svn commit: r346591 - in head: contrib/wpa contrib/wpa/hostapd contrib/wpa/hs20/client contrib/wpa/src/ap contrib/wpa/src/common contrib/wpa/src/crypto contrib/wpa/src/drivers contrib/wpa/src/eap_c...
Cy Schubert
cy at FreeBSD.org
Tue Apr 23 03:52:46 UTC 2019
Author: cy
Date: Tue Apr 23 03:52:43 2019
New Revision: 346591
URL: https://svnweb.freebsd.org/changeset/base/346591
Log:
MFV r346563:
Update wpa_supplicant/hostapd 2.7 --> 2.8
Upstream documents the following advisories:
- https://w1.fi/security/2019-1/sae-side-channel-attacks.txt
- https://w1.fi/security/2019-2/eap-pwd-side-channel-attack.txt
- https://w1.fi/security/2019-3/sae-confirm-missing-state-validation.txt
- https://w1.fi/security/2019-4/eap-pwd-missing-commit-validation.txt
- https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-\
with-unexpected-fragment.txt
Relnotes: yes
MFC after: 1 week (or less)
Security: CVE-2019-9494, VU#871675, CVE-2019-9495, CVE-2019-9496,
CVE-2019-9497, CVE-2019-9498, CVE-2019-9499
Added:
head/contrib/wpa/hostapd/README-MULTI-AP
- copied unchanged from r346563, vendor/wpa/dist/hostapd/README-MULTI-AP
head/contrib/wpa/src/common/ocv.c
- copied unchanged from r346563, vendor/wpa/dist/src/common/ocv.c
head/contrib/wpa/src/common/ocv.h
- copied unchanged from r346563, vendor/wpa/dist/src/common/ocv.h
head/contrib/wpa/src/crypto/sha512.c
- copied unchanged from r346563, vendor/wpa/dist/src/crypto/sha512.c
head/contrib/wpa/src/utils/const_time.h
- copied unchanged from r346563, vendor/wpa/dist/src/utils/const_time.h
head/contrib/wpa/wpa_supplicant/README-DPP
- copied unchanged from r346563, vendor/wpa/dist/wpa_supplicant/README-DPP
Deleted:
head/contrib/wpa/wpa_supplicant/dbus/dbus_old.c
head/contrib/wpa/wpa_supplicant/dbus/dbus_old.h
head/contrib/wpa/wpa_supplicant/dbus/dbus_old_handlers.c
head/contrib/wpa/wpa_supplicant/dbus/dbus_old_handlers.h
head/contrib/wpa/wpa_supplicant/dbus/dbus_old_handlers_wps.c
head/contrib/wpa/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in
head/contrib/wpa/wpa_supplicant/examples/wpas-test.py
Modified:
head/contrib/wpa/CONTRIBUTIONS
head/contrib/wpa/COPYING
head/contrib/wpa/README
head/contrib/wpa/hostapd/ChangeLog
head/contrib/wpa/hostapd/README
head/contrib/wpa/hostapd/config_file.c
head/contrib/wpa/hostapd/ctrl_iface.c
head/contrib/wpa/hostapd/defconfig
head/contrib/wpa/hostapd/hostapd.conf
head/contrib/wpa/hostapd/hostapd.wpa_psk
head/contrib/wpa/hostapd/hostapd_cli.c
head/contrib/wpa/hostapd/main.c
head/contrib/wpa/hostapd/wps-ap-nfc.py
head/contrib/wpa/hs20/client/Makefile
head/contrib/wpa/hs20/client/est.c
head/contrib/wpa/hs20/client/osu_client.c
head/contrib/wpa/src/ap/acs.c
head/contrib/wpa/src/ap/ap_config.c
head/contrib/wpa/src/ap/ap_config.h
head/contrib/wpa/src/ap/ap_drv_ops.h
head/contrib/wpa/src/ap/authsrv.c
head/contrib/wpa/src/ap/beacon.c
head/contrib/wpa/src/ap/ctrl_iface_ap.c
head/contrib/wpa/src/ap/dfs.c
head/contrib/wpa/src/ap/dhcp_snoop.c
head/contrib/wpa/src/ap/dpp_hostapd.c
head/contrib/wpa/src/ap/dpp_hostapd.h
head/contrib/wpa/src/ap/drv_callbacks.c
head/contrib/wpa/src/ap/eap_user_db.c
head/contrib/wpa/src/ap/fils_hlp.c
head/contrib/wpa/src/ap/hostapd.c
head/contrib/wpa/src/ap/hostapd.h
head/contrib/wpa/src/ap/hs20.c
head/contrib/wpa/src/ap/hw_features.c
head/contrib/wpa/src/ap/ieee802_11.c
head/contrib/wpa/src/ap/ieee802_11.h
head/contrib/wpa/src/ap/ieee802_11_auth.c
head/contrib/wpa/src/ap/ieee802_11_he.c
head/contrib/wpa/src/ap/ieee802_11_shared.c
head/contrib/wpa/src/ap/ieee802_11_vht.c
head/contrib/wpa/src/ap/ieee802_1x.c
head/contrib/wpa/src/ap/neighbor_db.c
head/contrib/wpa/src/ap/neighbor_db.h
head/contrib/wpa/src/ap/rrm.c
head/contrib/wpa/src/ap/sta_info.c
head/contrib/wpa/src/ap/sta_info.h
head/contrib/wpa/src/ap/vlan_full.c
head/contrib/wpa/src/ap/vlan_init.c
head/contrib/wpa/src/ap/wnm_ap.c
head/contrib/wpa/src/ap/wpa_auth.c
head/contrib/wpa/src/ap/wpa_auth.h
head/contrib/wpa/src/ap/wpa_auth_ft.c
head/contrib/wpa/src/ap/wpa_auth_glue.c
head/contrib/wpa/src/ap/wpa_auth_i.h
head/contrib/wpa/src/ap/wpa_auth_ie.c
head/contrib/wpa/src/ap/wpa_auth_ie.h
head/contrib/wpa/src/ap/wps_hostapd.c
head/contrib/wpa/src/common/common_module_tests.c
head/contrib/wpa/src/common/defs.h
head/contrib/wpa/src/common/dpp.c
head/contrib/wpa/src/common/dpp.h
head/contrib/wpa/src/common/hw_features_common.c
head/contrib/wpa/src/common/hw_features_common.h
head/contrib/wpa/src/common/ieee802_11_common.c
head/contrib/wpa/src/common/ieee802_11_common.h
head/contrib/wpa/src/common/ieee802_11_defs.h
head/contrib/wpa/src/common/qca-vendor.h
head/contrib/wpa/src/common/sae.c
head/contrib/wpa/src/common/sae.h
head/contrib/wpa/src/common/version.h
head/contrib/wpa/src/common/wpa_common.c
head/contrib/wpa/src/common/wpa_common.h
head/contrib/wpa/src/common/wpa_ctrl.c
head/contrib/wpa/src/crypto/aes-internal-enc.c
head/contrib/wpa/src/crypto/crypto.h
head/contrib/wpa/src/crypto/crypto_gnutls.c
head/contrib/wpa/src/crypto/crypto_internal-modexp.c
head/contrib/wpa/src/crypto/crypto_internal.c
head/contrib/wpa/src/crypto/crypto_libtomcrypt.c
head/contrib/wpa/src/crypto/crypto_linux.c
head/contrib/wpa/src/crypto/crypto_nettle.c
head/contrib/wpa/src/crypto/crypto_openssl.c
head/contrib/wpa/src/crypto/crypto_wolfssl.c
head/contrib/wpa/src/crypto/dh_groups.c
head/contrib/wpa/src/crypto/md4-internal.c
head/contrib/wpa/src/crypto/random.c
head/contrib/wpa/src/crypto/sha1-tlsprf.c
head/contrib/wpa/src/crypto/sha512-internal.c
head/contrib/wpa/src/crypto/tls.h
head/contrib/wpa/src/crypto/tls_gnutls.c
head/contrib/wpa/src/crypto/tls_internal.c
head/contrib/wpa/src/crypto/tls_none.c
head/contrib/wpa/src/crypto/tls_openssl.c
head/contrib/wpa/src/crypto/tls_wolfssl.c
head/contrib/wpa/src/drivers/driver.h
head/contrib/wpa/src/drivers/driver_bsd.c
head/contrib/wpa/src/drivers/driver_common.c
head/contrib/wpa/src/drivers/driver_macsec_linux.c
head/contrib/wpa/src/drivers/driver_nl80211.h
head/contrib/wpa/src/drivers/driver_nl80211_capa.c
head/contrib/wpa/src/drivers/driver_nl80211_event.c
head/contrib/wpa/src/drivers/driver_nl80211_scan.c
head/contrib/wpa/src/drivers/driver_openbsd.c
head/contrib/wpa/src/eap_common/eap_eke_common.c
head/contrib/wpa/src/eap_common/eap_pwd_common.c
head/contrib/wpa/src/eap_common/eap_pwd_common.h
head/contrib/wpa/src/eap_common/eap_sake_common.c
head/contrib/wpa/src/eap_common/eap_sake_common.h
head/contrib/wpa/src/eap_peer/eap_config.h
head/contrib/wpa/src/eap_peer/eap_fast.c
head/contrib/wpa/src/eap_peer/eap_mschapv2.c
head/contrib/wpa/src/eap_peer/eap_peap.c
head/contrib/wpa/src/eap_peer/eap_pwd.c
head/contrib/wpa/src/eap_peer/eap_sake.c
head/contrib/wpa/src/eap_peer/eap_tls.c
head/contrib/wpa/src/eap_peer/eap_tls_common.c
head/contrib/wpa/src/eap_peer/eap_tls_common.h
head/contrib/wpa/src/eap_peer/eap_ttls.c
head/contrib/wpa/src/eap_peer/eap_wsc.c
head/contrib/wpa/src/eap_server/eap.h
head/contrib/wpa/src/eap_server/eap_i.h
head/contrib/wpa/src/eap_server/eap_server.c
head/contrib/wpa/src/eap_server/eap_server_aka.c
head/contrib/wpa/src/eap_server/eap_server_gpsk.c
head/contrib/wpa/src/eap_server/eap_server_mschapv2.c
head/contrib/wpa/src/eap_server/eap_server_pax.c
head/contrib/wpa/src/eap_server/eap_server_peap.c
head/contrib/wpa/src/eap_server/eap_server_pwd.c
head/contrib/wpa/src/eap_server/eap_server_sake.c
head/contrib/wpa/src/eap_server/eap_server_sim.c
head/contrib/wpa/src/eap_server/eap_server_tls.c
head/contrib/wpa/src/eap_server/eap_server_tls_common.c
head/contrib/wpa/src/eap_server/eap_server_ttls.c
head/contrib/wpa/src/eap_server/eap_tls_common.h
head/contrib/wpa/src/eapol_supp/eapol_supp_sm.c
head/contrib/wpa/src/fst/fst.h
head/contrib/wpa/src/p2p/p2p.c
head/contrib/wpa/src/p2p/p2p.h
head/contrib/wpa/src/p2p/p2p_build.c
head/contrib/wpa/src/p2p/p2p_group.c
head/contrib/wpa/src/p2p/p2p_i.h
head/contrib/wpa/src/p2p/p2p_invitation.c
head/contrib/wpa/src/p2p/p2p_utils.c
head/contrib/wpa/src/pae/ieee802_1x_cp.c
head/contrib/wpa/src/pae/ieee802_1x_cp.h
head/contrib/wpa/src/pae/ieee802_1x_kay.c
head/contrib/wpa/src/pae/ieee802_1x_kay.h
head/contrib/wpa/src/pae/ieee802_1x_kay_i.h
head/contrib/wpa/src/pae/ieee802_1x_key.c
head/contrib/wpa/src/pae/ieee802_1x_key.h
head/contrib/wpa/src/pae/ieee802_1x_secy_ops.c
head/contrib/wpa/src/pae/ieee802_1x_secy_ops.h
head/contrib/wpa/src/radius/radius_client.c
head/contrib/wpa/src/radius/radius_server.c
head/contrib/wpa/src/radius/radius_server.h
head/contrib/wpa/src/rsn_supp/pmksa_cache.c
head/contrib/wpa/src/rsn_supp/tdls.c
head/contrib/wpa/src/rsn_supp/wpa.c
head/contrib/wpa/src/rsn_supp/wpa.h
head/contrib/wpa/src/rsn_supp/wpa_ft.c
head/contrib/wpa/src/rsn_supp/wpa_i.h
head/contrib/wpa/src/rsn_supp/wpa_ie.c
head/contrib/wpa/src/rsn_supp/wpa_ie.h
head/contrib/wpa/src/tls/asn1.c
head/contrib/wpa/src/tls/bignum.c
head/contrib/wpa/src/tls/tlsv1_client.c
head/contrib/wpa/src/tls/tlsv1_client.h
head/contrib/wpa/src/tls/tlsv1_client_read.c
head/contrib/wpa/src/tls/tlsv1_client_write.c
head/contrib/wpa/src/tls/tlsv1_server.c
head/contrib/wpa/src/tls/tlsv1_server.h
head/contrib/wpa/src/tls/tlsv1_server_i.h
head/contrib/wpa/src/tls/tlsv1_server_read.c
head/contrib/wpa/src/tls/tlsv1_server_write.c
head/contrib/wpa/src/tls/x509v3.c
head/contrib/wpa/src/utils/base64.c
head/contrib/wpa/src/utils/browser.c
head/contrib/wpa/src/utils/common.c
head/contrib/wpa/src/utils/common.h
head/contrib/wpa/src/utils/eloop.c
head/contrib/wpa/src/utils/http_curl.c
head/contrib/wpa/src/utils/json.c
head/contrib/wpa/src/utils/list.h
head/contrib/wpa/src/utils/os_internal.c
head/contrib/wpa/src/utils/os_none.c
head/contrib/wpa/src/utils/os_unix.c
head/contrib/wpa/src/utils/utils_module_tests.c
head/contrib/wpa/src/utils/wpa_debug.c
head/contrib/wpa/src/wps/wps.c
head/contrib/wpa/src/wps/wps.h
head/contrib/wpa/src/wps/wps_attr_build.c
head/contrib/wpa/src/wps/wps_attr_parse.c
head/contrib/wpa/src/wps/wps_attr_parse.h
head/contrib/wpa/src/wps/wps_common.c
head/contrib/wpa/src/wps/wps_defs.h
head/contrib/wpa/src/wps/wps_dev_attr.c
head/contrib/wpa/src/wps/wps_dev_attr.h
head/contrib/wpa/src/wps/wps_enrollee.c
head/contrib/wpa/src/wps/wps_er.c
head/contrib/wpa/src/wps/wps_i.h
head/contrib/wpa/src/wps/wps_registrar.c
head/contrib/wpa/src/wps/wps_upnp.c
head/contrib/wpa/src/wps/wps_validate.c
head/contrib/wpa/wpa_supplicant/Android.mk
head/contrib/wpa/wpa_supplicant/ChangeLog
head/contrib/wpa/wpa_supplicant/README
head/contrib/wpa/wpa_supplicant/README-P2P
head/contrib/wpa/wpa_supplicant/android.config
head/contrib/wpa/wpa_supplicant/ap.c
head/contrib/wpa/wpa_supplicant/bss.c
head/contrib/wpa/wpa_supplicant/bss.h
head/contrib/wpa/wpa_supplicant/config.c
head/contrib/wpa/wpa_supplicant/config.h
head/contrib/wpa/wpa_supplicant/config_file.c
head/contrib/wpa/wpa_supplicant/config_ssid.h
head/contrib/wpa/wpa_supplicant/ctrl_iface.c
head/contrib/wpa/wpa_supplicant/ctrl_iface_unix.c
head/contrib/wpa/wpa_supplicant/dbus/Makefile
head/contrib/wpa/wpa_supplicant/dbus/dbus-wpa_supplicant.conf
head/contrib/wpa/wpa_supplicant/dbus/dbus_common.c
head/contrib/wpa/wpa_supplicant/dbus/dbus_new.c
head/contrib/wpa/wpa_supplicant/dbus/dbus_new.h
head/contrib/wpa/wpa_supplicant/dbus/dbus_new_handlers.c
head/contrib/wpa/wpa_supplicant/dbus/dbus_new_handlers.h
head/contrib/wpa/wpa_supplicant/dbus/dbus_new_handlers_p2p.c
head/contrib/wpa/wpa_supplicant/dbus/dbus_new_handlers_p2p.h
head/contrib/wpa/wpa_supplicant/dbus/dbus_new_handlers_wps.c
head/contrib/wpa/wpa_supplicant/defconfig
head/contrib/wpa/wpa_supplicant/dpp_supplicant.c
head/contrib/wpa/wpa_supplicant/dpp_supplicant.h
head/contrib/wpa/wpa_supplicant/driver_i.h
head/contrib/wpa/wpa_supplicant/eapol_test.c
head/contrib/wpa/wpa_supplicant/eapol_test.py
head/contrib/wpa/wpa_supplicant/events.c
head/contrib/wpa/wpa_supplicant/examples/dbus-listen-preq.py
head/contrib/wpa/wpa_supplicant/examples/dpp-qrcode.py
head/contrib/wpa/wpa_supplicant/examples/p2p-nfc.py
head/contrib/wpa/wpa_supplicant/examples/p2p/p2p_connect.py
head/contrib/wpa/wpa_supplicant/examples/p2p/p2p_disconnect.py
head/contrib/wpa/wpa_supplicant/examples/p2p/p2p_find.py
head/contrib/wpa/wpa_supplicant/examples/p2p/p2p_flush.py
head/contrib/wpa/wpa_supplicant/examples/p2p/p2p_group_add.py
head/contrib/wpa/wpa_supplicant/examples/p2p/p2p_invite.py
head/contrib/wpa/wpa_supplicant/examples/p2p/p2p_listen.py
head/contrib/wpa/wpa_supplicant/examples/p2p/p2p_stop_find.py
head/contrib/wpa/wpa_supplicant/examples/wpas-dbus-new-getall.py
head/contrib/wpa/wpa_supplicant/examples/wpas-dbus-new-signals.py
head/contrib/wpa/wpa_supplicant/examples/wpas-dbus-new-wps.py
head/contrib/wpa/wpa_supplicant/examples/wpas-dbus-new.py
head/contrib/wpa/wpa_supplicant/examples/wps-nfc.py
head/contrib/wpa/wpa_supplicant/gas_query.c
head/contrib/wpa/wpa_supplicant/gas_query.h
head/contrib/wpa/wpa_supplicant/hs20_supplicant.c
head/contrib/wpa/wpa_supplicant/hs20_supplicant.h
head/contrib/wpa/wpa_supplicant/ibss_rsn.c
head/contrib/wpa/wpa_supplicant/interworking.c
head/contrib/wpa/wpa_supplicant/main.c
head/contrib/wpa/wpa_supplicant/mbo.c
head/contrib/wpa/wpa_supplicant/mesh.c
head/contrib/wpa/wpa_supplicant/mesh_mpm.c
head/contrib/wpa/wpa_supplicant/mesh_rsn.c
head/contrib/wpa/wpa_supplicant/notify.c
head/contrib/wpa/wpa_supplicant/notify.h
head/contrib/wpa/wpa_supplicant/op_classes.c
head/contrib/wpa/wpa_supplicant/p2p_supplicant.c
head/contrib/wpa/wpa_supplicant/p2p_supplicant.h
head/contrib/wpa/wpa_supplicant/rrm.c
head/contrib/wpa/wpa_supplicant/scan.c
head/contrib/wpa/wpa_supplicant/sme.c
head/contrib/wpa/wpa_supplicant/sme.h
head/contrib/wpa/wpa_supplicant/systemd/wpa_supplicant.service.in
head/contrib/wpa/wpa_supplicant/utils/log2pcap.py
head/contrib/wpa/wpa_supplicant/wmm_ac.c
head/contrib/wpa/wpa_supplicant/wnm_sta.c
head/contrib/wpa/wpa_supplicant/wpa_cli.c
head/contrib/wpa/wpa_supplicant/wpa_supplicant.c
head/contrib/wpa/wpa_supplicant/wpa_supplicant.conf
head/contrib/wpa/wpa_supplicant/wpa_supplicant_i.h
head/contrib/wpa/wpa_supplicant/wpas_glue.c
head/contrib/wpa/wpa_supplicant/wpas_kay.c
head/contrib/wpa/wpa_supplicant/wps_supplicant.c
head/contrib/wpa/wpa_supplicant/wps_supplicant.h
head/usr.sbin/wpa/Makefile.crypto
Directory Properties:
head/contrib/wpa/ (props changed)
Modified: head/contrib/wpa/CONTRIBUTIONS
==============================================================================
--- head/contrib/wpa/CONTRIBUTIONS Tue Apr 23 03:19:03 2019 (r346590)
+++ head/contrib/wpa/CONTRIBUTIONS Tue Apr 23 03:52:43 2019 (r346591)
@@ -140,7 +140,7 @@ The license terms used for hostap.git files
Modified BSD license (no advertisement clause):
-Copyright (c) 2002-2018, Jouni Malinen <j at w1.fi> and contributors
+Copyright (c) 2002-2019, Jouni Malinen <j at w1.fi> and contributors
All Rights Reserved.
Redistribution and use in source and binary forms, with or without
Modified: head/contrib/wpa/COPYING
==============================================================================
--- head/contrib/wpa/COPYING Tue Apr 23 03:19:03 2019 (r346590)
+++ head/contrib/wpa/COPYING Tue Apr 23 03:52:43 2019 (r346591)
@@ -1,7 +1,7 @@
wpa_supplicant and hostapd
--------------------------
-Copyright (c) 2002-2018, Jouni Malinen <j at w1.fi> and contributors
+Copyright (c) 2002-2019, Jouni Malinen <j at w1.fi> and contributors
All Rights Reserved.
Modified: head/contrib/wpa/README
==============================================================================
--- head/contrib/wpa/README Tue Apr 23 03:19:03 2019 (r346590)
+++ head/contrib/wpa/README Tue Apr 23 03:52:43 2019 (r346591)
@@ -1,7 +1,7 @@
wpa_supplicant and hostapd
--------------------------
-Copyright (c) 2002-2018, Jouni Malinen <j at w1.fi> and contributors
+Copyright (c) 2002-2019, Jouni Malinen <j at w1.fi> and contributors
All Rights Reserved.
These programs are licensed under the BSD license (the one with
Modified: head/contrib/wpa/hostapd/ChangeLog
==============================================================================
--- head/contrib/wpa/hostapd/ChangeLog Tue Apr 23 03:19:03 2019 (r346590)
+++ head/contrib/wpa/hostapd/ChangeLog Tue Apr 23 03:52:43 2019 (r346591)
@@ -1,5 +1,60 @@
ChangeLog for hostapd
+2019-04-21 - v2.8
+ * SAE changes
+ - added support for SAE Password Identifier
+ - changed default configuration to enable only group 19
+ (i.e., disable groups 20, 21, 25, 26 from default configuration) and
+ disable all unsuitable groups completely based on REVmd changes
+ - improved anti-clogging token mechanism and SAE authentication
+ frame processing during heavy CPU load; this mitigates some issues
+ with potential DoS attacks trying to flood an AP with large number
+ of SAE messages
+ - added Finite Cyclic Group field in status code 77 responses
+ - reject use of unsuitable groups based on new implementation guidance
+ in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
+ groups with prime >= 256)
+ - minimize timing and memory use differences in PWE derivation
+ [https://w1.fi/security/2019-1/] (CVE-2019-9494)
+ - fixed confirm message validation in error cases
+ [https://w1.fi/security/2019-3/] (CVE-2019-9496)
+ * EAP-pwd changes
+ - minimize timing and memory use differences in PWE derivation
+ [https://w1.fi/security/2019-2/] (CVE-2019-9495)
+ - verify peer scalar/element
+ [https://w1.fi/security/2019-4/] (CVE-2019-9497 and CVE-2019-9498)
+ - fix message reassembly issue with unexpected fragment
+ [https://w1.fi/security/2019-5/]
+ - enforce rand,mask generation rules more strictly
+ - fix a memory leak in PWE derivation
+ - disallow ECC groups with a prime under 256 bits (groups 25, 26, and
+ 27)
+ * Hotspot 2.0 changes
+ - added support for release number 3
+ - reject release 2 or newer association without PMF
+ * added support for RSN operating channel validation
+ (CONFIG_OCV=y and configuration parameter ocv=1)
+ * added Multi-AP protocol support
+ * added FTM responder configuration
+ * fixed build with LibreSSL
+ * added FT/RRB workaround for short Ethernet frame padding
+ * fixed KEK2 derivation for FILS+FT
+ * added RSSI-based association rejection from OCE
+ * extended beacon reporting functionality
+ * VLAN changes
+ - allow local VLAN management with remote RADIUS authentication
+ - add WPA/WPA2 passphrase/PSK -based VLAN assignment
+ * OpenSSL: allow systemwide policies to be overridden
+ * extended PEAP to derive EMSK to enable use with ERP/FILS
+ * extended WPS to allow SAE configuration to be added automatically
+ for PSK (wps_cred_add_sae=1)
+ * fixed FT and SA Query Action frame with AP-MLME-in-driver cases
+ * OWE: allow Diffie-Hellman Parameter element to be included with DPP
+ in preparation for DPP protocol extension
+ * RADIUS server: started to accept ERP keyName-NAI as user identity
+ automatically without matching EAP database entry
+ * fixed PTK rekeying with FILS and FT
+
2018-12-02 - v2.7
* fixed WPA packet number reuse with replayed messages and key
reinstallation
Modified: head/contrib/wpa/hostapd/README
==============================================================================
--- head/contrib/wpa/hostapd/README Tue Apr 23 03:19:03 2019 (r346590)
+++ head/contrib/wpa/hostapd/README Tue Apr 23 03:52:43 2019 (r346591)
@@ -2,7 +2,7 @@ hostapd - user space IEEE 802.11 AP and IEEE 802.1X/WP
Authenticator and RADIUS authentication server
================================================================
-Copyright (c) 2002-2018, Jouni Malinen <j at w1.fi> and contributors
+Copyright (c) 2002-2019, Jouni Malinen <j at w1.fi> and contributors
All Rights Reserved.
This program is licensed under the BSD license (the one with
Copied: head/contrib/wpa/hostapd/README-MULTI-AP (from r346563, vendor/wpa/dist/hostapd/README-MULTI-AP)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/contrib/wpa/hostapd/README-MULTI-AP Tue Apr 23 03:52:43 2019 (r346591, copy of r346563, vendor/wpa/dist/hostapd/README-MULTI-AP)
@@ -0,0 +1,160 @@
+hostapd, wpa_supplicant and the Multi-AP Specification
+======================================================
+
+This document describes how hostapd and wpa_supplicant can be configured to
+support the Multi-AP Specification.
+
+Introduction to Multi-AP
+------------------------
+
+The Wi-Fi Alliance Multi-AP Specification is the technical specification for
+Wi-Fi CERTIFIED EasyMesh(TM) [1], the Wi-Fi Alliance® certification program for
+Multi-AP. It defines control protocols between Wi-Fi® access points (APs) to
+join them into a network with centralized control and operation. It is targeted
+only at routers (repeaters, gateways, ...), not at clients. Clients are not
+involved at all in the protocols.
+
+Most of the Multi-AP specification falls outside of the scope of
+hostapd/wpa_supplicant. hostapd/wpa_supplicant is only involved for the items
+summarized below. The rest of the protocol must be implemented by a separate
+daemon, e.g., prplMesh [2]. That daemon also needs to communicate with hostapd,
+e.g., to get a list of associated clients, but this can be done using the normal
+hostapd interfaces.
+
+hostapd/wpa_supplicant needs to be configured specifically to support:
+- the WPS onboarding process;
+- configuring backhaul links.
+
+The text below refers to "Multi-AP Specification v1.0" [3].
+
+
+Fronthaul and backhaul links
+----------------------------
+
+In a Multi-AP network, the central controller can configure the BSSs on the
+devices that are joined into the network. These are called fronthaul BSSs.
+From the point of view of hostapd, there is nothing special about these
+fronthaul BSSs.
+
+In addition to fronthaul BSSs, the controller can also configure backhaul
+links. A backhaul link is a link between two access point devices, giving
+internet access to access point devices that don't have a wired link. The
+Multi-AP specification doesn't dictate this, but typically the backhaul link
+will be bridged into a LAN together with (one of) the fronthaul BSS(s) and the
+wired Ethernet ports.
+
+A backhaul link must be treated specially by hostapd and wpa_supplicant. One
+side of the backhaul link is configured through the Multi-AP protocol as the
+"backhaul STA", i.e., the client side of the link. A backhaul STA is like any
+station and is handled appropriately by wpa_supplicant, but two additional
+features are required. It must send an additional information element in each
+(Re)Association Request frame ([3], section 5.2, paragraph 4). In addition, it
+must use 4-address mode for all frames sent over this link ([3], section 14).
+Therefore, wpa_supplicant must be configured explicitly as the backhaul STA
+role, by setting 'multi_ap_backhaul_sta=1' in the network configuration block
+or when configuring the network profile through the control interface. When
+'multi_ap_backhaul_sta=1', wpa_supplicant includes the Multi-AP IE in
+(Re)Association Request frame and verifies that it is included in the
+(Re)Association Response frame. If it is not, association fails. If it is,
+wpa_supplicant sets 4-address mode for this interface through a driver
+callback.
+
+The AP side of the backhaul link is called a "backhaul BSS". Such a BSS must
+be handled specially by hostapd, because it must add an additional information
+element in each (Re)Association Response frame, but only to stations that have
+identified themselves as backhaul stations ([3], section 5.2, paragraph 5-6).
+This is important because it is possible to use the same BSS and SSID for
+fronthaul and backhaul at the same time. The additional information element must
+only be used for frames sent to a backhaul STA, not to a normal STA. Also,
+frames sent to a backhaul STA must use 4-address mode, while frames sent to a
+normal STA (fronthaul, when it's a fronthaul and backhaul BSS) must use
+3-address mode.
+
+A BSS is configured in Multi-AP mode in hostapd by setting the 'multi_ap'
+configuration option to 1 (backhaul BSS), 2 (fronthaul BSS), or 3
+(simultaneous backhaul and fronthaul BSS). If this option is set, hostapd
+parses the Multi-AP information element in the Association Request frame. If the
+station is a backhaul STA and the BSS is configured as a backhaul BSS,
+hostapd sets up 4-address mode. Since there may be multiple stations connected
+simultaneously, and each of them has a different RA (receiver address), a VLAN
+is created for each backhaul STA and it is automatically added to a bridge.
+This is the same behavior as for WDS, and the relevant option ('bridge' or
+'wds_bridge') applies here as well.
+
+If 'multi_ap' is 1 (backhaul BSS only), any station that tries to associate
+without the Multi-AP information element will be denied.
+
+If 'multi_ap' is 2 (fronthaul BSS only), any station that tries to associate
+with the Multi-AP information element will be denied. That is also the only
+difference with 'multi_ap' set to 0: in the latter case, the Multi-AP
+information element is simply ignored.
+
+In summary, this is the end-to-end behavior for a backhaul BSS (i.e.,
+multi_ap_backhaul_sta=1 in wpa_supplicant on STA, and multi_ap=1 or 3 in
+hostapd on AP). Note that point 1 means that hostapd must not be configured
+with WPS support on the backhaul BSS (multi_ap=1). hostapd does not check for
+that.
+
+1. Backhaul BSS beacons do not advertise WPS support (other than that, nothing
+ Multi-AP specific).
+2. STA sends Authentication frame (nothing Multi-AP specific).
+3. AP sends Authentication frame (nothing Multi-AP specific).
+4. STA sends Association Request frame with Multi-AP IE.
+5. AP sends Association Response frame with Multi-AP IE.
+6. STA and AP both use 4-address mode for Data frames.
+
+
+WPS support
+-----------
+
+WPS requires more special handling. WPS must only be advertised on fronthaul
+BSSs, not on backhaul BSSs, so WPS should not be enabled on a backhaul-only
+BSS in hostapd.conf. The WPS configuration purely works on the fronthaul BSS.
+When a WPS M1 message has an additional subelement that indicates a request for
+a Multi-AP backhaul link, hostapd must not respond with the normal fronthaul
+BSS credentials; instead, it should respond with the (potentially different)
+backhaul BSS credentials.
+
+To support this, hostapd has the 'multi_ap_backhaul_ssid',
+'multi_ap_backhaul_wpa_psk' and 'multi_ap_backhaul_wpa_passphrase' options.
+When these are set on an BSS with WPS, they are used instead of the normal
+credentials when hostapd receives a WPS M1 message with the Multi-AP IE. Only
+WPA2-Personal is supported in the Multi-AP specification, so there is no need
+to specify authentication or encryption options. For the backhaul credentials,
+per-device PSK is not supported.
+
+If the BSS is a simultaneous backhaul and fronthaul BSS, there is no need to
+specify the backhaul credentials, since the backhaul and fronthaul credentials
+are identical.
+
+To enable the Multi-AP backhaul STA feature when it performs WPS, a new
+parameter has been introduced to the WPS_PBC control interface call. When this
+"multi_ap=1" option is set, it adds the Multi-AP backhaul subelement to the
+Association Request frame and the M1 message. It then configures the new network
+profile with 'multi_ap_backhaul_sta=1'. Note that this means that if the AP does
+not follow the Multi-AP specification, wpa_supplicant will fail to associate.
+
+In summary, this is the end-to-end behavior for WPS of a backhaul link (i.e.,
+multi_ap=1 option is given in the wps_pbc call on the STA side, and multi_ap=2
+and multi_ap_backhaul_ssid and either multi_ap_backhaul_wpa_psk or
+multi_ap_backhaul_wpa_passphrase are set to the credentials of a backhaul BSS
+in hostapd on Registrar AP).
+
+1. Fronthaul BSS Beacon frames advertise WPS support (nothing Multi-AP
+ specific).
+2. Enrollee sends Authentication frame (nothing Multi-AP specific).
+3. AP sends Authentication frame (nothing Multi-AP specific).
+4. Enrollee sends Association Request frame with Multi-AP IE.
+5. AP sends Association Response frame with Multi-AP IE.
+6. Enrollee sends M1 with additional Multi-AP subelement.
+7. AP sends M8 with backhaul instead of fronthaul credentials.
+8. Enrollee sends Deauthentication frame.
+
+
+References
+----------
+
+[1] https://www.wi-fi.org/discover-wi-fi/wi-fi-easymesh
+[2] https://github.com/prplfoundation/prplMesh
+[3] https://www.wi-fi.org/file/multi-ap-specification-v10
+ (requires registration)
Modified: head/contrib/wpa/hostapd/config_file.c
==============================================================================
--- head/contrib/wpa/hostapd/config_file.c Tue Apr 23 03:19:03 2019 (r346590)
+++ head/contrib/wpa/hostapd/config_file.c Tue Apr 23 03:52:43 2019 (r346591)
@@ -37,7 +37,7 @@ static int hostapd_config_read_vlan_file(struct hostap
const char *fname)
{
FILE *f;
- char buf[128], *pos, *pos2;
+ char buf[128], *pos, *pos2, *pos3;
int line = 0, vlan_id;
struct hostapd_vlan *vlan;
@@ -82,7 +82,10 @@ static int hostapd_config_read_vlan_file(struct hostap
pos2 = pos;
while (*pos2 != ' ' && *pos2 != '\t' && *pos2 != '\0')
pos2++;
- *pos2 = '\0';
+
+ if (*pos2 != '\0')
+ *(pos2++) = '\0';
+
if (*pos == '\0' || os_strlen(pos) > IFNAMSIZ) {
wpa_printf(MSG_ERROR, "Invalid VLAN ifname at line %d "
"in '%s'", line, fname);
@@ -90,6 +93,13 @@ static int hostapd_config_read_vlan_file(struct hostap
return -1;
}
+ while (*pos2 == ' ' || *pos2 == '\t')
+ pos2++;
+ pos3 = pos2;
+ while (*pos3 != ' ' && *pos3 != '\t' && *pos3 != '\0')
+ pos3++;
+ *pos3 = '\0';
+
vlan = os_zalloc(sizeof(*vlan));
if (vlan == NULL) {
wpa_printf(MSG_ERROR, "Out of memory while reading "
@@ -102,6 +112,7 @@ static int hostapd_config_read_vlan_file(struct hostap
vlan->vlan_desc.untagged = vlan_id;
vlan->vlan_desc.notempty = !!vlan_id;
os_strlcpy(vlan->ifname, pos, sizeof(vlan->ifname));
+ os_strlcpy(vlan->bridge, pos2, sizeof(vlan->bridge));
vlan->next = bss->vlan;
bss->vlan = vlan;
}
@@ -1368,6 +1379,30 @@ static int hostapd_config_vht_capab(struct hostapd_con
#endif /* CONFIG_IEEE80211AC */
+#ifdef CONFIG_IEEE80211AX
+
+static u8 find_bit_offset(u8 val)
+{
+ u8 res = 0;
+
+ for (; val; val >>= 1) {
+ if (val & 1)
+ break;
+ res++;
+ }
+
+ return res;
+}
+
+
+static u8 set_he_cap(int val, u8 mask)
+{
+ return (u8) (mask & (val << find_bit_offset(mask)));
+}
+
+#endif /* CONFIG_IEEE80211AX */
+
+
#ifdef CONFIG_INTERWORKING
static int parse_roaming_consortium(struct hostapd_bss_config *bss, char *pos,
int line)
@@ -2254,10 +2289,16 @@ static unsigned int parse_tls_flags(const char *val)
flags |= TLS_CONN_DISABLE_TIME_CHECKS;
if (os_strstr(val, "[DISABLE-TLSv1.0]"))
flags |= TLS_CONN_DISABLE_TLSv1_0;
+ if (os_strstr(val, "[ENABLE-TLSv1.0]"))
+ flags |= TLS_CONN_ENABLE_TLSv1_0;
if (os_strstr(val, "[DISABLE-TLSv1.1]"))
flags |= TLS_CONN_DISABLE_TLSv1_1;
+ if (os_strstr(val, "[ENABLE-TLSv1.1]"))
+ flags |= TLS_CONN_ENABLE_TLSv1_1;
if (os_strstr(val, "[DISABLE-TLSv1.2]"))
flags |= TLS_CONN_DISABLE_TLSv1_2;
+ if (os_strstr(val, "[ENABLE-TLSv1.2]"))
+ flags |= TLS_CONN_ENABLE_TLSv1_2;
if (os_strstr(val, "[DISABLE-TLSv1.3]"))
flags |= TLS_CONN_DISABLE_TLSv1_3;
if (os_strstr(val, "[ENABLE-TLSv1.3]"))
@@ -2292,6 +2333,14 @@ static int parse_sae_password(struct hostapd_bss_confi
pos = pos2 + ETH_ALEN * 3 - 1;
}
+ pos2 = os_strstr(pos, "|vlanid=");
+ if (pos2) {
+ if (!end)
+ end = pos2;
+ pos2 += 8;
+ pw->vlan_id = atoi(pos2);
+ }
+
pos2 = os_strstr(pos, "|id=");
if (pos2) {
if (!end)
@@ -2476,8 +2525,22 @@ static int hostapd_config_fill(struct hostapd_config *
} else if (os_strcmp(buf, "private_key_passwd") == 0) {
os_free(bss->private_key_passwd);
bss->private_key_passwd = os_strdup(pos);
+ } else if (os_strcmp(buf, "check_cert_subject") == 0) {
+ if (!pos[0]) {
+ wpa_printf(MSG_ERROR, "Line %d: unknown check_cert_subject '%s'",
+ line, pos);
+ return 1;
+ }
+ os_free(bss->check_cert_subject);
+ bss->check_cert_subject = os_strdup(pos);
+ if (!bss->check_cert_subject)
+ return 1;
} else if (os_strcmp(buf, "check_crl") == 0) {
bss->check_crl = atoi(pos);
+ } else if (os_strcmp(buf, "check_crl_strict") == 0) {
+ bss->check_crl_strict = atoi(pos);
+ } else if (os_strcmp(buf, "crl_reload_interval") == 0) {
+ bss->crl_reload_interval = atoi(pos);
} else if (os_strcmp(buf, "tls_session_lifetime") == 0) {
bss->tls_session_lifetime = atoi(pos);
} else if (os_strcmp(buf, "tls_flags") == 0) {
@@ -2494,6 +2557,9 @@ static int hostapd_config_fill(struct hostapd_config *
} else if (os_strcmp(buf, "openssl_ciphers") == 0) {
os_free(bss->openssl_ciphers);
bss->openssl_ciphers = os_strdup(pos);
+ } else if (os_strcmp(buf, "openssl_ecdh_curves") == 0) {
+ os_free(bss->openssl_ecdh_curves);
+ bss->openssl_ecdh_curves = os_strdup(pos);
} else if (os_strcmp(buf, "fragment_size") == 0) {
bss->fragment_size = atoi(pos);
#ifdef EAP_SERVER_FAST
@@ -3070,9 +3136,10 @@ static int hostapd_config_fill(struct hostapd_config *
* cause problems with the current implementation.
* Since it is unlikely that this small numbers are
* useful in real life scenarios, do not allow beacon
- * period to be set below 15 TU. */
- if (val < 15 || val > 65535) {
- wpa_printf(MSG_ERROR, "Line %d: invalid beacon_int %d (expected 15..65535)",
+ * period to be set below 10 TU. */
+ if (val < 10 || val > 65535) {
+ wpa_printf(MSG_ERROR,
+ "Line %d: invalid beacon_int %d (expected 10..65535)",
line, val);
return 1;
}
@@ -3148,7 +3215,7 @@ static int hostapd_config_fill(struct hostapd_config *
line, val);
return 1;
}
- conf->send_probe_response = val;
+ bss->send_probe_response = val;
} else if (os_strcmp(buf, "supported_rates") == 0) {
if (hostapd_parse_intlist(&conf->supported_rates, pos)) {
wpa_printf(MSG_ERROR, "Line %d: invalid rate list",
@@ -3316,6 +3383,12 @@ static int hostapd_config_fill(struct hostapd_config *
return 1;
}
#endif /* CONFIG_IEEE80211W */
+#ifdef CONFIG_OCV
+ } else if (os_strcmp(buf, "ocv") == 0) {
+ bss->ocv = atoi(pos);
+ if (bss->ocv && !bss->ieee80211w)
+ bss->ieee80211w = 1;
+#endif /* CONFIG_OCV */
#ifdef CONFIG_IEEE80211N
} else if (os_strcmp(buf, "ieee80211n") == 0) {
conf->ieee80211n = atoi(pos);
@@ -3369,6 +3442,90 @@ static int hostapd_config_fill(struct hostapd_config *
conf->he_op.he_twt_required = atoi(pos);
} else if (os_strcmp(buf, "he_rts_threshold") == 0) {
conf->he_op.he_rts_threshold = atoi(pos);
+ } else if (os_strcmp(buf, "he_mu_edca_qos_info_param_count") == 0) {
+ conf->he_mu_edca.he_qos_info |=
+ set_he_cap(atoi(pos), HE_QOS_INFO_EDCA_PARAM_SET_COUNT);
+ } else if (os_strcmp(buf, "he_mu_edca_qos_info_q_ack") == 0) {
+ conf->he_mu_edca.he_qos_info |=
+ set_he_cap(atoi(pos), HE_QOS_INFO_Q_ACK);
+ } else if (os_strcmp(buf, "he_mu_edca_qos_info_queue_request") == 0) {
+ conf->he_mu_edca.he_qos_info |=
+ set_he_cap(atoi(pos), HE_QOS_INFO_QUEUE_REQUEST);
+ } else if (os_strcmp(buf, "he_mu_edca_qos_info_txop_request") == 0) {
+ conf->he_mu_edca.he_qos_info |=
+ set_he_cap(atoi(pos), HE_QOS_INFO_TXOP_REQUEST);
+ } else if (os_strcmp(buf, "he_mu_edca_ac_be_aifsn") == 0) {
+ conf->he_mu_edca.he_mu_ac_be_param[HE_MU_AC_PARAM_ACI_IDX] |=
+ set_he_cap(atoi(pos), HE_MU_AC_PARAM_AIFSN);
+ } else if (os_strcmp(buf, "he_mu_edca_ac_be_acm") == 0) {
+ conf->he_mu_edca.he_mu_ac_be_param[HE_MU_AC_PARAM_ACI_IDX] |=
+ set_he_cap(atoi(pos), HE_MU_AC_PARAM_ACM);
+ } else if (os_strcmp(buf, "he_mu_edca_ac_be_aci") == 0) {
+ conf->he_mu_edca.he_mu_ac_be_param[HE_MU_AC_PARAM_ACI_IDX] |=
+ set_he_cap(atoi(pos), HE_MU_AC_PARAM_ACI);
+ } else if (os_strcmp(buf, "he_mu_edca_ac_be_ecwmin") == 0) {
+ conf->he_mu_edca.he_mu_ac_be_param[HE_MU_AC_PARAM_ECW_IDX] |=
+ set_he_cap(atoi(pos), HE_MU_AC_PARAM_ECWMIN);
+ } else if (os_strcmp(buf, "he_mu_edca_ac_be_ecwmax") == 0) {
+ conf->he_mu_edca.he_mu_ac_be_param[HE_MU_AC_PARAM_ECW_IDX] |=
+ set_he_cap(atoi(pos), HE_MU_AC_PARAM_ECWMAX);
+ } else if (os_strcmp(buf, "he_mu_edca_ac_be_timer") == 0) {
+ conf->he_mu_edca.he_mu_ac_be_param[HE_MU_AC_PARAM_TIMER_IDX] =
+ atoi(pos) & 0xff;
+ } else if (os_strcmp(buf, "he_mu_edca_ac_bk_aifsn") == 0) {
+ conf->he_mu_edca.he_mu_ac_bk_param[HE_MU_AC_PARAM_ACI_IDX] |=
+ set_he_cap(atoi(pos), HE_MU_AC_PARAM_AIFSN);
+ } else if (os_strcmp(buf, "he_mu_edca_ac_bk_acm") == 0) {
+ conf->he_mu_edca.he_mu_ac_bk_param[HE_MU_AC_PARAM_ACI_IDX] |=
+ set_he_cap(atoi(pos), HE_MU_AC_PARAM_ACM);
+ } else if (os_strcmp(buf, "he_mu_edca_ac_bk_aci") == 0) {
+ conf->he_mu_edca.he_mu_ac_bk_param[HE_MU_AC_PARAM_ACI_IDX] |=
+ set_he_cap(atoi(pos), HE_MU_AC_PARAM_ACI);
+ } else if (os_strcmp(buf, "he_mu_edca_ac_bk_ecwmin") == 0) {
+ conf->he_mu_edca.he_mu_ac_bk_param[HE_MU_AC_PARAM_ECW_IDX] |=
+ set_he_cap(atoi(pos), HE_MU_AC_PARAM_ECWMIN);
+ } else if (os_strcmp(buf, "he_mu_edca_ac_bk_ecwmax") == 0) {
+ conf->he_mu_edca.he_mu_ac_bk_param[HE_MU_AC_PARAM_ECW_IDX] |=
+ set_he_cap(atoi(pos), HE_MU_AC_PARAM_ECWMAX);
+ } else if (os_strcmp(buf, "he_mu_edca_ac_bk_timer") == 0) {
+ conf->he_mu_edca.he_mu_ac_bk_param[HE_MU_AC_PARAM_TIMER_IDX] =
+ atoi(pos) & 0xff;
+ } else if (os_strcmp(buf, "he_mu_edca_ac_vi_aifsn") == 0) {
+ conf->he_mu_edca.he_mu_ac_vi_param[HE_MU_AC_PARAM_ACI_IDX] |=
+ set_he_cap(atoi(pos), HE_MU_AC_PARAM_AIFSN);
+ } else if (os_strcmp(buf, "he_mu_edca_ac_vi_acm") == 0) {
+ conf->he_mu_edca.he_mu_ac_vi_param[HE_MU_AC_PARAM_ACI_IDX] |=
+ set_he_cap(atoi(pos), HE_MU_AC_PARAM_ACM);
+ } else if (os_strcmp(buf, "he_mu_edca_ac_vi_aci") == 0) {
+ conf->he_mu_edca.he_mu_ac_vi_param[HE_MU_AC_PARAM_ACI_IDX] |=
+ set_he_cap(atoi(pos), HE_MU_AC_PARAM_ACI);
+ } else if (os_strcmp(buf, "he_mu_edca_ac_vi_ecwmin") == 0) {
+ conf->he_mu_edca.he_mu_ac_vi_param[HE_MU_AC_PARAM_ECW_IDX] |=
+ set_he_cap(atoi(pos), HE_MU_AC_PARAM_ECWMIN);
+ } else if (os_strcmp(buf, "he_mu_edca_ac_vi_ecwmax") == 0) {
+ conf->he_mu_edca.he_mu_ac_vi_param[HE_MU_AC_PARAM_ECW_IDX] |=
+ set_he_cap(atoi(pos), HE_MU_AC_PARAM_ECWMAX);
+ } else if (os_strcmp(buf, "he_mu_edca_ac_vi_timer") == 0) {
+ conf->he_mu_edca.he_mu_ac_vi_param[HE_MU_AC_PARAM_TIMER_IDX] =
+ atoi(pos) & 0xff;
+ } else if (os_strcmp(buf, "he_mu_edca_ac_vo_aifsn") == 0) {
+ conf->he_mu_edca.he_mu_ac_vo_param[HE_MU_AC_PARAM_ACI_IDX] |=
+ set_he_cap(atoi(pos), HE_MU_AC_PARAM_AIFSN);
+ } else if (os_strcmp(buf, "he_mu_edca_ac_vo_acm") == 0) {
+ conf->he_mu_edca.he_mu_ac_vo_param[HE_MU_AC_PARAM_ACI_IDX] |=
+ set_he_cap(atoi(pos), HE_MU_AC_PARAM_ACM);
+ } else if (os_strcmp(buf, "he_mu_edca_ac_vo_aci") == 0) {
+ conf->he_mu_edca.he_mu_ac_vo_param[HE_MU_AC_PARAM_ACI_IDX] |=
+ set_he_cap(atoi(pos), HE_MU_AC_PARAM_ACI);
+ } else if (os_strcmp(buf, "he_mu_edca_ac_vo_ecwmin") == 0) {
+ conf->he_mu_edca.he_mu_ac_vo_param[HE_MU_AC_PARAM_ECW_IDX] |=
+ set_he_cap(atoi(pos), HE_MU_AC_PARAM_ECWMIN);
+ } else if (os_strcmp(buf, "he_mu_edca_ac_vo_ecwmax") == 0) {
+ conf->he_mu_edca.he_mu_ac_vo_param[HE_MU_AC_PARAM_ECW_IDX] |=
+ set_he_cap(atoi(pos), HE_MU_AC_PARAM_ECWMAX);
+ } else if (os_strcmp(buf, "he_mu_edca_ac_vo_timer") == 0) {
+ conf->he_mu_edca.he_mu_ac_vo_param[HE_MU_AC_PARAM_TIMER_IDX] =
+ atoi(pos) & 0xff;
#endif /* CONFIG_IEEE80211AX */
} else if (os_strcmp(buf, "max_listen_interval") == 0) {
bss->max_listen_interval = atoi(pos);
@@ -3466,6 +3623,8 @@ static int hostapd_config_fill(struct hostapd_config *
}
} else if (os_strcmp(buf, "wps_cred_processing") == 0) {
bss->wps_cred_processing = atoi(pos);
+ } else if (os_strcmp(buf, "wps_cred_add_sae") == 0) {
+ bss->wps_cred_add_sae = atoi(pos);
} else if (os_strcmp(buf, "ap_settings") == 0) {
os_free(bss->ap_settings);
bss->ap_settings =
@@ -3475,6 +3634,56 @@ static int hostapd_config_fill(struct hostapd_config *
line, pos);
return 1;
}
+ } else if (os_strcmp(buf, "multi_ap_backhaul_ssid") == 0) {
+ size_t slen;
+ char *str = wpa_config_parse_string(pos, &slen);
+
+ if (!str || slen < 1 || slen > SSID_MAX_LEN) {
+ wpa_printf(MSG_ERROR, "Line %d: invalid SSID '%s'",
+ line, pos);
+ os_free(str);
+ return 1;
+ }
+ os_memcpy(bss->multi_ap_backhaul_ssid.ssid, str, slen);
+ bss->multi_ap_backhaul_ssid.ssid_len = slen;
+ bss->multi_ap_backhaul_ssid.ssid_set = 1;
+ os_free(str);
+ } else if (os_strcmp(buf, "multi_ap_backhaul_wpa_passphrase") == 0) {
+ int len = os_strlen(pos);
+
+ if (len < 8 || len > 63) {
+ wpa_printf(MSG_ERROR,
+ "Line %d: invalid WPA passphrase length %d (expected 8..63)",
+ line, len);
+ return 1;
+ }
+ os_free(bss->multi_ap_backhaul_ssid.wpa_passphrase);
+ bss->multi_ap_backhaul_ssid.wpa_passphrase = os_strdup(pos);
+ if (bss->multi_ap_backhaul_ssid.wpa_passphrase) {
+ hostapd_config_clear_wpa_psk(
+ &bss->multi_ap_backhaul_ssid.wpa_psk);
+ bss->multi_ap_backhaul_ssid.wpa_passphrase_set = 1;
+ }
+ } else if (os_strcmp(buf, "multi_ap_backhaul_wpa_psk") == 0) {
+ hostapd_config_clear_wpa_psk(
+ &bss->multi_ap_backhaul_ssid.wpa_psk);
+ bss->multi_ap_backhaul_ssid.wpa_psk =
+ os_zalloc(sizeof(struct hostapd_wpa_psk));
+ if (!bss->multi_ap_backhaul_ssid.wpa_psk)
+ return 1;
+ if (hexstr2bin(pos, bss->multi_ap_backhaul_ssid.wpa_psk->psk,
+ PMK_LEN) ||
+ pos[PMK_LEN * 2] != '\0') {
+ wpa_printf(MSG_ERROR, "Line %d: Invalid PSK '%s'.",
+ line, pos);
+ hostapd_config_clear_wpa_psk(
+ &bss->multi_ap_backhaul_ssid.wpa_psk);
+ return 1;
+ }
+ bss->multi_ap_backhaul_ssid.wpa_psk->group = 1;
+ os_free(bss->multi_ap_backhaul_ssid.wpa_passphrase);
+ bss->multi_ap_backhaul_ssid.wpa_passphrase = NULL;
+ bss->multi_ap_backhaul_ssid.wpa_psk_set = 1;
} else if (os_strcmp(buf, "upnp_iface") == 0) {
os_free(bss->upnp_iface);
bss->upnp_iface = os_strdup(pos);
@@ -3717,6 +3926,16 @@ static int hostapd_config_fill(struct hostapd_config *
#ifdef CONFIG_HS20
} else if (os_strcmp(buf, "hs20") == 0) {
bss->hs20 = atoi(pos);
+ } else if (os_strcmp(buf, "hs20_release") == 0) {
+ int val = atoi(pos);
+
+ if (val < 1 || val > (HS20_VERSION >> 4) + 1) {
+ wpa_printf(MSG_ERROR,
+ "Line %d: Unsupported hs20_release: %s",
+ line, pos);
+ return 1;
+ }
+ bss->hs20_release = val;
} else if (os_strcmp(buf, "disable_dgaf") == 0) {
bss->disable_dgaf = atoi(pos);
} else if (os_strcmp(buf, "na_mcast_to_ucast") == 0) {
@@ -3807,6 +4026,9 @@ static int hostapd_config_fill(struct hostapd_config *
} else if (os_strcmp(buf, "hs20_t_c_server_url") == 0) {
os_free(bss->t_c_server_url);
bss->t_c_server_url = os_strdup(pos);
+ } else if (os_strcmp(buf, "hs20_sim_provisioning_url") == 0) {
+ os_free(bss->hs20_sim_provisioning_url);
+ bss->hs20_sim_provisioning_url = os_strdup(pos);
#endif /* CONFIG_HS20 */
#ifdef CONFIG_MBO
} else if (os_strcmp(buf, "mbo") == 0) {
@@ -4111,6 +4333,22 @@ static int hostapd_config_fill(struct hostapd_config *
} else if (os_strcmp(buf, "coloc_intf_reporting") == 0) {
bss->coloc_intf_reporting = atoi(pos);
#endif /* CONFIG_OWE */
+ } else if (os_strcmp(buf, "multi_ap") == 0) {
+ int val = atoi(pos);
+
+ if (val < 0 || val > 3) {
+ wpa_printf(MSG_ERROR, "Line %d: Invalid multi_ap '%s'",
+ line, buf);
+ return -1;
+ }
+
+ bss->multi_ap = val;
+ } else if (os_strcmp(buf, "rssi_reject_assoc_rssi") == 0) {
+ conf->rssi_reject_assoc_rssi = atoi(pos);
+ } else if (os_strcmp(buf, "rssi_reject_assoc_timeout") == 0) {
+ conf->rssi_reject_assoc_timeout = atoi(pos);
+ } else if (os_strcmp(buf, "pbss") == 0) {
+ bss->pbss = atoi(pos);
} else {
wpa_printf(MSG_ERROR,
"Line %d: unknown configuration item '%s'",
Modified: head/contrib/wpa/hostapd/ctrl_iface.c
==============================================================================
--- head/contrib/wpa/hostapd/ctrl_iface.c Tue Apr 23 03:19:03 2019 (r346590)
+++ head/contrib/wpa/hostapd/ctrl_iface.c Tue Apr 23 03:52:43 2019 (r346591)
@@ -883,7 +883,7 @@ static int hostapd_ctrl_iface_bss_tm_req(struct hostap
/* TODO: TSF configurable/learnable */
bss_term_dur[0] = 4; /* Subelement ID */
bss_term_dur[1] = 10; /* Length */
- os_memset(bss_term_dur, 2, 8);
+ os_memset(&bss_term_dur[2], 0, 8);
end = os_strchr(pos, ',');
if (end == NULL) {
wpa_printf(MSG_DEBUG, "Invalid bss_term data");
@@ -1488,6 +1488,63 @@ static int hostapd_ctrl_iface_disable(struct hostapd_i
}
+static int
+hostapd_ctrl_iface_kick_mismatch_psk_sta_iter(struct hostapd_data *hapd,
+ struct sta_info *sta, void *ctx)
+{
+ struct hostapd_wpa_psk *psk;
+ const u8 *pmk;
+ int pmk_len;
+ int pmk_match;
+ int sta_match;
+ int bss_match;
+ int reason;
+
+ pmk = wpa_auth_get_pmk(sta->wpa_sm, &pmk_len);
+
+ for (psk = hapd->conf->ssid.wpa_psk; pmk && psk; psk = psk->next) {
+ pmk_match = PMK_LEN == pmk_len &&
+ os_memcmp(psk->psk, pmk, pmk_len) == 0;
+ sta_match = psk->group == 0 &&
+ os_memcmp(sta->addr, psk->addr, ETH_ALEN) == 0;
+ bss_match = psk->group == 1;
+
+ if (pmk_match && (sta_match || bss_match))
+ return 0;
+ }
+
+ wpa_printf(MSG_INFO, "STA " MACSTR
+ " PSK/passphrase no longer valid - disconnect",
+ MAC2STR(sta->addr));
+ reason = WLAN_REASON_PREV_AUTH_NOT_VALID;
+ hostapd_drv_sta_deauth(hapd, sta->addr, reason);
+ ap_sta_deauthenticate(hapd, sta, reason);
+
+ return 0;
+}
+
+
+static int hostapd_ctrl_iface_reload_wpa_psk(struct hostapd_data *hapd)
+{
+ struct hostapd_bss_config *conf = hapd->conf;
+ int err;
+
+ hostapd_config_clear_wpa_psk(&conf->ssid.wpa_psk);
+
+ err = hostapd_setup_wpa_psk(conf);
+ if (err < 0) {
+ wpa_printf(MSG_ERROR, "Reloading WPA-PSK passwords failed: %d",
+ err);
+ return -1;
+ }
+
+ ap_for_each_sta(hapd, hostapd_ctrl_iface_kick_mismatch_psk_sta_iter,
+ NULL);
+
+ return 0;
+}
+
+
#ifdef CONFIG_TESTING_OPTIONS
static int hostapd_ctrl_iface_radar(struct hostapd_data *hapd, char *cmd)
@@ -2826,6 +2883,34 @@ static int hostapd_ctrl_iface_acl_add_mac(struct mac_a
}
+static int hostapd_ctrl_iface_get_capability(struct hostapd_data *hapd,
+ const char *field, char *buf,
+ size_t buflen)
+{
+ wpa_printf(MSG_DEBUG, "CTRL_IFACE: GET_CAPABILITY '%s'", field);
+
+#ifdef CONFIG_DPP
+ if (os_strcmp(field, "dpp") == 0) {
+ int res;
+
+#ifdef CONFIG_DPP2
+ res = os_snprintf(buf, buflen, "DPP=2");
+#else /* CONFIG_DPP2 */
+ res = os_snprintf(buf, buflen, "DPP=1");
+#endif /* CONFIG_DPP2 */
+ if (os_snprintf_error(buflen, res))
+ return -1;
+ return res;
+ }
+#endif /* CONFIG_DPP */
+
+ wpa_printf(MSG_DEBUG, "CTRL_IFACE: Unknown GET_CAPABILITY field '%s'",
+ field);
+
+ return -1;
+}
+
+
static int hostapd_ctrl_iface_receive_process(struct hostapd_data *hapd,
char *buf, char *reply,
int reply_size,
@@ -3013,6 +3098,9 @@ static int hostapd_ctrl_iface_receive_process(struct h
} else if (os_strncmp(buf, "ENABLE", 6) == 0) {
if (hostapd_ctrl_iface_enable(hapd->iface))
reply_len = -1;
+ } else if (os_strcmp(buf, "RELOAD_WPA_PSK") == 0) {
+ if (hostapd_ctrl_iface_reload_wpa_psk(hapd))
+ reply_len = -1;
} else if (os_strncmp(buf, "RELOAD", 6) == 0) {
if (hostapd_ctrl_iface_reload(hapd->iface))
reply_len = -1;
@@ -3182,7 +3270,7 @@ static int hostapd_ctrl_iface_receive_process(struct h
reply_len = -1;
}
} else if (os_strncmp(buf, "DPP_BOOTSTRAP_GEN ", 18) == 0) {
- res = hostapd_dpp_bootstrap_gen(hapd, buf + 18);
+ res = dpp_bootstrap_gen(hapd->iface->interfaces->dpp, buf + 18);
if (res < 0) {
reply_len = -1;
} else {
@@ -3191,12 +3279,14 @@ static int hostapd_ctrl_iface_receive_process(struct h
reply_len = -1;
}
} else if (os_strncmp(buf, "DPP_BOOTSTRAP_REMOVE ", 21) == 0) {
- if (hostapd_dpp_bootstrap_remove(hapd, buf + 21) < 0)
+ if (dpp_bootstrap_remove(hapd->iface->interfaces->dpp,
+ buf + 21) < 0)
reply_len = -1;
} else if (os_strncmp(buf, "DPP_BOOTSTRAP_GET_URI ", 22) == 0) {
const char *uri;
- uri = hostapd_dpp_bootstrap_get_uri(hapd, atoi(buf + 22));
+ uri = dpp_bootstrap_get_uri(hapd->iface->interfaces->dpp,
+ atoi(buf + 22));
if (!uri) {
reply_len = -1;
} else {
@@ -3205,8 +3295,9 @@ static int hostapd_ctrl_iface_receive_process(struct h
reply_len = -1;
}
} else if (os_strncmp(buf, "DPP_BOOTSTRAP_INFO ", 19) == 0) {
- reply_len = hostapd_dpp_bootstrap_info(hapd, atoi(buf + 19),
- reply, reply_size);
+ reply_len = dpp_bootstrap_info(hapd->iface->interfaces->dpp,
+ atoi(buf + 19),
+ reply, reply_size);
} else if (os_strncmp(buf, "DPP_AUTH_INIT ", 14) == 0) {
if (hostapd_dpp_auth_init(hapd, buf + 13) < 0)
reply_len = -1;
@@ -3217,7 +3308,8 @@ static int hostapd_ctrl_iface_receive_process(struct h
hostapd_dpp_stop(hapd);
hostapd_dpp_listen_stop(hapd);
} else if (os_strncmp(buf, "DPP_CONFIGURATOR_ADD", 20) == 0) {
- res = hostapd_dpp_configurator_add(hapd, buf + 20);
+ res = dpp_configurator_add(hapd->iface->interfaces->dpp,
+ buf + 20);
if (res < 0) {
reply_len = -1;
} else {
@@ -3226,15 +3318,17 @@ static int hostapd_ctrl_iface_receive_process(struct h
reply_len = -1;
}
} else if (os_strncmp(buf, "DPP_CONFIGURATOR_REMOVE ", 24) == 0) {
- if (hostapd_dpp_configurator_remove(hapd, buf + 24) < 0)
+ if (dpp_configurator_remove(hapd->iface->interfaces->dpp,
+ buf + 24) < 0)
reply_len = -1;
} else if (os_strncmp(buf, "DPP_CONFIGURATOR_SIGN ", 22) == 0) {
- if (hostapd_dpp_configurator_sign(hapd, buf + 22) < 0)
+ if (hostapd_dpp_configurator_sign(hapd, buf + 21) < 0)
reply_len = -1;
} else if (os_strncmp(buf, "DPP_CONFIGURATOR_GET_KEY ", 25) == 0) {
- reply_len = hostapd_dpp_configurator_get_key(hapd,
- atoi(buf + 25),
- reply, reply_size);
+ reply_len = dpp_configurator_get_key_id(
+ hapd->iface->interfaces->dpp,
+ atoi(buf + 25),
+ reply, reply_size);
} else if (os_strncmp(buf, "DPP_PKEX_ADD ", 13) == 0) {
res = hostapd_dpp_pkex_add(hapd, buf + 12);
if (res < 0) {
@@ -3253,6 +3347,9 @@ static int hostapd_ctrl_iface_receive_process(struct h
if (radius_server_dac_request(hapd->radius_srv, buf + 12) < 0)
reply_len = -1;
#endif /* RADIUS_SERVER */
+ } else if (os_strncmp(buf, "GET_CAPABILITY ", 15) == 0) {
+ reply_len = hostapd_ctrl_iface_get_capability(
+ hapd, buf + 15, reply, reply_size);
} else {
os_memcpy(reply, "UNKNOWN COMMAND\n", 16);
reply_len = 16;
@@ -3506,18 +3603,18 @@ fail:
}
if (hapd->conf->ctrl_interface_gid_set &&
- chown(hapd->conf->ctrl_interface, -1,
- hapd->conf->ctrl_interface_gid) < 0) {
- wpa_printf(MSG_ERROR, "chown[ctrl_interface]: %s",
+ lchown(hapd->conf->ctrl_interface, -1,
+ hapd->conf->ctrl_interface_gid) < 0) {
+ wpa_printf(MSG_ERROR, "lchown[ctrl_interface]: %s",
strerror(errno));
return -1;
}
if (!hapd->conf->ctrl_interface_gid_set &&
hapd->iface->interfaces->ctrl_iface_group &&
- chown(hapd->conf->ctrl_interface, -1,
- hapd->iface->interfaces->ctrl_iface_group) < 0) {
- wpa_printf(MSG_ERROR, "chown[ctrl_interface]: %s",
+ lchown(hapd->conf->ctrl_interface, -1,
+ hapd->iface->interfaces->ctrl_iface_group) < 0) {
+ wpa_printf(MSG_ERROR, "lchown[ctrl_interface]: %s",
strerror(errno));
return -1;
}
@@ -3590,16 +3687,16 @@ fail:
}
if (hapd->conf->ctrl_interface_gid_set &&
- chown(fname, -1, hapd->conf->ctrl_interface_gid) < 0) {
- wpa_printf(MSG_ERROR, "chown[ctrl_interface/ifname]: %s",
+ lchown(fname, -1, hapd->conf->ctrl_interface_gid) < 0) {
+ wpa_printf(MSG_ERROR, "lchown[ctrl_interface/ifname]: %s",
strerror(errno));
goto fail;
}
if (!hapd->conf->ctrl_interface_gid_set &&
hapd->iface->interfaces->ctrl_iface_group &&
- chown(fname, -1, hapd->iface->interfaces->ctrl_iface_group) < 0) {
- wpa_printf(MSG_ERROR, "chown[ctrl_interface/ifname]: %s",
+ lchown(fname, -1, hapd->iface->interfaces->ctrl_iface_group) < 0) {
+ wpa_printf(MSG_ERROR, "lchown[ctrl_interface/ifname]: %s",
strerror(errno));
goto fail;
}
@@ -3733,7 +3830,7 @@ static void hostapd_ctrl_iface_flush(struct hapd_inter
#endif /* CONFIG_TESTING_OPTIONS */
#ifdef CONFIG_DPP
- hostapd_dpp_deinit_global(interfaces);
+ dpp_global_clear(interfaces->dpp);
#endif /* CONFIG_DPP */
}
@@ -4273,9 +4370,9 @@ fail:
goto fail;
}
} else if (interface->ctrl_iface_group &&
- chown(interface->global_iface_path, -1,
- interface->ctrl_iface_group) < 0) {
- wpa_printf(MSG_ERROR, "chown[ctrl_interface]: %s",
+ lchown(interface->global_iface_path, -1,
+ interface->ctrl_iface_group) < 0) {
+ wpa_printf(MSG_ERROR, "lchown[ctrl_interface]: %s",
strerror(errno));
goto fail;
}
@@ -4332,8 +4429,8 @@ fail:
}
if (interface->ctrl_iface_group &&
- chown(fname, -1, interface->ctrl_iface_group) < 0) {
- wpa_printf(MSG_ERROR, "chown[ctrl_interface]: %s",
+ lchown(fname, -1, interface->ctrl_iface_group) < 0) {
+ wpa_printf(MSG_ERROR, "lchown[ctrl_interface]: %s",
strerror(errno));
goto fail;
}
Modified: head/contrib/wpa/hostapd/defconfig
==============================================================================
--- head/contrib/wpa/hostapd/defconfig Tue Apr 23 03:19:03 2019 (r346590)
+++ head/contrib/wpa/hostapd/defconfig Tue Apr 23 03:52:43 2019 (r346591)
@@ -53,6 +53,9 @@ CONFIG_RSN_PREAUTH=y
# IEEE 802.11w (management frame protection)
CONFIG_IEEE80211W=y
+# Support Operating Channel Validation
+#CONFIG_OCV=y
+
# Integrated EAP server
CONFIG_EAP=y
@@ -249,6 +252,11 @@ CONFIG_IPV6=y
# requirements described above.
#CONFIG_NO_RANDOM_POOL=y
+# Should we attempt to use the getrandom(2) call that provides more reliable
+# yet secure randomness source than /dev/random on Linux 3.17 and newer.
+# Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
+#CONFIG_GETRANDOM=y
+
# Should we use poll instead of select? Select is used by default.
#CONFIG_ELOOP_POLL=y
@@ -356,8 +364,6 @@ CONFIG_IPV6=y
#CONFIG_TAXONOMY=y
# Fast Initial Link Setup (FILS) (IEEE 802.11ai)
-# Note: This is an experimental and not yet complete implementation. This
-# should not be enabled for production use.
#CONFIG_FILS=y
# FILS shared key authentication with PFS
#CONFIG_FILS_SK_PFS=y
Modified: head/contrib/wpa/hostapd/hostapd.conf
==============================================================================
--- head/contrib/wpa/hostapd/hostapd.conf Tue Apr 23 03:19:03 2019 (r346590)
+++ head/contrib/wpa/hostapd/hostapd.conf Tue Apr 23 03:52:43 2019 (r346591)
@@ -438,6 +438,13 @@ wmm_ac_vo_txop_limit=47
wmm_ac_vo_acm=0
# Note: for IEEE 802.11b mode: cWmin=3 cWmax=4 burst=102
+# Enable Multi-AP functionality
+# 0 = disabled (default)
+# 1 = AP support backhaul BSS
+# 2 = AP support fronthaul BSS
+# 3 = AP supports both backhaul BSS and fronthaul BSS
+#multi_ap=0
+
# Static WEP key configuration
#
# The key number to use when transmitting.
@@ -794,6 +801,30 @@ wmm_ac_vo_acm=0
# unsigned integer = duration in units of 16 us
#he_rts_threshold=0
+#he_mu_edca_qos_info_param_count
+#he_mu_edca_qos_info_q_ack
+#he_mu_edca_qos_info_queue_request=1
+#he_mu_edca_qos_info_txop_request
+#he_mu_edca_ac_be_aifsn=0
+#he_mu_edca_ac_be_ecwmin=15
+#he_mu_edca_ac_be_ecwmax=15
+#he_mu_edca_ac_be_timer=255
+#he_mu_edca_ac_bk_aifsn=0
+#he_mu_edca_ac_bk_aci=1
+#he_mu_edca_ac_bk_ecwmin=15
+#he_mu_edca_ac_bk_ecwmax=15
+#he_mu_edca_ac_bk_timer=255
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
More information about the svn-src-all
mailing list