Date: Tue, 03 Sep 2019 14:07:43 -0000 From: Cy Schubert <cy@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r346591 - in head: contrib/wpa contrib/wpa/hostapd contrib/wpa/hs20/client contrib/wpa/src/ap contrib/wpa/src/common contrib/wpa/src/crypto contrib/wpa/src/drivers contrib/wpa/src/eap_c... Message-ID: <201904230352.x3N3qi4l074089@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: cy Date: Tue Apr 23 03:52:43 2019 New Revision: 346591 URL: https://svnweb.freebsd.org/changeset/base/346591 Log: MFV r346563: Update wpa_supplicant/hostapd 2.7 --> 2.8 Upstream documents the following advisories: - https://w1.fi/security/2019-1/sae-side-channel-attacks.txt - https://w1.fi/security/2019-2/eap-pwd-side-channel-attack.txt - https://w1.fi/security/2019-3/sae-confirm-missing-state-validation.txt - https://w1.fi/security/2019-4/eap-pwd-missing-commit-validation.txt - https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-\ with-unexpected-fragment.txt Relnotes: yes MFC after: 1 week (or less) Security: CVE-2019-9494, VU#871675, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497, CVE-2019-9498, CVE-2019-9499 Added: head/contrib/wpa/hostapd/README-MULTI-AP - copied unchanged from r346563, vendor/wpa/dist/hostapd/README-MULTI-AP head/contrib/wpa/src/common/ocv.c - copied unchanged from r346563, vendor/wpa/dist/src/common/ocv.c head/contrib/wpa/src/common/ocv.h - copied unchanged from r346563, vendor/wpa/dist/src/common/ocv.h head/contrib/wpa/src/crypto/sha512.c - copied unchanged from r346563, vendor/wpa/dist/src/crypto/sha512.c head/contrib/wpa/src/utils/const_time.h - copied unchanged from r346563, vendor/wpa/dist/src/utils/const_time.h head/contrib/wpa/wpa_supplicant/README-DPP - copied unchanged from r346563, vendor/wpa/dist/wpa_supplicant/README-DPP Deleted: head/contrib/wpa/wpa_supplicant/dbus/dbus_old.c head/contrib/wpa/wpa_supplicant/dbus/dbus_old.h head/contrib/wpa/wpa_supplicant/dbus/dbus_old_handlers.c head/contrib/wpa/wpa_supplicant/dbus/dbus_old_handlers.h head/contrib/wpa/wpa_supplicant/dbus/dbus_old_handlers_wps.c head/contrib/wpa/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in head/contrib/wpa/wpa_supplicant/examples/wpas-test.py Modified: head/contrib/wpa/CONTRIBUTIONS head/contrib/wpa/COPYING head/contrib/wpa/README head/contrib/wpa/hostapd/ChangeLog head/contrib/wpa/hostapd/README head/contrib/wpa/hostapd/config_file.c head/contrib/wpa/hostapd/ctrl_iface.c head/contrib/wpa/hostapd/defconfig head/contrib/wpa/hostapd/hostapd.conf head/contrib/wpa/hostapd/hostapd.wpa_psk head/contrib/wpa/hostapd/hostapd_cli.c head/contrib/wpa/hostapd/main.c head/contrib/wpa/hostapd/wps-ap-nfc.py head/contrib/wpa/hs20/client/Makefile head/contrib/wpa/hs20/client/est.c head/contrib/wpa/hs20/client/osu_client.c head/contrib/wpa/src/ap/acs.c head/contrib/wpa/src/ap/ap_config.c head/contrib/wpa/src/ap/ap_config.h head/contrib/wpa/src/ap/ap_drv_ops.h head/contrib/wpa/src/ap/authsrv.c head/contrib/wpa/src/ap/beacon.c head/contrib/wpa/src/ap/ctrl_iface_ap.c head/contrib/wpa/src/ap/dfs.c head/contrib/wpa/src/ap/dhcp_snoop.c head/contrib/wpa/src/ap/dpp_hostapd.c head/contrib/wpa/src/ap/dpp_hostapd.h head/contrib/wpa/src/ap/drv_callbacks.c head/contrib/wpa/src/ap/eap_user_db.c head/contrib/wpa/src/ap/fils_hlp.c head/contrib/wpa/src/ap/hostapd.c head/contrib/wpa/src/ap/hostapd.h head/contrib/wpa/src/ap/hs20.c head/contrib/wpa/src/ap/hw_features.c head/contrib/wpa/src/ap/ieee802_11.c head/contrib/wpa/src/ap/ieee802_11.h head/contrib/wpa/src/ap/ieee802_11_auth.c head/contrib/wpa/src/ap/ieee802_11_he.c head/contrib/wpa/src/ap/ieee802_11_shared.c head/contrib/wpa/src/ap/ieee802_11_vht.c head/contrib/wpa/src/ap/ieee802_1x.c head/contrib/wpa/src/ap/neighbor_db.c head/contrib/wpa/src/ap/neighbor_db.h head/contrib/wpa/src/ap/rrm.c head/contrib/wpa/src/ap/sta_info.c head/contrib/wpa/src/ap/sta_info.h head/contrib/wpa/src/ap/vlan_full.c head/contrib/wpa/src/ap/vlan_init.c head/contrib/wpa/src/ap/wnm_ap.c head/contrib/wpa/src/ap/wpa_auth.c head/contrib/wpa/src/ap/wpa_auth.h head/contrib/wpa/src/ap/wpa_auth_ft.c head/contrib/wpa/src/ap/wpa_auth_glue.c head/contrib/wpa/src/ap/wpa_auth_i.h head/contrib/wpa/src/ap/wpa_auth_ie.c head/contrib/wpa/src/ap/wpa_auth_ie.h head/contrib/wpa/src/ap/wps_hostapd.c head/contrib/wpa/src/common/common_module_tests.c head/contrib/wpa/src/common/defs.h head/contrib/wpa/src/common/dpp.c head/contrib/wpa/src/common/dpp.h head/contrib/wpa/src/common/hw_features_common.c head/contrib/wpa/src/common/hw_features_common.h head/contrib/wpa/src/common/ieee802_11_common.c head/contrib/wpa/src/common/ieee802_11_common.h head/contrib/wpa/src/common/ieee802_11_defs.h head/contrib/wpa/src/common/qca-vendor.h head/contrib/wpa/src/common/sae.c head/contrib/wpa/src/common/sae.h head/contrib/wpa/src/common/version.h head/contrib/wpa/src/common/wpa_common.c head/contrib/wpa/src/common/wpa_common.h head/contrib/wpa/src/common/wpa_ctrl.c head/contrib/wpa/src/crypto/aes-internal-enc.c head/contrib/wpa/src/crypto/crypto.h head/contrib/wpa/src/crypto/crypto_gnutls.c head/contrib/wpa/src/crypto/crypto_internal-modexp.c head/contrib/wpa/src/crypto/crypto_internal.c head/contrib/wpa/src/crypto/crypto_libtomcrypt.c head/contrib/wpa/src/crypto/crypto_linux.c head/contrib/wpa/src/crypto/crypto_nettle.c head/contrib/wpa/src/crypto/crypto_openssl.c head/contrib/wpa/src/crypto/crypto_wolfssl.c head/contrib/wpa/src/crypto/dh_groups.c head/contrib/wpa/src/crypto/md4-internal.c head/contrib/wpa/src/crypto/random.c head/contrib/wpa/src/crypto/sha1-tlsprf.c head/contrib/wpa/src/crypto/sha512-internal.c head/contrib/wpa/src/crypto/tls.h head/contrib/wpa/src/crypto/tls_gnutls.c head/contrib/wpa/src/crypto/tls_internal.c head/contrib/wpa/src/crypto/tls_none.c head/contrib/wpa/src/crypto/tls_openssl.c head/contrib/wpa/src/crypto/tls_wolfssl.c head/contrib/wpa/src/drivers/driver.h head/contrib/wpa/src/drivers/driver_bsd.c head/contrib/wpa/src/drivers/driver_common.c head/contrib/wpa/src/drivers/driver_macsec_linux.c head/contrib/wpa/src/drivers/driver_nl80211.h head/contrib/wpa/src/drivers/driver_nl80211_capa.c head/contrib/wpa/src/drivers/driver_nl80211_event.c head/contrib/wpa/src/drivers/driver_nl80211_scan.c head/contrib/wpa/src/drivers/driver_openbsd.c head/contrib/wpa/src/eap_common/eap_eke_common.c head/contrib/wpa/src/eap_common/eap_pwd_common.c head/contrib/wpa/src/eap_common/eap_pwd_common.h head/contrib/wpa/src/eap_common/eap_sake_common.c head/contrib/wpa/src/eap_common/eap_sake_common.h head/contrib/wpa/src/eap_peer/eap_config.h head/contrib/wpa/src/eap_peer/eap_fast.c head/contrib/wpa/src/eap_peer/eap_mschapv2.c head/contrib/wpa/src/eap_peer/eap_peap.c head/contrib/wpa/src/eap_peer/eap_pwd.c head/contrib/wpa/src/eap_peer/eap_sake.c head/contrib/wpa/src/eap_peer/eap_tls.c head/contrib/wpa/src/eap_peer/eap_tls_common.c head/contrib/wpa/src/eap_peer/eap_tls_common.h head/contrib/wpa/src/eap_peer/eap_ttls.c head/contrib/wpa/src/eap_peer/eap_wsc.c head/contrib/wpa/src/eap_server/eap.h head/contrib/wpa/src/eap_server/eap_i.h head/contrib/wpa/src/eap_server/eap_server.c head/contrib/wpa/src/eap_server/eap_server_aka.c head/contrib/wpa/src/eap_server/eap_server_gpsk.c head/contrib/wpa/src/eap_server/eap_server_mschapv2.c head/contrib/wpa/src/eap_server/eap_server_pax.c head/contrib/wpa/src/eap_server/eap_server_peap.c head/contrib/wpa/src/eap_server/eap_server_pwd.c head/contrib/wpa/src/eap_server/eap_server_sake.c head/contrib/wpa/src/eap_server/eap_server_sim.c head/contrib/wpa/src/eap_server/eap_server_tls.c head/contrib/wpa/src/eap_server/eap_server_tls_common.c head/contrib/wpa/src/eap_server/eap_server_ttls.c head/contrib/wpa/src/eap_server/eap_tls_common.h head/contrib/wpa/src/eapol_supp/eapol_supp_sm.c head/contrib/wpa/src/fst/fst.h head/contrib/wpa/src/p2p/p2p.c head/contrib/wpa/src/p2p/p2p.h head/contrib/wpa/src/p2p/p2p_build.c head/contrib/wpa/src/p2p/p2p_group.c head/contrib/wpa/src/p2p/p2p_i.h head/contrib/wpa/src/p2p/p2p_invitation.c head/contrib/wpa/src/p2p/p2p_utils.c head/contrib/wpa/src/pae/ieee802_1x_cp.c head/contrib/wpa/src/pae/ieee802_1x_cp.h head/contrib/wpa/src/pae/ieee802_1x_kay.c head/contrib/wpa/src/pae/ieee802_1x_kay.h head/contrib/wpa/src/pae/ieee802_1x_kay_i.h head/contrib/wpa/src/pae/ieee802_1x_key.c head/contrib/wpa/src/pae/ieee802_1x_key.h head/contrib/wpa/src/pae/ieee802_1x_secy_ops.c head/contrib/wpa/src/pae/ieee802_1x_secy_ops.h head/contrib/wpa/src/radius/radius_client.c head/contrib/wpa/src/radius/radius_server.c head/contrib/wpa/src/radius/radius_server.h head/contrib/wpa/src/rsn_supp/pmksa_cache.c head/contrib/wpa/src/rsn_supp/tdls.c head/contrib/wpa/src/rsn_supp/wpa.c head/contrib/wpa/src/rsn_supp/wpa.h head/contrib/wpa/src/rsn_supp/wpa_ft.c head/contrib/wpa/src/rsn_supp/wpa_i.h head/contrib/wpa/src/rsn_supp/wpa_ie.c head/contrib/wpa/src/rsn_supp/wpa_ie.h head/contrib/wpa/src/tls/asn1.c head/contrib/wpa/src/tls/bignum.c head/contrib/wpa/src/tls/tlsv1_client.c head/contrib/wpa/src/tls/tlsv1_client.h head/contrib/wpa/src/tls/tlsv1_client_read.c head/contrib/wpa/src/tls/tlsv1_client_write.c head/contrib/wpa/src/tls/tlsv1_server.c head/contrib/wpa/src/tls/tlsv1_server.h head/contrib/wpa/src/tls/tlsv1_server_i.h head/contrib/wpa/src/tls/tlsv1_server_read.c head/contrib/wpa/src/tls/tlsv1_server_write.c head/contrib/wpa/src/tls/x509v3.c head/contrib/wpa/src/utils/base64.c head/contrib/wpa/src/utils/browser.c head/contrib/wpa/src/utils/common.c head/contrib/wpa/src/utils/common.h head/contrib/wpa/src/utils/eloop.c head/contrib/wpa/src/utils/http_curl.c head/contrib/wpa/src/utils/json.c head/contrib/wpa/src/utils/list.h head/contrib/wpa/src/utils/os_internal.c head/contrib/wpa/src/utils/os_none.c head/contrib/wpa/src/utils/os_unix.c head/contrib/wpa/src/utils/utils_module_tests.c head/contrib/wpa/src/utils/wpa_debug.c head/contrib/wpa/src/wps/wps.c head/contrib/wpa/src/wps/wps.h head/contrib/wpa/src/wps/wps_attr_build.c head/contrib/wpa/src/wps/wps_attr_parse.c head/contrib/wpa/src/wps/wps_attr_parse.h head/contrib/wpa/src/wps/wps_common.c head/contrib/wpa/src/wps/wps_defs.h head/contrib/wpa/src/wps/wps_dev_attr.c head/contrib/wpa/src/wps/wps_dev_attr.h head/contrib/wpa/src/wps/wps_enrollee.c head/contrib/wpa/src/wps/wps_er.c head/contrib/wpa/src/wps/wps_i.h head/contrib/wpa/src/wps/wps_registrar.c head/contrib/wpa/src/wps/wps_upnp.c head/contrib/wpa/src/wps/wps_validate.c head/contrib/wpa/wpa_supplicant/Android.mk head/contrib/wpa/wpa_supplicant/ChangeLog head/contrib/wpa/wpa_supplicant/README head/contrib/wpa/wpa_supplicant/README-P2P head/contrib/wpa/wpa_supplicant/android.config head/contrib/wpa/wpa_supplicant/ap.c head/contrib/wpa/wpa_supplicant/bss.c head/contrib/wpa/wpa_supplicant/bss.h head/contrib/wpa/wpa_supplicant/config.c head/contrib/wpa/wpa_supplicant/config.h head/contrib/wpa/wpa_supplicant/config_file.c head/contrib/wpa/wpa_supplicant/config_ssid.h head/contrib/wpa/wpa_supplicant/ctrl_iface.c head/contrib/wpa/wpa_supplicant/ctrl_iface_unix.c head/contrib/wpa/wpa_supplicant/dbus/Makefile head/contrib/wpa/wpa_supplicant/dbus/dbus-wpa_supplicant.conf head/contrib/wpa/wpa_supplicant/dbus/dbus_common.c head/contrib/wpa/wpa_supplicant/dbus/dbus_new.c head/contrib/wpa/wpa_supplicant/dbus/dbus_new.h head/contrib/wpa/wpa_supplicant/dbus/dbus_new_handlers.c head/contrib/wpa/wpa_supplicant/dbus/dbus_new_handlers.h head/contrib/wpa/wpa_supplicant/dbus/dbus_new_handlers_p2p.c head/contrib/wpa/wpa_supplicant/dbus/dbus_new_handlers_p2p.h head/contrib/wpa/wpa_supplicant/dbus/dbus_new_handlers_wps.c head/contrib/wpa/wpa_supplicant/defconfig head/contrib/wpa/wpa_supplicant/dpp_supplicant.c head/contrib/wpa/wpa_supplicant/dpp_supplicant.h head/contrib/wpa/wpa_supplicant/driver_i.h head/contrib/wpa/wpa_supplicant/eapol_test.c head/contrib/wpa/wpa_supplicant/eapol_test.py head/contrib/wpa/wpa_supplicant/events.c head/contrib/wpa/wpa_supplicant/examples/dbus-listen-preq.py head/contrib/wpa/wpa_supplicant/examples/dpp-qrcode.py head/contrib/wpa/wpa_supplicant/examples/p2p-nfc.py head/contrib/wpa/wpa_supplicant/examples/p2p/p2p_connect.py head/contrib/wpa/wpa_supplicant/examples/p2p/p2p_disconnect.py head/contrib/wpa/wpa_supplicant/examples/p2p/p2p_find.py head/contrib/wpa/wpa_supplicant/examples/p2p/p2p_flush.py head/contrib/wpa/wpa_supplicant/examples/p2p/p2p_group_add.py head/contrib/wpa/wpa_supplicant/examples/p2p/p2p_invite.py head/contrib/wpa/wpa_supplicant/examples/p2p/p2p_listen.py head/contrib/wpa/wpa_supplicant/examples/p2p/p2p_stop_find.py head/contrib/wpa/wpa_supplicant/examples/wpas-dbus-new-getall.py head/contrib/wpa/wpa_supplicant/examples/wpas-dbus-new-signals.py head/contrib/wpa/wpa_supplicant/examples/wpas-dbus-new-wps.py head/contrib/wpa/wpa_supplicant/examples/wpas-dbus-new.py head/contrib/wpa/wpa_supplicant/examples/wps-nfc.py head/contrib/wpa/wpa_supplicant/gas_query.c head/contrib/wpa/wpa_supplicant/gas_query.h head/contrib/wpa/wpa_supplicant/hs20_supplicant.c head/contrib/wpa/wpa_supplicant/hs20_supplicant.h head/contrib/wpa/wpa_supplicant/ibss_rsn.c head/contrib/wpa/wpa_supplicant/interworking.c head/contrib/wpa/wpa_supplicant/main.c head/contrib/wpa/wpa_supplicant/mbo.c head/contrib/wpa/wpa_supplicant/mesh.c head/contrib/wpa/wpa_supplicant/mesh_mpm.c head/contrib/wpa/wpa_supplicant/mesh_rsn.c head/contrib/wpa/wpa_supplicant/notify.c head/contrib/wpa/wpa_supplicant/notify.h head/contrib/wpa/wpa_supplicant/op_classes.c head/contrib/wpa/wpa_supplicant/p2p_supplicant.c head/contrib/wpa/wpa_supplicant/p2p_supplicant.h head/contrib/wpa/wpa_supplicant/rrm.c head/contrib/wpa/wpa_supplicant/scan.c head/contrib/wpa/wpa_supplicant/sme.c head/contrib/wpa/wpa_supplicant/sme.h head/contrib/wpa/wpa_supplicant/systemd/wpa_supplicant.service.in head/contrib/wpa/wpa_supplicant/utils/log2pcap.py head/contrib/wpa/wpa_supplicant/wmm_ac.c head/contrib/wpa/wpa_supplicant/wnm_sta.c head/contrib/wpa/wpa_supplicant/wpa_cli.c head/contrib/wpa/wpa_supplicant/wpa_supplicant.c head/contrib/wpa/wpa_supplicant/wpa_supplicant.conf head/contrib/wpa/wpa_supplicant/wpa_supplicant_i.h head/contrib/wpa/wpa_supplicant/wpas_glue.c head/contrib/wpa/wpa_supplicant/wpas_kay.c head/contrib/wpa/wpa_supplicant/wps_supplicant.c head/contrib/wpa/wpa_supplicant/wps_supplicant.h head/usr.sbin/wpa/Makefile.crypto Directory Properties: head/contrib/wpa/ (props changed) Modified: head/contrib/wpa/CONTRIBUTIONS ============================================================================== --- head/contrib/wpa/CONTRIBUTIONS Tue Apr 23 03:19:03 2019 (r346590) +++ head/contrib/wpa/CONTRIBUTIONS Tue Apr 23 03:52:43 2019 (r346591) @@ -140,7 +140,7 @@ The license terms used for hostap.git files Modified BSD license (no advertisement clause): -Copyright (c) 2002-2018, Jouni Malinen <j@w1.fi> and contributors +Copyright (c) 2002-2019, Jouni Malinen <j@w1.fi> and contributors All Rights Reserved. Redistribution and use in source and binary forms, with or without Modified: head/contrib/wpa/COPYING ============================================================================== --- head/contrib/wpa/COPYING Tue Apr 23 03:19:03 2019 (r346590) +++ head/contrib/wpa/COPYING Tue Apr 23 03:52:43 2019 (r346591) @@ -1,7 +1,7 @@ wpa_supplicant and hostapd -------------------------- -Copyright (c) 2002-2018, Jouni Malinen <j@w1.fi> and contributors +Copyright (c) 2002-2019, Jouni Malinen <j@w1.fi> and contributors All Rights Reserved. Modified: head/contrib/wpa/README ============================================================================== --- head/contrib/wpa/README Tue Apr 23 03:19:03 2019 (r346590) +++ head/contrib/wpa/README Tue Apr 23 03:52:43 2019 (r346591) @@ -1,7 +1,7 @@ wpa_supplicant and hostapd -------------------------- -Copyright (c) 2002-2018, Jouni Malinen <j@w1.fi> and contributors +Copyright (c) 2002-2019, Jouni Malinen <j@w1.fi> and contributors All Rights Reserved. These programs are licensed under the BSD license (the one with Modified: head/contrib/wpa/hostapd/ChangeLog ============================================================================== --- head/contrib/wpa/hostapd/ChangeLog Tue Apr 23 03:19:03 2019 (r346590) +++ head/contrib/wpa/hostapd/ChangeLog Tue Apr 23 03:52:43 2019 (r346591) @@ -1,5 +1,60 @@ ChangeLog for hostapd +2019-04-21 - v2.8 + * SAE changes + - added support for SAE Password Identifier + - changed default configuration to enable only group 19 + (i.e., disable groups 20, 21, 25, 26 from default configuration) and + disable all unsuitable groups completely based on REVmd changes + - improved anti-clogging token mechanism and SAE authentication + frame processing during heavy CPU load; this mitigates some issues + with potential DoS attacks trying to flood an AP with large number + of SAE messages + - added Finite Cyclic Group field in status code 77 responses + - reject use of unsuitable groups based on new implementation guidance + in REVmd (allow only FFC groups with prime >= 3072 bits and ECC + groups with prime >= 256) + - minimize timing and memory use differences in PWE derivation + [https://w1.fi/security/2019-1/] (CVE-2019-9494) + - fixed confirm message validation in error cases + [https://w1.fi/security/2019-3/] (CVE-2019-9496) + * EAP-pwd changes + - minimize timing and memory use differences in PWE derivation + [https://w1.fi/security/2019-2/] (CVE-2019-9495) + - verify peer scalar/element + [https://w1.fi/security/2019-4/] (CVE-2019-9497 and CVE-2019-9498) + - fix message reassembly issue with unexpected fragment + [https://w1.fi/security/2019-5/] + - enforce rand,mask generation rules more strictly + - fix a memory leak in PWE derivation + - disallow ECC groups with a prime under 256 bits (groups 25, 26, and + 27) + * Hotspot 2.0 changes + - added support for release number 3 + - reject release 2 or newer association without PMF + * added support for RSN operating channel validation + (CONFIG_OCV=y and configuration parameter ocv=1) + * added Multi-AP protocol support + * added FTM responder configuration + * fixed build with LibreSSL + * added FT/RRB workaround for short Ethernet frame padding + * fixed KEK2 derivation for FILS+FT + * added RSSI-based association rejection from OCE + * extended beacon reporting functionality + * VLAN changes + - allow local VLAN management with remote RADIUS authentication + - add WPA/WPA2 passphrase/PSK -based VLAN assignment + * OpenSSL: allow systemwide policies to be overridden + * extended PEAP to derive EMSK to enable use with ERP/FILS + * extended WPS to allow SAE configuration to be added automatically + for PSK (wps_cred_add_sae=1) + * fixed FT and SA Query Action frame with AP-MLME-in-driver cases + * OWE: allow Diffie-Hellman Parameter element to be included with DPP + in preparation for DPP protocol extension + * RADIUS server: started to accept ERP keyName-NAI as user identity + automatically without matching EAP database entry + * fixed PTK rekeying with FILS and FT + 2018-12-02 - v2.7 * fixed WPA packet number reuse with replayed messages and key reinstallation Modified: head/contrib/wpa/hostapd/README ============================================================================== --- head/contrib/wpa/hostapd/README Tue Apr 23 03:19:03 2019 (r346590) +++ head/contrib/wpa/hostapd/README Tue Apr 23 03:52:43 2019 (r346591) @@ -2,7 +2,7 @@ hostapd - user space IEEE 802.11 AP and IEEE 802.1X/WP Authenticator and RADIUS authentication server ================================================================ -Copyright (c) 2002-2018, Jouni Malinen <j@w1.fi> and contributors +Copyright (c) 2002-2019, Jouni Malinen <j@w1.fi> and contributors All Rights Reserved. This program is licensed under the BSD license (the one with Copied: head/contrib/wpa/hostapd/README-MULTI-AP (from r346563, vendor/wpa/dist/hostapd/README-MULTI-AP) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/contrib/wpa/hostapd/README-MULTI-AP Tue Apr 23 03:52:43 2019 (r346591, copy of r346563, vendor/wpa/dist/hostapd/README-MULTI-AP) @@ -0,0 +1,160 @@ +hostapd, wpa_supplicant and the Multi-AP Specification +====================================================== + +This document describes how hostapd and wpa_supplicant can be configured to +support the Multi-AP Specification. + +Introduction to Multi-AP +------------------------ + +The Wi-Fi Alliance Multi-AP Specification is the technical specification for +Wi-Fi CERTIFIED EasyMesh(TM) [1], the Wi-Fi AllianceĀ® certification program for +Multi-AP. It defines control protocols between Wi-FiĀ® access points (APs) to +join them into a network with centralized control and operation. It is targeted +only at routers (repeaters, gateways, ...), not at clients. Clients are not +involved at all in the protocols. + +Most of the Multi-AP specification falls outside of the scope of +hostapd/wpa_supplicant. hostapd/wpa_supplicant is only involved for the items +summarized below. The rest of the protocol must be implemented by a separate +daemon, e.g., prplMesh [2]. That daemon also needs to communicate with hostapd, +e.g., to get a list of associated clients, but this can be done using the normal +hostapd interfaces. + +hostapd/wpa_supplicant needs to be configured specifically to support: +- the WPS onboarding process; +- configuring backhaul links. + +The text below refers to "Multi-AP Specification v1.0" [3]. + + +Fronthaul and backhaul links +---------------------------- + +In a Multi-AP network, the central controller can configure the BSSs on the +devices that are joined into the network. These are called fronthaul BSSs. +From the point of view of hostapd, there is nothing special about these +fronthaul BSSs. + +In addition to fronthaul BSSs, the controller can also configure backhaul +links. A backhaul link is a link between two access point devices, giving +internet access to access point devices that don't have a wired link. The +Multi-AP specification doesn't dictate this, but typically the backhaul link +will be bridged into a LAN together with (one of) the fronthaul BSS(s) and the +wired Ethernet ports. + +A backhaul link must be treated specially by hostapd and wpa_supplicant. One +side of the backhaul link is configured through the Multi-AP protocol as the +"backhaul STA", i.e., the client side of the link. A backhaul STA is like any +station and is handled appropriately by wpa_supplicant, but two additional +features are required. It must send an additional information element in each +(Re)Association Request frame ([3], section 5.2, paragraph 4). In addition, it +must use 4-address mode for all frames sent over this link ([3], section 14). +Therefore, wpa_supplicant must be configured explicitly as the backhaul STA +role, by setting 'multi_ap_backhaul_sta=1' in the network configuration block +or when configuring the network profile through the control interface. When +'multi_ap_backhaul_sta=1', wpa_supplicant includes the Multi-AP IE in +(Re)Association Request frame and verifies that it is included in the +(Re)Association Response frame. If it is not, association fails. If it is, +wpa_supplicant sets 4-address mode for this interface through a driver +callback. + +The AP side of the backhaul link is called a "backhaul BSS". Such a BSS must +be handled specially by hostapd, because it must add an additional information +element in each (Re)Association Response frame, but only to stations that have +identified themselves as backhaul stations ([3], section 5.2, paragraph 5-6). +This is important because it is possible to use the same BSS and SSID for +fronthaul and backhaul at the same time. The additional information element must +only be used for frames sent to a backhaul STA, not to a normal STA. Also, +frames sent to a backhaul STA must use 4-address mode, while frames sent to a +normal STA (fronthaul, when it's a fronthaul and backhaul BSS) must use +3-address mode. + +A BSS is configured in Multi-AP mode in hostapd by setting the 'multi_ap' +configuration option to 1 (backhaul BSS), 2 (fronthaul BSS), or 3 +(simultaneous backhaul and fronthaul BSS). If this option is set, hostapd +parses the Multi-AP information element in the Association Request frame. If the +station is a backhaul STA and the BSS is configured as a backhaul BSS, +hostapd sets up 4-address mode. Since there may be multiple stations connected +simultaneously, and each of them has a different RA (receiver address), a VLAN +is created for each backhaul STA and it is automatically added to a bridge. +This is the same behavior as for WDS, and the relevant option ('bridge' or +'wds_bridge') applies here as well. + +If 'multi_ap' is 1 (backhaul BSS only), any station that tries to associate +without the Multi-AP information element will be denied. + +If 'multi_ap' is 2 (fronthaul BSS only), any station that tries to associate +with the Multi-AP information element will be denied. That is also the only +difference with 'multi_ap' set to 0: in the latter case, the Multi-AP +information element is simply ignored. + +In summary, this is the end-to-end behavior for a backhaul BSS (i.e., +multi_ap_backhaul_sta=1 in wpa_supplicant on STA, and multi_ap=1 or 3 in +hostapd on AP). Note that point 1 means that hostapd must not be configured +with WPS support on the backhaul BSS (multi_ap=1). hostapd does not check for +that. + +1. Backhaul BSS beacons do not advertise WPS support (other than that, nothing + Multi-AP specific). +2. STA sends Authentication frame (nothing Multi-AP specific). +3. AP sends Authentication frame (nothing Multi-AP specific). +4. STA sends Association Request frame with Multi-AP IE. +5. AP sends Association Response frame with Multi-AP IE. +6. STA and AP both use 4-address mode for Data frames. + + +WPS support +----------- + +WPS requires more special handling. WPS must only be advertised on fronthaul +BSSs, not on backhaul BSSs, so WPS should not be enabled on a backhaul-only +BSS in hostapd.conf. The WPS configuration purely works on the fronthaul BSS. +When a WPS M1 message has an additional subelement that indicates a request for +a Multi-AP backhaul link, hostapd must not respond with the normal fronthaul +BSS credentials; instead, it should respond with the (potentially different) +backhaul BSS credentials. + +To support this, hostapd has the 'multi_ap_backhaul_ssid', +'multi_ap_backhaul_wpa_psk' and 'multi_ap_backhaul_wpa_passphrase' options. +When these are set on an BSS with WPS, they are used instead of the normal +credentials when hostapd receives a WPS M1 message with the Multi-AP IE. Only +WPA2-Personal is supported in the Multi-AP specification, so there is no need +to specify authentication or encryption options. For the backhaul credentials, +per-device PSK is not supported. + +If the BSS is a simultaneous backhaul and fronthaul BSS, there is no need to +specify the backhaul credentials, since the backhaul and fronthaul credentials +are identical. + +To enable the Multi-AP backhaul STA feature when it performs WPS, a new +parameter has been introduced to the WPS_PBC control interface call. When this +"multi_ap=1" option is set, it adds the Multi-AP backhaul subelement to the +Association Request frame and the M1 message. It then configures the new network +profile with 'multi_ap_backhaul_sta=1'. Note that this means that if the AP does +not follow the Multi-AP specification, wpa_supplicant will fail to associate. + +In summary, this is the end-to-end behavior for WPS of a backhaul link (i.e., +multi_ap=1 option is given in the wps_pbc call on the STA side, and multi_ap=2 +and multi_ap_backhaul_ssid and either multi_ap_backhaul_wpa_psk or +multi_ap_backhaul_wpa_passphrase are set to the credentials of a backhaul BSS +in hostapd on Registrar AP). + +1. Fronthaul BSS Beacon frames advertise WPS support (nothing Multi-AP + specific). +2. Enrollee sends Authentication frame (nothing Multi-AP specific). +3. AP sends Authentication frame (nothing Multi-AP specific). +4. Enrollee sends Association Request frame with Multi-AP IE. +5. AP sends Association Response frame with Multi-AP IE. +6. Enrollee sends M1 with additional Multi-AP subelement. +7. AP sends M8 with backhaul instead of fronthaul credentials. +8. Enrollee sends Deauthentication frame. + + +References +---------- + +[1] https://www.wi-fi.org/discover-wi-fi/wi-fi-easymesh +[2] https://github.com/prplfoundation/prplMesh +[3] https://www.wi-fi.org/file/multi-ap-specification-v10 + (requires registration) Modified: head/contrib/wpa/hostapd/config_file.c ============================================================================== --- head/contrib/wpa/hostapd/config_file.c Tue Apr 23 03:19:03 2019 (r346590) +++ head/contrib/wpa/hostapd/config_file.c Tue Apr 23 03:52:43 2019 (r346591) @@ -37,7 +37,7 @@ static int hostapd_config_read_vlan_file(struct hostap const char *fname) { FILE *f; - char buf[128], *pos, *pos2; + char buf[128], *pos, *pos2, *pos3; int line = 0, vlan_id; struct hostapd_vlan *vlan; @@ -82,7 +82,10 @@ static int hostapd_config_read_vlan_file(struct hostap pos2 = pos; while (*pos2 != ' ' && *pos2 != '\t' && *pos2 != '\0') pos2++; - *pos2 = '\0'; + + if (*pos2 != '\0') + *(pos2++) = '\0'; + if (*pos == '\0' || os_strlen(pos) > IFNAMSIZ) { wpa_printf(MSG_ERROR, "Invalid VLAN ifname at line %d " "in '%s'", line, fname); @@ -90,6 +93,13 @@ static int hostapd_config_read_vlan_file(struct hostap return -1; } + while (*pos2 == ' ' || *pos2 == '\t') + pos2++; + pos3 = pos2; + while (*pos3 != ' ' && *pos3 != '\t' && *pos3 != '\0') + pos3++; + *pos3 = '\0'; + vlan = os_zalloc(sizeof(*vlan)); if (vlan == NULL) { wpa_printf(MSG_ERROR, "Out of memory while reading " @@ -102,6 +112,7 @@ static int hostapd_config_read_vlan_file(struct hostap vlan->vlan_desc.untagged = vlan_id; vlan->vlan_desc.notempty = !!vlan_id; os_strlcpy(vlan->ifname, pos, sizeof(vlan->ifname)); + os_strlcpy(vlan->bridge, pos2, sizeof(vlan->bridge)); vlan->next = bss->vlan; bss->vlan = vlan; } @@ -1368,6 +1379,30 @@ static int hostapd_config_vht_capab(struct hostapd_con #endif /* CONFIG_IEEE80211AC */ +#ifdef CONFIG_IEEE80211AX + +static u8 find_bit_offset(u8 val) +{ + u8 res = 0; + + for (; val; val >>= 1) { + if (val & 1) + break; + res++; + } + + return res; +} + + +static u8 set_he_cap(int val, u8 mask) +{ + return (u8) (mask & (val << find_bit_offset(mask))); +} + +#endif /* CONFIG_IEEE80211AX */ + + #ifdef CONFIG_INTERWORKING static int parse_roaming_consortium(struct hostapd_bss_config *bss, char *pos, int line) @@ -2254,10 +2289,16 @@ static unsigned int parse_tls_flags(const char *val) flags |= TLS_CONN_DISABLE_TIME_CHECKS; if (os_strstr(val, "[DISABLE-TLSv1.0]")) flags |= TLS_CONN_DISABLE_TLSv1_0; + if (os_strstr(val, "[ENABLE-TLSv1.0]")) + flags |= TLS_CONN_ENABLE_TLSv1_0; if (os_strstr(val, "[DISABLE-TLSv1.1]")) flags |= TLS_CONN_DISABLE_TLSv1_1; + if (os_strstr(val, "[ENABLE-TLSv1.1]")) + flags |= TLS_CONN_ENABLE_TLSv1_1; if (os_strstr(val, "[DISABLE-TLSv1.2]")) flags |= TLS_CONN_DISABLE_TLSv1_2; + if (os_strstr(val, "[ENABLE-TLSv1.2]")) + flags |= TLS_CONN_ENABLE_TLSv1_2; if (os_strstr(val, "[DISABLE-TLSv1.3]")) flags |= TLS_CONN_DISABLE_TLSv1_3; if (os_strstr(val, "[ENABLE-TLSv1.3]")) @@ -2292,6 +2333,14 @@ static int parse_sae_password(struct hostapd_bss_confi pos = pos2 + ETH_ALEN * 3 - 1; } + pos2 = os_strstr(pos, "|vlanid="); + if (pos2) { + if (!end) + end = pos2; + pos2 += 8; + pw->vlan_id = atoi(pos2); + } + pos2 = os_strstr(pos, "|id="); if (pos2) { if (!end) @@ -2476,8 +2525,22 @@ static int hostapd_config_fill(struct hostapd_config * } else if (os_strcmp(buf, "private_key_passwd") == 0) { os_free(bss->private_key_passwd); bss->private_key_passwd = os_strdup(pos); + } else if (os_strcmp(buf, "check_cert_subject") == 0) { + if (!pos[0]) { + wpa_printf(MSG_ERROR, "Line %d: unknown check_cert_subject '%s'", + line, pos); + return 1; + } + os_free(bss->check_cert_subject); + bss->check_cert_subject = os_strdup(pos); + if (!bss->check_cert_subject) + return 1; } else if (os_strcmp(buf, "check_crl") == 0) { bss->check_crl = atoi(pos); + } else if (os_strcmp(buf, "check_crl_strict") == 0) { + bss->check_crl_strict = atoi(pos); + } else if (os_strcmp(buf, "crl_reload_interval") == 0) { + bss->crl_reload_interval = atoi(pos); } else if (os_strcmp(buf, "tls_session_lifetime") == 0) { bss->tls_session_lifetime = atoi(pos); } else if (os_strcmp(buf, "tls_flags") == 0) { @@ -2494,6 +2557,9 @@ static int hostapd_config_fill(struct hostapd_config * } else if (os_strcmp(buf, "openssl_ciphers") == 0) { os_free(bss->openssl_ciphers); bss->openssl_ciphers = os_strdup(pos); + } else if (os_strcmp(buf, "openssl_ecdh_curves") == 0) { + os_free(bss->openssl_ecdh_curves); + bss->openssl_ecdh_curves = os_strdup(pos); } else if (os_strcmp(buf, "fragment_size") == 0) { bss->fragment_size = atoi(pos); #ifdef EAP_SERVER_FAST @@ -3070,9 +3136,10 @@ static int hostapd_config_fill(struct hostapd_config * * cause problems with the current implementation. * Since it is unlikely that this small numbers are * useful in real life scenarios, do not allow beacon - * period to be set below 15 TU. */ - if (val < 15 || val > 65535) { - wpa_printf(MSG_ERROR, "Line %d: invalid beacon_int %d (expected 15..65535)", + * period to be set below 10 TU. */ + if (val < 10 || val > 65535) { + wpa_printf(MSG_ERROR, + "Line %d: invalid beacon_int %d (expected 10..65535)", line, val); return 1; } @@ -3148,7 +3215,7 @@ static int hostapd_config_fill(struct hostapd_config * line, val); return 1; } - conf->send_probe_response = val; + bss->send_probe_response = val; } else if (os_strcmp(buf, "supported_rates") == 0) { if (hostapd_parse_intlist(&conf->supported_rates, pos)) { wpa_printf(MSG_ERROR, "Line %d: invalid rate list", @@ -3316,6 +3383,12 @@ static int hostapd_config_fill(struct hostapd_config * return 1; } #endif /* CONFIG_IEEE80211W */ +#ifdef CONFIG_OCV + } else if (os_strcmp(buf, "ocv") == 0) { + bss->ocv = atoi(pos); + if (bss->ocv && !bss->ieee80211w) + bss->ieee80211w = 1; +#endif /* CONFIG_OCV */ #ifdef CONFIG_IEEE80211N } else if (os_strcmp(buf, "ieee80211n") == 0) { conf->ieee80211n = atoi(pos); @@ -3369,6 +3442,90 @@ static int hostapd_config_fill(struct hostapd_config * conf->he_op.he_twt_required = atoi(pos); } else if (os_strcmp(buf, "he_rts_threshold") == 0) { conf->he_op.he_rts_threshold = atoi(pos); + } else if (os_strcmp(buf, "he_mu_edca_qos_info_param_count") == 0) { + conf->he_mu_edca.he_qos_info |= + set_he_cap(atoi(pos), HE_QOS_INFO_EDCA_PARAM_SET_COUNT); + } else if (os_strcmp(buf, "he_mu_edca_qos_info_q_ack") == 0) { + conf->he_mu_edca.he_qos_info |= + set_he_cap(atoi(pos), HE_QOS_INFO_Q_ACK); + } else if (os_strcmp(buf, "he_mu_edca_qos_info_queue_request") == 0) { + conf->he_mu_edca.he_qos_info |= + set_he_cap(atoi(pos), HE_QOS_INFO_QUEUE_REQUEST); + } else if (os_strcmp(buf, "he_mu_edca_qos_info_txop_request") == 0) { + conf->he_mu_edca.he_qos_info |= + set_he_cap(atoi(pos), HE_QOS_INFO_TXOP_REQUEST); + } else if (os_strcmp(buf, "he_mu_edca_ac_be_aifsn") == 0) { + conf->he_mu_edca.he_mu_ac_be_param[HE_MU_AC_PARAM_ACI_IDX] |= + set_he_cap(atoi(pos), HE_MU_AC_PARAM_AIFSN); + } else if (os_strcmp(buf, "he_mu_edca_ac_be_acm") == 0) { + conf->he_mu_edca.he_mu_ac_be_param[HE_MU_AC_PARAM_ACI_IDX] |= + set_he_cap(atoi(pos), HE_MU_AC_PARAM_ACM); + } else if (os_strcmp(buf, "he_mu_edca_ac_be_aci") == 0) { + conf->he_mu_edca.he_mu_ac_be_param[HE_MU_AC_PARAM_ACI_IDX] |= + set_he_cap(atoi(pos), HE_MU_AC_PARAM_ACI); + } else if (os_strcmp(buf, "he_mu_edca_ac_be_ecwmin") == 0) { + conf->he_mu_edca.he_mu_ac_be_param[HE_MU_AC_PARAM_ECW_IDX] |= + set_he_cap(atoi(pos), HE_MU_AC_PARAM_ECWMIN); + } else if (os_strcmp(buf, "he_mu_edca_ac_be_ecwmax") == 0) { + conf->he_mu_edca.he_mu_ac_be_param[HE_MU_AC_PARAM_ECW_IDX] |= + set_he_cap(atoi(pos), HE_MU_AC_PARAM_ECWMAX); + } else if (os_strcmp(buf, "he_mu_edca_ac_be_timer") == 0) { + conf->he_mu_edca.he_mu_ac_be_param[HE_MU_AC_PARAM_TIMER_IDX] = + atoi(pos) & 0xff; + } else if (os_strcmp(buf, "he_mu_edca_ac_bk_aifsn") == 0) { + conf->he_mu_edca.he_mu_ac_bk_param[HE_MU_AC_PARAM_ACI_IDX] |= + set_he_cap(atoi(pos), HE_MU_AC_PARAM_AIFSN); + } else if (os_strcmp(buf, "he_mu_edca_ac_bk_acm") == 0) { + conf->he_mu_edca.he_mu_ac_bk_param[HE_MU_AC_PARAM_ACI_IDX] |= + set_he_cap(atoi(pos), HE_MU_AC_PARAM_ACM); + } else if (os_strcmp(buf, "he_mu_edca_ac_bk_aci") == 0) { + conf->he_mu_edca.he_mu_ac_bk_param[HE_MU_AC_PARAM_ACI_IDX] |= + set_he_cap(atoi(pos), HE_MU_AC_PARAM_ACI); + } else if (os_strcmp(buf, "he_mu_edca_ac_bk_ecwmin") == 0) { + conf->he_mu_edca.he_mu_ac_bk_param[HE_MU_AC_PARAM_ECW_IDX] |= + set_he_cap(atoi(pos), HE_MU_AC_PARAM_ECWMIN); + } else if (os_strcmp(buf, "he_mu_edca_ac_bk_ecwmax") == 0) { + conf->he_mu_edca.he_mu_ac_bk_param[HE_MU_AC_PARAM_ECW_IDX] |= + set_he_cap(atoi(pos), HE_MU_AC_PARAM_ECWMAX); + } else if (os_strcmp(buf, "he_mu_edca_ac_bk_timer") == 0) { + conf->he_mu_edca.he_mu_ac_bk_param[HE_MU_AC_PARAM_TIMER_IDX] = + atoi(pos) & 0xff; + } else if (os_strcmp(buf, "he_mu_edca_ac_vi_aifsn") == 0) { + conf->he_mu_edca.he_mu_ac_vi_param[HE_MU_AC_PARAM_ACI_IDX] |= + set_he_cap(atoi(pos), HE_MU_AC_PARAM_AIFSN); + } else if (os_strcmp(buf, "he_mu_edca_ac_vi_acm") == 0) { + conf->he_mu_edca.he_mu_ac_vi_param[HE_MU_AC_PARAM_ACI_IDX] |= + set_he_cap(atoi(pos), HE_MU_AC_PARAM_ACM); + } else if (os_strcmp(buf, "he_mu_edca_ac_vi_aci") == 0) { + conf->he_mu_edca.he_mu_ac_vi_param[HE_MU_AC_PARAM_ACI_IDX] |= + set_he_cap(atoi(pos), HE_MU_AC_PARAM_ACI); + } else if (os_strcmp(buf, "he_mu_edca_ac_vi_ecwmin") == 0) { + conf->he_mu_edca.he_mu_ac_vi_param[HE_MU_AC_PARAM_ECW_IDX] |= + set_he_cap(atoi(pos), HE_MU_AC_PARAM_ECWMIN); + } else if (os_strcmp(buf, "he_mu_edca_ac_vi_ecwmax") == 0) { + conf->he_mu_edca.he_mu_ac_vi_param[HE_MU_AC_PARAM_ECW_IDX] |= + set_he_cap(atoi(pos), HE_MU_AC_PARAM_ECWMAX); + } else if (os_strcmp(buf, "he_mu_edca_ac_vi_timer") == 0) { + conf->he_mu_edca.he_mu_ac_vi_param[HE_MU_AC_PARAM_TIMER_IDX] = + atoi(pos) & 0xff; + } else if (os_strcmp(buf, "he_mu_edca_ac_vo_aifsn") == 0) { + conf->he_mu_edca.he_mu_ac_vo_param[HE_MU_AC_PARAM_ACI_IDX] |= + set_he_cap(atoi(pos), HE_MU_AC_PARAM_AIFSN); + } else if (os_strcmp(buf, "he_mu_edca_ac_vo_acm") == 0) { + conf->he_mu_edca.he_mu_ac_vo_param[HE_MU_AC_PARAM_ACI_IDX] |= + set_he_cap(atoi(pos), HE_MU_AC_PARAM_ACM); + } else if (os_strcmp(buf, "he_mu_edca_ac_vo_aci") == 0) { + conf->he_mu_edca.he_mu_ac_vo_param[HE_MU_AC_PARAM_ACI_IDX] |= + set_he_cap(atoi(pos), HE_MU_AC_PARAM_ACI); + } else if (os_strcmp(buf, "he_mu_edca_ac_vo_ecwmin") == 0) { + conf->he_mu_edca.he_mu_ac_vo_param[HE_MU_AC_PARAM_ECW_IDX] |= + set_he_cap(atoi(pos), HE_MU_AC_PARAM_ECWMIN); + } else if (os_strcmp(buf, "he_mu_edca_ac_vo_ecwmax") == 0) { + conf->he_mu_edca.he_mu_ac_vo_param[HE_MU_AC_PARAM_ECW_IDX] |= + set_he_cap(atoi(pos), HE_MU_AC_PARAM_ECWMAX); + } else if (os_strcmp(buf, "he_mu_edca_ac_vo_timer") == 0) { + conf->he_mu_edca.he_mu_ac_vo_param[HE_MU_AC_PARAM_TIMER_IDX] = + atoi(pos) & 0xff; #endif /* CONFIG_IEEE80211AX */ } else if (os_strcmp(buf, "max_listen_interval") == 0) { bss->max_listen_interval = atoi(pos); @@ -3466,6 +3623,8 @@ static int hostapd_config_fill(struct hostapd_config * } } else if (os_strcmp(buf, "wps_cred_processing") == 0) { bss->wps_cred_processing = atoi(pos); + } else if (os_strcmp(buf, "wps_cred_add_sae") == 0) { + bss->wps_cred_add_sae = atoi(pos); } else if (os_strcmp(buf, "ap_settings") == 0) { os_free(bss->ap_settings); bss->ap_settings = @@ -3475,6 +3634,56 @@ static int hostapd_config_fill(struct hostapd_config * line, pos); return 1; } + } else if (os_strcmp(buf, "multi_ap_backhaul_ssid") == 0) { + size_t slen; + char *str = wpa_config_parse_string(pos, &slen); + + if (!str || slen < 1 || slen > SSID_MAX_LEN) { + wpa_printf(MSG_ERROR, "Line %d: invalid SSID '%s'", + line, pos); + os_free(str); + return 1; + } + os_memcpy(bss->multi_ap_backhaul_ssid.ssid, str, slen); + bss->multi_ap_backhaul_ssid.ssid_len = slen; + bss->multi_ap_backhaul_ssid.ssid_set = 1; + os_free(str); + } else if (os_strcmp(buf, "multi_ap_backhaul_wpa_passphrase") == 0) { + int len = os_strlen(pos); + + if (len < 8 || len > 63) { + wpa_printf(MSG_ERROR, + "Line %d: invalid WPA passphrase length %d (expected 8..63)", + line, len); + return 1; + } + os_free(bss->multi_ap_backhaul_ssid.wpa_passphrase); + bss->multi_ap_backhaul_ssid.wpa_passphrase = os_strdup(pos); + if (bss->multi_ap_backhaul_ssid.wpa_passphrase) { + hostapd_config_clear_wpa_psk( + &bss->multi_ap_backhaul_ssid.wpa_psk); + bss->multi_ap_backhaul_ssid.wpa_passphrase_set = 1; + } + } else if (os_strcmp(buf, "multi_ap_backhaul_wpa_psk") == 0) { + hostapd_config_clear_wpa_psk( + &bss->multi_ap_backhaul_ssid.wpa_psk); + bss->multi_ap_backhaul_ssid.wpa_psk = + os_zalloc(sizeof(struct hostapd_wpa_psk)); + if (!bss->multi_ap_backhaul_ssid.wpa_psk) + return 1; + if (hexstr2bin(pos, bss->multi_ap_backhaul_ssid.wpa_psk->psk, + PMK_LEN) || + pos[PMK_LEN * 2] != '\0') { + wpa_printf(MSG_ERROR, "Line %d: Invalid PSK '%s'.", + line, pos); + hostapd_config_clear_wpa_psk( + &bss->multi_ap_backhaul_ssid.wpa_psk); + return 1; + } + bss->multi_ap_backhaul_ssid.wpa_psk->group = 1; + os_free(bss->multi_ap_backhaul_ssid.wpa_passphrase); + bss->multi_ap_backhaul_ssid.wpa_passphrase = NULL; + bss->multi_ap_backhaul_ssid.wpa_psk_set = 1; } else if (os_strcmp(buf, "upnp_iface") == 0) { os_free(bss->upnp_iface); bss->upnp_iface = os_strdup(pos); @@ -3717,6 +3926,16 @@ static int hostapd_config_fill(struct hostapd_config * #ifdef CONFIG_HS20 } else if (os_strcmp(buf, "hs20") == 0) { bss->hs20 = atoi(pos); + } else if (os_strcmp(buf, "hs20_release") == 0) { + int val = atoi(pos); + + if (val < 1 || val > (HS20_VERSION >> 4) + 1) { + wpa_printf(MSG_ERROR, + "Line %d: Unsupported hs20_release: %s", + line, pos); + return 1; + } + bss->hs20_release = val; } else if (os_strcmp(buf, "disable_dgaf") == 0) { bss->disable_dgaf = atoi(pos); } else if (os_strcmp(buf, "na_mcast_to_ucast") == 0) { @@ -3807,6 +4026,9 @@ static int hostapd_config_fill(struct hostapd_config * } else if (os_strcmp(buf, "hs20_t_c_server_url") == 0) { os_free(bss->t_c_server_url); bss->t_c_server_url = os_strdup(pos); + } else if (os_strcmp(buf, "hs20_sim_provisioning_url") == 0) { + os_free(bss->hs20_sim_provisioning_url); + bss->hs20_sim_provisioning_url = os_strdup(pos); #endif /* CONFIG_HS20 */ #ifdef CONFIG_MBO } else if (os_strcmp(buf, "mbo") == 0) { @@ -4111,6 +4333,22 @@ static int hostapd_config_fill(struct hostapd_config * } else if (os_strcmp(buf, "coloc_intf_reporting") == 0) { bss->coloc_intf_reporting = atoi(pos); #endif /* CONFIG_OWE */ + } else if (os_strcmp(buf, "multi_ap") == 0) { + int val = atoi(pos); + + if (val < 0 || val > 3) { + wpa_printf(MSG_ERROR, "Line %d: Invalid multi_ap '%s'", + line, buf); + return -1; + } + + bss->multi_ap = val; + } else if (os_strcmp(buf, "rssi_reject_assoc_rssi") == 0) { + conf->rssi_reject_assoc_rssi = atoi(pos); + } else if (os_strcmp(buf, "rssi_reject_assoc_timeout") == 0) { + conf->rssi_reject_assoc_timeout = atoi(pos); + } else if (os_strcmp(buf, "pbss") == 0) { + bss->pbss = atoi(pos); } else { wpa_printf(MSG_ERROR, "Line %d: unknown configuration item '%s'", Modified: head/contrib/wpa/hostapd/ctrl_iface.c ============================================================================== --- head/contrib/wpa/hostapd/ctrl_iface.c Tue Apr 23 03:19:03 2019 (r346590) +++ head/contrib/wpa/hostapd/ctrl_iface.c Tue Apr 23 03:52:43 2019 (r346591) @@ -883,7 +883,7 @@ static int hostapd_ctrl_iface_bss_tm_req(struct hostap /* TODO: TSF configurable/learnable */ bss_term_dur[0] = 4; /* Subelement ID */ bss_term_dur[1] = 10; /* Length */ - os_memset(bss_term_dur, 2, 8); + os_memset(&bss_term_dur[2], 0, 8); end = os_strchr(pos, ','); if (end == NULL) { wpa_printf(MSG_DEBUG, "Invalid bss_term data"); @@ -1488,6 +1488,63 @@ static int hostapd_ctrl_iface_disable(struct hostapd_i } +static int +hostapd_ctrl_iface_kick_mismatch_psk_sta_iter(struct hostapd_data *hapd, + struct sta_info *sta, void *ctx) +{ + struct hostapd_wpa_psk *psk; + const u8 *pmk; + int pmk_len; + int pmk_match; + int sta_match; + int bss_match; + int reason; + + pmk = wpa_auth_get_pmk(sta->wpa_sm, &pmk_len); + + for (psk = hapd->conf->ssid.wpa_psk; pmk && psk; psk = psk->next) { + pmk_match = PMK_LEN == pmk_len && + os_memcmp(psk->psk, pmk, pmk_len) == 0; + sta_match = psk->group == 0 && + os_memcmp(sta->addr, psk->addr, ETH_ALEN) == 0; + bss_match = psk->group == 1; + + if (pmk_match && (sta_match || bss_match)) + return 0; + } + + wpa_printf(MSG_INFO, "STA " MACSTR + " PSK/passphrase no longer valid - disconnect", + MAC2STR(sta->addr)); + reason = WLAN_REASON_PREV_AUTH_NOT_VALID; + hostapd_drv_sta_deauth(hapd, sta->addr, reason); + ap_sta_deauthenticate(hapd, sta, reason); + + return 0; +} + + +static int hostapd_ctrl_iface_reload_wpa_psk(struct hostapd_data *hapd) +{ + struct hostapd_bss_config *conf = hapd->conf; + int err; + + hostapd_config_clear_wpa_psk(&conf->ssid.wpa_psk); + + err = hostapd_setup_wpa_psk(conf); + if (err < 0) { + wpa_printf(MSG_ERROR, "Reloading WPA-PSK passwords failed: %d", + err); + return -1; + } + + ap_for_each_sta(hapd, hostapd_ctrl_iface_kick_mismatch_psk_sta_iter, + NULL); + + return 0; +} + + #ifdef CONFIG_TESTING_OPTIONS static int hostapd_ctrl_iface_radar(struct hostapd_data *hapd, char *cmd) @@ -2826,6 +2883,34 @@ static int hostapd_ctrl_iface_acl_add_mac(struct mac_a } +static int hostapd_ctrl_iface_get_capability(struct hostapd_data *hapd, + const char *field, char *buf, + size_t buflen) +{ + wpa_printf(MSG_DEBUG, "CTRL_IFACE: GET_CAPABILITY '%s'", field); + +#ifdef CONFIG_DPP + if (os_strcmp(field, "dpp") == 0) { + int res; + +#ifdef CONFIG_DPP2 + res = os_snprintf(buf, buflen, "DPP=2"); +#else /* CONFIG_DPP2 */ + res = os_snprintf(buf, buflen, "DPP=1"); +#endif /* CONFIG_DPP2 */ + if (os_snprintf_error(buflen, res)) + return -1; + return res; + } +#endif /* CONFIG_DPP */ + + wpa_printf(MSG_DEBUG, "CTRL_IFACE: Unknown GET_CAPABILITY field '%s'", + field); + + return -1; +} + + static int hostapd_ctrl_iface_receive_process(struct hostapd_data *hapd, char *buf, char *reply, int reply_size, @@ -3013,6 +3098,9 @@ static int hostapd_ctrl_iface_receive_process(struct h } else if (os_strncmp(buf, "ENABLE", 6) == 0) { if (hostapd_ctrl_iface_enable(hapd->iface)) reply_len = -1; + } else if (os_strcmp(buf, "RELOAD_WPA_PSK") == 0) { + if (hostapd_ctrl_iface_reload_wpa_psk(hapd)) + reply_len = -1; } else if (os_strncmp(buf, "RELOAD", 6) == 0) { if (hostapd_ctrl_iface_reload(hapd->iface)) reply_len = -1; @@ -3182,7 +3270,7 @@ static int hostapd_ctrl_iface_receive_process(struct h reply_len = -1; } } else if (os_strncmp(buf, "DPP_BOOTSTRAP_GEN ", 18) == 0) { - res = hostapd_dpp_bootstrap_gen(hapd, buf + 18); + res = dpp_bootstrap_gen(hapd->iface->interfaces->dpp, buf + 18); if (res < 0) { reply_len = -1; } else { @@ -3191,12 +3279,14 @@ static int hostapd_ctrl_iface_receive_process(struct h reply_len = -1; } } else if (os_strncmp(buf, "DPP_BOOTSTRAP_REMOVE ", 21) == 0) { - if (hostapd_dpp_bootstrap_remove(hapd, buf + 21) < 0) + if (dpp_bootstrap_remove(hapd->iface->interfaces->dpp, + buf + 21) < 0) reply_len = -1; } else if (os_strncmp(buf, "DPP_BOOTSTRAP_GET_URI ", 22) == 0) { const char *uri; - uri = hostapd_dpp_bootstrap_get_uri(hapd, atoi(buf + 22)); + uri = dpp_bootstrap_get_uri(hapd->iface->interfaces->dpp, + atoi(buf + 22)); if (!uri) { reply_len = -1; } else { @@ -3205,8 +3295,9 @@ static int hostapd_ctrl_iface_receive_process(struct h reply_len = -1; } } else if (os_strncmp(buf, "DPP_BOOTSTRAP_INFO ", 19) == 0) { - reply_len = hostapd_dpp_bootstrap_info(hapd, atoi(buf + 19), - reply, reply_size); + reply_len = dpp_bootstrap_info(hapd->iface->interfaces->dpp, + atoi(buf + 19), + reply, reply_size); } else if (os_strncmp(buf, "DPP_AUTH_INIT ", 14) == 0) { if (hostapd_dpp_auth_init(hapd, buf + 13) < 0) reply_len = -1; @@ -3217,7 +3308,8 @@ static int hostapd_ctrl_iface_receive_process(struct h hostapd_dpp_stop(hapd); hostapd_dpp_listen_stop(hapd); } else if (os_strncmp(buf, "DPP_CONFIGURATOR_ADD", 20) == 0) { - res = hostapd_dpp_configurator_add(hapd, buf + 20); + res = dpp_configurator_add(hapd->iface->interfaces->dpp, + buf + 20); if (res < 0) { reply_len = -1; } else { @@ -3226,15 +3318,17 @@ static int hostapd_ctrl_iface_receive_process(struct h reply_len = -1; } } else if (os_strncmp(buf, "DPP_CONFIGURATOR_REMOVE ", 24) == 0) { - if (hostapd_dpp_configurator_remove(hapd, buf + 24) < 0) + if (dpp_configurator_remove(hapd->iface->interfaces->dpp, + buf + 24) < 0) reply_len = -1; } else if (os_strncmp(buf, "DPP_CONFIGURATOR_SIGN ", 22) == 0) { - if (hostapd_dpp_configurator_sign(hapd, buf + 22) < 0) + if (hostapd_dpp_configurator_sign(hapd, buf + 21) < 0) reply_len = -1; } else if (os_strncmp(buf, "DPP_CONFIGURATOR_GET_KEY ", 25) == 0) { - reply_len = hostapd_dpp_configurator_get_key(hapd, - atoi(buf + 25), - reply, reply_size); + reply_len = dpp_configurator_get_key_id( + hapd->iface->interfaces->dpp, + atoi(buf + 25), + reply, reply_size); } else if (os_strncmp(buf, "DPP_PKEX_ADD ", 13) == 0) { res = hostapd_dpp_pkex_add(hapd, buf + 12); if (res < 0) { @@ -3253,6 +3347,9 @@ static int hostapd_ctrl_iface_receive_process(struct h if (radius_server_dac_request(hapd->radius_srv, buf + 12) < 0) reply_len = -1; #endif /* RADIUS_SERVER */ + } else if (os_strncmp(buf, "GET_CAPABILITY ", 15) == 0) { + reply_len = hostapd_ctrl_iface_get_capability( + hapd, buf + 15, reply, reply_size); } else { os_memcpy(reply, "UNKNOWN COMMAND\n", 16); reply_len = 16; @@ -3506,18 +3603,18 @@ fail: } if (hapd->conf->ctrl_interface_gid_set && - chown(hapd->conf->ctrl_interface, -1, - hapd->conf->ctrl_interface_gid) < 0) { - wpa_printf(MSG_ERROR, "chown[ctrl_interface]: %s", + lchown(hapd->conf->ctrl_interface, -1, + hapd->conf->ctrl_interface_gid) < 0) { + wpa_printf(MSG_ERROR, "lchown[ctrl_interface]: %s", strerror(errno)); return -1; } if (!hapd->conf->ctrl_interface_gid_set && hapd->iface->interfaces->ctrl_iface_group && - chown(hapd->conf->ctrl_interface, -1, - hapd->iface->interfaces->ctrl_iface_group) < 0) { - wpa_printf(MSG_ERROR, "chown[ctrl_interface]: %s", + lchown(hapd->conf->ctrl_interface, -1, + hapd->iface->interfaces->ctrl_iface_group) < 0) { + wpa_printf(MSG_ERROR, "lchown[ctrl_interface]: %s", strerror(errno)); return -1; } @@ -3590,16 +3687,16 @@ fail: } if (hapd->conf->ctrl_interface_gid_set && - chown(fname, -1, hapd->conf->ctrl_interface_gid) < 0) { - wpa_printf(MSG_ERROR, "chown[ctrl_interface/ifname]: %s", + lchown(fname, -1, hapd->conf->ctrl_interface_gid) < 0) { + wpa_printf(MSG_ERROR, "lchown[ctrl_interface/ifname]: %s", strerror(errno)); goto fail; } if (!hapd->conf->ctrl_interface_gid_set && hapd->iface->interfaces->ctrl_iface_group && - chown(fname, -1, hapd->iface->interfaces->ctrl_iface_group) < 0) { - wpa_printf(MSG_ERROR, "chown[ctrl_interface/ifname]: %s", + lchown(fname, -1, hapd->iface->interfaces->ctrl_iface_group) < 0) { + wpa_printf(MSG_ERROR, "lchown[ctrl_interface/ifname]: %s", strerror(errno)); goto fail; } @@ -3733,7 +3830,7 @@ static void hostapd_ctrl_iface_flush(struct hapd_inter #endif /* CONFIG_TESTING_OPTIONS */ #ifdef CONFIG_DPP - hostapd_dpp_deinit_global(interfaces); + dpp_global_clear(interfaces->dpp); #endif /* CONFIG_DPP */ } @@ -4273,9 +4370,9 @@ fail: goto fail; } } else if (interface->ctrl_iface_group && - chown(interface->global_iface_path, -1, - interface->ctrl_iface_group) < 0) { - wpa_printf(MSG_ERROR, "chown[ctrl_interface]: %s", + lchown(interface->global_iface_path, -1, + interface->ctrl_iface_group) < 0) { + wpa_printf(MSG_ERROR, "lchown[ctrl_interface]: %s", strerror(errno)); goto fail; } @@ -4332,8 +4429,8 @@ fail: } if (interface->ctrl_iface_group && - chown(fname, -1, interface->ctrl_iface_group) < 0) { - wpa_printf(MSG_ERROR, "chown[ctrl_interface]: %s", + lchown(fname, -1, interface->ctrl_iface_group) < 0) { + wpa_printf(MSG_ERROR, "lchown[ctrl_interface]: %s", strerror(errno)); goto fail; } Modified: head/contrib/wpa/hostapd/defconfig ============================================================================== --- head/contrib/wpa/hostapd/defconfig Tue Apr 23 03:19:03 2019 (r346590) +++ head/contrib/wpa/hostapd/defconfig Tue Apr 23 03:52:43 2019 (r346591) @@ -53,6 +53,9 @@ CONFIG_RSN_PREAUTH=y # IEEE 802.11w (management frame protection) CONFIG_IEEE80211W=y +# Support Operating Channel Validation +#CONFIG_OCV=y + # Integrated EAP server CONFIG_EAP=y @@ -249,6 +252,11 @@ CONFIG_IPV6=y # requirements described above. #CONFIG_NO_RANDOM_POOL=y +# Should we attempt to use the getrandom(2) call that provides more reliable +# yet secure randomness source than /dev/random on Linux 3.17 and newer. +# Requires glibc 2.25 to build, falls back to /dev/random if unavailable. +#CONFIG_GETRANDOM=y + # Should we use poll instead of select? Select is used by default. #CONFIG_ELOOP_POLL=y @@ -356,8 +364,6 @@ CONFIG_IPV6=y #CONFIG_TAXONOMY=y # Fast Initial Link Setup (FILS) (IEEE 802.11ai) -# Note: This is an experimental and not yet complete implementation. This -# should not be enabled for production use. #CONFIG_FILS=y # FILS shared key authentication with PFS #CONFIG_FILS_SK_PFS=y Modified: head/contrib/wpa/hostapd/hostapd.conf ============================================================================== --- head/contrib/wpa/hostapd/hostapd.conf Tue Apr 23 03:19:03 2019 (r346590) +++ head/contrib/wpa/hostapd/hostapd.conf Tue Apr 23 03:52:43 2019 (r346591) @@ -438,6 +438,13 @@ wmm_ac_vo_txop_limit=47 wmm_ac_vo_acm=0 # Note: for IEEE 802.11b mode: cWmin=3 cWmax=4 burst=102 +# Enable Multi-AP functionality +# 0 = disabled (default) +# 1 = AP support backhaul BSS +# 2 = AP support fronthaul BSS +# 3 = AP supports both backhaul BSS and fronthaul BSS +#multi_ap=0 + # Static WEP key configuration # # The key number to use when transmitting. @@ -794,6 +801,30 @@ wmm_ac_vo_acm=0 # unsigned integer = duration in units of 16 us #he_rts_threshold=0 +#he_mu_edca_qos_info_param_count +#he_mu_edca_qos_info_q_ack +#he_mu_edca_qos_info_queue_request=1 +#he_mu_edca_qos_info_txop_request +#he_mu_edca_ac_be_aifsn=0 +#he_mu_edca_ac_be_ecwmin=15 +#he_mu_edca_ac_be_ecwmax=15 +#he_mu_edca_ac_be_timer=255 +#he_mu_edca_ac_bk_aifsn=0 +#he_mu_edca_ac_bk_aci=1 +#he_mu_edca_ac_bk_ecwmin=15 +#he_mu_edca_ac_bk_ecwmax=15 +#he_mu_edca_ac_bk_timer=255 *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201904230352.x3N3qi4l074089>