Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 03 Sep 2019 14:07:43 -0000
From:      Cy Schubert <cy@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r346591 - in head: contrib/wpa contrib/wpa/hostapd contrib/wpa/hs20/client contrib/wpa/src/ap contrib/wpa/src/common contrib/wpa/src/crypto contrib/wpa/src/drivers contrib/wpa/src/eap_c...
Message-ID:  <201904230352.x3N3qi4l074089@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: cy
Date: Tue Apr 23 03:52:43 2019
New Revision: 346591
URL: https://svnweb.freebsd.org/changeset/base/346591

Log:
  MFV r346563:
  
  Update wpa_supplicant/hostapd 2.7 --> 2.8
  
  Upstream documents the following advisories:
  
  - https://w1.fi/security/2019-1/sae-side-channel-attacks.txt
  - https://w1.fi/security/2019-2/eap-pwd-side-channel-attack.txt
  - https://w1.fi/security/2019-3/sae-confirm-missing-state-validation.txt
  - https://w1.fi/security/2019-4/eap-pwd-missing-commit-validation.txt
  - https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-\
    with-unexpected-fragment.txt
  
  Relnotes:	yes
  MFC after:	1 week (or less)
  Security:	CVE-2019-9494, VU#871675, CVE-2019-9495, CVE-2019-9496,
  		CVE-2019-9497, CVE-2019-9498, CVE-2019-9499

Added:
  head/contrib/wpa/hostapd/README-MULTI-AP
     - copied unchanged from r346563, vendor/wpa/dist/hostapd/README-MULTI-AP
  head/contrib/wpa/src/common/ocv.c
     - copied unchanged from r346563, vendor/wpa/dist/src/common/ocv.c
  head/contrib/wpa/src/common/ocv.h
     - copied unchanged from r346563, vendor/wpa/dist/src/common/ocv.h
  head/contrib/wpa/src/crypto/sha512.c
     - copied unchanged from r346563, vendor/wpa/dist/src/crypto/sha512.c
  head/contrib/wpa/src/utils/const_time.h
     - copied unchanged from r346563, vendor/wpa/dist/src/utils/const_time.h
  head/contrib/wpa/wpa_supplicant/README-DPP
     - copied unchanged from r346563, vendor/wpa/dist/wpa_supplicant/README-DPP
Deleted:
  head/contrib/wpa/wpa_supplicant/dbus/dbus_old.c
  head/contrib/wpa/wpa_supplicant/dbus/dbus_old.h
  head/contrib/wpa/wpa_supplicant/dbus/dbus_old_handlers.c
  head/contrib/wpa/wpa_supplicant/dbus/dbus_old_handlers.h
  head/contrib/wpa/wpa_supplicant/dbus/dbus_old_handlers_wps.c
  head/contrib/wpa/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in
  head/contrib/wpa/wpa_supplicant/examples/wpas-test.py
Modified:
  head/contrib/wpa/CONTRIBUTIONS
  head/contrib/wpa/COPYING
  head/contrib/wpa/README
  head/contrib/wpa/hostapd/ChangeLog
  head/contrib/wpa/hostapd/README
  head/contrib/wpa/hostapd/config_file.c
  head/contrib/wpa/hostapd/ctrl_iface.c
  head/contrib/wpa/hostapd/defconfig
  head/contrib/wpa/hostapd/hostapd.conf
  head/contrib/wpa/hostapd/hostapd.wpa_psk
  head/contrib/wpa/hostapd/hostapd_cli.c
  head/contrib/wpa/hostapd/main.c
  head/contrib/wpa/hostapd/wps-ap-nfc.py
  head/contrib/wpa/hs20/client/Makefile
  head/contrib/wpa/hs20/client/est.c
  head/contrib/wpa/hs20/client/osu_client.c
  head/contrib/wpa/src/ap/acs.c
  head/contrib/wpa/src/ap/ap_config.c
  head/contrib/wpa/src/ap/ap_config.h
  head/contrib/wpa/src/ap/ap_drv_ops.h
  head/contrib/wpa/src/ap/authsrv.c
  head/contrib/wpa/src/ap/beacon.c
  head/contrib/wpa/src/ap/ctrl_iface_ap.c
  head/contrib/wpa/src/ap/dfs.c
  head/contrib/wpa/src/ap/dhcp_snoop.c
  head/contrib/wpa/src/ap/dpp_hostapd.c
  head/contrib/wpa/src/ap/dpp_hostapd.h
  head/contrib/wpa/src/ap/drv_callbacks.c
  head/contrib/wpa/src/ap/eap_user_db.c
  head/contrib/wpa/src/ap/fils_hlp.c
  head/contrib/wpa/src/ap/hostapd.c
  head/contrib/wpa/src/ap/hostapd.h
  head/contrib/wpa/src/ap/hs20.c
  head/contrib/wpa/src/ap/hw_features.c
  head/contrib/wpa/src/ap/ieee802_11.c
  head/contrib/wpa/src/ap/ieee802_11.h
  head/contrib/wpa/src/ap/ieee802_11_auth.c
  head/contrib/wpa/src/ap/ieee802_11_he.c
  head/contrib/wpa/src/ap/ieee802_11_shared.c
  head/contrib/wpa/src/ap/ieee802_11_vht.c
  head/contrib/wpa/src/ap/ieee802_1x.c
  head/contrib/wpa/src/ap/neighbor_db.c
  head/contrib/wpa/src/ap/neighbor_db.h
  head/contrib/wpa/src/ap/rrm.c
  head/contrib/wpa/src/ap/sta_info.c
  head/contrib/wpa/src/ap/sta_info.h
  head/contrib/wpa/src/ap/vlan_full.c
  head/contrib/wpa/src/ap/vlan_init.c
  head/contrib/wpa/src/ap/wnm_ap.c
  head/contrib/wpa/src/ap/wpa_auth.c
  head/contrib/wpa/src/ap/wpa_auth.h
  head/contrib/wpa/src/ap/wpa_auth_ft.c
  head/contrib/wpa/src/ap/wpa_auth_glue.c
  head/contrib/wpa/src/ap/wpa_auth_i.h
  head/contrib/wpa/src/ap/wpa_auth_ie.c
  head/contrib/wpa/src/ap/wpa_auth_ie.h
  head/contrib/wpa/src/ap/wps_hostapd.c
  head/contrib/wpa/src/common/common_module_tests.c
  head/contrib/wpa/src/common/defs.h
  head/contrib/wpa/src/common/dpp.c
  head/contrib/wpa/src/common/dpp.h
  head/contrib/wpa/src/common/hw_features_common.c
  head/contrib/wpa/src/common/hw_features_common.h
  head/contrib/wpa/src/common/ieee802_11_common.c
  head/contrib/wpa/src/common/ieee802_11_common.h
  head/contrib/wpa/src/common/ieee802_11_defs.h
  head/contrib/wpa/src/common/qca-vendor.h
  head/contrib/wpa/src/common/sae.c
  head/contrib/wpa/src/common/sae.h
  head/contrib/wpa/src/common/version.h
  head/contrib/wpa/src/common/wpa_common.c
  head/contrib/wpa/src/common/wpa_common.h
  head/contrib/wpa/src/common/wpa_ctrl.c
  head/contrib/wpa/src/crypto/aes-internal-enc.c
  head/contrib/wpa/src/crypto/crypto.h
  head/contrib/wpa/src/crypto/crypto_gnutls.c
  head/contrib/wpa/src/crypto/crypto_internal-modexp.c
  head/contrib/wpa/src/crypto/crypto_internal.c
  head/contrib/wpa/src/crypto/crypto_libtomcrypt.c
  head/contrib/wpa/src/crypto/crypto_linux.c
  head/contrib/wpa/src/crypto/crypto_nettle.c
  head/contrib/wpa/src/crypto/crypto_openssl.c
  head/contrib/wpa/src/crypto/crypto_wolfssl.c
  head/contrib/wpa/src/crypto/dh_groups.c
  head/contrib/wpa/src/crypto/md4-internal.c
  head/contrib/wpa/src/crypto/random.c
  head/contrib/wpa/src/crypto/sha1-tlsprf.c
  head/contrib/wpa/src/crypto/sha512-internal.c
  head/contrib/wpa/src/crypto/tls.h
  head/contrib/wpa/src/crypto/tls_gnutls.c
  head/contrib/wpa/src/crypto/tls_internal.c
  head/contrib/wpa/src/crypto/tls_none.c
  head/contrib/wpa/src/crypto/tls_openssl.c
  head/contrib/wpa/src/crypto/tls_wolfssl.c
  head/contrib/wpa/src/drivers/driver.h
  head/contrib/wpa/src/drivers/driver_bsd.c
  head/contrib/wpa/src/drivers/driver_common.c
  head/contrib/wpa/src/drivers/driver_macsec_linux.c
  head/contrib/wpa/src/drivers/driver_nl80211.h
  head/contrib/wpa/src/drivers/driver_nl80211_capa.c
  head/contrib/wpa/src/drivers/driver_nl80211_event.c
  head/contrib/wpa/src/drivers/driver_nl80211_scan.c
  head/contrib/wpa/src/drivers/driver_openbsd.c
  head/contrib/wpa/src/eap_common/eap_eke_common.c
  head/contrib/wpa/src/eap_common/eap_pwd_common.c
  head/contrib/wpa/src/eap_common/eap_pwd_common.h
  head/contrib/wpa/src/eap_common/eap_sake_common.c
  head/contrib/wpa/src/eap_common/eap_sake_common.h
  head/contrib/wpa/src/eap_peer/eap_config.h
  head/contrib/wpa/src/eap_peer/eap_fast.c
  head/contrib/wpa/src/eap_peer/eap_mschapv2.c
  head/contrib/wpa/src/eap_peer/eap_peap.c
  head/contrib/wpa/src/eap_peer/eap_pwd.c
  head/contrib/wpa/src/eap_peer/eap_sake.c
  head/contrib/wpa/src/eap_peer/eap_tls.c
  head/contrib/wpa/src/eap_peer/eap_tls_common.c
  head/contrib/wpa/src/eap_peer/eap_tls_common.h
  head/contrib/wpa/src/eap_peer/eap_ttls.c
  head/contrib/wpa/src/eap_peer/eap_wsc.c
  head/contrib/wpa/src/eap_server/eap.h
  head/contrib/wpa/src/eap_server/eap_i.h
  head/contrib/wpa/src/eap_server/eap_server.c
  head/contrib/wpa/src/eap_server/eap_server_aka.c
  head/contrib/wpa/src/eap_server/eap_server_gpsk.c
  head/contrib/wpa/src/eap_server/eap_server_mschapv2.c
  head/contrib/wpa/src/eap_server/eap_server_pax.c
  head/contrib/wpa/src/eap_server/eap_server_peap.c
  head/contrib/wpa/src/eap_server/eap_server_pwd.c
  head/contrib/wpa/src/eap_server/eap_server_sake.c
  head/contrib/wpa/src/eap_server/eap_server_sim.c
  head/contrib/wpa/src/eap_server/eap_server_tls.c
  head/contrib/wpa/src/eap_server/eap_server_tls_common.c
  head/contrib/wpa/src/eap_server/eap_server_ttls.c
  head/contrib/wpa/src/eap_server/eap_tls_common.h
  head/contrib/wpa/src/eapol_supp/eapol_supp_sm.c
  head/contrib/wpa/src/fst/fst.h
  head/contrib/wpa/src/p2p/p2p.c
  head/contrib/wpa/src/p2p/p2p.h
  head/contrib/wpa/src/p2p/p2p_build.c
  head/contrib/wpa/src/p2p/p2p_group.c
  head/contrib/wpa/src/p2p/p2p_i.h
  head/contrib/wpa/src/p2p/p2p_invitation.c
  head/contrib/wpa/src/p2p/p2p_utils.c
  head/contrib/wpa/src/pae/ieee802_1x_cp.c
  head/contrib/wpa/src/pae/ieee802_1x_cp.h
  head/contrib/wpa/src/pae/ieee802_1x_kay.c
  head/contrib/wpa/src/pae/ieee802_1x_kay.h
  head/contrib/wpa/src/pae/ieee802_1x_kay_i.h
  head/contrib/wpa/src/pae/ieee802_1x_key.c
  head/contrib/wpa/src/pae/ieee802_1x_key.h
  head/contrib/wpa/src/pae/ieee802_1x_secy_ops.c
  head/contrib/wpa/src/pae/ieee802_1x_secy_ops.h
  head/contrib/wpa/src/radius/radius_client.c
  head/contrib/wpa/src/radius/radius_server.c
  head/contrib/wpa/src/radius/radius_server.h
  head/contrib/wpa/src/rsn_supp/pmksa_cache.c
  head/contrib/wpa/src/rsn_supp/tdls.c
  head/contrib/wpa/src/rsn_supp/wpa.c
  head/contrib/wpa/src/rsn_supp/wpa.h
  head/contrib/wpa/src/rsn_supp/wpa_ft.c
  head/contrib/wpa/src/rsn_supp/wpa_i.h
  head/contrib/wpa/src/rsn_supp/wpa_ie.c
  head/contrib/wpa/src/rsn_supp/wpa_ie.h
  head/contrib/wpa/src/tls/asn1.c
  head/contrib/wpa/src/tls/bignum.c
  head/contrib/wpa/src/tls/tlsv1_client.c
  head/contrib/wpa/src/tls/tlsv1_client.h
  head/contrib/wpa/src/tls/tlsv1_client_read.c
  head/contrib/wpa/src/tls/tlsv1_client_write.c
  head/contrib/wpa/src/tls/tlsv1_server.c
  head/contrib/wpa/src/tls/tlsv1_server.h
  head/contrib/wpa/src/tls/tlsv1_server_i.h
  head/contrib/wpa/src/tls/tlsv1_server_read.c
  head/contrib/wpa/src/tls/tlsv1_server_write.c
  head/contrib/wpa/src/tls/x509v3.c
  head/contrib/wpa/src/utils/base64.c
  head/contrib/wpa/src/utils/browser.c
  head/contrib/wpa/src/utils/common.c
  head/contrib/wpa/src/utils/common.h
  head/contrib/wpa/src/utils/eloop.c
  head/contrib/wpa/src/utils/http_curl.c
  head/contrib/wpa/src/utils/json.c
  head/contrib/wpa/src/utils/list.h
  head/contrib/wpa/src/utils/os_internal.c
  head/contrib/wpa/src/utils/os_none.c
  head/contrib/wpa/src/utils/os_unix.c
  head/contrib/wpa/src/utils/utils_module_tests.c
  head/contrib/wpa/src/utils/wpa_debug.c
  head/contrib/wpa/src/wps/wps.c
  head/contrib/wpa/src/wps/wps.h
  head/contrib/wpa/src/wps/wps_attr_build.c
  head/contrib/wpa/src/wps/wps_attr_parse.c
  head/contrib/wpa/src/wps/wps_attr_parse.h
  head/contrib/wpa/src/wps/wps_common.c
  head/contrib/wpa/src/wps/wps_defs.h
  head/contrib/wpa/src/wps/wps_dev_attr.c
  head/contrib/wpa/src/wps/wps_dev_attr.h
  head/contrib/wpa/src/wps/wps_enrollee.c
  head/contrib/wpa/src/wps/wps_er.c
  head/contrib/wpa/src/wps/wps_i.h
  head/contrib/wpa/src/wps/wps_registrar.c
  head/contrib/wpa/src/wps/wps_upnp.c
  head/contrib/wpa/src/wps/wps_validate.c
  head/contrib/wpa/wpa_supplicant/Android.mk
  head/contrib/wpa/wpa_supplicant/ChangeLog
  head/contrib/wpa/wpa_supplicant/README
  head/contrib/wpa/wpa_supplicant/README-P2P
  head/contrib/wpa/wpa_supplicant/android.config
  head/contrib/wpa/wpa_supplicant/ap.c
  head/contrib/wpa/wpa_supplicant/bss.c
  head/contrib/wpa/wpa_supplicant/bss.h
  head/contrib/wpa/wpa_supplicant/config.c
  head/contrib/wpa/wpa_supplicant/config.h
  head/contrib/wpa/wpa_supplicant/config_file.c
  head/contrib/wpa/wpa_supplicant/config_ssid.h
  head/contrib/wpa/wpa_supplicant/ctrl_iface.c
  head/contrib/wpa/wpa_supplicant/ctrl_iface_unix.c
  head/contrib/wpa/wpa_supplicant/dbus/Makefile
  head/contrib/wpa/wpa_supplicant/dbus/dbus-wpa_supplicant.conf
  head/contrib/wpa/wpa_supplicant/dbus/dbus_common.c
  head/contrib/wpa/wpa_supplicant/dbus/dbus_new.c
  head/contrib/wpa/wpa_supplicant/dbus/dbus_new.h
  head/contrib/wpa/wpa_supplicant/dbus/dbus_new_handlers.c
  head/contrib/wpa/wpa_supplicant/dbus/dbus_new_handlers.h
  head/contrib/wpa/wpa_supplicant/dbus/dbus_new_handlers_p2p.c
  head/contrib/wpa/wpa_supplicant/dbus/dbus_new_handlers_p2p.h
  head/contrib/wpa/wpa_supplicant/dbus/dbus_new_handlers_wps.c
  head/contrib/wpa/wpa_supplicant/defconfig
  head/contrib/wpa/wpa_supplicant/dpp_supplicant.c
  head/contrib/wpa/wpa_supplicant/dpp_supplicant.h
  head/contrib/wpa/wpa_supplicant/driver_i.h
  head/contrib/wpa/wpa_supplicant/eapol_test.c
  head/contrib/wpa/wpa_supplicant/eapol_test.py
  head/contrib/wpa/wpa_supplicant/events.c
  head/contrib/wpa/wpa_supplicant/examples/dbus-listen-preq.py
  head/contrib/wpa/wpa_supplicant/examples/dpp-qrcode.py
  head/contrib/wpa/wpa_supplicant/examples/p2p-nfc.py
  head/contrib/wpa/wpa_supplicant/examples/p2p/p2p_connect.py
  head/contrib/wpa/wpa_supplicant/examples/p2p/p2p_disconnect.py
  head/contrib/wpa/wpa_supplicant/examples/p2p/p2p_find.py
  head/contrib/wpa/wpa_supplicant/examples/p2p/p2p_flush.py
  head/contrib/wpa/wpa_supplicant/examples/p2p/p2p_group_add.py
  head/contrib/wpa/wpa_supplicant/examples/p2p/p2p_invite.py
  head/contrib/wpa/wpa_supplicant/examples/p2p/p2p_listen.py
  head/contrib/wpa/wpa_supplicant/examples/p2p/p2p_stop_find.py
  head/contrib/wpa/wpa_supplicant/examples/wpas-dbus-new-getall.py
  head/contrib/wpa/wpa_supplicant/examples/wpas-dbus-new-signals.py
  head/contrib/wpa/wpa_supplicant/examples/wpas-dbus-new-wps.py
  head/contrib/wpa/wpa_supplicant/examples/wpas-dbus-new.py
  head/contrib/wpa/wpa_supplicant/examples/wps-nfc.py
  head/contrib/wpa/wpa_supplicant/gas_query.c
  head/contrib/wpa/wpa_supplicant/gas_query.h
  head/contrib/wpa/wpa_supplicant/hs20_supplicant.c
  head/contrib/wpa/wpa_supplicant/hs20_supplicant.h
  head/contrib/wpa/wpa_supplicant/ibss_rsn.c
  head/contrib/wpa/wpa_supplicant/interworking.c
  head/contrib/wpa/wpa_supplicant/main.c
  head/contrib/wpa/wpa_supplicant/mbo.c
  head/contrib/wpa/wpa_supplicant/mesh.c
  head/contrib/wpa/wpa_supplicant/mesh_mpm.c
  head/contrib/wpa/wpa_supplicant/mesh_rsn.c
  head/contrib/wpa/wpa_supplicant/notify.c
  head/contrib/wpa/wpa_supplicant/notify.h
  head/contrib/wpa/wpa_supplicant/op_classes.c
  head/contrib/wpa/wpa_supplicant/p2p_supplicant.c
  head/contrib/wpa/wpa_supplicant/p2p_supplicant.h
  head/contrib/wpa/wpa_supplicant/rrm.c
  head/contrib/wpa/wpa_supplicant/scan.c
  head/contrib/wpa/wpa_supplicant/sme.c
  head/contrib/wpa/wpa_supplicant/sme.h
  head/contrib/wpa/wpa_supplicant/systemd/wpa_supplicant.service.in
  head/contrib/wpa/wpa_supplicant/utils/log2pcap.py
  head/contrib/wpa/wpa_supplicant/wmm_ac.c
  head/contrib/wpa/wpa_supplicant/wnm_sta.c
  head/contrib/wpa/wpa_supplicant/wpa_cli.c
  head/contrib/wpa/wpa_supplicant/wpa_supplicant.c
  head/contrib/wpa/wpa_supplicant/wpa_supplicant.conf
  head/contrib/wpa/wpa_supplicant/wpa_supplicant_i.h
  head/contrib/wpa/wpa_supplicant/wpas_glue.c
  head/contrib/wpa/wpa_supplicant/wpas_kay.c
  head/contrib/wpa/wpa_supplicant/wps_supplicant.c
  head/contrib/wpa/wpa_supplicant/wps_supplicant.h
  head/usr.sbin/wpa/Makefile.crypto
Directory Properties:
  head/contrib/wpa/   (props changed)

Modified: head/contrib/wpa/CONTRIBUTIONS
==============================================================================
--- head/contrib/wpa/CONTRIBUTIONS	Tue Apr 23 03:19:03 2019	(r346590)
+++ head/contrib/wpa/CONTRIBUTIONS	Tue Apr 23 03:52:43 2019	(r346591)
@@ -140,7 +140,7 @@ The license terms used for hostap.git files
 
 Modified BSD license (no advertisement clause):
 
-Copyright (c) 2002-2018, Jouni Malinen <j@w1.fi> and contributors
+Copyright (c) 2002-2019, Jouni Malinen <j@w1.fi> and contributors
 All Rights Reserved.
 
 Redistribution and use in source and binary forms, with or without

Modified: head/contrib/wpa/COPYING
==============================================================================
--- head/contrib/wpa/COPYING	Tue Apr 23 03:19:03 2019	(r346590)
+++ head/contrib/wpa/COPYING	Tue Apr 23 03:52:43 2019	(r346591)
@@ -1,7 +1,7 @@
 wpa_supplicant and hostapd
 --------------------------
 
-Copyright (c) 2002-2018, Jouni Malinen <j@w1.fi> and contributors
+Copyright (c) 2002-2019, Jouni Malinen <j@w1.fi> and contributors
 All Rights Reserved.
 
 

Modified: head/contrib/wpa/README
==============================================================================
--- head/contrib/wpa/README	Tue Apr 23 03:19:03 2019	(r346590)
+++ head/contrib/wpa/README	Tue Apr 23 03:52:43 2019	(r346591)
@@ -1,7 +1,7 @@
 wpa_supplicant and hostapd
 --------------------------
 
-Copyright (c) 2002-2018, Jouni Malinen <j@w1.fi> and contributors
+Copyright (c) 2002-2019, Jouni Malinen <j@w1.fi> and contributors
 All Rights Reserved.
 
 These programs are licensed under the BSD license (the one with

Modified: head/contrib/wpa/hostapd/ChangeLog
==============================================================================
--- head/contrib/wpa/hostapd/ChangeLog	Tue Apr 23 03:19:03 2019	(r346590)
+++ head/contrib/wpa/hostapd/ChangeLog	Tue Apr 23 03:52:43 2019	(r346591)
@@ -1,5 +1,60 @@
 ChangeLog for hostapd
 
+2019-04-21 - v2.8
+	* SAE changes
+	  - added support for SAE Password Identifier
+	  - changed default configuration to enable only group 19
+	    (i.e., disable groups 20, 21, 25, 26 from default configuration) and
+	    disable all unsuitable groups completely based on REVmd changes
+	  - improved anti-clogging token mechanism and SAE authentication
+	    frame processing during heavy CPU load; this mitigates some issues
+	    with potential DoS attacks trying to flood an AP with large number
+	    of SAE messages
+	  - added Finite Cyclic Group field in status code 77 responses
+	  - reject use of unsuitable groups based on new implementation guidance
+	    in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
+	    groups with prime >= 256)
+	  - minimize timing and memory use differences in PWE derivation
+	    [https://w1.fi/security/2019-1/] (CVE-2019-9494)
+	  - fixed confirm message validation in error cases
+	    [https://w1.fi/security/2019-3/] (CVE-2019-9496)
+	* EAP-pwd changes
+	  - minimize timing and memory use differences in PWE derivation
+	    [https://w1.fi/security/2019-2/] (CVE-2019-9495)
+	  - verify peer scalar/element
+	    [https://w1.fi/security/2019-4/] (CVE-2019-9497 and CVE-2019-9498)
+	  - fix message reassembly issue with unexpected fragment
+	    [https://w1.fi/security/2019-5/]
+	  - enforce rand,mask generation rules more strictly
+	  - fix a memory leak in PWE derivation
+	  - disallow ECC groups with a prime under 256 bits (groups 25, 26, and
+	    27)
+	* Hotspot 2.0 changes
+	  - added support for release number 3
+	  - reject release 2 or newer association without PMF
+	* added support for RSN operating channel validation
+	  (CONFIG_OCV=y and configuration parameter ocv=1)
+	* added Multi-AP protocol support
+	* added FTM responder configuration
+	* fixed build with LibreSSL
+	* added FT/RRB workaround for short Ethernet frame padding
+	* fixed KEK2 derivation for FILS+FT
+	* added RSSI-based association rejection from OCE
+	* extended beacon reporting functionality
+	* VLAN changes
+	  - allow local VLAN management with remote RADIUS authentication
+	  - add WPA/WPA2 passphrase/PSK -based VLAN assignment
+	* OpenSSL: allow systemwide policies to be overridden
+	* extended PEAP to derive EMSK to enable use with ERP/FILS
+	* extended WPS to allow SAE configuration to be added automatically
+	  for PSK (wps_cred_add_sae=1)
+	* fixed FT and SA Query Action frame with AP-MLME-in-driver cases
+	* OWE: allow Diffie-Hellman Parameter element to be included with DPP
+	  in preparation for DPP protocol extension
+	* RADIUS server: started to accept ERP keyName-NAI as user identity
+	  automatically without matching EAP database entry
+	* fixed PTK rekeying with FILS and FT
+
 2018-12-02 - v2.7
 	* fixed WPA packet number reuse with replayed messages and key
 	  reinstallation

Modified: head/contrib/wpa/hostapd/README
==============================================================================
--- head/contrib/wpa/hostapd/README	Tue Apr 23 03:19:03 2019	(r346590)
+++ head/contrib/wpa/hostapd/README	Tue Apr 23 03:52:43 2019	(r346591)
@@ -2,7 +2,7 @@ hostapd - user space IEEE 802.11 AP and IEEE 802.1X/WP
 	  Authenticator and RADIUS authentication server
 ================================================================
 
-Copyright (c) 2002-2018, Jouni Malinen <j@w1.fi> and contributors
+Copyright (c) 2002-2019, Jouni Malinen <j@w1.fi> and contributors
 All Rights Reserved.
 
 This program is licensed under the BSD license (the one with

Copied: head/contrib/wpa/hostapd/README-MULTI-AP (from r346563, vendor/wpa/dist/hostapd/README-MULTI-AP)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/contrib/wpa/hostapd/README-MULTI-AP	Tue Apr 23 03:52:43 2019	(r346591, copy of r346563, vendor/wpa/dist/hostapd/README-MULTI-AP)
@@ -0,0 +1,160 @@
+hostapd, wpa_supplicant and the Multi-AP Specification
+======================================================
+
+This document describes how hostapd and wpa_supplicant can be configured to
+support the Multi-AP Specification.
+
+Introduction to Multi-AP
+------------------------
+
+The Wi-Fi Alliance Multi-AP Specification is the technical specification for
+Wi-Fi CERTIFIED EasyMesh(TM) [1], the Wi-Fi AllianceĀ® certification program for
+Multi-AP. It defines control protocols between Wi-FiĀ® access points (APs) to
+join them into a network with centralized control and operation. It is targeted
+only at routers (repeaters, gateways, ...), not at clients. Clients are not
+involved at all in the protocols.
+
+Most of the Multi-AP specification falls outside of the scope of
+hostapd/wpa_supplicant. hostapd/wpa_supplicant is only involved for the items
+summarized below. The rest of the protocol must be implemented by a separate
+daemon, e.g., prplMesh [2]. That daemon also needs to communicate with hostapd,
+e.g., to get a list of associated clients, but this can be done using the normal
+hostapd interfaces.
+
+hostapd/wpa_supplicant needs to be configured specifically to support:
+- the WPS onboarding process;
+- configuring backhaul links.
+
+The text below refers to "Multi-AP Specification v1.0" [3].
+
+
+Fronthaul and backhaul links
+----------------------------
+
+In a Multi-AP network, the central controller can configure the BSSs on the
+devices that are joined into the network. These are called fronthaul BSSs.
+From the point of view of hostapd, there is nothing special about these
+fronthaul BSSs.
+
+In addition to fronthaul BSSs, the controller can also configure backhaul
+links. A backhaul link is a link between two access point devices, giving
+internet access to access point devices that don't have a wired link. The
+Multi-AP specification doesn't dictate this, but typically the backhaul link
+will be bridged into a LAN together with (one of) the fronthaul BSS(s) and the
+wired Ethernet ports.
+
+A backhaul link must be treated specially by hostapd and wpa_supplicant. One
+side of the backhaul link is configured through the Multi-AP protocol as the
+"backhaul STA", i.e., the client side of the link. A backhaul STA is like any
+station and is handled appropriately by wpa_supplicant, but two additional
+features are required. It must send an additional information element in each
+(Re)Association Request frame ([3], section 5.2, paragraph 4). In addition, it
+must use 4-address mode for all frames sent over this link ([3], section 14).
+Therefore, wpa_supplicant must be configured explicitly as the backhaul STA
+role, by setting 'multi_ap_backhaul_sta=1' in the network configuration block
+or when configuring the network profile through the control interface. When
+'multi_ap_backhaul_sta=1', wpa_supplicant includes the Multi-AP IE in
+(Re)Association Request frame and verifies that it is included in the
+(Re)Association Response frame. If it is not, association fails. If it is,
+wpa_supplicant sets 4-address mode for this interface through a driver
+callback.
+
+The AP side of the backhaul link is called a "backhaul BSS". Such a BSS must
+be handled specially by hostapd, because it must add an additional information
+element in each (Re)Association Response frame, but only to stations that have
+identified themselves as backhaul stations ([3], section 5.2, paragraph 5-6).
+This is important because it is possible to use the same BSS and SSID for
+fronthaul and backhaul at the same time. The additional information element must
+only be used for frames sent to a backhaul STA, not to a normal STA. Also,
+frames sent to a backhaul STA must use 4-address mode, while frames sent to a
+normal STA (fronthaul, when it's a fronthaul and backhaul BSS) must use
+3-address mode.
+
+A BSS is configured in Multi-AP mode in hostapd by setting the 'multi_ap'
+configuration option to 1 (backhaul BSS), 2 (fronthaul BSS), or 3
+(simultaneous backhaul and fronthaul BSS). If this option is set, hostapd
+parses the Multi-AP information element in the Association Request frame. If the
+station is a backhaul STA and the BSS is configured as a backhaul BSS,
+hostapd sets up 4-address mode. Since there may be multiple stations connected
+simultaneously, and each of them has a different RA (receiver address), a VLAN
+is created for each backhaul STA and it is automatically added to a bridge.
+This is the same behavior as for WDS, and the relevant option ('bridge' or
+'wds_bridge') applies here as well.
+
+If 'multi_ap' is 1 (backhaul BSS only), any station that tries to associate
+without the Multi-AP information element will be denied.
+
+If 'multi_ap' is 2 (fronthaul BSS only), any station that tries to associate
+with the Multi-AP information element will be denied. That is also the only
+difference with 'multi_ap' set to 0: in the latter case, the Multi-AP
+information element is simply ignored.
+
+In summary, this is the end-to-end behavior for a backhaul BSS (i.e.,
+multi_ap_backhaul_sta=1 in wpa_supplicant on STA, and multi_ap=1 or 3 in
+hostapd on AP). Note that point 1 means that hostapd must not be configured
+with WPS support on the backhaul BSS (multi_ap=1). hostapd does not check for
+that.
+
+1. Backhaul BSS beacons do not advertise WPS support (other than that, nothing
+   Multi-AP specific).
+2. STA sends Authentication frame (nothing Multi-AP specific).
+3. AP sends Authentication frame (nothing Multi-AP specific).
+4. STA sends Association Request frame with Multi-AP IE.
+5. AP sends Association Response frame with Multi-AP IE.
+6. STA and AP both use 4-address mode for Data frames.
+
+
+WPS support
+-----------
+
+WPS requires more special handling. WPS must only be advertised on fronthaul
+BSSs, not on backhaul BSSs, so WPS should not be enabled on a backhaul-only
+BSS in hostapd.conf. The WPS configuration purely works on the fronthaul BSS.
+When a WPS M1 message has an additional subelement that indicates a request for
+a Multi-AP backhaul link, hostapd must not respond with the normal fronthaul
+BSS credentials; instead, it should respond with the (potentially different)
+backhaul BSS credentials.
+
+To support this, hostapd has the 'multi_ap_backhaul_ssid',
+'multi_ap_backhaul_wpa_psk' and 'multi_ap_backhaul_wpa_passphrase' options.
+When these are set on an BSS with WPS, they are used instead of the normal
+credentials when hostapd receives a WPS M1 message with the Multi-AP IE. Only
+WPA2-Personal is supported in the Multi-AP specification, so there is no need
+to specify authentication or encryption options. For the backhaul credentials,
+per-device PSK is not supported.
+
+If the BSS is a simultaneous backhaul and fronthaul BSS, there is no need to
+specify the backhaul credentials, since the backhaul and fronthaul credentials
+are identical.
+
+To enable the Multi-AP backhaul STA feature when it performs WPS, a new
+parameter has been introduced to the WPS_PBC control interface call. When this
+"multi_ap=1" option is set, it adds the Multi-AP backhaul subelement to the
+Association Request frame and the M1 message. It then configures the new network
+profile with 'multi_ap_backhaul_sta=1'. Note that this means that if the AP does
+not follow the Multi-AP specification, wpa_supplicant will fail to associate.
+
+In summary, this is the end-to-end behavior for WPS of a backhaul link (i.e.,
+multi_ap=1 option is given in the wps_pbc call on the STA side, and multi_ap=2
+and multi_ap_backhaul_ssid and either multi_ap_backhaul_wpa_psk or
+multi_ap_backhaul_wpa_passphrase are set to the credentials of a backhaul BSS
+in hostapd on Registrar AP).
+
+1. Fronthaul BSS Beacon frames advertise WPS support (nothing Multi-AP
+   specific).
+2. Enrollee sends Authentication frame (nothing Multi-AP specific).
+3. AP sends Authentication frame (nothing Multi-AP specific).
+4. Enrollee sends Association Request frame with Multi-AP IE.
+5. AP sends Association Response frame with Multi-AP IE.
+6. Enrollee sends M1 with additional Multi-AP subelement.
+7. AP sends M8 with backhaul instead of fronthaul credentials.
+8. Enrollee sends Deauthentication frame.
+
+
+References
+----------
+
+[1] https://www.wi-fi.org/discover-wi-fi/wi-fi-easymesh
+[2] https://github.com/prplfoundation/prplMesh
+[3] https://www.wi-fi.org/file/multi-ap-specification-v10
+    (requires registration)

Modified: head/contrib/wpa/hostapd/config_file.c
==============================================================================
--- head/contrib/wpa/hostapd/config_file.c	Tue Apr 23 03:19:03 2019	(r346590)
+++ head/contrib/wpa/hostapd/config_file.c	Tue Apr 23 03:52:43 2019	(r346591)
@@ -37,7 +37,7 @@ static int hostapd_config_read_vlan_file(struct hostap
 					 const char *fname)
 {
 	FILE *f;
-	char buf[128], *pos, *pos2;
+	char buf[128], *pos, *pos2, *pos3;
 	int line = 0, vlan_id;
 	struct hostapd_vlan *vlan;
 
@@ -82,7 +82,10 @@ static int hostapd_config_read_vlan_file(struct hostap
 		pos2 = pos;
 		while (*pos2 != ' ' && *pos2 != '\t' && *pos2 != '\0')
 			pos2++;
-		*pos2 = '\0';
+
+		if (*pos2 != '\0')
+			*(pos2++) = '\0';
+
 		if (*pos == '\0' || os_strlen(pos) > IFNAMSIZ) {
 			wpa_printf(MSG_ERROR, "Invalid VLAN ifname at line %d "
 				   "in '%s'", line, fname);
@@ -90,6 +93,13 @@ static int hostapd_config_read_vlan_file(struct hostap
 			return -1;
 		}
 
+		while (*pos2 == ' ' || *pos2 == '\t')
+			pos2++;
+		pos3 = pos2;
+		while (*pos3 != ' ' && *pos3 != '\t' && *pos3 != '\0')
+			pos3++;
+		*pos3 = '\0';
+
 		vlan = os_zalloc(sizeof(*vlan));
 		if (vlan == NULL) {
 			wpa_printf(MSG_ERROR, "Out of memory while reading "
@@ -102,6 +112,7 @@ static int hostapd_config_read_vlan_file(struct hostap
 		vlan->vlan_desc.untagged = vlan_id;
 		vlan->vlan_desc.notempty = !!vlan_id;
 		os_strlcpy(vlan->ifname, pos, sizeof(vlan->ifname));
+		os_strlcpy(vlan->bridge, pos2, sizeof(vlan->bridge));
 		vlan->next = bss->vlan;
 		bss->vlan = vlan;
 	}
@@ -1368,6 +1379,30 @@ static int hostapd_config_vht_capab(struct hostapd_con
 #endif /* CONFIG_IEEE80211AC */
 
 
+#ifdef CONFIG_IEEE80211AX
+
+static u8 find_bit_offset(u8 val)
+{
+	u8 res = 0;
+
+	for (; val; val >>= 1) {
+		if (val & 1)
+			break;
+		res++;
+	}
+
+	return res;
+}
+
+
+static u8 set_he_cap(int val, u8 mask)
+{
+	return (u8) (mask & (val << find_bit_offset(mask)));
+}
+
+#endif /* CONFIG_IEEE80211AX */
+
+
 #ifdef CONFIG_INTERWORKING
 static int parse_roaming_consortium(struct hostapd_bss_config *bss, char *pos,
 				    int line)
@@ -2254,10 +2289,16 @@ static unsigned int parse_tls_flags(const char *val)
 		flags |= TLS_CONN_DISABLE_TIME_CHECKS;
 	if (os_strstr(val, "[DISABLE-TLSv1.0]"))
 		flags |= TLS_CONN_DISABLE_TLSv1_0;
+	if (os_strstr(val, "[ENABLE-TLSv1.0]"))
+		flags |= TLS_CONN_ENABLE_TLSv1_0;
 	if (os_strstr(val, "[DISABLE-TLSv1.1]"))
 		flags |= TLS_CONN_DISABLE_TLSv1_1;
+	if (os_strstr(val, "[ENABLE-TLSv1.1]"))
+		flags |= TLS_CONN_ENABLE_TLSv1_1;
 	if (os_strstr(val, "[DISABLE-TLSv1.2]"))
 		flags |= TLS_CONN_DISABLE_TLSv1_2;
+	if (os_strstr(val, "[ENABLE-TLSv1.2]"))
+		flags |= TLS_CONN_ENABLE_TLSv1_2;
 	if (os_strstr(val, "[DISABLE-TLSv1.3]"))
 		flags |= TLS_CONN_DISABLE_TLSv1_3;
 	if (os_strstr(val, "[ENABLE-TLSv1.3]"))
@@ -2292,6 +2333,14 @@ static int parse_sae_password(struct hostapd_bss_confi
 		pos = pos2 + ETH_ALEN * 3 - 1;
 	}
 
+	pos2 = os_strstr(pos, "|vlanid=");
+	if (pos2) {
+		if (!end)
+			end = pos2;
+		pos2 += 8;
+		pw->vlan_id = atoi(pos2);
+	}
+
 	pos2 = os_strstr(pos, "|id=");
 	if (pos2) {
 		if (!end)
@@ -2476,8 +2525,22 @@ static int hostapd_config_fill(struct hostapd_config *
 	} else if (os_strcmp(buf, "private_key_passwd") == 0) {
 		os_free(bss->private_key_passwd);
 		bss->private_key_passwd = os_strdup(pos);
+	} else if (os_strcmp(buf, "check_cert_subject") == 0) {
+		if (!pos[0]) {
+			wpa_printf(MSG_ERROR, "Line %d: unknown check_cert_subject '%s'",
+				   line, pos);
+			return 1;
+		}
+		os_free(bss->check_cert_subject);
+		bss->check_cert_subject = os_strdup(pos);
+		if (!bss->check_cert_subject)
+			return 1;
 	} else if (os_strcmp(buf, "check_crl") == 0) {
 		bss->check_crl = atoi(pos);
+	} else if (os_strcmp(buf, "check_crl_strict") == 0) {
+		bss->check_crl_strict = atoi(pos);
+	} else if (os_strcmp(buf, "crl_reload_interval") == 0) {
+		bss->crl_reload_interval = atoi(pos);
 	} else if (os_strcmp(buf, "tls_session_lifetime") == 0) {
 		bss->tls_session_lifetime = atoi(pos);
 	} else if (os_strcmp(buf, "tls_flags") == 0) {
@@ -2494,6 +2557,9 @@ static int hostapd_config_fill(struct hostapd_config *
 	} else if (os_strcmp(buf, "openssl_ciphers") == 0) {
 		os_free(bss->openssl_ciphers);
 		bss->openssl_ciphers = os_strdup(pos);
+	} else if (os_strcmp(buf, "openssl_ecdh_curves") == 0) {
+		os_free(bss->openssl_ecdh_curves);
+		bss->openssl_ecdh_curves = os_strdup(pos);
 	} else if (os_strcmp(buf, "fragment_size") == 0) {
 		bss->fragment_size = atoi(pos);
 #ifdef EAP_SERVER_FAST
@@ -3070,9 +3136,10 @@ static int hostapd_config_fill(struct hostapd_config *
 		 * cause problems with the current implementation.
 		 * Since it is unlikely that this small numbers are
 		 * useful in real life scenarios, do not allow beacon
-		 * period to be set below 15 TU. */
-		if (val < 15 || val > 65535) {
-			wpa_printf(MSG_ERROR, "Line %d: invalid beacon_int %d (expected 15..65535)",
+		 * period to be set below 10 TU. */
+		if (val < 10 || val > 65535) {
+			wpa_printf(MSG_ERROR,
+				   "Line %d: invalid beacon_int %d (expected 10..65535)",
 				   line, val);
 			return 1;
 		}
@@ -3148,7 +3215,7 @@ static int hostapd_config_fill(struct hostapd_config *
 				   line, val);
 			return 1;
 		}
-		conf->send_probe_response = val;
+		bss->send_probe_response = val;
 	} else if (os_strcmp(buf, "supported_rates") == 0) {
 		if (hostapd_parse_intlist(&conf->supported_rates, pos)) {
 			wpa_printf(MSG_ERROR, "Line %d: invalid rate list",
@@ -3316,6 +3383,12 @@ static int hostapd_config_fill(struct hostapd_config *
 			return 1;
 		}
 #endif /* CONFIG_IEEE80211W */
+#ifdef CONFIG_OCV
+	} else if (os_strcmp(buf, "ocv") == 0) {
+		bss->ocv = atoi(pos);
+		if (bss->ocv && !bss->ieee80211w)
+			bss->ieee80211w = 1;
+#endif /* CONFIG_OCV */
 #ifdef CONFIG_IEEE80211N
 	} else if (os_strcmp(buf, "ieee80211n") == 0) {
 		conf->ieee80211n = atoi(pos);
@@ -3369,6 +3442,90 @@ static int hostapd_config_fill(struct hostapd_config *
 		conf->he_op.he_twt_required = atoi(pos);
 	} else if (os_strcmp(buf, "he_rts_threshold") == 0) {
 		conf->he_op.he_rts_threshold = atoi(pos);
+	} else if (os_strcmp(buf, "he_mu_edca_qos_info_param_count") == 0) {
+		conf->he_mu_edca.he_qos_info |=
+			set_he_cap(atoi(pos), HE_QOS_INFO_EDCA_PARAM_SET_COUNT);
+	} else if (os_strcmp(buf, "he_mu_edca_qos_info_q_ack") == 0) {
+		conf->he_mu_edca.he_qos_info |=
+			set_he_cap(atoi(pos), HE_QOS_INFO_Q_ACK);
+	} else if (os_strcmp(buf, "he_mu_edca_qos_info_queue_request") == 0) {
+		conf->he_mu_edca.he_qos_info |=
+			set_he_cap(atoi(pos), HE_QOS_INFO_QUEUE_REQUEST);
+	} else if (os_strcmp(buf, "he_mu_edca_qos_info_txop_request") == 0) {
+		conf->he_mu_edca.he_qos_info |=
+			set_he_cap(atoi(pos), HE_QOS_INFO_TXOP_REQUEST);
+	} else if (os_strcmp(buf, "he_mu_edca_ac_be_aifsn") == 0) {
+		conf->he_mu_edca.he_mu_ac_be_param[HE_MU_AC_PARAM_ACI_IDX] |=
+			set_he_cap(atoi(pos), HE_MU_AC_PARAM_AIFSN);
+	} else if (os_strcmp(buf, "he_mu_edca_ac_be_acm") == 0) {
+		conf->he_mu_edca.he_mu_ac_be_param[HE_MU_AC_PARAM_ACI_IDX] |=
+			set_he_cap(atoi(pos), HE_MU_AC_PARAM_ACM);
+	} else if (os_strcmp(buf, "he_mu_edca_ac_be_aci") == 0) {
+		conf->he_mu_edca.he_mu_ac_be_param[HE_MU_AC_PARAM_ACI_IDX] |=
+			set_he_cap(atoi(pos), HE_MU_AC_PARAM_ACI);
+	} else if (os_strcmp(buf, "he_mu_edca_ac_be_ecwmin") == 0) {
+		conf->he_mu_edca.he_mu_ac_be_param[HE_MU_AC_PARAM_ECW_IDX] |=
+			set_he_cap(atoi(pos), HE_MU_AC_PARAM_ECWMIN);
+	} else if (os_strcmp(buf, "he_mu_edca_ac_be_ecwmax") == 0) {
+		conf->he_mu_edca.he_mu_ac_be_param[HE_MU_AC_PARAM_ECW_IDX] |=
+			set_he_cap(atoi(pos), HE_MU_AC_PARAM_ECWMAX);
+	} else if (os_strcmp(buf, "he_mu_edca_ac_be_timer") == 0) {
+		conf->he_mu_edca.he_mu_ac_be_param[HE_MU_AC_PARAM_TIMER_IDX] =
+			atoi(pos) & 0xff;
+	} else if (os_strcmp(buf, "he_mu_edca_ac_bk_aifsn") == 0) {
+		conf->he_mu_edca.he_mu_ac_bk_param[HE_MU_AC_PARAM_ACI_IDX] |=
+			set_he_cap(atoi(pos), HE_MU_AC_PARAM_AIFSN);
+	} else if (os_strcmp(buf, "he_mu_edca_ac_bk_acm") == 0) {
+		conf->he_mu_edca.he_mu_ac_bk_param[HE_MU_AC_PARAM_ACI_IDX] |=
+			set_he_cap(atoi(pos), HE_MU_AC_PARAM_ACM);
+	} else if (os_strcmp(buf, "he_mu_edca_ac_bk_aci") == 0) {
+		conf->he_mu_edca.he_mu_ac_bk_param[HE_MU_AC_PARAM_ACI_IDX] |=
+			set_he_cap(atoi(pos), HE_MU_AC_PARAM_ACI);
+	} else if (os_strcmp(buf, "he_mu_edca_ac_bk_ecwmin") == 0) {
+		conf->he_mu_edca.he_mu_ac_bk_param[HE_MU_AC_PARAM_ECW_IDX] |=
+			set_he_cap(atoi(pos), HE_MU_AC_PARAM_ECWMIN);
+	} else if (os_strcmp(buf, "he_mu_edca_ac_bk_ecwmax") == 0) {
+		conf->he_mu_edca.he_mu_ac_bk_param[HE_MU_AC_PARAM_ECW_IDX] |=
+			set_he_cap(atoi(pos), HE_MU_AC_PARAM_ECWMAX);
+	} else if (os_strcmp(buf, "he_mu_edca_ac_bk_timer") == 0) {
+		conf->he_mu_edca.he_mu_ac_bk_param[HE_MU_AC_PARAM_TIMER_IDX] =
+			atoi(pos) & 0xff;
+	} else if (os_strcmp(buf, "he_mu_edca_ac_vi_aifsn") == 0) {
+		conf->he_mu_edca.he_mu_ac_vi_param[HE_MU_AC_PARAM_ACI_IDX] |=
+			set_he_cap(atoi(pos), HE_MU_AC_PARAM_AIFSN);
+	} else if (os_strcmp(buf, "he_mu_edca_ac_vi_acm") == 0) {
+		conf->he_mu_edca.he_mu_ac_vi_param[HE_MU_AC_PARAM_ACI_IDX] |=
+			set_he_cap(atoi(pos), HE_MU_AC_PARAM_ACM);
+	} else if (os_strcmp(buf, "he_mu_edca_ac_vi_aci") == 0) {
+		conf->he_mu_edca.he_mu_ac_vi_param[HE_MU_AC_PARAM_ACI_IDX] |=
+			set_he_cap(atoi(pos), HE_MU_AC_PARAM_ACI);
+	} else if (os_strcmp(buf, "he_mu_edca_ac_vi_ecwmin") == 0) {
+		conf->he_mu_edca.he_mu_ac_vi_param[HE_MU_AC_PARAM_ECW_IDX] |=
+			set_he_cap(atoi(pos), HE_MU_AC_PARAM_ECWMIN);
+	} else if (os_strcmp(buf, "he_mu_edca_ac_vi_ecwmax") == 0) {
+		conf->he_mu_edca.he_mu_ac_vi_param[HE_MU_AC_PARAM_ECW_IDX] |=
+			set_he_cap(atoi(pos), HE_MU_AC_PARAM_ECWMAX);
+	} else if (os_strcmp(buf, "he_mu_edca_ac_vi_timer") == 0) {
+		conf->he_mu_edca.he_mu_ac_vi_param[HE_MU_AC_PARAM_TIMER_IDX] =
+			atoi(pos) & 0xff;
+	} else if (os_strcmp(buf, "he_mu_edca_ac_vo_aifsn") == 0) {
+		conf->he_mu_edca.he_mu_ac_vo_param[HE_MU_AC_PARAM_ACI_IDX] |=
+			set_he_cap(atoi(pos), HE_MU_AC_PARAM_AIFSN);
+	} else if (os_strcmp(buf, "he_mu_edca_ac_vo_acm") == 0) {
+		conf->he_mu_edca.he_mu_ac_vo_param[HE_MU_AC_PARAM_ACI_IDX] |=
+			set_he_cap(atoi(pos), HE_MU_AC_PARAM_ACM);
+	} else if (os_strcmp(buf, "he_mu_edca_ac_vo_aci") == 0) {
+		conf->he_mu_edca.he_mu_ac_vo_param[HE_MU_AC_PARAM_ACI_IDX] |=
+			set_he_cap(atoi(pos), HE_MU_AC_PARAM_ACI);
+	} else if (os_strcmp(buf, "he_mu_edca_ac_vo_ecwmin") == 0) {
+		conf->he_mu_edca.he_mu_ac_vo_param[HE_MU_AC_PARAM_ECW_IDX] |=
+			set_he_cap(atoi(pos), HE_MU_AC_PARAM_ECWMIN);
+	} else if (os_strcmp(buf, "he_mu_edca_ac_vo_ecwmax") == 0) {
+		conf->he_mu_edca.he_mu_ac_vo_param[HE_MU_AC_PARAM_ECW_IDX] |=
+			set_he_cap(atoi(pos), HE_MU_AC_PARAM_ECWMAX);
+	} else if (os_strcmp(buf, "he_mu_edca_ac_vo_timer") == 0) {
+		conf->he_mu_edca.he_mu_ac_vo_param[HE_MU_AC_PARAM_TIMER_IDX] =
+			atoi(pos) & 0xff;
 #endif /* CONFIG_IEEE80211AX */
 	} else if (os_strcmp(buf, "max_listen_interval") == 0) {
 		bss->max_listen_interval = atoi(pos);
@@ -3466,6 +3623,8 @@ static int hostapd_config_fill(struct hostapd_config *
 		}
 	} else if (os_strcmp(buf, "wps_cred_processing") == 0) {
 		bss->wps_cred_processing = atoi(pos);
+	} else if (os_strcmp(buf, "wps_cred_add_sae") == 0) {
+		bss->wps_cred_add_sae = atoi(pos);
 	} else if (os_strcmp(buf, "ap_settings") == 0) {
 		os_free(bss->ap_settings);
 		bss->ap_settings =
@@ -3475,6 +3634,56 @@ static int hostapd_config_fill(struct hostapd_config *
 				   line, pos);
 			return 1;
 		}
+	} else if (os_strcmp(buf, "multi_ap_backhaul_ssid") == 0) {
+		size_t slen;
+		char *str = wpa_config_parse_string(pos, &slen);
+
+		if (!str || slen < 1 || slen > SSID_MAX_LEN) {
+			wpa_printf(MSG_ERROR, "Line %d: invalid SSID '%s'",
+				   line, pos);
+			os_free(str);
+			return 1;
+		}
+		os_memcpy(bss->multi_ap_backhaul_ssid.ssid, str, slen);
+		bss->multi_ap_backhaul_ssid.ssid_len = slen;
+		bss->multi_ap_backhaul_ssid.ssid_set = 1;
+		os_free(str);
+	} else if (os_strcmp(buf, "multi_ap_backhaul_wpa_passphrase") == 0) {
+		int len = os_strlen(pos);
+
+		if (len < 8 || len > 63) {
+			wpa_printf(MSG_ERROR,
+				   "Line %d: invalid WPA passphrase length %d (expected 8..63)",
+				   line, len);
+			return 1;
+		}
+		os_free(bss->multi_ap_backhaul_ssid.wpa_passphrase);
+		bss->multi_ap_backhaul_ssid.wpa_passphrase = os_strdup(pos);
+		if (bss->multi_ap_backhaul_ssid.wpa_passphrase) {
+			hostapd_config_clear_wpa_psk(
+				&bss->multi_ap_backhaul_ssid.wpa_psk);
+			bss->multi_ap_backhaul_ssid.wpa_passphrase_set = 1;
+		}
+	} else if (os_strcmp(buf, "multi_ap_backhaul_wpa_psk") == 0) {
+		hostapd_config_clear_wpa_psk(
+			&bss->multi_ap_backhaul_ssid.wpa_psk);
+		bss->multi_ap_backhaul_ssid.wpa_psk =
+			os_zalloc(sizeof(struct hostapd_wpa_psk));
+		if (!bss->multi_ap_backhaul_ssid.wpa_psk)
+			return 1;
+		if (hexstr2bin(pos, bss->multi_ap_backhaul_ssid.wpa_psk->psk,
+			       PMK_LEN) ||
+		    pos[PMK_LEN * 2] != '\0') {
+			wpa_printf(MSG_ERROR, "Line %d: Invalid PSK '%s'.",
+				   line, pos);
+			hostapd_config_clear_wpa_psk(
+				&bss->multi_ap_backhaul_ssid.wpa_psk);
+			return 1;
+		}
+		bss->multi_ap_backhaul_ssid.wpa_psk->group = 1;
+		os_free(bss->multi_ap_backhaul_ssid.wpa_passphrase);
+		bss->multi_ap_backhaul_ssid.wpa_passphrase = NULL;
+		bss->multi_ap_backhaul_ssid.wpa_psk_set = 1;
 	} else if (os_strcmp(buf, "upnp_iface") == 0) {
 		os_free(bss->upnp_iface);
 		bss->upnp_iface = os_strdup(pos);
@@ -3717,6 +3926,16 @@ static int hostapd_config_fill(struct hostapd_config *
 #ifdef CONFIG_HS20
 	} else if (os_strcmp(buf, "hs20") == 0) {
 		bss->hs20 = atoi(pos);
+	} else if (os_strcmp(buf, "hs20_release") == 0) {
+		int val = atoi(pos);
+
+		if (val < 1 || val > (HS20_VERSION >> 4) + 1) {
+			wpa_printf(MSG_ERROR,
+				   "Line %d: Unsupported hs20_release: %s",
+				   line, pos);
+			return 1;
+		}
+		bss->hs20_release = val;
 	} else if (os_strcmp(buf, "disable_dgaf") == 0) {
 		bss->disable_dgaf = atoi(pos);
 	} else if (os_strcmp(buf, "na_mcast_to_ucast") == 0) {
@@ -3807,6 +4026,9 @@ static int hostapd_config_fill(struct hostapd_config *
 	} else if (os_strcmp(buf, "hs20_t_c_server_url") == 0) {
 		os_free(bss->t_c_server_url);
 		bss->t_c_server_url = os_strdup(pos);
+	} else if (os_strcmp(buf, "hs20_sim_provisioning_url") == 0) {
+		os_free(bss->hs20_sim_provisioning_url);
+		bss->hs20_sim_provisioning_url = os_strdup(pos);
 #endif /* CONFIG_HS20 */
 #ifdef CONFIG_MBO
 	} else if (os_strcmp(buf, "mbo") == 0) {
@@ -4111,6 +4333,22 @@ static int hostapd_config_fill(struct hostapd_config *
 	} else if (os_strcmp(buf, "coloc_intf_reporting") == 0) {
 		bss->coloc_intf_reporting = atoi(pos);
 #endif /* CONFIG_OWE */
+	} else if (os_strcmp(buf, "multi_ap") == 0) {
+		int val = atoi(pos);
+
+		if (val < 0 || val > 3) {
+			wpa_printf(MSG_ERROR, "Line %d: Invalid multi_ap '%s'",
+				   line, buf);
+			return -1;
+		}
+
+		bss->multi_ap = val;
+	} else if (os_strcmp(buf, "rssi_reject_assoc_rssi") == 0) {
+		conf->rssi_reject_assoc_rssi = atoi(pos);
+	} else if (os_strcmp(buf, "rssi_reject_assoc_timeout") == 0) {
+		conf->rssi_reject_assoc_timeout = atoi(pos);
+	} else if (os_strcmp(buf, "pbss") == 0) {
+		bss->pbss = atoi(pos);
 	} else {
 		wpa_printf(MSG_ERROR,
 			   "Line %d: unknown configuration item '%s'",

Modified: head/contrib/wpa/hostapd/ctrl_iface.c
==============================================================================
--- head/contrib/wpa/hostapd/ctrl_iface.c	Tue Apr 23 03:19:03 2019	(r346590)
+++ head/contrib/wpa/hostapd/ctrl_iface.c	Tue Apr 23 03:52:43 2019	(r346591)
@@ -883,7 +883,7 @@ static int hostapd_ctrl_iface_bss_tm_req(struct hostap
 		/* TODO: TSF configurable/learnable */
 		bss_term_dur[0] = 4; /* Subelement ID */
 		bss_term_dur[1] = 10; /* Length */
-		os_memset(bss_term_dur, 2, 8);
+		os_memset(&bss_term_dur[2], 0, 8);
 		end = os_strchr(pos, ',');
 		if (end == NULL) {
 			wpa_printf(MSG_DEBUG, "Invalid bss_term data");
@@ -1488,6 +1488,63 @@ static int hostapd_ctrl_iface_disable(struct hostapd_i
 }
 
 
+static int
+hostapd_ctrl_iface_kick_mismatch_psk_sta_iter(struct hostapd_data *hapd,
+					      struct sta_info *sta, void *ctx)
+{
+	struct hostapd_wpa_psk *psk;
+	const u8 *pmk;
+	int pmk_len;
+	int pmk_match;
+	int sta_match;
+	int bss_match;
+	int reason;
+
+	pmk = wpa_auth_get_pmk(sta->wpa_sm, &pmk_len);
+
+	for (psk = hapd->conf->ssid.wpa_psk; pmk && psk; psk = psk->next) {
+		pmk_match = PMK_LEN == pmk_len &&
+			os_memcmp(psk->psk, pmk, pmk_len) == 0;
+		sta_match = psk->group == 0 &&
+			os_memcmp(sta->addr, psk->addr, ETH_ALEN) == 0;
+		bss_match = psk->group == 1;
+
+		if (pmk_match && (sta_match || bss_match))
+			return 0;
+	}
+
+	wpa_printf(MSG_INFO, "STA " MACSTR
+		   " PSK/passphrase no longer valid - disconnect",
+		   MAC2STR(sta->addr));
+	reason = WLAN_REASON_PREV_AUTH_NOT_VALID;
+	hostapd_drv_sta_deauth(hapd, sta->addr, reason);
+	ap_sta_deauthenticate(hapd, sta, reason);
+
+	return 0;
+}
+
+
+static int hostapd_ctrl_iface_reload_wpa_psk(struct hostapd_data *hapd)
+{
+	struct hostapd_bss_config *conf = hapd->conf;
+	int err;
+
+	hostapd_config_clear_wpa_psk(&conf->ssid.wpa_psk);
+
+	err = hostapd_setup_wpa_psk(conf);
+	if (err < 0) {
+		wpa_printf(MSG_ERROR, "Reloading WPA-PSK passwords failed: %d",
+			   err);
+		return -1;
+	}
+
+	ap_for_each_sta(hapd, hostapd_ctrl_iface_kick_mismatch_psk_sta_iter,
+			NULL);
+
+	return 0;
+}
+
+
 #ifdef CONFIG_TESTING_OPTIONS
 
 static int hostapd_ctrl_iface_radar(struct hostapd_data *hapd, char *cmd)
@@ -2826,6 +2883,34 @@ static int hostapd_ctrl_iface_acl_add_mac(struct mac_a
 }
 
 
+static int hostapd_ctrl_iface_get_capability(struct hostapd_data *hapd,
+					     const char *field, char *buf,
+					     size_t buflen)
+{
+	wpa_printf(MSG_DEBUG, "CTRL_IFACE: GET_CAPABILITY '%s'", field);
+
+#ifdef CONFIG_DPP
+	if (os_strcmp(field, "dpp") == 0) {
+		int res;
+
+#ifdef CONFIG_DPP2
+		res = os_snprintf(buf, buflen, "DPP=2");
+#else /* CONFIG_DPP2 */
+		res = os_snprintf(buf, buflen, "DPP=1");
+#endif /* CONFIG_DPP2 */
+		if (os_snprintf_error(buflen, res))
+			return -1;
+		return res;
+	}
+#endif /* CONFIG_DPP */
+
+	wpa_printf(MSG_DEBUG, "CTRL_IFACE: Unknown GET_CAPABILITY field '%s'",
+		   field);
+
+	return -1;
+}
+
+
 static int hostapd_ctrl_iface_receive_process(struct hostapd_data *hapd,
 					      char *buf, char *reply,
 					      int reply_size,
@@ -3013,6 +3098,9 @@ static int hostapd_ctrl_iface_receive_process(struct h
 	} else if (os_strncmp(buf, "ENABLE", 6) == 0) {
 		if (hostapd_ctrl_iface_enable(hapd->iface))
 			reply_len = -1;
+	} else if (os_strcmp(buf, "RELOAD_WPA_PSK") == 0) {
+		if (hostapd_ctrl_iface_reload_wpa_psk(hapd))
+			reply_len = -1;
 	} else if (os_strncmp(buf, "RELOAD", 6) == 0) {
 		if (hostapd_ctrl_iface_reload(hapd->iface))
 			reply_len = -1;
@@ -3182,7 +3270,7 @@ static int hostapd_ctrl_iface_receive_process(struct h
 				reply_len = -1;
 		}
 	} else if (os_strncmp(buf, "DPP_BOOTSTRAP_GEN ", 18) == 0) {
-		res = hostapd_dpp_bootstrap_gen(hapd, buf + 18);
+		res = dpp_bootstrap_gen(hapd->iface->interfaces->dpp, buf + 18);
 		if (res < 0) {
 			reply_len = -1;
 		} else {
@@ -3191,12 +3279,14 @@ static int hostapd_ctrl_iface_receive_process(struct h
 				reply_len = -1;
 		}
 	} else if (os_strncmp(buf, "DPP_BOOTSTRAP_REMOVE ", 21) == 0) {
-		if (hostapd_dpp_bootstrap_remove(hapd, buf + 21) < 0)
+		if (dpp_bootstrap_remove(hapd->iface->interfaces->dpp,
+					 buf + 21) < 0)
 			reply_len = -1;
 	} else if (os_strncmp(buf, "DPP_BOOTSTRAP_GET_URI ", 22) == 0) {
 		const char *uri;
 
-		uri = hostapd_dpp_bootstrap_get_uri(hapd, atoi(buf + 22));
+		uri = dpp_bootstrap_get_uri(hapd->iface->interfaces->dpp,
+					    atoi(buf + 22));
 		if (!uri) {
 			reply_len = -1;
 		} else {
@@ -3205,8 +3295,9 @@ static int hostapd_ctrl_iface_receive_process(struct h
 				reply_len = -1;
 		}
 	} else if (os_strncmp(buf, "DPP_BOOTSTRAP_INFO ", 19) == 0) {
-		reply_len = hostapd_dpp_bootstrap_info(hapd, atoi(buf + 19),
-						       reply, reply_size);
+		reply_len = dpp_bootstrap_info(hapd->iface->interfaces->dpp,
+					       atoi(buf + 19),
+			reply, reply_size);
 	} else if (os_strncmp(buf, "DPP_AUTH_INIT ", 14) == 0) {
 		if (hostapd_dpp_auth_init(hapd, buf + 13) < 0)
 			reply_len = -1;
@@ -3217,7 +3308,8 @@ static int hostapd_ctrl_iface_receive_process(struct h
 		hostapd_dpp_stop(hapd);
 		hostapd_dpp_listen_stop(hapd);
 	} else if (os_strncmp(buf, "DPP_CONFIGURATOR_ADD", 20) == 0) {
-		res = hostapd_dpp_configurator_add(hapd, buf + 20);
+		res = dpp_configurator_add(hapd->iface->interfaces->dpp,
+					   buf + 20);
 		if (res < 0) {
 			reply_len = -1;
 		} else {
@@ -3226,15 +3318,17 @@ static int hostapd_ctrl_iface_receive_process(struct h
 				reply_len = -1;
 		}
 	} else if (os_strncmp(buf, "DPP_CONFIGURATOR_REMOVE ", 24) == 0) {
-		if (hostapd_dpp_configurator_remove(hapd, buf + 24) < 0)
+		if (dpp_configurator_remove(hapd->iface->interfaces->dpp,
+					    buf + 24) < 0)
 			reply_len = -1;
 	} else if (os_strncmp(buf, "DPP_CONFIGURATOR_SIGN ", 22) == 0) {
-		if (hostapd_dpp_configurator_sign(hapd, buf + 22) < 0)
+		if (hostapd_dpp_configurator_sign(hapd, buf + 21) < 0)
 			reply_len = -1;
 	} else if (os_strncmp(buf, "DPP_CONFIGURATOR_GET_KEY ", 25) == 0) {
-		reply_len = hostapd_dpp_configurator_get_key(hapd,
-							     atoi(buf + 25),
-							     reply, reply_size);
+		reply_len = dpp_configurator_get_key_id(
+			hapd->iface->interfaces->dpp,
+			atoi(buf + 25),
+			reply, reply_size);
 	} else if (os_strncmp(buf, "DPP_PKEX_ADD ", 13) == 0) {
 		res = hostapd_dpp_pkex_add(hapd, buf + 12);
 		if (res < 0) {
@@ -3253,6 +3347,9 @@ static int hostapd_ctrl_iface_receive_process(struct h
 		if (radius_server_dac_request(hapd->radius_srv, buf + 12) < 0)
 			reply_len = -1;
 #endif /* RADIUS_SERVER */
+	} else if (os_strncmp(buf, "GET_CAPABILITY ", 15) == 0) {
+		reply_len = hostapd_ctrl_iface_get_capability(
+			hapd, buf + 15, reply, reply_size);
 	} else {
 		os_memcpy(reply, "UNKNOWN COMMAND\n", 16);
 		reply_len = 16;
@@ -3506,18 +3603,18 @@ fail:
 	}
 
 	if (hapd->conf->ctrl_interface_gid_set &&
-	    chown(hapd->conf->ctrl_interface, -1,
-		  hapd->conf->ctrl_interface_gid) < 0) {
-		wpa_printf(MSG_ERROR, "chown[ctrl_interface]: %s",
+	    lchown(hapd->conf->ctrl_interface, -1,
+		   hapd->conf->ctrl_interface_gid) < 0) {
+		wpa_printf(MSG_ERROR, "lchown[ctrl_interface]: %s",
 			   strerror(errno));
 		return -1;
 	}
 
 	if (!hapd->conf->ctrl_interface_gid_set &&
 	    hapd->iface->interfaces->ctrl_iface_group &&
-	    chown(hapd->conf->ctrl_interface, -1,
-		  hapd->iface->interfaces->ctrl_iface_group) < 0) {
-		wpa_printf(MSG_ERROR, "chown[ctrl_interface]: %s",
+	    lchown(hapd->conf->ctrl_interface, -1,
+		   hapd->iface->interfaces->ctrl_iface_group) < 0) {
+		wpa_printf(MSG_ERROR, "lchown[ctrl_interface]: %s",
 			   strerror(errno));
 		return -1;
 	}
@@ -3590,16 +3687,16 @@ fail:
 	}
 
 	if (hapd->conf->ctrl_interface_gid_set &&
-	    chown(fname, -1, hapd->conf->ctrl_interface_gid) < 0) {
-		wpa_printf(MSG_ERROR, "chown[ctrl_interface/ifname]: %s",
+	    lchown(fname, -1, hapd->conf->ctrl_interface_gid) < 0) {
+		wpa_printf(MSG_ERROR, "lchown[ctrl_interface/ifname]: %s",
 			   strerror(errno));
 		goto fail;
 	}
 
 	if (!hapd->conf->ctrl_interface_gid_set &&
 	    hapd->iface->interfaces->ctrl_iface_group &&
-	    chown(fname, -1, hapd->iface->interfaces->ctrl_iface_group) < 0) {
-		wpa_printf(MSG_ERROR, "chown[ctrl_interface/ifname]: %s",
+	    lchown(fname, -1, hapd->iface->interfaces->ctrl_iface_group) < 0) {
+		wpa_printf(MSG_ERROR, "lchown[ctrl_interface/ifname]: %s",
 			   strerror(errno));
 		goto fail;
 	}
@@ -3733,7 +3830,7 @@ static void hostapd_ctrl_iface_flush(struct hapd_inter
 #endif /* CONFIG_TESTING_OPTIONS */
 
 #ifdef CONFIG_DPP
-	hostapd_dpp_deinit_global(interfaces);
+	dpp_global_clear(interfaces->dpp);
 #endif /* CONFIG_DPP */
 }
 
@@ -4273,9 +4370,9 @@ fail:
 			goto fail;
 		}
 	} else if (interface->ctrl_iface_group &&
-		   chown(interface->global_iface_path, -1,
-			 interface->ctrl_iface_group) < 0) {
-		wpa_printf(MSG_ERROR, "chown[ctrl_interface]: %s",
+		   lchown(interface->global_iface_path, -1,
+			  interface->ctrl_iface_group) < 0) {
+		wpa_printf(MSG_ERROR, "lchown[ctrl_interface]: %s",
 			   strerror(errno));
 		goto fail;
 	}
@@ -4332,8 +4429,8 @@ fail:
 	}
 
 	if (interface->ctrl_iface_group &&
-	    chown(fname, -1, interface->ctrl_iface_group) < 0) {
-		wpa_printf(MSG_ERROR, "chown[ctrl_interface]: %s",
+	    lchown(fname, -1, interface->ctrl_iface_group) < 0) {
+		wpa_printf(MSG_ERROR, "lchown[ctrl_interface]: %s",
 			   strerror(errno));
 		goto fail;
 	}

Modified: head/contrib/wpa/hostapd/defconfig
==============================================================================
--- head/contrib/wpa/hostapd/defconfig	Tue Apr 23 03:19:03 2019	(r346590)
+++ head/contrib/wpa/hostapd/defconfig	Tue Apr 23 03:52:43 2019	(r346591)
@@ -53,6 +53,9 @@ CONFIG_RSN_PREAUTH=y
 # IEEE 802.11w (management frame protection)
 CONFIG_IEEE80211W=y
 
+# Support Operating Channel Validation
+#CONFIG_OCV=y
+
 # Integrated EAP server
 CONFIG_EAP=y
 
@@ -249,6 +252,11 @@ CONFIG_IPV6=y
 # requirements described above.
 #CONFIG_NO_RANDOM_POOL=y
 
+# Should we attempt to use the getrandom(2) call that provides more reliable
+# yet secure randomness source than /dev/random on Linux 3.17 and newer.
+# Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
+#CONFIG_GETRANDOM=y
+
 # Should we use poll instead of select? Select is used by default.
 #CONFIG_ELOOP_POLL=y
 
@@ -356,8 +364,6 @@ CONFIG_IPV6=y
 #CONFIG_TAXONOMY=y
 
 # Fast Initial Link Setup (FILS) (IEEE 802.11ai)
-# Note: This is an experimental and not yet complete implementation. This
-# should not be enabled for production use.
 #CONFIG_FILS=y
 # FILS shared key authentication with PFS
 #CONFIG_FILS_SK_PFS=y

Modified: head/contrib/wpa/hostapd/hostapd.conf
==============================================================================
--- head/contrib/wpa/hostapd/hostapd.conf	Tue Apr 23 03:19:03 2019	(r346590)
+++ head/contrib/wpa/hostapd/hostapd.conf	Tue Apr 23 03:52:43 2019	(r346591)
@@ -438,6 +438,13 @@ wmm_ac_vo_txop_limit=47
 wmm_ac_vo_acm=0
 # Note: for IEEE 802.11b mode: cWmin=3 cWmax=4 burst=102
 
+# Enable Multi-AP functionality
+# 0 = disabled (default)
+# 1 = AP support backhaul BSS
+# 2 = AP support fronthaul BSS
+# 3 = AP supports both backhaul BSS and fronthaul BSS
+#multi_ap=0
+
 # Static WEP key configuration
 #
 # The key number to use when transmitting.
@@ -794,6 +801,30 @@ wmm_ac_vo_acm=0
 # unsigned integer = duration in units of 16 us
 #he_rts_threshold=0
 
+#he_mu_edca_qos_info_param_count
+#he_mu_edca_qos_info_q_ack
+#he_mu_edca_qos_info_queue_request=1
+#he_mu_edca_qos_info_txop_request
+#he_mu_edca_ac_be_aifsn=0
+#he_mu_edca_ac_be_ecwmin=15
+#he_mu_edca_ac_be_ecwmax=15
+#he_mu_edca_ac_be_timer=255
+#he_mu_edca_ac_bk_aifsn=0
+#he_mu_edca_ac_bk_aci=1
+#he_mu_edca_ac_bk_ecwmin=15
+#he_mu_edca_ac_bk_ecwmax=15
+#he_mu_edca_ac_bk_timer=255

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201904230352.x3N3qi4l074089>