Date: Tue, 1 Oct 2024 04:29:32 GMT From: Cy Schubert <cy@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: aff29dd3641d - stable/14 - wpa: Import 2.11 Message-ID: <202410010429.4914TWZd039214@gitrepo.freebsd.org>
The branch stable/14 has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=aff29dd3641d2ab3c67b82772f4b76ba3171e757 commit aff29dd3641d2ab3c67b82772f4b76ba3171e757 Author: Cy Schubert <cy@FreeBSD.org> AuthorDate: 2024-07-21 18:59:44 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2024-10-01 04:28:54 +0000 wpa: Import 2.11 Following is a changelog of new features and fixes to wpa: hostapd: * Wi-Fi Easy Connect - add support for DPP release 3 - allow Configurator parameters to be provided during config exchange * HE/IEEE 802.11ax/Wi-Fi 6 - various fixes * EHT/IEEE 802.11be/Wi-Fi 7 - add preliminary support * SAE: add support for fetching the password from a RADIUS server * support OpenSSL 3.0 API changes * support background radar detection and CAC with some additional drivers * support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3) * EAP-SIM/AKA: support IMSI privacy * improve 4-way handshake operations - use Secure=1 in message 3 during PTK rekeying * OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases to avoid interoperability issues * support new SAE AKM suites with variable length keys * support new AKM for 802.1X/EAP with SHA384 * extend PASN support for secure ranging * FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP) - this is based on additional details being added in the IEEE 802.11 standard - the new implementation is not backwards compatible * improved ACS to cover additional channel types/bandwidths * extended Multiple BSSID support * fix beacon protection with FT protocol (incorrect BIGTK was provided) * support unsynchronized service discovery (USD) * add preliminary support for RADIUS/TLS * add support for explicit SSID protection in 4-way handshake (a mitigation for CVE-2023-52424; disabled by default for now, can be enabled with ssid_protection=1) * fix SAE H2E rejected groups validation to avoid downgrade attacks * use stricter validation for some RADIUS messages * a large number of 
other fixes, cleanup, and extensions wpa_supplicant: * Wi-Fi Easy Connect - add support for DPP release 3 - allow Configurator parameters to be provided during config exchange * MACsec - add support for GCM-AES-256 cipher suite - remove incorrect EAP Session-Id length constraint - add hardware offload support for additional drivers * HE/IEEE 802.11ax/Wi-Fi 6 - support BSS color updates - various fixes * EHT/IEEE 802.11be/Wi-Fi 7 - add preliminary support * support OpenSSL 3.0 API changes * improve EAP-TLS support for TLSv1.3 * EAP-SIM/AKA: support IMSI privacy * improve mitigation against DoS attacks when PMF is used * improve 4-way handshake operations - discard unencrypted EAPOL frames in additional cases - use Secure=1 in message 2 during PTK rekeying * OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases to avoid interoperability issues * support new SAE AKM suites with variable length keys * support new AKM for 802.1X/EAP with SHA384 * improve cross-AKM roaming with driver-based SME/BSS selection * PASN - extend support for secure ranging - allow PASN implementation to be used with external programs for Wi-Fi Aware * FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP) - this is based on additional details being added in the IEEE 802.11 standard - the new implementation is not backwards compatible, but PMKSA caching with FT-EAP was, and still is, disabled by default * support a pregenerated MAC (mac_addr=3) as an alternative mechanism for using per-network random MAC addresses * EAP-PEAP: require Phase 2 authentication by default (phase2_auth=1) to improve security for still unfortunately common invalid configurations that do not set ca_cert * extend SCS support for QoS Characteristics * extend MSCS support * support unsynchronized service discovery (USD) * add support for explicit SSID protection in 4-way handshake (a mitigation for CVE-2023-52424; disabled by default for now, can be enabled with ssid_protection=1) - in addition, 
verify SSID after key setup when beacon protection is used * fix SAE H2E rejected groups validation to avoid downgrade attacks * a large number of other fixes, cleanup, and extensions Merge commit '6377230b3cf4f238dcd0dc2d76ff25943d3040e5' (cherry picked from commit a90b9d0159070121c221b966469c3e36d912bf82) --- contrib/wpa/CONTRIBUTIONS | 2 +- contrib/wpa/README | 2 +- contrib/wpa/hostapd/Android.mk | 28 +- contrib/wpa/hostapd/ChangeLog | 37 + contrib/wpa/hostapd/Makefile | 30 +- contrib/wpa/hostapd/README | 2 +- contrib/wpa/hostapd/android.config | 6 + contrib/wpa/hostapd/config_file.c | 481 +- contrib/wpa/hostapd/config_file.h | 7 +- contrib/wpa/hostapd/ctrl_iface.c | 1460 +++-- contrib/wpa/hostapd/defconfig | 21 +- contrib/wpa/hostapd/hostapd.conf | 356 +- contrib/wpa/hostapd/hostapd.eap_user | 4 +- contrib/wpa/hostapd/hostapd_cli.c | 217 +- contrib/wpa/hostapd/logwatch/hostapd | 65 - contrib/wpa/hostapd/main.c | 142 +- contrib/wpa/hs20/client/Android.mk | 10 + contrib/wpa/hs20/client/est.c | 37 +- contrib/wpa/hs20/client/osu_client.c | 115 +- contrib/wpa/hs20/client/spp_client.c | 1 - contrib/wpa/src/Makefile | 2 +- contrib/wpa/src/ap/acs.c | 568 +- contrib/wpa/src/ap/acs.h | 3 + contrib/wpa/src/ap/airtime_policy.c | 2 +- contrib/wpa/src/ap/ap_config.c | 205 +- contrib/wpa/src/ap/ap_config.h | 226 +- contrib/wpa/src/ap/ap_drv_ops.c | 359 +- contrib/wpa/src/ap/ap_drv_ops.h | 84 +- contrib/wpa/src/ap/ap_list.c | 6 +- contrib/wpa/src/ap/ap_mlme.c | 4 +- contrib/wpa/src/ap/authsrv.c | 94 + contrib/wpa/src/ap/beacon.c | 1212 +++- contrib/wpa/src/ap/beacon.h | 4 + contrib/wpa/src/ap/bss_load.c | 2 +- contrib/wpa/src/ap/comeback_token.c | 139 + contrib/wpa/src/ap/comeback_token.h | 21 + contrib/wpa/src/ap/ctrl_iface_ap.c | 599 +- contrib/wpa/src/ap/ctrl_iface_ap.h | 17 + contrib/wpa/src/ap/dfs.c | 608 +- contrib/wpa/src/ap/dpp_hostapd.c | 1417 ++++- contrib/wpa/src/ap/dpp_hostapd.h | 5 + contrib/wpa/src/ap/drv_callbacks.c | 881 ++- contrib/wpa/src/ap/fils_hlp.c | 10 
+- contrib/wpa/src/ap/gas_query_ap.c | 10 +- contrib/wpa/src/ap/gas_serv.c | 11 +- contrib/wpa/src/ap/gas_serv.h | 2 +- contrib/wpa/src/ap/hostapd.c | 1441 ++++- contrib/wpa/src/ap/hostapd.h | 169 +- contrib/wpa/src/ap/hw_features.c | 233 +- contrib/wpa/src/ap/hw_features.h | 12 + contrib/wpa/src/ap/ieee802_11.c | 4030 ++++++++----- contrib/wpa/src/ap/ieee802_11.h | 83 +- contrib/wpa/src/ap/ieee802_11_auth.c | 162 +- contrib/wpa/src/ap/ieee802_11_auth.h | 5 +- contrib/wpa/src/ap/ieee802_11_eht.c | 1405 +++++ contrib/wpa/src/ap/ieee802_11_he.c | 87 +- contrib/wpa/src/ap/ieee802_11_ht.c | 5 +- contrib/wpa/src/ap/ieee802_11_shared.c | 215 +- contrib/wpa/src/ap/ieee802_11_vht.c | 32 +- contrib/wpa/src/ap/ieee802_1x.c | 233 +- contrib/wpa/src/ap/ieee802_1x.h | 2 +- contrib/wpa/src/ap/nan_usd_ap.c | 267 + contrib/wpa/src/ap/nan_usd_ap.h | 46 + contrib/wpa/src/ap/ndisc_snoop.c | 1 + contrib/wpa/src/ap/neighbor_db.c | 74 +- contrib/wpa/src/ap/neighbor_db.h | 1 + contrib/wpa/src/ap/pmksa_cache_auth.c | 32 +- contrib/wpa/src/ap/pmksa_cache_auth.h | 4 + contrib/wpa/src/ap/preauth_auth.c | 4 +- contrib/wpa/src/ap/rrm.c | 121 + contrib/wpa/src/ap/rrm.h | 2 + contrib/wpa/src/ap/sta_info.c | 469 +- contrib/wpa/src/ap/sta_info.h | 96 +- contrib/wpa/src/ap/utils.c | 14 +- contrib/wpa/src/ap/wmm.c | 7 - contrib/wpa/src/ap/wnm_ap.c | 216 +- contrib/wpa/src/ap/wpa_auth.c | 2459 ++++++-- contrib/wpa/src/ap/wpa_auth.h | 103 +- contrib/wpa/src/ap/wpa_auth_ft.c | 615 +- contrib/wpa/src/ap/wpa_auth_glue.c | 269 +- contrib/wpa/src/ap/wpa_auth_i.h | 47 +- contrib/wpa/src/ap/wpa_auth_ie.c | 95 +- contrib/wpa/src/ap/wpa_auth_kay.c | 45 +- contrib/wpa/src/ap/wps_hostapd.c | 5 +- contrib/wpa/src/ap/x_snoop.c | 5 + contrib/wpa/src/build.rules | 2 +- contrib/wpa/src/common/brcm_vendor.h | 8 +- contrib/wpa/src/common/common_module_tests.c | 2 +- contrib/wpa/src/common/defs.h | 67 +- contrib/wpa/src/common/dpp.c | 883 ++- contrib/wpa/src/common/dpp.h | 132 +- contrib/wpa/src/common/dpp_crypto.c | 
239 +- contrib/wpa/src/common/dpp_i.h | 19 +- contrib/wpa/src/common/dpp_pkex.c | 59 +- contrib/wpa/src/common/dpp_reconfig.c | 18 +- contrib/wpa/src/common/dpp_tcp.c | 916 ++- contrib/wpa/src/common/dragonfly.c | 9 +- contrib/wpa/src/common/gas_server.c | 79 +- contrib/wpa/src/common/gas_server.h | 5 +- contrib/wpa/src/common/hw_features_common.c | 303 +- contrib/wpa/src/common/hw_features_common.h | 12 +- contrib/wpa/src/common/ieee802_11_common.c | 1090 +++- contrib/wpa/src/common/ieee802_11_common.h | 89 +- contrib/wpa/src/common/ieee802_11_defs.h | 722 ++- contrib/wpa/src/common/nan.h | 98 + contrib/wpa/src/common/nan_de.c | 1395 +++++ contrib/wpa/src/common/nan_de.h | 145 + contrib/wpa/src/common/ocv.c | 5 +- contrib/wpa/src/common/ptksa_cache.c | 74 +- contrib/wpa/src/common/ptksa_cache.h | 47 +- contrib/wpa/src/common/qca-vendor.h | 6323 +++++++++++++++++++- contrib/wpa/src/common/sae.c | 139 +- contrib/wpa/src/common/sae.h | 14 +- contrib/wpa/src/common/version.h | 2 +- contrib/wpa/src/common/wpa_common.c | 995 ++- contrib/wpa/src/common/wpa_common.h | 134 +- contrib/wpa/src/common/wpa_ctrl.c | 16 +- contrib/wpa/src/common/wpa_ctrl.h | 36 + contrib/wpa/src/crypto/crypto.h | 117 +- contrib/wpa/src/crypto/crypto_gnutls.c | 5 + contrib/wpa/src/crypto/crypto_internal.c | 5 + contrib/wpa/src/crypto/crypto_libtomcrypt.c | 5 + contrib/wpa/src/crypto/crypto_linux.c | 5 + contrib/wpa/src/crypto/crypto_module_tests.c | 281 + contrib/wpa/src/crypto/crypto_nettle.c | 5 + contrib/wpa/src/crypto/crypto_none.c | 5 + contrib/wpa/src/crypto/crypto_openssl.c | 2622 +++++++- contrib/wpa/src/crypto/crypto_wolfssl.c | 2043 ++++++- contrib/wpa/src/crypto/fips_prf_internal.c | 11 +- contrib/wpa/src/crypto/fips_prf_openssl.c | 15 + contrib/wpa/src/crypto/sha1-pbkdf2.c | 3 + contrib/wpa/src/crypto/sha256-internal.c | 3 - contrib/wpa/src/crypto/sha256.c | 21 +- contrib/wpa/src/crypto/sha384.c | 6 +- contrib/wpa/src/crypto/sha512-internal.c | 3 - contrib/wpa/src/crypto/sha512.c | 6 
+- contrib/wpa/src/crypto/tls.h | 18 +- contrib/wpa/src/crypto/tls_gnutls.c | 1 + contrib/wpa/src/crypto/tls_internal.c | 11 +- contrib/wpa/src/crypto/tls_none.c | 1 + contrib/wpa/src/crypto/tls_openssl.c | 564 +- contrib/wpa/src/crypto/tls_openssl_ocsp.c | 26 +- contrib/wpa/src/crypto/tls_wolfssl.c | 284 +- contrib/wpa/src/drivers/driver.h | 964 ++- contrib/wpa/src/drivers/driver_atheros.c | 31 +- contrib/wpa/src/drivers/driver_bsd.c | 16 +- contrib/wpa/src/drivers/driver_common.c | 44 + contrib/wpa/src/drivers/driver_hostap.c | 20 +- contrib/wpa/src/drivers/driver_macsec_linux.c | 76 +- contrib/wpa/src/drivers/driver_macsec_qca.c | 4 +- contrib/wpa/src/drivers/driver_ndis.c | 8 +- contrib/wpa/src/drivers/driver_nl80211.c | 3443 ++++++++--- contrib/wpa/src/drivers/driver_nl80211.h | 113 +- contrib/wpa/src/drivers/driver_nl80211_capa.c | 354 +- contrib/wpa/src/drivers/driver_nl80211_event.c | 1291 +++- contrib/wpa/src/drivers/driver_nl80211_scan.c | 127 +- contrib/wpa/src/drivers/driver_roboswitch.c | 2 +- contrib/wpa/src/drivers/driver_wext.c | 11 +- contrib/wpa/src/drivers/driver_wired.c | 2 +- contrib/wpa/src/drivers/linux_ioctl.c | 11 +- contrib/wpa/src/drivers/ndis_events.c | 5 +- contrib/wpa/src/drivers/netlink.c | 6 +- contrib/wpa/src/drivers/nl80211_copy.h | 626 +- contrib/wpa/src/eap_common/eap_defs.h | 2 +- contrib/wpa/src/eap_common/eap_pwd_common.c | 23 +- contrib/wpa/src/eap_common/eap_sake_common.c | 19 +- contrib/wpa/src/eap_peer/eap.c | 44 + contrib/wpa/src/eap_peer/eap_aka.c | 198 +- contrib/wpa/src/eap_peer/eap_config.h | 46 +- contrib/wpa/src/eap_peer/eap_fast.c | 14 +- contrib/wpa/src/eap_peer/eap_i.h | 9 + contrib/wpa/src/eap_peer/eap_mschapv2.c | 30 +- contrib/wpa/src/eap_peer/eap_peap.c | 40 +- contrib/wpa/src/eap_peer/eap_pwd.c | 33 +- contrib/wpa/src/eap_peer/eap_sim.c | 202 +- contrib/wpa/src/eap_peer/eap_teap.c | 61 +- contrib/wpa/src/eap_peer/eap_tls.c | 15 +- contrib/wpa/src/eap_peer/eap_tls_common.c | 27 +- 
contrib/wpa/src/eap_peer/eap_tls_common.h | 5 + contrib/wpa/src/eap_peer/eap_ttls.c | 32 +- contrib/wpa/src/eap_peer/eap_wsc.c | 14 +- contrib/wpa/src/eap_server/eap.h | 12 + contrib/wpa/src/eap_server/eap_i.h | 7 + contrib/wpa/src/eap_server/eap_server_aka.c | 126 +- contrib/wpa/src/eap_server/eap_server_eke.c | 1 + contrib/wpa/src/eap_server/eap_server_fast.c | 14 +- contrib/wpa/src/eap_server/eap_server_mschapv2.c | 28 +- contrib/wpa/src/eap_server/eap_server_peap.c | 18 + contrib/wpa/src/eap_server/eap_server_pwd.c | 33 +- contrib/wpa/src/eap_server/eap_server_sim.c | 133 +- contrib/wpa/src/eap_server/eap_server_teap.c | 39 +- contrib/wpa/src/eap_server/eap_server_tls.c | 10 +- contrib/wpa/src/eap_server/eap_server_tls_common.c | 18 +- contrib/wpa/src/eap_server/eap_server_ttls.c | 3 +- contrib/wpa/src/eap_server/eap_tls_common.h | 2 + contrib/wpa/src/eapol_auth/eapol_auth_sm.c | 26 +- contrib/wpa/src/eapol_auth/eapol_auth_sm.h | 5 +- contrib/wpa/src/eapol_auth/eapol_auth_sm_i.h | 4 + contrib/wpa/src/eapol_supp/eapol_supp_sm.c | 17 +- contrib/wpa/src/eapol_supp/eapol_supp_sm.h | 18 +- contrib/wpa/src/fst/fst_group.c | 12 +- contrib/wpa/src/fst/fst_iface.c | 2 +- contrib/wpa/src/fst/fst_session.c | 6 +- contrib/wpa/src/l2_packet/l2_packet_freebsd.c | 9 +- contrib/wpa/src/l2_packet/l2_packet_linux.c | 4 +- contrib/wpa/src/p2p/p2p.c | 123 +- contrib/wpa/src/p2p/p2p.h | 12 +- contrib/wpa/src/p2p/p2p_build.c | 20 +- contrib/wpa/src/p2p/p2p_dev_disc.c | 10 +- contrib/wpa/src/p2p/p2p_go_neg.c | 121 +- contrib/wpa/src/p2p/p2p_group.c | 14 +- contrib/wpa/src/p2p/p2p_i.h | 19 +- contrib/wpa/src/p2p/p2p_invitation.c | 31 +- contrib/wpa/src/p2p/p2p_parse.c | 27 +- contrib/wpa/src/p2p/p2p_pd.c | 43 +- contrib/wpa/src/p2p/p2p_sd.c | 23 +- contrib/wpa/src/p2p/p2p_utils.c | 84 +- contrib/wpa/src/pae/ieee802_1x_cp.c | 15 +- contrib/wpa/src/pae/ieee802_1x_kay.c | 74 +- contrib/wpa/src/pae/ieee802_1x_kay.h | 5 +- contrib/wpa/src/pae/ieee802_1x_secy_ops.c | 20 + 
contrib/wpa/src/pae/ieee802_1x_secy_ops.h | 1 + contrib/wpa/src/pasn/Makefile | 16 + contrib/wpa/src/pasn/pasn_common.c | 232 + contrib/wpa/src/pasn/pasn_common.h | 228 + contrib/wpa/src/pasn/pasn_initiator.c | 1406 +++++ contrib/wpa/src/pasn/pasn_responder.c | 1032 ++++ contrib/wpa/src/radius/radius.c | 297 +- contrib/wpa/src/radius/radius.h | 35 +- contrib/wpa/src/radius/radius_client.c | 789 ++- contrib/wpa/src/radius/radius_client.h | 27 +- contrib/wpa/src/radius/radius_das.c | 10 + contrib/wpa/src/radius/radius_server.c | 15 + contrib/wpa/src/rsn_supp/pmksa_cache.c | 260 +- contrib/wpa/src/rsn_supp/pmksa_cache.h | 105 +- contrib/wpa/src/rsn_supp/preauth.c | 19 +- contrib/wpa/src/rsn_supp/tdls.c | 332 +- contrib/wpa/src/rsn_supp/wpa.c | 2190 +++++-- contrib/wpa/src/rsn_supp/wpa.h | 88 +- contrib/wpa/src/rsn_supp/wpa_ft.c | 328 +- contrib/wpa/src/rsn_supp/wpa_i.h | 65 +- contrib/wpa/src/rsn_supp/wpa_ie.c | 36 +- contrib/wpa/src/tls/libtommath.c | 8 - contrib/wpa/src/tls/pkcs1.c | 6 +- contrib/wpa/src/tls/tlsv1_client_read.c | 3 +- contrib/wpa/src/tls/tlsv1_common.c | 6 +- contrib/wpa/src/tls/tlsv1_common.h | 3 +- contrib/wpa/src/tls/tlsv1_server_write.c | 2 +- contrib/wpa/src/utils/browser.c | 10 + contrib/wpa/src/utils/common.c | 15 +- contrib/wpa/src/utils/common.h | 38 + contrib/wpa/src/utils/crc32.c | 2 +- contrib/wpa/src/utils/crc32.h | 2 +- contrib/wpa/src/utils/http-utils.h | 1 + contrib/wpa/src/utils/http_curl.c | 73 +- contrib/wpa/src/utils/ip_addr.c | 19 + contrib/wpa/src/utils/ip_addr.h | 2 + contrib/wpa/src/utils/os.h | 42 +- contrib/wpa/src/utils/os_unix.c | 195 +- contrib/wpa/src/utils/trace.c | 6 +- contrib/wpa/src/utils/wpa_debug.c | 10 +- contrib/wpa/src/utils/wpa_debug.h | 1 + contrib/wpa/src/utils/wpabuf.h | 6 + contrib/wpa/src/wps/ndef.c | 6 + contrib/wpa/src/wps/wps.c | 5 +- contrib/wpa/src/wps/wps.h | 5 + contrib/wpa/src/wps/wps_attr_parse.c | 13 +- contrib/wpa/src/wps/wps_enrollee.c | 6 +- contrib/wpa/src/wps/wps_er.c | 4 +- 
contrib/wpa/src/wps/wps_i.h | 1 + contrib/wpa/src/wps/wps_registrar.c | 15 +- contrib/wpa/wpa_supplicant/Android.mk | 228 +- contrib/wpa/wpa_supplicant/ChangeLog | 50 + contrib/wpa/wpa_supplicant/Makefile | 308 +- contrib/wpa/wpa_supplicant/README | 4 +- contrib/wpa/wpa_supplicant/README-HS20 | 33 +- contrib/wpa/wpa_supplicant/README-NAN-USD | 147 + contrib/wpa/wpa_supplicant/README-WPS | 24 +- contrib/wpa/wpa_supplicant/android.config | 15 + contrib/wpa/wpa_supplicant/ap.c | 293 +- contrib/wpa/wpa_supplicant/ap.h | 24 +- contrib/wpa/wpa_supplicant/bgscan.h | 2 +- contrib/wpa/wpa_supplicant/bgscan_learn.c | 10 +- contrib/wpa/wpa_supplicant/bgscan_simple.c | 64 +- contrib/wpa/wpa_supplicant/bss.c | 563 +- contrib/wpa/wpa_supplicant/bss.h | 29 + contrib/wpa/wpa_supplicant/bssid_ignore.c | 30 +- contrib/wpa/wpa_supplicant/config.c | 487 +- contrib/wpa/wpa_supplicant/config.h | 150 +- contrib/wpa/wpa_supplicant/config_file.c | 108 +- contrib/wpa/wpa_supplicant/config_none.c | 3 +- contrib/wpa/wpa_supplicant/config_ssid.h | 114 +- contrib/wpa/wpa_supplicant/config_winreg.c | 5 +- contrib/wpa/wpa_supplicant/ctrl_iface.c | 1707 +++++- contrib/wpa/wpa_supplicant/ctrl_iface.h | 2 + contrib/wpa/wpa_supplicant/ctrl_iface_unix.c | 3 + .../wpa/wpa_supplicant/dbus/dbus_dict_helpers.c | 100 + .../wpa/wpa_supplicant/dbus/dbus_dict_helpers.h | 9 + contrib/wpa/wpa_supplicant/dbus/dbus_new.c | 142 +- contrib/wpa/wpa_supplicant/dbus/dbus_new.h | 24 + .../wpa/wpa_supplicant/dbus/dbus_new_handlers.c | 784 ++- .../wpa/wpa_supplicant/dbus/dbus_new_handlers.h | 7 + .../wpa_supplicant/dbus/dbus_new_handlers_p2p.c | 94 +- contrib/wpa/wpa_supplicant/dbus/dbus_new_helpers.c | 209 +- contrib/wpa/wpa_supplicant/dbus/dbus_new_helpers.h | 5 + .../wpa/wpa_supplicant/dbus/dbus_new_introspect.c | 2 +- contrib/wpa/wpa_supplicant/defconfig | 53 + .../wpa_supplicant/doc/docbook/wpa_supplicant.sgml | 48 +- contrib/wpa/wpa_supplicant/dpp_supplicant.c | 2184 ++++++- 
contrib/wpa/wpa_supplicant/dpp_supplicant.h | 5 + contrib/wpa/wpa_supplicant/driver_i.h | 124 +- contrib/wpa/wpa_supplicant/eapol_test.c | 146 +- contrib/wpa/wpa_supplicant/events.c | 1741 +++++- contrib/wpa/wpa_supplicant/examples/dpp-nfc.py | 10 +- contrib/wpa/wpa_supplicant/gas_query.c | 56 +- contrib/wpa/wpa_supplicant/hs20_supplicant.c | 17 +- contrib/wpa/wpa_supplicant/ibss_rsn.c | 32 +- contrib/wpa/wpa_supplicant/ibss_rsn.h | 3 +- contrib/wpa/wpa_supplicant/interworking.c | 124 +- contrib/wpa/wpa_supplicant/main.c | 2 + contrib/wpa/wpa_supplicant/mbo.c | 25 +- contrib/wpa/wpa_supplicant/mesh.c | 16 +- contrib/wpa/wpa_supplicant/mesh_mpm.c | 74 +- contrib/wpa/wpa_supplicant/mesh_rsn.c | 27 +- contrib/wpa/wpa_supplicant/nan_usd.c | 513 ++ contrib/wpa/wpa_supplicant/nan_usd.h | 46 + contrib/wpa/wpa_supplicant/notify.c | 103 +- contrib/wpa/wpa_supplicant/notify.h | 14 +- contrib/wpa/wpa_supplicant/offchannel.c | 10 +- contrib/wpa/wpa_supplicant/op_classes.c | 150 +- contrib/wpa/wpa_supplicant/p2p_supplicant.c | 483 +- contrib/wpa/wpa_supplicant/p2p_supplicant.h | 13 +- contrib/wpa/wpa_supplicant/p2p_supplicant_sd.c | 14 +- contrib/wpa/wpa_supplicant/pasn_supplicant.c | 1712 ++---- contrib/wpa/wpa_supplicant/preauth_test.c | 8 +- contrib/wpa/wpa_supplicant/robust_av.c | 341 +- contrib/wpa/wpa_supplicant/rrm.c | 132 +- contrib/wpa/wpa_supplicant/scan.c | 774 ++- contrib/wpa/wpa_supplicant/scan.h | 30 +- contrib/wpa/wpa_supplicant/sme.c | 948 ++- contrib/wpa/wpa_supplicant/sme.h | 14 +- .../systemd/wpa_supplicant-nl80211.service.arg.in | 2 +- .../systemd/wpa_supplicant.service.arg.in | 2 +- contrib/wpa/wpa_supplicant/utils/log2pcap.py | 9 +- contrib/wpa/wpa_supplicant/wmm_ac.c | 6 +- contrib/wpa/wpa_supplicant/wnm_sta.c | 532 +- contrib/wpa/wpa_supplicant/wnm_sta.h | 30 +- contrib/wpa/wpa_supplicant/wpa_cli.c | 144 +- contrib/wpa/wpa_supplicant/wpa_passphrase.c | 25 +- contrib/wpa/wpa_supplicant/wpa_priv.c | 11 +- contrib/wpa/wpa_supplicant/wpa_supplicant.c | 1679 
++++-- contrib/wpa/wpa_supplicant/wpa_supplicant.conf | 109 +- contrib/wpa/wpa_supplicant/wpa_supplicant_i.h | 286 +- .../wpa_supplicant/wpa_supplicant_template.conf | 2 + contrib/wpa/wpa_supplicant/wpas_glue.c | 159 +- contrib/wpa/wpa_supplicant/wpas_glue.h | 2 + contrib/wpa/wpa_supplicant/wpas_kay.c | 53 +- contrib/wpa/wpa_supplicant/wpas_module_tests.c | 3 + contrib/wpa/wpa_supplicant/wps_supplicant.c | 166 +- contrib/wpa/wpa_supplicant/wps_supplicant.h | 13 + share/mk/src.libnames.mk | 4 + usr.sbin/wpa/Makefile.inc | 1 - usr.sbin/wpa/hostapd/Makefile | 3 +- usr.sbin/wpa/src/Makefile | 1 + usr.sbin/wpa/src/pasn/Makefile | 20 + usr.sbin/wpa/wpa_supplicant/Makefile | 2 +- 366 files changed, 66259 insertions(+), 12716 deletions(-) diff --git a/contrib/wpa/CONTRIBUTIONS b/contrib/wpa/CONTRIBUTIONS index b2064dc83443..6c8187cb190d 100644 --- a/contrib/wpa/CONTRIBUTIONS +++ b/contrib/wpa/CONTRIBUTIONS @@ -37,7 +37,7 @@ without moderation. You can subscribe to the list at this address: http://lists.infradead.org/mailman/listinfo/hostap The message should contain an inlined patch against the current -development branch (i.e., the master branch of +development branch (i.e., the main branch of git://w1.fi/hostap.git). Please make sure the software you use for sending the patch does not corrupt whitespace. If that cannot be fixed for some reason, it is better to include an attached version of the diff --git a/contrib/wpa/README b/contrib/wpa/README index 1470c4f23582..8392bb354fac 100644 --- a/contrib/wpa/README +++ b/contrib/wpa/README @@ -1,7 +1,7 @@ wpa_supplicant and hostapd -------------------------- -Copyright (c) 2002-2022, Jouni Malinen <j@w1.fi> and contributors +Copyright (c) 2002-2024, Jouni Malinen <j@w1.fi> and contributors All Rights Reserved. These programs are licensed under the BSD license (the one with diff --git a/contrib/wpa/hostapd/Android.mk b/contrib/wpa/hostapd/Android.mk index bf26e41c6b23..573564d5b0de 100644 --- a/contrib/wpa/hostapd/Android.mk 
+++ b/contrib/wpa/hostapd/Android.mk @@ -154,6 +154,7 @@ OBJS += src/utils/crc32.c OBJS += src/common/ieee802_11_common.c OBJS += src/common/wpa_common.c OBJS += src/common/hw_features_common.c +OBJS += src/common/ptksa_cache.c OBJS += src/eapol_auth/eapol_auth_sm.c @@ -237,6 +238,8 @@ L_CFLAGS += -DCONFIG_OCV OBJS += src/common/ocv.c endif +NEED_AES_UNWRAP=y + ifdef CONFIG_IEEE80211R L_CFLAGS += -DCONFIG_IEEE80211R -DCONFIG_IEEE80211R_AP OBJS += src/ap/wpa_auth_ft.c @@ -256,6 +259,7 @@ L_CFLAGS += -DCONFIG_SAE OBJS += src/common/sae.c ifdef CONFIG_SAE_PK L_CFLAGS += -DCONFIG_SAE_PK +NEED_AES_SIV=y OBJS += src/common/sae_pk.c endif NEED_ECC=y @@ -294,6 +298,12 @@ ifdef CONFIG_IEEE80211AC L_CFLAGS += -DCONFIG_IEEE80211AC endif +ifdef CONFIG_IEEE80211BE +CONFIG_IEEE80211AX=y +L_CFLAGS += -DCONFIG_IEEE80211BE +OBJS += src/ap/ieee802_11_eht.c +endif + ifdef CONFIG_IEEE80211AX L_CFLAGS += -DCONFIG_IEEE80211AX endif @@ -572,6 +582,12 @@ L_CFLAGS += -DCONFIG_DPP3 endif endif +ifdef CONFIG_NAN_USD +OBJS += src/common/nan_de.c +OBJS += src/ap/nan_usd_ap.c +L_CFLAGS += -DCONFIG_NAN_USD +endif + ifdef CONFIG_PASN L_CFLAGS += -DCONFIG_PASN L_CFLAGS += -DCONFIG_PTKSA_CACHE @@ -579,7 +595,6 @@ NEED_HMAC_SHA256_KDF=y NEED_HMAC_SHA384_KDF=y NEED_SHA256=y NEED_SHA384=y -OBJS += src/common/ptksa_cache.c endif ifdef CONFIG_EAP_IKEV2 @@ -632,6 +647,11 @@ ifdef CHAP OBJS += src/eap_common/chap.c endif +ifdef CONFIG_RADIUS_TLS +TLS_FUNCS=y +L_CFLAGS += -DCONFIG_RADIUS_TLS +endif + ifdef TLS_FUNCS NEED_DES=y # Shared TLS functions (needed for EAP_TLS, EAP_PEAP, and EAP_TTLS) @@ -653,6 +673,7 @@ L_CFLAGS += -DCONFIG_TLSV12 endif ifeq ($(CONFIG_TLS), openssl) +L_CFLAGS += -DCRYPTO_RSA_OAEP_SHA256 ifdef TLS_FUNCS OBJS += src/crypto/tls_openssl.c OBJS += src/crypto/tls_openssl_ocsp.c 
@@ -825,7 +846,9 @@ endif ifdef NEED_AES_ENCBLOCK AESOBJS += src/crypto/aes-encblock.c endif +ifneq ($(CONFIG_TLS), openssl) AESOBJS += src/crypto/aes-omac1.c +endif ifdef NEED_AES_UNWRAP ifneq ($(CONFIG_TLS), openssl) NEED_AES_DEC=y @@ -1026,6 +1049,9 @@ endif ifdef NEED_AP_MLME OBJS += src/ap/wmm.c OBJS += src/ap/ap_list.c +OBJS += src/ap/comeback_token.c +OBJS += src/pasn/pasn_responder.c +OBJS += src/pasn/pasn_common.c OBJS += src/ap/ieee802_11.c OBJS += src/ap/hw_features.c OBJS += src/ap/dfs.c diff --git a/contrib/wpa/hostapd/ChangeLog b/contrib/wpa/hostapd/ChangeLog index 279298e4d4d4..1c8240d333c4 100644 --- a/contrib/wpa/hostapd/ChangeLog +++ b/contrib/wpa/hostapd/ChangeLog 
@@ -1,5 +1,42 @@ ChangeLog for hostapd +2024-07-20 - v2.11 + * Wi-Fi Easy Connect + - add support for DPP release 3 + - allow Configurator parameters to be provided during config exchange + * HE/IEEE 802.11ax/Wi-Fi 6 + - various fixes + * EHT/IEEE 802.11be/Wi-Fi 7 + - add preliminary support + * SAE: add support for fetching the password from a RADIUS server + * support OpenSSL 3.0 API changes + * support background radar detection and CAC with some additional + drivers + * support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3) + * EAP-SIM/AKA: support IMSI privacy + * improve 4-way handshake operations + - use Secure=1 in message 3 during PTK rekeying + * OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases + to avoid interoperability issues + * support new SAE AKM suites with variable length keys + * support new AKM for 802.1X/EAP with SHA384 + * extend PASN support for secure ranging + * FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP) + - this is based on additional details being added in the IEEE 802.11 + standard + - the new implementation is not backwards compatible + * improved ACS to cover additional channel types/bandwidths + * extended Multiple BSSID support + * fix beacon protection with FT protocol (incorrect BIGTK was provided) + * support unsynchronized service discovery (USD) + * add preliminary support for RADIUS/TLS + * add support for explicit SSID protection in 4-way handshake + (a mitigation for CVE-2023-52424; disabled by default for now, can be + enabled with ssid_protection=1) + * fix SAE H2E rejected groups validation to avoid downgrade attacks + * use stricter validation for some RADIUS messages + * a large number of other fixes, cleanup, and extensions + 2022-01-16 - v2.10 * SAE changes - improved protection against side channel attacks diff --git a/contrib/wpa/hostapd/Makefile b/contrib/wpa/hostapd/Makefile index e37c13b27a6e..ca4439234a11 100644 --- a/contrib/wpa/hostapd/Makefile 
+++ b/contrib/wpa/hostapd/Makefile @@ -84,6 +84,7 @@ OBJS += ../src/ap/beacon.o OBJS += ../src/ap/bss_load.o OBJS += ../src/ap/neighbor_db.o OBJS += ../src/ap/rrm.o +OBJS += ../src/common/ptksa_cache.o OBJS_c = hostapd_cli.o OBJS_c += ../src/common/wpa_ctrl.o @@ -167,7 +168,7 @@ OBJS += ../src/eapol_auth/eapol_auth_sm.o ifdef CONFIG_CODE_COVERAGE -CFLAGS += -O0 -fprofile-arcs -ftest-coverage +CFLAGS += -O0 -fprofile-arcs -ftest-coverage -U_FORTIFY_SOURCE LIBS += -lgcov LIBS_c += -lgcov LIBS_h += -lgcov @@ -276,6 +277,8 @@ CFLAGS += -DCONFIG_OCV OBJS += ../src/common/ocv.o endif +NEED_AES_UNWRAP=y + ifdef CONFIG_IEEE80211R CFLAGS += -DCONFIG_IEEE80211R -DCONFIG_IEEE80211R_AP OBJS += ../src/ap/wpa_auth_ft.o @@ -295,6 +298,7 @@ CFLAGS += -DCONFIG_SAE OBJS += ../src/common/sae.o ifdef CONFIG_SAE_PK CFLAGS += -DCONFIG_SAE_PK +NEED_AES_SIV=y OBJS += ../src/common/sae_pk.o endif NEED_ECC=y @@ -339,6 +343,12 @@ ifdef CONFIG_IEEE80211AC CFLAGS += -DCONFIG_IEEE80211AC endif +ifdef CONFIG_IEEE80211BE +CONFIG_IEEE80211AX=y +CFLAGS += -DCONFIG_IEEE80211BE +OBJS += ../src/ap/ieee802_11_eht.o +endif + ifdef CONFIG_IEEE80211AX CFLAGS += -DCONFIG_IEEE80211AX OBJS += ../src/ap/ieee802_11_he.o @@ -598,6 +608,12 @@ CFLAGS += -DCONFIG_DPP3 endif endif +ifdef CONFIG_NAN_USD +OBJS += ../src/common/nan_de.o +OBJS += ../src/ap/nan_usd_ap.o +CFLAGS += -DCONFIG_NAN_USD +endif + ifdef CONFIG_PASN CFLAGS += -DCONFIG_PASN CFLAGS += -DCONFIG_PTKSA_CACHE @@ -605,7 +621,6 @@ NEED_HMAC_SHA256_KDF=y NEED_HMAC_SHA384_KDF=y NEED_SHA256=y NEED_SHA384=y -OBJS += ../src/common/ptksa_cache.o endif ifdef CONFIG_EAP_IKEV2 @@ -667,6 +682,11 @@ ifdef CHAP OBJS += ../src/eap_common/chap.o endif +ifdef CONFIG_RADIUS_TLS +TLS_FUNCS=y +CFLAGS += -DCONFIG_RADIUS_TLS +endif + ifdef TLS_FUNCS NEED_DES=y # Shared TLS functions (needed for EAP_TLS, EAP_PEAP, and EAP_TTLS) 
@@ -708,6 +728,7 @@ endif endif ifeq ($(CONFIG_TLS), openssl) +CFLAGS += -DCRYPTO_RSA_OAEP_SHA256 CONFIG_CRYPTO=openssl ifdef TLS_FUNCS OBJS += ../src/crypto/tls_openssl.o @@ -932,11 +953,13 @@ endif ifdef NEED_AES_ENCBLOCK AESOBJS += ../src/crypto/aes-encblock.o endif +ifneq ($(CONFIG_TLS), openssl) ifneq ($(CONFIG_TLS), linux) ifneq ($(CONFIG_TLS), wolfssl) AESOBJS += ../src/crypto/aes-omac1.o endif endif +endif ifdef NEED_AES_UNWRAP ifneq ($(CONFIG_TLS), openssl) ifneq ($(CONFIG_TLS), linux) @@ -1172,6 +1195,9 @@ endif ifdef NEED_AP_MLME OBJS += ../src/ap/wmm.o OBJS += ../src/ap/ap_list.o +OBJS += ../src/ap/comeback_token.o +OBJS += ../src/pasn/pasn_responder.o +OBJS += ../src/pasn/pasn_common.o OBJS += ../src/ap/ieee802_11.o OBJS += ../src/ap/hw_features.o OBJS += ../src/ap/dfs.o diff --git a/contrib/wpa/hostapd/README b/contrib/wpa/hostapd/README index 739c964d44d8..1a0248fce422 100644 --- a/contrib/wpa/hostapd/README +++ b/contrib/wpa/hostapd/README @@ -2,7 +2,7 @@ hostapd - user space IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator and RADIUS authentication server ================================================================ -Copyright (c) 2002-2022, Jouni Malinen <j@w1.fi> and contributors +Copyright (c) 2002-2024, Jouni Malinen <j@w1.fi> and contributors All Rights Reserved. This program is licensed under the BSD license (the one with diff --git a/contrib/wpa/hostapd/android.config b/contrib/wpa/hostapd/android.config index c8b3afabef8d..522de87266d5 100644 --- a/contrib/wpa/hostapd/android.config +++ b/contrib/wpa/hostapd/android.config @@ -121,6 +121,9 @@ CONFIG_PKCS12=y # Build IPv6 support for RADIUS operations CONFIG_IPV6=y +# Include support fo RADIUS/TLS into the RADIUS client +#CONFIG_RADIUS_TLS=y + # IEEE Std 802.11r-2008 (Fast BSS Transition) #CONFIG_IEEE80211R=y 
@@ -212,3 +215,6 @@ CONFIG_NO_RANDOM_POOL=y # release under this optional build parameter. This functionality is subject to # be completely removed in a future release. CONFIG_WEP=y + +# Wi-Fi Aware unsynchronized service discovery (NAN USD) +#CONFIG_NAN_USD=y diff --git a/contrib/wpa/hostapd/config_file.c b/contrib/wpa/hostapd/config_file.c index b14728d1b507..3fb059770d49 100644 --- a/contrib/wpa/hostapd/config_file.c +++ b/contrib/wpa/hostapd/config_file.c @@ -1,6 +1,6 @@ /* * hostapd / Configuration file parser - * Copyright (c) 2003-2018, Jouni Malinen <j@w1.fi> + * Copyright (c) 2003-2024, Jouni Malinen <j@w1.fi> * * This software may be distributed under the terms of the BSD license. * See README for more details. @@ -118,52 +118,6 @@ static int hostapd_config_read_vlan_file(struct hostapd_bss_config *bss, #endif /* CONFIG_NO_VLAN */ -int hostapd_acl_comp(const void *a, const void *b) -{ - const struct mac_acl_entry *aa = a; - const struct mac_acl_entry *bb = b; - return os_memcmp(aa->addr, bb->addr, sizeof(macaddr)); -} - - -int hostapd_add_acl_maclist(struct mac_acl_entry **acl, int *num, - int vlan_id, const u8 *addr) -{ - struct mac_acl_entry *newacl; - - newacl = os_realloc_array(*acl, *num + 1, sizeof(**acl)); - if (!newacl) { - wpa_printf(MSG_ERROR, "MAC list reallocation failed"); - return -1; - } - - *acl = newacl; - os_memcpy((*acl)[*num].addr, addr, ETH_ALEN); - os_memset(&(*acl)[*num].vlan_id, 0, sizeof((*acl)[*num].vlan_id)); - (*acl)[*num].vlan_id.untagged = vlan_id; - (*acl)[*num].vlan_id.notempty = !!vlan_id; - (*num)++; - - return 0; -} - - -void hostapd_remove_acl_mac(struct mac_acl_entry **acl, int *num, - const u8 *addr) -{ - int i = 0; - - while (i < *num) { - if (os_memcmp((*acl)[i].addr, addr, ETH_ALEN) == 0) { - os_remove_in_array(*acl, *num, sizeof(**acl), i); - (*num)--; - } else { - i++; - } - } -} - - static int hostapd_config_read_maclist(const char *fname, struct mac_acl_entry **acl, int *num) { 
@@ -713,6 +667,10 @@ static int hostapd_config_parse_key_mgmt(int line, const char *value) val |= WPA_KEY_MGMT_FT_IEEE8021X_SHA384; #endif /* CONFIG_SHA384 */ #endif /* CONFIG_IEEE80211R_AP */ +#ifdef CONFIG_SHA384 + else if (os_strcmp(start, "WPA-EAP-SHA384") == 0) + val |= WPA_KEY_MGMT_IEEE8021X_SHA384; +#endif /* CONFIG_SHA384 */ else if (os_strcmp(start, "WPA-PSK-SHA256") == 0) val |= WPA_KEY_MGMT_PSK_SHA256; else if (os_strcmp(start, "WPA-EAP-SHA256") == 0) @@ -720,8 +678,12 @@ static int hostapd_config_parse_key_mgmt(int line, const char *value) #ifdef CONFIG_SAE else if (os_strcmp(start, "SAE") == 0) val |= WPA_KEY_MGMT_SAE; + else if (os_strcmp(start, "SAE-EXT-KEY") == 0) + val |= WPA_KEY_MGMT_SAE_EXT_KEY; else if (os_strcmp(start, "FT-SAE") == 0) val |= WPA_KEY_MGMT_FT_SAE; + else if (os_strcmp(start, "FT-SAE-EXT-KEY") == 0) + val |= WPA_KEY_MGMT_FT_SAE_EXT_KEY; #endif /* CONFIG_SAE */ #ifdef CONFIG_SUITEB else if (os_strcmp(start, "WPA-EAP-SUITE-B") == 0) 
@@ -1058,6 +1020,78 @@ static int add_r1kh(struct hostapd_bss_config *bss, char *value) return 0; } + + +int hostapd_config_read_rxkh_file(struct hostapd_bss_config *conf, + const char *fname) +{ + FILE *f; + char buf[256], *pos; + int line = 0, errors = 0; + + if (!fname) + return 0; + + f = fopen(fname, "r"); + if (!f) { + wpa_printf(MSG_ERROR, "rxkh file '%s' not found.", fname); + return -1; + } + + while (fgets(buf, sizeof(buf), f)) { + line++; + + if (buf[0] == '#') + continue; + pos = buf; + while (*pos != '\0') { + if (*pos == '\n') { + *pos = '\0'; + break; + } + pos++; + } + if (buf[0] == '\0') + continue; + + pos = os_strchr(buf, '='); + if (!pos) { + wpa_printf(MSG_ERROR, "Line %d: Invalid line '%s'", + line, buf); + errors++; + continue; + } + *pos = '\0'; + pos++; + + if (os_strcmp(buf, "r0kh") == 0) { + if (add_r0kh(conf, pos) < 0) { + wpa_printf(MSG_ERROR, + "Line %d: Invalid r0kh '%s'", + line, pos); + errors++; + } + } else if (os_strcmp(buf, "r1kh") == 0) { + if (add_r1kh(conf, pos) < 0) { + wpa_printf(MSG_ERROR, + "Line %d: Invalid r1kh '%s'", + line, pos); + errors++; + } + } + } + + fclose(f); + + if (errors) { + wpa_printf(MSG_ERROR, + "%d errors in configuring RxKHs from '%s'", + errors, fname); + return -1; + } + return 0; +} + #endif /* CONFIG_IEEE80211R_AP */ @@ -1644,6 +1678,8 @@ static int parse_anqp_elem(struct hostapd_bss_config *bss, char *buf, int line) return 0; } +#endif /* CONFIG_INTERWORKING */ + static int parse_qos_map_set(struct hostapd_bss_config *bss, char *buf, int line) @@ -1685,8 +1721,6 @@ static int parse_qos_map_set(struct hostapd_bss_config *bss, return 0; } -#endif /* CONFIG_INTERWORKING */ - #ifdef CONFIG_HS20 static int hs20_parse_conn_capab(struct hostapd_bss_config *bss, char *buf, @@ -2197,6 +2231,7 @@ static int add_airtime_weight(struct hostapd_bss_config *bss, char *value) *** 122364 LINES SKIPPED ***
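Review bot: In the new hostapd_config_read_rxkh_file() both failure branches log the whole rejected value, `wpa_printf(MSG_ERROR, "Line %d: Invalid r1kh '%s'", line, pos);` (and the r0kh twin), and if these lines use the same format as the r0kh/r1kh entries of hostapd.conf, that value carries the key hex, so a typo in the key file puts (most of) a key into the log at MSG_ERROR level; logging just the line number, `wpa_printf(MSG_ERROR, "Line %d: Invalid r1kh", line);`, is enough to locate the bad entry. For the same reason `buf` still holds the last key line after the loop; a `forced_memzero(buf, sizeof(buf));` before `fclose(f)` would keep that material from lingering on the stack. A line longer than sizeof(buf)-1 is also silently continued by fgets() into the next iteration, where the tail is reported as an "Invalid line" rather than as a truncated key, which is easy to misread when debugging. Since contrib/wpa is a vendor import, these belong upstream rather than as a local change.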