa_s, buf + 6, reply, reply_size);
@@ -12587,6 +12589,7 @@ char * wpa_supplicant_ctrl_iface_process
 		reply_len = wpa_supplicant_ctrl_iface_bss(
 			wpa_s, buf + 4, reply, reply_size);
 #ifdef CONFIG_AP
 +#ifdef CONFIG_CTRL_IFACE_MIB
 	} else if (os_strcmp(buf, "STA-FIRST") == 0) {
 		reply_len = ap_ctrl_iface_sta_first(wpa_s, reply, reply_size);
 	} else if (os_strncmp(buf, "STA ", 4) == 0) {
@@ -12595,12 +12598,15 @@ char * wpa_supplicant_ctrl_iface_process
 	} else if (os_strncmp(buf, "STA-NEXT ", 9) == 0) {
 		reply_len = ap_ctrl_iface_sta_next(wpa_s, buf + 9, reply,
 						   reply_size);
 +#endif
 +#ifdef CONFIG_CTRL_IFACE_MIB
 	} else if (os_strncmp(buf, "DEAUTHENTICATE ", 15) == 0) {
 		if (ap_ctrl_iface_sta_deauthenticate(wpa_s, buf + 15))
 			reply_len = -1;
 	} else if (os_strncmp(buf, "DISASSOCIATE ", 13) == 0) {
 		if (ap_ctrl_iface_sta_disassociate(wpa_s, buf + 13))
 			reply_len = -1;
 +#endif
 	} else if (os_strncmp(buf, "CHAN_SWITCH ", 12) == 0) {
 		if (ap_ctrl_iface_chanswitch(wpa_s, buf + 12))
 			reply_len = -1;
 --- a/src/ap/ctrl_iface_ap.c
 +++ b/src/ap/ctrl_iface_ap.c
@@ -26,6 +26,26 @@
 #include "taxonomy.h"
 #include "wnm_ap.h"
 +static const char * hw_mode_str(enum hostapd_hw_mode mode)
 +{
 +	switch (mode) {
 +	case HOSTAPD_MODE_IEEE80211B:
 +		return "b";
 +	case HOSTAPD_MODE_IEEE80211G:
 +		return "g";
 +	case HOSTAPD_MODE_IEEE80211A:
 +		return "a";
 +	case HOSTAPD_MODE_IEEE80211AD:
 +		return "ad";
 +	case HOSTAPD_MODE_IEEE80211ANY:
 +		return "any";
 +	case NUM_HOSTAPD_MODES:
 +		return "invalid";
 +	}
 +	return "unknown";
 +}
 +
 +#ifdef CONFIG_CTRL_IFACE_MIB
 static size_t hostapd_write_ht_mcs_bitmask(char *buf, size_t buflen,
 					   size_t curr_len, const u8 *mcs_set)
@@ -212,26 +232,6 @@ static const char * timeout_next_str(int
 }
 -static const char * hw_mode_str(enum hostapd_hw_mode mode)
 -{
 -	switch (mode) {
 -	case HOSTAPD_MODE_IEEE80211B:
 -		return "b";
 -	case HOSTAPD_MODE_IEEE80211G:
 -		return "g";
 -	case HOSTAPD_MODE_IEEE80211A:
 -		return "a";
 -	case HOSTAPD_MODE_IEEE80211AD:
 -		return "ad";
 -	case HOSTAPD_MODE_IEEE80211ANY:
 -		return "any";
 -	case NUM_HOSTAPD_MODES:
 -		return "invalid";
 -	}
 -	return "unknown";
 -}
 -
 -
 static int hostapd_ctrl_iface_sta_mib(struct hostapd_data *hapd,
 				      struct sta_info *sta,
 				      char *buf, size_t buflen)
@@ -493,6 +493,7 @@ int hostapd_ctrl_iface_sta_next(struct h
 	return hostapd_ctrl_iface_sta_mib(hapd, sta->next, buf, buflen);
 }
 +#endif
 #ifdef CONFIG_P2P_MANAGER
 static int p2p_manager_disconnect(struct hostapd_data *hapd, u16 stype,
@@ -884,12 +885,12 @@ int hostapd_ctrl_iface_status(struct hos
 			return len;
 		len += ret;
 	}
 -
 +#ifdef CONFIG_CTRL_IFACE_MIB
 	if (iface->conf->ieee80211n && !hapd->conf->disable_11n && mode) {
 		len = hostapd_write_ht_mcs_bitmask(buf, buflen, len,
 						   mode->mcs_set);
 	}
 -
 +#endif /* CONFIG_CTRL_IFACE_MIB */
 	if (iface->current_rates && iface->num_rates) {
 		ret = os_snprintf(buf + len, buflen - len, "supported_rates=");
 		if (os_snprintf_error(buflen - len, ret))
 --- a/src/ap/ieee802_1x.c
 +++ b/src/ap/ieee802_1x.c
@@ -2834,6 +2834,7 @@ static const char * bool_txt(bool val)
 	return val ? "TRUE" : "FALSE";
 }
 +#ifdef CONFIG_CTRL_IFACE_MIB
 int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
 {
@@ -3020,6 +3021,7 @@ int ieee802_1x_get_mib_sta(struct hostap
 	return len;
 }
 +#endif
 #ifdef CONFIG_HS20
 static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx)
 --- a/src/ap/wpa_auth.c
 +++ b/src/ap/wpa_auth.c
@@ -5328,6 +5328,7 @@ static const char * wpa_bool_txt(int val
 	return val ? "TRUE" : "FALSE";
 }
 +#ifdef CONFIG_CTRL_IFACE_MIB
 #define RSN_SUITE "%02x-%02x-%02x-%d"
 #define RSN_SUITE_ARG(s) \
@@ -5480,7 +5481,7 @@ int wpa_get_mib_sta(struct wpa_state_mac
 	return len;
 }
 -
 +#endif
 void wpa_auth_countermeasures_start(struct wpa_authenticator *wpa_auth)
 {
 --- a/src/rsn_supp/wpa.c
 +++ b/src/rsn_supp/wpa.c
@@ -3834,6 +3834,8 @@ static u32 wpa_key_mgmt_suite(struct wpa
 }
 +#ifdef CONFIG_CTRL_IFACE_MIB
 +
 #define RSN_SUITE "%02x-%02x-%02x-%d"
 #define RSN_SUITE_ARG(s) \
 ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
@@ -3915,6 +3917,7 @@ int wpa_sm_get_mib(struct wpa_sm *sm, ch
 	return (int) len;
 }
 +#endif
 #endif /* CONFIG_CTRL_IFACE */
 --- a/wpa_supplicant/ap.c
 +++ b/wpa_supplicant/ap.c
@@ -1499,7 +1499,7 @@ int wpas_ap_wps_nfc_report_handover(stru
 #endif /* CONFIG_WPS */
 -#ifdef CONFIG_CTRL_IFACE
 +#if defined(CONFIG_CTRL_IFACE) && defined(CONFIG_CTRL_IFACE_MIB)
 int ap_ctrl_iface_sta_first(struct wpa_supplicant *wpa_s,
 			    char *buf, size_t buflen)
--- a/feeds/hostapd/hostapd/patches/381-hostapd_cli_UNKNOWN-COMMAND.patch
+++ b/feeds/hostapd/hostapd/patches/381-hostapd_cli_UNKNOWN-COMMAND.patch
@@ -0,0 +1,11 @@
 --- a/hostapd/hostapd_cli.c
 +++ b/hostapd/hostapd_cli.c
@@ -757,7 +757,7 @@ static int wpa_ctrl_command_sta(struct w
 	}
 	buf[len] = '\0';
 -	if (memcmp(buf, "FAIL", 4) == 0)
 +	if (memcmp(buf, "FAIL", 4) == 0 || memcmp(buf, "UNKNOWN COMMAND", 15) == 0)
 		return -1;
 	if (print)
 		printf("%s", buf);
--- a/feeds/hostapd/hostapd/patches/390-wpa_ie_cap_workaround.patch
+++ b/feeds/hostapd/hostapd/patches/390-wpa_ie_cap_workaround.patch
@@ -0,0 +1,56 @@
 --- a/src/common/wpa_common.c
 +++ b/src/common/wpa_common.c
@@ -2841,6 +2841,31 @@ u32 wpa_akm_to_suite(int akm)
 }
 +static void wpa_fixup_wpa_ie_rsn(u8 *assoc_ie, const u8 *wpa_msg_ie,
 +				 size_t rsn_ie_len)
 +{
 +	int pos, count;
 +
 +	pos = sizeof(struct rsn_ie_hdr) + RSN_SELECTOR_LEN;
 +	if (rsn_ie_len < pos + 2)
 +		return;
 +
 +	count = WPA_GET_LE16(wpa_msg_ie + pos);
 +	pos += 2 + count * RSN_SELECTOR_LEN;
 +	if (rsn_ie_len < pos + 2)
 +		return;
 +
 +	count = WPA_GET_LE16(wpa_msg_ie + pos);
 +	pos += 2 + count * RSN_SELECTOR_LEN;
 +	if (rsn_ie_len < pos + 2)
 +		return;
 +
 +	if (!assoc_ie[pos] && !assoc_ie[pos + 1] &&
 +	    (wpa_msg_ie[pos] || wpa_msg_ie[pos + 1]))
 +		memcpy(&assoc_ie[pos], &wpa_msg_ie[pos], 2);
 +}
 +
 +
 int wpa_compare_rsn_ie(int ft_initial_assoc,
 		       const u8 *ie1, size_t ie1len,
 		       const u8 *ie2, size_t ie2len)
@@ -2848,8 +2873,19 @@ int wpa_compare_rsn_ie(int ft_initial_as
 	if (ie1 == NULL || ie2 == NULL)
 		return -1;
 -	if (ie1len == ie2len && os_memcmp(ie1, ie2, ie1len) == 0)
 -		return 0; /* identical IEs */
 +	if (ie1len == ie2len) {
 +		u8 *ie_tmp;
 +
 +		if (os_memcmp(ie1, ie2, ie1len) == 0)
 +			return 0; /* identical IEs */
 +
 +		ie_tmp = alloca(ie1len);
 +		memcpy(ie_tmp, ie1, ie1len);
 +		wpa_fixup_wpa_ie_rsn(ie_tmp, ie2, ie1len);
 +
 +		if (os_memcmp(ie_tmp, ie2, ie1len) == 0)
 +			return 0; /* only mismatch in RSN capabilties */
 +	}
 #ifdef CONFIG_IEEE80211R
 	if (ft_initial_assoc) {
--- a/feeds/hostapd/hostapd/patches/400-wps_single_auth_enc_type.patch
+++ b/feeds/hostapd/hostapd/patches/400-wps_single_auth_enc_type.patch
@@ -0,0 +1,23 @@
 --- a/src/ap/wps_hostapd.c
 +++ b/src/ap/wps_hostapd.c
@@ -394,9 +394,8 @@ static int hapd_wps_reconfig_in_memory(s
 				bss->wpa_pairwise |= WPA_CIPHER_GCMP;
 			else
 				bss->wpa_pairwise |= WPA_CIPHER_CCMP;
 -		}
 #ifndef CONFIG_NO_TKIP
 -		if (cred->encr_type & WPS_ENCR_TKIP)
 +		} else if (cred->encr_type & WPS_ENCR_TKIP)
 			bss->wpa_pairwise |= WPA_CIPHER_TKIP;
 #endif /* CONFIG_NO_TKIP */
 		bss->rsn_pairwise = bss->wpa_pairwise;
@@ -1181,8 +1180,7 @@ int hostapd_init_wps(struct hostapd_data
 					  WPA_CIPHER_GCMP_256)) {
 			wps->encr_types |= WPS_ENCR_AES;
 			wps->encr_types_rsn |= WPS_ENCR_AES;
 -		}
 -		if (conf->rsn_pairwise & WPA_CIPHER_TKIP) {
 +		} else if (conf->rsn_pairwise & WPA_CIPHER_TKIP) {
 #ifdef CONFIG_NO_TKIP
 			wpa_printf(MSG_INFO, "WPS: TKIP not supported");
 			goto fail;
--- a/feeds/hostapd/hostapd/patches/410-limit_debug_messages.patch
+++ b/feeds/hostapd/hostapd/patches/410-limit_debug_messages.patch
@@ -0,0 +1,210 @@
 --- a/src/utils/wpa_debug.c
 +++ b/src/utils/wpa_debug.c
@@ -206,7 +206,7 @@ void wpa_debug_close_linux_tracing(void)
  *
  * Note: New line '\n' is added to the end of the text when printing to stdout.
  */
 -void wpa_printf(int level, const char *fmt, ...)
 +void _wpa_printf(int level, const char *fmt, ...)
 {
 	va_list ap;
@@ -255,7 +255,7 @@ void wpa_printf(int level, const char *f
 }
 -static void _wpa_hexdump(int level, const char *title, const u8 *buf,
 +void _wpa_hexdump(int level, const char *title, const u8 *buf,
 			 size_t len, int show, int only_syslog)
 {
 	size_t i;
@@ -382,19 +382,7 @@ static void _wpa_hexdump(int level, cons
 #endif /* CONFIG_ANDROID_LOG */
 }
 -void wpa_hexdump(int level, const char *title, const void *buf, size_t len)
 -{
 -	_wpa_hexdump(level, title, buf, len, 1, 0);
 -}
 -
 -
 -void wpa_hexdump_key(int level, const char *title, const void *buf, size_t len)
 -{
 -	_wpa_hexdump(level, title, buf, len, wpa_debug_show_keys, 0);
 -}
 -
 -
 -static void _wpa_hexdump_ascii(int level, const char *title, const void *buf,
 +void _wpa_hexdump_ascii(int level, const char *title, const void *buf,
 			       size_t len, int show)
 {
 	size_t i, llen;
@@ -507,20 +495,6 @@ file_done:
 }
 -void wpa_hexdump_ascii(int level, const char *title, const void *buf,
 -		       size_t len)
 -{
 -	_wpa_hexdump_ascii(level, title, buf, len, 1);
 -}
 -
 -
 -void wpa_hexdump_ascii_key(int level, const char *title, const void *buf,
 -			   size_t len)
 -{
 -	_wpa_hexdump_ascii(level, title, buf, len, wpa_debug_show_keys);
 -}
 -
 -
 #ifdef CONFIG_DEBUG_FILE
 static char *last_path = NULL;
 #endif /* CONFIG_DEBUG_FILE */
@@ -644,7 +618,7 @@ void wpa_msg_register_ifname_cb(wpa_msg_
 }
 -void wpa_msg(void *ctx, int level, const char *fmt, ...)
 +void _wpa_msg(void *ctx, int level, const char *fmt, ...)
 {
 	va_list ap;
 	char *buf;
@@ -682,7 +656,7 @@ void wpa_msg(void *ctx, int level, const
 }
 -void wpa_msg_ctrl(void *ctx, int level, const char *fmt, ...)
 +void _wpa_msg_ctrl(void *ctx, int level, const char *fmt, ...)
 {
 	va_list ap;
 	char *buf;
 --- a/src/utils/wpa_debug.h
 +++ b/src/utils/wpa_debug.h
@@ -51,6 +51,17 @@ void wpa_debug_close_file(void);
 void wpa_debug_setup_stdout(void);
 void wpa_debug_stop_log(void);
 +/* internal */
 +void _wpa_hexdump(int level, const char *title, const u8 *buf,
 +		  size_t len, int show, int only_syslog);
 +void _wpa_hexdump_ascii(int level, const char *title, const void *buf,
 +			size_t len, int show);
 +extern int wpa_debug_show_keys;
 +
 +#ifndef CONFIG_MSG_MIN_PRIORITY
 +#define CONFIG_MSG_MIN_PRIORITY 0
 +#endif
 +
 /**
  * wpa_debug_printf_timestamp - Print timestamp for debug output
  *
@@ -71,9 +82,15 @@ void wpa_debug_print_timestamp(void);
  *
  * Note: New line '\n' is added to the end of the text when printing to stdout.
  */
 -void wpa_printf(int level, const char *fmt, ...)
 +void _wpa_printf(int level, const char *fmt, ...)
 PRINTF_FORMAT(2, 3);
 +#define wpa_printf(level, ...)						\
 +	do {								\
 +		if (level >= CONFIG_MSG_MIN_PRIORITY)			\
 +			_wpa_printf(level, __VA_ARGS__);		\
 +	} while(0)
 +
 /**
  * wpa_hexdump - conditional hex dump
  * @level: priority level (MSG_*) of the message
@@ -85,7 +102,13 @@ PRINTF_FORMAT(2, 3);
  * output may be directed to stdout, stderr, and/or syslog based on
  * configuration. The contents of buf is printed out has hex dump.
  */
 -void wpa_hexdump(int level, const char *title, const void *buf, size_t len);
 +static inline void wpa_hexdump(int level, const char *title, const void *buf, size_t len)
 +{
 +	if (level < CONFIG_MSG_MIN_PRIORITY)
 +		return;
 +
 +	_wpa_hexdump(level, title, buf, len, 1, 1);
 +}
 static inline void wpa_hexdump_buf(int level, const char *title,
 				   const struct wpabuf *buf)
@@ -107,7 +130,13 @@ static inline void wpa_hexdump_buf(int l
  * like wpa_hexdump(), but by default, does not include secret keys (passwords,
  * etc.) in debug output.
  */
 -void wpa_hexdump_key(int level, const char *title, const void *buf, size_t len);
 +static inline void wpa_hexdump_key(int level, const char *title, const u8 *buf, size_t len)
 +{
 +	if (level < CONFIG_MSG_MIN_PRIORITY)
 +		return;
 +
 +	_wpa_hexdump(level, title, buf, len, wpa_debug_show_keys, 1);
 +}
 static inline void wpa_hexdump_buf_key(int level, const char *title,
 				       const struct wpabuf *buf)
@@ -129,8 +158,14 @@ static inline void wpa_hexdump_buf_key(i
  * the hex numbers and ASCII characters (for printable range) are shown. 16
  * bytes per line will be shown.
  */
 -void wpa_hexdump_ascii(int level, const char *title, const void *buf,
 -		       size_t len);
 +static inline void wpa_hexdump_ascii(int level, const char *title,
 +				     const u8 *buf, size_t len)
 +{
 +	if (level < CONFIG_MSG_MIN_PRIORITY)
 +		return;
 +
 +	_wpa_hexdump_ascii(level, title, buf, len, 1);
 +}
 /**
  * wpa_hexdump_ascii_key - conditional hex dump, hide keys
@@ -146,8 +181,14 @@ void wpa_hexdump_ascii(int level, const
  * bytes per line will be shown. This works like wpa_hexdump_ascii(), but by
  * default, does not include secret keys (passwords, etc.) in debug output.
  */
 -void wpa_hexdump_ascii_key(int level, const char *title, const void *buf,
 -			   size_t len);
 +static inline void wpa_hexdump_ascii_key(int level, const char *title,
 +					 const u8 *buf, size_t len)
 +{
 +	if (level < CONFIG_MSG_MIN_PRIORITY)
 +		return;
 +
 +	_wpa_hexdump_ascii(level, title, buf, len, wpa_debug_show_keys);
 +}
 /*
  * wpa_dbg() behaves like wpa_msg(), but it can be removed from build to reduce
@@ -184,7 +225,12 @@ void wpa_hexdump_ascii_key(int level, co
  *
  * Note: New line '\n' is added to the end of the text when printing to stdout.
  */
 -void wpa_msg(void *ctx, int level, const char *fmt, ...) PRINTF_FORMAT(3, 4);
 +void _wpa_msg(void *ctx, int level, const char *fmt, ...) PRINTF_FORMAT(3, 4);
 +#define wpa_msg(ctx, level, ...)					\
 +	do {								\
 +		if (level >= CONFIG_MSG_MIN_PRIORITY)			\
 +			_wpa_msg(ctx, level, __VA_ARGS__);		\
 +	} while(0)
 /**
  * wpa_msg_ctrl - Conditional printf for ctrl_iface monitors
@@ -198,8 +244,13 @@ void wpa_msg(void *ctx, int level, const
  * attached ctrl_iface monitors. In other words, it can be used for frequent
  * events that do not need to be sent to syslog.
  */
 -void wpa_msg_ctrl(void *ctx, int level, const char *fmt, ...)
 +void _wpa_msg_ctrl(void *ctx, int level, const char *fmt, ...)
 PRINTF_FORMAT(3, 4);
 +#define wpa_msg_ctrl(ctx, level, ...)					\
 +	do {								\
 +		if (level >= CONFIG_MSG_MIN_PRIORITY)			\
 +			_wpa_msg_ctrl(ctx, level, __VA_ARGS__);		\
 +	} while(0)
 /**
  * wpa_msg_global - Global printf for ctrl_iface monitors
--- a/feeds/hostapd/hostapd/patches/420-indicate-features.patch
+++ b/feeds/hostapd/hostapd/patches/420-indicate-features.patch
@@ -0,0 +1,63 @@
 --- a/hostapd/main.c
 +++ b/hostapd/main.c
@@ -31,7 +31,7 @@
 #include "config_file.h"
 #include "eap_register.h"
 #include "ctrl_iface.h"
 -
 +#include "build_features.h"
 struct hapd_global {
 	void **drv_priv;
@@ -799,7 +799,7 @@ int main(int argc, char *argv[])
 	wpa_supplicant_event = hostapd_wpa_event;
 	wpa_supplicant_event_global = hostapd_wpa_event_global;
 	for (;;) {
 -		c = getopt(argc, argv, "b:Bde:f:hi:KP:sSTtu:vg:G:q");
 +		c = getopt(argc, argv, "b:Bde:f:hi:KP:sSTtu:g:G:qv::");
 		if (c < 0)
 			break;
 		switch (c) {
@@ -836,6 +836,8 @@ int main(int argc, char *argv[])
 			break;
 #endif /* CONFIG_DEBUG_LINUX_TRACING */
 		case 'v':
 +			if (optarg)
 +				exit(!has_feature(optarg));
 			show_version();
 			exit(1);
 		case 'g':
 --- a/wpa_supplicant/main.c
 +++ b/wpa_supplicant/main.c
@@ -12,6 +12,7 @@
 #endif /* __linux__ */
 #include "common.h"
 +#include "build_features.h"
 #include "crypto/crypto.h"
 #include "fst/fst.h"
 #include "wpa_supplicant_i.h"
@@ -202,7 +203,7 @@ int main(int argc, char *argv[])
 	for (;;) {
 		c = getopt(argc, argv,
 -			   "b:Bc:C:D:de:f:g:G:hi:I:KLMm:No:O:p:P:qsTtuvW");
 +			   "b:Bc:C:D:de:f:g:G:hi:I:KLMm:No:O:p:P:qsTtuv::W");
 		if (c < 0)
 			break;
 		switch (c) {
@@ -302,8 +303,12 @@ int main(int argc, char *argv[])
 			break;
 #endif /* CONFIG_CTRL_IFACE_DBUS_NEW */
 		case 'v':
 -			printf("%s\n", wpa_supplicant_version);
 -			exitcode = 0;
 +			if (optarg) {
 +				exitcode = !has_feature(optarg);
 +			} else {
 +				printf("%s\n", wpa_supplicant_version);
 +				exitcode = 0;
 +			}
 			goto out;
 		case 'W':
 			params.wait_for_monitor++;
--- a/feeds/hostapd/hostapd/patches/430-hostapd_cli_ifdef.patch
+++ b/feeds/hostapd/hostapd/patches/430-hostapd_cli_ifdef.patch
@@ -0,0 +1,56 @@
 --- a/hostapd/hostapd_cli.c
 +++ b/hostapd/hostapd_cli.c
@@ -401,7 +401,6 @@ static int hostapd_cli_cmd_disassociate(
 }
 -#ifdef CONFIG_TAXONOMY
 static int hostapd_cli_cmd_signature(struct wpa_ctrl *ctrl, int argc,
 				     char *argv[])
 {
@@ -414,7 +413,6 @@ static int hostapd_cli_cmd_signature(str
 	os_snprintf(buf, sizeof(buf), "SIGNATURE %s", argv[0]);
 	return wpa_ctrl_command(ctrl, buf);
 }
 -#endif /* CONFIG_TAXONOMY */
 static int hostapd_cli_cmd_sa_query(struct wpa_ctrl *ctrl, int argc,
@@ -431,7 +429,6 @@ static int hostapd_cli_cmd_sa_query(stru
 }
 -#ifdef CONFIG_WPS
 static int hostapd_cli_cmd_wps_pin(struct wpa_ctrl *ctrl, int argc,
 				   char *argv[])
 {
@@ -657,7 +654,6 @@ static int hostapd_cli_cmd_wps_config(st
 			 ssid_hex, argv[1]);
 	return wpa_ctrl_command(ctrl, buf);
 }
 -#endif /* CONFIG_WPS */
 static int hostapd_cli_cmd_disassoc_imminent(struct wpa_ctrl *ctrl, int argc,
@@ -1610,13 +1606,10 @@ static const struct hostapd_cli_cmd host
 	{ "disassociate", hostapd_cli_cmd_disassociate,
 	  hostapd_complete_stations,
 	  "<addr> = disassociate a station" },
 -#ifdef CONFIG_TAXONOMY
 	{ "signature", hostapd_cli_cmd_signature, hostapd_complete_stations,
 	  "<addr> = get taxonomy signature for a station" },
 -#endif /* CONFIG_TAXONOMY */
 	{ "sa_query", hostapd_cli_cmd_sa_query, hostapd_complete_stations,
 	  "<addr> = send SA Query to a station" },
 -#ifdef CONFIG_WPS
 	{ "wps_pin", hostapd_cli_cmd_wps_pin, NULL,
 	  "<uuid> <pin> [timeout] [addr] = add WPS Enrollee PIN" },
 	{ "wps_check_pin", hostapd_cli_cmd_wps_check_pin, NULL,
@@ -1641,7 +1634,6 @@ static const struct hostapd_cli_cmd host
 	  "<SSID> <auth> <encr> <key> = configure AP" },
 	{ "wps_get_status", hostapd_cli_cmd_wps_get_status, NULL,
 	  "= show current WPS status" },
 -#endif /* CONFIG_WPS */
 	{ "disassoc_imminent", hostapd_cli_cmd_disassoc_imminent, NULL,
 	  "= send Disassociation Imminent notification" },
 	{ "ess_disassoc", hostapd_cli_cmd_ess_disassoc, NULL,
--- a/feeds/hostapd/hostapd/patches/431-wpa_cli_ifdef.patch
+++ b/feeds/hostapd/hostapd/patches/431-wpa_cli_ifdef.patch
--- a/feeds/hostapd/hostapd/patches/460-wpa_supplicant-add-new-config-params-to-be-used-with.patch
+++ b/feeds/hostapd/hostapd/patches/460-wpa_supplicant-add-new-config-params-to-be-used-with.patch
@@ -0,0 +1,189 @@
 From 4bb69d15477e0f2b00e166845341dc933de47c58 Mon Sep 17 00:00:00 2001
 From: Antonio Quartulli <ordex@autistici.org>
 Date: Sun, 3 Jun 2012 18:22:56 +0200
 Subject: [PATCHv2 601/602] wpa_supplicant: add new config params to be used
 with the ibss join command
 Signed-hostap: Antonio Quartulli <ordex@autistici.org>
 ---
 src/drivers/driver.h            |    6 +++
 wpa_supplicant/config.c         |   96 +++++++++++++++++++++++++++++++++++++++
 wpa_supplicant/config_ssid.h    |    6 +++
 wpa_supplicant/wpa_supplicant.c |   23 +++++++---
 4 files changed, 124 insertions(+), 7 deletions(-)
 --- a/src/drivers/driver.h
 +++ b/src/drivers/driver.h
@@ -19,6 +19,7 @@
 #define WPA_SUPPLICANT_DRIVER_VERSION 4
 +#include "ap/sta_info.h"
 #include "common/defs.h"
 #include "common/ieee802_11_defs.h"
 #include "common/wpa_common.h"
@@ -953,6 +954,9 @@ struct wpa_driver_associate_params {
 	 * responsible for selecting with which BSS to associate. */
 	const u8 *bssid;
 +	unsigned char rates[WLAN_SUPP_RATES_MAX];
 +	int mcast_rate;
 +
 	/**
 	 * bssid_hint - BSSID of a proposed AP
 	 *
 --- a/wpa_supplicant/config.c
 +++ b/wpa_supplicant/config.c
@@ -18,6 +18,7 @@
 #include "eap_peer/eap.h"
 #include "p2p/p2p.h"
 #include "fst/fst.h"
 +#include "ap/sta_info.h"
 #include "config.h"
@@ -2389,6 +2390,97 @@ static char * wpa_config_write_mac_value
 #endif /* NO_CONFIG_WRITE */
 +static int wpa_config_parse_mcast_rate(const struct parse_data *data,
 +				       struct wpa_ssid *ssid, int line,
 +				       const char *value)
 +{
 +	ssid->mcast_rate = (int)(strtod(value, NULL) * 10);
 +
 +	return 0;
 +}
 +
 +#ifndef NO_CONFIG_WRITE
 +static char * wpa_config_write_mcast_rate(const struct parse_data *data,
 +					  struct wpa_ssid *ssid)
 +{
 +	char *value;
 +	int res;
 +
 +	if (!ssid->mcast_rate == 0)
 +		return NULL;
 +
 +	value = os_malloc(6); /* longest: 300.0 */
 +	if (value == NULL)
 +		return NULL;
 +	res = os_snprintf(value, 5, "%.1f", (double)ssid->mcast_rate / 10);
 +	if (res < 0) {
 +		os_free(value);
 +		return NULL;
 +	}
 +	return value;
 +}
 +#endif /* NO_CONFIG_WRITE */
 +
 +static int wpa_config_parse_rates(const struct parse_data *data,
 +				  struct wpa_ssid *ssid, int line,
 +				  const char *value)
 +{
 +	int i;
 +	char *pos, *r, *sptr, *end;
 +	double rate;
 +
 +	pos = (char *)value;
 +	r = strtok_r(pos, ",", &sptr);
 +	i = 0;
 +	while (pos && i < WLAN_SUPP_RATES_MAX) {
 +		rate = 0.0;
 +		if (r)
 +			rate = strtod(r, &end);
 +		ssid->rates[i] = rate * 2;
 +		if (*end != '\0' || rate * 2 != ssid->rates[i])
 +			return 1;
 +
 +		i++;
 +		r = strtok_r(NULL, ",", &sptr);
 +	}
 +
 +	return 0;
 +}
 +
 +#ifndef NO_CONFIG_WRITE
 +static char * wpa_config_write_rates(const struct parse_data *data,
 +				     struct wpa_ssid *ssid)
 +{
 +	char *value, *pos;
 +	int res, i;
 +
 +	if (ssid->rates[0] <= 0)
 +		return NULL;
 +
 +	value = os_malloc(6 * WLAN_SUPP_RATES_MAX + 1);
 +	if (value == NULL)
 +		return NULL;
 +	pos = value;
 +	for (i = 0; i < WLAN_SUPP_RATES_MAX - 1; i++) {
 +		res = os_snprintf(pos, 6, "%.1f,", (double)ssid->rates[i] / 2);
 +		if (res < 0) {
 +			os_free(value);
 +			return NULL;
 +		}
 +		pos += res;
 +	}
 +	res = os_snprintf(pos, 6, "%.1f",
 +			  (double)ssid->rates[WLAN_SUPP_RATES_MAX - 1] / 2);
 +	if (res < 0) {
 +		os_free(value);
 +		return NULL;
 +	}
 +
 +	value[6 * WLAN_SUPP_RATES_MAX] = '\0';
 +	return value;
 +}
 +#endif /* NO_CONFIG_WRITE */
 +
 /* Helper macros for network block parser */
 #ifdef OFFSET
@@ -2674,6 +2766,8 @@ static const struct parse_data ssid_fiel
 	{ INT(ap_max_inactivity) },
 	{ INT(dtim_period) },
 	{ INT(beacon_int) },
 +	{ FUNC(rates) },
 +	{ FUNC(mcast_rate) },
 #ifdef CONFIG_MACSEC
 	{ INT_RANGE(macsec_policy, 0, 1) },
 	{ INT_RANGE(macsec_integ_only, 0, 1) },
 --- a/wpa_supplicant/config_ssid.h
 +++ b/wpa_supplicant/config_ssid.h
@@ -10,8 +10,10 @@
 #define CONFIG_SSID_H
 #include "common/defs.h"
 +#include "ap/sta_info.h"
 #include "utils/list.h"
 #include "eap_peer/eap_config.h"
 +#include "drivers/nl80211_copy.h"
 #define DEFAULT_EAP_WORKAROUND ((unsigned int) -1)
@@ -879,6 +881,9 @@ struct wpa_ssid {
 	 */
 	void *parent_cred;
 +	unsigned char rates[WLAN_SUPP_RATES_MAX];
 +	double mcast_rate;
 +
 #ifdef CONFIG_MACSEC
 	/**
 	 * macsec_policy - Determines the policy for MACsec secure session
 --- a/wpa_supplicant/wpa_supplicant.c
 +++ b/wpa_supplicant/wpa_supplicant.c
@@ -4175,6 +4175,12 @@ static void wpas_start_assoc_cb(struct w
 			params.beacon_int = ssid->beacon_int;
 		else
 			params.beacon_int = wpa_s->conf->beacon_int;
 +		int i = 0;
 +		while (i < WLAN_SUPP_RATES_MAX) {
 +			params.rates[i] = ssid->rates[i];
 +			i++;
 +		}
 +		params.mcast_rate = ssid->mcast_rate;
 	}
 	if (bss && ssid->enable_edmg)
--- a/feeds/hostapd/hostapd/patches/463-add-mcast_rate-to-11s.patch
+++ b/feeds/hostapd/hostapd/patches/463-add-mcast_rate-to-11s.patch
@@ -0,0 +1,68 @@
 From: Sven Eckelmann <sven.eckelmann@openmesh.com>
 Date: Thu, 11 May 2017 08:21:45 +0200
 Subject: [PATCH] set mcast_rate in mesh mode
 The wpa_supplicant code for IBSS allows to set the mcast rate. It is
 recommended to increase this value from 1 or 6 Mbit/s to something higher
 when using a mesh protocol on top which uses the multicast packet loss as
 indicator for the link quality.
 This setting was unfortunately not applied for mesh mode. But it would be
 beneficial when wpa_supplicant would behave similar to IBSS mode and set
 this argument during mesh join like authsae already does. At least it is
 helpful for companies/projects which are currently switching to 802.11s
 (without mesh_fwding and with mesh_ttl set to 1) as replacement for IBSS
 because newer drivers seem to support 802.11s but not IBSS anymore.
 Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
 Tested-by: Simon Wunderlich <simon.wunderlich@openmesh.com>
 --- a/src/drivers/driver.h
 +++ b/src/drivers/driver.h
@@ -1827,6 +1827,7 @@ struct wpa_driver_mesh_join_params {
 #define WPA_DRIVER_MESH_FLAG_AMPE	0x00000008
 	unsigned int flags;
 	bool handle_dfs;
 +	int mcast_rate;
 };
 struct wpa_driver_set_key_params {
 --- a/src/drivers/driver_nl80211.c
 +++ b/src/drivers/driver_nl80211.c
@@ -11667,6 +11667,18 @@ static int nl80211_put_mesh_id(struct nl
 }
 +static int nl80211_put_mcast_rate(struct nl_msg *msg, int mcast_rate)
 +{
 +	if (mcast_rate > 0) {
 +		wpa_printf(MSG_DEBUG, "  * mcast_rate=%.1f",
 +			   (double)mcast_rate / 10);
 +		return nla_put_u32(msg, NL80211_ATTR_MCAST_RATE, mcast_rate);
 +	}
 +
 +	return 0;
 +}
 +
 +
 static int nl80211_put_mesh_config(struct nl_msg *msg,
 				   struct wpa_driver_mesh_bss_params *params)
 {
@@ -11728,6 +11740,7 @@ static int nl80211_join_mesh(struct i802
 	    nl80211_put_basic_rates(msg, params->basic_rates) ||
 	    nl80211_put_mesh_id(msg, params->meshid, params->meshid_len) ||
 	    nl80211_put_beacon_int(msg, params->beacon_int) ||
 +	    nl80211_put_mcast_rate(msg, params->mcast_rate) ||
 	    nl80211_put_dtim_period(msg, params->dtim_period))
 		goto fail;
 --- a/wpa_supplicant/mesh.c
 +++ b/wpa_supplicant/mesh.c
@@ -632,6 +632,7 @@ int wpa_supplicant_join_mesh(struct wpa_
 	params->meshid = ssid->ssid;
 	params->meshid_len = ssid->ssid_len;
 +	params->mcast_rate = ssid->mcast_rate;
 	ibss_mesh_setup_freq(wpa_s, ssid, &params->freq);
 	wpa_s->mesh_ht_enabled = !!params->freq.ht_enabled;
 	wpa_s->mesh_vht_enabled = !!params->freq.vht_enabled;
--- a/feeds/hostapd/hostapd/patches/464-fix-mesh-obss-check.patch
+++ b/feeds/hostapd/hostapd/patches/464-fix-mesh-obss-check.patch
@@ -0,0 +1,13 @@
 --- a/wpa_supplicant/wpa_supplicant.c
 +++ b/wpa_supplicant/wpa_supplicant.c
@@ -3040,6 +3040,10 @@ void ibss_mesh_setup_freq(struct wpa_sup
 	freq->freq = ssid->frequency;
 +	if (ssid->fixed_freq) {
 +		obss_scan = 0;
 +	}
 +
 	if (ssid->mode == WPAS_MODE_IBSS && !ssid->fixed_freq) {
 		struct wpa_bss *bss = ibss_find_existing_bss(wpa_s, ssid);
--- a/feeds/hostapd/hostapd/patches/465-hostapd-config-support-random-BSS-color.patch
+++ b/feeds/hostapd/hostapd/patches/465-hostapd-config-support-random-BSS-color.patch
@@ -0,0 +1,24 @@
 From c9304d3303d563ad6d2619f4e07864ed12f96889 Mon Sep 17 00:00:00 2001
 From: David Bauer <mail@david-bauer.net>
 Date: Sat, 14 May 2022 21:41:03 +0200
 Subject: [PATCH] hostapd: config: support random BSS color
 Configure the HE BSS color to a random value in case the config defines
 a BSS color which exceeds the max BSS color (63).
 Signed-off-by: David Bauer <mail@david-bauer.net>
 ---
 hostapd/config_file.c | 2 ++
 1 file changed, 2 insertions(+)
 --- a/hostapd/config_file.c
 +++ b/hostapd/config_file.c
@@ -3500,6 +3500,8 @@ static int hostapd_config_fill(struct ho
 	} else if (os_strcmp(buf, "he_bss_color") == 0) {
 		conf->he_op.he_bss_color = atoi(pos) & 0x3f;
 		conf->he_op.he_bss_color_disabled = 0;
 +		if (atoi(pos) > 63)
 +			conf->he_op.he_bss_color = os_random() % 63 + 1;
 	} else if (os_strcmp(buf, "he_bss_color_partial") == 0) {
 		conf->he_op.he_bss_color_partial = atoi(pos);
 	} else if (os_strcmp(buf, "he_default_pe_duration") == 0) {
--- a/feeds/hostapd/hostapd/patches/470-survey_data_fallback.patch
+++ b/feeds/hostapd/hostapd/patches/470-survey_data_fallback.patch
@@ -0,0 +1,30 @@
 --- a/src/ap/acs.c
 +++ b/src/ap/acs.c
@@ -455,17 +455,17 @@ static int acs_get_bw_center_chan(int fr
 static int acs_survey_is_sufficient(struct freq_survey *survey)
 {
 	if (!(survey->filled & SURVEY_HAS_NF)) {
 +		survey->nf = -95;
 		wpa_printf(MSG_INFO,
 			   "ACS: Survey for freq %d is missing noise floor",
 			   survey->freq);
 -		return 0;
 	}
 	if (!(survey->filled & SURVEY_HAS_CHAN_TIME)) {
 +		survey->channel_time = 0;
 		wpa_printf(MSG_INFO,
 			   "ACS: Survey for freq %d is missing channel time",
 			   survey->freq);
 -		return 0;
 	}
 	if (!(survey->filled & SURVEY_HAS_CHAN_TIME_BUSY) &&
@@ -473,7 +473,6 @@ static int acs_survey_is_sufficient(stru
 		wpa_printf(MSG_INFO,
 			   "ACS: Survey for freq %d is missing RX and busy time (at least one is required)",
 			   survey->freq);
 -		return 0;
 	}
 	return 1;
--- a/feeds/hostapd/hostapd/patches/500-lto-jobserver-support.patch
+++ b/feeds/hostapd/hostapd/patches/500-lto-jobserver-support.patch
@@ -0,0 +1,59 @@
 --- a/hostapd/Makefile
 +++ b/hostapd/Makefile
@@ -1396,7 +1396,7 @@ hostapd_multi.a: $(BCHECK) $(OBJS)
 	@$(AR) cr $@ hostapd_multi.o $(OBJS)
 hostapd: $(OBJS)
 -	$(Q)$(CC) $(LDFLAGS) -o hostapd $(OBJS) $(LIBS)
 +	+$(Q)$(CC) $(LDFLAGS) -o hostapd $(OBJS) $(LIBS)
 	@$(E) "  LD " $@
 ifdef CONFIG_WPA_TRACE
@@ -1407,7 +1407,7 @@ _OBJS_VAR := OBJS_c
 include ../src/objs.mk
 hostapd_cli: $(OBJS_c)
 -	$(Q)$(CC) $(LDFLAGS) -o hostapd_cli $(OBJS_c) $(LIBS_c)
 +	+$(Q)$(CC) $(LDFLAGS) -o hostapd_cli $(OBJS_c) $(LIBS_c)
 	@$(E) "  LD " $@
 NOBJS = nt_password_hash.o ../src/crypto/ms_funcs.o $(SHA1OBJS)
 --- a/wpa_supplicant/Makefile
 +++ b/wpa_supplicant/Makefile
@@ -2037,31 +2037,31 @@ wpa_supplicant_multi.a: .config $(BCHECK
 	@$(AR) cr $@ wpa_supplicant_multi.o $(OBJS)
 wpa_supplicant: $(BCHECK) $(OBJS) $(EXTRA_progs)
 -	$(Q)$(LDO) $(LDFLAGS) -o wpa_supplicant $(OBJS) $(LIBS) $(EXTRALIBS)
 +	+$(Q)$(LDO) $(LDFLAGS) -o wpa_supplicant $(OBJS) $(LIBS) $(EXTRALIBS)
 	@$(E) "  LD " $@
 _OBJS_VAR := OBJS_t
 include ../src/objs.mk
 eapol_test: $(OBJS_t)
 -	$(Q)$(LDO) $(LDFLAGS) -o eapol_test $(OBJS_t) $(LIBS)
 +	+$(Q)$(LDO) $(LDFLAGS) -o eapol_test $(OBJS_t) $(LIBS)
 	@$(E) "  LD " $@
 _OBJS_VAR := OBJS_t2
 include ../src/objs.mk
 preauth_test: $(OBJS_t2)
 -	$(Q)$(LDO) $(LDFLAGS) -o preauth_test $(OBJS_t2) $(LIBS)
 +	+$(Q)$(LDO) $(LDFLAGS) -o preauth_test $(OBJS_t2) $(LIBS)
 	@$(E) "  LD " $@
 _OBJS_VAR := OBJS_p
 include ../src/objs.mk
 wpa_passphrase: $(OBJS_p)
 -	$(Q)$(LDO) $(LDFLAGS) -o wpa_passphrase $(OBJS_p) $(LIBS_p) $(LIBS)
 +	+$(Q)$(LDO) $(LDFLAGS) -o wpa_passphrase $(OBJS_p) $(LIBS_p) $(LIBS)
 	@$(E) "  LD " $@
 _OBJS_VAR := OBJS_c
 include ../src/objs.mk
 wpa_cli: $(OBJS_c)
 -	$(Q)$(LDO) $(LDFLAGS) -o wpa_cli $(OBJS_c) $(LIBS_c)
 +	+$(Q)$(LDO) $(LDFLAGS) -o wpa_cli $(OBJS_c) $(LIBS_c)
 	@$(E) "  LD " $@
 LIBCTRL += ../src/common/wpa_ctrl.o
--- a/feeds/hostapd/hostapd/patches/590-rrm-wnm-statistics.patch
+++ b/feeds/hostapd/hostapd/patches/590-rrm-wnm-statistics.patch
@@ -0,0 +1,92 @@
 --- a/src/ap/hostapd.h
 +++ b/src/ap/hostapd.h
@@ -163,6 +163,21 @@ struct hostapd_sae_commit_queue {
 };
 /**
 + * struct hostapd_openwrt_stats - OpenWrt custom STA/AP statistics
 + */
 +struct hostapd_openwrt_stats {
 +	struct {
 +		u64 neighbor_report_tx;
 +	} rrm;
 +
 +	struct {
 +		u64 bss_transition_query_rx;
 +		u64 bss_transition_request_tx;
 +		u64 bss_transition_response_rx;
 +	} wnm;
 +};
 +
 +/**
  * struct hostapd_data - hostapd per-BSS data structure
  */
 struct hostapd_data {
@@ -182,6 +197,9 @@ struct hostapd_data {
 	struct hostapd_data *mld_first_bss;
 +	/* OpenWrt specific statistics */
 +	struct hostapd_openwrt_stats openwrt_stats;
 +
 	int num_sta; /* number of entries in sta_list */
 	struct sta_info *sta_list; /* STA info list head */
 #define STA_HASH_SIZE 256
 --- a/src/ap/wnm_ap.c
 +++ b/src/ap/wnm_ap.c
@@ -386,6 +386,7 @@ static int ieee802_11_send_bss_trans_mgm
 	mgmt->u.action.u.bss_tm_req.validity_interval = 1;
 	pos = mgmt->u.action.u.bss_tm_req.variable;
 +	hapd->openwrt_stats.wnm.bss_transition_request_tx++;
 	wpa_printf(MSG_DEBUG, "WNM: Send BSS Transition Management Request to "
 		   MACSTR " dialog_token=%u req_mode=0x%x disassoc_timer=%u "
 		   "validity_interval=%u",
@@ -790,10 +791,12 @@ int ieee802_11_rx_wnm_action_ap(struct h
 					       plen);
 		return 0;
 	case WNM_BSS_TRANS_MGMT_QUERY:
 +		hapd->openwrt_stats.wnm.bss_transition_query_rx++;
 		ieee802_11_rx_bss_trans_mgmt_query(hapd, mgmt->sa, payload,
 						   plen);
 		return 0;
 	case WNM_BSS_TRANS_MGMT_RESP:
 +		hapd->openwrt_stats.wnm.bss_transition_response_rx++;
 		ieee802_11_rx_bss_trans_mgmt_resp(hapd, mgmt->sa, payload,
 						  plen);
 		return 0;
@@ -840,6 +843,7 @@ int wnm_send_disassoc_imminent(struct ho
 	pos = mgmt->u.action.u.bss_tm_req.variable;
 +	hapd->openwrt_stats.wnm.bss_transition_request_tx++;
 	wpa_printf(MSG_DEBUG, "WNM: Send BSS Transition Management Request frame to indicate imminent disassociation (disassoc_timer=%d) to "
 		   MACSTR, disassoc_timer, MAC2STR(sta->addr));
 	if (hostapd_drv_send_mlme(hapd, buf, pos - buf, 0, NULL, 0, 0) < 0) {
@@ -921,6 +925,7 @@ int wnm_send_ess_disassoc_imminent(struc
 		return -1;
 	}
 +	hapd->openwrt_stats.wnm.bss_transition_request_tx++;
 	if (disassoc_timer) {
 		/* send disassociation frame after time-out */
 		set_disassoc_timer(hapd, sta, disassoc_timer);
@@ -1001,6 +1006,7 @@ int wnm_send_bss_tm_req(struct hostapd_d
 	}
 	os_free(buf);
 +	hapd->openwrt_stats.wnm.bss_transition_request_tx++;
 	if (disassoc_timer) {
 		/* send disassociation frame after time-out */
 		set_disassoc_timer(hapd, sta, disassoc_timer);
 --- a/src/ap/rrm.c
 +++ b/src/ap/rrm.c
@@ -269,6 +269,8 @@ static void hostapd_send_nei_report_resp
 		}
 	}
 +	hapd->openwrt_stats.rrm.neighbor_report_tx++;
 +
 	hostapd_drv_send_action(hapd, hapd->iface->freq, 0, addr,
 				wpabuf_head(buf), wpabuf_len(buf));
 	wpabuf_free(buf);
--- a/feeds/hostapd/hostapd/patches/599-wpa_supplicant-fix-warnings.patch
+++ b/feeds/hostapd/hostapd/patches/599-wpa_supplicant-fix-warnings.patch
--- a/feeds/hostapd/hostapd/patches/600-ubus_support.patch
+++ b/feeds/hostapd/hostapd/patches/600-ubus_support.patch
@@ -0,0 +1,738 @@
 --- a/hostapd/Makefile
 +++ b/hostapd/Makefile
@@ -166,6 +166,12 @@ OBJS += ../src/common/hw_features_common
 OBJS += ../src/eapol_auth/eapol_auth_sm.o
 +ifdef CONFIG_UBUS
 +CFLAGS += -DUBUS_SUPPORT
 +OBJS += ../src/utils/uloop.o
 +OBJS += ../src/ap/ubus.o
 +LIBS += -lubox -lubus
 +endif
 ifdef CONFIG_CODE_COVERAGE
 CFLAGS += -O0 -fprofile-arcs -ftest-coverage
 --- a/src/ap/hostapd.h
 +++ b/src/ap/hostapd.h
@@ -18,6 +18,7 @@
 #include "utils/list.h"
 #include "ap_config.h"
 #include "drivers/driver.h"
 +#include "ubus.h"
 #define OCE_STA_CFON_ENABLED(hapd) \
 	((hapd->conf->oce & OCE_STA_CFON) && \
@@ -184,6 +185,7 @@ struct hostapd_data {
 	struct hostapd_iface *iface;
 	struct hostapd_config *iconf;
 	struct hostapd_bss_config *conf;
 +	struct hostapd_ubus_bss ubus;
 	int interface_added; /* virtual interface added for this BSS */
 	unsigned int started:1;
 	unsigned int disabled:1;
@@ -695,6 +697,7 @@ hostapd_alloc_bss_data(struct hostapd_if
 		       struct hostapd_bss_config *bss);
 int hostapd_setup_interface(struct hostapd_iface *iface);
 int hostapd_setup_interface_complete(struct hostapd_iface *iface, int err);
 +void hostapd_set_own_neighbor_report(struct hostapd_data *hapd);
 void hostapd_interface_deinit(struct hostapd_iface *iface);
 void hostapd_interface_free(struct hostapd_iface *iface);
 struct hostapd_iface * hostapd_alloc_iface(void);
 --- a/src/ap/hostapd.c
 +++ b/src/ap/hostapd.c
@@ -435,6 +435,7 @@ void hostapd_free_hapd_data(struct hosta
 	hapd->beacon_set_done = 0;
 	wpa_printf(MSG_DEBUG, "%s(%s)", __func__, hapd->conf->iface);
 +	hostapd_ubus_free_bss(hapd);
 	accounting_deinit(hapd);
 	hostapd_deinit_wpa(hapd);
 	vlan_deinit(hapd);
@@ -1187,6 +1188,8 @@ static int hostapd_start_beacon(struct h
 	if (hapd->driver && hapd->driver->set_operstate)
 		hapd->driver->set_operstate(hapd->drv_priv, 1);
 +	hostapd_ubus_add_bss(hapd);
 +
 	return 0;
 }
@@ -2275,6 +2278,7 @@ static int hostapd_setup_interface_compl
 	if (err)
 		goto fail;
 +	hostapd_ubus_add_iface(iface);
 	wpa_printf(MSG_DEBUG, "Completing interface initialization");
 	if (iface->freq) {
 #ifdef NEED_AP_MLME
@@ -2494,6 +2498,7 @@ dfs_offload:
 fail:
 	wpa_printf(MSG_ERROR, "Interface initialization failed");
 +	hostapd_ubus_free_iface(iface);
 	if (iface->is_no_ir) {
 		hostapd_set_state(iface, HAPD_IFACE_NO_IR);
@@ -2984,6 +2989,7 @@ void hostapd_interface_deinit_free(struc
 		   (unsigned int) iface->conf->num_bss);
 	driver = iface->bss[0]->driver;
 	drv_priv = iface->bss[0]->drv_priv;
 +	hostapd_ubus_free_iface(iface);
 	hostapd_interface_deinit(iface);
 	wpa_printf(MSG_DEBUG, "%s: driver=%p drv_priv=%p -> hapd_deinit",
 		   __func__, driver, drv_priv);
 --- a/src/ap/ieee802_11.c
 +++ b/src/ap/ieee802_11.c
@@ -2786,7 +2786,7 @@ static void handle_auth(struct hostapd_d
 	u16 auth_alg, auth_transaction, status_code;
 	u16 resp = WLAN_STATUS_SUCCESS;
 	struct sta_info *sta = NULL;
 -	int res, reply_res;
 +	int res, reply_res, ubus_resp;
 	u16 fc;
 	const u8 *challenge = NULL;
 	u8 resp_ies[2 + WLAN_AUTH_CHALLENGE_LEN];
@@ -2795,6 +2795,11 @@ static void handle_auth(struct hostapd_d
 	struct radius_sta rad_info;
 	const u8 *dst, *sa, *bssid;
 	bool mld_sta = false;
 +	struct hostapd_ubus_request req = {
 +		.type = HOSTAPD_UBUS_AUTH_REQ,
 +		.mgmt_frame = mgmt,
 +		.ssi_signal = rssi,
 +	};
 	if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
 		wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
@@ -2986,6 +2991,13 @@ static void handle_auth(struct hostapd_d
 		resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
 		goto fail;
 	}
 +	ubus_resp = hostapd_ubus_handle_event(hapd, &req);
 +	if (0 && ubus_resp) {
 +		wpa_printf(MSG_DEBUG, "Station " MACSTR " rejected by ubus handler.\n",
 +			MAC2STR(mgmt->sa));
 +		resp = ubus_resp > 0 ? (u16) ubus_resp : WLAN_STATUS_UNSPECIFIED_FAILURE;
 +		goto fail;
 +	}
 	if (res == HOSTAPD_ACL_PENDING)
 		return;
@@ -5161,7 +5173,7 @@ static void handle_assoc(struct hostapd_
 	int resp = WLAN_STATUS_SUCCESS;
 	u16 reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
 	const u8 *pos;
 -	int left, i;
 +	int left, i, ubus_resp;
 	struct sta_info *sta;
 	u8 *tmp = NULL;
 #ifdef CONFIG_FILS
@@ -5374,6 +5386,11 @@ static void handle_assoc(struct hostapd_
 		left = res;
 	}
 #endif /* CONFIG_FILS */
 +	struct hostapd_ubus_request req = {
 +		.type = HOSTAPD_UBUS_ASSOC_REQ,
 +		.mgmt_frame = mgmt,
 +		.ssi_signal = rssi,
 +	};
 	/* followed by SSID and Supported rates; and HT capabilities if 802.11n
 	 * is used */
@@ -5472,6 +5489,13 @@ static void handle_assoc(struct hostapd_
 	}
 #endif /* CONFIG_FILS */
 +	ubus_resp = hostapd_ubus_handle_event(hapd, &req);
 +	if (0 && ubus_resp) {
 +		wpa_printf(MSG_DEBUG, "Station " MACSTR " assoc rejected by ubus handler.\n",
 +		       MAC2STR(mgmt->sa));
 +		resp = ubus_resp > 0 ? (u16) ubus_resp : WLAN_STATUS_UNSPECIFIED_FAILURE;
 +		goto fail;
 +	}
  fail:
 	/*
@@ -5753,6 +5777,7 @@ static void handle_disassoc(struct hosta
 			   (unsigned long) len);
 		return;
 	}
 +	hostapd_ubus_notify(hapd, "disassoc", mgmt->sa);
 	sta = ap_get_sta(hapd, mgmt->sa);
 	if (!sta) {
@@ -5784,6 +5809,8 @@ static void handle_deauth(struct hostapd
 	/* Clear the PTKSA cache entries for PASN */
 	ptksa_cache_flush(hapd->ptksa, mgmt->sa, WPA_CIPHER_NONE);
 +	hostapd_ubus_notify(hapd, "deauth", mgmt->sa);
 +
 	sta = ap_get_sta(hapd, mgmt->sa);
 	if (!sta) {
 		wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR
 --- a/src/ap/beacon.c
 +++ b/src/ap/beacon.c
@@ -1036,6 +1036,12 @@ void handle_probe_req(struct hostapd_dat
 	u16 csa_offs[2];
 	size_t csa_offs_len;
 	struct radius_sta rad_info;
 +	struct hostapd_ubus_request req = {
 +		.type = HOSTAPD_UBUS_PROBE_REQ,
 +		.mgmt_frame = mgmt,
 +		.ssi_signal = ssi_signal,
 +		.elems = &elems,
 +	};
 	if (hapd->iconf->rssi_ignore_probe_request && ssi_signal &&
 	    ssi_signal < hapd->iconf->rssi_ignore_probe_request)
@@ -1222,6 +1228,12 @@ void handle_probe_req(struct hostapd_dat
 	}
 #endif /* CONFIG_P2P */
 +	if (hostapd_ubus_handle_event(hapd, &req)) {
 +		wpa_printf(MSG_DEBUG, "Probe request for " MACSTR " rejected by ubus handler.\n",
 +		       MAC2STR(mgmt->sa));
 +		return;
 +	}
 +
 	/* TODO: verify that supp_rates contains at least one matching rate
 	 * with AP configuration */
 --- a/src/ap/drv_callbacks.c
 +++ b/src/ap/drv_callbacks.c
@@ -260,6 +260,10 @@ int hostapd_notif_assoc(struct hostapd_d
 	u16 reason = WLAN_REASON_UNSPECIFIED;
 	int status = WLAN_STATUS_SUCCESS;
 	const u8 *p2p_dev_addr = NULL;
 +	struct hostapd_ubus_request req = {
 +		.type = HOSTAPD_UBUS_ASSOC_REQ,
 +		.addr = addr,
 +	};
 	if (addr == NULL) {
 		/*
@@ -396,6 +400,12 @@ int hostapd_notif_assoc(struct hostapd_d
 		goto fail;
 	}
 +	if (hostapd_ubus_handle_event(hapd, &req)) {
 +		wpa_printf(MSG_DEBUG, "Station " MACSTR " assoc rejected by ubus handler.\n",
 +			   MAC2STR(req.addr));
 +		goto fail;
 +	}
 +
 #ifdef CONFIG_P2P
 	if (elems.p2p) {
 		wpabuf_free(sta->p2p_ie);
 --- a/src/ap/sta_info.c
 +++ b/src/ap/sta_info.c
@@ -471,6 +471,7 @@ void ap_handle_timer(void *eloop_ctx, vo
 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
 			       HOSTAPD_LEVEL_INFO, "deauthenticated due to "
 			       "local deauth request");
 +		hostapd_ubus_notify(hapd, "local-deauth", sta->addr);
 		ap_free_sta(hapd, sta);
 		return;
 	}
@@ -626,6 +627,7 @@ skip_poll:
 		mlme_deauthenticate_indication(
 			hapd, sta,
 			WLAN_REASON_PREV_AUTH_NOT_VALID);
 +		hostapd_ubus_notify(hapd, "inactive-deauth", sta->addr);
 		ap_free_sta(hapd, sta);
 		break;
 	}
@@ -1344,15 +1346,28 @@ void ap_sta_set_authorized(struct hostap
 					sta->addr, authorized, dev_addr);
 	if (authorized) {
 +		static const char * const auth_algs[] = {
 +			[WLAN_AUTH_OPEN] = "open",
 +			[WLAN_AUTH_SHARED_KEY] = "shared",
 +			[WLAN_AUTH_FT] = "ft",
 +			[WLAN_AUTH_SAE] = "sae",
 +			[WLAN_AUTH_FILS_SK] = "fils-sk",
 +			[WLAN_AUTH_FILS_SK_PFS] = "fils-sk-pfs",
 +			[WLAN_AUTH_FILS_PK] = "fils-pk",
 +			[WLAN_AUTH_PASN] = "pasn",
 +		};
 +		const char *auth_alg = NULL;
 		const u8 *dpp_pkhash;
 		const char *keyid;
 		char dpp_pkhash_buf[100];
 		char keyid_buf[100];
 		char ip_addr[100];
 +		char alg_buf[100];
 		dpp_pkhash_buf[0] = '\0';
 		keyid_buf[0] = '\0';
 		ip_addr[0] = '\0';
 +		alg_buf[0] = '\0';
 #ifdef CONFIG_P2P
 		if (wpa_auth_get_ip_addr(sta->wpa_sm, ip_addr_buf) == 0) {
 			os_snprintf(ip_addr, sizeof(ip_addr),
@@ -1362,6 +1377,13 @@ void ap_sta_set_authorized(struct hostap
 		}
 #endif /* CONFIG_P2P */
 +		if (sta->auth_alg < ARRAY_SIZE(auth_algs))
 +			auth_alg = auth_algs[sta->auth_alg];
 +
 +		if (auth_alg)
 +			os_snprintf(alg_buf, sizeof(alg_buf),
 +				" auth_alg=%s", auth_alg);
 +
 		keyid = ap_sta_wpa_get_keyid(hapd, sta);
 		if (keyid) {
 			os_snprintf(keyid_buf, sizeof(keyid_buf),
@@ -1380,17 +1402,19 @@ void ap_sta_set_authorized(struct hostap
 					 dpp_pkhash, SHA256_MAC_LEN);
 		}
 -		wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_CONNECTED "%s%s%s%s",
 -			buf, ip_addr, keyid_buf, dpp_pkhash_buf);
 +		hostapd_ubus_notify_authorized(hapd, sta);
 +		wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_CONNECTED "%s%s%s%s%s",
 +			buf, ip_addr, keyid_buf, dpp_pkhash_buf, alg_buf);
 		if (hapd->msg_ctx_parent &&
 		    hapd->msg_ctx_parent != hapd->msg_ctx)
 			wpa_msg_no_global(hapd->msg_ctx_parent, MSG_INFO,
 -					  AP_STA_CONNECTED "%s%s%s%s",
 +					  AP_STA_CONNECTED "%s%s%s%s%s",
 					  buf, ip_addr, keyid_buf,
 -					  dpp_pkhash_buf);
 +					  dpp_pkhash_buf, alg_buf);
 	} else {
 		wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_DISCONNECTED "%s", buf);
 +		hostapd_ubus_notify(hapd, "disassoc", sta->addr);
 		if (hapd->msg_ctx_parent &&
 		    hapd->msg_ctx_parent != hapd->msg_ctx)
 --- a/src/ap/wpa_auth_glue.c
 +++ b/src/ap/wpa_auth_glue.c
@@ -269,6 +269,7 @@ static void hostapd_wpa_auth_psk_failure
 	struct hostapd_data *hapd = ctx;
 	wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POSSIBLE_PSK_MISMATCH MACSTR,
 		MAC2STR(addr));
 +	hostapd_ubus_notify(hapd, "key-mismatch", addr);
 }
 --- a/wpa_supplicant/Makefile
 +++ b/wpa_supplicant/Makefile
@@ -192,6 +192,13 @@ ifdef CONFIG_EAPOL_TEST
 CFLAGS += -Werror -DEAPOL_TEST
 endif
 +ifdef CONFIG_UBUS
 +CFLAGS += -DUBUS_SUPPORT
 +OBJS += ubus.o
 +OBJS += ../src/utils/uloop.o
 +LIBS += -lubox -lubus
 +endif
 +
 ifdef CONFIG_CODE_COVERAGE
 CFLAGS += -O0 -fprofile-arcs -ftest-coverage
 LIBS += -lgcov
@@ -987,6 +994,9 @@ ifdef CONFIG_CTRL_IFACE_MIB
 CFLAGS += -DCONFIG_CTRL_IFACE_MIB
 endif
 OBJS += ../src/ap/ctrl_iface_ap.o
 +ifdef CONFIG_UBUS
 +OBJS += ../src/ap/ubus.o
 +endif
 endif
 CFLAGS += -DEAP_SERVER -DEAP_SERVER_IDENTITY
 --- a/wpa_supplicant/wpa_supplicant.c
 +++ b/wpa_supplicant/wpa_supplicant.c
@@ -7593,6 +7593,8 @@ struct wpa_supplicant * wpa_supplicant_a
 	}
 #endif /* CONFIG_P2P */
 +	wpas_ubus_add_bss(wpa_s);
 +
 	return wpa_s;
 }
@@ -7619,6 +7621,8 @@ int wpa_supplicant_remove_iface(struct w
 	struct wpa_supplicant *parent = wpa_s->parent;
 #endif /* CONFIG_MESH */
 +	wpas_ubus_free_bss(wpa_s);
 +
 	/* Remove interface from the global list of interfaces */
 	prev = global->ifaces;
 	if (prev == wpa_s) {
@@ -7965,8 +7969,12 @@ int wpa_supplicant_run(struct wpa_global
 	eloop_register_signal_terminate(wpa_supplicant_terminate, global);
 	eloop_register_signal_reconfig(wpa_supplicant_reconfig, global);
 +	wpas_ubus_add(global);
 +
 	eloop_run();
 +	wpas_ubus_free(global);
 +
 	return 0;
 }
 --- a/wpa_supplicant/wpa_supplicant_i.h
 +++ b/wpa_supplicant/wpa_supplicant_i.h
@@ -21,6 +21,7 @@
 #include "config_ssid.h"
 #include "wmm_ac.h"
 #include "pasn/pasn_common.h"
 +#include "ubus.h"
 extern const char *const wpa_supplicant_version;
 extern const char *const wpa_supplicant_license;
@@ -319,6 +320,8 @@ struct wpa_global {
 #endif /* CONFIG_WIFI_DISPLAY */
 	struct psk_list_entry *add_psk; /* From group formation */
 +
 +	struct ubus_object ubus_global;
 };
@@ -685,6 +688,7 @@ struct wpa_supplicant {
 	unsigned char own_addr[ETH_ALEN];
 	unsigned char perm_addr[ETH_ALEN];
 	char ifname[100];
 +	struct wpas_ubus_bss ubus;
 #ifdef CONFIG_MATCH_IFACE
 	int matched;
 #endif /* CONFIG_MATCH_IFACE */
 --- a/wpa_supplicant/wps_supplicant.c
 +++ b/wpa_supplicant/wps_supplicant.c
@@ -33,6 +33,7 @@
 #include "p2p/p2p.h"
 #include "p2p_supplicant.h"
 #include "wps_supplicant.h"
 +#include "ubus.h"
 #ifndef WPS_PIN_SCAN_IGNORE_SEL_REG
@@ -402,6 +403,8 @@ static int wpa_supplicant_wps_cred(void
 	wpa_hexdump_key(MSG_DEBUG, "WPS: Received Credential attribute",
 			cred->cred_attr, cred->cred_attr_len);
 +	wpas_ubus_notify(wpa_s, cred);
 +
 	if (wpa_s->conf->wps_cred_processing == 1)
 		return 0;
 --- a/wpa_supplicant/main.c
 +++ b/wpa_supplicant/main.c
@@ -203,7 +203,7 @@ int main(int argc, char *argv[])
 	for (;;) {
 		c = getopt(argc, argv,
 -			   "b:Bc:C:D:de:f:g:G:hi:I:KLMm:No:O:p:P:qsTtuv::W");
 +			   "b:Bc:C:D:de:f:g:G:hi:I:KLMm:nNo:O:p:P:qsTtuv::W");
 		if (c < 0)
 			break;
 		switch (c) {
@@ -268,6 +268,9 @@ int main(int argc, char *argv[])
 			params.conf_p2p_dev = optarg;
 			break;
 #endif /* CONFIG_P2P */
 +		case 'n':
 +			iface_count = 0;
 +			break;
 		case 'o':
 			params.override_driver = optarg;
 			break;
 --- a/src/ap/rrm.c
 +++ b/src/ap/rrm.c
@@ -89,6 +89,9 @@ static void hostapd_handle_beacon_report
 		return;
 	wpa_msg(hapd->msg_ctx, MSG_INFO, BEACON_RESP_RX MACSTR " %u %02x %s",
 		MAC2STR(addr), token, rep_mode, report);
 +	if (len < sizeof(struct rrm_measurement_beacon_report))
 +		return;
 +	hostapd_ubus_notify_beacon_report(hapd, addr, token, rep_mode, (struct rrm_measurement_beacon_report*) pos, len);
 }
 --- a/src/ap/vlan_init.c
 +++ b/src/ap/vlan_init.c
@@ -22,6 +22,7 @@
 static int vlan_if_add(struct hostapd_data *hapd, struct hostapd_vlan *vlan,
 		       int existsok)
 {
 +	bool vlan_exists = iface_exists(vlan->ifname);
 	int ret;
 #ifdef CONFIG_WEP
 	int i;
@@ -36,7 +37,7 @@ static int vlan_if_add(struct hostapd_da
 	}
 #endif /* CONFIG_WEP */
 -	if (!iface_exists(vlan->ifname))
 +	if (!vlan_exists)
 		ret = hostapd_vlan_if_add(hapd, vlan->ifname);
 	else if (!existsok)
 		return -1;
@@ -51,6 +52,9 @@ static int vlan_if_add(struct hostapd_da
 	if (hapd->wpa_auth)
 		ret = wpa_auth_ensure_group(hapd->wpa_auth, vlan->vlan_id);
 +	if (!ret && !vlan_exists)
 +		hostapd_ubus_add_vlan(hapd, vlan);
 +
 	if (ret == 0)
 		return ret;
@@ -77,6 +81,8 @@ int vlan_if_remove(struct hostapd_data *
 			   "WPA deinitialization for VLAN %d failed (%d)",
 			   vlan->vlan_id, ret);
 +	hostapd_ubus_remove_vlan(hapd, vlan);
 +
 	return hostapd_vlan_if_remove(hapd, vlan->ifname);
 }
 --- a/src/ap/dfs.c
 +++ b/src/ap/dfs.c
@@ -1216,6 +1216,8 @@ int hostapd_dfs_pre_cac_expired(struct h
 		"freq=%d ht_enabled=%d chan_offset=%d chan_width=%d cf1=%d cf2=%d",
 		freq, ht_enabled, chan_offset, chan_width, cf1, cf2);
 +	hostapd_ubus_notify_radar_detected(iface, freq, chan_width, cf1, cf2);
 +
 	/* Proceed only if DFS is not offloaded to the driver */
 	if (iface->drv_flags & WPA_DRIVER_FLAGS_DFS_OFFLOAD)
 		return 0;
 --- a/src/ap/airtime_policy.c
 +++ b/src/ap/airtime_policy.c
@@ -112,8 +112,14 @@ static void set_sta_weights(struct hosta
 {
 	struct sta_info *sta;
 -	for (sta = hapd->sta_list; sta; sta = sta->next)
 -		sta_set_airtime_weight(hapd, sta, weight);
 +	for (sta = hapd->sta_list; sta; sta = sta->next) {
 +		unsigned int sta_weight = weight;
 +
 +		if (sta->dyn_airtime_weight)
 +			sta_weight = (weight * sta->dyn_airtime_weight) / 256;
 +
 +		sta_set_airtime_weight(hapd, sta, sta_weight);
 +	}
 }
@@ -244,7 +250,10 @@ int airtime_policy_new_sta(struct hostap
 	unsigned int weight;
 	if (hapd->iconf->airtime_mode == AIRTIME_MODE_STATIC) {
 -		weight = get_weight_for_sta(hapd, sta->addr);
 +		if (sta->dyn_airtime_weight)
 +			weight = sta->dyn_airtime_weight;
 +		else
 +			weight = get_weight_for_sta(hapd, sta->addr);
 		if (weight)
 			return sta_set_airtime_weight(hapd, sta, weight);
 	}
 --- a/src/ap/sta_info.h
 +++ b/src/ap/sta_info.h
@@ -322,6 +322,7 @@ struct sta_info {
 #endif /* CONFIG_TESTING_OPTIONS */
 #ifdef CONFIG_AIRTIME_POLICY
 	unsigned int airtime_weight;
 +	unsigned int dyn_airtime_weight;
 	struct os_reltime backlogged_until;
 #endif /* CONFIG_AIRTIME_POLICY */
 --- a/src/ap/wnm_ap.c
 +++ b/src/ap/wnm_ap.c
@@ -455,7 +455,8 @@ static void ieee802_11_rx_bss_trans_mgmt
 		MAC2STR(addr), reason, hex ? " neighbor=" : "", hex);
 	os_free(hex);
 -	ieee802_11_send_bss_trans_mgmt_request(hapd, addr, dialog_token);
 +	if (!hostapd_ubus_notify_bss_transition_query(hapd, addr, dialog_token, reason, pos, end - pos))
 +		ieee802_11_send_bss_trans_mgmt_request(hapd, addr, dialog_token);
 }
@@ -477,7 +478,7 @@ static void ieee802_11_rx_bss_trans_mgmt
 					      size_t len)
 {
 	u8 dialog_token, status_code, bss_termination_delay;
 -	const u8 *pos, *end;
 +	const u8 *pos, *end, *target_bssid = NULL;
 	int enabled = hapd->conf->bss_transition;
 	struct sta_info *sta;
@@ -524,6 +525,7 @@ static void ieee802_11_rx_bss_trans_mgmt
 			wpa_printf(MSG_DEBUG, "WNM: not enough room for Target BSSID field");
 			return;
 		}
 +		target_bssid = pos;
 		sta->agreed_to_steer = 1;
 		eloop_cancel_timeout(ap_sta_reset_steer_flag_timer, hapd, sta);
 		eloop_register_timeout(2, 0, ap_sta_reset_steer_flag_timer,
@@ -543,6 +545,10 @@ static void ieee802_11_rx_bss_trans_mgmt
 			MAC2STR(addr), status_code, bss_termination_delay);
 	}
 +	hostapd_ubus_notify_bss_transition_response(hapd, sta->addr, dialog_token,
 +						    status_code, bss_termination_delay,
 +						    target_bssid, pos, end - pos);
 +
 	wpa_hexdump(MSG_DEBUG, "WNM: BSS Transition Candidate List Entries",
 		    pos, end - pos);
 }
 --- a/src/utils/eloop.c
 +++ b/src/utils/eloop.c
@@ -77,6 +77,9 @@ struct eloop_sock_table {
 struct eloop_data {
 	int max_sock;
 +	eloop_timeout_poll_handler timeout_poll_cb;
 +	eloop_poll_handler poll_cb;
 +
 	size_t count; /* sum of all table counts */
 #ifdef CONFIG_ELOOP_POLL
 	size_t max_pollfd_map; /* number of pollfds_map currently allocated */
@@ -1121,6 +1124,12 @@ void eloop_run(void)
 				os_reltime_sub(&timeout->time, &now, &tv);
 			else
 				tv.sec = tv.usec = 0;
 +		}
 +
 +		if (eloop.timeout_poll_cb && eloop.timeout_poll_cb(&tv, !!timeout))
 +			timeout = (void *)1;
 +
 +		if (timeout) {
 #if defined(CONFIG_ELOOP_POLL) || defined(CONFIG_ELOOP_EPOLL)
 			timeout_ms = tv.sec * 1000 + tv.usec / 1000;
 #endif /* defined(CONFIG_ELOOP_POLL) || defined(CONFIG_ELOOP_EPOLL) */
@@ -1190,7 +1199,8 @@ void eloop_run(void)
 		eloop.exceptions.changed = 0;
 		eloop_process_pending_signals();
 -
 +		if (eloop.poll_cb)
 +			eloop.poll_cb();
 		/* check if some registered timeouts have occurred */
 		timeout = dl_list_first(&eloop.timeout, struct eloop_timeout,
@@ -1252,6 +1262,14 @@ out:
 	return;
 }
 +int eloop_register_cb(eloop_poll_handler poll_cb,
 +		      eloop_timeout_poll_handler timeout_cb)
 +{
 +	eloop.poll_cb = poll_cb;
 +	eloop.timeout_poll_cb = timeout_cb;
 +
 +	return 0;
 +}
 void eloop_terminate(void)
 {
 --- a/src/utils/eloop.h
 +++ b/src/utils/eloop.h
@@ -65,6 +65,9 @@ typedef void (*eloop_timeout_handler)(vo
  */
 typedef void (*eloop_signal_handler)(int sig, void *signal_ctx);
 +typedef bool (*eloop_timeout_poll_handler)(struct os_reltime *tv, bool tv_set);
 +typedef void (*eloop_poll_handler)(void);
 +
 /**
  * eloop_init() - Initialize global event loop data
  * Returns: 0 on success, -1 on failure
@@ -73,6 +76,9 @@ typedef void (*eloop_signal_handler)(int
  */
 int eloop_init(void);
 +int eloop_register_cb(eloop_poll_handler poll_cb,
 +		      eloop_timeout_poll_handler timeout_cb);
 +
 /**
  * eloop_register_read_sock - Register handler for read events
  * @sock: File descriptor number for the socket
@@ -320,6 +326,8 @@ int eloop_register_signal_reconfig(eloop
  */
 int eloop_sock_requeue(void);
 +void eloop_add_uloop(void);
 +
 /**
  * eloop_run - Start the event loop
  *
 --- /dev/null
 +++ b/src/utils/uloop.c
@@ -0,0 +1,64 @@
 +#include <libubox/uloop.h>
 +#include "includes.h"
 +#include "common.h"
 +#include "eloop.h"
 +
 +static void eloop_uloop_event_cb(int sock, void *eloop_ctx, void *sock_ctx)
 +{
 +}
 +
 +static void eloop_uloop_fd_cb(struct uloop_fd *fd, unsigned int events)
 +{
 +	unsigned int changed = events ^ fd->flags;
 +
 +	if (changed & ULOOP_READ) {
 +		if (events & ULOOP_READ)
 +			eloop_register_sock(fd->fd, EVENT_TYPE_READ, eloop_uloop_event_cb, fd, fd);
 +		else
 +			eloop_unregister_sock(fd->fd, EVENT_TYPE_READ);
 +	}
 +
 +	if (changed & ULOOP_WRITE) {
 +		if (events & ULOOP_WRITE)
 +			eloop_register_sock(fd->fd, EVENT_TYPE_WRITE, eloop_uloop_event_cb, fd, fd);
 +		else
 +			eloop_unregister_sock(fd->fd, EVENT_TYPE_WRITE);
 +	}
 +}
 +
 +static bool uloop_timeout_poll_handler(struct os_reltime *tv, bool tv_set)
 +{
 +	struct os_reltime tv_uloop;
 +	int timeout_ms = uloop_get_next_timeout();
 +
 +	if (timeout_ms < 0)
 +		return false;
 +
 +	tv_uloop.sec = timeout_ms / 1000;
 +	tv_uloop.usec = (timeout_ms % 1000) * 1000;
 +
 +	if (!tv_set || os_reltime_before(&tv_uloop, tv)) {
 +		*tv = tv_uloop;
 +		return true;
 +	}
 +
 +	return false;
 +}
 +
 +static void uloop_poll_handler(void)
 +{
 +	uloop_run_timeout(0);
 +}
 +
 +void eloop_add_uloop(void)
 +{
 +	static bool init_done = false;
 +
 +	if (!init_done) {
 +		uloop_init();
 +		uloop_fd_set_cb = eloop_uloop_fd_cb;
 +		init_done = true;
 +	}
 +
 +	eloop_register_cb(uloop_poll_handler, uloop_timeout_poll_handler);
 +}
--- a/feeds/hostapd/hostapd/patches/601-ucode_support.patch
+++ b/feeds/hostapd/hostapd/patches/601-ucode_support.patch
@@ -0,0 +1,723 @@
 --- a/hostapd/Makefile
 +++ b/hostapd/Makefile
@@ -168,9 +168,21 @@ OBJS += ../src/eapol_auth/eapol_auth_sm.
 ifdef CONFIG_UBUS
 CFLAGS += -DUBUS_SUPPORT
 -OBJS += ../src/utils/uloop.o
 OBJS += ../src/ap/ubus.o
 -LIBS += -lubox -lubus
 +LIBS += -lubus
 +NEED_ULOOP:=y
 +endif
 +
 +ifdef CONFIG_UCODE
 +CFLAGS += -DUCODE_SUPPORT
 +OBJS += ../src/utils/ucode.o
 +OBJS += ../src/ap/ucode.o
 +NEED_ULOOP:=y
 +endif
 +
 +ifdef NEED_ULOOP
 +OBJS += ../src/utils/uloop.o
 +LIBS += -lubox
 endif
 ifdef CONFIG_CODE_COVERAGE
 --- a/hostapd/main.c
 +++ b/hostapd/main.c
@@ -1007,6 +1007,7 @@ int main(int argc, char *argv[])
 	}
 	hostapd_global_ctrl_iface_init(&interfaces);
 +	hostapd_ucode_init(&interfaces);
 	if (hostapd_global_run(&interfaces, daemonize, pid_file)) {
 		wpa_printf(MSG_ERROR, "Failed to start eloop");
@@ -1016,6 +1017,7 @@ int main(int argc, char *argv[])
 	ret = 0;
  out:
 +	hostapd_ucode_free();
 	hostapd_global_ctrl_iface_deinit(&interfaces);
 	/* Deinitialize all interfaces */
 	for (i = 0; i < interfaces.count; i++) {
 --- a/src/ap/hostapd.h
 +++ b/src/ap/hostapd.h
@@ -19,6 +19,7 @@
 #include "ap_config.h"
 #include "drivers/driver.h"
 #include "ubus.h"
 +#include "ucode.h"
 #define OCE_STA_CFON_ENABLED(hapd) \
 	((hapd->conf->oce & OCE_STA_CFON) && \
@@ -51,6 +52,10 @@ struct hapd_interfaces {
 	struct hostapd_config * (*config_read_cb)(const char *config_fname);
 	int (*ctrl_iface_init)(struct hostapd_data *hapd);
 	void (*ctrl_iface_deinit)(struct hostapd_data *hapd);
 +	int (*ctrl_iface_recv)(struct hostapd_data *hapd,
 +			       char *buf, char *reply, int reply_size,
 +			       struct sockaddr_storage *from,
 +			       socklen_t fromlen);
 	int (*for_each_interface)(struct hapd_interfaces *interfaces,
 				  int (*cb)(struct hostapd_iface *iface,
 					    void *ctx), void *ctx);
@@ -186,6 +191,7 @@ struct hostapd_data {
 	struct hostapd_config *iconf;
 	struct hostapd_bss_config *conf;
 	struct hostapd_ubus_bss ubus;
 +	struct hostapd_ucode_bss ucode;
 	int interface_added; /* virtual interface added for this BSS */
 	unsigned int started:1;
 	unsigned int disabled:1;
@@ -506,6 +512,7 @@ struct hostapd_sta_info {
  */
 struct hostapd_iface {
 	struct hapd_interfaces *interfaces;
 +	struct hostapd_ucode_iface ucode;
 	void *owner;
 	char *config_fname;
 	struct hostapd_config *conf;
@@ -706,6 +713,8 @@ struct hostapd_iface * hostapd_init(stru
 struct hostapd_iface *
 hostapd_interface_init_bss(struct hapd_interfaces *interfaces, const char *phy,
 			   const char *config_fname, int debug);
 +int hostapd_setup_bss(struct hostapd_data *hapd, int first, bool start_beacon);
 +void hostapd_bss_deinit(struct hostapd_data *hapd);
 void hostapd_new_assoc_sta(struct hostapd_data *hapd, struct sta_info *sta,
 			   int reassoc);
 void hostapd_interface_deinit_free(struct hostapd_iface *iface);
@@ -732,6 +741,7 @@ hostapd_switch_channel_fallback(struct h
 void hostapd_cleanup_cs_params(struct hostapd_data *hapd);
 void hostapd_periodic_iface(struct hostapd_iface *iface);
 int hostapd_owe_trans_get_info(struct hostapd_data *hapd);
 +void hostapd_owe_update_trans(struct hostapd_iface *iface);
 void hostapd_ocv_check_csa_sa_query(void *eloop_ctx, void *timeout_ctx);
 void hostapd_switch_color(struct hostapd_data *hapd, u64 bitmap);
 --- a/src/ap/hostapd.c
 +++ b/src/ap/hostapd.c
@@ -252,6 +252,8 @@ int hostapd_reload_config(struct hostapd
 	struct hostapd_config *newconf, *oldconf;
 	size_t j;
 +	hostapd_ucode_reload_bss(hapd);
 +
 	if (iface->config_fname == NULL) {
 		/* Only in-memory config in use - assume it has been updated */
 		hostapd_clear_old(iface);
@@ -435,6 +437,7 @@ void hostapd_free_hapd_data(struct hosta
 	hapd->beacon_set_done = 0;
 	wpa_printf(MSG_DEBUG, "%s(%s)", __func__, hapd->conf->iface);
 +	hostapd_ucode_free_bss(hapd);
 	hostapd_ubus_free_bss(hapd);
 	accounting_deinit(hapd);
 	hostapd_deinit_wpa(hapd);
@@ -538,7 +541,7 @@ void hostapd_free_hapd_data(struct hosta
  * Most of the modules that are initialized in hostapd_setup_bss() are
  * deinitialized here.
  */
 -static void hostapd_cleanup(struct hostapd_data *hapd)
 +void hostapd_cleanup(struct hostapd_data *hapd)
 {
 	wpa_printf(MSG_DEBUG, "%s(hapd=%p (%s))", __func__, hapd,
 		   hapd->conf ? hapd->conf->iface : "N/A");
@@ -600,6 +603,7 @@ void hostapd_cleanup_iface_partial(struc
 static void hostapd_cleanup_iface(struct hostapd_iface *iface)
 {
 	wpa_printf(MSG_DEBUG, "%s(%p)", __func__, iface);
 +	hostapd_ucode_free_iface(iface);
 	eloop_cancel_timeout(hostapd_interface_setup_failure_handler, iface,
 			     NULL);
@@ -1189,6 +1193,7 @@ static int hostapd_start_beacon(struct h
 		hapd->driver->set_operstate(hapd->drv_priv, 1);
 	hostapd_ubus_add_bss(hapd);
 +	hostapd_ucode_add_bss(hapd);
 	return 0;
 }
@@ -1211,7 +1216,7 @@ static int hostapd_start_beacon(struct h
  * initialized. Most of the modules that are initialized here will be
  * deinitialized in hostapd_cleanup().
  */
 -static int hostapd_setup_bss(struct hostapd_data *hapd, int first,
 +int hostapd_setup_bss(struct hostapd_data *hapd, int first,
 			     bool start_beacon)
 {
 	struct hostapd_bss_config *conf = hapd->conf;
@@ -2237,7 +2242,7 @@ static int hostapd_owe_iface_iter2(struc
 #endif /* CONFIG_OWE */
 -static void hostapd_owe_update_trans(struct hostapd_iface *iface)
 +void hostapd_owe_update_trans(struct hostapd_iface *iface)
 {
 #ifdef CONFIG_OWE
 	/* Check whether the enabled BSS can complete OWE transition mode
@@ -2698,7 +2703,7 @@ hostapd_alloc_bss_data(struct hostapd_if
 }
 -static void hostapd_bss_deinit(struct hostapd_data *hapd)
 +void hostapd_bss_deinit(struct hostapd_data *hapd)
 {
 	if (!hapd)
 		return;
@@ -3491,7 +3496,8 @@ int hostapd_remove_iface(struct hapd_int
 		hapd_iface = interfaces->iface[i];
 		if (hapd_iface == NULL)
 			return -1;
 -		if (!os_strcmp(hapd_iface->conf->bss[0]->iface, buf)) {
 +		if (!os_strcmp(hapd_iface->phy, buf) ||
 +		    !os_strcmp(hapd_iface->conf->bss[0]->iface, buf)) {
 			wpa_printf(MSG_INFO, "Remove interface '%s'", buf);
 			hapd_iface->driver_ap_teardown =
 				!!(hapd_iface->drv_flags &
 --- a/wpa_supplicant/Makefile
 +++ b/wpa_supplicant/Makefile
@@ -195,8 +195,20 @@ endif
 ifdef CONFIG_UBUS
 CFLAGS += -DUBUS_SUPPORT
 OBJS += ubus.o
 +LIBS += -lubus
 +NEED_ULOOP:=y
 +endif
 +
 +ifdef CONFIG_UCODE
 +CFLAGS += -DUCODE_SUPPORT
 +OBJS += ../src/utils/ucode.o
 +OBJS += ucode.o
 +NEED_ULOOP:=y
 +endif
 +
 +ifdef NEED_ULOOP
 OBJS += ../src/utils/uloop.o
 -LIBS += -lubox -lubus
 +LIBS += -lubox
 endif
 ifdef CONFIG_CODE_COVERAGE
@@ -997,6 +1009,9 @@ OBJS += ../src/ap/ctrl_iface_ap.o
 ifdef CONFIG_UBUS
 OBJS += ../src/ap/ubus.o
 endif
 +ifdef CONFIG_UCODE
 +OBJS += ../src/ap/ucode.o
 +endif
 endif
 CFLAGS += -DEAP_SERVER -DEAP_SERVER_IDENTITY
 --- a/wpa_supplicant/wpa_supplicant.c
 +++ b/wpa_supplicant/wpa_supplicant.c
@@ -1044,6 +1044,7 @@ void wpa_supplicant_set_state(struct wpa
 		sme_sched_obss_scan(wpa_s, 0);
 	}
 	wpa_s->wpa_state = state;
 +	wpas_ucode_update_state(wpa_s);
 #ifdef CONFIG_BGSCAN
 	if (state == WPA_COMPLETED && wpa_s->current_ssid != wpa_s->bgscan_ssid)
@@ -7594,6 +7595,7 @@ struct wpa_supplicant * wpa_supplicant_a
 #endif /* CONFIG_P2P */
 	wpas_ubus_add_bss(wpa_s);
 +	wpas_ucode_add_bss(wpa_s);
 	return wpa_s;
 }
@@ -7621,6 +7623,7 @@ int wpa_supplicant_remove_iface(struct w
 	struct wpa_supplicant *parent = wpa_s->parent;
 #endif /* CONFIG_MESH */
 +	wpas_ucode_free_bss(wpa_s);
 	wpas_ubus_free_bss(wpa_s);
 	/* Remove interface from the global list of interfaces */
@@ -7931,6 +7934,7 @@ struct wpa_global * wpa_supplicant_init(
 	eloop_register_timeout(WPA_SUPPLICANT_CLEANUP_INTERVAL, 0,
 			       wpas_periodic, global, NULL);
 +	wpas_ucode_init(global);
 	return global;
 }
@@ -7969,12 +7973,8 @@ int wpa_supplicant_run(struct wpa_global
 	eloop_register_signal_terminate(wpa_supplicant_terminate, global);
 	eloop_register_signal_reconfig(wpa_supplicant_reconfig, global);
 -	wpas_ubus_add(global);
 -
 	eloop_run();
 -	wpas_ubus_free(global);
 -
 	return 0;
 }
@@ -8007,6 +8007,8 @@ void wpa_supplicant_deinit(struct wpa_gl
 	wpas_notify_supplicant_deinitialized(global);
 +	wpas_ucode_free();
 +
 	eap_peer_unregister_methods();
 #ifdef CONFIG_AP
 	eap_server_unregister_methods();
 --- a/wpa_supplicant/wpa_supplicant_i.h
 +++ b/wpa_supplicant/wpa_supplicant_i.h
@@ -22,6 +22,7 @@
 #include "wmm_ac.h"
 #include "pasn/pasn_common.h"
 #include "ubus.h"
 +#include "ucode.h"
 extern const char *const wpa_supplicant_version;
 extern const char *const wpa_supplicant_license;
@@ -689,6 +690,7 @@ struct wpa_supplicant {
 	unsigned char perm_addr[ETH_ALEN];
 	char ifname[100];
 	struct wpas_ubus_bss ubus;
 +	struct wpas_ucode_bss ucode;
 #ifdef CONFIG_MATCH_IFACE
 	int matched;
 #endif /* CONFIG_MATCH_IFACE */
 --- a/hostapd/ctrl_iface.c
 +++ b/hostapd/ctrl_iface.c
@@ -4856,6 +4856,7 @@ try_again:
 		return -1;
 	}
 +	interface->ctrl_iface_recv = hostapd_ctrl_iface_receive_process;
 	wpa_msg_register_cb(hostapd_ctrl_iface_msg_cb);
 	return 0;
@@ -4957,6 +4958,7 @@ fail:
 	os_free(fname);
 	interface->global_ctrl_sock = s;
 +	interface->ctrl_iface_recv = hostapd_ctrl_iface_receive_process;
 	eloop_register_read_sock(s, hostapd_global_ctrl_iface_receive,
 				 interface, NULL);
 --- a/src/drivers/driver.h
 +++ b/src/drivers/driver.h
@@ -3787,6 +3787,25 @@ struct wpa_driver_ops {
 			 const char *ifname);
 	/**
 +	 * if_rename - Rename a virtual interface
 +	 * @priv: Private driver interface data
 +	 * @type: Interface type
 +	 * @ifname: Interface name of the virtual interface to be renamed
 +	 *	    (NULL when renaming the AP BSS interface)
 +	 * @new_name: New interface name of the virtual interface
 +	 * Returns: 0 on success, -1 on failure
 +	 */
 +	int (*if_rename)(void *priv, enum wpa_driver_if_type type,
 +			 const char *ifname, const char *new_name);
 +
 +	/**
 +	 * set_first_bss - Make a virtual interface the first (primary) bss
 +	 * @priv: Private driver interface data
 +	 * Returns: 0 on success, -1 on failure
 +	 */
 +	int (*set_first_bss)(void *priv);
 +
 +	/**
 	 * set_sta_vlan - Bind a station into a specific interface (AP only)
 	 * @priv: Private driver interface data
 	 * @ifname: Interface (main or virtual BSS or VLAN)
@@ -6440,6 +6459,7 @@ union wpa_event_data {
 	/**
 	 * struct ch_switch
 +	 * @count: Count until channel switch activates
 	 * @freq: Frequency of new channel in MHz
 	 * @ht_enabled: Whether this is an HT channel
 	 * @ch_offset: Secondary channel offset
@@ -6450,6 +6470,7 @@ union wpa_event_data {
 	 * @punct_bitmap: Puncturing bitmap
 	 */
 	struct ch_switch {
 +		int count;
 		int freq;
 		int ht_enabled;
 		int ch_offset;
 --- a/src/drivers/driver_nl80211_event.c
 +++ b/src/drivers/driver_nl80211_event.c
@@ -1202,6 +1202,7 @@ static void mlme_event_ch_switch(struct
 				 struct nlattr *bw, struct nlattr *cf1,
 				 struct nlattr *cf2,
 				 struct nlattr *punct_bitmap,
 +				 struct nlattr *count,
 				 int finished)
 {
 	struct i802_bss *bss;
@@ -1265,6 +1266,8 @@ static void mlme_event_ch_switch(struct
 		data.ch_switch.cf1 = nla_get_u32(cf1);
 	if (cf2)
 		data.ch_switch.cf2 = nla_get_u32(cf2);
 +	if (count)
 +		data.ch_switch.count = nla_get_u32(count);
 	if (finished)
 		bss->flink->freq = data.ch_switch.freq;
@@ -3912,6 +3915,7 @@ static void do_process_drv_event(struct
 				     tb[NL80211_ATTR_CENTER_FREQ1],
 				     tb[NL80211_ATTR_CENTER_FREQ2],
 				     tb[NL80211_ATTR_PUNCT_BITMAP],
 +				     tb[NL80211_ATTR_CH_SWITCH_COUNT],
 				     0);
 		break;
 	case NL80211_CMD_CH_SWITCH_NOTIFY:
@@ -3924,6 +3928,7 @@ static void do_process_drv_event(struct
 				     tb[NL80211_ATTR_CENTER_FREQ1],
 				     tb[NL80211_ATTR_CENTER_FREQ2],
 				     tb[NL80211_ATTR_PUNCT_BITMAP],
 +					 NULL,
 				     1);
 		break;
 	case NL80211_CMD_DISCONNECT:
 --- a/wpa_supplicant/events.c
 +++ b/wpa_supplicant/events.c
@@ -5389,6 +5389,7 @@ void supplicant_event(void *ctx, enum wp
 		event_to_string(event), event);
 #endif /* CONFIG_NO_STDOUT_DEBUG */
 +	wpas_ucode_event(wpa_s, event, data);
 	switch (event) {
 	case EVENT_AUTH:
 #ifdef CONFIG_FST
 --- a/src/ap/ap_drv_ops.h
 +++ b/src/ap/ap_drv_ops.h
@@ -393,6 +393,23 @@ static inline int hostapd_drv_stop_ap(st
 	return hapd->driver->stop_ap(hapd->drv_priv);
 }
 +static inline int hostapd_drv_if_rename(struct hostapd_data *hapd,
 +					enum wpa_driver_if_type type,
 +					const char *ifname,
 +					const char *new_name)
 +{
 +	if (!hapd->driver || !hapd->driver->if_rename || !hapd->drv_priv)
 +		return -1;
 +	return hapd->driver->if_rename(hapd->drv_priv, type, ifname, new_name);
 +}
 +
 +static inline int hostapd_drv_set_first_bss(struct hostapd_data *hapd)
 +{
 +	if (!hapd->driver || !hapd->driver->set_first_bss || !hapd->drv_priv)
 +		return 0;
 +	return hapd->driver->set_first_bss(hapd->drv_priv);
 +}
 +
 static inline int hostapd_drv_channel_info(struct hostapd_data *hapd,
 					   struct wpa_channel_info *ci)
 {
 --- a/src/drivers/driver_nl80211.c
 +++ b/src/drivers/driver_nl80211.c
@@ -1333,7 +1333,7 @@ static void wpa_driver_nl80211_event_rtm
 		}
 		wpa_printf(MSG_DEBUG, "nl80211: Interface down (%s/%s)",
 			   namebuf, ifname);
 -		if (os_strcmp(drv->first_bss->ifname, ifname) != 0) {
 +		if (drv->first_bss->ifindex != ifi->ifi_index) {
 			wpa_printf(MSG_DEBUG,
 				   "nl80211: Not the main interface (%s) - do not indicate interface down",
 				   drv->first_bss->ifname);
@@ -1369,7 +1369,7 @@ static void wpa_driver_nl80211_event_rtm
 		}
 		wpa_printf(MSG_DEBUG, "nl80211: Interface up (%s/%s)",
 			   namebuf, ifname);
 -		if (os_strcmp(drv->first_bss->ifname, ifname) != 0) {
 +		if (drv->first_bss->ifindex != ifi->ifi_index) {
 			wpa_printf(MSG_DEBUG,
 				   "nl80211: Not the main interface (%s) - do not indicate interface up",
 				   drv->first_bss->ifname);
@@ -8432,6 +8432,7 @@ static void *i802_init(struct hostapd_da
 	char master_ifname[IFNAMSIZ];
 	int ifindex, br_ifindex = 0;
 	int br_added = 0;
 +	int err;
 	bss = wpa_driver_nl80211_drv_init(hapd, params->ifname,
 					  params->global_priv, 1,
@@ -8491,21 +8492,17 @@ static void *i802_init(struct hostapd_da
 	    (params->num_bridge == 0 || !params->bridge[0]))
 		add_ifidx(drv, br_ifindex, drv->ifindex);
 -	if (bss->added_if_into_bridge || bss->already_in_bridge) {
 -		int err;
 -
 -		drv->rtnl_sk = nl_socket_alloc();
 -		if (drv->rtnl_sk == NULL) {
 -			wpa_printf(MSG_ERROR, "nl80211: Failed to allocate nl_sock");
 -			goto failed;
 -		}
 +	drv->rtnl_sk = nl_socket_alloc();
 +	if (drv->rtnl_sk == NULL) {
 +		wpa_printf(MSG_ERROR, "nl80211: Failed to allocate nl_sock");
 +		goto failed;
 +	}
 -		err = nl_connect(drv->rtnl_sk, NETLINK_ROUTE);
 -		if (err) {
 -			wpa_printf(MSG_ERROR, "nl80211: Failed to connect nl_sock to NETLINK_ROUTE: %s",
 -				   nl_geterror(err));
 -			goto failed;
 -		}
 +	err = nl_connect(drv->rtnl_sk, NETLINK_ROUTE);
 +	if (err) {
 +		wpa_printf(MSG_ERROR, "nl80211: Failed to connect nl_sock to NETLINK_ROUTE: %s",
 +			   nl_geterror(err));
 +		goto failed;
 	}
 	if (drv->capa.flags2 & WPA_DRIVER_FLAGS2_CONTROL_PORT_RX) {
@@ -8875,6 +8872,50 @@ static int wpa_driver_nl80211_if_remove(
 	return 0;
 }
 +static int wpa_driver_nl80211_if_rename(struct i802_bss *bss,
 +					enum wpa_driver_if_type type,
 +					const char *ifname, const char *new_name)
 +{
 +	struct wpa_driver_nl80211_data *drv = bss->drv;
 +	struct ifinfomsg ifi = {
 +		.ifi_family = AF_UNSPEC,
 +		.ifi_index = bss->ifindex,
 +	};
 +	struct nl_msg *msg;
 +	int res = -ENOMEM;
 +
 +	if (ifname)
 +		ifi.ifi_index = if_nametoindex(ifname);
 +
 +	msg = nlmsg_alloc_simple(RTM_SETLINK, 0);
 +	if (!msg)
 +		return res;
 +
 +	if (nlmsg_append(msg, &ifi, sizeof(ifi), NLMSG_ALIGNTO) < 0)
 +		goto out;
 +
 +	if (nla_put_string(msg, IFLA_IFNAME, new_name))
 +		goto out;
 +
 +	res = nl_send_auto_complete(drv->rtnl_sk, msg);
 +	if (res < 0)
 +		goto out;
 +
 +	res = nl_wait_for_ack(drv->rtnl_sk);
 +	if (res) {
 +		wpa_printf(MSG_INFO,
 +			   "nl80211: Renaming device %s to %s failed: %s",
 +			   ifname ? ifname : bss->ifname, new_name, nl_geterror(res));
 +		goto out;
 +	}
 +
 +	if (type == WPA_IF_AP_BSS && !ifname)
 +		os_strlcpy(bss->ifname, new_name, sizeof(bss->ifname));
 +
 +out:
 +	nlmsg_free(msg);
 +	return res;
 +}
 static int cookie_handler(struct nl_msg *msg, void *arg)
 {
@@ -10513,6 +10554,37 @@ static int driver_nl80211_if_remove(void
 }
 +static int driver_nl80211_if_rename(void *priv, enum wpa_driver_if_type type,
 +				    const char *ifname, const char *new_name)
 +{
 +	struct i802_bss *bss = priv;
 +	return wpa_driver_nl80211_if_rename(bss, type, ifname, new_name);
 +}
 +
 +
 +static int driver_nl80211_set_first_bss(void *priv)
 +{
 +	struct i802_bss *bss = priv, *tbss;
 +	struct wpa_driver_nl80211_data *drv = bss->drv;
 +
 +	if (drv->first_bss == bss)
 +		return 0;
 +
 +	for (tbss = drv->first_bss; tbss; tbss = tbss->next) {
 +		if (tbss->next != bss)
 +			continue;
 +
 +		tbss->next = bss->next;
 +		bss->next = drv->first_bss;
 +		drv->first_bss = bss;
 +		drv->ctx = bss->ctx;
 +		return 0;
 +	}
 +
 +	return -1;
 +}
 +
 +
 static int driver_nl80211_send_mlme(void *priv, const u8 *data,
 				    size_t data_len, int noack,
 				    unsigned int freq,
@@ -13697,6 +13769,8 @@ const struct wpa_driver_ops wpa_driver_n
 	.set_acl = wpa_driver_nl80211_set_acl,
 	.if_add = wpa_driver_nl80211_if_add,
 	.if_remove = driver_nl80211_if_remove,
 +	.if_rename = driver_nl80211_if_rename,
 +	.set_first_bss = driver_nl80211_set_first_bss,
 	.send_mlme = driver_nl80211_send_mlme,
 	.get_hw_feature_data = nl80211_get_hw_feature_data,
 	.sta_add = wpa_driver_nl80211_sta_add,
 --- a/src/ap/ieee802_11.c
 +++ b/src/ap/ieee802_11.c
@@ -547,11 +547,16 @@ static const char * sae_get_password(str
 				     struct sae_pt **s_pt,
 				     const struct sae_pk **s_pk)
 {
 +	struct hostapd_bss_config *conf = hapd->conf;
 +	struct hostapd_ssid *ssid = &conf->ssid;
 +	struct hostapd_sta_wpa_psk_short *psk;
 	const char *password = NULL;
 -	struct sae_password_entry *pw;
 -	struct sae_pt *pt = NULL;
 -	const struct sae_pk *pk = NULL;
 -	struct hostapd_sta_wpa_psk_short *psk = NULL;
 +	struct sae_password_entry *pw = NULL;
 + 	struct sae_pt *pt = NULL;
 + 	const struct sae_pk *pk = NULL;
 + 
 +	if (sta && sta->use_sta_psk)
 +		goto use_sta_psk;
 	for (pw = hapd->conf->sae_passwords; pw; pw = pw->next) {
 		if (!is_broadcast_ether_addr(pw->peer_addr) &&
@@ -582,6 +587,31 @@ static const char * sae_get_password(str
 		}
 	}
 +use_sta_psk:
 +	if (!password && sta) {
 +		for (psk = sta->psk; psk; psk = psk->next) {
 +			if (!psk->is_passphrase)
 +				continue;
 +
 +			password = psk->passphrase;
 +			if (!sta->use_sta_psk)
 +				break;
 +
 +			if (sta->sae_pt) {
 +				pt = sta->sae_pt;
 +				break;
 +			}
 +
 +			pt = sae_derive_pt(conf->sae_groups, ssid->ssid,
 +					   ssid->ssid_len,
 +					   (const u8 *) password,
 +					   os_strlen(password),
 +					   NULL);
 +			sta->sae_pt = pt;
 +			break;
 +		}
 +	}
 +
 	if (pw_entry)
 		*pw_entry = pw;
 	if (s_pt)
@@ -3105,6 +3135,12 @@ static void handle_auth(struct hostapd_d
 		goto fail;
 	}
 +	res = hostapd_ucode_sta_auth(hapd, sta);
 +	if (res) {
 +		resp = res;
 +		goto fail;
 +	}
 +
 	sta->flags &= ~WLAN_STA_PREAUTH;
 	ieee802_1x_notify_pre_auth(sta->eapol_sm, 0);
 --- a/src/ap/sta_info.c
 +++ b/src/ap/sta_info.c
@@ -425,6 +425,9 @@ void ap_free_sta(struct hostapd_data *ha
 	forced_memzero(sta->last_tk, WPA_TK_MAX_LEN);
 #endif /* CONFIG_TESTING_OPTIONS */
 +	if (sta->sae_pt)
 +		sae_deinit_pt(sta->sae_pt);
 +
 	os_free(sta);
 }
@@ -1326,6 +1329,8 @@ void ap_sta_set_authorized(struct hostap
 		sta->flags &= ~WLAN_STA_AUTHORIZED;
 	}
 +	if (authorized)
 +		hostapd_ucode_sta_connected(hapd, sta);
 #ifdef CONFIG_P2P
 	if (hapd->p2p_group == NULL) {
 		if (sta->p2p_ie != NULL &&
 --- a/src/ap/sta_info.h
 +++ b/src/ap/sta_info.h
@@ -198,6 +198,9 @@ struct sta_info {
 	int vlan_id_bound; /* updated by ap_sta_bind_vlan() */
 	 /* PSKs from RADIUS authentication server */
 	struct hostapd_sta_wpa_psk_short *psk;
 +	struct sae_pt *sae_pt;
 +	int use_sta_psk;
 +	int psk_idx;
 	char *identity; /* User-Name from RADIUS */
 	char *radius_cui; /* Chargeable-User-Identity from RADIUS */
 --- a/src/ap/wpa_auth_glue.c
 +++ b/src/ap/wpa_auth_glue.c
@@ -341,6 +341,7 @@ static const u8 * hostapd_wpa_auth_get_p
 	struct sta_info *sta = ap_get_sta(hapd, addr);
 	const u8 *psk;
 +	sta->psk_idx = 0;
 	if (vlan_id)
 		*vlan_id = 0;
 	if (psk_len)
@@ -387,13 +388,18 @@ static const u8 * hostapd_wpa_auth_get_p
 	 * returned psk which should not be returned again.
 	 * logic list (all hostapd_get_psk; all sta->psk)
 	 */
 +	if (sta && sta->use_sta_psk)
 +		psk = NULL;
 	if (sta && sta->psk && !psk) {
 		struct hostapd_sta_wpa_psk_short *pos;
 +		int psk_idx;
 		if (vlan_id)
 			*vlan_id = 0;
 		psk = sta->psk->psk;
 +		sta->psk_idx = psk_idx = 1;
 		for (pos = sta->psk; pos; pos = pos->next) {
 +			psk_idx++;
 			if (pos->is_passphrase) {
 				if (pbkdf2_sha1(pos->passphrase,
 						hapd->conf->ssid.ssid,
@@ -406,10 +412,14 @@ static const u8 * hostapd_wpa_auth_get_p
 				pos->is_passphrase = 0;
 			}
 			if (pos->psk == prev_psk) {
 +				sta->psk_idx = psk_idx;
 				psk = pos->next ? pos->next->psk : NULL;
 				break;
 			}
 		}
 +
 +		if (!psk)
 +			sta->psk_idx = 0;
 	}
 	return psk;
 }
--- a/feeds/hostapd/hostapd/patches/610-hostapd_cli_ujail_permission.patch
+++ b/feeds/hostapd/hostapd/patches/610-hostapd_cli_ujail_permission.patch
@@ -0,0 +1,33 @@
 --- a/src/common/wpa_ctrl.c
 +++ b/src/common/wpa_ctrl.c
@@ -135,7 +135,7 @@ try_again:
 		return NULL;
 	}
 	tries++;
 -#ifdef ANDROID
 +
 	/* Set client socket file permissions so that bind() creates the client
 	 * socket with these permissions and there is no need to try to change
 	 * them with chmod() after bind() which would have potential issues with
@@ -147,7 +147,7 @@ try_again:
 	 * operations to allow the response to go through. Those are using the
 	 * no-deference-symlinks version to avoid races. */
 	fchmod(ctrl->s, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
 -#endif /* ANDROID */
 +
 	if (bind(ctrl->s, (struct sockaddr *) &ctrl->local,
 		    sizeof(ctrl->local)) < 0) {
 		if (errno == EADDRINUSE && tries < 2) {
@@ -165,7 +165,11 @@ try_again:
 		return NULL;
 	}
 -#ifdef ANDROID
 +#ifndef ANDROID
 +	/* Set group even if we do not have privileges to change owner */
 +	lchown(ctrl->local.sun_path, -1, 101);
 +	lchown(ctrl->local.sun_path, 101, 101);
 +#else
 	/* Set group even if we do not have privileges to change owner */
 	lchown(ctrl->local.sun_path, -1, AID_WIFI);
 	lchown(ctrl->local.sun_path, AID_SYSTEM, AID_WIFI);
--- a/feeds/hostapd/hostapd/patches/701-reload_config_inline.patch
+++ b/feeds/hostapd/hostapd/patches/701-reload_config_inline.patch
@@ -1,6 +1,6 @@
 --- a/hostapd/config_file.c
 +++ b/hostapd/config_file.c
-@@ -4699,7 +4699,12 @@ struct hostapd_config * hostapd_config_r
+@@ -4816,7 +4816,12 @@ struct hostapd_config * hostapd_config_r
 	int errors = 0;
 	size_t i;
@@ -16,7 +16,7 @@
 			   "for reading.", fname);
 --- a/wpa_supplicant/config_file.c
 +++ b/wpa_supplicant/config_file.c
-@@ -318,8 +318,13 @@ struct wpa_config * wpa_config_read(cons
+@@ -326,8 +326,13 @@ struct wpa_config * wpa_config_read(cons
 	while (cred_tail && cred_tail->next)
 		cred_tail = cred_tail->next;
--- a/feeds/hostapd/hostapd/patches/710-vlan_no_bridge.patch
+++ b/feeds/hostapd/hostapd/patches/710-vlan_no_bridge.patch
@@ -0,0 +1,41 @@
 --- a/src/ap/ap_config.h
 +++ b/src/ap/ap_config.h
@@ -121,6 +121,7 @@ struct hostapd_ssid {
 #define DYNAMIC_VLAN_OPTIONAL 1
 #define DYNAMIC_VLAN_REQUIRED 2
 	int dynamic_vlan;
 +	int vlan_no_bridge;
 #define DYNAMIC_VLAN_NAMING_WITHOUT_DEVICE 0
 #define DYNAMIC_VLAN_NAMING_WITH_DEVICE 1
 #define DYNAMIC_VLAN_NAMING_END 2
 --- a/src/ap/vlan_full.c
 +++ b/src/ap/vlan_full.c
@@ -475,6 +475,9 @@ void vlan_newlink(const char *ifname, st
 	if (!vlan)
 		return;
 +	if (hapd->conf->ssid.vlan_no_bridge)
 +		goto out;
 +
 	vlan->configured = 1;
 	notempty = vlan->vlan_desc.notempty;
@@ -506,6 +509,7 @@ void vlan_newlink(const char *ifname, st
 				    ifname, br_name, tagged[i], hapd);
 	}
 +out:
 	ifconfig_up(ifname);
 }
 --- a/hostapd/config_file.c
 +++ b/hostapd/config_file.c
@@ -3351,6 +3351,8 @@ static int hostapd_config_fill(struct ho
 #ifndef CONFIG_NO_VLAN
 	} else if (os_strcmp(buf, "dynamic_vlan") == 0) {
 		bss->ssid.dynamic_vlan = atoi(pos);
 +	} else if (os_strcmp(buf, "vlan_no_bridge") == 0) {
 +		bss->ssid.vlan_no_bridge = atoi(pos);
 	} else if (os_strcmp(buf, "per_sta_vif") == 0) {
 		bss->ssid.per_sta_vif = atoi(pos);
 	} else if (os_strcmp(buf, "vlan_file") == 0) {
--- a/feeds/hostapd/hostapd/patches/711-wds_bridge_force.patch
+++ b/feeds/hostapd/hostapd/patches/711-wds_bridge_force.patch
@@ -0,0 +1,22 @@
 --- a/hostapd/config_file.c
 +++ b/hostapd/config_file.c
@@ -2318,6 +2318,8 @@ static int hostapd_config_fill(struct ho
 			   sizeof(conf->bss[0]->iface));
 	} else if (os_strcmp(buf, "bridge") == 0) {
 		os_strlcpy(bss->bridge, pos, sizeof(bss->bridge));
 +		if (!bss->wds_bridge[0])
 +			os_strlcpy(bss->wds_bridge, pos, sizeof(bss->wds_bridge));
 	} else if (os_strcmp(buf, "bridge_hairpin") == 0) {
 		bss->bridge_hairpin = atoi(pos);
 	} else if (os_strcmp(buf, "vlan_bridge") == 0) {
 --- a/src/ap/ap_drv_ops.c
 +++ b/src/ap/ap_drv_ops.c
@@ -348,8 +348,6 @@ int hostapd_set_wds_sta(struct hostapd_d
 		return -1;
 	if (hapd->conf->wds_bridge[0])
 		bridge = hapd->conf->wds_bridge;
 -	else if (hapd->conf->bridge[0])
 -		bridge = hapd->conf->bridge;
 	return hapd->driver->set_wds_sta(hapd->drv_priv, addr, aid, val,
 					 bridge, ifname_wds);
 }
--- a/feeds/hostapd/hostapd/patches/720-iface_max_num_sta.patch
+++ b/feeds/hostapd/hostapd/patches/720-iface_max_num_sta.patch
@@ -0,0 +1,81 @@
 --- a/hostapd/config_file.c
 +++ b/hostapd/config_file.c
@@ -2848,6 +2848,14 @@ static int hostapd_config_fill(struct ho
 				   line, bss->max_num_sta, MAX_STA_COUNT);
 			return 1;
 		}
 +	} else if (os_strcmp(buf, "iface_max_num_sta") == 0) {
 +		conf->max_num_sta = atoi(pos);
 +		if (conf->max_num_sta < 0 ||
 +		    conf->max_num_sta > MAX_STA_COUNT) {
 +			wpa_printf(MSG_ERROR, "Line %d: Invalid max_num_sta=%d; allowed range 0..%d",
 +				   line, conf->max_num_sta, MAX_STA_COUNT);
 +			return 1;
 +		}
 	} else if (os_strcmp(buf, "wpa") == 0) {
 		bss->wpa = atoi(pos);
 	} else if (os_strcmp(buf, "extended_key_id") == 0) {
 --- a/src/ap/hostapd.h
 +++ b/src/ap/hostapd.h
@@ -742,6 +742,7 @@ void hostapd_cleanup_cs_params(struct ho
 void hostapd_periodic_iface(struct hostapd_iface *iface);
 int hostapd_owe_trans_get_info(struct hostapd_data *hapd);
 void hostapd_ocv_check_csa_sa_query(void *eloop_ctx, void *timeout_ctx);
 +int hostapd_check_max_sta(struct hostapd_data *hapd);
 void hostapd_switch_color(struct hostapd_data *hapd, u64 bitmap);
 void hostapd_cleanup_cca_params(struct hostapd_data *hapd);
 --- a/src/ap/hostapd.c
 +++ b/src/ap/hostapd.c
@@ -244,6 +244,29 @@ static int hostapd_iface_conf_changed(st
 	return 0;
 }
 +static inline int hostapd_iface_num_sta(struct hostapd_iface *iface)
 +{
 +	int num_sta = 0;
 +	int i;
 +
 +	for (i = 0; i < iface->num_bss; i++)
 +		num_sta += iface->bss[i]->num_sta;
 +
 +	return num_sta;
 +}
 +
 +
 +int hostapd_check_max_sta(struct hostapd_data *hapd)
 +{
 +	if (hapd->num_sta >= hapd->conf->max_num_sta)
 +		return 1;
 +
 +	if (hapd->iconf->max_num_sta &&
 +	    hostapd_iface_num_sta(hapd->iface) >= hapd->iconf->max_num_sta)
 +		return 1;
 +
 +	return 0;
 +}
 int hostapd_reload_config(struct hostapd_iface *iface)
 {
 --- a/src/ap/beacon.c
 +++ b/src/ap/beacon.c
@@ -1252,7 +1252,7 @@ void handle_probe_req(struct hostapd_dat
 	if (hapd->conf->no_probe_resp_if_max_sta &&
 	    is_multicast_ether_addr(mgmt->da) &&
 	    is_multicast_ether_addr(mgmt->bssid) &&
 -	    hapd->num_sta >= hapd->conf->max_num_sta &&
 +	    hostapd_check_max_sta(hapd) &&
 	    !ap_get_sta(hapd, mgmt->sa)) {
 		wpa_printf(MSG_MSGDUMP, "%s: Ignore Probe Request from " MACSTR
 			   " since no room for additional STA",
 --- a/src/ap/ap_config.h
 +++ b/src/ap/ap_config.h
@@ -1039,6 +1039,8 @@ struct hostapd_config {
 	unsigned int track_sta_max_num;
 	unsigned int track_sta_max_age;
 +	int max_num_sta;
 +
 	char country[3]; /* first two octets: country code as described in
 			  * ISO/IEC 3166-1. Third octet:
 			  * ' ' (ascii 32): all environments
--- a/feeds/hostapd/hostapd/patches/730-ft_iface.patch
+++ b/feeds/hostapd/hostapd/patches/730-ft_iface.patch
@@ -0,0 +1,38 @@
 --- a/hostapd/config_file.c
 +++ b/hostapd/config_file.c
@@ -3007,6 +3007,8 @@ static int hostapd_config_fill(struct ho
 		wpa_printf(MSG_INFO,
 			   "Line %d: Obsolete peerkey parameter ignored", line);
 #ifdef CONFIG_IEEE80211R_AP
 +	} else if (os_strcmp(buf, "ft_iface") == 0) {
 +		os_strlcpy(bss->ft_iface, pos, sizeof(bss->ft_iface));
 	} else if (os_strcmp(buf, "mobility_domain") == 0) {
 		if (os_strlen(pos) != 2 * MOBILITY_DOMAIN_ID_LEN ||
 		    hexstr2bin(pos, bss->mobility_domain,
 --- a/src/ap/ap_config.h
 +++ b/src/ap/ap_config.h
@@ -283,6 +283,7 @@ struct airtime_sta_weight {
 struct hostapd_bss_config {
 	char iface[IFNAMSIZ + 1];
 	char bridge[IFNAMSIZ + 1];
 +	char ft_iface[IFNAMSIZ + 1];
 	char vlan_bridge[IFNAMSIZ + 1];
 	char wds_bridge[IFNAMSIZ + 1];
 	int bridge_hairpin; /* hairpin_mode on bridge members */
 --- a/src/ap/wpa_auth_glue.c
 +++ b/src/ap/wpa_auth_glue.c
@@ -1727,8 +1727,12 @@ int hostapd_setup_wpa(struct hostapd_dat
 	    wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt)) {
 		const char *ft_iface;
 -		ft_iface = hapd->conf->bridge[0] ? hapd->conf->bridge :
 -			   hapd->conf->iface;
 +		if (hapd->conf->ft_iface[0])
 +			ft_iface = hapd->conf->ft_iface;
 +		else if (hapd->conf->bridge[0])
 +			ft_iface = hapd->conf->bridge;
 +		else
 +			ft_iface = hapd->conf->iface;
 		hapd->l2 = l2_packet_init(ft_iface, NULL, ETH_P_RRB,
 					  hostapd_rrb_receive, hapd, 1);
 		if (!hapd->l2) {
--- a/feeds/hostapd/hostapd/patches/740-snoop_iface.patch
+++ b/feeds/hostapd/hostapd/patches/740-snoop_iface.patch
@@ -0,0 +1,139 @@
 --- a/src/ap/ap_config.h
 +++ b/src/ap/ap_config.h
@@ -284,6 +284,7 @@ struct hostapd_bss_config {
 	char iface[IFNAMSIZ + 1];
 	char bridge[IFNAMSIZ + 1];
 	char ft_iface[IFNAMSIZ + 1];
 +	char snoop_iface[IFNAMSIZ + 1];
 	char vlan_bridge[IFNAMSIZ + 1];
 	char wds_bridge[IFNAMSIZ + 1];
 	int bridge_hairpin; /* hairpin_mode on bridge members */
 --- a/src/ap/x_snoop.c
 +++ b/src/ap/x_snoop.c
@@ -33,28 +33,31 @@ int x_snoop_init(struct hostapd_data *ha
 	hapd->x_snoop_initialized = true;
 -	if (hostapd_drv_br_port_set_attr(hapd, DRV_BR_PORT_ATTR_HAIRPIN_MODE,
 +	if (!conf->snoop_iface[0] &&
 +	    hostapd_drv_br_port_set_attr(hapd, DRV_BR_PORT_ATTR_HAIRPIN_MODE,
 					 1)) {
 		wpa_printf(MSG_DEBUG,
 			   "x_snoop: Failed to enable hairpin_mode on the bridge port");
 		return -1;
 	}
 -	if (hostapd_drv_br_port_set_attr(hapd, DRV_BR_PORT_ATTR_PROXYARP, 1)) {
 +	if (!conf->snoop_iface[0] &&
 +	    hostapd_drv_br_port_set_attr(hapd, DRV_BR_PORT_ATTR_PROXYARP, 1)) {
 		wpa_printf(MSG_DEBUG,
 			   "x_snoop: Failed to enable proxyarp on the bridge port");
 		return -1;
 	}
 	if (hostapd_drv_br_set_net_param(hapd, DRV_BR_NET_PARAM_GARP_ACCEPT,
 -					 1)) {
 +					 conf->snoop_iface[0] ? conf->snoop_iface : NULL, 1)) {
 		wpa_printf(MSG_DEBUG,
 			   "x_snoop: Failed to enable accepting gratuitous ARP on the bridge");
 		return -1;
 	}
 #ifdef CONFIG_IPV6
 -	if (hostapd_drv_br_set_net_param(hapd, DRV_BR_MULTICAST_SNOOPING, 1)) {
 +	if (!conf->snoop_iface[0] &&
 +	    hostapd_drv_br_set_net_param(hapd, DRV_BR_MULTICAST_SNOOPING, NULL, 1)) {
 		wpa_printf(MSG_DEBUG,
 			   "x_snoop: Failed to enable multicast snooping on the bridge");
 		return -1;
@@ -73,8 +76,12 @@ x_snoop_get_l2_packet(struct hostapd_dat
 {
 	struct hostapd_bss_config *conf = hapd->conf;
 	struct l2_packet_data *l2;
 +	const char *ifname = conf->bridge;
 +
 +	if (conf->snoop_iface[0])
 +		ifname = conf->snoop_iface;
 -	l2 = l2_packet_init(conf->bridge, NULL, ETH_P_ALL, handler, hapd, 1);
 +	l2 = l2_packet_init(ifname, NULL, ETH_P_ALL, handler, hapd, 1);
 	if (l2 == NULL) {
 		wpa_printf(MSG_DEBUG,
 			   "x_snoop: Failed to initialize L2 packet processing %s",
@@ -127,9 +134,12 @@ void x_snoop_mcast_to_ucast_convert_send
 void x_snoop_deinit(struct hostapd_data *hapd)
 {
 +	struct hostapd_bss_config *conf = hapd->conf;
 +
 	if (!hapd->x_snoop_initialized)
 		return;
 -	hostapd_drv_br_set_net_param(hapd, DRV_BR_NET_PARAM_GARP_ACCEPT, 0);
 +	hostapd_drv_br_set_net_param(hapd, DRV_BR_NET_PARAM_GARP_ACCEPT,
 +				     conf->snoop_iface[0] ? conf->snoop_iface : NULL, 0);
 	hostapd_drv_br_port_set_attr(hapd, DRV_BR_PORT_ATTR_PROXYARP, 0);
 	hostapd_drv_br_port_set_attr(hapd, DRV_BR_PORT_ATTR_HAIRPIN_MODE, 0);
 	hapd->x_snoop_initialized = false;
 --- a/hostapd/config_file.c
 +++ b/hostapd/config_file.c
@@ -2322,6 +2322,8 @@ static int hostapd_config_fill(struct ho
 			os_strlcpy(bss->wds_bridge, pos, sizeof(bss->wds_bridge));
 	} else if (os_strcmp(buf, "bridge_hairpin") == 0) {
 		bss->bridge_hairpin = atoi(pos);
 +	} else if (os_strcmp(buf, "snoop_iface") == 0) {
 +		os_strlcpy(bss->snoop_iface, pos, sizeof(bss->snoop_iface));
 	} else if (os_strcmp(buf, "vlan_bridge") == 0) {
 		os_strlcpy(bss->vlan_bridge, pos, sizeof(bss->vlan_bridge));
 	} else if (os_strcmp(buf, "wds_bridge") == 0) {
 --- a/src/ap/ap_drv_ops.h
 +++ b/src/ap/ap_drv_ops.h
@@ -366,12 +366,12 @@ static inline int hostapd_drv_br_port_se
 static inline int hostapd_drv_br_set_net_param(struct hostapd_data *hapd,
 					       enum drv_br_net_param param,
 -					       unsigned int val)
 +					       const char *ifname, unsigned int val)
 {
 	if (hapd->driver == NULL || hapd->drv_priv == NULL ||
 	    hapd->driver->br_set_net_param == NULL)
 		return -1;
 -	return hapd->driver->br_set_net_param(hapd->drv_priv, param, val);
 +	return hapd->driver->br_set_net_param(hapd->drv_priv, param, ifname, val);
 }
 static inline int hostapd_drv_vendor_cmd(struct hostapd_data *hapd,
 --- a/src/drivers/driver.h
 +++ b/src/drivers/driver.h
@@ -4209,7 +4209,7 @@ struct wpa_driver_ops {
 	 * Returns: 0 on success, negative (<0) on failure
 	 */
 	int (*br_set_net_param)(void *priv, enum drv_br_net_param param,
 -				unsigned int val);
 +				const char *ifname, unsigned int val);
 	/**
 	 * get_wowlan - Get wake-on-wireless status
 --- a/src/drivers/driver_nl80211.c
 +++ b/src/drivers/driver_nl80211.c
@@ -12168,7 +12168,7 @@ static const char * drv_br_net_param_str
 static int wpa_driver_br_set_net_param(void *priv, enum drv_br_net_param param,
 -				       unsigned int val)
 +				       const char *ifname, unsigned int val)
 {
 	struct i802_bss *bss = priv;
 	char path[128];
@@ -12194,8 +12194,11 @@ static int wpa_driver_br_set_net_param(v
 			return -EINVAL;
 	}
 +	if (!ifname)
 +		ifname = bss->brname;
 +
 	os_snprintf(path, sizeof(path), "/proc/sys/net/ipv%d/conf/%s/%s",
 -		    ip_version, bss->brname, param_txt);
 +		    ip_version, ifname, param_txt);
 set_val:
 	if (linux_write_system_file(path, val))
--- a/feeds/hostapd/hostapd/patches/750-qos_map_set_without_interworking.patch
+++ b/feeds/hostapd/hostapd/patches/750-qos_map_set_without_interworking.patch
@@ -0,0 +1,97 @@
 --- a/hostapd/config_file.c
 +++ b/hostapd/config_file.c
@@ -1604,6 +1604,8 @@ static int parse_anqp_elem(struct hostap
 	return 0;
 }
 +#endif /* CONFIG_INTERWORKING */
 +
 static int parse_qos_map_set(struct hostapd_bss_config *bss,
 			     char *buf, int line)
@@ -1645,8 +1647,6 @@ static int parse_qos_map_set(struct host
 	return 0;
 }
 -#endif /* CONFIG_INTERWORKING */
 -
 #ifdef CONFIG_HS20
 static int hs20_parse_conn_capab(struct hostapd_bss_config *bss, char *buf,
@@ -4062,10 +4062,10 @@ static int hostapd_config_fill(struct ho
 		bss->gas_frag_limit = val;
 	} else if (os_strcmp(buf, "gas_comeback_delay") == 0) {
 		bss->gas_comeback_delay = atoi(pos);
 +#endif /* CONFIG_INTERWORKING */
 	} else if (os_strcmp(buf, "qos_map_set") == 0) {
 		if (parse_qos_map_set(bss, pos, line) < 0)
 			return 1;
 -#endif /* CONFIG_INTERWORKING */
 #ifdef CONFIG_RADIUS_TEST
 	} else if (os_strcmp(buf, "dump_msk_file") == 0) {
 		os_free(bss->dump_msk_file);
 --- a/src/ap/hostapd.c
 +++ b/src/ap/hostapd.c
@@ -1486,6 +1486,7 @@ int hostapd_setup_bss(struct hostapd_dat
 		wpa_printf(MSG_ERROR, "GAS server initialization failed");
 		return -1;
 	}
 +#endif /* CONFIG_INTERWORKING */
 	if (conf->qos_map_set_len &&
 	    hostapd_drv_set_qos_map(hapd, conf->qos_map_set,
@@ -1493,7 +1494,6 @@ int hostapd_setup_bss(struct hostapd_dat
 		wpa_printf(MSG_ERROR, "Failed to initialize QoS Map");
 		return -1;
 	}
 -#endif /* CONFIG_INTERWORKING */
 	if (conf->bss_load_update_period && bss_load_update_init(hapd)) {
 		wpa_printf(MSG_ERROR, "BSS Load initialization failed");
 --- a/wpa_supplicant/events.c
 +++ b/wpa_supplicant/events.c
@@ -2683,8 +2683,6 @@ void wnm_bss_keep_alive_deinit(struct wp
 }
 -#ifdef CONFIG_INTERWORKING
 -
 static int wpas_qos_map_set(struct wpa_supplicant *wpa_s, const u8 *qos_map,
 			    size_t len)
 {
@@ -2717,8 +2715,6 @@ static void interworking_process_assoc_r
 	}
 }
 -#endif /* CONFIG_INTERWORKING */
 -
 static void wpa_supplicant_set_4addr_mode(struct wpa_supplicant *wpa_s)
 {
@@ -3098,10 +3094,8 @@ static int wpa_supplicant_event_associnf
 		wnm_process_assoc_resp(wpa_s, data->assoc_info.resp_ies,
 				       data->assoc_info.resp_ies_len);
 #endif /* CONFIG_WNM */
 -#ifdef CONFIG_INTERWORKING
 		interworking_process_assoc_resp(wpa_s, data->assoc_info.resp_ies,
 						data->assoc_info.resp_ies_len);
 -#endif /* CONFIG_INTERWORKING */
 		if (wpa_s->hw_capab == CAPAB_VHT &&
 		    get_ie(data->assoc_info.resp_ies,
 			   data->assoc_info.resp_ies_len, WLAN_EID_VHT_CAP))
 --- a/src/ap/ieee802_11_shared.c
 +++ b/src/ap/ieee802_11_shared.c
@@ -1116,13 +1116,11 @@ u8 * hostapd_eid_rsnxe(struct hostapd_da
 u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta,
 		    const u8 *ext_capab_ie, size_t ext_capab_ie_len)
 {
 -#ifdef CONFIG_INTERWORKING
 	/* check for QoS Map support */
 	if (ext_capab_ie_len >= 5) {
 		if (ext_capab_ie[4] & 0x01)
 			sta->qos_map_enabled = 1;
 	}
 -#endif /* CONFIG_INTERWORKING */
 	if (ext_capab_ie_len > 0) {
 		sta->ecsa_supported = !!(ext_capab_ie[0] & BIT(2));
--- a/feeds/hostapd/hostapd/patches/750-wispr.patch
+++ b/feeds/hostapd/hostapd/patches/750-wispr.patch
@@ -0,0 +1,113 @@
 Index: hostapd-2021-02-20-59e9794c/src/ap/ieee802_1x.c
 ===================================================================
 --- hostapd-2021-02-20-59e9794c.orig/src/ap/ieee802_1x.c
 +++ hostapd-2021-02-20-59e9794c/src/ap/ieee802_1x.c
@@ -1904,6 +1904,25 @@ static int ieee802_1x_update_vlan(struct
 }
 #endif /* CONFIG_NO_VLAN */
 +static int ieee802_1x_update_wispr(struct hostapd_data *hapd,
 +				   struct sta_info *sta,
 +				   struct radius_msg *msg)
 +{
 +	memset(sta->bandwidth, 0, sizeof(sta->bandwidth));
 +
 +	if (radius_msg_get_wispr(msg, &sta->bandwidth))
 +		return 0;
 +
 +	if (!sta->bandwidth[0] && !sta->bandwidth[1])
 +		return 0;
 +
 +	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE8021X,
 +		       HOSTAPD_LEVEL_INFO,
 +		       "received wispr bandwidth from RADIUS server %d/%d",
 +		       sta->bandwidth[0], sta->bandwidth[1]);
 +
 +	return 0;
 +}
 /**
  * ieee802_1x_receive_auth - Process RADIUS frames from Authentication Server
@@ -2029,6 +2048,7 @@ ieee802_1x_receive_auth(struct radius_ms
 		ieee802_1x_check_hs20(hapd, sta, msg,
 				      session_timeout_set ?
 				      (int) session_timeout : -1);
 +		ieee802_1x_update_wispr(hapd, sta, msg);
 		break;
 	case RADIUS_CODE_ACCESS_REJECT:
 		sm->eap_if->aaaFail = true;
 Index: hostapd-2021-02-20-59e9794c/src/ap/sta_info.h
 ===================================================================
 --- hostapd-2021-02-20-59e9794c.orig/src/ap/sta_info.h
 +++ hostapd-2021-02-20-59e9794c/src/ap/sta_info.h
@@ -117,6 +117,7 @@ struct sta_info {
 	u8 supported_rates[WLAN_SUPP_RATES_MAX];
 	int supported_rates_len;
 	u8 qosinfo; /* Valid when WLAN_STA_WMM is set */
 +	u32 bandwidth[2];
 #ifdef CONFIG_MESH
 	enum mesh_plink_state plink_state;
 Index: hostapd-2021-02-20-59e9794c/src/radius/radius.c
 ===================================================================
 --- hostapd-2021-02-20-59e9794c.orig/src/radius/radius.c
 +++ hostapd-2021-02-20-59e9794c/src/radius/radius.c
@@ -1182,6 +1182,35 @@ radius_msg_get_cisco_keys(struct radius_
 	return keys;
 }
 +#define RADIUS_VENDOR_ID_WISPR	14122
 +#define RADIUS_WISPR_AV_BW_UP	7
 +#define RADIUS_WISPR_AV_BW_DOWN	8
 +
 +int
 +radius_msg_get_wispr(struct radius_msg *msg, u32 *bandwidth)
 +{
 +	int i;
 +
 +	if (msg == NULL || bandwidth == NULL)
 +		return 1;
 +
 +	for (i = 0; i < 2; i++) {
 +		size_t keylen;
 +		u8 *key;
 +
 +		key = radius_msg_get_vendor_attr(msg, RADIUS_VENDOR_ID_WISPR,
 +						 RADIUS_WISPR_AV_BW_UP + i, &keylen);
 +		if (!key)
 +			continue;
 +
 +		if (keylen == 4)
 +			bandwidth[i] = ntohl(*((u32 *)key));
 +		os_free(key);
 +	}
 +
 +	return 0;
 +}
 +
 int radius_msg_add_mppe_keys(struct radius_msg *msg,
 			     const u8 *req_authenticator,
 Index: hostapd-2021-02-20-59e9794c/src/radius/radius.h
 ===================================================================
 --- hostapd-2021-02-20-59e9794c.orig/src/radius/radius.h
 +++ hostapd-2021-02-20-59e9794c/src/radius/radius.h
@@ -205,6 +205,10 @@ enum {
 	RADIUS_VENDOR_ATTR_WFA_HS20_T_C_URL = 10,
 };
 +#define RADIUS_VENDOR_ID_WISPR	14122
 +#define RADIUS_WISPR_AV_BW_UP	7
 +#define RADIUS_WISPR_AV_BW_DOWN	8
 +
 #ifdef _MSC_VER
 #pragma pack(pop)
 #endif /* _MSC_VER */
@@ -277,6 +281,7 @@ radius_msg_get_ms_keys(struct radius_msg
 struct radius_ms_mppe_keys *
 radius_msg_get_cisco_keys(struct radius_msg *msg, struct radius_msg *sent_msg,
 			  const u8 *secret, size_t secret_len);
 +int radius_msg_get_wispr(struct radius_msg *msg, u32 *bandwidth);
 int radius_msg_add_mppe_keys(struct radius_msg *msg,
 			     const u8 *req_authenticator,
 			     const u8 *secret, size_t secret_len,
--- a/feeds/hostapd/hostapd/patches/751-qos_map_ignore_when_unsupported.patch
+++ b/feeds/hostapd/hostapd/patches/751-qos_map_ignore_when_unsupported.patch
@@ -0,0 +1,12 @@
 --- a/src/ap/ap_drv_ops.c
 +++ b/src/ap/ap_drv_ops.c
@@ -927,7 +927,8 @@ int hostapd_start_dfs_cac(struct hostapd
 int hostapd_drv_set_qos_map(struct hostapd_data *hapd,
 			    const u8 *qos_map_set, u8 qos_map_set_len)
 {
 -	if (!hapd->driver || !hapd->driver->set_qos_map || !hapd->drv_priv)
 +	if (!hapd->driver || !hapd->driver->set_qos_map || !hapd->drv_priv ||
 +	    !(hapd->iface->drv_flags & WPA_DRIVER_FLAGS_QOS_MAPPING))
 		return 0;
 	return hapd->driver->set_qos_map(hapd->drv_priv, qos_map_set,
 					 qos_map_set_len);
--- a/feeds/hostapd/hostapd/patches/751-wispr-ft.patch
+++ b/feeds/hostapd/hostapd/patches/751-wispr-ft.patch
@@ -0,0 +1,539 @@
 --- a/src/ap/wpa_auth.h
 +++ b/src/ap/wpa_auth.h
@@ -16,7 +16,11 @@
 struct vlan_description;
 struct mld_info;
 -
 +struct rate_description {
 +	u32 rx;
 +	u32 tx;
 +};
 + 
 #define MAX_OWN_IE_OVERRIDE 256
 #ifdef _MSC_VER
@@ -88,6 +92,7 @@ struct ft_rrb_frame {
 #define FT_RRB_IDENTITY      15
 #define FT_RRB_RADIUS_CUI    16
 #define FT_RRB_SESSION_TIMEOUT  17 /* le32 seconds */
 +#define FT_RRB_RATE_LIMIT	18
 struct ft_rrb_tlv {
 	le16 type;
@@ -368,6 +373,10 @@ struct wpa_auth_callbacks {
 			struct vlan_description *vlan);
 	int (*get_vlan)(void *ctx, const u8 *sta_addr,
 			struct vlan_description *vlan);
 +	int (*set_rate_limit)(void *ctx, const u8 *sta_addr,
 +			      struct rate_description *rate);
 +	int (*get_rate_limit)(void *ctx, const u8 *sta_addr,
 +			      struct rate_description *rate);
 	int (*set_identity)(void *ctx, const u8 *sta_addr,
 			    const u8 *identity, size_t identity_len);
 	size_t (*get_identity)(void *ctx, const u8 *sta_addr, const u8 **buf);
@@ -536,7 +545,7 @@ int wpa_ft_fetch_pmk_r1(struct wpa_authe
 			struct vlan_description *vlan,
 			const u8 **identity, size_t *identity_len,
 			const u8 **radius_cui, size_t *radius_cui_len,
 -			int *session_timeout);
 +			int *session_timeout, struct rate_description *rate);
 #endif /* CONFIG_IEEE80211R_AP */
 --- a/src/ap/wpa_auth_glue.c
 +++ b/src/ap/wpa_auth_glue.c
@@ -1200,6 +1200,40 @@ static int hostapd_wpa_auth_get_vlan(voi
 }
 +static int hostapd_wpa_auth_set_rate_limit(void *ctx, const u8 *sta_addr,
 +					   struct rate_description *rate)
 +{
 +	struct hostapd_data *hapd = ctx;
 +	struct sta_info *sta;
 +
 +	sta = ap_get_sta(hapd, sta_addr);
 +	if (!sta || !sta->wpa_sm)
 +		return -1;
 +
 +	memcpy(sta->bandwidth, rate, sizeof(*rate));
 +	hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
 +		       HOSTAPD_LEVEL_INFO, "rate-limit %d %d", sta->bandwidth[0], sta->bandwidth[1]);
 +
 +	return 0;
 +}
 +
 +
 +static int hostapd_wpa_auth_get_rate_limit(void *ctx, const u8 *sta_addr,
 +					   struct rate_description *rate)
 +{
 +	struct hostapd_data *hapd = ctx;
 +	struct sta_info *sta;
 +
 +	sta = ap_get_sta(hapd, sta_addr);
 +	if (!sta)
 +		return -1;
 +
 +	memcpy(rate, sta->bandwidth, sizeof(*rate));
 +
 +	return 0;
 +}
 +
 +
 static int
 hostapd_wpa_auth_set_identity(void *ctx, const u8 *sta_addr,
 			      const u8 *identity, size_t identity_len)
@@ -1640,6 +1674,8 @@ int hostapd_setup_wpa(struct hostapd_dat
 		.add_tspec = hostapd_wpa_auth_add_tspec,
 		.set_vlan = hostapd_wpa_auth_set_vlan,
 		.get_vlan = hostapd_wpa_auth_get_vlan,
 +		.set_rate_limit = hostapd_wpa_auth_set_rate_limit,
 +		.get_rate_limit = hostapd_wpa_auth_get_rate_limit,
 		.set_identity = hostapd_wpa_auth_set_identity,
 		.get_identity = hostapd_wpa_auth_get_identity,
 		.set_radius_cui = hostapd_wpa_auth_set_radius_cui,
 --- a/src/ap/wpa_auth_ft.c
 +++ b/src/ap/wpa_auth_ft.c
@@ -379,6 +379,14 @@ static size_t wpa_ft_vlan_len(const stru
 	return tlv_len;
 }
 +static size_t wpa_ft_rate_limit_len(const struct rate_description *rate)
 +{
 +	if (!rate || (!rate->rx && !rate->tx))
 +		return 0;
 +
 +	return (sizeof(struct ft_rrb_tlv) + 8);
 +}
 +
 static size_t wpa_ft_vlan_lin(const struct vlan_description *vlan,
 			      u8 *start, u8 *endpos)
@@ -434,10 +442,48 @@ static size_t wpa_ft_vlan_lin(const stru
 }
 +static size_t wpa_ft_rate_limit_lin(const struct rate_description *rate,
 +				    u8 *start, u8 *endpos)
 +{
 +	size_t tlv_len;
 +	int i, len;
 +	struct ft_rrb_tlv *hdr;
 +	u8 *pos = start;
 +
 +	if (!rate)
 +		return 0;
 +
 +	tlv_len = 0;
 +	if (rate->rx || rate->tx) {
 +		tlv_len += sizeof(*hdr);
 +		if (start + tlv_len > endpos)
 +			return tlv_len;
 +		hdr = (struct ft_rrb_tlv *) pos;
 +		hdr->type = host_to_le16(FT_RRB_RATE_LIMIT);
 +		hdr->len = host_to_le16(2 * sizeof(le32));
 +		pos = start + tlv_len;
 +
 +		tlv_len += sizeof(u32);
 +		if (start + tlv_len > endpos)
 +			return tlv_len;
 +		WPA_PUT_LE32(pos, rate->rx);
 +		pos = start + tlv_len;
 +		tlv_len += sizeof(u32);
 +		if (start + tlv_len > endpos)
 +			return tlv_len;
 +		WPA_PUT_LE32(pos, rate->tx);
 +		pos = start + tlv_len;
 +	}
 +
 +	return tlv_len;
 +}
 +
 +
 static int wpa_ft_rrb_lin(const struct tlv_list *tlvs1,
 			  const struct tlv_list *tlvs2,
 			  const struct vlan_description *vlan,
 -			  u8 **plain, size_t *plain_len)
 +			  u8 **plain, size_t *plain_len,
 +			  const struct rate_description *rate)
 {
 	u8 *pos, *endpos;
 	size_t tlv_len;
@@ -445,6 +491,7 @@ static int wpa_ft_rrb_lin(const struct t
 	tlv_len = wpa_ft_tlv_len(tlvs1);
 	tlv_len += wpa_ft_tlv_len(tlvs2);
 	tlv_len += wpa_ft_vlan_len(vlan);
 +	tlv_len += wpa_ft_rate_limit_len(rate);
 	*plain_len = tlv_len;
 	*plain = os_zalloc(tlv_len);
@@ -458,6 +505,7 @@ static int wpa_ft_rrb_lin(const struct t
 	pos += wpa_ft_tlv_lin(tlvs1, pos, endpos);
 	pos += wpa_ft_tlv_lin(tlvs2, pos, endpos);
 	pos += wpa_ft_vlan_lin(vlan, pos, endpos);
 +	pos += wpa_ft_rate_limit_lin(rate, pos, endpos);
 	/* validity check */
 	if (pos != endpos) {
@@ -526,7 +574,8 @@ static int wpa_ft_rrb_build(const u8 *ke
 			    const struct tlv_list *tlvs_auth,
 			    const struct vlan_description *vlan,
 			    const u8 *src_addr, u8 type,
 -			    u8 **packet, size_t *packet_len)
 +			    u8 **packet, size_t *packet_len,
 +			    const struct rate_description *rate)
 {
 	u8 *plain = NULL, *auth = NULL, *pos, *tmp;
 	size_t plain_len = 0, auth_len = 0;
@@ -534,10 +583,10 @@ static int wpa_ft_rrb_build(const u8 *ke
 	size_t pad_len = 0;
 	*packet = NULL;
 -	if (wpa_ft_rrb_lin(tlvs_enc0, tlvs_enc1, vlan, &plain, &plain_len) < 0)
 +	if (wpa_ft_rrb_lin(tlvs_enc0, tlvs_enc1, vlan, &plain, &plain_len, rate) < 0)
 		goto out;
 -	if (wpa_ft_rrb_lin(tlvs_auth, NULL, NULL, &auth, &auth_len) < 0)
 +	if (wpa_ft_rrb_lin(tlvs_auth, NULL, NULL, &auth, &auth_len, NULL) < 0)
 		goto out;
 	*packet_len = sizeof(u16) + auth_len + plain_len;
@@ -700,6 +749,24 @@ static int wpa_ft_get_vlan(struct wpa_au
 }
 +static int wpa_ft_get_rate_limit(struct wpa_authenticator *wpa_auth,
 +				 const u8 *sta_addr, struct rate_description *rate)
 +{
 +	if (!wpa_auth->cb->get_rate_limit)
 +		return -1;
 +	return wpa_auth->cb->get_rate_limit(wpa_auth->cb_ctx, sta_addr, rate);
 +}
 +
 +
 +static int wpa_ft_set_rate_limit(struct wpa_authenticator *wpa_auth,
 +				 const u8 *sta_addr, struct rate_description *rate)
 +{
 +	if (!wpa_auth->cb->set_rate_limit)
 +		return -1;
 +	return wpa_auth->cb->set_rate_limit(wpa_auth->cb_ctx, sta_addr, rate);
 +}
 +
 +
 static int
 wpa_ft_set_identity(struct wpa_authenticator *wpa_auth, const u8 *sta_addr,
 		    const u8 *identity, size_t identity_len)
@@ -1025,7 +1092,7 @@ wpa_ft_rrb_seq_req(struct wpa_authentica
 	if (wpa_ft_rrb_build(key, key_len, NULL, NULL, seq_req_auth, NULL,
 			     wpa_auth->addr, FT_PACKET_R0KH_R1KH_SEQ_REQ,
 -			     &packet, &packet_len) < 0) {
 +			     &packet, &packet_len, NULL) < 0) {
 		item = NULL; /* some other seq resp might still accept this */
 		goto err;
 	}
@@ -1208,6 +1275,7 @@ struct wpa_ft_pmk_r0_sa {
 	u8 spa[ETH_ALEN];
 	int pairwise; /* Pairwise cipher suite, WPA_CIPHER_* */
 	struct vlan_description *vlan;
 +	struct rate_description *rate;
 	os_time_t expiration; /* 0 for no expiration */
 	u8 *identity;
 	size_t identity_len;
@@ -1226,6 +1294,7 @@ struct wpa_ft_pmk_r1_sa {
 	u8 spa[ETH_ALEN];
 	int pairwise; /* Pairwise cipher suite, WPA_CIPHER_* */
 	struct vlan_description *vlan;
 +	struct rate_description *rate;
 	u8 *identity;
 	size_t identity_len;
 	u8 *radius_cui;
@@ -1254,6 +1323,7 @@ static void wpa_ft_free_pmk_r0(struct wp
 	os_memset(r0->pmk_r0, 0, PMK_LEN_MAX);
 	os_free(r0->vlan);
 +	os_free(r0->rate);
 	os_free(r0->identity);
 	os_free(r0->radius_cui);
 	os_free(r0);
@@ -1307,6 +1377,7 @@ static void wpa_ft_free_pmk_r1(struct wp
 	eloop_cancel_timeout(wpa_ft_expire_pmk_r1, r1, NULL);
 	os_memset(r1->pmk_r1, 0, PMK_LEN_MAX);
 +	os_free(r1->rate);
 	os_free(r1->vlan);
 	os_free(r1->identity);
 	os_free(r1->radius_cui);
@@ -1360,7 +1431,8 @@ static int wpa_ft_store_pmk_r0(struct wp
 			       const struct vlan_description *vlan,
 			       int expires_in, int session_timeout,
 			       const u8 *identity, size_t identity_len,
 -			       const u8 *radius_cui, size_t radius_cui_len)
 +			       const u8 *radius_cui, size_t radius_cui_len,
 +			       struct rate_description *rate)
 {
 	struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
 	struct wpa_ft_pmk_r0_sa *r0;
@@ -1388,6 +1460,14 @@ static int wpa_ft_store_pmk_r0(struct wp
 		}
 		*r0->vlan = *vlan;
 	}
 +	if (rate) {
 +		r0->rate = os_zalloc(sizeof(*rate));
 +		if (!r0->rate) {
 +			bin_clear_free(r0, sizeof(*r0));
 +			return -1;
 +		}
 +		*r0->rate = *rate;
 +	}
 	if (identity) {
 		r0->identity = os_malloc(identity_len);
 		if (r0->identity) {
@@ -1447,7 +1527,8 @@ static int wpa_ft_store_pmk_r1(struct wp
 			       const struct vlan_description *vlan,
 			       int expires_in, int session_timeout,
 			       const u8 *identity, size_t identity_len,
 -			       const u8 *radius_cui, size_t radius_cui_len)
 +			       const u8 *radius_cui, size_t radius_cui_len,
 +			       struct rate_description *rate)
 {
 	struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
 	int max_expires_in = wpa_auth->conf.r1_max_key_lifetime;
@@ -1477,6 +1558,14 @@ static int wpa_ft_store_pmk_r1(struct wp
 		}
 		*r1->vlan = *vlan;
 	}
 +	if (rate) {
 +		r1->rate = os_zalloc(sizeof(*rate));
 +		if (!r1->rate) {
 +			bin_clear_free(r1, sizeof(*r1));
 +			return -1;
 +		}
 +		*r1->rate = *rate;
 +	}
 	if (identity) {
 		r1->identity = os_malloc(identity_len);
 		if (r1->identity) {
@@ -1513,7 +1602,7 @@ int wpa_ft_fetch_pmk_r1(struct wpa_authe
 			struct vlan_description *vlan,
 			const u8 **identity, size_t *identity_len,
 			const u8 **radius_cui, size_t *radius_cui_len,
 -			int *session_timeout)
 +			int *session_timeout, struct rate_description *rate)
 {
 	struct wpa_ft_pmk_cache *cache = wpa_auth->ft_pmk_cache;
 	struct wpa_ft_pmk_r1_sa *r1;
@@ -1533,6 +1622,12 @@ int wpa_ft_fetch_pmk_r1(struct wpa_authe
 				*vlan = *r1->vlan;
 			if (vlan && !r1->vlan)
 				os_memset(vlan, 0, sizeof(*vlan));
 +			if (rate) {
 +				if (r1->rate)
 +					*rate = *r1->rate;
 +				else
 +					memset(rate, 0, sizeof(*rate));
 +			}
 			if (identity && identity_len) {
 				*identity = r1->identity;
 				*identity_len = r1->identity_len;
@@ -2059,7 +2154,7 @@ static int wpa_ft_pull_pmk_r1(struct wpa
 	if (wpa_ft_rrb_build(key, key_len, req_enc, NULL, req_auth, NULL,
 			     sm->wpa_auth->addr, FT_PACKET_R0KH_R1KH_PULL,
 -			     &packet, &packet_len) < 0)
 +			     &packet, &packet_len, NULL) < 0)
 		return -1;
 	ft_pending_req_ies = wpabuf_alloc_copy(ies, ies_len);
@@ -2088,6 +2183,7 @@ int wpa_ft_store_pmk_fils(struct wpa_sta
 {
 	int expires_in = sm->wpa_auth->conf.r0_key_lifetime;
 	struct vlan_description vlan;
 +	struct rate_description rate;
 	const u8 *identity, *radius_cui;
 	size_t identity_len, radius_cui_len;
 	int session_timeout;
@@ -2099,6 +2195,7 @@ int wpa_ft_store_pmk_fils(struct wpa_sta
 			   MAC2STR(sm->addr));
 		return -1;
 	}
 +	wpa_ft_get_rate_limit(sm->wpa_auth, sm->addr, &rate);
 	identity_len = wpa_ft_get_identity(sm->wpa_auth, sm->addr, &identity);
 	radius_cui_len = wpa_ft_get_radius_cui(sm->wpa_auth, sm->addr,
@@ -2108,7 +2205,7 @@ int wpa_ft_store_pmk_fils(struct wpa_sta
 	return wpa_ft_store_pmk_r0(sm->wpa_auth, sm->addr, pmk_r0, pmk_r0_len,
 				   pmk_r0_name, sm->pairwise, &vlan, expires_in,
 				   session_timeout, identity, identity_len,
 -				   radius_cui, radius_cui_len);
 +				   radius_cui, radius_cui_len, &rate);
 }
@@ -2172,6 +2269,7 @@ void wpa_auth_ft_store_keys(struct wpa_s
 	int psk_local = sm->wpa_auth->conf.ft_psk_generate_local;
 	int expires_in = sm->wpa_auth->conf.r0_key_lifetime;
 	struct vlan_description vlan;
 +	struct rate_description rate;
 	const u8 *identity, *radius_cui;
 	size_t identity_len, radius_cui_len;
 	int session_timeout;
@@ -2185,6 +2283,8 @@ void wpa_auth_ft_store_keys(struct wpa_s
 		return;
 	}
 +	wpa_ft_get_rate_limit(sm->wpa_auth, sm->addr, &rate);
 +
 	identity_len = wpa_ft_get_identity(sm->wpa_auth, sm->addr, &identity);
 	radius_cui_len = wpa_ft_get_radius_cui(sm->wpa_auth, sm->addr,
 					       &radius_cui);
@@ -2195,11 +2295,12 @@ void wpa_auth_ft_store_keys(struct wpa_s
 			    pmk_r0_name,
 			    sm->pairwise, &vlan, expires_in,
 			    session_timeout, identity, identity_len,
 -			    radius_cui, radius_cui_len);
 +			    radius_cui, radius_cui_len, &rate);
 	wpa_ft_store_pmk_r1(sm->wpa_auth, sm->addr, pmk_r1, key_len,
 			    sm->pmk_r1_name, sm->pairwise, &vlan,
 			    expires_in, session_timeout, identity,
 -			    identity_len, radius_cui, radius_cui_len);
 +			    identity_len, radius_cui, radius_cui_len,
 +			    &rate);
 }
@@ -3100,7 +3201,8 @@ static int wpa_ft_local_derive_pmk_r1(st
 				      const u8 **radius_cui,
 				      size_t *radius_cui_len,
 				      int *out_session_timeout,
 -				      size_t *pmk_r1_len)
 +				      size_t *pmk_r1_len,
 +				      struct rate_description *rate)
 {
 	struct wpa_auth_config *conf = &wpa_auth->conf;
 	const struct wpa_ft_pmk_r0_sa *r0;
@@ -3136,7 +3238,8 @@ static int wpa_ft_local_derive_pmk_r1(st
 			    out_pmk_r1_name,
 			    sm->pairwise, r0->vlan, expires_in, session_timeout,
 			    r0->identity, r0->identity_len,
 -			    r0->radius_cui, r0->radius_cui_len);
 +			    r0->radius_cui, r0->radius_cui_len,
 +			    r0->rate);
 	*out_pairwise = sm->pairwise;
 	if (vlan) {
@@ -3146,6 +3249,13 @@ static int wpa_ft_local_derive_pmk_r1(st
 			os_memset(vlan, 0, sizeof(*vlan));
 	}
 +	if (rate) {
 +		if (r0->rate)
 +			*rate = *r0->rate;
 +		else
 +			os_memset(rate, 0, sizeof(*rate));
 +	}
 +
 	if (identity && identity_len) {
 		*identity = r0->identity;
 		*identity_len = r0->identity_len;
@@ -3178,6 +3288,7 @@ static int wpa_ft_process_auth_req(struc
 	u8 *pos, *end;
 	int pairwise, session_timeout = 0;
 	struct vlan_description vlan;
 +	struct rate_description rate = {};
 	const u8 *identity, *radius_cui;
 	size_t identity_len = 0, radius_cui_len = 0;
 	size_t pmk_r1_len, kdk_len, len;
@@ -3274,7 +3385,7 @@ static int wpa_ft_process_auth_req(struc
 					pmk_r1, &pmk_r1_len, &pairwise, &vlan,
 					&identity, &identity_len, &radius_cui,
 					&radius_cui_len,
 -					&session_timeout) == 0) {
 +					&session_timeout, &rate) == 0) {
 			wpa_printf(MSG_DEBUG,
 				   "FT: Found PMKR1Name (using SHA%zu) from local cache",
 				   pmk_r1_len * 8);
@@ -3290,7 +3401,7 @@ static int wpa_ft_process_auth_req(struc
 				       pmk_r1_name, pmk_r1, &pairwise,
 				       &vlan, &identity, &identity_len,
 				       &radius_cui, &radius_cui_len,
 -				       &session_timeout, &pmk_r1_len) == 0) {
 +				       &session_timeout, &pmk_r1_len, &rate) == 0) {
 		wpa_printf(MSG_DEBUG,
 			   "FT: Generated PMK-R1 based on local PMK-R0");
 		goto pmk_r1_derived;
@@ -3392,6 +3503,7 @@ pmk_r1_derived:
 		wpa_printf(MSG_DEBUG, "FT: Failed to configure VLAN");
 		goto out;
 	}
 +	wpa_ft_set_rate_limit(sm->wpa_auth, sm->addr, &rate);
 	if (wpa_ft_set_identity(sm->wpa_auth, sm->addr,
 				identity, identity_len) < 0 ||
 	    wpa_ft_set_radius_cui(sm->wpa_auth, sm->addr,
@@ -3973,7 +4085,7 @@ static int wpa_ft_rrb_build_r0(const u8
 	ret = wpa_ft_rrb_build(key, key_len, tlvs, sess_tlv, tlv_auth,
 			       pmk_r0->vlan, src_addr, type,
 -			       packet, packet_len);
 +			       packet, packet_len, pmk_r0->rate);
 	forced_memzero(pmk_r1, sizeof(pmk_r1));
@@ -4113,7 +4225,7 @@ static int wpa_ft_rrb_rx_pull(struct wpa
 		ret = wpa_ft_rrb_build(key, key_len, resp, NULL, resp_auth,
 				       NULL, wpa_auth->addr,
 				       FT_PACKET_R0KH_R1KH_RESP,
 -				       &packet, &packet_len);
 +				       &packet, &packet_len, NULL);
 	} else {
 		ret = wpa_ft_rrb_build_r0(key, key_len, resp, r0, f_r1kh_id,
 					  f_s1kh_id, resp_auth, wpa_auth->addr,
@@ -4165,11 +4277,15 @@ static int wpa_ft_rrb_rx_r1(struct wpa_a
 	size_t f_expires_in_len;
 	size_t f_identity_len, f_radius_cui_len;
 	size_t f_session_timeout_len;
 +	size_t f_rate_len;
 +	const u8 *f_rate;
 	int pairwise;
 	int ret = -1;
 	int expires_in;
 	int session_timeout;
 	struct vlan_description vlan;
 +	struct rate_description rate;
 +	int has_rate = 0;
 	size_t pmk_r1_len;
 	RRB_GET_AUTH(FT_RRB_R0KH_ID, r0kh_id, msgtype, -1);
@@ -4279,6 +4395,13 @@ static int wpa_ft_rrb_rx_r1(struct wpa_a
 	wpa_printf(MSG_DEBUG, "FT: vlan %d%s",
 		   le_to_host16(vlan.untagged), vlan.tagged[0] ? "+" : "");
 +	RRB_GET_OPTIONAL(FT_RRB_RATE_LIMIT, rate, msgtype, 2 * sizeof(le32));
 +	if (f_rate) {
 +		memcpy(&rate, f_rate, sizeof(rate));
 +		rate.rx = le_to_host32(rate.rx);
 +		rate.tx = le_to_host32(rate.tx);
 +		has_rate = 1;
 +	};
 	RRB_GET_OPTIONAL(FT_RRB_IDENTITY, identity, msgtype, -1);
 	if (f_identity)
 		wpa_hexdump_ascii(MSG_DEBUG, "FT: Identity", f_identity,
@@ -4301,7 +4424,7 @@ static int wpa_ft_rrb_rx_r1(struct wpa_a
 				f_pmk_r1_name,
 				pairwise, &vlan, expires_in, session_timeout,
 				f_identity, f_identity_len, f_radius_cui,
 -				f_radius_cui_len) < 0)
 +				f_radius_cui_len, has_rate ? &rate : 0) < 0)
 		goto out;
 	ret = 0;
@@ -4614,7 +4737,7 @@ static int wpa_ft_rrb_rx_seq_req(struct
 	if (wpa_ft_rrb_build(key, key_len, NULL, NULL, seq_resp_auth, NULL,
 			     wpa_auth->addr, FT_PACKET_R0KH_R1KH_SEQ_RESP,
 -			     &packet, &packet_len) < 0)
 +			     &packet, &packet_len, NULL) < 0)
 		goto out;
 	wpa_ft_rrb_oui_send(wpa_auth, src_addr,
--- a/feeds/hostapd/hostapd/patches/760-acs_exclude_dfs.patch
+++ b/feeds/hostapd/hostapd/patches/760-acs_exclude_dfs.patch
--- a/feeds/hostapd/hostapd/patches/760-dynamic_own_ip.patch
+++ b/feeds/hostapd/hostapd/patches/760-dynamic_own_ip.patch
@@ -0,0 +1,109 @@
 --- a/src/ap/ap_config.h
 +++ b/src/ap/ap_config.h
@@ -310,6 +310,7 @@ struct hostapd_bss_config {
 	unsigned int eap_sim_db_timeout;
 	int eap_server_erp; /* Whether ERP is enabled on internal EAP server */
 	struct hostapd_ip_addr own_ip_addr;
 +	int dynamic_own_ip_addr;
 	char *nas_identifier;
 	struct hostapd_radius_servers *radius;
 	int acct_interim_interval;
 --- a/src/radius/radius_client.c
 +++ b/src/radius/radius_client.c
@@ -163,6 +163,8 @@ struct radius_client_data {
 	 */
 	void *ctx;
 +	struct hostapd_ip_addr local_ip;
 +
 	/**
 	 * conf - RADIUS client configuration (list of RADIUS servers to use)
 	 */
@@ -720,6 +722,30 @@ static void radius_client_list_add(struc
 /**
 + * radius_client_send - Get local address for the RADIUS auth socket
 + * @radius: RADIUS client context from radius_client_init()
 + * @addr: pointer to store the address
 + *
 + * This function returns the local address for the connection to the RADIUS
 + * auth server. It also opens the socket if it's not available yet.
 + */
 +int radius_client_get_local_addr(struct radius_client_data *radius,
 +				 struct hostapd_ip_addr *addr)
 +{
 +	struct hostapd_radius_servers *conf = radius->conf;
 +
 +	if (conf->auth_server && radius->auth_sock < 0)
 +		radius_client_init_auth(radius);
 +
 +	if (radius->auth_sock < 0)
 +		return -1;
 +
 +	memcpy(addr, &radius->local_ip, sizeof(*addr));
 +
 +	return 0;
 +}
 +
 +/**
  * radius_client_send - Send a RADIUS request
  * @radius: RADIUS client context from radius_client_init()
  * @msg: RADIUS message to be sent
@@ -1238,6 +1264,10 @@ radius_change_server(struct radius_clien
 			wpa_printf(MSG_DEBUG, "RADIUS local address: %s:%u",
 				   inet_ntoa(claddr.sin_addr),
 				   ntohs(claddr.sin_port));
 +			if (auth) {
 +				radius->local_ip.af = AF_INET;
 +				radius->local_ip.u.v4 = claddr.sin_addr;
 +			}
 		}
 		break;
 #ifdef CONFIG_IPV6
@@ -1249,6 +1279,10 @@ radius_change_server(struct radius_clien
 				   inet_ntop(AF_INET6, &claddr6.sin6_addr,
 					     abuf, sizeof(abuf)),
 				   ntohs(claddr6.sin6_port));
 +			if (auth) {
 +				radius->local_ip.af = AF_INET6;
 +				radius->local_ip.u.v6 = claddr6.sin6_addr;
 +			}
 		}
 		break;
 	}
 --- a/src/radius/radius_client.h
 +++ b/src/radius/radius_client.h
@@ -249,6 +249,8 @@ int radius_client_register(struct radius
 void radius_client_set_interim_error_cb(struct radius_client_data *radius,
 					void (*cb)(const u8 *addr, void *ctx),
 					void *ctx);
 +int radius_client_get_local_addr(struct radius_client_data *radius,
 +				 struct hostapd_ip_addr * addr);
 int radius_client_send(struct radius_client_data *radius,
 		       struct radius_msg *msg,
 		       RadiusType msg_type, const u8 *addr);
 --- a/src/ap/ieee802_1x.c
 +++ b/src/ap/ieee802_1x.c
@@ -598,6 +598,10 @@ int add_common_radius_attr(struct hostap
 	struct hostapd_radius_attr *attr;
 	int len;
 +	if (hapd->conf->dynamic_own_ip_addr)
 +		radius_client_get_local_addr(hapd->radius,
 +					     &hapd->conf->own_ip_addr);
 +
 	if (!hostapd_config_get_radius_attr(req_attr,
 					    RADIUS_ATTR_NAS_IP_ADDRESS) &&
 	    hapd->conf->own_ip_addr.af == AF_INET &&
 --- a/hostapd/config_file.c
 +++ b/hostapd/config_file.c
@@ -2688,6 +2688,8 @@ static int hostapd_config_fill(struct ho
 	} else if (os_strcmp(buf, "iapp_interface") == 0) {
 		wpa_printf(MSG_INFO, "DEPRECATED: iapp_interface not used");
 #endif /* CONFIG_IAPP */
 +	} else if (os_strcmp(buf, "dynamic_own_ip_addr") == 0) {
 +		bss->dynamic_own_ip_addr = atoi(pos);
 	} else if (os_strcmp(buf, "own_ip_addr") == 0) {
 		if (hostapd_parse_ip_addr(pos, &bss->own_ip_addr)) {
 			wpa_printf(MSG_ERROR,
--- a/feeds/hostapd/hostapd/patches/761-shared_das_port.patch
+++ b/feeds/hostapd/hostapd/patches/761-shared_das_port.patch
@@ -0,0 +1,298 @@
 --- a/src/radius/radius_das.h
 +++ b/src/radius/radius_das.h
@@ -44,6 +44,7 @@ struct radius_das_attrs {
 struct radius_das_conf {
 	int port;
 	const u8 *shared_secret;
 +	const u8 *nas_identifier;
 	size_t shared_secret_len;
 	const struct hostapd_ip_addr *client_addr;
 	unsigned int time_window;
 --- a/src/ap/hostapd.c
 +++ b/src/ap/hostapd.c
@@ -1423,6 +1423,7 @@ int hostapd_setup_bss(struct hostapd_dat
 			os_memset(&das_conf, 0, sizeof(das_conf));
 			das_conf.port = conf->radius_das_port;
 +			das_conf.nas_identifier = conf->nas_identifier;
 			das_conf.shared_secret = conf->radius_das_shared_secret;
 			das_conf.shared_secret_len =
 				conf->radius_das_shared_secret_len;
 --- a/src/radius/radius_das.c
 +++ b/src/radius/radius_das.c
@@ -12,13 +12,26 @@
 #include "utils/common.h"
 #include "utils/eloop.h"
 #include "utils/ip_addr.h"
 +#include "utils/list.h"
 #include "radius.h"
 #include "radius_das.h"
 -struct radius_das_data {
 +static struct dl_list das_ports = DL_LIST_HEAD_INIT(das_ports);
 +
 +struct radius_das_port {
 +	struct dl_list list;
 +	struct dl_list das_data;
 +
 +	int port;
 	int sock;
 +};
 +
 +struct radius_das_data {
 +	struct dl_list list;
 +	struct radius_das_port *port;
 	u8 *shared_secret;
 +	u8 *nas_identifier;
 	size_t shared_secret_len;
 	struct hostapd_ip_addr client_addr;
 	unsigned int time_window;
@@ -378,56 +391,17 @@ fail:
 }
 -static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx)
 +static void
 +radius_das_receive_msg(struct radius_das_data *das, struct radius_msg *msg,
 +		       struct sockaddr *from, socklen_t fromlen,
 +		       char *abuf, int from_port)
 {
 -	struct radius_das_data *das = eloop_ctx;
 -	u8 buf[1500];
 -	union {
 -		struct sockaddr_storage ss;
 -		struct sockaddr_in sin;
 -#ifdef CONFIG_IPV6
 -		struct sockaddr_in6 sin6;
 -#endif /* CONFIG_IPV6 */
 -	} from;
 -	char abuf[50];
 -	int from_port = 0;
 -	socklen_t fromlen;
 -	int len;
 -	struct radius_msg *msg, *reply = NULL;
 +	struct radius_msg *reply = NULL;
 	struct radius_hdr *hdr;
 	struct wpabuf *rbuf;
 +	struct os_time now;
 	u32 val;
 	int res;
 -	struct os_time now;
 -
 -	fromlen = sizeof(from);
 -	len = recvfrom(sock, buf, sizeof(buf), 0,
 -		       (struct sockaddr *) &from.ss, &fromlen);
 -	if (len < 0) {
 -		wpa_printf(MSG_ERROR, "DAS: recvfrom: %s", strerror(errno));
 -		return;
 -	}
 -
 -	os_strlcpy(abuf, inet_ntoa(from.sin.sin_addr), sizeof(abuf));
 -	from_port = ntohs(from.sin.sin_port);
 -
 -	wpa_printf(MSG_DEBUG, "DAS: Received %d bytes from %s:%d",
 -		   len, abuf, from_port);
 -	if (das->client_addr.u.v4.s_addr &&
 -	    das->client_addr.u.v4.s_addr != from.sin.sin_addr.s_addr) {
 -		wpa_printf(MSG_DEBUG, "DAS: Drop message from unknown client");
 -		return;
 -	}
 -
 -	msg = radius_msg_parse(buf, len);
 -	if (msg == NULL) {
 -		wpa_printf(MSG_DEBUG, "DAS: Parsing incoming RADIUS packet "
 -			   "from %s:%d failed", abuf, from_port);
 -		return;
 -	}
 -
 -	if (wpa_debug_level <= MSG_MSGDUMP)
 -		radius_msg_dump(msg);
 	if (radius_msg_verify_das_req(msg, das->shared_secret,
 				       das->shared_secret_len,
@@ -494,9 +468,8 @@ static void radius_das_receive(int sock,
 			radius_msg_dump(reply);
 		rbuf = radius_msg_get_buf(reply);
 -		res = sendto(das->sock, wpabuf_head(rbuf),
 -			     wpabuf_len(rbuf), 0,
 -			     (struct sockaddr *) &from.ss, fromlen);
 +		res = sendto(das->port->sock, wpabuf_head(rbuf),
 +			     wpabuf_len(rbuf), 0, from, fromlen);
 		if (res < 0) {
 			wpa_printf(MSG_ERROR, "DAS: sendto(to %s:%d): %s",
 				   abuf, from_port, strerror(errno));
@@ -508,6 +481,72 @@ fail:
 	radius_msg_free(reply);
 }
 +static void radius_das_receive(int sock, void *eloop_ctx, void *sock_ctx)
 +{
 +	struct radius_das_port *p = eloop_ctx;
 +	struct radius_das_data *das;
 +	u8 buf[1500];
 +	union {
 +		struct sockaddr_storage ss;
 +		struct sockaddr_in sin;
 +#ifdef CONFIG_IPV6
 +		struct sockaddr_in6 sin6;
 +#endif /* CONFIG_IPV6 */
 +	} from;
 +	struct radius_msg *msg;
 +	size_t nasid_len = 0;
 +	u8 *nasid_buf = NULL;
 +	char abuf[50];
 +	int from_port = 0;
 +	socklen_t fromlen;
 +	int found = 0;
 +	int len;
 +
 +	fromlen = sizeof(from);
 +	len = recvfrom(sock, buf, sizeof(buf), 0,
 +		       (struct sockaddr *) &from.ss, &fromlen);
 +	if (len < 0) {
 +		wpa_printf(MSG_ERROR, "DAS: recvfrom: %s", strerror(errno));
 +		return;
 +	}
 +
 +	os_strlcpy(abuf, inet_ntoa(from.sin.sin_addr), sizeof(abuf));
 +	from_port = ntohs(from.sin.sin_port);
 +
 +	msg = radius_msg_parse(buf, len);
 +	if (msg == NULL) {
 +		wpa_printf(MSG_DEBUG, "DAS: Parsing incoming RADIUS packet "
 +			   "from %s:%d failed", abuf, from_port);
 +		return;
 +	}
 +
 +	wpa_printf(MSG_DEBUG, "DAS: Received %d bytes from %s:%d",
 +		   len, abuf, from_port);
 +
 +	if (wpa_debug_level <= MSG_MSGDUMP)
 +		radius_msg_dump(msg);
 +
 +	radius_msg_get_attr_ptr(msg, RADIUS_ATTR_NAS_IDENTIFIER,
 +				&nasid_buf, &nasid_len, NULL);
 +	dl_list_for_each(das, &p->das_data, struct radius_das_data, list) {
 +		if (das->client_addr.u.v4.s_addr &&
 +		    das->client_addr.u.v4.s_addr != from.sin.sin_addr.s_addr)
 +			continue;
 +
 +		if (das->nas_identifier && nasid_buf &&
 +		    (nasid_len != os_strlen(das->nas_identifier) ||
 +		     os_memcmp(das->nas_identifier, nasid_buf, nasid_len) != 0))
 +			continue;
 +
 +		found = 1;
 +		radius_das_receive_msg(das, msg, (struct sockaddr *)&from.ss,
 +				       fromlen, abuf, from_port);
 +	}
 +
 +	if (!found)
 +		wpa_printf(MSG_DEBUG, "DAS: Drop message from unknown client");
 +}
 +
 static int radius_das_open_socket(int port)
 {
@@ -533,6 +572,49 @@ static int radius_das_open_socket(int po
 }
 +static struct radius_das_port *
 +radius_das_open_port(int port)
 +{
 +	struct radius_das_port *p;
 +
 +	dl_list_for_each(p, &das_ports, struct radius_das_port, list) {
 +		if (p->port == port)
 +			return p;
 +	}
 +
 +	p = os_zalloc(sizeof(*p));
 +	if (p == NULL)
 +		return NULL;
 +
 +	dl_list_init(&p->das_data);
 +	p->port = port;
 +	p->sock = radius_das_open_socket(port);
 +	if (p->sock < 0)
 +		goto free_port;
 +
 +	if (eloop_register_read_sock(p->sock, radius_das_receive, p, NULL))
 +		goto close_port;
 +
 +	dl_list_add(&das_ports, &p->list);
 +
 +	return p;
 +
 +close_port:
 +	close(p->sock);
 +free_port:
 +	os_free(p);
 +
 +	return NULL;
 +}
 +
 +static void radius_das_close_port(struct radius_das_port *p)
 +{
 +	dl_list_del(&p->list);
 +	eloop_unregister_read_sock(p->sock);
 +	close(p->sock);
 +	free(p);
 +}
 +
 struct radius_das_data *
 radius_das_init(struct radius_das_conf *conf)
 {
@@ -553,6 +635,8 @@ radius_das_init(struct radius_das_conf *
 	das->ctx = conf->ctx;
 	das->disconnect = conf->disconnect;
 	das->coa = conf->coa;
 +	if (conf->nas_identifier)
 +		das->nas_identifier = os_strdup(conf->nas_identifier);
 	os_memcpy(&das->client_addr, conf->client_addr,
 		  sizeof(das->client_addr));
@@ -565,19 +649,15 @@ radius_das_init(struct radius_das_conf *
 	}
 	das->shared_secret_len = conf->shared_secret_len;
 -	das->sock = radius_das_open_socket(conf->port);
 -	if (das->sock < 0) {
 +	das->port = radius_das_open_port(conf->port);
 +	if (!das->port) {
 		wpa_printf(MSG_ERROR, "Failed to open UDP socket for RADIUS "
 			   "DAS");
 		radius_das_deinit(das);
 		return NULL;
 	}
 -	if (eloop_register_read_sock(das->sock, radius_das_receive, das, NULL))
 -	{
 -		radius_das_deinit(das);
 -		return NULL;
 -	}
 +	dl_list_add(&das->port->das_data, &das->list);
 	return das;
 }
@@ -588,11 +668,14 @@ void radius_das_deinit(struct radius_das
 	if (das == NULL)
 		return;
 -	if (das->sock >= 0) {
 -		eloop_unregister_read_sock(das->sock);
 -		close(das->sock);
 +	if (das->port) {
 +		dl_list_del(&das->list);
 +
 +		if (dl_list_empty(&das->port->das_data))
 +			radius_das_close_port(das->port);
 	}
 +	os_free(das->nas_identifier);
 	os_free(das->shared_secret);
 	os_free(das);
 }
--- a/feeds/hostapd/hostapd/patches/770-radius_server.patch
+++ b/feeds/hostapd/hostapd/patches/770-radius_server.patch
@@ -0,0 +1,154 @@
 --- a/hostapd/Makefile
 +++ b/hostapd/Makefile
@@ -63,6 +63,10 @@ endif
 OBJS += main.o
 OBJS += config_file.o
 +ifdef CONFIG_RADIUS_SERVER
 +OBJS += radius.o
 +endif
 +
 OBJS += ../src/ap/hostapd.o
 OBJS += ../src/ap/wpa_auth_glue.o
 OBJS += ../src/ap/drv_callbacks.o
 --- a/hostapd/main.c
 +++ b/hostapd/main.c
@@ -40,6 +40,7 @@ struct hapd_global {
 static struct hapd_global global;
 +extern int radius_main(int argc, char **argv);
 #ifndef CONFIG_NO_HOSTAPD_LOGGER
 static void hostapd_logger_cb(void *ctx, const u8 *addr, unsigned int module,
@@ -771,6 +772,11 @@ int main(int argc, char *argv[])
 	if (os_program_init())
 		return -1;
 +#ifdef RADIUS_SERVER
 +	if (strstr(argv[0], "radius"))
 +		return radius_main(argc, argv);
 +#endif
 +
 	os_memset(&interfaces, 0, sizeof(interfaces));
 	interfaces.reload_config = hostapd_reload_config;
 	interfaces.config_read_cb = hostapd_config_read;
 --- a/src/radius/radius_server.c
 +++ b/src/radius/radius_server.c
@@ -63,6 +63,12 @@ struct radius_server_counters {
 	u32 unknown_acct_types;
 };
 +struct radius_accept_attr {
 +	u8 type;
 +	u16 len;
 +	void *data;
 +};
 +
 /**
  * struct radius_session - Internal RADIUS server data for a session
  */
@@ -90,7 +96,7 @@ struct radius_session {
 	unsigned int macacl:1;
 	unsigned int t_c_filtering:1;
 -	struct hostapd_radius_attr *accept_attr;
 +	struct radius_accept_attr *accept_attr;
 	u32 t_c_timestamp; /* Last read T&C timestamp from user DB */
 };
@@ -394,6 +400,7 @@ static void radius_server_session_free(s
 	radius_msg_free(sess->last_reply);
 	os_free(sess->username);
 	os_free(sess->nas_ip);
 +	os_free(sess->accept_attr);
 	os_free(sess);
 	data->num_sess--;
 }
@@ -554,6 +561,36 @@ radius_server_erp_find_key(struct radius
 }
 #endif /* CONFIG_ERP */
 +static struct radius_accept_attr *
 +radius_server_copy_attr(const struct hostapd_radius_attr *data)
 +{
 +	const struct hostapd_radius_attr *attr;
 +	struct radius_accept_attr *attr_new;
 +	size_t data_size = 0;
 +	void *data_buf;
 +	int n_attr = 1;
 +
 +	for (attr = data; attr; attr = attr->next) {
 +		n_attr++;
 +		data_size += wpabuf_len(attr->val);
 +	}
 +
 +	attr_new = os_zalloc(n_attr * sizeof(*attr) + data_size);
 +	if (!attr_new)
 +		return NULL;
 +
 +	data_buf = &attr_new[n_attr];
 +	for (n_attr = 0, attr = data; attr; attr = attr->next) {
 +		struct radius_accept_attr *cur = &attr_new[n_attr++];
 +
 +		cur->type = attr->type;
 +		cur->len = wpabuf_len(attr->val);
 +		cur->data = memcpy(data_buf, wpabuf_head(attr->val), cur->len);
 +		data_buf += cur->len;
 +	}
 +
 +	return attr_new;
 +}
 static struct radius_session *
 radius_server_get_new_session(struct radius_server_data *data,
@@ -607,7 +644,7 @@ radius_server_get_new_session(struct rad
 		eap_user_free(tmp);
 		return NULL;
 	}
 -	sess->accept_attr = tmp->accept_attr;
 +	sess->accept_attr = radius_server_copy_attr(tmp->accept_attr);
 	sess->macacl = tmp->macacl;
 	eap_user_free(tmp);
@@ -1118,11 +1155,10 @@ radius_server_encapsulate_eap(struct rad
 	}
 	if (code == RADIUS_CODE_ACCESS_ACCEPT) {
 -		struct hostapd_radius_attr *attr;
 -		for (attr = sess->accept_attr; attr; attr = attr->next) {
 -			if (!radius_msg_add_attr(msg, attr->type,
 -						 wpabuf_head(attr->val),
 -						 wpabuf_len(attr->val))) {
 +		struct radius_accept_attr *attr;
 +		for (attr = sess->accept_attr; attr->data; attr++) {
 +			if (!radius_msg_add_attr(msg, attr->type, attr->data,
 +						 attr->len)) {
 				wpa_printf(MSG_ERROR, "Could not add RADIUS attribute");
 				radius_msg_free(msg);
 				return NULL;
@@ -1211,11 +1247,10 @@ radius_server_macacl(struct radius_serve
 	}
 	if (code == RADIUS_CODE_ACCESS_ACCEPT) {
 -		struct hostapd_radius_attr *attr;
 -		for (attr = sess->accept_attr; attr; attr = attr->next) {
 -			if (!radius_msg_add_attr(msg, attr->type,
 -						 wpabuf_head(attr->val),
 -						 wpabuf_len(attr->val))) {
 +		struct radius_accept_attr *attr;
 +		for (attr = sess->accept_attr; attr->data; attr++) {
 +			if (!radius_msg_add_attr(msg, attr->type, attr->data,
 +						 attr->len)) {
 				wpa_printf(MSG_ERROR, "Could not add RADIUS attribute");
 				radius_msg_free(msg);
 				return NULL;
@@ -2512,7 +2547,7 @@ static int radius_server_get_eap_user(vo
 	ret = data->get_eap_user(data->conf_ctx, identity, identity_len,
 				 phase2, user);
 	if (ret == 0 && user) {
 -		sess->accept_attr = user->accept_attr;
 +		sess->accept_attr = radius_server_copy_attr(user->accept_attr);
 		sess->remediation = user->remediation;
 		sess->macacl = user->macacl;
 		sess->t_c_timestamp = user->t_c_timestamp;
--- a/feeds/hostapd/hostapd/patches/780-maxassoc.patch
+++ b/feeds/hostapd/hostapd/patches/780-maxassoc.patch
--- a/feeds/hostapd/hostapd/patches/790-wired-dynamic-vlan.patch
+++ b/feeds/hostapd/hostapd/patches/790-wired-dynamic-vlan.patch
--- a/feeds/hostapd/hostapd/patches/800-fix-ap-sta-channel-setup-failed.patch
+++ b/feeds/hostapd/hostapd/patches/800-fix-ap-sta-channel-setup-failed.patch
@@ -0,0 +1,29 @@
 diff --git a/src/common/hw_features_common.c b/src/common/hw_features_common.c
 index ad2aebf..355b4a8 100644
 --- a/src/common/hw_features_common.c
 +++ b/src/common/hw_features_common.c
@@ -615,9 +615,21 @@ int hostapd_set_freq_params(struct hostapd_freq_params *data,
 			    center_segment0 == channel - 6)
 				data->center_freq1 = 5000 + center_segment0 * 5;
 			else {
 -				wpa_printf(MSG_ERROR,
 -					   "Wrong coupling between HT and VHT/HE channel setting");
 -				return -1;
 +				if (channel <= 48)
 +					center_segment0 = 42;
 +				else if (channel <= 64)
 +					center_segment0 = 58;
 +				else if (channel <= 112)
 +					center_segment0 = 106;
 +				else if (channel <= 128)
 +					center_segment0 = 122;
 +				else if (channel <= 144)
 +					center_segment0 = 138;
 +				else if (channel <= 161)
 +					center_segment0 = 155;
 +				else if (channel <= 177)
 +					center_segment0 = 171;
 +				data->center_freq1 = 5000 + center_segment0 * 5;
 			}
 		}
 		break;
--- a/feeds/hostapd/hostapd/patches/900-coa.patch
+++ b/feeds/hostapd/hostapd/patches/900-coa.patch
--- a/feeds/hostapd/hostapd/patches/901-cfg-section.patch
+++ b/feeds/hostapd/hostapd/patches/901-cfg-section.patch
@@ -0,0 +1,37 @@
 Index: hostapd-2023-09-08-e5ccbfc6/hostapd/config_file.c
 ===================================================================
 --- hostapd-2023-09-08-e5ccbfc6.orig/hostapd/config_file.c
 +++ hostapd-2023-09-08-e5ccbfc6/hostapd/config_file.c
@@ -2345,6 +2345,8 @@ static int hostapd_config_fill(struct ho
 			return 1;
 		}
 		conf->driver = driver;
 +	} else if (os_strcmp(buf, "uci_section") == 0) {
 +		bss->uci_section = os_strdup(pos);
 	} else if (os_strcmp(buf, "driver_params") == 0) {
 		os_free(conf->driver_params);
 		conf->driver_params = os_strdup(pos);
 Index: hostapd-2023-09-08-e5ccbfc6/src/ap/ap_config.h
 ===================================================================
 --- hostapd-2023-09-08-e5ccbfc6.orig/src/ap/ap_config.h
 +++ hostapd-2023-09-08-e5ccbfc6/src/ap/ap_config.h
@@ -287,6 +287,7 @@ struct hostapd_bss_config {
 	char snoop_iface[IFNAMSIZ + 1];
 	char vlan_bridge[IFNAMSIZ + 1];
 	char wds_bridge[IFNAMSIZ + 1];
 +	char *uci_section;
 	int bridge_hairpin; /* hairpin_mode on bridge members */
 	enum hostapd_logger_level logger_syslog_level, logger_stdout_level;
 Index: hostapd-2023-09-08-e5ccbfc6/src/ap/ap_config.c
 ===================================================================
 --- hostapd-2023-09-08-e5ccbfc6.orig/src/ap/ap_config.c
 +++ hostapd-2023-09-08-e5ccbfc6/src/ap/ap_config.c
@@ -798,6 +798,7 @@ void hostapd_config_free_bss(struct host
 	os_free(conf->radius_req_attr_sqlite);
 	os_free(conf->rsn_preauth_interfaces);
 	os_free(conf->ctrl_interface);
 +	os_free(conf->uci_section);
 	os_free(conf->config_id);
 	os_free(conf->ca_cert);
 	os_free(conf->server_cert);
--- a/feeds/hostapd/hostapd/patches/901-coa-ubus.patch
+++ b/feeds/hostapd/hostapd/patches/901-coa-ubus.patch
--- a/feeds/hostapd/hostapd/patches/990-ctrl-make-WNM_AP-functions-dependant-on-CONFIG_AP.patch
+++ b/feeds/hostapd/hostapd/patches/990-ctrl-make-WNM_AP-functions-dependant-on-CONFIG_AP.patch
@@ -0,0 +1,33 @@
 From f0e9f5aab52b3eab85d28338cc996972ced4c39c Mon Sep 17 00:00:00 2001
 From: David Bauer <mail@david-bauer.net>
 Date: Tue, 17 May 2022 23:07:59 +0200
 Subject: [PATCH] ctrl: make WNM_AP functions dependant on CONFIG_AP
 This fixes linking errors found when compiling wpa_supplicant with
 CONFIG_WNM_AP enabled but CONFIG_AP disabled.
 Signed-off-by: David Bauer <mail@david-bauer.net>
 ---
 wpa_supplicant/ctrl_iface.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 --- a/wpa_supplicant/ctrl_iface.c
 +++ b/wpa_supplicant/ctrl_iface.c
@@ -12763,7 +12763,7 @@ char * wpa_supplicant_ctrl_iface_process
 		if (wpas_ctrl_iface_coloc_intf_report(wpa_s, buf + 18))
 			reply_len = -1;
 #endif /* CONFIG_WNM */
 -#ifdef CONFIG_WNM_AP
 +#if defined(CONFIG_AP) && defined(CONFIG_WNM_AP)
 	} else if (os_strncmp(buf, "DISASSOC_IMMINENT ", 18) == 0) {
 		if (ap_ctrl_iface_disassoc_imminent(wpa_s, buf + 18))
 			reply_len = -1;
@@ -12773,7 +12773,7 @@ char * wpa_supplicant_ctrl_iface_process
 	} else if (os_strncmp(buf, "BSS_TM_REQ ", 11) == 0) {
 		if (ap_ctrl_iface_bss_tm_req(wpa_s, buf + 11))
 			reply_len = -1;
 -#endif /* CONFIG_WNM_AP */
 +#endif /* CONFIG_AP && CONFIG_WNM_AP */
 	} else if (os_strcmp(buf, "FLUSH") == 0) {
 		wpa_supplicant_ctrl_iface_flush(wpa_s);
 	} else if (os_strncmp(buf, "RADIO_WORK ", 11) == 0) {
--- a/feeds/hostapd/hostapd/patches/991-Fix-OpenWrt-13156.patch
+++ b/feeds/hostapd/hostapd/patches/991-Fix-OpenWrt-13156.patch
@@ -0,0 +1,63 @@
 From 26cd9bafc1d25e602952ee86cd2a5b8c3a995490 Mon Sep 17 00:00:00 2001
 From: Stijn Tintel <stijn@linux-ipv6.be>
 Date: Fri, 28 Jul 2023 16:27:47 +0300
 Subject: [PATCH] Revert "Do prune_association only after the STA is
 authorized"
 Commit e978072baaca ("Do prune_association only after the STA is
 authorized") causes issues when an STA roams from one interface to
 another interface on the same PHY. The mt7915 driver is not able to
 handle this properly. While the commits fixes a DoS, there are other
 devices and drivers with the same limitation, so revert to the orginal
 behavior for now, until we have a better solution in place.
 Ref: https://github.com/openwrt/openwrt/issues/13156
 Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
 ---
 src/ap/hostapd.c  | 14 +++++++++++---
 src/ap/sta_info.c |  3 ---
 2 files changed, 11 insertions(+), 6 deletions(-)
 --- a/src/ap/hostapd.c
 +++ b/src/ap/hostapd.c
@@ -3564,6 +3564,8 @@ int hostapd_remove_iface(struct hapd_int
 void hostapd_new_assoc_sta(struct hostapd_data *hapd, struct sta_info *sta,
 			   int reassoc)
 {
 +	int mld_assoc_link_id = -1;
 +
 	if (hapd->tkip_countermeasures) {
 		hostapd_drv_sta_deauth(hapd, sta->addr,
 				       WLAN_REASON_MICHAEL_MIC_FAILURE);
@@ -3571,10 +3573,16 @@ void hostapd_new_assoc_sta(struct hostap
 	}
 #ifdef CONFIG_IEEE80211BE
 -	if (hapd->conf->mld_ap && sta->mld_info.mld_sta &&
 -	    sta->mld_assoc_link_id != hapd->mld_link_id)
 -		return;
 +	if (hapd->conf->mld_ap && sta->mld_info.mld_sta) {
 +		if (sta->mld_assoc_link_id == hapd->mld_link_id) {
 +			mld_assoc_link_id = sta->mld_assoc_link_id;
 +		} else {
 +			return;
 +		}
 +	}
 #endif /* CONFIG_IEEE80211BE */
 +        if (mld_assoc_link_id != -2)
 +		hostapd_prune_associations(hapd, sta->addr, mld_assoc_link_id);
 	ap_sta_clear_disconnect_timeouts(hapd, sta);
 	sta->post_csa_sa_query = 0;
 --- a/src/ap/sta_info.c
 +++ b/src/ap/sta_info.c
@@ -1318,9 +1318,6 @@ void ap_sta_set_authorized(struct hostap
 				mld_assoc_link_id = -2;
 		}
 #endif /* CONFIG_IEEE80211BE */
 -		if (mld_assoc_link_id != -2)
 -			hostapd_prune_associations(hapd, sta->addr,
 -						   mld_assoc_link_id);
 		sta->flags |= WLAN_STA_AUTHORIZED;
 	} else {
 		sta->flags &= ~WLAN_STA_AUTHORIZED;
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,2 @@`
							`#!/bin/sh`
							`[ "$1" = bound ] && echo "$serverid"`