Discussion: Moving WPA_SUPPLICANT out of base and into dports
John Marino
dragonflybsd at marino.st
Sun Oct 12 15:20:05 PDT 2014
On 10/12/2014 17:45, Matthew Dillon wrote:
> I think wpa_supplicant really has to stay in base. Many new laptops,
> particularly chromebooks, do not have hard ethernet ports any more.
> They only have wifi. So if it isn't in base the person installing
> dragonfly is kinda screwed.
>
> While we could pre-install it like we do git, the plain fact of the
> matter is that the program is so absolutely essential these days
> to being able to get a network up and running on a new user box that I
> just don't want there to be any possibility that it is not there.
We're doing an awful job at keeping such an essential s/w up to date
then. I think adding hostapd and wpa_supplicant to nrelease would be
fine since it guarantees that the packages will be installed and
probably cached.
How is DF getting installed on a port-less machine anyway?
USB-connected CDROM drive? I assume a dports package could be pulled in
via the same mechanism if necessary.
> So our only choice is to either keep it as part of the base build, or
> to build it from dports as part of the buildworld/installworld (and not
> as part of the nrelease build). And that has its own problems.
I spent several hours bringing security/wpa_supplicant back to ports (I
brought in net/hostapd earlier). I converted everything into dozens of
options. The ones that are "on" are enabled by default in our base, the
ones that are "off" are not really available via base.
http://www.freshports.org/security/wpa_supplicant/
===> Configuration options are available for wpa_supplicant-2.3:
DEBUG_FILE=off: Support for writing debug log to a file
DEBUG_SYSLOG=on: Send debug messages to syslog instead of stdout
DELAYED_MIC=off: Mitigate TKIP attack, random delay on MIC errors
HS20=on: Hotspot 2.0
HT_OVERRIDES=off: Disable HT/HT40, mask MCS rates, etc
IEEE80211AC=off: Very High Throughput, AP mode (IEEE 802.11ac)
IEEE80211N=off: High Throughput, AP mode (IEEE 802.11n)
IEEE80211R=on: Fast BSS Transition (IEEE 802.11r-2008)
IEEE80211W=off: Management Frame Protection (IEEE 802.11w)
INTERWORKING=on: Improve ext. network interworking (IEEE 802.11u)
NO_ROAMING=off: Disable roaming
P2P=off: Peer-to-Peer support
PKCS12=on: PKCS#12 (PFS) support
PRIVSEP=on: Privilege separation
SMARTCARD=on: Private key on smartcard support
TDLS=off: Tunneled Direct Link Setup
TLSV12=off: Build with TLS v1.2 instead of TLS v1.0
VHT_OVERRIDES=off: Disable VHT, mask MCS rates, etc
WPS=on: Wi-Fi Protected Setup
WPS_ER=off: Enable WPS External Registrar
WPS_NFC=off: Near Field Communication (NFC) configuration
WPS_NOREG=off: Disable open network credentials when registrar
====> Driver options: you have to choose at least one of them
BSD=on: BSD net80211 interface
WIRED=on: Wired ethernet interface
NDIS=on: Windows NDIS interface
TEST=off: Development testing interface
NONE=off: The 'no driver' interface, e.g. WPS ER only
====> Extensible Authentication Protocols: you have to choose at least
one of them
TLS=on: Transport Layer Security
PEAP=on: Protected Extensible Authentication Protocol
TTLS=on: Tunneled Transport Layer Security
MD5=on: MD5 hash (deprecated, no key generation)
MSCHAPv2=on: Microsoft CHAP version 2 (RFC 2759)
GTC=on: Generic Token Card
LEAP=on: Lightweight Extensible Authentication Protocol
OTP=on: One-Time Password
PSK=on: Pre-Shared key
FAST=off: Flexible Authentication via Secure Tunneling
SIM=off: Subscriber Identity Module
PWD=off: Shared password (RFC 5931)
PAX=off: Password Authenticated Exchange
AKA=off: Autentication and Key Agreement (UMTS)
AKA_PRIME=off: AKA Prime variant (RFC 5448)
SAKE=off: Shared-Secret Authentication & Key Establishment
GPSK=off: Generalized Pre-Shared Key
TNC=off: Trusted Network Connect
IKEv2=off: Internet Key Exchange version 2
EKE=off: Encrypted Key Exchange
I also brought in the conversion to pidfiles from FreeBSD ("convert to
using pidfile... This prevents multiple wpa_supplicants running at the
same time causing problems w/ wifi not working.")
Fixes like that could be quickly added to the port and made available
immediately. Base versions are always much less agile and WPA
Supplicant has been getting new releases every 4 months.
At least adding this port makes the update of WPA_SUPPLICANT in base a
little bit easier since the log tells us which object files are needed,
but the CFLAGS are invisible and thus still tedious. I've already spent
too much time on vendor/WPA_SUPPLICANT, so I'm not going to mess with it
any more since the port is available. Somebody else will have to tend to
those branches if a version later than 2.1 is desired in base.
John
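The option dump quoted above is what a reviewer would actually read for security posture: MD5 and LEAP are on by default, Management Frame Protection (IEEE80211W) and TLSV12 are off. The following script is an added example, not code from the thread or from the port; it parses that `KEY=on|off: description` format and checks it against a small policy table that is the editor's own assumption, not anything the port defines. The embedded dump is a constructed excerpt of the lines quoted in the message.

```python
"""Audit a wpa_supplicant port option dump for security-relevant defaults.

Added example, not part of the original mailing-list thread. OPTION_DUMP is
a constructed excerpt of the option list quoted in the message; POLICY is
the editor's assumption about which settings merit a second look.
"""
import re

# Constructed excerpt of the option dump quoted in the message.
OPTION_DUMP = """\
===> Configuration options are available for wpa_supplicant-2.3:
DEBUG_SYSLOG=on: Send debug messages to syslog instead of stdout
IEEE80211W=off: Management Frame Protection (IEEE 802.11w)
PRIVSEP=on: Privilege separation
TLSV12=off: Build with TLS v1.2 instead of TLS v1.0
====> Extensible Authentication Protocols: you have to choose at least
one of them
TLS=on: Transport Layer Security
MD5=on: MD5 hash (deprecated, no key generation)
MSCHAPv2=on: Microsoft CHAP version 2 (RFC 2759)
LEAP=on: Lightweight Extensible Authentication Protocol
PSK=on: Pre-Shared key
"""

# One option per line: NAME=on|off: description. Header lines ("===>") and
# wrapped header text ("one of them") do not match and are skipped.
OPTION_RE = re.compile(r"^([A-Za-z0-9_]+)=(on|off):\s*(.*)$")


def parse_options(dump: str) -> dict:
    """Return {NAME: (enabled, description)} parsed from a port options dump."""
    opts = {}
    for line in dump.splitlines():
        m = OPTION_RE.match(line.strip())
        if m:
            name, state, desc = m.groups()
            opts[name] = (state == "on", desc)
    return opts


# Editor's policy (assumption, not from the port): option name, the state
# that counts as a finding (True = "on" is the finding), and the reason.
POLICY = [
    ("MD5", True, "EAP-MD5 is deprecated and derives no keying material "
                  "(the port's own description says so)"),
    ("LEAP", True, "LEAP challenge/response is a legacy method vulnerable "
                   "to offline dictionary attack"),
    ("IEEE80211W", False, "Management Frame Protection off: deauth/disassoc "
                          "frames are unauthenticated"),
    ("TLSV12", False, "EAP-TLS/PEAP/TTLS tunnels built against TLS 1.0"),
    ("PRIVSEP", False, "privilege separation disabled"),
]


def audit(opts: dict) -> list:
    """Return [(option, message)] for every POLICY entry matched by opts."""
    findings = []
    for name, bad_state, why in POLICY:
        if name in opts and opts[name][0] == bad_state:
            state = "on" if bad_state else "off"
            findings.append((name, f"{name}={state}: {why}"))
    return findings


if __name__ == "__main__":
    for _, msg in audit(parse_options(OPTION_DUMP)):
        print(msg)
```

Run against the full dump from the message it reports the four defaults named in the lead-in; PRIVSEP is on in the dump, so it produces no finding. The policy is deliberately a data table so a site can extend it (for example flagging `WPS=on`) without touching the parser.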