Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 29 Aug 2019 19:13:28 +0000 (UTC)
From:      Cy Schubert <cy@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r351611 - in stable: 11/contrib/wpa/hostapd 11/contrib/wpa/hs20/client 11/contrib/wpa/src/ap 11/contrib/wpa/src/common 11/contrib/wpa/src/crypto 11/contrib/wpa/src/drivers 11/contrib/wp...
Message-ID:  <201908291913.x7TJDSK8083970@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: cy
Date: Thu Aug 29 19:13:27 2019
New Revision: 351611
URL: https://svnweb.freebsd.org/changeset/base/351611

Log:
  MFC r351397:
  
  MFV r346563:
  
  Update wpa 2.8 --> 2.9
  
  hostapd:
  * SAE changes
    - disable use of groups using Brainpool curves
    - improved protection against side channel attacks
    [https://w1.fi/security/2019-6/]
  * EAP-pwd changes
    - disable use of groups using Brainpool curves
    - improved protection against side channel attacks
    [https://w1.fi/security/2019-6/]
  * fixed FT-EAP initial mobility domain association using PMKSA caching
  * added configuration of airtime policy
  * fixed FILS to and RSNE into (Re)Association Response frames
  * fixed DPP bootstrapping URI parser of channel list
  * added support for regulatory WMM limitation (for ETSI)
  * added support for MACsec Key Agreement using IEEE 802.1X/PSK
  * added experimental support for EAP-TEAP server (RFC 7170)
  * added experimental support for EAP-TLS server with TLS v1.3
  * added support for two server certificates/keys (RSA/ECC)
  * added AKMSuiteSelector into "STA <addr>" control interface data to
    determine with AKM was used for an association
  * added eap_sim_id parameter to allow EAP-SIM/AKA server pseudonym and
    fast reauthentication use to be disabled
  * fixed an ECDH operation corner case with OpenSSL
  
  wpa_supplicant:
  * SAE changes
    - disable use of groups using Brainpool curves
    - improved protection against side channel attacks
    [https://w1.fi/security/2019-6/]
  * EAP-pwd changes
    - disable use of groups using Brainpool curves
    - allow the set of groups to be configured (eap_pwd_groups)
    - improved protection against side channel attacks
    [https://w1.fi/security/2019-6/]
  * fixed FT-EAP initial mobility domain association using PMKSA caching
    (disabled by default for backwards compatibility; can be enabled
    with ft_eap_pmksa_caching=1)
  * fixed a regression in OpenSSL 1.1+ engine loading
  * added validation of RSNE in (Re)Association Response frames
  * fixed DPP bootstrapping URI parser of channel list
  * extended EAP-SIM/AKA fast re-authentication to allow use with FILS
  * extended ca_cert_blob to support PEM format
  * improved robustness of P2P Action frame scheduling
  * added support for EAP-SIM/AKA using anonymous@realm identity
  * fixed Hotspot 2.0 credential selection based on roaming consortium
    to ignore credentials without a specific EAP method
  * added experimental support for EAP-TEAP peer (RFC 7170)
  * added experimental support for EAP-TLS peer with TLS v1.3
  * fixed a regression in WMM parameter configuration for a TDLS peer
  * fixed a regression in operation with drivers that offload 802.1X
    4-way handshake
  * fixed an ECDH operation corner case with OpenSSL
  
  Security:       https://w1.fi/security/2019-6/\
                  sae-eap-pwd-side-channel-attack-update.txt

Added:
  stable/11/contrib/wpa/src/ap/airtime_policy.c
     - copied unchanged from r351397, head/contrib/wpa/src/ap/airtime_policy.c
  stable/11/contrib/wpa/src/ap/airtime_policy.h
     - copied unchanged from r351397, head/contrib/wpa/src/ap/airtime_policy.h
  stable/11/contrib/wpa/src/ap/wpa_auth_kay.c
     - copied unchanged from r351397, head/contrib/wpa/src/ap/wpa_auth_kay.c
  stable/11/contrib/wpa/src/ap/wpa_auth_kay.h
     - copied unchanged from r351397, head/contrib/wpa/src/ap/wpa_auth_kay.h
  stable/11/contrib/wpa/src/common/dragonfly.c
     - copied unchanged from r351397, head/contrib/wpa/src/common/dragonfly.c
  stable/11/contrib/wpa/src/common/dragonfly.h
     - copied unchanged from r351397, head/contrib/wpa/src/common/dragonfly.h
  stable/11/contrib/wpa/src/drivers/driver_atheros.c
     - copied unchanged from r351397, head/contrib/wpa/src/drivers/driver_atheros.c
  stable/11/contrib/wpa/src/drivers/driver_hostap.c
     - copied unchanged from r351397, head/contrib/wpa/src/drivers/driver_hostap.c
  stable/11/contrib/wpa/src/drivers/nl80211_copy.h
     - copied unchanged from r351397, head/contrib/wpa/src/drivers/nl80211_copy.h
  stable/11/contrib/wpa/src/eap_common/eap_teap_common.c
     - copied unchanged from r351397, head/contrib/wpa/src/eap_common/eap_teap_common.c
  stable/11/contrib/wpa/src/eap_common/eap_teap_common.h
     - copied unchanged from r351397, head/contrib/wpa/src/eap_common/eap_teap_common.h
  stable/11/contrib/wpa/src/eap_peer/eap_teap.c
     - copied unchanged from r351397, head/contrib/wpa/src/eap_peer/eap_teap.c
  stable/11/contrib/wpa/src/eap_peer/eap_teap_pac.c
     - copied unchanged from r351397, head/contrib/wpa/src/eap_peer/eap_teap_pac.c
  stable/11/contrib/wpa/src/eap_peer/eap_teap_pac.h
     - copied unchanged from r351397, head/contrib/wpa/src/eap_peer/eap_teap_pac.h
  stable/11/contrib/wpa/src/eap_server/eap_server_teap.c
     - copied unchanged from r351397, head/contrib/wpa/src/eap_server/eap_server_teap.c
Modified:
  stable/11/contrib/wpa/hostapd/ChangeLog
  stable/11/contrib/wpa/hostapd/config_file.c
  stable/11/contrib/wpa/hostapd/ctrl_iface.c
  stable/11/contrib/wpa/hostapd/defconfig
  stable/11/contrib/wpa/hostapd/eap_register.c
  stable/11/contrib/wpa/hostapd/hostapd.conf
  stable/11/contrib/wpa/hostapd/hostapd_cli.c
  stable/11/contrib/wpa/hostapd/main.c
  stable/11/contrib/wpa/hs20/client/osu_client.c
  stable/11/contrib/wpa/src/ap/accounting.c
  stable/11/contrib/wpa/src/ap/acs.c
  stable/11/contrib/wpa/src/ap/ap_config.c
  stable/11/contrib/wpa/src/ap/ap_config.h
  stable/11/contrib/wpa/src/ap/ap_drv_ops.c
  stable/11/contrib/wpa/src/ap/ap_drv_ops.h
  stable/11/contrib/wpa/src/ap/authsrv.c
  stable/11/contrib/wpa/src/ap/beacon.c
  stable/11/contrib/wpa/src/ap/ctrl_iface_ap.c
  stable/11/contrib/wpa/src/ap/dfs.c
  stable/11/contrib/wpa/src/ap/dpp_hostapd.c
  stable/11/contrib/wpa/src/ap/dpp_hostapd.h
  stable/11/contrib/wpa/src/ap/drv_callbacks.c
  stable/11/contrib/wpa/src/ap/gas_serv.c
  stable/11/contrib/wpa/src/ap/gas_serv.h
  stable/11/contrib/wpa/src/ap/hostapd.c
  stable/11/contrib/wpa/src/ap/hostapd.h
  stable/11/contrib/wpa/src/ap/hw_features.c
  stable/11/contrib/wpa/src/ap/ieee802_11.c
  stable/11/contrib/wpa/src/ap/ieee802_11.h
  stable/11/contrib/wpa/src/ap/ieee802_11_he.c
  stable/11/contrib/wpa/src/ap/ieee802_11_vht.c
  stable/11/contrib/wpa/src/ap/ieee802_1x.c
  stable/11/contrib/wpa/src/ap/ieee802_1x.h
  stable/11/contrib/wpa/src/ap/neighbor_db.c
  stable/11/contrib/wpa/src/ap/sta_info.c
  stable/11/contrib/wpa/src/ap/sta_info.h
  stable/11/contrib/wpa/src/ap/wmm.c
  stable/11/contrib/wpa/src/ap/wpa_auth.c
  stable/11/contrib/wpa/src/ap/wpa_auth.h
  stable/11/contrib/wpa/src/ap/wpa_auth_ft.c
  stable/11/contrib/wpa/src/ap/wpa_auth_glue.c
  stable/11/contrib/wpa/src/ap/wpa_auth_ie.c
  stable/11/contrib/wpa/src/common/dpp.c
  stable/11/contrib/wpa/src/common/dpp.h
  stable/11/contrib/wpa/src/common/hw_features_common.c
  stable/11/contrib/wpa/src/common/hw_features_common.h
  stable/11/contrib/wpa/src/common/ieee802_11_common.c
  stable/11/contrib/wpa/src/common/ieee802_11_common.h
  stable/11/contrib/wpa/src/common/ieee802_11_defs.h
  stable/11/contrib/wpa/src/common/qca-vendor.h
  stable/11/contrib/wpa/src/common/sae.c
  stable/11/contrib/wpa/src/common/sae.h
  stable/11/contrib/wpa/src/common/version.h
  stable/11/contrib/wpa/src/common/wpa_common.c
  stable/11/contrib/wpa/src/common/wpa_ctrl.h
  stable/11/contrib/wpa/src/crypto/aes_i.h
  stable/11/contrib/wpa/src/crypto/crypto.h
  stable/11/contrib/wpa/src/crypto/crypto_openssl.c
  stable/11/contrib/wpa/src/crypto/crypto_wolfssl.c
  stable/11/contrib/wpa/src/crypto/sha1-internal.c
  stable/11/contrib/wpa/src/crypto/sha1-prf.c
  stable/11/contrib/wpa/src/crypto/sha1-tlsprf.c
  stable/11/contrib/wpa/src/crypto/sha1-tprf.c
  stable/11/contrib/wpa/src/crypto/sha1.c
  stable/11/contrib/wpa/src/crypto/sha256-kdf.c
  stable/11/contrib/wpa/src/crypto/sha256-prf.c
  stable/11/contrib/wpa/src/crypto/sha256-tlsprf.c
  stable/11/contrib/wpa/src/crypto/sha256.h
  stable/11/contrib/wpa/src/crypto/sha384-kdf.c
  stable/11/contrib/wpa/src/crypto/sha384-prf.c
  stable/11/contrib/wpa/src/crypto/sha512-kdf.c
  stable/11/contrib/wpa/src/crypto/sha512-prf.c
  stable/11/contrib/wpa/src/crypto/tls.h
  stable/11/contrib/wpa/src/crypto/tls_openssl.c
  stable/11/contrib/wpa/src/crypto/tls_wolfssl.c
  stable/11/contrib/wpa/src/drivers/driver.h
  stable/11/contrib/wpa/src/drivers/driver_bsd.c
  stable/11/contrib/wpa/src/drivers/driver_common.c
  stable/11/contrib/wpa/src/drivers/driver_macsec_linux.c
  stable/11/contrib/wpa/src/drivers/driver_macsec_qca.c
  stable/11/contrib/wpa/src/drivers/driver_ndis.c
  stable/11/contrib/wpa/src/drivers/driver_nl80211.h
  stable/11/contrib/wpa/src/drivers/driver_nl80211_capa.c
  stable/11/contrib/wpa/src/drivers/driver_nl80211_event.c
  stable/11/contrib/wpa/src/drivers/driver_privsep.c
  stable/11/contrib/wpa/src/eap_common/eap_defs.h
  stable/11/contrib/wpa/src/eap_common/eap_pwd_common.c
  stable/11/contrib/wpa/src/eap_common/eap_sim_common.c
  stable/11/contrib/wpa/src/eap_common/eap_sim_common.h
  stable/11/contrib/wpa/src/eap_peer/eap.c
  stable/11/contrib/wpa/src/eap_peer/eap.h
  stable/11/contrib/wpa/src/eap_peer/eap_aka.c
  stable/11/contrib/wpa/src/eap_peer/eap_config.h
  stable/11/contrib/wpa/src/eap_peer/eap_eke.c
  stable/11/contrib/wpa/src/eap_peer/eap_leap.c
  stable/11/contrib/wpa/src/eap_peer/eap_methods.h
  stable/11/contrib/wpa/src/eap_peer/eap_peap.c
  stable/11/contrib/wpa/src/eap_peer/eap_pwd.c
  stable/11/contrib/wpa/src/eap_peer/eap_sim.c
  stable/11/contrib/wpa/src/eap_peer/eap_tls.c
  stable/11/contrib/wpa/src/eap_peer/eap_tls_common.c
  stable/11/contrib/wpa/src/eap_peer/eap_tls_common.h
  stable/11/contrib/wpa/src/eap_server/eap.h
  stable/11/contrib/wpa/src/eap_server/eap_i.h
  stable/11/contrib/wpa/src/eap_server/eap_methods.h
  stable/11/contrib/wpa/src/eap_server/eap_server.c
  stable/11/contrib/wpa/src/eap_server/eap_server_aka.c
  stable/11/contrib/wpa/src/eap_server/eap_server_pax.c
  stable/11/contrib/wpa/src/eap_server/eap_server_peap.c
  stable/11/contrib/wpa/src/eap_server/eap_server_pwd.c
  stable/11/contrib/wpa/src/eap_server/eap_server_sim.c
  stable/11/contrib/wpa/src/eap_server/eap_server_tls.c
  stable/11/contrib/wpa/src/eap_server/eap_server_tls_common.c
  stable/11/contrib/wpa/src/eap_server/eap_tls_common.h
  stable/11/contrib/wpa/src/eapol_auth/eapol_auth_sm.c
  stable/11/contrib/wpa/src/eapol_auth/eapol_auth_sm.h
  stable/11/contrib/wpa/src/eapol_supp/eapol_supp_sm.c
  stable/11/contrib/wpa/src/eapol_supp/eapol_supp_sm.h
  stable/11/contrib/wpa/src/p2p/p2p.c
  stable/11/contrib/wpa/src/p2p/p2p_go_neg.c
  stable/11/contrib/wpa/src/p2p/p2p_i.h
  stable/11/contrib/wpa/src/pae/ieee802_1x_kay.c
  stable/11/contrib/wpa/src/radius/radius_server.c
  stable/11/contrib/wpa/src/radius/radius_server.h
  stable/11/contrib/wpa/src/rsn_supp/wpa.c
  stable/11/contrib/wpa/src/rsn_supp/wpa.h
  stable/11/contrib/wpa/src/rsn_supp/wpa_ft.c
  stable/11/contrib/wpa/src/rsn_supp/wpa_i.h
  stable/11/contrib/wpa/src/tls/asn1.c
  stable/11/contrib/wpa/src/tls/libtommath.c
  stable/11/contrib/wpa/src/tls/x509v3.c
  stable/11/contrib/wpa/src/utils/common.c
  stable/11/contrib/wpa/src/utils/common.h
  stable/11/contrib/wpa/src/utils/trace.c
  stable/11/contrib/wpa/src/utils/wpa_debug.c
  stable/11/contrib/wpa/src/wps/wps.h
  stable/11/contrib/wpa/wpa_supplicant/Android.mk
  stable/11/contrib/wpa/wpa_supplicant/ChangeLog
  stable/11/contrib/wpa/wpa_supplicant/README-DPP
  stable/11/contrib/wpa/wpa_supplicant/ap.c
  stable/11/contrib/wpa/wpa_supplicant/ap.h
  stable/11/contrib/wpa/wpa_supplicant/bss.c
  stable/11/contrib/wpa/wpa_supplicant/config.c
  stable/11/contrib/wpa/wpa_supplicant/config.h
  stable/11/contrib/wpa/wpa_supplicant/config_file.c
  stable/11/contrib/wpa/wpa_supplicant/config_ssid.h
  stable/11/contrib/wpa/wpa_supplicant/ctrl_iface.c
  stable/11/contrib/wpa/wpa_supplicant/dbus/dbus_new_helpers.c
  stable/11/contrib/wpa/wpa_supplicant/defconfig
  stable/11/contrib/wpa/wpa_supplicant/dpp_supplicant.c
  stable/11/contrib/wpa/wpa_supplicant/dpp_supplicant.h
  stable/11/contrib/wpa/wpa_supplicant/driver_i.h
  stable/11/contrib/wpa/wpa_supplicant/eap_register.c
  stable/11/contrib/wpa/wpa_supplicant/eapol_test.c
  stable/11/contrib/wpa/wpa_supplicant/events.c
  stable/11/contrib/wpa/wpa_supplicant/ibss_rsn.c
  stable/11/contrib/wpa/wpa_supplicant/interworking.c
  stable/11/contrib/wpa/wpa_supplicant/mesh.c
  stable/11/contrib/wpa/wpa_supplicant/mesh_mpm.c
  stable/11/contrib/wpa/wpa_supplicant/notify.c
  stable/11/contrib/wpa/wpa_supplicant/notify.h
  stable/11/contrib/wpa/wpa_supplicant/op_classes.c
  stable/11/contrib/wpa/wpa_supplicant/p2p_supplicant.c
  stable/11/contrib/wpa/wpa_supplicant/preauth_test.c
  stable/11/contrib/wpa/wpa_supplicant/rrm.c
  stable/11/contrib/wpa/wpa_supplicant/sme.c
  stable/11/contrib/wpa/wpa_supplicant/wnm_sta.c
  stable/11/contrib/wpa/wpa_supplicant/wpa_cli.c
  stable/11/contrib/wpa/wpa_supplicant/wpa_supplicant.c
  stable/11/contrib/wpa/wpa_supplicant/wpa_supplicant.conf
  stable/11/contrib/wpa/wpa_supplicant/wpa_supplicant_i.h
  stable/11/contrib/wpa/wpa_supplicant/wpas_glue.c
Directory Properties:
  stable/11/   (props changed)

Changes in other areas also in this revision:
Added:
  stable/12/contrib/wpa/src/ap/airtime_policy.c
     - copied unchanged from r351397, head/contrib/wpa/src/ap/airtime_policy.c
  stable/12/contrib/wpa/src/ap/airtime_policy.h
     - copied unchanged from r351397, head/contrib/wpa/src/ap/airtime_policy.h
  stable/12/contrib/wpa/src/ap/wpa_auth_kay.c
     - copied unchanged from r351397, head/contrib/wpa/src/ap/wpa_auth_kay.c
  stable/12/contrib/wpa/src/ap/wpa_auth_kay.h
     - copied unchanged from r351397, head/contrib/wpa/src/ap/wpa_auth_kay.h
  stable/12/contrib/wpa/src/common/dragonfly.c
     - copied unchanged from r351397, head/contrib/wpa/src/common/dragonfly.c
  stable/12/contrib/wpa/src/common/dragonfly.h
     - copied unchanged from r351397, head/contrib/wpa/src/common/dragonfly.h
  stable/12/contrib/wpa/src/drivers/driver_atheros.c
     - copied unchanged from r351397, head/contrib/wpa/src/drivers/driver_atheros.c
  stable/12/contrib/wpa/src/drivers/driver_hostap.c
     - copied unchanged from r351397, head/contrib/wpa/src/drivers/driver_hostap.c
  stable/12/contrib/wpa/src/drivers/nl80211_copy.h
     - copied unchanged from r351397, head/contrib/wpa/src/drivers/nl80211_copy.h
  stable/12/contrib/wpa/src/eap_common/eap_teap_common.c
     - copied unchanged from r351397, head/contrib/wpa/src/eap_common/eap_teap_common.c
  stable/12/contrib/wpa/src/eap_common/eap_teap_common.h
     - copied unchanged from r351397, head/contrib/wpa/src/eap_common/eap_teap_common.h
  stable/12/contrib/wpa/src/eap_peer/eap_teap.c
     - copied unchanged from r351397, head/contrib/wpa/src/eap_peer/eap_teap.c
  stable/12/contrib/wpa/src/eap_peer/eap_teap_pac.c
     - copied unchanged from r351397, head/contrib/wpa/src/eap_peer/eap_teap_pac.c
  stable/12/contrib/wpa/src/eap_peer/eap_teap_pac.h
     - copied unchanged from r351397, head/contrib/wpa/src/eap_peer/eap_teap_pac.h
  stable/12/contrib/wpa/src/eap_server/eap_server_teap.c
     - copied unchanged from r351397, head/contrib/wpa/src/eap_server/eap_server_teap.c
Modified:
  stable/12/contrib/wpa/hostapd/ChangeLog
  stable/12/contrib/wpa/hostapd/config_file.c
  stable/12/contrib/wpa/hostapd/ctrl_iface.c
  stable/12/contrib/wpa/hostapd/defconfig
  stable/12/contrib/wpa/hostapd/eap_register.c
  stable/12/contrib/wpa/hostapd/hostapd.conf
  stable/12/contrib/wpa/hostapd/hostapd_cli.c
  stable/12/contrib/wpa/hostapd/main.c
  stable/12/contrib/wpa/hs20/client/osu_client.c
  stable/12/contrib/wpa/src/ap/accounting.c
  stable/12/contrib/wpa/src/ap/acs.c
  stable/12/contrib/wpa/src/ap/ap_config.c
  stable/12/contrib/wpa/src/ap/ap_config.h
  stable/12/contrib/wpa/src/ap/ap_drv_ops.c
  stable/12/contrib/wpa/src/ap/ap_drv_ops.h
  stable/12/contrib/wpa/src/ap/authsrv.c
  stable/12/contrib/wpa/src/ap/beacon.c
  stable/12/contrib/wpa/src/ap/ctrl_iface_ap.c
  stable/12/contrib/wpa/src/ap/dfs.c
  stable/12/contrib/wpa/src/ap/dpp_hostapd.c
  stable/12/contrib/wpa/src/ap/dpp_hostapd.h
  stable/12/contrib/wpa/src/ap/drv_callbacks.c
  stable/12/contrib/wpa/src/ap/gas_serv.c
  stable/12/contrib/wpa/src/ap/gas_serv.h
  stable/12/contrib/wpa/src/ap/hostapd.c
  stable/12/contrib/wpa/src/ap/hostapd.h
  stable/12/contrib/wpa/src/ap/hw_features.c
  stable/12/contrib/wpa/src/ap/ieee802_11.c
  stable/12/contrib/wpa/src/ap/ieee802_11.h
  stable/12/contrib/wpa/src/ap/ieee802_11_he.c
  stable/12/contrib/wpa/src/ap/ieee802_11_vht.c
  stable/12/contrib/wpa/src/ap/ieee802_1x.c
  stable/12/contrib/wpa/src/ap/ieee802_1x.h
  stable/12/contrib/wpa/src/ap/neighbor_db.c
  stable/12/contrib/wpa/src/ap/sta_info.c
  stable/12/contrib/wpa/src/ap/sta_info.h
  stable/12/contrib/wpa/src/ap/wmm.c
  stable/12/contrib/wpa/src/ap/wpa_auth.c
  stable/12/contrib/wpa/src/ap/wpa_auth.h
  stable/12/contrib/wpa/src/ap/wpa_auth_ft.c
  stable/12/contrib/wpa/src/ap/wpa_auth_glue.c
  stable/12/contrib/wpa/src/ap/wpa_auth_ie.c
  stable/12/contrib/wpa/src/common/dpp.c
  stable/12/contrib/wpa/src/common/dpp.h
  stable/12/contrib/wpa/src/common/hw_features_common.c
  stable/12/contrib/wpa/src/common/hw_features_common.h
  stable/12/contrib/wpa/src/common/ieee802_11_common.c
  stable/12/contrib/wpa/src/common/ieee802_11_common.h
  stable/12/contrib/wpa/src/common/ieee802_11_defs.h
  stable/12/contrib/wpa/src/common/qca-vendor.h
  stable/12/contrib/wpa/src/common/sae.c
  stable/12/contrib/wpa/src/common/sae.h
  stable/12/contrib/wpa/src/common/version.h
  stable/12/contrib/wpa/src/common/wpa_common.c
  stable/12/contrib/wpa/src/common/wpa_ctrl.h
  stable/12/contrib/wpa/src/crypto/aes_i.h
  stable/12/contrib/wpa/src/crypto/crypto.h
  stable/12/contrib/wpa/src/crypto/crypto_openssl.c
  stable/12/contrib/wpa/src/crypto/crypto_wolfssl.c
  stable/12/contrib/wpa/src/crypto/sha1-internal.c
  stable/12/contrib/wpa/src/crypto/sha1-prf.c
  stable/12/contrib/wpa/src/crypto/sha1-tlsprf.c
  stable/12/contrib/wpa/src/crypto/sha1-tprf.c
  stable/12/contrib/wpa/src/crypto/sha1.c
  stable/12/contrib/wpa/src/crypto/sha256-kdf.c
  stable/12/contrib/wpa/src/crypto/sha256-prf.c
  stable/12/contrib/wpa/src/crypto/sha256-tlsprf.c
  stable/12/contrib/wpa/src/crypto/sha256.h
  stable/12/contrib/wpa/src/crypto/sha384-kdf.c
  stable/12/contrib/wpa/src/crypto/sha384-prf.c
  stable/12/contrib/wpa/src/crypto/sha512-kdf.c
  stable/12/contrib/wpa/src/crypto/sha512-prf.c
  stable/12/contrib/wpa/src/crypto/tls.h
  stable/12/contrib/wpa/src/crypto/tls_openssl.c
  stable/12/contrib/wpa/src/crypto/tls_wolfssl.c
  stable/12/contrib/wpa/src/drivers/driver.h
  stable/12/contrib/wpa/src/drivers/driver_bsd.c
  stable/12/contrib/wpa/src/drivers/driver_common.c
  stable/12/contrib/wpa/src/drivers/driver_macsec_linux.c
  stable/12/contrib/wpa/src/drivers/driver_macsec_qca.c
  stable/12/contrib/wpa/src/drivers/driver_ndis.c
  stable/12/contrib/wpa/src/drivers/driver_nl80211.h
  stable/12/contrib/wpa/src/drivers/driver_nl80211_capa.c
  stable/12/contrib/wpa/src/drivers/driver_nl80211_event.c
  stable/12/contrib/wpa/src/drivers/driver_privsep.c
  stable/12/contrib/wpa/src/eap_common/eap_defs.h
  stable/12/contrib/wpa/src/eap_common/eap_pwd_common.c
  stable/12/contrib/wpa/src/eap_common/eap_sim_common.c
  stable/12/contrib/wpa/src/eap_common/eap_sim_common.h
  stable/12/contrib/wpa/src/eap_peer/eap.c
  stable/12/contrib/wpa/src/eap_peer/eap.h
  stable/12/contrib/wpa/src/eap_peer/eap_aka.c
  stable/12/contrib/wpa/src/eap_peer/eap_config.h
  stable/12/contrib/wpa/src/eap_peer/eap_eke.c
  stable/12/contrib/wpa/src/eap_peer/eap_leap.c
  stable/12/contrib/wpa/src/eap_peer/eap_methods.h
  stable/12/contrib/wpa/src/eap_peer/eap_peap.c
  stable/12/contrib/wpa/src/eap_peer/eap_pwd.c
  stable/12/contrib/wpa/src/eap_peer/eap_sim.c
  stable/12/contrib/wpa/src/eap_peer/eap_tls.c
  stable/12/contrib/wpa/src/eap_peer/eap_tls_common.c
  stable/12/contrib/wpa/src/eap_peer/eap_tls_common.h
  stable/12/contrib/wpa/src/eap_server/eap.h
  stable/12/contrib/wpa/src/eap_server/eap_i.h
  stable/12/contrib/wpa/src/eap_server/eap_methods.h
  stable/12/contrib/wpa/src/eap_server/eap_server.c
  stable/12/contrib/wpa/src/eap_server/eap_server_aka.c
  stable/12/contrib/wpa/src/eap_server/eap_server_pax.c
  stable/12/contrib/wpa/src/eap_server/eap_server_peap.c
  stable/12/contrib/wpa/src/eap_server/eap_server_pwd.c
  stable/12/contrib/wpa/src/eap_server/eap_server_sim.c
  stable/12/contrib/wpa/src/eap_server/eap_server_tls.c
  stable/12/contrib/wpa/src/eap_server/eap_server_tls_common.c
  stable/12/contrib/wpa/src/eap_server/eap_tls_common.h
  stable/12/contrib/wpa/src/eapol_auth/eapol_auth_sm.c
  stable/12/contrib/wpa/src/eapol_auth/eapol_auth_sm.h
  stable/12/contrib/wpa/src/eapol_supp/eapol_supp_sm.c
  stable/12/contrib/wpa/src/eapol_supp/eapol_supp_sm.h
  stable/12/contrib/wpa/src/p2p/p2p.c
  stable/12/contrib/wpa/src/p2p/p2p_go_neg.c
  stable/12/contrib/wpa/src/p2p/p2p_i.h
  stable/12/contrib/wpa/src/pae/ieee802_1x_kay.c
  stable/12/contrib/wpa/src/radius/radius_server.c
  stable/12/contrib/wpa/src/radius/radius_server.h
  stable/12/contrib/wpa/src/rsn_supp/wpa.c
  stable/12/contrib/wpa/src/rsn_supp/wpa.h
  stable/12/contrib/wpa/src/rsn_supp/wpa_ft.c
  stable/12/contrib/wpa/src/rsn_supp/wpa_i.h
  stable/12/contrib/wpa/src/tls/asn1.c
  stable/12/contrib/wpa/src/tls/libtommath.c
  stable/12/contrib/wpa/src/tls/x509v3.c
  stable/12/contrib/wpa/src/utils/common.c
  stable/12/contrib/wpa/src/utils/common.h
  stable/12/contrib/wpa/src/utils/trace.c
  stable/12/contrib/wpa/src/utils/wpa_debug.c
  stable/12/contrib/wpa/src/wps/wps.h
  stable/12/contrib/wpa/wpa_supplicant/Android.mk
  stable/12/contrib/wpa/wpa_supplicant/ChangeLog
  stable/12/contrib/wpa/wpa_supplicant/README-DPP
  stable/12/contrib/wpa/wpa_supplicant/ap.c
  stable/12/contrib/wpa/wpa_supplicant/ap.h
  stable/12/contrib/wpa/wpa_supplicant/bss.c
  stable/12/contrib/wpa/wpa_supplicant/config.c
  stable/12/contrib/wpa/wpa_supplicant/config.h
  stable/12/contrib/wpa/wpa_supplicant/config_file.c
  stable/12/contrib/wpa/wpa_supplicant/config_ssid.h
  stable/12/contrib/wpa/wpa_supplicant/ctrl_iface.c
  stable/12/contrib/wpa/wpa_supplicant/dbus/dbus_new_helpers.c
  stable/12/contrib/wpa/wpa_supplicant/defconfig
  stable/12/contrib/wpa/wpa_supplicant/dpp_supplicant.c
  stable/12/contrib/wpa/wpa_supplicant/dpp_supplicant.h
  stable/12/contrib/wpa/wpa_supplicant/driver_i.h
  stable/12/contrib/wpa/wpa_supplicant/eap_register.c
  stable/12/contrib/wpa/wpa_supplicant/eapol_test.c
  stable/12/contrib/wpa/wpa_supplicant/events.c
  stable/12/contrib/wpa/wpa_supplicant/ibss_rsn.c
  stable/12/contrib/wpa/wpa_supplicant/interworking.c
  stable/12/contrib/wpa/wpa_supplicant/mesh.c
  stable/12/contrib/wpa/wpa_supplicant/mesh_mpm.c
  stable/12/contrib/wpa/wpa_supplicant/notify.c
  stable/12/contrib/wpa/wpa_supplicant/notify.h
  stable/12/contrib/wpa/wpa_supplicant/op_classes.c
  stable/12/contrib/wpa/wpa_supplicant/p2p_supplicant.c
  stable/12/contrib/wpa/wpa_supplicant/preauth_test.c
  stable/12/contrib/wpa/wpa_supplicant/rrm.c
  stable/12/contrib/wpa/wpa_supplicant/sme.c
  stable/12/contrib/wpa/wpa_supplicant/wnm_sta.c
  stable/12/contrib/wpa/wpa_supplicant/wpa_cli.c
  stable/12/contrib/wpa/wpa_supplicant/wpa_supplicant.c
  stable/12/contrib/wpa/wpa_supplicant/wpa_supplicant.conf
  stable/12/contrib/wpa/wpa_supplicant/wpa_supplicant_i.h
  stable/12/contrib/wpa/wpa_supplicant/wpas_glue.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/11/contrib/wpa/hostapd/ChangeLog
==============================================================================
--- stable/11/contrib/wpa/hostapd/ChangeLog	Thu Aug 29 18:53:00 2019	(r351610)
+++ stable/11/contrib/wpa/hostapd/ChangeLog	Thu Aug 29 19:13:27 2019	(r351611)
@@ -1,5 +1,29 @@
 ChangeLog for hostapd
 
+2019-08-07 - v2.9
+	* SAE changes
+	  - disable use of groups using Brainpool curves
+	  - improved protection against side channel attacks
+	  [https://w1.fi/security/2019-6/]
+	* EAP-pwd changes
+	  - disable use of groups using Brainpool curves
+	  - improved protection against side channel attacks
+	  [https://w1.fi/security/2019-6/]
+	* fixed FT-EAP initial mobility domain association using PMKSA caching
+	* added configuration of airtime policy
+	* fixed FILS to and RSNE into (Re)Association Response frames
+	* fixed DPP bootstrapping URI parser of channel list
+	* added support for regulatory WMM limitation (for ETSI)
+	* added support for MACsec Key Agreement using IEEE 802.1X/PSK
+	* added experimental support for EAP-TEAP server (RFC 7170)
+	* added experimental support for EAP-TLS server with TLS v1.3
+	* added support for two server certificates/keys (RSA/ECC)
+	* added AKMSuiteSelector into "STA <addr>" control interface data to
+	  determine with AKM was used for an association
+	* added eap_sim_id parameter to allow EAP-SIM/AKA server pseudonym and
+	  fast reauthentication use to be disabled
+	* fixed an ECDH operation corner case with OpenSSL
+
 2019-04-21 - v2.8
 	* SAE changes
 	  - added support for SAE Password Identifier

Modified: stable/11/contrib/wpa/hostapd/config_file.c
==============================================================================
--- stable/11/contrib/wpa/hostapd/config_file.c	Thu Aug 29 18:53:00 2019	(r351610)
+++ stable/11/contrib/wpa/hostapd/config_file.c	Thu Aug 29 19:13:27 2019	(r351611)
@@ -24,14 +24,6 @@
 #include "config_file.h"
 
 
-#ifndef CONFIG_NO_RADIUS
-#ifdef EAP_SERVER
-static struct hostapd_radius_attr *
-hostapd_parse_radius_attr(const char *value);
-#endif /* EAP_SERVER */
-#endif /* CONFIG_NO_RADIUS */
-
-
 #ifndef CONFIG_NO_VLAN
 static int hostapd_config_read_vlan_file(struct hostapd_bss_config *bss,
 					 const char *fname)
@@ -660,76 +652,7 @@ hostapd_config_read_radius_addr(struct hostapd_radius_
 }
 
 
-static struct hostapd_radius_attr *
-hostapd_parse_radius_attr(const char *value)
-{
-	const char *pos;
-	char syntax;
-	struct hostapd_radius_attr *attr;
-	size_t len;
 
-	attr = os_zalloc(sizeof(*attr));
-	if (attr == NULL)
-		return NULL;
-
-	attr->type = atoi(value);
-
-	pos = os_strchr(value, ':');
-	if (pos == NULL) {
-		attr->val = wpabuf_alloc(1);
-		if (attr->val == NULL) {
-			os_free(attr);
-			return NULL;
-		}
-		wpabuf_put_u8(attr->val, 0);
-		return attr;
-	}
-
-	pos++;
-	if (pos[0] == '\0' || pos[1] != ':') {
-		os_free(attr);
-		return NULL;
-	}
-	syntax = *pos++;
-	pos++;
-
-	switch (syntax) {
-	case 's':
-		attr->val = wpabuf_alloc_copy(pos, os_strlen(pos));
-		break;
-	case 'x':
-		len = os_strlen(pos);
-		if (len & 1)
-			break;
-		len /= 2;
-		attr->val = wpabuf_alloc(len);
-		if (attr->val == NULL)
-			break;
-		if (hexstr2bin(pos, wpabuf_put(attr->val, len), len) < 0) {
-			wpabuf_free(attr->val);
-			os_free(attr);
-			return NULL;
-		}
-		break;
-	case 'd':
-		attr->val = wpabuf_alloc(4);
-		if (attr->val)
-			wpabuf_put_be32(attr->val, atoi(pos));
-		break;
-	default:
-		os_free(attr);
-		return NULL;
-	}
-
-	if (attr->val == NULL) {
-		os_free(attr);
-		return NULL;
-	}
-
-	return attr;
-}
-
-
 static int hostapd_parse_das_client(struct hostapd_bss_config *bss, char *val)
 {
 	char *secret;
@@ -2313,6 +2236,42 @@ static unsigned int parse_tls_flags(const char *val)
 #endif /* EAP_SERVER */
 
 
+#ifdef CONFIG_AIRTIME_POLICY
+static int add_airtime_weight(struct hostapd_bss_config *bss, char *value)
+{
+	struct airtime_sta_weight *wt;
+	char *pos, *next;
+
+	wt = os_zalloc(sizeof(*wt));
+	if (!wt)
+		return -1;
+
+	/* 02:01:02:03:04:05 10 */
+	pos = value;
+	next = os_strchr(pos, ' ');
+	if (next)
+		*next++ = '\0';
+	if (!next || hwaddr_aton(pos, wt->addr)) {
+		wpa_printf(MSG_ERROR, "Invalid station address: '%s'", pos);
+		os_free(wt);
+		return -1;
+	}
+
+	pos = next;
+	wt->weight = atoi(pos);
+	if (!wt->weight) {
+		wpa_printf(MSG_ERROR, "Invalid weight: '%s'", pos);
+		os_free(wt);
+		return -1;
+	}
+
+	wt->next = bss->airtime_weight_list;
+	bss->airtime_weight_list = wt;
+	return 0;
+}
+#endif /* CONFIG_AIRTIME_POLICY */
+
+
 #ifdef CONFIG_SAE
 static int parse_sae_password(struct hostapd_bss_config *bss, const char *val)
 {
@@ -2376,6 +2335,36 @@ fail:
 #endif /* CONFIG_SAE */
 
 
+#ifdef CONFIG_DPP2
+static int hostapd_dpp_controller_parse(struct hostapd_bss_config *bss,
+					const char *pos)
+{
+	struct dpp_controller_conf *conf;
+	char *val;
+
+	conf = os_zalloc(sizeof(*conf));
+	if (!conf)
+		return -1;
+	val = get_param(pos, "ipaddr=");
+	if (!val || hostapd_parse_ip_addr(val, &conf->ipaddr))
+		goto fail;
+	os_free(val);
+	val = get_param(pos, "pkhash=");
+	if (!val || os_strlen(val) != 2 * SHA256_MAC_LEN ||
+	    hexstr2bin(val, conf->pkhash, SHA256_MAC_LEN) < 0)
+		goto fail;
+	os_free(val);
+	conf->next = bss->dpp_controller;
+	bss->dpp_controller = conf;
+	return 0;
+fail:
+	os_free(val);
+	os_free(conf);
+	return -1;
+}
+#endif /* CONFIG_DPP2 */
+
+
 static int hostapd_config_fill(struct hostapd_config *conf,
 			       struct hostapd_bss_config *bss,
 			       const char *buf, char *pos, int line)
@@ -2496,7 +2485,11 @@ static int hostapd_config_fill(struct hostapd_config *
 	} else if (os_strcmp(buf, "eapol_version") == 0) {
 		int eapol_version = atoi(pos);
 
+#ifdef CONFIG_MACSEC
+		if (eapol_version < 1 || eapol_version > 3) {
+#else /* CONFIG_MACSEC */
 		if (eapol_version < 1 || eapol_version > 2) {
+#endif /* CONFIG_MACSEC */
 			wpa_printf(MSG_ERROR,
 				   "Line %d: invalid EAPOL version (%d): '%s'.",
 				   line, eapol_version, pos);
@@ -2519,12 +2512,21 @@ static int hostapd_config_fill(struct hostapd_config *
 	} else if (os_strcmp(buf, "server_cert") == 0) {
 		os_free(bss->server_cert);
 		bss->server_cert = os_strdup(pos);
+	} else if (os_strcmp(buf, "server_cert2") == 0) {
+		os_free(bss->server_cert2);
+		bss->server_cert2 = os_strdup(pos);
 	} else if (os_strcmp(buf, "private_key") == 0) {
 		os_free(bss->private_key);
 		bss->private_key = os_strdup(pos);
+	} else if (os_strcmp(buf, "private_key2") == 0) {
+		os_free(bss->private_key2);
+		bss->private_key2 = os_strdup(pos);
 	} else if (os_strcmp(buf, "private_key_passwd") == 0) {
 		os_free(bss->private_key_passwd);
 		bss->private_key_passwd = os_strdup(pos);
+	} else if (os_strcmp(buf, "private_key_passwd2") == 0) {
+		os_free(bss->private_key_passwd2);
+		bss->private_key_passwd2 = os_strdup(pos);
 	} else if (os_strcmp(buf, "check_cert_subject") == 0) {
 		if (!pos[0]) {
 			wpa_printf(MSG_ERROR, "Line %d: unknown check_cert_subject '%s'",
@@ -2605,6 +2607,20 @@ static int hostapd_config_fill(struct hostapd_config *
 	} else if (os_strcmp(buf, "pac_key_refresh_time") == 0) {
 		bss->pac_key_refresh_time = atoi(pos);
 #endif /* EAP_SERVER_FAST */
+#ifdef EAP_SERVER_TEAP
+	} else if (os_strcmp(buf, "eap_teap_auth") == 0) {
+		int val = atoi(pos);
+
+		if (val < 0 || val > 1) {
+			wpa_printf(MSG_ERROR,
+				   "Line %d: Invalid eap_teap_auth value",
+				   line);
+			return 1;
+		}
+		bss->eap_teap_auth = val;
+	} else if (os_strcmp(buf, "eap_teap_pac_no_inner") == 0) {
+		bss->eap_teap_pac_no_inner = atoi(pos);
+#endif /* EAP_SERVER_TEAP */
 #ifdef EAP_SERVER_SIM
 	} else if (os_strcmp(buf, "eap_sim_db") == 0) {
 		os_free(bss->eap_sim_db);
@@ -2613,6 +2629,8 @@ static int hostapd_config_fill(struct hostapd_config *
 		bss->eap_sim_db_timeout = atoi(pos);
 	} else if (os_strcmp(buf, "eap_sim_aka_result_ind") == 0) {
 		bss->eap_sim_aka_result_ind = atoi(pos);
+	} else if (os_strcmp(buf, "eap_sim_id") == 0) {
+		bss->eap_sim_id = atoi(pos);
 #endif /* EAP_SERVER_SIM */
 #ifdef EAP_SERVER_TNC
 	} else if (os_strcmp(buf, "tnc") == 0) {
@@ -2816,6 +2834,9 @@ static int hostapd_config_fill(struct hostapd_config *
 				a = a->next;
 			a->next = attr;
 		}
+	} else if (os_strcmp(buf, "radius_req_attr_sqlite") == 0) {
+		os_free(bss->radius_req_attr_sqlite);
+		bss->radius_req_attr_sqlite = os_strdup(pos);
 	} else if (os_strcmp(buf, "radius_das_port") == 0) {
 		bss->radius_das_port = atoi(pos);
 	} else if (os_strcmp(buf, "radius_das_client") == 0) {
@@ -3442,6 +3463,8 @@ static int hostapd_config_fill(struct hostapd_config *
 		conf->he_op.he_twt_required = atoi(pos);
 	} else if (os_strcmp(buf, "he_rts_threshold") == 0) {
 		conf->he_op.he_rts_threshold = atoi(pos);
+	} else if (os_strcmp(buf, "he_basic_mcs_nss_set") == 0) {
+		conf->he_op.he_basic_mcs_nss_set = atoi(pos);
 	} else if (os_strcmp(buf, "he_mu_edca_qos_info_param_count") == 0) {
 		conf->he_mu_edca.he_qos_info |=
 			set_he_cap(atoi(pos), HE_QOS_INFO_EDCA_PARAM_SET_COUNT);
@@ -3526,6 +3549,20 @@ static int hostapd_config_fill(struct hostapd_config *
 	} else if (os_strcmp(buf, "he_mu_edca_ac_vo_timer") == 0) {
 		conf->he_mu_edca.he_mu_ac_vo_param[HE_MU_AC_PARAM_TIMER_IDX] =
 			atoi(pos) & 0xff;
+	} else if (os_strcmp(buf, "he_spr_sr_control") == 0) {
+		conf->spr.sr_control = atoi(pos) & 0xff;
+	} else if (os_strcmp(buf, "he_spr_non_srg_obss_pd_max_offset") == 0) {
+		conf->spr.non_srg_obss_pd_max_offset = atoi(pos);
+	} else if (os_strcmp(buf, "he_spr_srg_obss_pd_min_offset") == 0) {
+		conf->spr.srg_obss_pd_min_offset = atoi(pos);
+	} else if (os_strcmp(buf, "he_spr_srg_obss_pd_max_offset") == 0) {
+		conf->spr.srg_obss_pd_max_offset = atoi(pos);
+	} else if (os_strcmp(buf, "he_oper_chwidth") == 0) {
+		conf->he_oper_chwidth = atoi(pos);
+	} else if (os_strcmp(buf, "he_oper_centr_freq_seg0_idx") == 0) {
+		conf->he_oper_centr_freq_seg0_idx = atoi(pos);
+	} else if (os_strcmp(buf, "he_oper_centr_freq_seg1_idx") == 0) {
+		conf->he_oper_centr_freq_seg1_idx = atoi(pos);
 #endif /* CONFIG_IEEE80211AX */
 	} else if (os_strcmp(buf, "max_listen_interval") == 0) {
 		bss->max_listen_interval = atoi(pos);
@@ -4298,6 +4335,11 @@ static int hostapd_config_fill(struct hostapd_config *
 	} else if (os_strcmp(buf, "dpp_csign") == 0) {
 		if (parse_wpabuf_hex(line, buf, &bss->dpp_csign, pos))
 			return 1;
+#ifdef CONFIG_DPP2
+	} else if (os_strcmp(buf, "dpp_controller") == 0) {
+		if (hostapd_dpp_controller_parse(bss, pos))
+			return 1;
+#endif /* CONFIG_DPP2 */
 #endif /* CONFIG_DPP */
 #ifdef CONFIG_OWE
 	} else if (os_strcmp(buf, "owe_transition_bssid") == 0) {
@@ -4349,6 +4391,121 @@ static int hostapd_config_fill(struct hostapd_config *
 		conf->rssi_reject_assoc_timeout = atoi(pos);
 	} else if (os_strcmp(buf, "pbss") == 0) {
 		bss->pbss = atoi(pos);
+#ifdef CONFIG_AIRTIME_POLICY
+	} else if (os_strcmp(buf, "airtime_mode") == 0) {
+		int val = atoi(pos);
+
+		if (val < 0 || val > AIRTIME_MODE_MAX) {
+			wpa_printf(MSG_ERROR, "Line %d: Unknown airtime_mode",
+				   line);
+			return 1;
+		}
+		conf->airtime_mode = val;
+	} else if (os_strcmp(buf, "airtime_update_interval") == 0) {
+		conf->airtime_update_interval = atoi(pos);
+	} else if (os_strcmp(buf, "airtime_bss_weight") == 0) {
+		bss->airtime_weight = atoi(pos);
+	} else if (os_strcmp(buf, "airtime_bss_limit") == 0) {
+		int val = atoi(pos);
+
+		if (val < 0 || val > 1) {
+			wpa_printf(MSG_ERROR,
+				   "Line %d: Invalid airtime_bss_limit (must be 0 or 1)",
+				   line);
+			return 1;
+		}
+		bss->airtime_limit = val;
+	} else if (os_strcmp(buf, "airtime_sta_weight") == 0) {
+		if (add_airtime_weight(bss, pos) < 0) {
+			wpa_printf(MSG_ERROR,
+				   "Line %d: Invalid airtime weight '%s'",
+				   line, pos);
+			return 1;
+		}
+#endif /* CONFIG_AIRTIME_POLICY */
+#ifdef CONFIG_MACSEC
+	} else if (os_strcmp(buf, "macsec_policy") == 0) {
+		int macsec_policy = atoi(pos);
+
+		if (macsec_policy < 0 || macsec_policy > 1) {
+			wpa_printf(MSG_ERROR,
+				   "Line %d: invalid macsec_policy (%d): '%s'.",
+				   line, macsec_policy, pos);
+			return 1;
+		}
+		bss->macsec_policy = macsec_policy;
+	} else if (os_strcmp(buf, "macsec_integ_only") == 0) {
+		int macsec_integ_only = atoi(pos);
+
+		if (macsec_integ_only < 0 || macsec_integ_only > 1) {
+			wpa_printf(MSG_ERROR,
+				   "Line %d: invalid macsec_integ_only (%d): '%s'.",
+				   line, macsec_integ_only, pos);
+			return 1;
+		}
+		bss->macsec_integ_only = macsec_integ_only;
+	} else if (os_strcmp(buf, "macsec_replay_protect") == 0) {
+		int macsec_replay_protect = atoi(pos);
+
+		if (macsec_replay_protect < 0 || macsec_replay_protect > 1) {
+			wpa_printf(MSG_ERROR,
+				   "Line %d: invalid macsec_replay_protect (%d): '%s'.",
+				   line, macsec_replay_protect, pos);
+			return 1;
+		}
+		bss->macsec_replay_protect = macsec_replay_protect;
+	} else if (os_strcmp(buf, "macsec_replay_window") == 0) {
+		bss->macsec_replay_window = atoi(pos);
+	} else if (os_strcmp(buf, "macsec_port") == 0) {
+		int macsec_port = atoi(pos);
+
+		if (macsec_port < 1 || macsec_port > 65534) {
+			wpa_printf(MSG_ERROR,
+				   "Line %d: invalid macsec_port (%d): '%s'.",
+				   line, macsec_port, pos);
+			return 1;
+		}
+		bss->macsec_port = macsec_port;
+	} else if (os_strcmp(buf, "mka_priority") == 0) {
+		int mka_priority = atoi(pos);
+
+		if (mka_priority < 0 || mka_priority > 255) {
+			wpa_printf(MSG_ERROR,
+				   "Line %d: invalid mka_priority (%d): '%s'.",
+				   line, mka_priority, pos);
+			return 1;
+		}
+		bss->mka_priority = mka_priority;
+	} else if (os_strcmp(buf, "mka_cak") == 0) {
+		size_t len = os_strlen(pos);
+
+		if (len > 2 * MACSEC_CAK_MAX_LEN ||
+		    (len != 2 * 16 && len != 2 * 32) ||
+		    hexstr2bin(pos, bss->mka_cak, len / 2)) {
+			wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CAK '%s'.",
+				   line, pos);
+			return 1;
+		}
+		bss->mka_cak_len = len / 2;
+		bss->mka_psk_set |= MKA_PSK_SET_CAK;
+	} else if (os_strcmp(buf, "mka_ckn") == 0) {
+		size_t len = os_strlen(pos);
+
+		if (len > 2 * MACSEC_CKN_MAX_LEN || /* too long */
+		    len < 2 || /* too short */
+		    len % 2 != 0 /* not an integral number of bytes */) {
+			wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CKN '%s'.",
+				   line, pos);
+			return 1;
+		}
+		bss->mka_ckn_len = len / 2;
+		if (hexstr2bin(pos, bss->mka_ckn, bss->mka_ckn_len)) {
+			wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CKN '%s'.",
+				   line, pos);
+			return -1;
+		}
+		bss->mka_psk_set |= MKA_PSK_SET_CKN;
+#endif /* CONFIG_MACSEC */
 	} else {
 		wpa_printf(MSG_ERROR,
 			   "Line %d: unknown configuration item '%s'",

Modified: stable/11/contrib/wpa/hostapd/ctrl_iface.c
==============================================================================
--- stable/11/contrib/wpa/hostapd/ctrl_iface.c	Thu Aug 29 18:53:00 2019	(r351610)
+++ stable/11/contrib/wpa/hostapd/ctrl_iface.c	Thu Aug 29 19:13:27 2019	(r351611)
@@ -1830,26 +1830,40 @@ static void hostapd_data_test_rx(void *ctx, const u8 *
 	struct iphdr ip;
 	const u8 *pos;
 	unsigned int i;
+	char extra[30];
 
-	if (len != HWSIM_PACKETLEN)
+	if (len < sizeof(*eth) + sizeof(ip) || len > HWSIM_PACKETLEN) {
+		wpa_printf(MSG_DEBUG,
+			   "test data: RX - ignore unexpected length %d",
+			   (int) len);
 		return;
+	}
 
 	eth = (const struct ether_header *) buf;
 	os_memcpy(&ip, eth + 1, sizeof(ip));
 	pos = &buf[sizeof(*eth) + sizeof(ip)];
 
 	if (ip.ihl != 5 || ip.version != 4 ||
-	    ntohs(ip.tot_len) != HWSIM_IP_LEN)
+	    ntohs(ip.tot_len) > HWSIM_IP_LEN) {
+		wpa_printf(MSG_DEBUG,
+			   "test data: RX - ignore unexpect IP header");
 		return;
+	}
 
-	for (i = 0; i < HWSIM_IP_LEN - sizeof(ip); i++) {
-		if (*pos != (u8) i)
+	for (i = 0; i < ntohs(ip.tot_len) - sizeof(ip); i++) {
+		if (*pos != (u8) i) {
+			wpa_printf(MSG_DEBUG,
+				   "test data: RX - ignore mismatching payload");
 			return;
+		}
 		pos++;
 	}
 
-	wpa_msg(hapd->msg_ctx, MSG_INFO, "DATA-TEST-RX " MACSTR " " MACSTR,
-		MAC2STR(eth->ether_dhost), MAC2STR(eth->ether_shost));
+	extra[0] = '\0';
+	if (ntohs(ip.tot_len) != HWSIM_IP_LEN)
+		os_snprintf(extra, sizeof(extra), " len=%d", ntohs(ip.tot_len));
+	wpa_msg(hapd->msg_ctx, MSG_INFO, "DATA-TEST-RX " MACSTR " " MACSTR "%s",
+		MAC2STR(eth->ether_dhost), MAC2STR(eth->ether_shost), extra);
 }
 
 
@@ -1894,7 +1908,7 @@ static int hostapd_ctrl_iface_data_test_config(struct 
 static int hostapd_ctrl_iface_data_test_tx(struct hostapd_data *hapd, char *cmd)
 {
 	u8 dst[ETH_ALEN], src[ETH_ALEN];
-	char *pos;
+	char *pos, *pos2;
 	int used;
 	long int val;
 	u8 tos;
@@ -1903,11 +1917,12 @@ static int hostapd_ctrl_iface_data_test_tx(struct host
 	struct iphdr *ip;
 	u8 *dpos;
 	unsigned int i;
+	size_t send_len = HWSIM_IP_LEN;
 
 	if (hapd->l2_test == NULL)
 		return -1;
 
-	/* format: <dst> <src> <tos> */
+	/* format: <dst> <src> <tos> [len=<length>] */
 
 	pos = cmd;
 	used = hwaddr_aton2(pos, dst);
@@ -1921,11 +1936,19 @@ static int hostapd_ctrl_iface_data_test_tx(struct host
 		return -1;
 	pos += used;
 
-	val = strtol(pos, NULL, 0);
+	val = strtol(pos, &pos2, 0);
 	if (val < 0 || val > 0xff)
 		return -1;
 	tos = val;
 
+	pos = os_strstr(pos2, " len=");
+	if (pos) {
+		i = atoi(pos + 5);
+		if (i < sizeof(*ip) || i > HWSIM_IP_LEN)
+			return -1;
+		send_len = i;
+	}
+
 	eth = (struct ether_header *) &buf[2];
 	os_memcpy(eth->ether_dhost, dst, ETH_ALEN);
 	os_memcpy(eth->ether_shost, src, ETH_ALEN);
@@ -1936,17 +1959,17 @@ static int hostapd_ctrl_iface_data_test_tx(struct host
 	ip->version = 4;
 	ip->ttl = 64;
 	ip->tos = tos;
-	ip->tot_len = htons(HWSIM_IP_LEN);
+	ip->tot_len = htons(send_len);
 	ip->protocol = 1;
 	ip->saddr = htonl(192U << 24 | 168 << 16 | 1 << 8 | 1);
 	ip->daddr = htonl(192U << 24 | 168 << 16 | 1 << 8 | 2);
 	ip->check = ipv4_hdr_checksum(ip, sizeof(*ip));
 	dpos = (u8 *) (ip + 1);
-	for (i = 0; i < HWSIM_IP_LEN - sizeof(*ip); i++)
+	for (i = 0; i < send_len - sizeof(*ip); i++)
 		*dpos++ = i;
 
 	if (l2_packet_send(hapd->l2_test, dst, ETHERTYPE_IP, &buf[2],
-			   HWSIM_PACKETLEN) < 0)
+			   sizeof(struct ether_header) + send_len) < 0)
 		return -1;
 
 	wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "test data: TX dst=" MACSTR

Modified: stable/11/contrib/wpa/hostapd/defconfig
==============================================================================
--- stable/11/contrib/wpa/hostapd/defconfig	Thu Aug 29 18:53:00 2019	(r351610)
+++ stable/11/contrib/wpa/hostapd/defconfig	Thu Aug 29 19:13:27 2019	(r351611)
@@ -108,11 +108,18 @@ CONFIG_EAP_TTLS=y
 #CONFIG_EAP_GPSK_SHA256=y
 
 # EAP-FAST for the integrated EAP server
-# Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed
-# for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g.,
-# with openssl-0.9.8x-tls-extensions.patch, to add the needed functions.
 #CONFIG_EAP_FAST=y
 
+# EAP-TEAP for the integrated EAP server
+# Note: The current EAP-TEAP implementation is experimental and should not be
+# enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
+# of conflicting statements and missing details and the implementation has
+# vendor specific workarounds for those and as such, may not interoperate with
+# any other implementation. This should not be used for anything else than
+# experimentation and interoperability testing until those issues has been
+# resolved.
+#CONFIG_EAP_TEAP=y
+
 # Wi-Fi Protected Setup (WPS)
 #CONFIG_WPS=y
 # Enable UPnP support for external WPS Registrars
@@ -375,6 +382,9 @@ CONFIG_IPV6=y
 # Opportunistic Wireless Encryption (OWE)
 # Experimental implementation of draft-harkins-owe-07.txt
 #CONFIG_OWE=y
+
+# Airtime policy support
+#CONFIG_AIRTIME_POLICY=y
 
 # Override default value for the wpa_disable_eapol_key_retries configuration
 # parameter. See that parameter in hostapd.conf for more details.

Modified: stable/11/contrib/wpa/hostapd/eap_register.c
==============================================================================
--- stable/11/contrib/wpa/hostapd/eap_register.c	Thu Aug 29 18:53:00 2019	(r351610)
+++ stable/11/contrib/wpa/hostapd/eap_register.c	Thu Aug 29 19:13:27 2019	(r351611)
@@ -121,6 +121,11 @@ int eap_server_register_methods(void)
 		ret = eap_server_fast_register();
 #endif /* EAP_SERVER_FAST */
 
+#ifdef EAP_SERVER_TEAP
+	if (ret == 0)
+		ret = eap_server_teap_register();
+#endif /* EAP_SERVER_TEAP */
+
 #ifdef EAP_SERVER_WSC
 	if (ret == 0)
 		ret = eap_server_wsc_register();

Modified: stable/11/contrib/wpa/hostapd/hostapd.conf
==============================================================================
--- stable/11/contrib/wpa/hostapd/hostapd.conf	Thu Aug 29 18:53:00 2019	(r351610)
+++ stable/11/contrib/wpa/hostapd/hostapd.conf	Thu Aug 29 19:13:27 2019	(r351611)
@@ -782,10 +782,8 @@ wmm_ac_vo_acm=0
 # 1 = supported
 #he_mu_beamformer=1
 
-# he_bss_color: BSS color
-# 0 = no BSS color (default)
-# unsigned integer = BSS color
-#he_bss_color=0
+# he_bss_color: BSS color (1-63)
+#he_bss_color=1
 
 #he_default_pe_duration: The duration of PE field in an HE PPDU in us
 # Possible values are 0 us (default), 4 us, 8 us, 12 us, and 16 us
@@ -801,6 +799,17 @@ wmm_ac_vo_acm=0
 # unsigned integer = duration in units of 16 us
 #he_rts_threshold=0
 
+# HE operating channel information; see matching vht_* parameters for details.
+#he_oper_chwidth
+#he_oper_centr_freq_seg0_idx
+#he_oper_centr_freq_seg1_idx
+
+#he_basic_mcs_nss_set: Basic NSS/MCS set
+# 16-bit combination of 2-bit values of Max HE-MCS For 1..8 SS; each 2-bit
+# value having following meaning:
+# 0 = HE-MCS 0-7, 1 = HE-MCS 0-9, 2 = HE-MCS 0-11, 3 = not supported
+#he_basic_mcs_nss_set
+
 #he_mu_edca_qos_info_param_count
 #he_mu_edca_qos_info_q_ack
 #he_mu_edca_qos_info_queue_request=1
@@ -825,6 +834,12 @@ wmm_ac_vo_acm=0
 #he_mu_edca_ac_vo_ecwmax=15
 #he_mu_edca_ac_vo_timer=255
 
+# Spatial Reuse Parameter Set
+#he_spr_sr_control
+#he_spr_non_srg_obss_pd_max_offset
+#he_spr_srg_obss_pd_min_offset
+#he_spr_srg_obss_pd_max_offset
+
 ##### IEEE 802.1X-2004 related configuration ##################################
 
 # Require IEEE 802.1X authorization
@@ -836,6 +851,8 @@ wmm_ac_vo_acm=0
 # the new version number correctly (they seem to drop the frames completely).
 # In order to make hostapd interoperate with these clients, the version number
 # can be set to the older version (1) with this configuration value.
+# Note: When using MACsec, eapol_version shall be set to 3, which is
+# defined in IEEE Std 802.1X-2010.
 #eapol_version=2
 
 # Optional displayable message sent with EAP Request-Identity. The first \0
@@ -879,6 +896,54 @@ eapol_key_index_workaround=0
 # ERP is enabled (eap_server_erp=1).
 #erp_domain=example.com
 
+##### MACsec ##################################################################
+
+# macsec_policy: IEEE 802.1X/MACsec options
+# This determines how sessions are secured with MACsec (only for MACsec
+# drivers).
+# 0: MACsec not in use (default)
+# 1: MACsec enabled - Should secure, accept key server's advice to
+#    determine whether to use a secure session or not.
+#
+# macsec_integ_only: IEEE 802.1X/MACsec transmit mode
+# This setting applies only when MACsec is in use, i.e.,
+#  - macsec_policy is enabled
+#  - the key server has decided to enable MACsec
+# 0: Encrypt traffic (default)
+# 1: Integrity only
+#
+# macsec_replay_protect: IEEE 802.1X/MACsec replay protection
+# This setting applies only when MACsec is in use, i.e.,
+#  - macsec_policy is enabled
+#  - the key server has decided to enable MACsec
+# 0: Replay protection disabled (default)
+# 1: Replay protection enabled
+#
+# macsec_replay_window: IEEE 802.1X/MACsec replay protection window
+# This determines a window in which replay is tolerated, to allow receipt
+# of frames that have been misordered by the network.
+# This setting applies only when MACsec replay protection active, i.e.,
+#  - macsec_replay_protect is enabled
+#  - the key server has decided to enable MACsec
+# 0: No replay window, strict check (default)
+# 1..2^32-1: number of packets that could be misordered
+#
+# macsec_port: IEEE 802.1X/MACsec port
+# Port component of the SCI
+# Range: 1-65534 (default: 1)
+#
+# mka_priority (Priority of MKA Actor)
+# Range: 0..255 (default: 255)
+#
+# mka_cak, mka_ckn, and mka_priority: IEEE 802.1X/MACsec pre-shared key mode
+# This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair.
+# In this mode, instances of hostapd can act as MACsec peers. The peer
+# with lower priority will become the key server and start distributing SAKs.
+# mka_cak (CAK = Secure Connectivity Association Key) takes a 16-byte (128-bit)
+# hex-string (32 hex-digits) or a 32-byte (256-bit) hex-string (64 hex-digits)
+# mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit) hex-string
+# (2..64 hex-digits)
+
 ##### Integrated EAP server ###################################################
 
 # Optionally, hostapd can be configured to use an integrated EAP server
@@ -912,6 +977,23 @@ eap_server=0
 # Passphrase for private key
 #private_key_passwd=secret passphrase
 
+# An alternative server certificate and private key can be configured with the
+# following parameters (with values just like the parameters above without the
+# '2' suffix). The ca_cert file (in PEM encoding) is used to add the trust roots
+# for both server certificates and/or client certificates).
+#
+# The main use case for this alternative server certificate configuration is to
+# enable both RSA and ECC public keys. The server will pick which one to use
+# based on the client preferences for the cipher suite (in the TLS ClientHello
+# message). It should be noted that number of deployed EAP peer implementations
+# do not filter out the cipher suite list based on their local configuration and
+# as such, configuration of alternative types of certificates on the server may
+# result in interoperability issues.
+#server_cert2=/etc/hostapd.server-ecc.pem
+#private_key2=/etc/hostapd.server-ecc.prv
+#private_key_passwd2=secret passphrase
+
+
 # Server identity
 # EAP methods that provide mechanism for authenticated server identity delivery
 # use this value. If not set, "hostapd" is used as a default.
@@ -1109,10 +1191,27 @@ eap_server=0
 # (or fewer) of the lifetime remains.
 #pac_key_refresh_time=86400
 
+# EAP-TEAP authentication type
+# 0 = inner EAP (default)
+# 1 = Basic-Password-Auth
+#eap_teap_auth=0
+
+# EAP-TEAP authentication behavior when using PAC
+# 0 = perform inner authentication (default)
+# 1 = skip inner authentication (inner EAP/Basic-Password-Auth)
+#eap_teap_pac_no_inner=0
+
 # EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND
 # (default: 0 = disabled).
 #eap_sim_aka_result_ind=1
 
+# EAP-SIM and EAP-AKA identity options
+# 0 = do not use pseudonyms or fast reauthentication
+# 1 = use pseudonyms, but not fast reauthentication
+# 2 = do not use pseudonyms, but use fast reauthentication
+# 3 = use pseudonyms and use fast reauthentication (default)
+#eap_sim_id=3
+
 # Trusted Network Connect (TNC)
 # If enabled, TNC validation will be required before the peer is allowed to
 # connect. Note: This is only used with EAP-TTLS and EAP-FAST. If any other
@@ -1292,6 +1391,17 @@ own_ip_addr=127.0.0.1
 # Operator-Name = "Operator"
 #radius_acct_req_attr=126:s:Operator
 
+# If SQLite support is included, path to a database from which additional
+# RADIUS request attributes are extracted based on the station MAC address.
+#
+# The schema for the radius_attributes table is:
+# id | sta | reqtype | attr   :   multi-key (sta, reqtype)
+# id   = autonumber
+# sta  = station MAC address in `11:22:33:44:55:66` format.
+# type = `auth` | `acct` | NULL (match any)
+# attr = existing config file format, e.g. `126:s:Test Operator`
+#radius_req_attr_sqlite=radius_attr.sqlite
+
 # Dynamic Authorization Extensions (RFC 5176)
 # This mechanism can be used to allow dynamic changes to user session based on
 # commands from a RADIUS server (or some other disconnect client that has the
@@ -2491,6 +2601,42 @@ own_ip_addr=127.0.0.1
 # as a radio measurement even if the request doesn't contain a max age element
 # that allows sending of such data. Default: 0.
 #stationary_ap=0
+
+##### Airtime policy configuration ###########################################
+
+# Set the airtime policy operating mode:
+# 0 = disabled (default)
+# 1 = static config
+# 2 = per-BSS dynamic config
+# 3 = per-BSS limit mode
+#airtime_mode=0
+
+# Interval (in milliseconds) to poll the kernel for updated station activity in
+# dynamic and limit modes
+#airtime_update_interval=200
+
+# Static configuration of station weights (when airtime_mode=1). Kernel default
+# weight is 256; set higher for larger airtime share, lower for smaller share.
+# Each entry is a MAC address followed by a weight.
+#airtime_sta_weight=02:01:02:03:04:05 256
+#airtime_sta_weight=02:01:02:03:04:06 512
+
+# Per-BSS airtime weight. In multi-BSS mode, set for each BSS and hostapd will
+# configure station weights to enforce the correct ratio between BSS weights
+# depending on the number of active stations. The *ratios* between different
+# BSSes is what's important, not the absolute numbers.
+# Must be set for all BSSes if airtime_mode=2 or 3, has no effect otherwise.
+#airtime_bss_weight=1
+
+# Whether the current BSS should be limited (when airtime_mode=3).
+#
+# If set, the BSS weight ratio will be applied in the case where the current BSS
+# would exceed the share defined by the BSS weight ratio. E.g., if two BSSes are
+# set to the same weights, and one is set to limited, the limited BSS will get
+# no more than half the available airtime, but if the non-limited BSS has more
+# stations active, that *will* be allowed to exceed its half of the available
+# airtime.
+#airtime_bss_limit=1
 
 ##### TESTING OPTIONS #########################################################
 #

Modified: stable/11/contrib/wpa/hostapd/hostapd_cli.c
==============================================================================
--- stable/11/contrib/wpa/hostapd/hostapd_cli.c	Thu Aug 29 18:53:00 2019	(r351610)
+++ stable/11/contrib/wpa/hostapd/hostapd_cli.c	Thu Aug 29 19:13:27 2019	(r351611)
@@ -1214,6 +1214,13 @@ static int hostapd_cli_cmd_disable(struct wpa_ctrl *ct
 }
 
 
+static int hostapd_cli_cmd_update_beacon(struct wpa_ctrl *ctrl, int argc,
+				      char *argv[])
+{
+	return wpa_ctrl_command(ctrl, "UPDATE_BEACON");
+}
+
+
 static int hostapd_cli_cmd_vendor(struct wpa_ctrl *ctrl, int argc, char *argv[])
 {
 	char cmd[256];
@@ -1617,6 +1624,8 @@ static const struct hostapd_cli_cmd hostapd_cli_comman
 	  "= reload configuration for current interface" },
 	{ "disable", hostapd_cli_cmd_disable, NULL,
 	  "= disable hostapd on current interface" },
+	{ "update_beacon", hostapd_cli_cmd_update_beacon, NULL,
+	  "= update Beacon frame contents\n"},
 	{ "erp_flush", hostapd_cli_cmd_erp_flush, NULL,
 	  "= drop all ERP keys"},
 	{ "log_level", hostapd_cli_cmd_log_level, NULL,

Modified: stable/11/contrib/wpa/hostapd/main.c
==============================================================================
--- stable/11/contrib/wpa/hostapd/main.c	Thu Aug 29 18:53:00 2019	(r351610)
+++ stable/11/contrib/wpa/hostapd/main.c	Thu Aug 29 19:13:27 2019	(r351611)
@@ -653,6 +653,9 @@ int main(int argc, char *argv[])
 	int start_ifaces_in_sync = 0;
 	char **if_names = NULL;
 	size_t if_names_size = 0;
+#ifdef CONFIG_DPP
+	struct dpp_global_config dpp_conf;
+#endif /* CONFIG_DPP */
 
 	if (os_program_init())
 		return -1;
@@ -672,7 +675,9 @@ int main(int argc, char *argv[])
 	dl_list_init(&interfaces.eth_p_oui);
 #endif /* CONFIG_ETH_P_OUI */
 #ifdef CONFIG_DPP
-	interfaces.dpp = dpp_global_init();
+	os_memset(&dpp_conf, 0, sizeof(dpp_conf));
+	/* TODO: dpp_conf.msg_ctx? */
+	interfaces.dpp = dpp_global_init(&dpp_conf);
 	if (!interfaces.dpp)
 		return -1;
 #endif /* CONFIG_DPP */

Modified: stable/11/contrib/wpa/hs20/client/osu_client.c
==============================================================================
--- stable/11/contrib/wpa/hs20/client/osu_client.c	Thu Aug 29 18:53:00 2019	(r351610)
+++ stable/11/contrib/wpa/hs20/client/osu_client.c	Thu Aug 29 19:13:27 2019	(r351611)
@@ -1588,6 +1588,7 @@ static void set_pps_cred_digital_cert(struct hs20_osu_
 				      xml_node_t *node, const char *fqdn)
 {
 	char buf[200], dir[200];
+	int res;
 
 	wpa_printf(MSG_INFO, "- Credential/DigitalCertificate");
 
@@ -1599,14 +1600,20 @@ static void set_pps_cred_digital_cert(struct hs20_osu_
 		wpa_printf(MSG_INFO, "Failed to set username");
 	}
 
-	snprintf(buf, sizeof(buf), "%s/SP/%s/client-cert.pem", dir, fqdn);
+	res = os_snprintf(buf, sizeof(buf), "%s/SP/%s/client-cert.pem", dir,
+			  fqdn);
+	if (os_snprintf_error(sizeof(buf), res))
+		return;
 	if (os_file_exists(buf)) {
 		if (set_cred_quoted(ctx->ifname, id, "client_cert", buf) < 0) {
 			wpa_printf(MSG_INFO, "Failed to set client_cert");
 		}
 	}
 
-	snprintf(buf, sizeof(buf), "%s/SP/%s/client-key.pem", dir, fqdn);
+	res = os_snprintf(buf, sizeof(buf), "%s/SP/%s/client-key.pem", dir,
+			  fqdn);
+	if (os_snprintf_error(sizeof(buf), res))
+		return;
 	if (os_file_exists(buf)) {
 		if (set_cred_quoted(ctx->ifname, id, "private_key", buf) < 0) {
 			wpa_printf(MSG_INFO, "Failed to set private_key");
@@ -1620,6 +1627,7 @@ static void set_pps_cred_realm(struct hs20_osu_client 
 {
 	char *str = xml_node_get_text(ctx->xml, node);
 	char buf[200], dir[200];
+	int res;
 
 	if (str == NULL)
 		return;
@@ -1634,7 +1642,9 @@ static void set_pps_cred_realm(struct hs20_osu_client 
 
 	if (getcwd(dir, sizeof(dir)) == NULL)
 		return;
-	snprintf(buf, sizeof(buf), "%s/SP/%s/aaa-ca.pem", dir, fqdn);
+	res = os_snprintf(buf, sizeof(buf), "%s/SP/%s/aaa-ca.pem", dir, fqdn);
+	if (os_snprintf_error(sizeof(buf), res))
+		return;
 	if (os_file_exists(buf)) {
 		if (set_cred_quoted(ctx->ifname, id, "ca_cert", buf) < 0) {
 			wpa_printf(MSG_INFO, "Failed to set CA cert");
@@ -2717,6 +2727,8 @@ static int cmd_pol_upd(struct hs20_osu_client *ctx, co
 
 	if (!pps_fname) {
 		char buf[256];
+		int res;
+
 		wpa_printf(MSG_INFO, "Determining PPS file based on Home SP information");
 		if (address && os_strncmp(address, "fqdn=", 5) == 0) {
 			wpa_printf(MSG_INFO, "Use requested FQDN from command line");
@@ -2737,8 +2749,13 @@ static int cmd_pol_upd(struct hs20_osu_client *ctx, co
 			    "SP/%s/pps.xml", ctx->fqdn);
 		pps_fname = pps_fname_buf;
 
-		os_snprintf(ca_fname_buf, sizeof(ca_fname_buf), "SP/%s/ca.pem",
-			    buf);
+		res = os_snprintf(ca_fname_buf, sizeof(ca_fname_buf),
+				  "SP/%s/ca.pem", buf);
+		if (os_snprintf_error(sizeof(ca_fname_buf), res)) {
+			os_free(ctx->fqdn);
+			ctx->fqdn = NULL;
+			return -1;
+		}
 		ca_fname = ca_fname_buf;
 	}
 

Modified: stable/11/contrib/wpa/src/ap/accounting.c
==============================================================================
--- stable/11/contrib/wpa/src/ap/accounting.c	Thu Aug 29 18:53:00 2019	(r351610)
+++ stable/11/contrib/wpa/src/ap/accounting.c	Thu Aug 29 19:13:27 2019	(r351611)
@@ -97,6 +97,9 @@ static struct radius_msg * accounting_msg(struct hosta
 				   msg) < 0)
 		goto fail;
 
+	if (sta && add_sqlite_radius_attr(hapd, sta, msg, 1) < 0)
+		goto fail;
+
 	if (sta) {
 		for (i = 0; ; i++) {
 			val = ieee802_1x_get_radius_class(sta->eapol_sm, &len,

Modified: stable/11/contrib/wpa/src/ap/acs.c
==============================================================================
--- stable/11/contrib/wpa/src/ap/acs.c	Thu Aug 29 18:53:00 2019	(r351610)
+++ stable/11/contrib/wpa/src/ap/acs.c	Thu Aug 29 19:13:27 2019	(r351611)
@@ -594,12 +594,12 @@ acs_find_ideal_chan(struct hostapd_iface *iface)
 	    iface->conf->secondary_channel)
 		n_chans = 2;
 
-	if (iface->conf->ieee80211ac) {
-		switch (iface->conf->vht_oper_chwidth) {
-		case VHT_CHANWIDTH_80MHZ:
+	if (iface->conf->ieee80211ac || iface->conf->ieee80211ax) {
+		switch (hostapd_get_oper_chwidth(iface->conf)) {
+		case CHANWIDTH_80MHZ:
 			n_chans = 4;
 			break;
-		case VHT_CHANWIDTH_160MHZ:
+		case CHANWIDTH_160MHZ:
 			n_chans = 8;
 			break;
 		}
@@ -607,7 +607,7 @@ acs_find_ideal_chan(struct hostapd_iface *iface)
 
 	bw = num_chan_to_bw(n_chans);
 
-	/* TODO: VHT80+80. Update acs_adjust_vht_center_freq() too. */
+	/* TODO: VHT/HE80+80. Update acs_adjust_center_freq() too. */
 
 	wpa_printf(MSG_DEBUG,
 		   "ACS: Survey analysis for selected bandwidth %d MHz", bw);
@@ -647,9 +647,9 @@ acs_find_ideal_chan(struct hostapd_iface *iface)
 		}
 
 		if (iface->current_mode->mode == HOSTAPD_MODE_IEEE80211A &&
-		    iface->conf->ieee80211ac) {
-			if (iface->conf->vht_oper_chwidth ==

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201908291913.x7TJDSK8083970>