Date: Thu, 29 Aug 2019 19:13:28 +0000 (UTC)
From: Cy Schubert <cy@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r351611 - in stable: 11/contrib/wpa/hostapd 11/contrib/wpa/hs20/client 11/contrib/wpa/src/ap 11/contrib/wpa/src/common 11/contrib/wpa/src/crypto 11/contrib/wpa/src/drivers 11/contrib/wp...
Message-ID: <201908291913.x7TJDSK8083970@repo.freebsd.org>
Author: cy
Date: Thu Aug 29 19:13:27 2019
New Revision: 351611
URL: https://svnweb.freebsd.org/changeset/base/351611

Log:
  MFC r351397:

  MFV r346563: Update wpa 2.8 --> 2.9

  hostapd:
  * SAE changes
    - disable use of groups using Brainpool curves
    - improved protection against side channel attacks
      [https://w1.fi/security/2019-6/]
  * EAP-pwd changes
    - disable use of groups using Brainpool curves
    - improved protection against side channel attacks
      [https://w1.fi/security/2019-6/]
  * fixed FT-EAP initial mobility domain association using PMKSA caching
  * added configuration of airtime policy
  * fixed FILS to and RSNE into (Re)Association Response frames
  * fixed DPP bootstrapping URI parser of channel list
  * added support for regulatory WMM limitation (for ETSI)
  * added support for MACsec Key Agreement using IEEE 802.1X/PSK
  * added experimental support for EAP-TEAP server (RFC 7170)
  * added experimental support for EAP-TLS server with TLS v1.3
  * added support for two server certificates/keys (RSA/ECC)
  * added AKMSuiteSelector into "STA <addr>" control interface data to
    determine which AKM was used for an association
  * added eap_sim_id parameter to allow EAP-SIM/AKA server pseudonym and
    fast reauthentication use to be disabled
  * fixed an ECDH operation corner case with OpenSSL

  wpa_supplicant:
  * SAE changes
    - disable use of groups using Brainpool curves
    - improved protection against side channel attacks
      [https://w1.fi/security/2019-6/]
  * EAP-pwd changes
    - disable use of groups using Brainpool curves
    - allow the set of groups to be configured (eap_pwd_groups)
    - improved protection against side channel attacks
      [https://w1.fi/security/2019-6/]
  * fixed FT-EAP initial mobility domain association using PMKSA caching
    (disabled by default for backwards compatibility; can be enabled
    with ft_eap_pmksa_caching=1)
  * fixed a regression in OpenSSL 1.1+ engine loading
  * added validation of RSNE in (Re)Association Response frames
  * fixed DPP bootstrapping URI parser of channel list
  * extended EAP-SIM/AKA fast re-authentication to allow use with FILS
  * extended ca_cert_blob to support PEM format
  * improved robustness of P2P Action frame scheduling
  * added support for EAP-SIM/AKA using anonymous@realm identity
  * fixed Hotspot 2.0 credential selection based on roaming consortium
    to ignore credentials without a specific EAP method
  * added experimental support for EAP-TEAP peer (RFC 7170)
  * added experimental support for EAP-TLS peer with TLS v1.3
  * fixed a regression in WMM parameter configuration for a TDLS peer
  * fixed a regression in operation with drivers that offload 802.1X
    4-way handshake
  * fixed an ECDH operation corner case with OpenSSL

  Security:	https://w1.fi/security/2019-6/\
  		sae-eap-pwd-side-channel-attack-update.txt

Added:
  stable/11/contrib/wpa/src/ap/airtime_policy.c
     - copied unchanged from r351397, head/contrib/wpa/src/ap/airtime_policy.c
  stable/11/contrib/wpa/src/ap/airtime_policy.h
     - copied unchanged from r351397, head/contrib/wpa/src/ap/airtime_policy.h
  stable/11/contrib/wpa/src/ap/wpa_auth_kay.c
     - copied unchanged from r351397, head/contrib/wpa/src/ap/wpa_auth_kay.c
  stable/11/contrib/wpa/src/ap/wpa_auth_kay.h
     - copied unchanged from r351397, head/contrib/wpa/src/ap/wpa_auth_kay.h
  stable/11/contrib/wpa/src/common/dragonfly.c
     - copied unchanged from r351397, head/contrib/wpa/src/common/dragonfly.c
  stable/11/contrib/wpa/src/common/dragonfly.h
     - copied unchanged from r351397, head/contrib/wpa/src/common/dragonfly.h
  stable/11/contrib/wpa/src/drivers/driver_atheros.c
     - copied unchanged from r351397, head/contrib/wpa/src/drivers/driver_atheros.c
  stable/11/contrib/wpa/src/drivers/driver_hostap.c
     - copied unchanged from r351397, head/contrib/wpa/src/drivers/driver_hostap.c
  stable/11/contrib/wpa/src/drivers/nl80211_copy.h
     - copied unchanged from r351397, head/contrib/wpa/src/drivers/nl80211_copy.h
  stable/11/contrib/wpa/src/eap_common/eap_teap_common.c
     - copied unchanged from r351397, head/contrib/wpa/src/eap_common/eap_teap_common.c
  stable/11/contrib/wpa/src/eap_common/eap_teap_common.h
     - copied unchanged from r351397, head/contrib/wpa/src/eap_common/eap_teap_common.h
  stable/11/contrib/wpa/src/eap_peer/eap_teap.c
     - copied unchanged from r351397, head/contrib/wpa/src/eap_peer/eap_teap.c
  stable/11/contrib/wpa/src/eap_peer/eap_teap_pac.c
     - copied unchanged from r351397, head/contrib/wpa/src/eap_peer/eap_teap_pac.c
  stable/11/contrib/wpa/src/eap_peer/eap_teap_pac.h
     - copied unchanged from r351397, head/contrib/wpa/src/eap_peer/eap_teap_pac.h
  stable/11/contrib/wpa/src/eap_server/eap_server_teap.c
     - copied unchanged from r351397, head/contrib/wpa/src/eap_server/eap_server_teap.c
Modified:
  stable/11/contrib/wpa/hostapd/ChangeLog
  stable/11/contrib/wpa/hostapd/config_file.c
  stable/11/contrib/wpa/hostapd/ctrl_iface.c
  stable/11/contrib/wpa/hostapd/defconfig
  stable/11/contrib/wpa/hostapd/eap_register.c
  stable/11/contrib/wpa/hostapd/hostapd.conf
  stable/11/contrib/wpa/hostapd/hostapd_cli.c
  stable/11/contrib/wpa/hostapd/main.c
  stable/11/contrib/wpa/hs20/client/osu_client.c
  stable/11/contrib/wpa/src/ap/accounting.c
  stable/11/contrib/wpa/src/ap/acs.c
  stable/11/contrib/wpa/src/ap/ap_config.c
  stable/11/contrib/wpa/src/ap/ap_config.h
  stable/11/contrib/wpa/src/ap/ap_drv_ops.c
  stable/11/contrib/wpa/src/ap/ap_drv_ops.h
  stable/11/contrib/wpa/src/ap/authsrv.c
  stable/11/contrib/wpa/src/ap/beacon.c
  stable/11/contrib/wpa/src/ap/ctrl_iface_ap.c
  stable/11/contrib/wpa/src/ap/dfs.c
  stable/11/contrib/wpa/src/ap/dpp_hostapd.c
  stable/11/contrib/wpa/src/ap/dpp_hostapd.h
  stable/11/contrib/wpa/src/ap/drv_callbacks.c
  stable/11/contrib/wpa/src/ap/gas_serv.c
  stable/11/contrib/wpa/src/ap/gas_serv.h
  stable/11/contrib/wpa/src/ap/hostapd.c
  stable/11/contrib/wpa/src/ap/hostapd.h
  stable/11/contrib/wpa/src/ap/hw_features.c
  stable/11/contrib/wpa/src/ap/ieee802_11.c
  stable/11/contrib/wpa/src/ap/ieee802_11.h
  stable/11/contrib/wpa/src/ap/ieee802_11_he.c
  stable/11/contrib/wpa/src/ap/ieee802_11_vht.c
  stable/11/contrib/wpa/src/ap/ieee802_1x.c
  stable/11/contrib/wpa/src/ap/ieee802_1x.h
  stable/11/contrib/wpa/src/ap/neighbor_db.c
  stable/11/contrib/wpa/src/ap/sta_info.c
  stable/11/contrib/wpa/src/ap/sta_info.h
  stable/11/contrib/wpa/src/ap/wmm.c
  stable/11/contrib/wpa/src/ap/wpa_auth.c
  stable/11/contrib/wpa/src/ap/wpa_auth.h
  stable/11/contrib/wpa/src/ap/wpa_auth_ft.c
  stable/11/contrib/wpa/src/ap/wpa_auth_glue.c
  stable/11/contrib/wpa/src/ap/wpa_auth_ie.c
  stable/11/contrib/wpa/src/common/dpp.c
  stable/11/contrib/wpa/src/common/dpp.h
  stable/11/contrib/wpa/src/common/hw_features_common.c
  stable/11/contrib/wpa/src/common/hw_features_common.h
  stable/11/contrib/wpa/src/common/ieee802_11_common.c
  stable/11/contrib/wpa/src/common/ieee802_11_common.h
  stable/11/contrib/wpa/src/common/ieee802_11_defs.h
  stable/11/contrib/wpa/src/common/qca-vendor.h
  stable/11/contrib/wpa/src/common/sae.c
  stable/11/contrib/wpa/src/common/sae.h
  stable/11/contrib/wpa/src/common/version.h
  stable/11/contrib/wpa/src/common/wpa_common.c
  stable/11/contrib/wpa/src/common/wpa_ctrl.h
  stable/11/contrib/wpa/src/crypto/aes_i.h
  stable/11/contrib/wpa/src/crypto/crypto.h
  stable/11/contrib/wpa/src/crypto/crypto_openssl.c
  stable/11/contrib/wpa/src/crypto/crypto_wolfssl.c
  stable/11/contrib/wpa/src/crypto/sha1-internal.c
  stable/11/contrib/wpa/src/crypto/sha1-prf.c
  stable/11/contrib/wpa/src/crypto/sha1-tlsprf.c
  stable/11/contrib/wpa/src/crypto/sha1-tprf.c
  stable/11/contrib/wpa/src/crypto/sha1.c
  stable/11/contrib/wpa/src/crypto/sha256-kdf.c
  stable/11/contrib/wpa/src/crypto/sha256-prf.c
  stable/11/contrib/wpa/src/crypto/sha256-tlsprf.c
  stable/11/contrib/wpa/src/crypto/sha256.h
  stable/11/contrib/wpa/src/crypto/sha384-kdf.c
  stable/11/contrib/wpa/src/crypto/sha384-prf.c
  stable/11/contrib/wpa/src/crypto/sha512-kdf.c
  stable/11/contrib/wpa/src/crypto/sha512-prf.c
  stable/11/contrib/wpa/src/crypto/tls.h
  stable/11/contrib/wpa/src/crypto/tls_openssl.c
  stable/11/contrib/wpa/src/crypto/tls_wolfssl.c
  stable/11/contrib/wpa/src/drivers/driver.h
  stable/11/contrib/wpa/src/drivers/driver_bsd.c
  stable/11/contrib/wpa/src/drivers/driver_common.c
  stable/11/contrib/wpa/src/drivers/driver_macsec_linux.c
  stable/11/contrib/wpa/src/drivers/driver_macsec_qca.c
  stable/11/contrib/wpa/src/drivers/driver_ndis.c
  stable/11/contrib/wpa/src/drivers/driver_nl80211.h
  stable/11/contrib/wpa/src/drivers/driver_nl80211_capa.c
  stable/11/contrib/wpa/src/drivers/driver_nl80211_event.c
  stable/11/contrib/wpa/src/drivers/driver_privsep.c
  stable/11/contrib/wpa/src/eap_common/eap_defs.h
  stable/11/contrib/wpa/src/eap_common/eap_pwd_common.c
  stable/11/contrib/wpa/src/eap_common/eap_sim_common.c
  stable/11/contrib/wpa/src/eap_common/eap_sim_common.h
  stable/11/contrib/wpa/src/eap_peer/eap.c
  stable/11/contrib/wpa/src/eap_peer/eap.h
  stable/11/contrib/wpa/src/eap_peer/eap_aka.c
  stable/11/contrib/wpa/src/eap_peer/eap_config.h
  stable/11/contrib/wpa/src/eap_peer/eap_eke.c
  stable/11/contrib/wpa/src/eap_peer/eap_leap.c
  stable/11/contrib/wpa/src/eap_peer/eap_methods.h
  stable/11/contrib/wpa/src/eap_peer/eap_peap.c
  stable/11/contrib/wpa/src/eap_peer/eap_pwd.c
  stable/11/contrib/wpa/src/eap_peer/eap_sim.c
  stable/11/contrib/wpa/src/eap_peer/eap_tls.c
  stable/11/contrib/wpa/src/eap_peer/eap_tls_common.c
  stable/11/contrib/wpa/src/eap_peer/eap_tls_common.h
  stable/11/contrib/wpa/src/eap_server/eap.h
  stable/11/contrib/wpa/src/eap_server/eap_i.h
  stable/11/contrib/wpa/src/eap_server/eap_methods.h
  stable/11/contrib/wpa/src/eap_server/eap_server.c
  stable/11/contrib/wpa/src/eap_server/eap_server_aka.c
  stable/11/contrib/wpa/src/eap_server/eap_server_pax.c
  stable/11/contrib/wpa/src/eap_server/eap_server_peap.c
  stable/11/contrib/wpa/src/eap_server/eap_server_pwd.c
  stable/11/contrib/wpa/src/eap_server/eap_server_sim.c
  stable/11/contrib/wpa/src/eap_server/eap_server_tls.c
  stable/11/contrib/wpa/src/eap_server/eap_server_tls_common.c
  stable/11/contrib/wpa/src/eap_server/eap_tls_common.h
  stable/11/contrib/wpa/src/eapol_auth/eapol_auth_sm.c
  stable/11/contrib/wpa/src/eapol_auth/eapol_auth_sm.h
  stable/11/contrib/wpa/src/eapol_supp/eapol_supp_sm.c
  stable/11/contrib/wpa/src/eapol_supp/eapol_supp_sm.h
  stable/11/contrib/wpa/src/p2p/p2p.c
  stable/11/contrib/wpa/src/p2p/p2p_go_neg.c
  stable/11/contrib/wpa/src/p2p/p2p_i.h
  stable/11/contrib/wpa/src/pae/ieee802_1x_kay.c
  stable/11/contrib/wpa/src/radius/radius_server.c
  stable/11/contrib/wpa/src/radius/radius_server.h
  stable/11/contrib/wpa/src/rsn_supp/wpa.c
  stable/11/contrib/wpa/src/rsn_supp/wpa.h
  stable/11/contrib/wpa/src/rsn_supp/wpa_ft.c
  stable/11/contrib/wpa/src/rsn_supp/wpa_i.h
  stable/11/contrib/wpa/src/tls/asn1.c
  stable/11/contrib/wpa/src/tls/libtommath.c
  stable/11/contrib/wpa/src/tls/x509v3.c
  stable/11/contrib/wpa/src/utils/common.c
  stable/11/contrib/wpa/src/utils/common.h
  stable/11/contrib/wpa/src/utils/trace.c
  stable/11/contrib/wpa/src/utils/wpa_debug.c
  stable/11/contrib/wpa/src/wps/wps.h
  stable/11/contrib/wpa/wpa_supplicant/Android.mk
  stable/11/contrib/wpa/wpa_supplicant/ChangeLog
  stable/11/contrib/wpa/wpa_supplicant/README-DPP
  stable/11/contrib/wpa/wpa_supplicant/ap.c
  stable/11/contrib/wpa/wpa_supplicant/ap.h
  stable/11/contrib/wpa/wpa_supplicant/bss.c
  stable/11/contrib/wpa/wpa_supplicant/config.c
  stable/11/contrib/wpa/wpa_supplicant/config.h
  stable/11/contrib/wpa/wpa_supplicant/config_file.c
  stable/11/contrib/wpa/wpa_supplicant/config_ssid.h
  stable/11/contrib/wpa/wpa_supplicant/ctrl_iface.c
  stable/11/contrib/wpa/wpa_supplicant/dbus/dbus_new_helpers.c
  stable/11/contrib/wpa/wpa_supplicant/defconfig
  stable/11/contrib/wpa/wpa_supplicant/dpp_supplicant.c
  stable/11/contrib/wpa/wpa_supplicant/dpp_supplicant.h
  stable/11/contrib/wpa/wpa_supplicant/driver_i.h
  stable/11/contrib/wpa/wpa_supplicant/eap_register.c
  stable/11/contrib/wpa/wpa_supplicant/eapol_test.c
  stable/11/contrib/wpa/wpa_supplicant/events.c
  stable/11/contrib/wpa/wpa_supplicant/ibss_rsn.c
  stable/11/contrib/wpa/wpa_supplicant/interworking.c
  stable/11/contrib/wpa/wpa_supplicant/mesh.c
  stable/11/contrib/wpa/wpa_supplicant/mesh_mpm.c
  stable/11/contrib/wpa/wpa_supplicant/notify.c
  stable/11/contrib/wpa/wpa_supplicant/notify.h
  stable/11/contrib/wpa/wpa_supplicant/op_classes.c
  stable/11/contrib/wpa/wpa_supplicant/p2p_supplicant.c
  stable/11/contrib/wpa/wpa_supplicant/preauth_test.c
  stable/11/contrib/wpa/wpa_supplicant/rrm.c
  stable/11/contrib/wpa/wpa_supplicant/sme.c
  stable/11/contrib/wpa/wpa_supplicant/wnm_sta.c
  stable/11/contrib/wpa/wpa_supplicant/wpa_cli.c
  stable/11/contrib/wpa/wpa_supplicant/wpa_supplicant.c
  stable/11/contrib/wpa/wpa_supplicant/wpa_supplicant.conf
  stable/11/contrib/wpa/wpa_supplicant/wpa_supplicant_i.h
  stable/11/contrib/wpa/wpa_supplicant/wpas_glue.c
Directory Properties:
  stable/11/   (props changed)

Changes in other areas also in this revision:
Added:
  stable/12/contrib/wpa/src/ap/airtime_policy.c
     - copied unchanged from r351397, head/contrib/wpa/src/ap/airtime_policy.c
  stable/12/contrib/wpa/src/ap/airtime_policy.h
     - copied unchanged from r351397, head/contrib/wpa/src/ap/airtime_policy.h
  stable/12/contrib/wpa/src/ap/wpa_auth_kay.c
     - copied unchanged from r351397, head/contrib/wpa/src/ap/wpa_auth_kay.c
  stable/12/contrib/wpa/src/ap/wpa_auth_kay.h
     - copied unchanged from r351397, head/contrib/wpa/src/ap/wpa_auth_kay.h
  stable/12/contrib/wpa/src/common/dragonfly.c
     - copied unchanged from r351397, head/contrib/wpa/src/common/dragonfly.c
  stable/12/contrib/wpa/src/common/dragonfly.h
     - copied unchanged from r351397, head/contrib/wpa/src/common/dragonfly.h
  stable/12/contrib/wpa/src/drivers/driver_atheros.c
     - copied unchanged from r351397, head/contrib/wpa/src/drivers/driver_atheros.c
  stable/12/contrib/wpa/src/drivers/driver_hostap.c
     - copied unchanged from r351397, head/contrib/wpa/src/drivers/driver_hostap.c
  stable/12/contrib/wpa/src/drivers/nl80211_copy.h
     - copied unchanged from r351397, head/contrib/wpa/src/drivers/nl80211_copy.h
  stable/12/contrib/wpa/src/eap_common/eap_teap_common.c
     - copied unchanged from r351397, head/contrib/wpa/src/eap_common/eap_teap_common.c
  stable/12/contrib/wpa/src/eap_common/eap_teap_common.h
     - copied unchanged from r351397, head/contrib/wpa/src/eap_common/eap_teap_common.h
  stable/12/contrib/wpa/src/eap_peer/eap_teap.c
     - copied unchanged from r351397, head/contrib/wpa/src/eap_peer/eap_teap.c
  stable/12/contrib/wpa/src/eap_peer/eap_teap_pac.c
     - copied unchanged from r351397, head/contrib/wpa/src/eap_peer/eap_teap_pac.c
  stable/12/contrib/wpa/src/eap_peer/eap_teap_pac.h
     - copied unchanged from r351397, head/contrib/wpa/src/eap_peer/eap_teap_pac.h
  stable/12/contrib/wpa/src/eap_server/eap_server_teap.c
     - copied unchanged from r351397, head/contrib/wpa/src/eap_server/eap_server_teap.c
Modified:
  stable/12/contrib/wpa/hostapd/ChangeLog
  stable/12/contrib/wpa/hostapd/config_file.c
  stable/12/contrib/wpa/hostapd/ctrl_iface.c
  stable/12/contrib/wpa/hostapd/defconfig
  stable/12/contrib/wpa/hostapd/eap_register.c
  stable/12/contrib/wpa/hostapd/hostapd.conf
  stable/12/contrib/wpa/hostapd/hostapd_cli.c
  stable/12/contrib/wpa/hostapd/main.c
  stable/12/contrib/wpa/hs20/client/osu_client.c
  stable/12/contrib/wpa/src/ap/accounting.c
  stable/12/contrib/wpa/src/ap/acs.c
  stable/12/contrib/wpa/src/ap/ap_config.c
  stable/12/contrib/wpa/src/ap/ap_config.h
  stable/12/contrib/wpa/src/ap/ap_drv_ops.c
  stable/12/contrib/wpa/src/ap/ap_drv_ops.h
  stable/12/contrib/wpa/src/ap/authsrv.c
  stable/12/contrib/wpa/src/ap/beacon.c
  stable/12/contrib/wpa/src/ap/ctrl_iface_ap.c
  stable/12/contrib/wpa/src/ap/dfs.c
  stable/12/contrib/wpa/src/ap/dpp_hostapd.c
  stable/12/contrib/wpa/src/ap/dpp_hostapd.h
  stable/12/contrib/wpa/src/ap/drv_callbacks.c
  stable/12/contrib/wpa/src/ap/gas_serv.c
  stable/12/contrib/wpa/src/ap/gas_serv.h
  stable/12/contrib/wpa/src/ap/hostapd.c
  stable/12/contrib/wpa/src/ap/hostapd.h
  stable/12/contrib/wpa/src/ap/hw_features.c
  stable/12/contrib/wpa/src/ap/ieee802_11.c
  stable/12/contrib/wpa/src/ap/ieee802_11.h
  stable/12/contrib/wpa/src/ap/ieee802_11_he.c
  stable/12/contrib/wpa/src/ap/ieee802_11_vht.c
  stable/12/contrib/wpa/src/ap/ieee802_1x.c
  stable/12/contrib/wpa/src/ap/ieee802_1x.h
  stable/12/contrib/wpa/src/ap/neighbor_db.c
  stable/12/contrib/wpa/src/ap/sta_info.c
  stable/12/contrib/wpa/src/ap/sta_info.h
  stable/12/contrib/wpa/src/ap/wmm.c
  stable/12/contrib/wpa/src/ap/wpa_auth.c
  stable/12/contrib/wpa/src/ap/wpa_auth.h
  stable/12/contrib/wpa/src/ap/wpa_auth_ft.c
  stable/12/contrib/wpa/src/ap/wpa_auth_glue.c
  stable/12/contrib/wpa/src/ap/wpa_auth_ie.c
  stable/12/contrib/wpa/src/common/dpp.c
  stable/12/contrib/wpa/src/common/dpp.h
  stable/12/contrib/wpa/src/common/hw_features_common.c
  stable/12/contrib/wpa/src/common/hw_features_common.h
  stable/12/contrib/wpa/src/common/ieee802_11_common.c
  stable/12/contrib/wpa/src/common/ieee802_11_common.h
  stable/12/contrib/wpa/src/common/ieee802_11_defs.h
  stable/12/contrib/wpa/src/common/qca-vendor.h
  stable/12/contrib/wpa/src/common/sae.c
  stable/12/contrib/wpa/src/common/sae.h
  stable/12/contrib/wpa/src/common/version.h
  stable/12/contrib/wpa/src/common/wpa_common.c
  stable/12/contrib/wpa/src/common/wpa_ctrl.h
  stable/12/contrib/wpa/src/crypto/aes_i.h
  stable/12/contrib/wpa/src/crypto/crypto.h
  stable/12/contrib/wpa/src/crypto/crypto_openssl.c
  stable/12/contrib/wpa/src/crypto/crypto_wolfssl.c
  stable/12/contrib/wpa/src/crypto/sha1-internal.c
  stable/12/contrib/wpa/src/crypto/sha1-prf.c
  stable/12/contrib/wpa/src/crypto/sha1-tlsprf.c
  stable/12/contrib/wpa/src/crypto/sha1-tprf.c
  stable/12/contrib/wpa/src/crypto/sha1.c
  stable/12/contrib/wpa/src/crypto/sha256-kdf.c
  stable/12/contrib/wpa/src/crypto/sha256-prf.c
  stable/12/contrib/wpa/src/crypto/sha256-tlsprf.c
  stable/12/contrib/wpa/src/crypto/sha256.h
  stable/12/contrib/wpa/src/crypto/sha384-kdf.c
  stable/12/contrib/wpa/src/crypto/sha384-prf.c
  stable/12/contrib/wpa/src/crypto/sha512-kdf.c
  stable/12/contrib/wpa/src/crypto/sha512-prf.c
  stable/12/contrib/wpa/src/crypto/tls.h
  stable/12/contrib/wpa/src/crypto/tls_openssl.c
  stable/12/contrib/wpa/src/crypto/tls_wolfssl.c
  stable/12/contrib/wpa/src/drivers/driver.h
  stable/12/contrib/wpa/src/drivers/driver_bsd.c
  stable/12/contrib/wpa/src/drivers/driver_common.c
  stable/12/contrib/wpa/src/drivers/driver_macsec_linux.c
  stable/12/contrib/wpa/src/drivers/driver_macsec_qca.c
  stable/12/contrib/wpa/src/drivers/driver_ndis.c
  stable/12/contrib/wpa/src/drivers/driver_nl80211.h
  stable/12/contrib/wpa/src/drivers/driver_nl80211_capa.c
  stable/12/contrib/wpa/src/drivers/driver_nl80211_event.c
  stable/12/contrib/wpa/src/drivers/driver_privsep.c
  stable/12/contrib/wpa/src/eap_common/eap_defs.h
  stable/12/contrib/wpa/src/eap_common/eap_pwd_common.c
  stable/12/contrib/wpa/src/eap_common/eap_sim_common.c
  stable/12/contrib/wpa/src/eap_common/eap_sim_common.h
  stable/12/contrib/wpa/src/eap_peer/eap.c
  stable/12/contrib/wpa/src/eap_peer/eap.h
  stable/12/contrib/wpa/src/eap_peer/eap_aka.c
  stable/12/contrib/wpa/src/eap_peer/eap_config.h
  stable/12/contrib/wpa/src/eap_peer/eap_eke.c
  stable/12/contrib/wpa/src/eap_peer/eap_leap.c
  stable/12/contrib/wpa/src/eap_peer/eap_methods.h
  stable/12/contrib/wpa/src/eap_peer/eap_peap.c
  stable/12/contrib/wpa/src/eap_peer/eap_pwd.c
  stable/12/contrib/wpa/src/eap_peer/eap_sim.c
  stable/12/contrib/wpa/src/eap_peer/eap_tls.c
  stable/12/contrib/wpa/src/eap_peer/eap_tls_common.c
  stable/12/contrib/wpa/src/eap_peer/eap_tls_common.h
  stable/12/contrib/wpa/src/eap_server/eap.h
  stable/12/contrib/wpa/src/eap_server/eap_i.h
  stable/12/contrib/wpa/src/eap_server/eap_methods.h
  stable/12/contrib/wpa/src/eap_server/eap_server.c
  stable/12/contrib/wpa/src/eap_server/eap_server_aka.c
  stable/12/contrib/wpa/src/eap_server/eap_server_pax.c
  stable/12/contrib/wpa/src/eap_server/eap_server_peap.c
  stable/12/contrib/wpa/src/eap_server/eap_server_pwd.c
  stable/12/contrib/wpa/src/eap_server/eap_server_sim.c
  stable/12/contrib/wpa/src/eap_server/eap_server_tls.c
  stable/12/contrib/wpa/src/eap_server/eap_server_tls_common.c
  stable/12/contrib/wpa/src/eap_server/eap_tls_common.h
  stable/12/contrib/wpa/src/eapol_auth/eapol_auth_sm.c
  stable/12/contrib/wpa/src/eapol_auth/eapol_auth_sm.h
  stable/12/contrib/wpa/src/eapol_supp/eapol_supp_sm.c
  stable/12/contrib/wpa/src/eapol_supp/eapol_supp_sm.h
  stable/12/contrib/wpa/src/p2p/p2p.c
  stable/12/contrib/wpa/src/p2p/p2p_go_neg.c
  stable/12/contrib/wpa/src/p2p/p2p_i.h
  stable/12/contrib/wpa/src/pae/ieee802_1x_kay.c
  stable/12/contrib/wpa/src/radius/radius_server.c
  stable/12/contrib/wpa/src/radius/radius_server.h
  stable/12/contrib/wpa/src/rsn_supp/wpa.c
  stable/12/contrib/wpa/src/rsn_supp/wpa.h
  stable/12/contrib/wpa/src/rsn_supp/wpa_ft.c
  stable/12/contrib/wpa/src/rsn_supp/wpa_i.h
  stable/12/contrib/wpa/src/tls/asn1.c
  stable/12/contrib/wpa/src/tls/libtommath.c
  stable/12/contrib/wpa/src/tls/x509v3.c
  stable/12/contrib/wpa/src/utils/common.c
  stable/12/contrib/wpa/src/utils/common.h
  stable/12/contrib/wpa/src/utils/trace.c
  stable/12/contrib/wpa/src/utils/wpa_debug.c
  stable/12/contrib/wpa/src/wps/wps.h
  stable/12/contrib/wpa/wpa_supplicant/Android.mk
  stable/12/contrib/wpa/wpa_supplicant/ChangeLog
  stable/12/contrib/wpa/wpa_supplicant/README-DPP
  stable/12/contrib/wpa/wpa_supplicant/ap.c
  stable/12/contrib/wpa/wpa_supplicant/ap.h
  stable/12/contrib/wpa/wpa_supplicant/bss.c
  stable/12/contrib/wpa/wpa_supplicant/config.c
  stable/12/contrib/wpa/wpa_supplicant/config.h
  stable/12/contrib/wpa/wpa_supplicant/config_file.c
  stable/12/contrib/wpa/wpa_supplicant/config_ssid.h
  stable/12/contrib/wpa/wpa_supplicant/ctrl_iface.c
  stable/12/contrib/wpa/wpa_supplicant/dbus/dbus_new_helpers.c
  stable/12/contrib/wpa/wpa_supplicant/defconfig
  stable/12/contrib/wpa/wpa_supplicant/dpp_supplicant.c
  stable/12/contrib/wpa/wpa_supplicant/dpp_supplicant.h
  stable/12/contrib/wpa/wpa_supplicant/driver_i.h
  stable/12/contrib/wpa/wpa_supplicant/eap_register.c
  stable/12/contrib/wpa/wpa_supplicant/eapol_test.c
  stable/12/contrib/wpa/wpa_supplicant/events.c
  stable/12/contrib/wpa/wpa_supplicant/ibss_rsn.c
  stable/12/contrib/wpa/wpa_supplicant/interworking.c
  stable/12/contrib/wpa/wpa_supplicant/mesh.c
  stable/12/contrib/wpa/wpa_supplicant/mesh_mpm.c
  stable/12/contrib/wpa/wpa_supplicant/notify.c
  stable/12/contrib/wpa/wpa_supplicant/notify.h
  stable/12/contrib/wpa/wpa_supplicant/op_classes.c
  stable/12/contrib/wpa/wpa_supplicant/p2p_supplicant.c
  stable/12/contrib/wpa/wpa_supplicant/preauth_test.c
  stable/12/contrib/wpa/wpa_supplicant/rrm.c
  stable/12/contrib/wpa/wpa_supplicant/sme.c
  stable/12/contrib/wpa/wpa_supplicant/wnm_sta.c
  stable/12/contrib/wpa/wpa_supplicant/wpa_cli.c
  stable/12/contrib/wpa/wpa_supplicant/wpa_supplicant.c
  stable/12/contrib/wpa/wpa_supplicant/wpa_supplicant.conf
  stable/12/contrib/wpa/wpa_supplicant/wpa_supplicant_i.h
  stable/12/contrib/wpa/wpa_supplicant/wpas_glue.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/11/contrib/wpa/hostapd/ChangeLog
==============================================================================
--- stable/11/contrib/wpa/hostapd/ChangeLog Thu Aug 29 18:53:00 2019 (r351610)
+++ stable/11/contrib/wpa/hostapd/ChangeLog Thu Aug 29 19:13:27 2019 (r351611)
@@ -1,5 +1,29 @@ ChangeLog for hostapd +2019-08-07 - v2.9 + * SAE changes + - disable use of groups using Brainpool curves + - improved protection against side channel attacks + [https://w1.fi/security/2019-6/] + * EAP-pwd changes + - disable use of groups using Brainpool curves + - improved protection against side channel attacks + [https://w1.fi/security/2019-6/] + * fixed FT-EAP initial mobility domain association using PMKSA caching + * added configuration of airtime policy + * fixed FILS to and RSNE into (Re)Association Response frames + * fixed DPP bootstrapping URI parser of channel list + * added support for regulatory WMM limitation (for ETSI) + * added support for MACsec Key Agreement using IEEE 802.1X/PSK + * added experimental support for EAP-TEAP server (RFC 7170) + * added experimental support for EAP-TLS server with TLS v1.3 + * added support for two server certificates/keys (RSA/ECC) + * added AKMSuiteSelector into "STA <addr>" control interface data to + determine with AKM was used for an association + * added eap_sim_id parameter to allow EAP-SIM/AKA server pseudonym and + fast reauthentication use to be disabled + * fixed an ECDH operation corner case with OpenSSL + 2019-04-21 - v2.8 * SAE changes - added support for SAE Password Identifier Modified: stable/11/contrib/wpa/hostapd/config_file.c ============================================================================== --- stable/11/contrib/wpa/hostapd/config_file.c Thu Aug 29 18:53:00 2019 (r351610) +++ stable/11/contrib/wpa/hostapd/config_file.c Thu Aug 29 19:13:27 2019 (r351611) @@ -24,14 +24,6 @@ #include "config_file.h" -#ifndef CONFIG_NO_RADIUS -#ifdef EAP_SERVER -static struct hostapd_radius_attr * -hostapd_parse_radius_attr(const char *value); -#endif /* EAP_SERVER */ -#endif /* CONFIG_NO_RADIUS */ - - #ifndef CONFIG_NO_VLAN static int hostapd_config_read_vlan_file(struct hostapd_bss_config *bss, const char *fname) 
@@ -660,76 +652,7 @@ hostapd_config_read_radius_addr(struct hostapd_radius_ } -static struct hostapd_radius_attr * -hostapd_parse_radius_attr(const char *value) -{ - const char *pos; - char syntax; - struct hostapd_radius_attr *attr; - size_t len; - attr = os_zalloc(sizeof(*attr)); - if (attr == NULL) - return NULL; - - attr->type = atoi(value); - - pos = os_strchr(value, ':'); - if (pos == NULL) { - attr->val = wpabuf_alloc(1); - if (attr->val == NULL) { - os_free(attr); - return NULL; - } - wpabuf_put_u8(attr->val, 0); - return attr; - } - - pos++; - if (pos[0] == '\0' || pos[1] != ':') { - os_free(attr); - return NULL; - } - syntax = *pos++; - pos++; - - switch (syntax) { - case 's': - attr->val = wpabuf_alloc_copy(pos, os_strlen(pos)); - break; - case 'x': - len = os_strlen(pos); - if (len & 1) - break; - len /= 2; - attr->val = wpabuf_alloc(len); - if (attr->val == NULL) - break; - if (hexstr2bin(pos, wpabuf_put(attr->val, len), len) < 0) { - wpabuf_free(attr->val); - os_free(attr); - return NULL; - } - break; - case 'd': - attr->val = wpabuf_alloc(4); - if (attr->val) - wpabuf_put_be32(attr->val, atoi(pos)); - break; - default: - os_free(attr); - return NULL; - } - - if (attr->val == NULL) { - os_free(attr); - return NULL; - } - - return attr; -} - - static int hostapd_parse_das_client(struct hostapd_bss_config *bss, char *val) { char *secret; 
@@ -2313,6 +2236,42 @@ static unsigned int parse_tls_flags(const char *val) #endif /* EAP_SERVER */ +#ifdef CONFIG_AIRTIME_POLICY +static int add_airtime_weight(struct hostapd_bss_config *bss, char *value) +{ + struct airtime_sta_weight *wt; + char *pos, *next; + + wt = os_zalloc(sizeof(*wt)); + if (!wt) + return -1; + + /* 02:01:02:03:04:05 10 */ + pos = value; + next = os_strchr(pos, ' '); + if (next) + *next++ = '\0'; + if (!next || hwaddr_aton(pos, wt->addr)) { + wpa_printf(MSG_ERROR, "Invalid station address: '%s'", pos); + os_free(wt); + return -1; + } + + pos = next; + wt->weight = atoi(pos); + if (!wt->weight) { + wpa_printf(MSG_ERROR, "Invalid weight: '%s'", pos); + os_free(wt); + return -1; + } + + wt->next = bss->airtime_weight_list; + bss->airtime_weight_list = wt; + return 0; +} +#endif /* CONFIG_AIRTIME_POLICY */ + + #ifdef CONFIG_SAE static int parse_sae_password(struct hostapd_bss_config *bss, const char *val) { @@ -2376,6 +2335,36 @@ fail: #endif /* CONFIG_SAE */ +#ifdef CONFIG_DPP2 +static int hostapd_dpp_controller_parse(struct hostapd_bss_config *bss, + const char *pos) +{ + struct dpp_controller_conf *conf; + char *val; + + conf = os_zalloc(sizeof(*conf)); + if (!conf) + return -1; + val = get_param(pos, "ipaddr="); + if (!val || hostapd_parse_ip_addr(val, &conf->ipaddr)) + goto fail; + os_free(val); + val = get_param(pos, "pkhash="); + if (!val || os_strlen(val) != 2 * SHA256_MAC_LEN || + hexstr2bin(val, conf->pkhash, SHA256_MAC_LEN) < 0) + goto fail; + os_free(val); + conf->next = bss->dpp_controller; + bss->dpp_controller = conf; + return 0; +fail: + os_free(val); + os_free(conf); + return -1; +} +#endif /* CONFIG_DPP2 */ + + static int hostapd_config_fill(struct hostapd_config *conf, struct hostapd_bss_config *bss, const char *buf, char *pos, int line) 
@@ -2496,7 +2485,11 @@ static int hostapd_config_fill(struct hostapd_config * } else if (os_strcmp(buf, "eapol_version") == 0) { int eapol_version = atoi(pos); +#ifdef CONFIG_MACSEC + if (eapol_version < 1 || eapol_version > 3) { +#else /* CONFIG_MACSEC */ if (eapol_version < 1 || eapol_version > 2) { +#endif /* CONFIG_MACSEC */ wpa_printf(MSG_ERROR, "Line %d: invalid EAPOL version (%d): '%s'.", line, eapol_version, pos); @@ -2519,12 +2512,21 @@ static int hostapd_config_fill(struct hostapd_config * } else if (os_strcmp(buf, "server_cert") == 0) { os_free(bss->server_cert); bss->server_cert = os_strdup(pos); + } else if (os_strcmp(buf, "server_cert2") == 0) { + os_free(bss->server_cert2); + bss->server_cert2 = os_strdup(pos); } else if (os_strcmp(buf, "private_key") == 0) { os_free(bss->private_key); bss->private_key = os_strdup(pos); + } else if (os_strcmp(buf, "private_key2") == 0) { + os_free(bss->private_key2); + bss->private_key2 = os_strdup(pos); } else if (os_strcmp(buf, "private_key_passwd") == 0) { os_free(bss->private_key_passwd); bss->private_key_passwd = os_strdup(pos); + } else if (os_strcmp(buf, "private_key_passwd2") == 0) { + os_free(bss->private_key_passwd2); + bss->private_key_passwd2 = os_strdup(pos); } else if (os_strcmp(buf, "check_cert_subject") == 0) { if (!pos[0]) { wpa_printf(MSG_ERROR, "Line %d: unknown check_cert_subject '%s'", 
@@ -2605,6 +2607,20 @@ static int hostapd_config_fill(struct hostapd_config * } else if (os_strcmp(buf, "pac_key_refresh_time") == 0) { bss->pac_key_refresh_time = atoi(pos); #endif /* EAP_SERVER_FAST */ +#ifdef EAP_SERVER_TEAP + } else if (os_strcmp(buf, "eap_teap_auth") == 0) { + int val = atoi(pos); + + if (val < 0 || val > 1) { + wpa_printf(MSG_ERROR, + "Line %d: Invalid eap_teap_auth value", + line); + return 1; + } + bss->eap_teap_auth = val; + } else if (os_strcmp(buf, "eap_teap_pac_no_inner") == 0) { + bss->eap_teap_pac_no_inner = atoi(pos); +#endif /* EAP_SERVER_TEAP */ #ifdef EAP_SERVER_SIM } else if (os_strcmp(buf, "eap_sim_db") == 0) { os_free(bss->eap_sim_db); @@ -2613,6 +2629,8 @@ static int hostapd_config_fill(struct hostapd_config * bss->eap_sim_db_timeout = atoi(pos); } else if (os_strcmp(buf, "eap_sim_aka_result_ind") == 0) { bss->eap_sim_aka_result_ind = atoi(pos); + } else if (os_strcmp(buf, "eap_sim_id") == 0) { + bss->eap_sim_id = atoi(pos); #endif /* EAP_SERVER_SIM */ #ifdef EAP_SERVER_TNC } else if (os_strcmp(buf, "tnc") == 0) { @@ -2816,6 +2834,9 @@ static int hostapd_config_fill(struct hostapd_config * a = a->next; a->next = attr; } + } else if (os_strcmp(buf, "radius_req_attr_sqlite") == 0) { + os_free(bss->radius_req_attr_sqlite); + bss->radius_req_attr_sqlite = os_strdup(pos); } else if (os_strcmp(buf, "radius_das_port") == 0) { bss->radius_das_port = atoi(pos); } else if (os_strcmp(buf, "radius_das_client") == 0) { @@ -3442,6 +3463,8 @@ static int hostapd_config_fill(struct hostapd_config * conf->he_op.he_twt_required = atoi(pos); } else if (os_strcmp(buf, "he_rts_threshold") == 0) { conf->he_op.he_rts_threshold = atoi(pos); + } else if (os_strcmp(buf, "he_basic_mcs_nss_set") == 0) { + conf->he_op.he_basic_mcs_nss_set = atoi(pos); } else if (os_strcmp(buf, "he_mu_edca_qos_info_param_count") == 0) { conf->he_mu_edca.he_qos_info |= set_he_cap(atoi(pos), HE_QOS_INFO_EDCA_PARAM_SET_COUNT); 
@@ -3526,6 +3549,20 @@ static int hostapd_config_fill(struct hostapd_config * } else if (os_strcmp(buf, "he_mu_edca_ac_vo_timer") == 0) { conf->he_mu_edca.he_mu_ac_vo_param[HE_MU_AC_PARAM_TIMER_IDX] = atoi(pos) & 0xff; + } else if (os_strcmp(buf, "he_spr_sr_control") == 0) { + conf->spr.sr_control = atoi(pos) & 0xff; + } else if (os_strcmp(buf, "he_spr_non_srg_obss_pd_max_offset") == 0) { + conf->spr.non_srg_obss_pd_max_offset = atoi(pos); + } else if (os_strcmp(buf, "he_spr_srg_obss_pd_min_offset") == 0) { + conf->spr.srg_obss_pd_min_offset = atoi(pos); + } else if (os_strcmp(buf, "he_spr_srg_obss_pd_max_offset") == 0) { + conf->spr.srg_obss_pd_max_offset = atoi(pos); + } else if (os_strcmp(buf, "he_oper_chwidth") == 0) { + conf->he_oper_chwidth = atoi(pos); + } else if (os_strcmp(buf, "he_oper_centr_freq_seg0_idx") == 0) { + conf->he_oper_centr_freq_seg0_idx = atoi(pos); + } else if (os_strcmp(buf, "he_oper_centr_freq_seg1_idx") == 0) { + conf->he_oper_centr_freq_seg1_idx = atoi(pos); #endif /* CONFIG_IEEE80211AX */ } else if (os_strcmp(buf, "max_listen_interval") == 0) { bss->max_listen_interval = atoi(pos); @@ -4298,6 +4335,11 @@ static int hostapd_config_fill(struct hostapd_config * } else if (os_strcmp(buf, "dpp_csign") == 0) { if (parse_wpabuf_hex(line, buf, &bss->dpp_csign, pos)) return 1; +#ifdef CONFIG_DPP2 + } else if (os_strcmp(buf, "dpp_controller") == 0) { + if (hostapd_dpp_controller_parse(bss, pos)) + return 1; +#endif /* CONFIG_DPP2 */ #endif /* CONFIG_DPP */ #ifdef CONFIG_OWE } else if (os_strcmp(buf, "owe_transition_bssid") == 0) { 
@@ -4349,6 +4391,121 @@ static int hostapd_config_fill(struct hostapd_config * conf->rssi_reject_assoc_timeout = atoi(pos); } else if (os_strcmp(buf, "pbss") == 0) { bss->pbss = atoi(pos); +#ifdef CONFIG_AIRTIME_POLICY + } else if (os_strcmp(buf, "airtime_mode") == 0) { + int val = atoi(pos); + + if (val < 0 || val > AIRTIME_MODE_MAX) { + wpa_printf(MSG_ERROR, "Line %d: Unknown airtime_mode", + line); + return 1; + } + conf->airtime_mode = val; + } else if (os_strcmp(buf, "airtime_update_interval") == 0) { + conf->airtime_update_interval = atoi(pos); + } else if (os_strcmp(buf, "airtime_bss_weight") == 0) { + bss->airtime_weight = atoi(pos); + } else if (os_strcmp(buf, "airtime_bss_limit") == 0) { + int val = atoi(pos); + + if (val < 0 || val > 1) { + wpa_printf(MSG_ERROR, + "Line %d: Invalid airtime_bss_limit (must be 0 or 1)", + line); + return 1; + } + bss->airtime_limit = val; + } else if (os_strcmp(buf, "airtime_sta_weight") == 0) { + if (add_airtime_weight(bss, pos) < 0) { + wpa_printf(MSG_ERROR, + "Line %d: Invalid airtime weight '%s'", + line, pos); + return 1; + } +#endif /* CONFIG_AIRTIME_POLICY */ +#ifdef CONFIG_MACSEC + } else if (os_strcmp(buf, "macsec_policy") == 0) { + int macsec_policy = atoi(pos); + + if (macsec_policy < 0 || macsec_policy > 1) { + wpa_printf(MSG_ERROR, + "Line %d: invalid macsec_policy (%d): '%s'.", + line, macsec_policy, pos); + return 1; + } + bss->macsec_policy = macsec_policy; + } else if (os_strcmp(buf, "macsec_integ_only") == 0) { + int macsec_integ_only = atoi(pos); + + if (macsec_integ_only < 0 || macsec_integ_only > 1) { + wpa_printf(MSG_ERROR, + "Line %d: invalid macsec_integ_only (%d): '%s'.", + line, macsec_integ_only, pos); + return 1; + } + bss->macsec_integ_only = macsec_integ_only; + } else if (os_strcmp(buf, "macsec_replay_protect") == 0) { + int macsec_replay_protect = atoi(pos); + + if (macsec_replay_protect < 0 || macsec_replay_protect > 1) { + wpa_printf(MSG_ERROR, + "Line %d: invalid macsec_replay_protect 
(%d): '%s'.", + line, macsec_replay_protect, pos); + return 1; + } + bss->macsec_replay_protect = macsec_replay_protect; + } else if (os_strcmp(buf, "macsec_replay_window") == 0) { + bss->macsec_replay_window = atoi(pos); + } else if (os_strcmp(buf, "macsec_port") == 0) { + int macsec_port = atoi(pos); + + if (macsec_port < 1 || macsec_port > 65534) { + wpa_printf(MSG_ERROR, + "Line %d: invalid macsec_port (%d): '%s'.", + line, macsec_port, pos); + return 1; + } + bss->macsec_port = macsec_port; + } else if (os_strcmp(buf, "mka_priority") == 0) { + int mka_priority = atoi(pos); + + if (mka_priority < 0 || mka_priority > 255) { + wpa_printf(MSG_ERROR, + "Line %d: invalid mka_priority (%d): '%s'.", + line, mka_priority, pos); + return 1; + } + bss->mka_priority = mka_priority; + } else if (os_strcmp(buf, "mka_cak") == 0) { + size_t len = os_strlen(pos); + + if (len > 2 * MACSEC_CAK_MAX_LEN || + (len != 2 * 16 && len != 2 * 32) || + hexstr2bin(pos, bss->mka_cak, len / 2)) { + wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CAK '%s'.", + line, pos); + return 1; + } + bss->mka_cak_len = len / 2; + bss->mka_psk_set |= MKA_PSK_SET_CAK; + } else if (os_strcmp(buf, "mka_ckn") == 0) { + size_t len = os_strlen(pos); + + if (len > 2 * MACSEC_CKN_MAX_LEN || /* too long */ + len < 2 || /* too short */ + len % 2 != 0 /* not an integral number of bytes */) { + wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CKN '%s'.", + line, pos); + return 1; + } + bss->mka_ckn_len = len / 2; + if (hexstr2bin(pos, bss->mka_ckn, bss->mka_ckn_len)) { + wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CKN '%s'.", + line, pos); + return -1; + } + bss->mka_psk_set |= MKA_PSK_SET_CKN; +#endif /* CONFIG_MACSEC */ } else { wpa_printf(MSG_ERROR, "Line %d: unknown configuration item '%s'", Modified: stable/11/contrib/wpa/hostapd/ctrl_iface.c ============================================================================== --- stable/11/contrib/wpa/hostapd/ctrl_iface.c Thu Aug 29 18:53:00 2019 (r351610) +++ 
stable/11/contrib/wpa/hostapd/ctrl_iface.c Thu Aug 29 19:13:27 2019 (r351611) @@ -1830,26 +1830,40 @@ static void hostapd_data_test_rx(void *ctx, const u8 * struct iphdr ip; const u8 *pos; unsigned int i; + char extra[30]; - if (len != HWSIM_PACKETLEN) + if (len < sizeof(*eth) + sizeof(ip) || len > HWSIM_PACKETLEN) { + wpa_printf(MSG_DEBUG, + "test data: RX - ignore unexpected length %d", + (int) len); return; + } eth = (const struct ether_header *) buf; os_memcpy(&ip, eth + 1, sizeof(ip)); pos = &buf[sizeof(*eth) + sizeof(ip)]; if (ip.ihl != 5 || ip.version != 4 || - ntohs(ip.tot_len) != HWSIM_IP_LEN) + ntohs(ip.tot_len) > HWSIM_IP_LEN) { + wpa_printf(MSG_DEBUG, + "test data: RX - ignore unexpect IP header"); return; + } - for (i = 0; i < HWSIM_IP_LEN - sizeof(ip); i++) { - if (*pos != (u8) i) + for (i = 0; i < ntohs(ip.tot_len) - sizeof(ip); i++) { + if (*pos != (u8) i) { + wpa_printf(MSG_DEBUG, + "test data: RX - ignore mismatching payload"); return; + } pos++; } - wpa_msg(hapd->msg_ctx, MSG_INFO, "DATA-TEST-RX " MACSTR " " MACSTR, - MAC2STR(eth->ether_dhost), MAC2STR(eth->ether_shost)); + extra[0] = '\0'; + if (ntohs(ip.tot_len) != HWSIM_IP_LEN) + os_snprintf(extra, sizeof(extra), " len=%d", ntohs(ip.tot_len)); + wpa_msg(hapd->msg_ctx, MSG_INFO, "DATA-TEST-RX " MACSTR " " MACSTR "%s", + MAC2STR(eth->ether_dhost), MAC2STR(eth->ether_shost), extra); } @@ -1894,7 +1908,7 @@ static int hostapd_ctrl_iface_data_test_config(struct static int hostapd_ctrl_iface_data_test_tx(struct hostapd_data *hapd, char *cmd) { u8 dst[ETH_ALEN], src[ETH_ALEN]; - char *pos; + char *pos, *pos2; int used; long int val; u8 tos; @@ -1903,11 +1917,12 @@ static int hostapd_ctrl_iface_data_test_tx(struct host struct iphdr *ip; u8 *dpos; unsigned int i; + size_t send_len = HWSIM_IP_LEN; if (hapd->l2_test == NULL) return -1; - /* format: <dst> <src> <tos> */ + /* format: <dst> <src> <tos> [len=<length>] */ pos = cmd; used = hwaddr_aton2(pos, dst); 
@@ -1921,11 +1936,19 @@ static int hostapd_ctrl_iface_data_test_tx(struct host return -1; pos += used; - val = strtol(pos, NULL, 0); + val = strtol(pos, &pos2, 0); if (val < 0 || val > 0xff) return -1; tos = val; + pos = os_strstr(pos2, " len="); + if (pos) { + i = atoi(pos + 5); + if (i < sizeof(*ip) || i > HWSIM_IP_LEN) + return -1; + send_len = i; + } + eth = (struct ether_header *) &buf[2]; os_memcpy(eth->ether_dhost, dst, ETH_ALEN); os_memcpy(eth->ether_shost, src, ETH_ALEN); @@ -1936,17 +1959,17 @@ static int hostapd_ctrl_iface_data_test_tx(struct host ip->version = 4; ip->ttl = 64; ip->tos = tos; - ip->tot_len = htons(HWSIM_IP_LEN); + ip->tot_len = htons(send_len); ip->protocol = 1; ip->saddr = htonl(192U << 24 | 168 << 16 | 1 << 8 | 1); ip->daddr = htonl(192U << 24 | 168 << 16 | 1 << 8 | 2); ip->check = ipv4_hdr_checksum(ip, sizeof(*ip)); dpos = (u8 *) (ip + 1); - for (i = 0; i < HWSIM_IP_LEN - sizeof(*ip); i++) + for (i = 0; i < send_len - sizeof(*ip); i++) *dpos++ = i; if (l2_packet_send(hapd->l2_test, dst, ETHERTYPE_IP, &buf[2], - HWSIM_PACKETLEN) < 0) + sizeof(struct ether_header) + send_len) < 0) return -1; wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "test data: TX dst=" MACSTR Modified: stable/11/contrib/wpa/hostapd/defconfig ============================================================================== --- stable/11/contrib/wpa/hostapd/defconfig Thu Aug 29 18:53:00 2019 (r351610) +++ stable/11/contrib/wpa/hostapd/defconfig Thu Aug 29 19:13:27 2019 (r351611) 
@@ -108,11 +108,18 @@ CONFIG_EAP_TTLS=y #CONFIG_EAP_GPSK_SHA256=y # EAP-FAST for the integrated EAP server -# Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed -# for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g., -# with openssl-0.9.8x-tls-extensions.patch, to add the needed functions. #CONFIG_EAP_FAST=y +# EAP-TEAP for the integrated EAP server +# Note: The current EAP-TEAP implementation is experimental and should not be +# enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number +# of conflicting statements and missing details and the implementation has +# vendor specific workarounds for those and as such, may not interoperate with +# any other implementation. This should not be used for anything else than +# experimentation and interoperability testing until those issues has been +# resolved. +#CONFIG_EAP_TEAP=y + # Wi-Fi Protected Setup (WPS) #CONFIG_WPS=y # Enable UPnP support for external WPS Registrars @@ -375,6 +382,9 @@ CONFIG_IPV6=y # Opportunistic Wireless Encryption (OWE) # Experimental implementation of draft-harkins-owe-07.txt #CONFIG_OWE=y + +# Airtime policy support +#CONFIG_AIRTIME_POLICY=y # Override default value for the wpa_disable_eapol_key_retries configuration # parameter. See that parameter in hostapd.conf for more details. Modified: stable/11/contrib/wpa/hostapd/eap_register.c ============================================================================== --- stable/11/contrib/wpa/hostapd/eap_register.c Thu Aug 29 18:53:00 2019 (r351610) +++ stable/11/contrib/wpa/hostapd/eap_register.c Thu Aug 29 19:13:27 2019 (r351611) 
@@ -121,6 +121,11 @@ int eap_server_register_methods(void) ret = eap_server_fast_register(); #endif /* EAP_SERVER_FAST */ +#ifdef EAP_SERVER_TEAP + if (ret == 0) + ret = eap_server_teap_register(); +#endif /* EAP_SERVER_TEAP */ + #ifdef EAP_SERVER_WSC if (ret == 0) ret = eap_server_wsc_register(); Modified: stable/11/contrib/wpa/hostapd/hostapd.conf ============================================================================== --- stable/11/contrib/wpa/hostapd/hostapd.conf Thu Aug 29 18:53:00 2019 (r351610) +++ stable/11/contrib/wpa/hostapd/hostapd.conf Thu Aug 29 19:13:27 2019 (r351611) @@ -782,10 +782,8 @@ wmm_ac_vo_acm=0 # 1 = supported #he_mu_beamformer=1 -# he_bss_color: BSS color -# 0 = no BSS color (default) -# unsigned integer = BSS color -#he_bss_color=0 +# he_bss_color: BSS color (1-63) +#he_bss_color=1 #he_default_pe_duration: The duration of PE field in an HE PPDU in us # Possible values are 0 us (default), 4 us, 8 us, 12 us, and 16 us @@ -801,6 +799,17 @@ wmm_ac_vo_acm=0 # unsigned integer = duration in units of 16 us #he_rts_threshold=0 +# HE operating channel information; see matching vht_* parameters for details. +#he_oper_chwidth +#he_oper_centr_freq_seg0_idx +#he_oper_centr_freq_seg1_idx + +#he_basic_mcs_nss_set: Basic NSS/MCS set +# 16-bit combination of 2-bit values of Max HE-MCS For 1..8 SS; each 2-bit +# value having following meaning: +# 0 = HE-MCS 0-7, 1 = HE-MCS 0-9, 2 = HE-MCS 0-11, 3 = not supported +#he_basic_mcs_nss_set + #he_mu_edca_qos_info_param_count #he_mu_edca_qos_info_q_ack #he_mu_edca_qos_info_queue_request=1 @@ -825,6 +834,12 @@ wmm_ac_vo_acm=0 #he_mu_edca_ac_vo_ecwmax=15 #he_mu_edca_ac_vo_timer=255 +# Spatial Reuse Parameter Set +#he_spr_sr_control +#he_spr_non_srg_obss_pd_max_offset +#he_spr_srg_obss_pd_min_offset +#he_spr_srg_obss_pd_max_offset + ##### IEEE 802.1X-2004 related configuration ################################## # Require IEEE 802.1X authorization 
@@ -836,6 +851,8 @@ wmm_ac_vo_acm=0 # the new version number correctly (they seem to drop the frames completely). # In order to make hostapd interoperate with these clients, the version number # can be set to the older version (1) with this configuration value. +# Note: When using MACsec, eapol_version shall be set to 3, which is +# defined in IEEE Std 802.1X-2010. #eapol_version=2 # Optional displayable message sent with EAP Request-Identity. The first \0 
@@ -879,6 +896,54 @@ eapol_key_index_workaround=0 # ERP is enabled (eap_server_erp=1). #erp_domain=example.com +##### MACsec ################################################################## + +# macsec_policy: IEEE 802.1X/MACsec options +# This determines how sessions are secured with MACsec (only for MACsec +# drivers). +# 0: MACsec not in use (default) +# 1: MACsec enabled - Should secure, accept key server's advice to +# determine whether to use a secure session or not. +# +# macsec_integ_only: IEEE 802.1X/MACsec transmit mode +# This setting applies only when MACsec is in use, i.e., +# - macsec_policy is enabled +# - the key server has decided to enable MACsec +# 0: Encrypt traffic (default) +# 1: Integrity only +# +# macsec_replay_protect: IEEE 802.1X/MACsec replay protection +# This setting applies only when MACsec is in use, i.e., +# - macsec_policy is enabled +# - the key server has decided to enable MACsec +# 0: Replay protection disabled (default) +# 1: Replay protection enabled +# +# macsec_replay_window: IEEE 802.1X/MACsec replay protection window +# This determines a window in which replay is tolerated, to allow receipt +# of frames that have been misordered by the network. +# This setting applies only when MACsec replay protection active, i.e., +# - macsec_replay_protect is enabled +# - the key server has decided to enable MACsec +# 0: No replay window, strict check (default) +# 1..2^32-1: number of packets that could be misordered +# +# macsec_port: IEEE 802.1X/MACsec port +# Port component of the SCI +# Range: 1-65534 (default: 1) +# +# mka_priority (Priority of MKA Actor) +# Range: 0..255 (default: 255) +# +# mka_cak, mka_ckn, and mka_priority: IEEE 802.1X/MACsec pre-shared key mode +# This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair. +# In this mode, instances of hostapd can act as MACsec peers. The peer +# with lower priority will become the key server and start distributing SAKs. 
+# mka_cak (CAK = Secure Connectivity Association Key) takes a 16-byte (128-bit) +# hex-string (32 hex-digits) or a 32-byte (256-bit) hex-string (64 hex-digits) +# mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit) hex-string +# (2..64 hex-digits) + ##### Integrated EAP server ################################################### # Optionally, hostapd can be configured to use an integrated EAP server @@ -912,6 +977,23 @@ eap_server=0 # Passphrase for private key #private_key_passwd=secret passphrase +# An alternative server certificate and private key can be configured with the +# following parameters (with values just like the parameters above without the +# '2' suffix). The ca_cert file (in PEM encoding) is used to add the trust roots +# for both server certificates and/or client certificates). +# +# The main use case for this alternative server certificate configuration is to +# enable both RSA and ECC public keys. The server will pick which one to use +# based on the client preferences for the cipher suite (in the TLS ClientHello +# message). It should be noted that number of deployed EAP peer implementations +# do not filter out the cipher suite list based on their local configuration and +# as such, configuration of alternative types of certificates on the server may +# result in interoperability issues. +#server_cert2=/etc/hostapd.server-ecc.pem +#private_key2=/etc/hostapd.server-ecc.prv +#private_key_passwd2=secret passphrase + + # Server identity # EAP methods that provide mechanism for authenticated server identity delivery # use this value. If not set, "hostapd" is used as a default. 
@@ -1109,10 +1191,27 @@ eap_server=0 # (or fewer) of the lifetime remains. #pac_key_refresh_time=86400 +# EAP-TEAP authentication type +# 0 = inner EAP (default) +# 1 = Basic-Password-Auth +#eap_teap_auth=0 + +# EAP-TEAP authentication behavior when using PAC +# 0 = perform inner authentication (default) +# 1 = skip inner authentication (inner EAP/Basic-Password-Auth) +#eap_teap_pac_no_inner=0 + # EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND # (default: 0 = disabled). #eap_sim_aka_result_ind=1 +# EAP-SIM and EAP-AKA identity options +# 0 = do not use pseudonyms or fast reauthentication +# 1 = use pseudonyms, but not fast reauthentication +# 2 = do not use pseudonyms, but use fast reauthentication +# 3 = use pseudonyms and use fast reauthentication (default) +#eap_sim_id=3 + # Trusted Network Connect (TNC) # If enabled, TNC validation will be required before the peer is allowed to # connect. Note: This is only used with EAP-TTLS and EAP-FAST. If any other @@ -1292,6 +1391,17 @@ own_ip_addr=127.0.0.1 # Operator-Name = "Operator" #radius_acct_req_attr=126:s:Operator +# If SQLite support is included, path to a database from which additional +# RADIUS request attributes are extracted based on the station MAC address. +# +# The schema for the radius_attributes table is: +# id | sta | reqtype | attr : multi-key (sta, reqtype) +# id = autonumber +# sta = station MAC address in `11:22:33:44:55:66` format. +# type = `auth` | `acct` | NULL (match any) +# attr = existing config file format, e.g. `126:s:Test Operator` +#radius_req_attr_sqlite=radius_attr.sqlite + # Dynamic Authorization Extensions (RFC 5176) # This mechanism can be used to allow dynamic changes to user session based on # commands from a RADIUS server (or some other disconnect client that has the 
@@ -2491,6 +2601,42 @@ own_ip_addr=127.0.0.1 # as a radio measurement even if the request doesn't contain a max age element # that allows sending of such data. Default: 0. #stationary_ap=0 + +##### Airtime policy configuration ########################################### + +# Set the airtime policy operating mode: +# 0 = disabled (default) +# 1 = static config +# 2 = per-BSS dynamic config +# 3 = per-BSS limit mode +#airtime_mode=0 + +# Interval (in milliseconds) to poll the kernel for updated station activity in +# dynamic and limit modes +#airtime_update_interval=200 + +# Static configuration of station weights (when airtime_mode=1). Kernel default +# weight is 256; set higher for larger airtime share, lower for smaller share. +# Each entry is a MAC address followed by a weight. +#airtime_sta_weight=02:01:02:03:04:05 256 +#airtime_sta_weight=02:01:02:03:04:06 512 + +# Per-BSS airtime weight. In multi-BSS mode, set for each BSS and hostapd will +# configure station weights to enforce the correct ratio between BSS weights +# depending on the number of active stations. The *ratios* between different +# BSSes is what's important, not the absolute numbers. +# Must be set for all BSSes if airtime_mode=2 or 3, has no effect otherwise. +#airtime_bss_weight=1 + +# Whether the current BSS should be limited (when airtime_mode=3). +# +# If set, the BSS weight ratio will be applied in the case where the current BSS +# would exceed the share defined by the BSS weight ratio. E.g., if two BSSes are +# set to the same weights, and one is set to limited, the limited BSS will get +# no more than half the available airtime, but if the non-limited BSS has more +# stations active, that *will* be allowed to exceed its half of the available +# airtime. 
+#airtime_bss_limit=1 ##### TESTING OPTIONS ######################################################### # Modified: stable/11/contrib/wpa/hostapd/hostapd_cli.c ============================================================================== --- stable/11/contrib/wpa/hostapd/hostapd_cli.c Thu Aug 29 18:53:00 2019 (r351610) +++ stable/11/contrib/wpa/hostapd/hostapd_cli.c Thu Aug 29 19:13:27 2019 (r351611) @@ -1214,6 +1214,13 @@ static int hostapd_cli_cmd_disable(struct wpa_ctrl *ct } +static int hostapd_cli_cmd_update_beacon(struct wpa_ctrl *ctrl, int argc, + char *argv[]) +{ + return wpa_ctrl_command(ctrl, "UPDATE_BEACON"); +} + + static int hostapd_cli_cmd_vendor(struct wpa_ctrl *ctrl, int argc, char *argv[]) { char cmd[256]; @@ -1617,6 +1624,8 @@ static const struct hostapd_cli_cmd hostapd_cli_comman "= reload configuration for current interface" }, { "disable", hostapd_cli_cmd_disable, NULL, "= disable hostapd on current interface" }, + { "update_beacon", hostapd_cli_cmd_update_beacon, NULL, + "= update Beacon frame contents\n"}, { "erp_flush", hostapd_cli_cmd_erp_flush, NULL, "= drop all ERP keys"}, { "log_level", hostapd_cli_cmd_log_level, NULL, Modified: stable/11/contrib/wpa/hostapd/main.c ============================================================================== --- stable/11/contrib/wpa/hostapd/main.c Thu Aug 29 18:53:00 2019 (r351610) +++ stable/11/contrib/wpa/hostapd/main.c Thu Aug 29 19:13:27 2019 (r351611) @@ -653,6 +653,9 @@ int main(int argc, char *argv[]) int start_ifaces_in_sync = 0; char **if_names = NULL; size_t if_names_size = 0; +#ifdef CONFIG_DPP + struct dpp_global_config dpp_conf; +#endif /* CONFIG_DPP */ if (os_program_init()) return -1; 
@@ -672,7 +675,9 @@ int main(int argc, char *argv[]) dl_list_init(&interfaces.eth_p_oui); #endif /* CONFIG_ETH_P_OUI */ #ifdef CONFIG_DPP - interfaces.dpp = dpp_global_init(); + os_memset(&dpp_conf, 0, sizeof(dpp_conf)); + /* TODO: dpp_conf.msg_ctx? */ + interfaces.dpp = dpp_global_init(&dpp_conf); if (!interfaces.dpp) return -1; #endif /* CONFIG_DPP */ Modified: stable/11/contrib/wpa/hs20/client/osu_client.c ============================================================================== --- stable/11/contrib/wpa/hs20/client/osu_client.c Thu Aug 29 18:53:00 2019 (r351610) +++ stable/11/contrib/wpa/hs20/client/osu_client.c Thu Aug 29 19:13:27 2019 (r351611) @@ -1588,6 +1588,7 @@ static void set_pps_cred_digital_cert(struct hs20_osu_ xml_node_t *node, const char *fqdn) { char buf[200], dir[200]; + int res; wpa_printf(MSG_INFO, "- Credential/DigitalCertificate"); @@ -1599,14 +1600,20 @@ static void set_pps_cred_digital_cert(struct hs20_osu_ wpa_printf(MSG_INFO, "Failed to set username"); } - snprintf(buf, sizeof(buf), "%s/SP/%s/client-cert.pem", dir, fqdn); + res = os_snprintf(buf, sizeof(buf), "%s/SP/%s/client-cert.pem", dir, + fqdn); + if (os_snprintf_error(sizeof(buf), res)) + return; if (os_file_exists(buf)) { if (set_cred_quoted(ctx->ifname, id, "client_cert", buf) < 0) { wpa_printf(MSG_INFO, "Failed to set client_cert"); } } - snprintf(buf, sizeof(buf), "%s/SP/%s/client-key.pem", dir, fqdn); + res = os_snprintf(buf, sizeof(buf), "%s/SP/%s/client-key.pem", dir, + fqdn); + if (os_snprintf_error(sizeof(buf), res)) + return; if (os_file_exists(buf)) { if (set_cred_quoted(ctx->ifname, id, "private_key", buf) < 0) { wpa_printf(MSG_INFO, "Failed to set private_key"); @@ -1620,6 +1627,7 @@ static void set_pps_cred_realm(struct hs20_osu_client { char *str = xml_node_get_text(ctx->xml, node); char buf[200], dir[200]; + int res; if (str == NULL) return; 
@@ -1634,7 +1642,9 @@ static void set_pps_cred_realm(struct hs20_osu_client if (getcwd(dir, sizeof(dir)) == NULL) return; - snprintf(buf, sizeof(buf), "%s/SP/%s/aaa-ca.pem", dir, fqdn); + res = os_snprintf(buf, sizeof(buf), "%s/SP/%s/aaa-ca.pem", dir, fqdn); + if (os_snprintf_error(sizeof(buf), res)) + return; if (os_file_exists(buf)) { if (set_cred_quoted(ctx->ifname, id, "ca_cert", buf) < 0) { wpa_printf(MSG_INFO, "Failed to set CA cert"); @@ -2717,6 +2727,8 @@ static int cmd_pol_upd(struct hs20_osu_client *ctx, co if (!pps_fname) { char buf[256]; + int res; + wpa_printf(MSG_INFO, "Determining PPS file based on Home SP information"); if (address && os_strncmp(address, "fqdn=", 5) == 0) { wpa_printf(MSG_INFO, "Use requested FQDN from command line"); @@ -2737,8 +2749,13 @@ static int cmd_pol_upd(struct hs20_osu_client *ctx, co "SP/%s/pps.xml", ctx->fqdn); pps_fname = pps_fname_buf; - os_snprintf(ca_fname_buf, sizeof(ca_fname_buf), "SP/%s/ca.pem", - buf); + res = os_snprintf(ca_fname_buf, sizeof(ca_fname_buf), + "SP/%s/ca.pem", buf); + if (os_snprintf_error(sizeof(ca_fname_buf), res)) { + os_free(ctx->fqdn); + ctx->fqdn = NULL; + return -1; + } ca_fname = ca_fname_buf; } Modified: stable/11/contrib/wpa/src/ap/accounting.c ============================================================================== --- stable/11/contrib/wpa/src/ap/accounting.c Thu Aug 29 18:53:00 2019 (r351610) +++ stable/11/contrib/wpa/src/ap/accounting.c Thu Aug 29 19:13:27 2019 (r351611) 
@@ -97,6 +97,9 @@ static struct radius_msg * accounting_msg(struct hosta msg) < 0) goto fail; + if (sta && add_sqlite_radius_attr(hapd, sta, msg, 1) < 0) + goto fail; + if (sta) { for (i = 0; ; i++) { val = ieee802_1x_get_radius_class(sta->eapol_sm, &len, Modified: stable/11/contrib/wpa/src/ap/acs.c ============================================================================== --- stable/11/contrib/wpa/src/ap/acs.c Thu Aug 29 18:53:00 2019 (r351610) +++ stable/11/contrib/wpa/src/ap/acs.c Thu Aug 29 19:13:27 2019 (r351611) @@ -594,12 +594,12 @@ acs_find_ideal_chan(struct hostapd_iface *iface) iface->conf->secondary_channel) n_chans = 2; - if (iface->conf->ieee80211ac) { - switch (iface->conf->vht_oper_chwidth) { - case VHT_CHANWIDTH_80MHZ: + if (iface->conf->ieee80211ac || iface->conf->ieee80211ax) { + switch (hostapd_get_oper_chwidth(iface->conf)) { + case CHANWIDTH_80MHZ: n_chans = 4; break; - case VHT_CHANWIDTH_160MHZ: + case CHANWIDTH_160MHZ: n_chans = 8; break; } @@ -607,7 +607,7 @@ acs_find_ideal_chan(struct hostapd_iface *iface) bw = num_chan_to_bw(n_chans); - /* TODO: VHT80+80. Update acs_adjust_vht_center_freq() too. */ + /* TODO: VHT/HE80+80. Update acs_adjust_center_freq() too. */ wpa_printf(MSG_DEBUG, "ACS: Survey analysis for selected bandwidth %d MHz", bw); @@ -647,9 +647,9 @@ acs_find_ideal_chan(struct hostapd_iface *iface) } if (iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A && - iface->conf->ieee80211ac) { - if (iface->conf->vht_oper_chwidth == *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
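Review bot: In the first hostapd/config.c hunk (@@ -2605), `eap_teap_pac_no_inner` is stored with a bare `bss->eap_teap_pac_no_inner = atoi(pos);` and never range-checked, while `eap_teap_auth` two branches above rejects anything outside 0..1 with a `Line %d: Invalid ...` error. The hostapd.conf text in this same commit documents the parameter as 0 or 1, so apply the same `val < 0 || val > 1` check and error message rather than accepting arbitrary integers.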
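Review bot: The @@ -2613 hunk adds `bss->eap_sim_id = atoi(pos);` with no validation, although the hostapd.conf hunk below defines only values 0..3 for `eap_sim_id`. Reject other values at parse time (as `eap_teap_auth` and `airtime_mode` do in this file) so a typo in the config is reported on the offending line instead of silently producing undefined identity behaviour.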
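Review bot: Two points in the @@ -4349 hunk (airtime and MACsec parameters). First, `bss->macsec_replay_window = atoi(pos);` cannot represent the documented range `0..2^32-1`: `atoi()` returns an `int`, so values above 2^31-1 overflow and negative values are accepted without complaint; parse with `strtoul()` and range-check, as the neighbouring `macsec_port` and `mka_priority` branches do for their ranges. Second, the `mka_ckn` branch returns `-1` when `hexstr2bin()` fails, whereas the length check a few lines earlier and every other error path in `hostapd_config_fill()` return `1`; make it `return 1;` so the caller sees a consistent error code.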
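Review bot: In the hostapd/ctrl_iface.c @@ -1830 hunk, `hostapd_data_test_rx()` no longer ties `ip.tot_len` to the received frame length. `ntohs(ip.tot_len)` is only checked against `HWSIM_IP_LEN`, so a frame with `tot_len < sizeof(ip)` makes `ntohs(ip.tot_len) - sizeof(ip)` wrap to a huge `size_t` bound, and a `tot_len` larger than `len - sizeof(*eth)` lets the payload loop read `*pos` past the end of `buf`. Extend the reject condition with `ntohs(ip.tot_len) < sizeof(ip) || sizeof(*eth) + ntohs(ip.tot_len) > len`. Minor: the debug string reads "ignore unexpect IP header" and should be "unexpected".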
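Review bot: The new EAP-TEAP note in hostapd/defconfig (@@ -108) has a few grammar slips that should be fixed before it ships as user-facing documentation: "has number of conflicting statements" should read "has a number of conflicting statements", and "until those issues has been resolved" should read "until those issues have been resolved".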
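Review bot: The `update_beacon` entry added in hostapd_cli.c (@@ -1617) ends its help string with `\n` ("= update Beacon frame contents\n") while the surrounding entries (`disable`, `erp_flush`, `log_level`) do not; drop the trailing newline so the help output stays uniformly formatted.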
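Review bot: The `radius_req_attr_sqlite` documentation added to hostapd.conf (@@ -1292) lists the schema as `id | sta | reqtype | attr` but the per-column explanation immediately below describes a column named `type`; the names should match so an administrator can create the table from the description. It would also help to state that a `NULL` type matches both `auth` and `acct` requests, which is what "match any" implies.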
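Review bot: In hostapd/main.c (@@ -672), the hunk ships a zeroed `dpp_conf` together with the leftover comment `/* TODO: dpp_conf.msg_ctx? */`, so DPP is initialised with a NULL `msg_ctx`. Either resolve the TODO (pass the interfaces' message context) or replace the comment with a statement of why NULL is acceptable here, so the open question does not linger in a stable branch.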
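Review bot: The `os_snprintf_error()` checks added in hs20/client/osu_client.c (@@ -1599, and likewise the `aaa-ca.pem` path in @@ -1634) return silently on truncation, whereas every other failure in `set_pps_cred_digital_cert()` is reported with `wpa_printf(MSG_INFO, "Failed to set ...")`. Log the truncated path (or at least the fqdn) before returning, otherwise a too-long `fqdn` simply results in credentials missing from the configuration with nothing in the log to explain why.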
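Review bot: In src/ap/accounting.c (@@ -97), `add_sqlite_radius_attr(hapd, sta, msg, 1)` passes an unexplained literal for the request type; the hostapd.conf text in this commit describes the types as `auth` and `acct`, so a named constant or a short comment (`/* 1 = accounting request */`) would make the call self-describing. The new `if (sta && ...)` guard could also be folded into the `if (sta) {` block that immediately follows instead of repeating the `sta` test.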