From: Gordon Tetlow
Date: Tue, 14 May 2019 22:59:33 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r347588 - in releng/11.2: contrib/wpa contrib/wpa/hostapd contrib/wpa/hs20/client contrib/wpa/patches contrib/wpa/src/ap contrib/wpa/src/common contrib/wpa/src/crypto contrib/wpa/src/dr...

Author: gordon
Date: Tue May 14 22:59:32 2019
New Revision: 347588
URL: https://svnweb.freebsd.org/changeset/base/347588

Log:
  Update hostapd/wpa_supplicant to 2.8 to fix multiple vulnerabilities.

  Approved by: so
  Security: FreeBSD-SA-19:03.wpa
  Security: CVE-2019-9494
  Security: CVE-2019-9495
  Security: CVE-2019-9496
  Security: CVE-2019-9497
  Security: CVE-2019-9498
  Security: CVE-2019-9499
  Security: CVE-2019-11555

Added:
releng/11.2/contrib/wpa/hostapd/README-MULTI-AP releng/11.2/contrib/wpa/src/ap/dpp_hostapd.c releng/11.2/contrib/wpa/src/ap/dpp_hostapd.h releng/11.2/contrib/wpa/src/ap/eth_p_oui.c releng/11.2/contrib/wpa/src/ap/eth_p_oui.h releng/11.2/contrib/wpa/src/ap/fils_hlp.c releng/11.2/contrib/wpa/src/ap/fils_hlp.h releng/11.2/contrib/wpa/src/ap/gas_query_ap.c releng/11.2/contrib/wpa/src/ap/gas_query_ap.h releng/11.2/contrib/wpa/src/ap/ieee802_11_he.c releng/11.2/contrib/wpa/src/ap/mbo_ap.c releng/11.2/contrib/wpa/src/ap/mbo_ap.h releng/11.2/contrib/wpa/src/ap/neighbor_db.c releng/11.2/contrib/wpa/src/ap/neighbor_db.h releng/11.2/contrib/wpa/src/ap/rrm.c releng/11.2/contrib/wpa/src/ap/rrm.h releng/11.2/contrib/wpa/src/ap/taxonomy.c releng/11.2/contrib/wpa/src/ap/taxonomy.h releng/11.2/contrib/wpa/src/ap/vlan.c releng/11.2/contrib/wpa/src/ap/vlan.h releng/11.2/contrib/wpa/src/ap/vlan_full.c releng/11.2/contrib/wpa/src/ap/vlan_ifconfig.c releng/11.2/contrib/wpa/src/ap/vlan_ioctl.c releng/11.2/contrib/wpa/src/common/cli.c releng/11.2/contrib/wpa/src/common/cli.h releng/11.2/contrib/wpa/src/common/ctrl_iface_common.c releng/11.2/contrib/wpa/src/common/ctrl_iface_common.h releng/11.2/contrib/wpa/src/common/dhcp.h releng/11.2/contrib/wpa/src/common/dpp.c releng/11.2/contrib/wpa/src/common/dpp.h releng/11.2/contrib/wpa/src/common/gas_server.c releng/11.2/contrib/wpa/src/common/gas_server.h releng/11.2/contrib/wpa/src/common/ocv.c releng/11.2/contrib/wpa/src/common/ocv.h releng/11.2/contrib/wpa/src/crypto/crypto_linux.c releng/11.2/contrib/wpa/src/crypto/crypto_nettle.c releng/11.2/contrib/wpa/src/crypto/crypto_wolfssl.c releng/11.2/contrib/wpa/src/crypto/fips_prf_wolfssl.c releng/11.2/contrib/wpa/src/crypto/sha384-internal.c
releng/11.2/contrib/wpa/src/crypto/sha384-kdf.c releng/11.2/contrib/wpa/src/crypto/sha384.c releng/11.2/contrib/wpa/src/crypto/sha384_i.h releng/11.2/contrib/wpa/src/crypto/sha512-internal.c releng/11.2/contrib/wpa/src/crypto/sha512-kdf.c releng/11.2/contrib/wpa/src/crypto/sha512-prf.c releng/11.2/contrib/wpa/src/crypto/sha512.c releng/11.2/contrib/wpa/src/crypto/sha512.h releng/11.2/contrib/wpa/src/crypto/sha512_i.h releng/11.2/contrib/wpa/src/crypto/tls_openssl.h releng/11.2/contrib/wpa/src/crypto/tls_openssl_ocsp.c releng/11.2/contrib/wpa/src/crypto/tls_wolfssl.c releng/11.2/contrib/wpa/src/drivers/driver_macsec_linux.c releng/11.2/contrib/wpa/src/drivers/driver_wired_common.c releng/11.2/contrib/wpa/src/drivers/driver_wired_common.h releng/11.2/contrib/wpa/src/tls/tlsv1_client_ocsp.c releng/11.2/contrib/wpa/src/utils/const_time.h releng/11.2/contrib/wpa/src/utils/crc32.c releng/11.2/contrib/wpa/src/utils/crc32.h releng/11.2/contrib/wpa/src/utils/json.c releng/11.2/contrib/wpa/src/utils/json.h releng/11.2/contrib/wpa/src/utils/module_tests.h releng/11.2/contrib/wpa/wpa_supplicant/Android.mk releng/11.2/contrib/wpa/wpa_supplicant/README-DPP releng/11.2/contrib/wpa/wpa_supplicant/README-Windows.txt releng/11.2/contrib/wpa/wpa_supplicant/android.config releng/11.2/contrib/wpa/wpa_supplicant/binder/ releng/11.2/contrib/wpa/wpa_supplicant/binder/.clang-format releng/11.2/contrib/wpa/wpa_supplicant/binder/binder.cpp releng/11.2/contrib/wpa/wpa_supplicant/binder/binder.h releng/11.2/contrib/wpa/wpa_supplicant/binder/binder_constants.cpp releng/11.2/contrib/wpa/wpa_supplicant/binder/binder_constants.h releng/11.2/contrib/wpa/wpa_supplicant/binder/binder_i.h releng/11.2/contrib/wpa/wpa_supplicant/binder/binder_manager.cpp releng/11.2/contrib/wpa/wpa_supplicant/binder/binder_manager.h releng/11.2/contrib/wpa/wpa_supplicant/binder/fi/ releng/11.2/contrib/wpa/wpa_supplicant/binder/fi/w1/ releng/11.2/contrib/wpa/wpa_supplicant/binder/fi/w1/wpa_supplicant/ 
releng/11.2/contrib/wpa/wpa_supplicant/binder/fi/w1/wpa_supplicant/IIface.aidl releng/11.2/contrib/wpa/wpa_supplicant/binder/fi/w1/wpa_supplicant/ISupplicant.aidl releng/11.2/contrib/wpa/wpa_supplicant/binder/fi/w1/wpa_supplicant/ISupplicantCallbacks.aidl releng/11.2/contrib/wpa/wpa_supplicant/binder/iface.cpp releng/11.2/contrib/wpa/wpa_supplicant/binder/iface.h releng/11.2/contrib/wpa/wpa_supplicant/binder/supplicant.cpp releng/11.2/contrib/wpa/wpa_supplicant/binder/supplicant.h releng/11.2/contrib/wpa/wpa_supplicant/dpp_supplicant.c releng/11.2/contrib/wpa/wpa_supplicant/dpp_supplicant.h releng/11.2/contrib/wpa/wpa_supplicant/examples/dpp-qrcode.py releng/11.2/contrib/wpa/wpa_supplicant/libwpa_test.c releng/11.2/contrib/wpa/wpa_supplicant/mbo.c releng/11.2/contrib/wpa/wpa_supplicant/op_classes.c releng/11.2/contrib/wpa/wpa_supplicant/rrm.c releng/11.2/contrib/wpa/wpa_supplicant/systemd/ releng/11.2/contrib/wpa/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in releng/11.2/contrib/wpa/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in releng/11.2/contrib/wpa/wpa_supplicant/systemd/wpa_supplicant.service.arg.in releng/11.2/contrib/wpa/wpa_supplicant/systemd/wpa_supplicant.service.in releng/11.2/contrib/wpa/wpa_supplicant/vs2005/ releng/11.2/contrib/wpa/wpa_supplicant/vs2005/eapol_test/ releng/11.2/contrib/wpa/wpa_supplicant/vs2005/eapol_test/eapol_test.vcproj releng/11.2/contrib/wpa/wpa_supplicant/vs2005/win_if_list/ releng/11.2/contrib/wpa/wpa_supplicant/vs2005/win_if_list/win_if_list.vcproj releng/11.2/contrib/wpa/wpa_supplicant/vs2005/wpa_cli/ releng/11.2/contrib/wpa/wpa_supplicant/vs2005/wpa_cli/wpa_cli.vcproj releng/11.2/contrib/wpa/wpa_supplicant/vs2005/wpa_passphrase/ releng/11.2/contrib/wpa/wpa_supplicant/vs2005/wpa_passphrase/wpa_passphrase.vcproj releng/11.2/contrib/wpa/wpa_supplicant/vs2005/wpa_supplicant/ releng/11.2/contrib/wpa/wpa_supplicant/vs2005/wpa_supplicant.sln 
releng/11.2/contrib/wpa/wpa_supplicant/vs2005/wpa_supplicant/wpa_supplicant.vcproj releng/11.2/contrib/wpa/wpa_supplicant/vs2005/wpasvc/ releng/11.2/contrib/wpa/wpa_supplicant/vs2005/wpasvc/wpasvc.vcproj

Deleted:
releng/11.2/contrib/wpa/patches/ releng/11.2/contrib/wpa/src/ap/peerkey_auth.c releng/11.2/contrib/wpa/src/rsn_supp/peerkey.c releng/11.2/contrib/wpa/src/rsn_supp/peerkey.h releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_old.c releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_old.h releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_old_handlers.c releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_old_handlers.h releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_old_handlers_wps.c releng/11.2/contrib/wpa/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in releng/11.2/contrib/wpa/wpa_supplicant/examples/wpas-test.py releng/11.2/contrib/wpa/wpa_supplicant/tests/

Modified:
releng/11.2/contrib/wpa/CONTRIBUTIONS releng/11.2/contrib/wpa/COPYING releng/11.2/contrib/wpa/README releng/11.2/contrib/wpa/hostapd/ChangeLog releng/11.2/contrib/wpa/hostapd/README releng/11.2/contrib/wpa/hostapd/config_file.c releng/11.2/contrib/wpa/hostapd/config_file.h releng/11.2/contrib/wpa/hostapd/ctrl_iface.c releng/11.2/contrib/wpa/hostapd/defconfig releng/11.2/contrib/wpa/hostapd/hapd_module_tests.c releng/11.2/contrib/wpa/hostapd/hlr_auc_gw.c releng/11.2/contrib/wpa/hostapd/hostapd.conf releng/11.2/contrib/wpa/hostapd/hostapd.eap_user_sqlite releng/11.2/contrib/wpa/hostapd/hostapd.wpa_psk releng/11.2/contrib/wpa/hostapd/hostapd_cli.c releng/11.2/contrib/wpa/hostapd/main.c releng/11.2/contrib/wpa/hostapd/wps-ap-nfc.py releng/11.2/contrib/wpa/hs20/client/Android.mk releng/11.2/contrib/wpa/hs20/client/Makefile releng/11.2/contrib/wpa/hs20/client/est.c releng/11.2/contrib/wpa/hs20/client/oma_dm_client.c releng/11.2/contrib/wpa/hs20/client/osu_client.c releng/11.2/contrib/wpa/hs20/client/osu_client.h releng/11.2/contrib/wpa/src/ap/accounting.c
releng/11.2/contrib/wpa/src/ap/accounting.h releng/11.2/contrib/wpa/src/ap/acs.c releng/11.2/contrib/wpa/src/ap/acs.h releng/11.2/contrib/wpa/src/ap/ap_config.c releng/11.2/contrib/wpa/src/ap/ap_config.h releng/11.2/contrib/wpa/src/ap/ap_drv_ops.c releng/11.2/contrib/wpa/src/ap/ap_drv_ops.h releng/11.2/contrib/wpa/src/ap/ap_mlme.c releng/11.2/contrib/wpa/src/ap/authsrv.c releng/11.2/contrib/wpa/src/ap/beacon.c releng/11.2/contrib/wpa/src/ap/beacon.h releng/11.2/contrib/wpa/src/ap/bss_load.c releng/11.2/contrib/wpa/src/ap/ctrl_iface_ap.c releng/11.2/contrib/wpa/src/ap/ctrl_iface_ap.h releng/11.2/contrib/wpa/src/ap/dfs.c releng/11.2/contrib/wpa/src/ap/dfs.h releng/11.2/contrib/wpa/src/ap/dhcp_snoop.c releng/11.2/contrib/wpa/src/ap/drv_callbacks.c releng/11.2/contrib/wpa/src/ap/eap_user_db.c releng/11.2/contrib/wpa/src/ap/gas_serv.c releng/11.2/contrib/wpa/src/ap/gas_serv.h releng/11.2/contrib/wpa/src/ap/hostapd.c releng/11.2/contrib/wpa/src/ap/hostapd.h releng/11.2/contrib/wpa/src/ap/hs20.c releng/11.2/contrib/wpa/src/ap/hs20.h releng/11.2/contrib/wpa/src/ap/hw_features.c releng/11.2/contrib/wpa/src/ap/iapp.c releng/11.2/contrib/wpa/src/ap/ieee802_11.c releng/11.2/contrib/wpa/src/ap/ieee802_11.h releng/11.2/contrib/wpa/src/ap/ieee802_11_auth.c releng/11.2/contrib/wpa/src/ap/ieee802_11_auth.h releng/11.2/contrib/wpa/src/ap/ieee802_11_ht.c releng/11.2/contrib/wpa/src/ap/ieee802_11_shared.c releng/11.2/contrib/wpa/src/ap/ieee802_11_vht.c releng/11.2/contrib/wpa/src/ap/ieee802_1x.c releng/11.2/contrib/wpa/src/ap/ieee802_1x.h releng/11.2/contrib/wpa/src/ap/ndisc_snoop.c releng/11.2/contrib/wpa/src/ap/pmksa_cache_auth.c releng/11.2/contrib/wpa/src/ap/pmksa_cache_auth.h releng/11.2/contrib/wpa/src/ap/sta_info.c releng/11.2/contrib/wpa/src/ap/sta_info.h releng/11.2/contrib/wpa/src/ap/tkip_countermeasures.c releng/11.2/contrib/wpa/src/ap/vlan_init.c releng/11.2/contrib/wpa/src/ap/vlan_init.h releng/11.2/contrib/wpa/src/ap/vlan_util.c releng/11.2/contrib/wpa/src/ap/vlan_util.h 
releng/11.2/contrib/wpa/src/ap/wmm.c releng/11.2/contrib/wpa/src/ap/wnm_ap.c releng/11.2/contrib/wpa/src/ap/wnm_ap.h releng/11.2/contrib/wpa/src/ap/wpa_auth.c releng/11.2/contrib/wpa/src/ap/wpa_auth.h releng/11.2/contrib/wpa/src/ap/wpa_auth_ft.c releng/11.2/contrib/wpa/src/ap/wpa_auth_glue.c releng/11.2/contrib/wpa/src/ap/wpa_auth_i.h releng/11.2/contrib/wpa/src/ap/wpa_auth_ie.c releng/11.2/contrib/wpa/src/ap/wpa_auth_ie.h releng/11.2/contrib/wpa/src/ap/wps_hostapd.c releng/11.2/contrib/wpa/src/common/common_module_tests.c releng/11.2/contrib/wpa/src/common/defs.h releng/11.2/contrib/wpa/src/common/eapol_common.h releng/11.2/contrib/wpa/src/common/gas.c releng/11.2/contrib/wpa/src/common/gas.h releng/11.2/contrib/wpa/src/common/hw_features_common.c releng/11.2/contrib/wpa/src/common/hw_features_common.h releng/11.2/contrib/wpa/src/common/ieee802_11_common.c releng/11.2/contrib/wpa/src/common/ieee802_11_common.h releng/11.2/contrib/wpa/src/common/ieee802_11_defs.h releng/11.2/contrib/wpa/src/common/ieee802_1x_defs.h releng/11.2/contrib/wpa/src/common/privsep_commands.h releng/11.2/contrib/wpa/src/common/qca-vendor.h releng/11.2/contrib/wpa/src/common/sae.c releng/11.2/contrib/wpa/src/common/sae.h releng/11.2/contrib/wpa/src/common/version.h releng/11.2/contrib/wpa/src/common/wpa_common.c releng/11.2/contrib/wpa/src/common/wpa_common.h releng/11.2/contrib/wpa/src/common/wpa_ctrl.c releng/11.2/contrib/wpa/src/common/wpa_ctrl.h releng/11.2/contrib/wpa/src/common/wpa_helpers.c releng/11.2/contrib/wpa/src/crypto/aes-cbc.c releng/11.2/contrib/wpa/src/crypto/aes-ctr.c releng/11.2/contrib/wpa/src/crypto/aes-internal-dec.c releng/11.2/contrib/wpa/src/crypto/aes-internal-enc.c releng/11.2/contrib/wpa/src/crypto/aes-omac1.c releng/11.2/contrib/wpa/src/crypto/aes-siv.c releng/11.2/contrib/wpa/src/crypto/aes.h releng/11.2/contrib/wpa/src/crypto/aes_siv.h releng/11.2/contrib/wpa/src/crypto/aes_wrap.h releng/11.2/contrib/wpa/src/crypto/crypto.h 
releng/11.2/contrib/wpa/src/crypto/crypto_gnutls.c releng/11.2/contrib/wpa/src/crypto/crypto_internal-modexp.c releng/11.2/contrib/wpa/src/crypto/crypto_internal.c releng/11.2/contrib/wpa/src/crypto/crypto_libtomcrypt.c releng/11.2/contrib/wpa/src/crypto/crypto_module_tests.c releng/11.2/contrib/wpa/src/crypto/crypto_none.c releng/11.2/contrib/wpa/src/crypto/crypto_openssl.c releng/11.2/contrib/wpa/src/crypto/des-internal.c releng/11.2/contrib/wpa/src/crypto/dh_group5.c releng/11.2/contrib/wpa/src/crypto/dh_groups.c releng/11.2/contrib/wpa/src/crypto/fips_prf_openssl.c releng/11.2/contrib/wpa/src/crypto/md4-internal.c releng/11.2/contrib/wpa/src/crypto/md5-internal.c releng/11.2/contrib/wpa/src/crypto/ms_funcs.c releng/11.2/contrib/wpa/src/crypto/ms_funcs.h releng/11.2/contrib/wpa/src/crypto/random.c releng/11.2/contrib/wpa/src/crypto/sha1-internal.c releng/11.2/contrib/wpa/src/crypto/sha1-tlsprf.c releng/11.2/contrib/wpa/src/crypto/sha256-internal.c releng/11.2/contrib/wpa/src/crypto/sha256-kdf.c releng/11.2/contrib/wpa/src/crypto/sha256-prf.c releng/11.2/contrib/wpa/src/crypto/sha256.h releng/11.2/contrib/wpa/src/crypto/sha384-prf.c releng/11.2/contrib/wpa/src/crypto/sha384.h releng/11.2/contrib/wpa/src/crypto/tls.h releng/11.2/contrib/wpa/src/crypto/tls_gnutls.c releng/11.2/contrib/wpa/src/crypto/tls_internal.c releng/11.2/contrib/wpa/src/crypto/tls_none.c releng/11.2/contrib/wpa/src/crypto/tls_openssl.c releng/11.2/contrib/wpa/src/drivers/driver.h releng/11.2/contrib/wpa/src/drivers/driver_bsd.c releng/11.2/contrib/wpa/src/drivers/driver_common.c releng/11.2/contrib/wpa/src/drivers/driver_macsec_qca.c releng/11.2/contrib/wpa/src/drivers/driver_ndis.c releng/11.2/contrib/wpa/src/drivers/driver_nl80211.h releng/11.2/contrib/wpa/src/drivers/driver_nl80211_capa.c releng/11.2/contrib/wpa/src/drivers/driver_nl80211_event.c releng/11.2/contrib/wpa/src/drivers/driver_nl80211_monitor.c releng/11.2/contrib/wpa/src/drivers/driver_nl80211_scan.c 
releng/11.2/contrib/wpa/src/drivers/driver_openbsd.c releng/11.2/contrib/wpa/src/drivers/driver_privsep.c releng/11.2/contrib/wpa/src/drivers/driver_wired.c releng/11.2/contrib/wpa/src/drivers/drivers.c releng/11.2/contrib/wpa/src/eap_common/eap_eke_common.c releng/11.2/contrib/wpa/src/eap_common/eap_fast_common.c releng/11.2/contrib/wpa/src/eap_common/eap_fast_common.h releng/11.2/contrib/wpa/src/eap_common/eap_gpsk_common.c releng/11.2/contrib/wpa/src/eap_common/eap_pax_common.c releng/11.2/contrib/wpa/src/eap_common/eap_pwd_common.c releng/11.2/contrib/wpa/src/eap_common/eap_pwd_common.h releng/11.2/contrib/wpa/src/eap_common/eap_sake_common.c releng/11.2/contrib/wpa/src/eap_common/eap_sake_common.h releng/11.2/contrib/wpa/src/eap_common/eap_sim_common.c releng/11.2/contrib/wpa/src/eap_common/ikev2_common.c releng/11.2/contrib/wpa/src/eap_peer/eap.c releng/11.2/contrib/wpa/src/eap_peer/eap.h releng/11.2/contrib/wpa/src/eap_peer/eap_aka.c releng/11.2/contrib/wpa/src/eap_peer/eap_config.h releng/11.2/contrib/wpa/src/eap_peer/eap_eke.c releng/11.2/contrib/wpa/src/eap_peer/eap_fast.c releng/11.2/contrib/wpa/src/eap_peer/eap_fast_pac.c releng/11.2/contrib/wpa/src/eap_peer/eap_gpsk.c releng/11.2/contrib/wpa/src/eap_peer/eap_gtc.c releng/11.2/contrib/wpa/src/eap_peer/eap_i.h releng/11.2/contrib/wpa/src/eap_peer/eap_ikev2.c releng/11.2/contrib/wpa/src/eap_peer/eap_leap.c releng/11.2/contrib/wpa/src/eap_peer/eap_md5.c releng/11.2/contrib/wpa/src/eap_peer/eap_methods.c releng/11.2/contrib/wpa/src/eap_peer/eap_methods.h releng/11.2/contrib/wpa/src/eap_peer/eap_mschapv2.c releng/11.2/contrib/wpa/src/eap_peer/eap_otp.c releng/11.2/contrib/wpa/src/eap_peer/eap_pax.c releng/11.2/contrib/wpa/src/eap_peer/eap_peap.c releng/11.2/contrib/wpa/src/eap_peer/eap_proxy.h releng/11.2/contrib/wpa/src/eap_peer/eap_proxy_dummy.c releng/11.2/contrib/wpa/src/eap_peer/eap_psk.c releng/11.2/contrib/wpa/src/eap_peer/eap_pwd.c releng/11.2/contrib/wpa/src/eap_peer/eap_sake.c 
releng/11.2/contrib/wpa/src/eap_peer/eap_sim.c releng/11.2/contrib/wpa/src/eap_peer/eap_tls.c releng/11.2/contrib/wpa/src/eap_peer/eap_tls_common.c releng/11.2/contrib/wpa/src/eap_peer/eap_tls_common.h releng/11.2/contrib/wpa/src/eap_peer/eap_tnc.c releng/11.2/contrib/wpa/src/eap_peer/eap_ttls.c releng/11.2/contrib/wpa/src/eap_peer/eap_vendor_test.c releng/11.2/contrib/wpa/src/eap_peer/eap_wsc.c releng/11.2/contrib/wpa/src/eap_peer/ikev2.c releng/11.2/contrib/wpa/src/eap_peer/tncc.c releng/11.2/contrib/wpa/src/eap_server/eap.h releng/11.2/contrib/wpa/src/eap_server/eap_i.h releng/11.2/contrib/wpa/src/eap_server/eap_methods.h releng/11.2/contrib/wpa/src/eap_server/eap_server.c releng/11.2/contrib/wpa/src/eap_server/eap_server_aka.c releng/11.2/contrib/wpa/src/eap_server/eap_server_eke.c releng/11.2/contrib/wpa/src/eap_server/eap_server_fast.c releng/11.2/contrib/wpa/src/eap_server/eap_server_gpsk.c releng/11.2/contrib/wpa/src/eap_server/eap_server_gtc.c releng/11.2/contrib/wpa/src/eap_server/eap_server_identity.c releng/11.2/contrib/wpa/src/eap_server/eap_server_ikev2.c releng/11.2/contrib/wpa/src/eap_server/eap_server_md5.c releng/11.2/contrib/wpa/src/eap_server/eap_server_methods.c releng/11.2/contrib/wpa/src/eap_server/eap_server_mschapv2.c releng/11.2/contrib/wpa/src/eap_server/eap_server_pax.c releng/11.2/contrib/wpa/src/eap_server/eap_server_peap.c releng/11.2/contrib/wpa/src/eap_server/eap_server_psk.c releng/11.2/contrib/wpa/src/eap_server/eap_server_pwd.c releng/11.2/contrib/wpa/src/eap_server/eap_server_sake.c releng/11.2/contrib/wpa/src/eap_server/eap_server_sim.c releng/11.2/contrib/wpa/src/eap_server/eap_server_tls.c releng/11.2/contrib/wpa/src/eap_server/eap_server_tls_common.c releng/11.2/contrib/wpa/src/eap_server/eap_server_tnc.c releng/11.2/contrib/wpa/src/eap_server/eap_server_ttls.c releng/11.2/contrib/wpa/src/eap_server/eap_server_vendor_test.c releng/11.2/contrib/wpa/src/eap_server/eap_server_wsc.c 
releng/11.2/contrib/wpa/src/eap_server/eap_sim_db.c releng/11.2/contrib/wpa/src/eap_server/eap_sim_db.h releng/11.2/contrib/wpa/src/eap_server/eap_tls_common.h releng/11.2/contrib/wpa/src/eap_server/ikev2.c releng/11.2/contrib/wpa/src/eap_server/tncs.c releng/11.2/contrib/wpa/src/eapol_auth/eapol_auth_sm.c releng/11.2/contrib/wpa/src/eapol_auth/eapol_auth_sm.h releng/11.2/contrib/wpa/src/eapol_auth/eapol_auth_sm_i.h releng/11.2/contrib/wpa/src/eapol_supp/eapol_supp_sm.c releng/11.2/contrib/wpa/src/eapol_supp/eapol_supp_sm.h releng/11.2/contrib/wpa/src/fst/fst.c releng/11.2/contrib/wpa/src/fst/fst.h releng/11.2/contrib/wpa/src/fst/fst_ctrl_aux.c releng/11.2/contrib/wpa/src/fst/fst_ctrl_aux.h releng/11.2/contrib/wpa/src/fst/fst_ctrl_iface.c releng/11.2/contrib/wpa/src/fst/fst_defs.h releng/11.2/contrib/wpa/src/fst/fst_group.c releng/11.2/contrib/wpa/src/fst/fst_group.h releng/11.2/contrib/wpa/src/fst/fst_iface.c releng/11.2/contrib/wpa/src/fst/fst_iface.h releng/11.2/contrib/wpa/src/fst/fst_session.c releng/11.2/contrib/wpa/src/l2_packet/l2_packet.h releng/11.2/contrib/wpa/src/l2_packet/l2_packet_privsep.c releng/11.2/contrib/wpa/src/p2p/p2p.c releng/11.2/contrib/wpa/src/p2p/p2p.h releng/11.2/contrib/wpa/src/p2p/p2p_build.c releng/11.2/contrib/wpa/src/p2p/p2p_go_neg.c releng/11.2/contrib/wpa/src/p2p/p2p_group.c releng/11.2/contrib/wpa/src/p2p/p2p_i.h releng/11.2/contrib/wpa/src/p2p/p2p_invitation.c releng/11.2/contrib/wpa/src/p2p/p2p_parse.c releng/11.2/contrib/wpa/src/p2p/p2p_pd.c releng/11.2/contrib/wpa/src/p2p/p2p_sd.c releng/11.2/contrib/wpa/src/p2p/p2p_utils.c releng/11.2/contrib/wpa/src/pae/ieee802_1x_cp.c releng/11.2/contrib/wpa/src/pae/ieee802_1x_cp.h releng/11.2/contrib/wpa/src/pae/ieee802_1x_kay.c releng/11.2/contrib/wpa/src/pae/ieee802_1x_kay.h releng/11.2/contrib/wpa/src/pae/ieee802_1x_kay_i.h releng/11.2/contrib/wpa/src/pae/ieee802_1x_key.c releng/11.2/contrib/wpa/src/pae/ieee802_1x_key.h releng/11.2/contrib/wpa/src/pae/ieee802_1x_secy_ops.c 
releng/11.2/contrib/wpa/src/pae/ieee802_1x_secy_ops.h releng/11.2/contrib/wpa/src/radius/radius.c releng/11.2/contrib/wpa/src/radius/radius.h releng/11.2/contrib/wpa/src/radius/radius_client.c releng/11.2/contrib/wpa/src/radius/radius_client.h releng/11.2/contrib/wpa/src/radius/radius_das.c releng/11.2/contrib/wpa/src/radius/radius_das.h releng/11.2/contrib/wpa/src/radius/radius_server.c releng/11.2/contrib/wpa/src/radius/radius_server.h releng/11.2/contrib/wpa/src/rsn_supp/pmksa_cache.c releng/11.2/contrib/wpa/src/rsn_supp/pmksa_cache.h releng/11.2/contrib/wpa/src/rsn_supp/preauth.c releng/11.2/contrib/wpa/src/rsn_supp/preauth.h releng/11.2/contrib/wpa/src/rsn_supp/tdls.c releng/11.2/contrib/wpa/src/rsn_supp/wpa.c releng/11.2/contrib/wpa/src/rsn_supp/wpa.h releng/11.2/contrib/wpa/src/rsn_supp/wpa_ft.c releng/11.2/contrib/wpa/src/rsn_supp/wpa_i.h releng/11.2/contrib/wpa/src/rsn_supp/wpa_ie.c releng/11.2/contrib/wpa/src/rsn_supp/wpa_ie.h releng/11.2/contrib/wpa/src/tls/asn1.c releng/11.2/contrib/wpa/src/tls/asn1.h releng/11.2/contrib/wpa/src/tls/bignum.c releng/11.2/contrib/wpa/src/tls/libtommath.c releng/11.2/contrib/wpa/src/tls/pkcs5.c releng/11.2/contrib/wpa/src/tls/rsa.c releng/11.2/contrib/wpa/src/tls/tlsv1_client.c releng/11.2/contrib/wpa/src/tls/tlsv1_client.h releng/11.2/contrib/wpa/src/tls/tlsv1_client_i.h releng/11.2/contrib/wpa/src/tls/tlsv1_client_read.c releng/11.2/contrib/wpa/src/tls/tlsv1_client_write.c releng/11.2/contrib/wpa/src/tls/tlsv1_common.c releng/11.2/contrib/wpa/src/tls/tlsv1_common.h releng/11.2/contrib/wpa/src/tls/tlsv1_cred.c releng/11.2/contrib/wpa/src/tls/tlsv1_cred.h releng/11.2/contrib/wpa/src/tls/tlsv1_server.c releng/11.2/contrib/wpa/src/tls/tlsv1_server.h releng/11.2/contrib/wpa/src/tls/tlsv1_server_i.h releng/11.2/contrib/wpa/src/tls/tlsv1_server_read.c releng/11.2/contrib/wpa/src/tls/tlsv1_server_write.c releng/11.2/contrib/wpa/src/tls/x509v3.c releng/11.2/contrib/wpa/src/tls/x509v3.h releng/11.2/contrib/wpa/src/utils/base64.c 
releng/11.2/contrib/wpa/src/utils/base64.h releng/11.2/contrib/wpa/src/utils/browser-android.c releng/11.2/contrib/wpa/src/utils/browser-wpadebug.c releng/11.2/contrib/wpa/src/utils/browser.c releng/11.2/contrib/wpa/src/utils/common.c releng/11.2/contrib/wpa/src/utils/common.h releng/11.2/contrib/wpa/src/utils/edit_simple.c releng/11.2/contrib/wpa/src/utils/eloop.c releng/11.2/contrib/wpa/src/utils/eloop.h releng/11.2/contrib/wpa/src/utils/eloop_win.c releng/11.2/contrib/wpa/src/utils/ext_password.c releng/11.2/contrib/wpa/src/utils/ext_password_i.h releng/11.2/contrib/wpa/src/utils/http_curl.c releng/11.2/contrib/wpa/src/utils/list.h releng/11.2/contrib/wpa/src/utils/os.h releng/11.2/contrib/wpa/src/utils/os_internal.c releng/11.2/contrib/wpa/src/utils/os_none.c releng/11.2/contrib/wpa/src/utils/os_unix.c releng/11.2/contrib/wpa/src/utils/os_win32.c releng/11.2/contrib/wpa/src/utils/pcsc_funcs.c releng/11.2/contrib/wpa/src/utils/platform.h releng/11.2/contrib/wpa/src/utils/radiotap.c releng/11.2/contrib/wpa/src/utils/radiotap.h releng/11.2/contrib/wpa/src/utils/radiotap_iter.h releng/11.2/contrib/wpa/src/utils/trace.c releng/11.2/contrib/wpa/src/utils/trace.h releng/11.2/contrib/wpa/src/utils/utils_module_tests.c releng/11.2/contrib/wpa/src/utils/uuid.c releng/11.2/contrib/wpa/src/utils/uuid.h releng/11.2/contrib/wpa/src/utils/wpa_debug.c releng/11.2/contrib/wpa/src/utils/wpa_debug.h releng/11.2/contrib/wpa/src/utils/wpabuf.c releng/11.2/contrib/wpa/src/utils/wpabuf.h releng/11.2/contrib/wpa/src/utils/xml-utils.c releng/11.2/contrib/wpa/src/utils/xml_libxml2.c releng/11.2/contrib/wpa/src/wps/wps.c releng/11.2/contrib/wpa/src/wps/wps.h releng/11.2/contrib/wpa/src/wps/wps_attr_build.c releng/11.2/contrib/wpa/src/wps/wps_attr_parse.c releng/11.2/contrib/wpa/src/wps/wps_attr_parse.h releng/11.2/contrib/wpa/src/wps/wps_attr_process.c releng/11.2/contrib/wpa/src/wps/wps_common.c releng/11.2/contrib/wpa/src/wps/wps_defs.h releng/11.2/contrib/wpa/src/wps/wps_dev_attr.c 
releng/11.2/contrib/wpa/src/wps/wps_dev_attr.h releng/11.2/contrib/wpa/src/wps/wps_enrollee.c releng/11.2/contrib/wpa/src/wps/wps_er.c releng/11.2/contrib/wpa/src/wps/wps_i.h releng/11.2/contrib/wpa/src/wps/wps_module_tests.c releng/11.2/contrib/wpa/src/wps/wps_registrar.c releng/11.2/contrib/wpa/src/wps/wps_upnp.c releng/11.2/contrib/wpa/src/wps/wps_upnp.h releng/11.2/contrib/wpa/src/wps/wps_upnp_i.h releng/11.2/contrib/wpa/src/wps/wps_upnp_ssdp.c releng/11.2/contrib/wpa/src/wps/wps_upnp_web.c releng/11.2/contrib/wpa/src/wps/wps_validate.c releng/11.2/contrib/wpa/wpa_supplicant/ChangeLog releng/11.2/contrib/wpa/wpa_supplicant/README releng/11.2/contrib/wpa/wpa_supplicant/README-HS20 releng/11.2/contrib/wpa/wpa_supplicant/README-P2P releng/11.2/contrib/wpa/wpa_supplicant/ap.c releng/11.2/contrib/wpa/wpa_supplicant/ap.h releng/11.2/contrib/wpa/wpa_supplicant/autoscan.c releng/11.2/contrib/wpa/wpa_supplicant/autoscan.h releng/11.2/contrib/wpa/wpa_supplicant/bgscan.c releng/11.2/contrib/wpa/wpa_supplicant/bgscan.h releng/11.2/contrib/wpa/wpa_supplicant/bgscan_learn.c releng/11.2/contrib/wpa/wpa_supplicant/bgscan_simple.c releng/11.2/contrib/wpa/wpa_supplicant/bss.c releng/11.2/contrib/wpa/wpa_supplicant/bss.h releng/11.2/contrib/wpa/wpa_supplicant/config.c releng/11.2/contrib/wpa/wpa_supplicant/config.h releng/11.2/contrib/wpa/wpa_supplicant/config_file.c releng/11.2/contrib/wpa/wpa_supplicant/config_ssid.h releng/11.2/contrib/wpa/wpa_supplicant/ctrl_iface.c releng/11.2/contrib/wpa/wpa_supplicant/ctrl_iface_named_pipe.c releng/11.2/contrib/wpa/wpa_supplicant/ctrl_iface_udp.c releng/11.2/contrib/wpa/wpa_supplicant/ctrl_iface_unix.c releng/11.2/contrib/wpa/wpa_supplicant/dbus/Makefile releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus-wpa_supplicant.conf releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_common.c releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_common_i.h releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_dict_helpers.c 
releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_dict_helpers.h releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_new.c releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_new.h releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_new_handlers.c releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_new_handlers.h releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_new_handlers_p2p.c releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_new_handlers_p2p.h releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_new_handlers_wps.c releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_new_helpers.c releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_new_helpers.h releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_new_introspect.c releng/11.2/contrib/wpa/wpa_supplicant/defconfig releng/11.2/contrib/wpa/wpa_supplicant/driver_i.h releng/11.2/contrib/wpa/wpa_supplicant/eapol_test.c releng/11.2/contrib/wpa/wpa_supplicant/eapol_test.py releng/11.2/contrib/wpa/wpa_supplicant/events.c releng/11.2/contrib/wpa/wpa_supplicant/examples/dbus-listen-preq.py releng/11.2/contrib/wpa/wpa_supplicant/examples/p2p-nfc.py releng/11.2/contrib/wpa/wpa_supplicant/examples/p2p/p2p_connect.py releng/11.2/contrib/wpa/wpa_supplicant/examples/p2p/p2p_disconnect.py releng/11.2/contrib/wpa/wpa_supplicant/examples/p2p/p2p_find.py releng/11.2/contrib/wpa/wpa_supplicant/examples/p2p/p2p_flush.py releng/11.2/contrib/wpa/wpa_supplicant/examples/p2p/p2p_group_add.py releng/11.2/contrib/wpa/wpa_supplicant/examples/p2p/p2p_invite.py releng/11.2/contrib/wpa/wpa_supplicant/examples/p2p/p2p_listen.py releng/11.2/contrib/wpa/wpa_supplicant/examples/p2p/p2p_stop_find.py releng/11.2/contrib/wpa/wpa_supplicant/examples/wpas-dbus-new-getall.py releng/11.2/contrib/wpa/wpa_supplicant/examples/wpas-dbus-new-signals.py releng/11.2/contrib/wpa/wpa_supplicant/examples/wpas-dbus-new-wps.py releng/11.2/contrib/wpa/wpa_supplicant/examples/wpas-dbus-new.py releng/11.2/contrib/wpa/wpa_supplicant/examples/wps-ap-cli 
releng/11.2/contrib/wpa/wpa_supplicant/examples/wps-nfc.py releng/11.2/contrib/wpa/wpa_supplicant/gas_query.c releng/11.2/contrib/wpa/wpa_supplicant/gas_query.h releng/11.2/contrib/wpa/wpa_supplicant/hs20_supplicant.c releng/11.2/contrib/wpa/wpa_supplicant/hs20_supplicant.h releng/11.2/contrib/wpa/wpa_supplicant/ibss_rsn.c releng/11.2/contrib/wpa/wpa_supplicant/ibss_rsn.h releng/11.2/contrib/wpa/wpa_supplicant/interworking.c releng/11.2/contrib/wpa/wpa_supplicant/interworking.h releng/11.2/contrib/wpa/wpa_supplicant/main.c releng/11.2/contrib/wpa/wpa_supplicant/mesh.c releng/11.2/contrib/wpa/wpa_supplicant/mesh.h releng/11.2/contrib/wpa/wpa_supplicant/mesh_mpm.c releng/11.2/contrib/wpa/wpa_supplicant/mesh_mpm.h releng/11.2/contrib/wpa/wpa_supplicant/mesh_rsn.c releng/11.2/contrib/wpa/wpa_supplicant/mesh_rsn.h releng/11.2/contrib/wpa/wpa_supplicant/notify.c releng/11.2/contrib/wpa/wpa_supplicant/notify.h releng/11.2/contrib/wpa/wpa_supplicant/offchannel.c releng/11.2/contrib/wpa/wpa_supplicant/p2p_supplicant.c releng/11.2/contrib/wpa/wpa_supplicant/p2p_supplicant.h releng/11.2/contrib/wpa/wpa_supplicant/p2p_supplicant_sd.c releng/11.2/contrib/wpa/wpa_supplicant/preauth_test.c releng/11.2/contrib/wpa/wpa_supplicant/scan.c releng/11.2/contrib/wpa/wpa_supplicant/scan.h releng/11.2/contrib/wpa/wpa_supplicant/sme.c releng/11.2/contrib/wpa/wpa_supplicant/sme.h releng/11.2/contrib/wpa/wpa_supplicant/utils/log2pcap.py releng/11.2/contrib/wpa/wpa_supplicant/wifi_display.c releng/11.2/contrib/wpa/wpa_supplicant/wmm_ac.c releng/11.2/contrib/wpa/wpa_supplicant/wmm_ac.h releng/11.2/contrib/wpa/wpa_supplicant/wnm_sta.c releng/11.2/contrib/wpa/wpa_supplicant/wnm_sta.h releng/11.2/contrib/wpa/wpa_supplicant/wpa_cli.c releng/11.2/contrib/wpa/wpa_supplicant/wpa_passphrase.c releng/11.2/contrib/wpa/wpa_supplicant/wpa_priv.c releng/11.2/contrib/wpa/wpa_supplicant/wpa_supplicant.c releng/11.2/contrib/wpa/wpa_supplicant/wpa_supplicant.conf 
releng/11.2/contrib/wpa/wpa_supplicant/wpa_supplicant_i.h releng/11.2/contrib/wpa/wpa_supplicant/wpa_supplicant_template.conf releng/11.2/contrib/wpa/wpa_supplicant/wpas_glue.c releng/11.2/contrib/wpa/wpa_supplicant/wpas_kay.c releng/11.2/contrib/wpa/wpa_supplicant/wpas_kay.h releng/11.2/contrib/wpa/wpa_supplicant/wpas_module_tests.c releng/11.2/contrib/wpa/wpa_supplicant/wps_supplicant.c releng/11.2/contrib/wpa/wpa_supplicant/wps_supplicant.h releng/11.2/usr.sbin/wpa/Makefile.crypto releng/11.2/usr.sbin/wpa/Makefile.inc releng/11.2/usr.sbin/wpa/hostapd/Makefile releng/11.2/usr.sbin/wpa/hostapd_cli/Makefile releng/11.2/usr.sbin/wpa/wpa_cli/Makefile releng/11.2/usr.sbin/wpa/wpa_supplicant/Makefile Modified: releng/11.2/contrib/wpa/CONTRIBUTIONS ============================================================================== --- releng/11.2/contrib/wpa/CONTRIBUTIONS Tue May 14 22:57:29 2019 (r347587) +++ releng/11.2/contrib/wpa/CONTRIBUTIONS Tue May 14 22:59:32 2019 (r347588) 
@@ -29,6 +29,34 @@ using your real name. Pseudonyms or anonymous contribu unfortunately be accepted. +The preferred method of submitting the contribution to the project is by +email to the hostap mailing list: +hostap@lists.infradead.org +Note that the list may require subscription before accepting message +without moderation. You can subscribe to the list at this address: +http://lists.infradead.org/mailman/listinfo/hostap + +The message should contain an inlined patch against the current +development branch (i.e., the master branch of +git://w1.fi/hostap.git). Please make sure the software you use for +sending the patch does not corrupt whitespace. If that cannot be fixed +for some reason, it is better to include an attached version of the +patch file than just send a whitespace damaged version in the message +body. + +The patches should be separate logical changes rather than doing +everything in a single patch. In other words, please keep cleanup, new +features, and bug fixes all in their own patches. Each patch needs a +commit log that describes the changes (what the changes fix, what +functionality is added, why the changes are useful, etc.). + +Please try to follow the coding style used in the project. + +In general, the best way of generating a suitable formatted patch file +is by committing the changes to a cloned git repository and using git +format-patch. The patch can then be sent, e.g., with git send-email. + + History of license and contributions terms ------------------------------------------ 
@@ -112,7 +140,7 @@ The license terms used for hostap.git files Modified BSD license (no advertisement clause): -Copyright (c) 2002-2015, Jouni Malinen and contributors +Copyright (c) 2002-2019, Jouni Malinen and contributors All Rights Reserved. Redistribution and use in source and binary forms, with or without Modified: releng/11.2/contrib/wpa/COPYING ============================================================================== --- releng/11.2/contrib/wpa/COPYING Tue May 14 22:57:29 2019 (r347587) +++ releng/11.2/contrib/wpa/COPYING Tue May 14 22:59:32 2019 (r347588) @@ -1,7 +1,7 @@ wpa_supplicant and hostapd -------------------------- -Copyright (c) 2002-2015, Jouni Malinen and contributors +Copyright (c) 2002-2019, Jouni Malinen and contributors All Rights Reserved. Modified: releng/11.2/contrib/wpa/README ============================================================================== --- releng/11.2/contrib/wpa/README Tue May 14 22:57:29 2019 (r347587) +++ releng/11.2/contrib/wpa/README Tue May 14 22:59:32 2019 (r347588) @@ -1,7 +1,7 @@ wpa_supplicant and hostapd -------------------------- -Copyright (c) 2002-2015, Jouni Malinen and contributors +Copyright (c) 2002-2019, Jouni Malinen and contributors All Rights Reserved. These programs are licensed under the BSD license (the one with Modified: releng/11.2/contrib/wpa/hostapd/ChangeLog ============================================================================== --- releng/11.2/contrib/wpa/hostapd/ChangeLog Tue May 14 22:57:29 2019 (r347587) +++ releng/11.2/contrib/wpa/hostapd/ChangeLog Tue May 14 22:59:32 2019 (r347588) 
@@ -1,5 +1,188 @@ ChangeLog for hostapd +2019-04-21 - v2.8 + * SAE changes + - added support for SAE Password Identifier + - changed default configuration to enable only group 19 + (i.e., disable groups 20, 21, 25, 26 from default configuration) and + disable all unsuitable groups completely based on REVmd changes + - improved anti-clogging token mechanism and SAE authentication + frame processing during heavy CPU load; this mitigates some issues + with potential DoS attacks trying to flood an AP with large number + of SAE messages + - added Finite Cyclic Group field in status code 77 responses + - reject use of unsuitable groups based on new implementation guidance + in REVmd (allow only FFC groups with prime >= 3072 bits and ECC + groups with prime >= 256) + - minimize timing and memory use differences in PWE derivation + [https://w1.fi/security/2019-1/] (CVE-2019-9494) + - fixed confirm message validation in error cases + [https://w1.fi/security/2019-3/] (CVE-2019-9496) + * EAP-pwd changes + - minimize timing and memory use differences in PWE derivation + [https://w1.fi/security/2019-2/] (CVE-2019-9495) + - verify peer scalar/element + [https://w1.fi/security/2019-4/] (CVE-2019-9497 and CVE-2019-9498) + - fix message reassembly issue with unexpected fragment + [https://w1.fi/security/2019-5/] + - enforce rand,mask generation rules more strictly + - fix a memory leak in PWE derivation + - disallow ECC groups with a prime under 256 bits (groups 25, 26, and + 27) + * Hotspot 2.0 changes + - added support for release number 3 + - reject release 2 or newer association without PMF + * added support for RSN operating channel validation + (CONFIG_OCV=y and configuration parameter ocv=1) + * added Multi-AP protocol support + * added FTM responder configuration + * fixed build with LibreSSL + * added FT/RRB workaround for short Ethernet frame padding + * fixed KEK2 derivation for FILS+FT + * added RSSI-based association rejection from OCE + * extended beacon reporting 
functionality + * VLAN changes + - allow local VLAN management with remote RADIUS authentication + - add WPA/WPA2 passphrase/PSK -based VLAN assignment + * OpenSSL: allow systemwide policies to be overridden + * extended PEAP to derive EMSK to enable use with ERP/FILS + * extended WPS to allow SAE configuration to be added automatically + for PSK (wps_cred_add_sae=1) + * fixed FT and SA Query Action frame with AP-MLME-in-driver cases + * OWE: allow Diffie-Hellman Parameter element to be included with DPP + in preparation for DPP protocol extension + * RADIUS server: started to accept ERP keyName-NAI as user identity + automatically without matching EAP database entry + * fixed PTK rekeying with FILS and FT + +2018-12-02 - v2.7 + * fixed WPA packet number reuse with replayed messages and key + reinstallation + [http://w1.fi/security/2017-1/] (CVE-2017-13082) + * added support for FILS (IEEE 802.11ai) shared key authentication + * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; + and transition mode defined by WFA) + * added support for DPP (Wi-Fi Device Provisioning Protocol) + * FT: + - added local generation of PMK-R0/PMK-R1 for FT-PSK + (ft_psk_generate_local=1) + - replaced inter-AP protocol with a cleaner design that is more + easily extensible; this breaks backward compatibility and requires + all APs in the ESS to be updated at the same time to maintain FT + functionality + - added support for wildcard R0KH/R1KH + - replaced r0_key_lifetime (minutes) parameter with + ft_r0_key_lifetime (seconds) + - fixed wpa_psk_file use for FT-PSK + - fixed FT-SAE PMKID matching + - added expiration to PMK-R0 and PMK-R1 cache + - added IEEE VLAN support (including tagged VLANs) + - added support for SHA384 based AKM + * SAE + - fixed some PMKSA caching cases with SAE + - added support for configuring SAE password separately of the + WPA2 PSK/passphrase + - added option to require MFP for SAE associations + (sae_require_pmf=1) + - fixed PTK and EAPOL-Key 
integrity and key-wrap algorithm selection + for SAE; + note: this is not backwards compatible, i.e., both the AP and + station side implementations will need to be update at the same + time to maintain interoperability + - added support for Password Identifier + * hostapd_cli: added support for command history and completion + * added support for requesting beacon report + * large number of other fixes, cleanup, and extensions + * added option to configure EAPOL-Key retry limits + (wpa_group_update_count and wpa_pairwise_update_count) + * removed all PeerKey functionality + * fixed nl80211 AP mode configuration regression with Linux 4.15 and + newer + * added support for using wolfSSL cryptographic library + * fixed some 20/40 MHz coexistence cases where the BSS could drop to + 20 MHz even when 40 MHz would be allowed + * Hotspot 2.0 + - added support for setting Venue URL ANQP-element (venue_url) + - added support for advertising Hotspot 2.0 operator icons + - added support for Roaming Consortium Selection element + - added support for Terms and Conditions + - added support for OSEN connection in a shared RSN BSS + * added support for using OpenSSL 1.1.1 + * added EAP-pwd server support for salted passwords + +2016-10-02 - v2.6 + * fixed EAP-pwd last fragment validation + [http://w1.fi/security/2015-7/] (CVE-2015-5314) + * fixed WPS configuration update vulnerability with malformed passphrase + [http://w1.fi/security/2016-1/] (CVE-2016-4476) + * extended channel switch support for VHT bandwidth changes + * added support for configuring new ANQP-elements with + anqp_elem=: + * fixed Suite B 192-bit AKM to use proper PMK length + (note: this makes old releases incompatible with the fixed behavior) + * added no_probe_resp_if_max_sta=1 parameter to disable Probe Response + frame sending for not-associated STAs if max_num_sta limit has been + reached + * added option (-S as command line argument) to request all interfaces + to be started at the same time + * modified 
rts_threshold and fragm_threshold configuration parameters + to allow -1 to be used to disable RTS/fragmentation + * EAP-pwd: added support for Brainpool Elliptic Curves + (with OpenSSL 1.0.2 and newer) + * fixed EAPOL reauthentication after FT protocol run + * fixed FTIE generation for 4-way handshake after FT protocol run + * fixed and improved various FST operations + * TLS server + - support SHA384 and SHA512 hashes + - support TLS v1.2 signature algorithm with SHA384 and SHA512 + - support PKCS #5 v2.0 PBES2 + - support PKCS #5 with PKCS #12 style key decryption + - minimal support for PKCS #12 + - support OCSP stapling (including ocsp_multi) + * added support for OpenSSL 1.1 API changes + - drop support for OpenSSL 0.9.8 + - drop support for OpenSSL 1.0.0 + * EAP-PEAP: support fast-connect crypto binding + * RADIUS + - fix Called-Station-Id to not escape SSID + - add Event-Timestamp to all Accounting-Request packets + - add Acct-Session-Id to Accounting-On/Off + - add Acct-Multi-Session-Id ton Access-Request packets + - add Service-Type (= Frames) + - allow server to provide PSK instead of passphrase for WPA-PSK + Tunnel_password case + - update full message for interim accounting updates + - add Acct-Delay-Time into Accounting messages + - add require_message_authenticator configuration option to require + CoA/Disconnect-Request packets to be authenticated + * started to postpone WNM-Notification frame sending by 100 ms so that + the STA has some more time to configure the key before this frame is + received after the 4-way handshake + * VHT: added interoperability workaround for 80+80 and 160 MHz channels + * extended VLAN support (per-STA vif, etc.) 
+ * fixed PMKID derivation with SAE + * nl80211 + - added support for full station state operations + - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use + unencrypted EAPOL frames + * added initial MBO support; number of extensions to WNM BSS Transition + Management + * added initial functionality for location related operations + * added assocresp_elements parameter to allow vendor specific elements + to be added into (Re)Association Response frames + * improved Public Action frame addressing + - use Address 3 = wildcard BSSID in GAS response if a query from an + unassociated STA used that address + - fix TX status processing for Address 3 = wildcard BSSID + - add gas_address3 configuration parameter to control Address 3 + behavior + * added command line parameter -i to override interface parameter in + hostapd.conf + * added command completion support to hostapd_cli + * added passive client taxonomy determination (CONFIG_TAXONOMY=y + compile option and "SIGNATURE " control interface command) + * number of small fixes + 2015-09-27 - v2.5 * fixed WPS UPnP vulnerability with HTTP chunked transfer encoding [http://w1.fi/security/2015-2/] (CVE-2015-4141) Modified: releng/11.2/contrib/wpa/hostapd/README ============================================================================== --- releng/11.2/contrib/wpa/hostapd/README Tue May 14 22:57:29 2019 (r347587) +++ releng/11.2/contrib/wpa/hostapd/README Tue May 14 22:59:32 2019 (r347588) @@ -2,7 +2,7 @@ hostapd - user space IEEE 802.11 AP and IEEE 802.1X/WP Authenticator and RADIUS authentication server ================================================================ -Copyright (c) 2002-2015, Jouni Malinen and contributors +Copyright (c) 2002-2019, Jouni Malinen and contributors All Rights Reserved. This program is licensed under the BSD license (the one with 
@@ -70,7 +70,7 @@ Requirements Current hardware/software requirements: - drivers: Host AP driver for Prism2/2.5/3. - (http://hostap.epitest.fi/) + (http://w1.fi/hostap-driver.html) Please note that station firmware version needs to be 1.7.0 or newer to work in WPA mode. @@ -81,8 +81,7 @@ Current hardware/software requirements: Any wired Ethernet driver for wired IEEE 802.1X authentication (experimental code) - FreeBSD -current (with some kernel mods that have not yet been - committed when hostapd v0.3.0 was released) + FreeBSD -current BSD net80211 layer (e.g., Atheros driver) @@ -186,24 +185,14 @@ Authenticator and RADIUS encapsulation between the Aut the Authentication Server. Other than this, the functionality is similar to the case with the co-located Authentication Server. -Authentication Server and Supplicant ------------------------------------- +Authentication Server +--------------------- Any RADIUS server supporting EAP should be usable as an IEEE 802.1X Authentication Server with hostapd Authenticator. FreeRADIUS (http://www.freeradius.org/) has been successfully tested with hostapd -Authenticator and both Xsupplicant (http://www.open1x.org) and Windows -XP Supplicants. EAP/TLS was used with Xsupplicant and -EAP/MD5-Challenge with Windows XP. +Authenticator. -http://www.missl.cs.umd.edu/wireless/eaptls/ has useful information -about using EAP/TLS with FreeRADIUS and Xsupplicant (just replace -Cisco access point with Host AP driver, hostapd daemon, and a Prism2 -card ;-). http://www.freeradius.org/doc/EAP-MD5.html has information -about using EAP/MD5 with FreeRADIUS, including instructions for WinXP -configuration. http://www.denobula.com/EAPTLS.pdf has a HOWTO on -EAP/TLS use with WinXP Supplicant. - Automatic WEP key configuration ------------------------------- 
@@ -243,16 +232,15 @@ networks that require some kind of security. Task grou of IEEE 802.11 working group (http://www.ieee802.org/11/) has worked to address the flaws of the base standard and has in practice completed its work in May 2004. The IEEE 802.11i amendment to the IEEE -802.11 standard was approved in June 2004 and this amendment is likely -to be published in July 2004. +802.11 standard was approved in June 2004 and this amendment was +published in July 2004. Wi-Fi Alliance (http://www.wi-fi.org/) used a draft version of the IEEE 802.11i work (draft 3.0) to define a subset of the security enhancements that can be implemented with existing wlan hardware. This is called Wi-Fi Protected Access (WPA). This has now become a mandatory component of interoperability testing and certification done -by Wi-Fi Alliance. Wi-Fi provides information about WPA at its web -site (http://www.wi-fi.org/OpenSection/protected_access.asp). +by Wi-Fi Alliance. IEEE 802.11 standard defined wired equivalent privacy (WEP) algorithm for protecting wireless networks. WEP uses RC4 with 40-bit keys, Added: releng/11.2/contrib/wpa/hostapd/README-MULTI-AP ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ releng/11.2/contrib/wpa/hostapd/README-MULTI-AP Tue May 14 22:59:32 2019 (r347588) 
@@ -0,0 +1,160 @@ +hostapd, wpa_supplicant and the Multi-AP Specification +====================================================== + +This document describes how hostapd and wpa_supplicant can be configured to +support the Multi-AP Specification. + +Introduction to Multi-AP +------------------------ + +The Wi-Fi Alliance Multi-AP Specification is the technical specification for +Wi-Fi CERTIFIED EasyMesh(TM) [1], the Wi-Fi AllianceĀ® certification program for +Multi-AP. It defines control protocols between Wi-FiĀ® access points (APs) to +join them into a network with centralized control and operation. It is targeted +only at routers (repeaters, gateways, ...), not at clients. Clients are not +involved at all in the protocols. + +Most of the Multi-AP specification falls outside of the scope of +hostapd/wpa_supplicant. hostapd/wpa_supplicant is only involved for the items +summarized below. The rest of the protocol must be implemented by a separate +daemon, e.g., prplMesh [2]. That daemon also needs to communicate with hostapd, +e.g., to get a list of associated clients, but this can be done using the normal +hostapd interfaces. + +hostapd/wpa_supplicant needs to be configured specifically to support: +- the WPS onboarding process; +- configuring backhaul links. + +The text below refers to "Multi-AP Specification v1.0" [3]. + + +Fronthaul and backhaul links +---------------------------- + +In a Multi-AP network, the central controller can configure the BSSs on the +devices that are joined into the network. These are called fronthaul BSSs. +From the point of view of hostapd, there is nothing special about these +fronthaul BSSs. + +In addition to fronthaul BSSs, the controller can also configure backhaul +links. A backhaul link is a link between two access point devices, giving +internet access to access point devices that don't have a wired link. 
The +Multi-AP specification doesn't dictate this, but typically the backhaul link +will be bridged into a LAN together with (one of) the fronthaul BSS(s) and the +wired Ethernet ports. + +A backhaul link must be treated specially by hostapd and wpa_supplicant. One +side of the backhaul link is configured through the Multi-AP protocol as the +"backhaul STA", i.e., the client side of the link. A backhaul STA is like any +station and is handled appropriately by wpa_supplicant, but two additional +features are required. It must send an additional information element in each +(Re)Association Request frame ([3], section 5.2, paragraph 4). In addition, it +must use 4-address mode for all frames sent over this link ([3], section 14). +Therefore, wpa_supplicant must be configured explicitly as the backhaul STA +role, by setting 'multi_ap_backhaul_sta=1' in the network configuration block +or when configuring the network profile through the control interface. When +'multi_ap_backhaul_sta=1', wpa_supplicant includes the Multi-AP IE in +(Re)Association Request frame and verifies that it is included in the +(Re)Association Response frame. If it is not, association fails. If it is, +wpa_supplicant sets 4-address mode for this interface through a driver +callback. + +The AP side of the backhaul link is called a "backhaul BSS". Such a BSS must +be handled specially by hostapd, because it must add an additional information +element in each (Re)Association Response frame, but only to stations that have +identified themselves as backhaul stations ([3], section 5.2, paragraph 5-6). +This is important because it is possible to use the same BSS and SSID for +fronthaul and backhaul at the same time. The additional information element must +only be used for frames sent to a backhaul STA, not to a normal STA. Also, +frames sent to a backhaul STA must use 4-address mode, while frames sent to a +normal STA (fronthaul, when it's a fronthaul and backhaul BSS) must use +3-address mode. 
+ +A BSS is configured in Multi-AP mode in hostapd by setting the 'multi_ap' +configuration option to 1 (backhaul BSS), 2 (fronthaul BSS), or 3 +(simultaneous backhaul and fronthaul BSS). If this option is set, hostapd +parses the Multi-AP information element in the Association Request frame. If the +station is a backhaul STA and the BSS is configured as a backhaul BSS, +hostapd sets up 4-address mode. Since there may be multiple stations connected +simultaneously, and each of them has a different RA (receiver address), a VLAN +is created for each backhaul STA and it is automatically added to a bridge. +This is the same behavior as for WDS, and the relevant option ('bridge' or +'wds_bridge') applies here as well. + +If 'multi_ap' is 1 (backhaul BSS only), any station that tries to associate +without the Multi-AP information element will be denied. + +If 'multi_ap' is 2 (fronthaul BSS only), any station that tries to associate +with the Multi-AP information element will be denied. That is also the only +difference with 'multi_ap' set to 0: in the latter case, the Multi-AP +information element is simply ignored. + +In summary, this is the end-to-end behavior for a backhaul BSS (i.e., +multi_ap_backhaul_sta=1 in wpa_supplicant on STA, and multi_ap=1 or 3 in +hostapd on AP). Note that point 1 means that hostapd must not be configured +with WPS support on the backhaul BSS (multi_ap=1). hostapd does not check for +that. + +1. Backhaul BSS beacons do not advertise WPS support (other than that, nothing + Multi-AP specific). +2. STA sends Authentication frame (nothing Multi-AP specific). +3. AP sends Authentication frame (nothing Multi-AP specific). +4. STA sends Association Request frame with Multi-AP IE. +5. AP sends Association Response frame with Multi-AP IE. +6. STA and AP both use 4-address mode for Data frames. + + +WPS support +----------- + +WPS requires more special handling. 
WPS must only be advertised on fronthaul +BSSs, not on backhaul BSSs, so WPS should not be enabled on a backhaul-only +BSS in hostapd.conf. The WPS configuration purely works on the fronthaul BSS. +When a WPS M1 message has an additional subelement that indicates a request for +a Multi-AP backhaul link, hostapd must not respond with the normal fronthaul +BSS credentials; instead, it should respond with the (potentially different) +backhaul BSS credentials. + +To support this, hostapd has the 'multi_ap_backhaul_ssid', +'multi_ap_backhaul_wpa_psk' and 'multi_ap_backhaul_wpa_passphrase' options. +When these are set on an BSS with WPS, they are used instead of the normal +credentials when hostapd receives a WPS M1 message with the Multi-AP IE. Only +WPA2-Personal is supported in the Multi-AP specification, so there is no need +to specify authentication or encryption options. For the backhaul credentials, +per-device PSK is not supported. + +If the BSS is a simultaneous backhaul and fronthaul BSS, there is no need to +specify the backhaul credentials, since the backhaul and fronthaul credentials +are identical. + +To enable the Multi-AP backhaul STA feature when it performs WPS, a new +parameter has been introduced to the WPS_PBC control interface call. When this +"multi_ap=1" option is set, it adds the Multi-AP backhaul subelement to the +Association Request frame and the M1 message. It then configures the new network +profile with 'multi_ap_backhaul_sta=1'. Note that this means that if the AP does +not follow the Multi-AP specification, wpa_supplicant will fail to associate. + +In summary, this is the end-to-end behavior for WPS of a backhaul link (i.e., +multi_ap=1 option is given in the wps_pbc call on the STA side, and multi_ap=2 +and multi_ap_backhaul_ssid and either multi_ap_backhaul_wpa_psk or +multi_ap_backhaul_wpa_passphrase are set to the credentials of a backhaul BSS +in hostapd on Registrar AP). + +1. 
Fronthaul BSS Beacon frames advertise WPS support (nothing Multi-AP + specific). +2. Enrollee sends Authentication frame (nothing Multi-AP specific). +3. AP sends Authentication frame (nothing Multi-AP specific). +4. Enrollee sends Association Request frame with Multi-AP IE. +5. AP sends Association Response frame with Multi-AP IE. +6. Enrollee sends M1 with additional Multi-AP subelement. +7. AP sends M8 with backhaul instead of fronthaul credentials. +8. Enrollee sends Deauthentication frame. + + +References +---------- + +[1] https://www.wi-fi.org/discover-wi-fi/wi-fi-easymesh +[2] https://github.com/prplfoundation/prplMesh +[3] https://www.wi-fi.org/file/multi-ap-specification-v10 + (requires registration) Modified: releng/11.2/contrib/wpa/hostapd/config_file.c ============================================================================== --- releng/11.2/contrib/wpa/hostapd/config_file.c Tue May 14 22:57:29 2019 (r347587) +++ releng/11.2/contrib/wpa/hostapd/config_file.c Tue May 14 22:59:32 2019 (r347588) @@ -1,6 +1,6 @@ /* * hostapd / Configuration file parser - * Copyright (c) 2003-2015, Jouni Malinen + * Copyright (c) 2003-2018, Jouni Malinen * * This software may be distributed under the terms of the BSD license. * See README for more details. @@ -14,6 +14,8 @@ #include "utils/common.h" #include "utils/uuid.h" #include "common/ieee802_11_defs.h" +#include "crypto/sha256.h" +#include "crypto/tls.h" #include "drivers/driver.h" #include "eap_server/eap.h" #include "radius/radius_client.h" @@ -35,7 +37,7 @@ static int hostapd_config_read_vlan_file(struct hostap const char *fname) { FILE *f; - char buf[128], *pos, *pos2; + char buf[128], *pos, *pos2, *pos3; int line = 0, vlan_id; struct hostapd_vlan *vlan; 
@@ -80,7 +82,10 @@ static int hostapd_config_read_vlan_file(struct hostap pos2 = pos; while (*pos2 != ' ' && *pos2 != '\t' && *pos2 != '\0') pos2++; - *pos2 = '\0'; + + if (*pos2 != '\0') + *(pos2++) = '\0'; + if (*pos == '\0' || os_strlen(pos) > IFNAMSIZ) { wpa_printf(MSG_ERROR, "Invalid VLAN ifname at line %d " "in '%s'", line, fname); @@ -88,6 +93,13 @@ static int hostapd_config_read_vlan_file(struct hostap return -1; } + while (*pos2 == ' ' || *pos2 == '\t') + pos2++; + pos3 = pos2; + while (*pos3 != ' ' && *pos3 != '\t' && *pos3 != '\0') + pos3++; + *pos3 = '\0'; + vlan = os_zalloc(sizeof(*vlan)); if (vlan == NULL) { wpa_printf(MSG_ERROR, "Out of memory while reading " @@ -97,7 +109,10 @@ static int hostapd_config_read_vlan_file(struct hostap } vlan->vlan_id = vlan_id; + vlan->vlan_desc.untagged = vlan_id; + vlan->vlan_desc.notempty = !!vlan_id; os_strlcpy(vlan->ifname, pos, sizeof(vlan->ifname)); + os_strlcpy(vlan->bridge, pos2, sizeof(vlan->bridge)); vlan->next = bss->vlan; bss->vlan = vlan; } @@ -109,7 +124,7 @@ static int hostapd_config_read_vlan_file(struct hostap #endif /* CONFIG_NO_VLAN */ -static int hostapd_acl_comp(const void *a, const void *b) +int hostapd_acl_comp(const void *a, const void *b) { const struct mac_acl_entry *aa = a; const struct mac_acl_entry *bb = b; 
@@ -117,6 +132,44 @@ static int hostapd_acl_comp(const void *a, const void } +int hostapd_add_acl_maclist(struct mac_acl_entry **acl, int *num, + int vlan_id, const u8 *addr) +{ + struct mac_acl_entry *newacl; + + newacl = os_realloc_array(*acl, *num + 1, sizeof(**acl)); + if (!newacl) { + wpa_printf(MSG_ERROR, "MAC list reallocation failed"); + return -1; + } + + *acl = newacl; + os_memcpy((*acl)[*num].addr, addr, ETH_ALEN); + os_memset(&(*acl)[*num].vlan_id, 0, sizeof((*acl)[*num].vlan_id)); + (*acl)[*num].vlan_id.untagged = vlan_id; + (*acl)[*num].vlan_id.notempty = !!vlan_id; + (*num)++; + + return 0; +} + + +void hostapd_remove_acl_mac(struct mac_acl_entry **acl, int *num, + const u8 *addr) +{ + int i = 0; + + while (i < *num) { + if (os_memcmp((*acl)[i].addr, addr, ETH_ALEN) == 0) { + os_remove_in_array(*acl, *num, sizeof(**acl), i); + (*num)--; + } else { + i++; + } + } +} + + static int hostapd_config_read_maclist(const char *fname, struct mac_acl_entry **acl, int *num) { @@ -124,12 +177,8 @@ static int hostapd_config_read_maclist(const char *fna char buf[128], *pos; int line = 0; u8 addr[ETH_ALEN]; - struct mac_acl_entry *newacl; int vlan_id; - if (!fname) - return 0; - f = fopen(fname, "r"); if (!f) { wpa_printf(MSG_ERROR, "MAC list file '%s' not found.", fname); @@ -137,7 +186,7 @@ static int hostapd_config_read_maclist(const char *fna } while (fgets(buf, sizeof(buf), f)) { - int i, rem = 0; + int rem = 0; line++; @@ -167,16 +216,7 @@ static int hostapd_config_read_maclist(const char *fna } if (rem) { - i = 0; - while (i < *num) { - if (os_memcmp((*acl)[i].addr, addr, ETH_ALEN) == - 0) { - os_remove_in_array(*acl, *num, - sizeof(**acl), i); - (*num)--; - } else - i++; - } + hostapd_remove_acl_mac(acl, num, addr); continue; } vlan_id = 0; 
@@ -188,28 +228,78 @@ static int hostapd_config_read_maclist(const char *fna if (*pos != '\0') vlan_id = atoi(pos); - newacl = os_realloc_array(*acl, *num + 1, sizeof(**acl)); - if (newacl == NULL) { - wpa_printf(MSG_ERROR, "MAC list reallocation failed"); + if (hostapd_add_acl_maclist(acl, num, vlan_id, addr) < 0) { fclose(f); return -1; } - - *acl = newacl; - os_memcpy((*acl)[*num].addr, addr, ETH_ALEN); - (*acl)[*num].vlan_id = vlan_id; - (*num)++; } fclose(f); - qsort(*acl, *num, sizeof(**acl), hostapd_acl_comp); + if (*acl) + qsort(*acl, *num, sizeof(**acl), hostapd_acl_comp); return 0; } #ifdef EAP_SERVER + +static int hostapd_config_eap_user_salted(struct hostapd_eap_user *user, + const char *hash, size_t len, + char **pos, int line, + const char *fname) +{ + char *pos2 = *pos; + + while (*pos2 != '\0' && *pos2 != ' ' && *pos2 != '\t' && *pos2 != '#') + pos2++; + + if (pos2 - *pos < (int) (2 * (len + 1))) { /* at least 1 byte of salt */ + wpa_printf(MSG_ERROR, + "Invalid salted %s hash on line %d in '%s'", + hash, line, fname); + return -1; + } + + user->password = os_malloc(len); + if (!user->password) { + wpa_printf(MSG_ERROR, + "Failed to allocate memory for salted %s hash", + hash); + return -1; + } + + if (hexstr2bin(*pos, user->password, len) < 0) { + wpa_printf(MSG_ERROR, + "Invalid salted password on line %d in '%s'", + line, fname); + return -1; + } + user->password_len = len; + *pos += 2 * len; + + user->salt_len = (pos2 - *pos) / 2; + user->salt = os_malloc(user->salt_len); + if (!user->salt) { + wpa_printf(MSG_ERROR, + "Failed to allocate memory for salted %s hash", + hash); + return -1; + } + + if (hexstr2bin(*pos, user->salt, user->salt_len) < 0) { + wpa_printf(MSG_ERROR, + "Invalid salt for password on line %d in '%s'", + line, fname); + return -1; + } + + *pos = pos2; + return 0; +} + + static int hostapd_config_read_eap_user(const char *fname, struct hostapd_bss_config *conf) { 
@@ -218,9 +308,6 @@ static int hostapd_config_read_eap_user(const char *fn int line = 0, ret = 0, num_methods; struct hostapd_eap_user *user = NULL, *tail = NULL, *new_user = NULL; - if (!fname) - return 0; - if (os_strncmp(fname, "sqlite:", 7) == 0) { #ifdef CONFIG_SQLITE os_free(conf->eap_user_sqlite); @@ -307,13 +394,12 @@ static int hostapd_config_read_eap_user(const char *fn goto failed; } - user->identity = os_malloc(pos - start); + user->identity = os_memdup(start, pos - start); if (user->identity == NULL) { wpa_printf(MSG_ERROR, "Failed to allocate " "memory for EAP identity"); goto failed; } - os_memcpy(user->identity, start, pos - start); user->identity_len = pos - start; if (pos[0] == '"' && pos[1] == '*') { @@ -431,13 +517,12 @@ static int hostapd_config_read_eap_user(const char *fn goto failed; } - user->password = os_malloc(pos - start); + user->password = os_memdup(start, pos - start); if (user->password == NULL) { wpa_printf(MSG_ERROR, "Failed to allocate " "memory for EAP password"); goto failed; } - os_memcpy(user->password, start, pos - start); user->password_len = pos - start; pos++; @@ -466,6 +551,24 @@ static int hostapd_config_read_eap_user(const char *fn user->password_len = 16; user->password_hash = 1; pos = pos2; + } else if (os_strncmp(pos, "ssha1:", 6) == 0) { + pos += 6; + if (hostapd_config_eap_user_salted(user, "sha1", 20, + &pos, + line, fname) < 0) + goto failed; + } else if (os_strncmp(pos, "ssha256:", 8) == 0) { + pos += 8; + if (hostapd_config_eap_user_salted(user, "sha256", 32, + &pos, + line, fname) < 0) + goto failed; + } else if (os_strncmp(pos, "ssha512:", 8) == 0) { + pos += 8; + if (hostapd_config_eap_user_salted(user, "sha512", 64, + &pos, + line, fname) < 0) + goto failed; } else { pos2 = pos; while (*pos2 != '\0' && *pos2 != ' ' && 
@@ -517,19 +620,15 @@ static int hostapd_config_read_eap_user(const char *fn fclose(f); if (ret == 0) { - user = conf->eap_user; - while (user) { - struct hostapd_eap_user *prev; - - prev = user; - user = user->next; - hostapd_config_free_eap_user(prev); - } + hostapd_config_free_eap_users(conf->eap_user); conf->eap_user = new_user; + } else { + hostapd_config_free_eap_users(new_user); } return ret; } + #endif /* EAP_SERVER */ @@ -631,8 +730,7 @@ hostapd_parse_radius_attr(const char *value) } -static int hostapd_parse_das_client(struct hostapd_bss_config *bss, - const char *val) +static int hostapd_parse_das_client(struct hostapd_bss_config *bss, char *val) { char *secret; @@ -640,7 +738,7 @@ static int hostapd_parse_das_client(struct hostapd_bss if (secret == NULL) return -1; - secret++; + *secret++ = '\0'; if (hostapd_parse_ip_addr(val, &bss->radius_das_client_addr)) return -1; @@ -680,12 +778,16 @@ static int hostapd_config_parse_key_mgmt(int line, con val |= WPA_KEY_MGMT_PSK; else if (os_strcmp(start, "WPA-EAP") == 0) val |= WPA_KEY_MGMT_IEEE8021X; -#ifdef CONFIG_IEEE80211R +#ifdef CONFIG_IEEE80211R_AP else if (os_strcmp(start, "FT-PSK") == 0) val |= WPA_KEY_MGMT_FT_PSK; else if (os_strcmp(start, "FT-EAP") == 0) val |= WPA_KEY_MGMT_FT_IEEE8021X; -#endif /* CONFIG_IEEE80211R */ +#ifdef CONFIG_SHA384 + else if (os_strcmp(start, "FT-EAP-SHA384") == 0) + val |= WPA_KEY_MGMT_FT_IEEE8021X_SHA384; +#endif /* CONFIG_SHA384 */ +#endif /* CONFIG_IEEE80211R_AP */ #ifdef CONFIG_IEEE80211W else if (os_strcmp(start, "WPA-PSK-SHA256") == 0) val |= WPA_KEY_MGMT_PSK_SHA256; 
@@ -706,6 +808,30 @@ static int hostapd_config_parse_key_mgmt(int line, con else if (os_strcmp(start, "WPA-EAP-SUITE-B-192") == 0) val |= WPA_KEY_MGMT_IEEE8021X_SUITE_B_192; #endif /* CONFIG_SUITEB192 */ +#ifdef CONFIG_FILS + else if (os_strcmp(start, "FILS-SHA256") == 0) + val |= WPA_KEY_MGMT_FILS_SHA256; + else if (os_strcmp(start, "FILS-SHA384") == 0) + val |= WPA_KEY_MGMT_FILS_SHA384; +#ifdef CONFIG_IEEE80211R_AP + else if (os_strcmp(start, "FT-FILS-SHA256") == 0) + val |= WPA_KEY_MGMT_FT_FILS_SHA256; + else if (os_strcmp(start, "FT-FILS-SHA384") == 0) + val |= WPA_KEY_MGMT_FT_FILS_SHA384; +#endif /* CONFIG_IEEE80211R_AP */ +#endif /* CONFIG_FILS */ +#ifdef CONFIG_OWE + else if (os_strcmp(start, "OWE") == 0) + val |= WPA_KEY_MGMT_OWE; +#endif /* CONFIG_OWE */ +#ifdef CONFIG_DPP + else if (os_strcmp(start, "DPP") == 0) + val |= WPA_KEY_MGMT_DPP; +#endif /* CONFIG_DPP */ +#ifdef CONFIG_HS20 + else if (os_strcmp(start, "OSEN") == 0) + val |= WPA_KEY_MGMT_OSEN; +#endif /* CONFIG_HS20 */ else { wpa_printf(MSG_ERROR, "Line %d: invalid key_mgmt '%s'", line, start); @@ -751,17 +877,34 @@ static int hostapd_config_read_wep(struct hostapd_wep_ { size_t len = os_strlen(val); - if (keyidx < 0 || keyidx > 3 || wep->key[keyidx] != NULL) + if (keyidx < 0 || keyidx > 3) return -1; + if (len == 0) { + int i, set = 0; + + bin_clear_free(wep->key[keyidx], wep->len[keyidx]); + wep->key[keyidx] = NULL; + wep->len[keyidx] = 0; + for (i = 0; i < NUM_WEP_KEYS; i++) { + if (wep->key[i]) + set++; + } + if (!set) + wep->keys_set = 0; + return 0; + } + + if (wep->key[keyidx] != NULL) + return -1; + if (val[0] == '"') { if (len < 2 || val[len - 1] != '"') return -1; len -= 2; - wep->key[keyidx] = os_malloc(len); + wep->key[keyidx] = os_memdup(val + 1, len); if (wep->key[keyidx] == NULL) return -1; - os_memcpy(wep->key[keyidx], val + 1, len); wep->len[keyidx] = len; } else { if (len & 1) 
@@ -974,7 +1117,27 @@ static int hostapd_config_tx_queue(struct hostapd_conf } -#ifdef CONFIG_IEEE80211R +#ifdef CONFIG_IEEE80211R_AP + +static int rkh_derive_key(const char *pos, u8 *key, size_t key_len) +{ + u8 oldkey[16]; + int ret; + + if (!hexstr2bin(pos, key, key_len)) + return 0; + + /* Try to use old short key for backwards compatibility */ + if (hexstr2bin(pos, oldkey, sizeof(oldkey))) + return -1; + + ret = hmac_sha256_kdf(oldkey, sizeof(oldkey), "FT OLDKEY", NULL, 0, + key, key_len); + os_memset(oldkey, 0, sizeof(oldkey)); + return ret; +} + + static int add_r0kh(struct hostapd_bss_config *bss, char *value) { struct ft_remote_r0kh *r0kh; @@ -1008,7 +1171,7 @@ static int add_r0kh(struct hostapd_bss_config *bss, ch os_memcpy(r0kh->id, pos, r0kh->id_len); pos = next; - if (hexstr2bin(pos, r0kh->key, sizeof(r0kh->key))) { + if (rkh_derive_key(pos, r0kh->key, sizeof(r0kh->key)) < 0) { wpa_printf(MSG_ERROR, "Invalid R0KH key: '%s'", pos); os_free(r0kh); return -1; @@ -1053,7 +1216,7 @@ static int add_r1kh(struct hostapd_bss_config *bss, ch } pos = next; - if (hexstr2bin(pos, r1kh->key, sizeof(r1kh->key))) { + if (rkh_derive_key(pos, r1kh->key, sizeof(r1kh->key)) < 0) { wpa_printf(MSG_ERROR, "Invalid R1KH key: '%s'", pos); os_free(r1kh); return -1; @@ -1064,7 +1227,7 @@ static int add_r1kh(struct hostapd_bss_config *bss, ch return 0; } -#endif /* CONFIG_IEEE80211R */ +#endif /* CONFIG_IEEE80211R_AP */ #ifdef CONFIG_IEEE80211N @@ -1081,6 +1244,12 @@ static int hostapd_config_ht_capab(struct hostapd_conf *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
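Review bot: hostapd_config_eap_user_salted() accepts a salt written with an odd number of hex digits. `user->salt_len = (pos2 - *pos) / 2;` rounds down, hexstr2bin() converts only that even prefix, and `*pos = pos2;` then steps over the leftover digit without any error. Reject the entry when the remaining length is odd, so a mistyped ssha1:/ssha256:/ssha512: line fails at load time instead of being stored with a salt that differs from the one in the file. The two allocation-failure messages are also word-for-word identical for the hash buffer and the salt buffer; making them distinct would tell the operator which allocation failed.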
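Review bot: the first hostapd_config_read_eap_user() hunk drops the `if (!fname) return 0;` guard while the next statement is still `os_strncmp(fname, "sqlite:", 7)`, so a NULL fname now reaches a string compare. If every caller has been changed to check for an unset eap_user_file before calling, state that in a comment at the top of the function; otherwise keep the guard.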
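Review bot: hostapd_parse_das_client() now writes into its argument with `*secret++ = '\0';`, which is why `val` lost its const qualifier, but nothing at the function says that the caller's buffer is split in place into address and secret. Add a one-line comment to that effect, and confirm that callers pass a writable buffer they do not use as a whole string afterwards.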
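Review bot: in hostapd_config_read_wep() the bounds check still hard-codes `keyidx > 3` while the new clearing loop runs to NUM_WEP_KEYS; write the check as `keyidx >= NUM_WEP_KEYS` so the two cannot drift apart. The new `len == 0` path also changes the accepted syntax, since an empty value now clears an existing key via bin_clear_free() and may reset keys_set, and that deserves a short comment above the branch.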
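Review bot: the backwards-compatibility path in rkh_derive_key() never checks how long the input is. When `hexstr2bin(pos, key, key_len)` fails, `hexstr2bin(pos, oldkey, sizeof(oldkey))` is tried on the same string and succeeds as soon as the first 32 characters are hex, so a full-length key with a typo past that point is silently replaced by a key derived from its first 16 bytes instead of producing "Invalid R0KH key" or "Invalid R1KH key". Require exactly 2 * sizeof(oldkey) hex digits before taking the fallback, and log when the "FT OLDKEY" derivation is used so operators can see which entries still carry legacy keys.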