svn commit: r347588 - in releng/11.2: contrib/wpa contrib/wpa/hostapd contrib/wpa/hs20/client contrib/wpa/patches contrib/wpa/src/ap contrib/wpa/src/common contrib/wpa/src/crypto contrib/wpa/src/dr...

Gordon Tetlow gordon at FreeBSD.org
Tue May 14 22:59:35 UTC 2019


Author: gordon
Date: Tue May 14 22:59:32 2019
New Revision: 347588
URL: https://svnweb.freebsd.org/changeset/base/347588

Log:
  Update hostapd/wpa_supplicant to 2.8 to fix multiple vulnerabilities.
  
  Approved by:	so
  Security:	FreeBSD-SA-19:03.wpa
  Security:	CVE-2019-9494
  Security:	CVE-2019-9495
  Security:	CVE-2019-9496
  Security:	CVE-2019-9497
  Security:	CVE-2019-9498
  Security:	CVE-2019-9499
  Security:	CVE-2019-11555

Added:
  releng/11.2/contrib/wpa/hostapd/README-MULTI-AP
  releng/11.2/contrib/wpa/src/ap/dpp_hostapd.c
  releng/11.2/contrib/wpa/src/ap/dpp_hostapd.h
  releng/11.2/contrib/wpa/src/ap/eth_p_oui.c
  releng/11.2/contrib/wpa/src/ap/eth_p_oui.h
  releng/11.2/contrib/wpa/src/ap/fils_hlp.c
  releng/11.2/contrib/wpa/src/ap/fils_hlp.h
  releng/11.2/contrib/wpa/src/ap/gas_query_ap.c
  releng/11.2/contrib/wpa/src/ap/gas_query_ap.h
  releng/11.2/contrib/wpa/src/ap/ieee802_11_he.c
  releng/11.2/contrib/wpa/src/ap/mbo_ap.c
  releng/11.2/contrib/wpa/src/ap/mbo_ap.h
  releng/11.2/contrib/wpa/src/ap/neighbor_db.c
  releng/11.2/contrib/wpa/src/ap/neighbor_db.h
  releng/11.2/contrib/wpa/src/ap/rrm.c
  releng/11.2/contrib/wpa/src/ap/rrm.h
  releng/11.2/contrib/wpa/src/ap/taxonomy.c
  releng/11.2/contrib/wpa/src/ap/taxonomy.h
  releng/11.2/contrib/wpa/src/ap/vlan.c
  releng/11.2/contrib/wpa/src/ap/vlan.h
  releng/11.2/contrib/wpa/src/ap/vlan_full.c
  releng/11.2/contrib/wpa/src/ap/vlan_ifconfig.c
  releng/11.2/contrib/wpa/src/ap/vlan_ioctl.c
  releng/11.2/contrib/wpa/src/common/cli.c
  releng/11.2/contrib/wpa/src/common/cli.h
  releng/11.2/contrib/wpa/src/common/ctrl_iface_common.c
  releng/11.2/contrib/wpa/src/common/ctrl_iface_common.h
  releng/11.2/contrib/wpa/src/common/dhcp.h
  releng/11.2/contrib/wpa/src/common/dpp.c
  releng/11.2/contrib/wpa/src/common/dpp.h
  releng/11.2/contrib/wpa/src/common/gas_server.c
  releng/11.2/contrib/wpa/src/common/gas_server.h
  releng/11.2/contrib/wpa/src/common/ocv.c
  releng/11.2/contrib/wpa/src/common/ocv.h
  releng/11.2/contrib/wpa/src/crypto/crypto_linux.c
  releng/11.2/contrib/wpa/src/crypto/crypto_nettle.c
  releng/11.2/contrib/wpa/src/crypto/crypto_wolfssl.c
  releng/11.2/contrib/wpa/src/crypto/fips_prf_wolfssl.c
  releng/11.2/contrib/wpa/src/crypto/sha384-internal.c
  releng/11.2/contrib/wpa/src/crypto/sha384-kdf.c
  releng/11.2/contrib/wpa/src/crypto/sha384.c
  releng/11.2/contrib/wpa/src/crypto/sha384_i.h
  releng/11.2/contrib/wpa/src/crypto/sha512-internal.c
  releng/11.2/contrib/wpa/src/crypto/sha512-kdf.c
  releng/11.2/contrib/wpa/src/crypto/sha512-prf.c
  releng/11.2/contrib/wpa/src/crypto/sha512.c
  releng/11.2/contrib/wpa/src/crypto/sha512.h
  releng/11.2/contrib/wpa/src/crypto/sha512_i.h
  releng/11.2/contrib/wpa/src/crypto/tls_openssl.h
  releng/11.2/contrib/wpa/src/crypto/tls_openssl_ocsp.c
  releng/11.2/contrib/wpa/src/crypto/tls_wolfssl.c
  releng/11.2/contrib/wpa/src/drivers/driver_macsec_linux.c
  releng/11.2/contrib/wpa/src/drivers/driver_wired_common.c
  releng/11.2/contrib/wpa/src/drivers/driver_wired_common.h
  releng/11.2/contrib/wpa/src/tls/tlsv1_client_ocsp.c
  releng/11.2/contrib/wpa/src/utils/const_time.h
  releng/11.2/contrib/wpa/src/utils/crc32.c
  releng/11.2/contrib/wpa/src/utils/crc32.h
  releng/11.2/contrib/wpa/src/utils/json.c
  releng/11.2/contrib/wpa/src/utils/json.h
  releng/11.2/contrib/wpa/src/utils/module_tests.h
  releng/11.2/contrib/wpa/wpa_supplicant/Android.mk
  releng/11.2/contrib/wpa/wpa_supplicant/README-DPP
  releng/11.2/contrib/wpa/wpa_supplicant/README-Windows.txt
  releng/11.2/contrib/wpa/wpa_supplicant/android.config
  releng/11.2/contrib/wpa/wpa_supplicant/binder/
  releng/11.2/contrib/wpa/wpa_supplicant/binder/.clang-format
  releng/11.2/contrib/wpa/wpa_supplicant/binder/binder.cpp
  releng/11.2/contrib/wpa/wpa_supplicant/binder/binder.h
  releng/11.2/contrib/wpa/wpa_supplicant/binder/binder_constants.cpp
  releng/11.2/contrib/wpa/wpa_supplicant/binder/binder_constants.h
  releng/11.2/contrib/wpa/wpa_supplicant/binder/binder_i.h
  releng/11.2/contrib/wpa/wpa_supplicant/binder/binder_manager.cpp
  releng/11.2/contrib/wpa/wpa_supplicant/binder/binder_manager.h
  releng/11.2/contrib/wpa/wpa_supplicant/binder/fi/
  releng/11.2/contrib/wpa/wpa_supplicant/binder/fi/w1/
  releng/11.2/contrib/wpa/wpa_supplicant/binder/fi/w1/wpa_supplicant/
  releng/11.2/contrib/wpa/wpa_supplicant/binder/fi/w1/wpa_supplicant/IIface.aidl
  releng/11.2/contrib/wpa/wpa_supplicant/binder/fi/w1/wpa_supplicant/ISupplicant.aidl
  releng/11.2/contrib/wpa/wpa_supplicant/binder/fi/w1/wpa_supplicant/ISupplicantCallbacks.aidl
  releng/11.2/contrib/wpa/wpa_supplicant/binder/iface.cpp
  releng/11.2/contrib/wpa/wpa_supplicant/binder/iface.h
  releng/11.2/contrib/wpa/wpa_supplicant/binder/supplicant.cpp
  releng/11.2/contrib/wpa/wpa_supplicant/binder/supplicant.h
  releng/11.2/contrib/wpa/wpa_supplicant/dpp_supplicant.c
  releng/11.2/contrib/wpa/wpa_supplicant/dpp_supplicant.h
  releng/11.2/contrib/wpa/wpa_supplicant/examples/dpp-qrcode.py
  releng/11.2/contrib/wpa/wpa_supplicant/libwpa_test.c
  releng/11.2/contrib/wpa/wpa_supplicant/mbo.c
  releng/11.2/contrib/wpa/wpa_supplicant/op_classes.c
  releng/11.2/contrib/wpa/wpa_supplicant/rrm.c
  releng/11.2/contrib/wpa/wpa_supplicant/systemd/
  releng/11.2/contrib/wpa/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in
  releng/11.2/contrib/wpa/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in
  releng/11.2/contrib/wpa/wpa_supplicant/systemd/wpa_supplicant.service.arg.in
  releng/11.2/contrib/wpa/wpa_supplicant/systemd/wpa_supplicant.service.in
  releng/11.2/contrib/wpa/wpa_supplicant/vs2005/
  releng/11.2/contrib/wpa/wpa_supplicant/vs2005/eapol_test/
  releng/11.2/contrib/wpa/wpa_supplicant/vs2005/eapol_test/eapol_test.vcproj
  releng/11.2/contrib/wpa/wpa_supplicant/vs2005/win_if_list/
  releng/11.2/contrib/wpa/wpa_supplicant/vs2005/win_if_list/win_if_list.vcproj
  releng/11.2/contrib/wpa/wpa_supplicant/vs2005/wpa_cli/
  releng/11.2/contrib/wpa/wpa_supplicant/vs2005/wpa_cli/wpa_cli.vcproj
  releng/11.2/contrib/wpa/wpa_supplicant/vs2005/wpa_passphrase/
  releng/11.2/contrib/wpa/wpa_supplicant/vs2005/wpa_passphrase/wpa_passphrase.vcproj
  releng/11.2/contrib/wpa/wpa_supplicant/vs2005/wpa_supplicant/
  releng/11.2/contrib/wpa/wpa_supplicant/vs2005/wpa_supplicant.sln
  releng/11.2/contrib/wpa/wpa_supplicant/vs2005/wpa_supplicant/wpa_supplicant.vcproj
  releng/11.2/contrib/wpa/wpa_supplicant/vs2005/wpasvc/
  releng/11.2/contrib/wpa/wpa_supplicant/vs2005/wpasvc/wpasvc.vcproj
Deleted:
  releng/11.2/contrib/wpa/patches/
  releng/11.2/contrib/wpa/src/ap/peerkey_auth.c
  releng/11.2/contrib/wpa/src/rsn_supp/peerkey.c
  releng/11.2/contrib/wpa/src/rsn_supp/peerkey.h
  releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_old.c
  releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_old.h
  releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_old_handlers.c
  releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_old_handlers.h
  releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_old_handlers_wps.c
  releng/11.2/contrib/wpa/wpa_supplicant/dbus/fi.epitest.hostap.WPASupplicant.service.in
  releng/11.2/contrib/wpa/wpa_supplicant/examples/wpas-test.py
  releng/11.2/contrib/wpa/wpa_supplicant/tests/
Modified:
  releng/11.2/contrib/wpa/CONTRIBUTIONS
  releng/11.2/contrib/wpa/COPYING
  releng/11.2/contrib/wpa/README
  releng/11.2/contrib/wpa/hostapd/ChangeLog
  releng/11.2/contrib/wpa/hostapd/README
  releng/11.2/contrib/wpa/hostapd/config_file.c
  releng/11.2/contrib/wpa/hostapd/config_file.h
  releng/11.2/contrib/wpa/hostapd/ctrl_iface.c
  releng/11.2/contrib/wpa/hostapd/defconfig
  releng/11.2/contrib/wpa/hostapd/hapd_module_tests.c
  releng/11.2/contrib/wpa/hostapd/hlr_auc_gw.c
  releng/11.2/contrib/wpa/hostapd/hostapd.conf
  releng/11.2/contrib/wpa/hostapd/hostapd.eap_user_sqlite
  releng/11.2/contrib/wpa/hostapd/hostapd.wpa_psk
  releng/11.2/contrib/wpa/hostapd/hostapd_cli.c
  releng/11.2/contrib/wpa/hostapd/main.c
  releng/11.2/contrib/wpa/hostapd/wps-ap-nfc.py
  releng/11.2/contrib/wpa/hs20/client/Android.mk
  releng/11.2/contrib/wpa/hs20/client/Makefile
  releng/11.2/contrib/wpa/hs20/client/est.c
  releng/11.2/contrib/wpa/hs20/client/oma_dm_client.c
  releng/11.2/contrib/wpa/hs20/client/osu_client.c
  releng/11.2/contrib/wpa/hs20/client/osu_client.h
  releng/11.2/contrib/wpa/src/ap/accounting.c
  releng/11.2/contrib/wpa/src/ap/accounting.h
  releng/11.2/contrib/wpa/src/ap/acs.c
  releng/11.2/contrib/wpa/src/ap/acs.h
  releng/11.2/contrib/wpa/src/ap/ap_config.c
  releng/11.2/contrib/wpa/src/ap/ap_config.h
  releng/11.2/contrib/wpa/src/ap/ap_drv_ops.c
  releng/11.2/contrib/wpa/src/ap/ap_drv_ops.h
  releng/11.2/contrib/wpa/src/ap/ap_mlme.c
  releng/11.2/contrib/wpa/src/ap/authsrv.c
  releng/11.2/contrib/wpa/src/ap/beacon.c
  releng/11.2/contrib/wpa/src/ap/beacon.h
  releng/11.2/contrib/wpa/src/ap/bss_load.c
  releng/11.2/contrib/wpa/src/ap/ctrl_iface_ap.c
  releng/11.2/contrib/wpa/src/ap/ctrl_iface_ap.h
  releng/11.2/contrib/wpa/src/ap/dfs.c
  releng/11.2/contrib/wpa/src/ap/dfs.h
  releng/11.2/contrib/wpa/src/ap/dhcp_snoop.c
  releng/11.2/contrib/wpa/src/ap/drv_callbacks.c
  releng/11.2/contrib/wpa/src/ap/eap_user_db.c
  releng/11.2/contrib/wpa/src/ap/gas_serv.c
  releng/11.2/contrib/wpa/src/ap/gas_serv.h
  releng/11.2/contrib/wpa/src/ap/hostapd.c
  releng/11.2/contrib/wpa/src/ap/hostapd.h
  releng/11.2/contrib/wpa/src/ap/hs20.c
  releng/11.2/contrib/wpa/src/ap/hs20.h
  releng/11.2/contrib/wpa/src/ap/hw_features.c
  releng/11.2/contrib/wpa/src/ap/iapp.c
  releng/11.2/contrib/wpa/src/ap/ieee802_11.c
  releng/11.2/contrib/wpa/src/ap/ieee802_11.h
  releng/11.2/contrib/wpa/src/ap/ieee802_11_auth.c
  releng/11.2/contrib/wpa/src/ap/ieee802_11_auth.h
  releng/11.2/contrib/wpa/src/ap/ieee802_11_ht.c
  releng/11.2/contrib/wpa/src/ap/ieee802_11_shared.c
  releng/11.2/contrib/wpa/src/ap/ieee802_11_vht.c
  releng/11.2/contrib/wpa/src/ap/ieee802_1x.c
  releng/11.2/contrib/wpa/src/ap/ieee802_1x.h
  releng/11.2/contrib/wpa/src/ap/ndisc_snoop.c
  releng/11.2/contrib/wpa/src/ap/pmksa_cache_auth.c
  releng/11.2/contrib/wpa/src/ap/pmksa_cache_auth.h
  releng/11.2/contrib/wpa/src/ap/sta_info.c
  releng/11.2/contrib/wpa/src/ap/sta_info.h
  releng/11.2/contrib/wpa/src/ap/tkip_countermeasures.c
  releng/11.2/contrib/wpa/src/ap/vlan_init.c
  releng/11.2/contrib/wpa/src/ap/vlan_init.h
  releng/11.2/contrib/wpa/src/ap/vlan_util.c
  releng/11.2/contrib/wpa/src/ap/vlan_util.h
  releng/11.2/contrib/wpa/src/ap/wmm.c
  releng/11.2/contrib/wpa/src/ap/wnm_ap.c
  releng/11.2/contrib/wpa/src/ap/wnm_ap.h
  releng/11.2/contrib/wpa/src/ap/wpa_auth.c
  releng/11.2/contrib/wpa/src/ap/wpa_auth.h
  releng/11.2/contrib/wpa/src/ap/wpa_auth_ft.c
  releng/11.2/contrib/wpa/src/ap/wpa_auth_glue.c
  releng/11.2/contrib/wpa/src/ap/wpa_auth_i.h
  releng/11.2/contrib/wpa/src/ap/wpa_auth_ie.c
  releng/11.2/contrib/wpa/src/ap/wpa_auth_ie.h
  releng/11.2/contrib/wpa/src/ap/wps_hostapd.c
  releng/11.2/contrib/wpa/src/common/common_module_tests.c
  releng/11.2/contrib/wpa/src/common/defs.h
  releng/11.2/contrib/wpa/src/common/eapol_common.h
  releng/11.2/contrib/wpa/src/common/gas.c
  releng/11.2/contrib/wpa/src/common/gas.h
  releng/11.2/contrib/wpa/src/common/hw_features_common.c
  releng/11.2/contrib/wpa/src/common/hw_features_common.h
  releng/11.2/contrib/wpa/src/common/ieee802_11_common.c
  releng/11.2/contrib/wpa/src/common/ieee802_11_common.h
  releng/11.2/contrib/wpa/src/common/ieee802_11_defs.h
  releng/11.2/contrib/wpa/src/common/ieee802_1x_defs.h
  releng/11.2/contrib/wpa/src/common/privsep_commands.h
  releng/11.2/contrib/wpa/src/common/qca-vendor.h
  releng/11.2/contrib/wpa/src/common/sae.c
  releng/11.2/contrib/wpa/src/common/sae.h
  releng/11.2/contrib/wpa/src/common/version.h
  releng/11.2/contrib/wpa/src/common/wpa_common.c
  releng/11.2/contrib/wpa/src/common/wpa_common.h
  releng/11.2/contrib/wpa/src/common/wpa_ctrl.c
  releng/11.2/contrib/wpa/src/common/wpa_ctrl.h
  releng/11.2/contrib/wpa/src/common/wpa_helpers.c
  releng/11.2/contrib/wpa/src/crypto/aes-cbc.c
  releng/11.2/contrib/wpa/src/crypto/aes-ctr.c
  releng/11.2/contrib/wpa/src/crypto/aes-internal-dec.c
  releng/11.2/contrib/wpa/src/crypto/aes-internal-enc.c
  releng/11.2/contrib/wpa/src/crypto/aes-omac1.c
  releng/11.2/contrib/wpa/src/crypto/aes-siv.c
  releng/11.2/contrib/wpa/src/crypto/aes.h
  releng/11.2/contrib/wpa/src/crypto/aes_siv.h
  releng/11.2/contrib/wpa/src/crypto/aes_wrap.h
  releng/11.2/contrib/wpa/src/crypto/crypto.h
  releng/11.2/contrib/wpa/src/crypto/crypto_gnutls.c
  releng/11.2/contrib/wpa/src/crypto/crypto_internal-modexp.c
  releng/11.2/contrib/wpa/src/crypto/crypto_internal.c
  releng/11.2/contrib/wpa/src/crypto/crypto_libtomcrypt.c
  releng/11.2/contrib/wpa/src/crypto/crypto_module_tests.c
  releng/11.2/contrib/wpa/src/crypto/crypto_none.c
  releng/11.2/contrib/wpa/src/crypto/crypto_openssl.c
  releng/11.2/contrib/wpa/src/crypto/des-internal.c
  releng/11.2/contrib/wpa/src/crypto/dh_group5.c
  releng/11.2/contrib/wpa/src/crypto/dh_groups.c
  releng/11.2/contrib/wpa/src/crypto/fips_prf_openssl.c
  releng/11.2/contrib/wpa/src/crypto/md4-internal.c
  releng/11.2/contrib/wpa/src/crypto/md5-internal.c
  releng/11.2/contrib/wpa/src/crypto/ms_funcs.c
  releng/11.2/contrib/wpa/src/crypto/ms_funcs.h
  releng/11.2/contrib/wpa/src/crypto/random.c
  releng/11.2/contrib/wpa/src/crypto/sha1-internal.c
  releng/11.2/contrib/wpa/src/crypto/sha1-tlsprf.c
  releng/11.2/contrib/wpa/src/crypto/sha256-internal.c
  releng/11.2/contrib/wpa/src/crypto/sha256-kdf.c
  releng/11.2/contrib/wpa/src/crypto/sha256-prf.c
  releng/11.2/contrib/wpa/src/crypto/sha256.h
  releng/11.2/contrib/wpa/src/crypto/sha384-prf.c
  releng/11.2/contrib/wpa/src/crypto/sha384.h
  releng/11.2/contrib/wpa/src/crypto/tls.h
  releng/11.2/contrib/wpa/src/crypto/tls_gnutls.c
  releng/11.2/contrib/wpa/src/crypto/tls_internal.c
  releng/11.2/contrib/wpa/src/crypto/tls_none.c
  releng/11.2/contrib/wpa/src/crypto/tls_openssl.c
  releng/11.2/contrib/wpa/src/drivers/driver.h
  releng/11.2/contrib/wpa/src/drivers/driver_bsd.c
  releng/11.2/contrib/wpa/src/drivers/driver_common.c
  releng/11.2/contrib/wpa/src/drivers/driver_macsec_qca.c
  releng/11.2/contrib/wpa/src/drivers/driver_ndis.c
  releng/11.2/contrib/wpa/src/drivers/driver_nl80211.h
  releng/11.2/contrib/wpa/src/drivers/driver_nl80211_capa.c
  releng/11.2/contrib/wpa/src/drivers/driver_nl80211_event.c
  releng/11.2/contrib/wpa/src/drivers/driver_nl80211_monitor.c
  releng/11.2/contrib/wpa/src/drivers/driver_nl80211_scan.c
  releng/11.2/contrib/wpa/src/drivers/driver_openbsd.c
  releng/11.2/contrib/wpa/src/drivers/driver_privsep.c
  releng/11.2/contrib/wpa/src/drivers/driver_wired.c
  releng/11.2/contrib/wpa/src/drivers/drivers.c
  releng/11.2/contrib/wpa/src/eap_common/eap_eke_common.c
  releng/11.2/contrib/wpa/src/eap_common/eap_fast_common.c
  releng/11.2/contrib/wpa/src/eap_common/eap_fast_common.h
  releng/11.2/contrib/wpa/src/eap_common/eap_gpsk_common.c
  releng/11.2/contrib/wpa/src/eap_common/eap_pax_common.c
  releng/11.2/contrib/wpa/src/eap_common/eap_pwd_common.c
  releng/11.2/contrib/wpa/src/eap_common/eap_pwd_common.h
  releng/11.2/contrib/wpa/src/eap_common/eap_sake_common.c
  releng/11.2/contrib/wpa/src/eap_common/eap_sake_common.h
  releng/11.2/contrib/wpa/src/eap_common/eap_sim_common.c
  releng/11.2/contrib/wpa/src/eap_common/ikev2_common.c
  releng/11.2/contrib/wpa/src/eap_peer/eap.c
  releng/11.2/contrib/wpa/src/eap_peer/eap.h
  releng/11.2/contrib/wpa/src/eap_peer/eap_aka.c
  releng/11.2/contrib/wpa/src/eap_peer/eap_config.h
  releng/11.2/contrib/wpa/src/eap_peer/eap_eke.c
  releng/11.2/contrib/wpa/src/eap_peer/eap_fast.c
  releng/11.2/contrib/wpa/src/eap_peer/eap_fast_pac.c
  releng/11.2/contrib/wpa/src/eap_peer/eap_gpsk.c
  releng/11.2/contrib/wpa/src/eap_peer/eap_gtc.c
  releng/11.2/contrib/wpa/src/eap_peer/eap_i.h
  releng/11.2/contrib/wpa/src/eap_peer/eap_ikev2.c
  releng/11.2/contrib/wpa/src/eap_peer/eap_leap.c
  releng/11.2/contrib/wpa/src/eap_peer/eap_md5.c
  releng/11.2/contrib/wpa/src/eap_peer/eap_methods.c
  releng/11.2/contrib/wpa/src/eap_peer/eap_methods.h
  releng/11.2/contrib/wpa/src/eap_peer/eap_mschapv2.c
  releng/11.2/contrib/wpa/src/eap_peer/eap_otp.c
  releng/11.2/contrib/wpa/src/eap_peer/eap_pax.c
  releng/11.2/contrib/wpa/src/eap_peer/eap_peap.c
  releng/11.2/contrib/wpa/src/eap_peer/eap_proxy.h
  releng/11.2/contrib/wpa/src/eap_peer/eap_proxy_dummy.c
  releng/11.2/contrib/wpa/src/eap_peer/eap_psk.c
  releng/11.2/contrib/wpa/src/eap_peer/eap_pwd.c
  releng/11.2/contrib/wpa/src/eap_peer/eap_sake.c
  releng/11.2/contrib/wpa/src/eap_peer/eap_sim.c
  releng/11.2/contrib/wpa/src/eap_peer/eap_tls.c
  releng/11.2/contrib/wpa/src/eap_peer/eap_tls_common.c
  releng/11.2/contrib/wpa/src/eap_peer/eap_tls_common.h
  releng/11.2/contrib/wpa/src/eap_peer/eap_tnc.c
  releng/11.2/contrib/wpa/src/eap_peer/eap_ttls.c
  releng/11.2/contrib/wpa/src/eap_peer/eap_vendor_test.c
  releng/11.2/contrib/wpa/src/eap_peer/eap_wsc.c
  releng/11.2/contrib/wpa/src/eap_peer/ikev2.c
  releng/11.2/contrib/wpa/src/eap_peer/tncc.c
  releng/11.2/contrib/wpa/src/eap_server/eap.h
  releng/11.2/contrib/wpa/src/eap_server/eap_i.h
  releng/11.2/contrib/wpa/src/eap_server/eap_methods.h
  releng/11.2/contrib/wpa/src/eap_server/eap_server.c
  releng/11.2/contrib/wpa/src/eap_server/eap_server_aka.c
  releng/11.2/contrib/wpa/src/eap_server/eap_server_eke.c
  releng/11.2/contrib/wpa/src/eap_server/eap_server_fast.c
  releng/11.2/contrib/wpa/src/eap_server/eap_server_gpsk.c
  releng/11.2/contrib/wpa/src/eap_server/eap_server_gtc.c
  releng/11.2/contrib/wpa/src/eap_server/eap_server_identity.c
  releng/11.2/contrib/wpa/src/eap_server/eap_server_ikev2.c
  releng/11.2/contrib/wpa/src/eap_server/eap_server_md5.c
  releng/11.2/contrib/wpa/src/eap_server/eap_server_methods.c
  releng/11.2/contrib/wpa/src/eap_server/eap_server_mschapv2.c
  releng/11.2/contrib/wpa/src/eap_server/eap_server_pax.c
  releng/11.2/contrib/wpa/src/eap_server/eap_server_peap.c
  releng/11.2/contrib/wpa/src/eap_server/eap_server_psk.c
  releng/11.2/contrib/wpa/src/eap_server/eap_server_pwd.c
  releng/11.2/contrib/wpa/src/eap_server/eap_server_sake.c
  releng/11.2/contrib/wpa/src/eap_server/eap_server_sim.c
  releng/11.2/contrib/wpa/src/eap_server/eap_server_tls.c
  releng/11.2/contrib/wpa/src/eap_server/eap_server_tls_common.c
  releng/11.2/contrib/wpa/src/eap_server/eap_server_tnc.c
  releng/11.2/contrib/wpa/src/eap_server/eap_server_ttls.c
  releng/11.2/contrib/wpa/src/eap_server/eap_server_vendor_test.c
  releng/11.2/contrib/wpa/src/eap_server/eap_server_wsc.c
  releng/11.2/contrib/wpa/src/eap_server/eap_sim_db.c
  releng/11.2/contrib/wpa/src/eap_server/eap_sim_db.h
  releng/11.2/contrib/wpa/src/eap_server/eap_tls_common.h
  releng/11.2/contrib/wpa/src/eap_server/ikev2.c
  releng/11.2/contrib/wpa/src/eap_server/tncs.c
  releng/11.2/contrib/wpa/src/eapol_auth/eapol_auth_sm.c
  releng/11.2/contrib/wpa/src/eapol_auth/eapol_auth_sm.h
  releng/11.2/contrib/wpa/src/eapol_auth/eapol_auth_sm_i.h
  releng/11.2/contrib/wpa/src/eapol_supp/eapol_supp_sm.c
  releng/11.2/contrib/wpa/src/eapol_supp/eapol_supp_sm.h
  releng/11.2/contrib/wpa/src/fst/fst.c
  releng/11.2/contrib/wpa/src/fst/fst.h
  releng/11.2/contrib/wpa/src/fst/fst_ctrl_aux.c
  releng/11.2/contrib/wpa/src/fst/fst_ctrl_aux.h
  releng/11.2/contrib/wpa/src/fst/fst_ctrl_iface.c
  releng/11.2/contrib/wpa/src/fst/fst_defs.h
  releng/11.2/contrib/wpa/src/fst/fst_group.c
  releng/11.2/contrib/wpa/src/fst/fst_group.h
  releng/11.2/contrib/wpa/src/fst/fst_iface.c
  releng/11.2/contrib/wpa/src/fst/fst_iface.h
  releng/11.2/contrib/wpa/src/fst/fst_session.c
  releng/11.2/contrib/wpa/src/l2_packet/l2_packet.h
  releng/11.2/contrib/wpa/src/l2_packet/l2_packet_privsep.c
  releng/11.2/contrib/wpa/src/p2p/p2p.c
  releng/11.2/contrib/wpa/src/p2p/p2p.h
  releng/11.2/contrib/wpa/src/p2p/p2p_build.c
  releng/11.2/contrib/wpa/src/p2p/p2p_go_neg.c
  releng/11.2/contrib/wpa/src/p2p/p2p_group.c
  releng/11.2/contrib/wpa/src/p2p/p2p_i.h
  releng/11.2/contrib/wpa/src/p2p/p2p_invitation.c
  releng/11.2/contrib/wpa/src/p2p/p2p_parse.c
  releng/11.2/contrib/wpa/src/p2p/p2p_pd.c
  releng/11.2/contrib/wpa/src/p2p/p2p_sd.c
  releng/11.2/contrib/wpa/src/p2p/p2p_utils.c
  releng/11.2/contrib/wpa/src/pae/ieee802_1x_cp.c
  releng/11.2/contrib/wpa/src/pae/ieee802_1x_cp.h
  releng/11.2/contrib/wpa/src/pae/ieee802_1x_kay.c
  releng/11.2/contrib/wpa/src/pae/ieee802_1x_kay.h
  releng/11.2/contrib/wpa/src/pae/ieee802_1x_kay_i.h
  releng/11.2/contrib/wpa/src/pae/ieee802_1x_key.c
  releng/11.2/contrib/wpa/src/pae/ieee802_1x_key.h
  releng/11.2/contrib/wpa/src/pae/ieee802_1x_secy_ops.c
  releng/11.2/contrib/wpa/src/pae/ieee802_1x_secy_ops.h
  releng/11.2/contrib/wpa/src/radius/radius.c
  releng/11.2/contrib/wpa/src/radius/radius.h
  releng/11.2/contrib/wpa/src/radius/radius_client.c
  releng/11.2/contrib/wpa/src/radius/radius_client.h
  releng/11.2/contrib/wpa/src/radius/radius_das.c
  releng/11.2/contrib/wpa/src/radius/radius_das.h
  releng/11.2/contrib/wpa/src/radius/radius_server.c
  releng/11.2/contrib/wpa/src/radius/radius_server.h
  releng/11.2/contrib/wpa/src/rsn_supp/pmksa_cache.c
  releng/11.2/contrib/wpa/src/rsn_supp/pmksa_cache.h
  releng/11.2/contrib/wpa/src/rsn_supp/preauth.c
  releng/11.2/contrib/wpa/src/rsn_supp/preauth.h
  releng/11.2/contrib/wpa/src/rsn_supp/tdls.c
  releng/11.2/contrib/wpa/src/rsn_supp/wpa.c
  releng/11.2/contrib/wpa/src/rsn_supp/wpa.h
  releng/11.2/contrib/wpa/src/rsn_supp/wpa_ft.c
  releng/11.2/contrib/wpa/src/rsn_supp/wpa_i.h
  releng/11.2/contrib/wpa/src/rsn_supp/wpa_ie.c
  releng/11.2/contrib/wpa/src/rsn_supp/wpa_ie.h
  releng/11.2/contrib/wpa/src/tls/asn1.c
  releng/11.2/contrib/wpa/src/tls/asn1.h
  releng/11.2/contrib/wpa/src/tls/bignum.c
  releng/11.2/contrib/wpa/src/tls/libtommath.c
  releng/11.2/contrib/wpa/src/tls/pkcs5.c
  releng/11.2/contrib/wpa/src/tls/rsa.c
  releng/11.2/contrib/wpa/src/tls/tlsv1_client.c
  releng/11.2/contrib/wpa/src/tls/tlsv1_client.h
  releng/11.2/contrib/wpa/src/tls/tlsv1_client_i.h
  releng/11.2/contrib/wpa/src/tls/tlsv1_client_read.c
  releng/11.2/contrib/wpa/src/tls/tlsv1_client_write.c
  releng/11.2/contrib/wpa/src/tls/tlsv1_common.c
  releng/11.2/contrib/wpa/src/tls/tlsv1_common.h
  releng/11.2/contrib/wpa/src/tls/tlsv1_cred.c
  releng/11.2/contrib/wpa/src/tls/tlsv1_cred.h
  releng/11.2/contrib/wpa/src/tls/tlsv1_server.c
  releng/11.2/contrib/wpa/src/tls/tlsv1_server.h
  releng/11.2/contrib/wpa/src/tls/tlsv1_server_i.h
  releng/11.2/contrib/wpa/src/tls/tlsv1_server_read.c
  releng/11.2/contrib/wpa/src/tls/tlsv1_server_write.c
  releng/11.2/contrib/wpa/src/tls/x509v3.c
  releng/11.2/contrib/wpa/src/tls/x509v3.h
  releng/11.2/contrib/wpa/src/utils/base64.c
  releng/11.2/contrib/wpa/src/utils/base64.h
  releng/11.2/contrib/wpa/src/utils/browser-android.c
  releng/11.2/contrib/wpa/src/utils/browser-wpadebug.c
  releng/11.2/contrib/wpa/src/utils/browser.c
  releng/11.2/contrib/wpa/src/utils/common.c
  releng/11.2/contrib/wpa/src/utils/common.h
  releng/11.2/contrib/wpa/src/utils/edit_simple.c
  releng/11.2/contrib/wpa/src/utils/eloop.c
  releng/11.2/contrib/wpa/src/utils/eloop.h
  releng/11.2/contrib/wpa/src/utils/eloop_win.c
  releng/11.2/contrib/wpa/src/utils/ext_password.c
  releng/11.2/contrib/wpa/src/utils/ext_password_i.h
  releng/11.2/contrib/wpa/src/utils/http_curl.c
  releng/11.2/contrib/wpa/src/utils/list.h
  releng/11.2/contrib/wpa/src/utils/os.h
  releng/11.2/contrib/wpa/src/utils/os_internal.c
  releng/11.2/contrib/wpa/src/utils/os_none.c
  releng/11.2/contrib/wpa/src/utils/os_unix.c
  releng/11.2/contrib/wpa/src/utils/os_win32.c
  releng/11.2/contrib/wpa/src/utils/pcsc_funcs.c
  releng/11.2/contrib/wpa/src/utils/platform.h
  releng/11.2/contrib/wpa/src/utils/radiotap.c
  releng/11.2/contrib/wpa/src/utils/radiotap.h
  releng/11.2/contrib/wpa/src/utils/radiotap_iter.h
  releng/11.2/contrib/wpa/src/utils/trace.c
  releng/11.2/contrib/wpa/src/utils/trace.h
  releng/11.2/contrib/wpa/src/utils/utils_module_tests.c
  releng/11.2/contrib/wpa/src/utils/uuid.c
  releng/11.2/contrib/wpa/src/utils/uuid.h
  releng/11.2/contrib/wpa/src/utils/wpa_debug.c
  releng/11.2/contrib/wpa/src/utils/wpa_debug.h
  releng/11.2/contrib/wpa/src/utils/wpabuf.c
  releng/11.2/contrib/wpa/src/utils/wpabuf.h
  releng/11.2/contrib/wpa/src/utils/xml-utils.c
  releng/11.2/contrib/wpa/src/utils/xml_libxml2.c
  releng/11.2/contrib/wpa/src/wps/wps.c
  releng/11.2/contrib/wpa/src/wps/wps.h
  releng/11.2/contrib/wpa/src/wps/wps_attr_build.c
  releng/11.2/contrib/wpa/src/wps/wps_attr_parse.c
  releng/11.2/contrib/wpa/src/wps/wps_attr_parse.h
  releng/11.2/contrib/wpa/src/wps/wps_attr_process.c
  releng/11.2/contrib/wpa/src/wps/wps_common.c
  releng/11.2/contrib/wpa/src/wps/wps_defs.h
  releng/11.2/contrib/wpa/src/wps/wps_dev_attr.c
  releng/11.2/contrib/wpa/src/wps/wps_dev_attr.h
  releng/11.2/contrib/wpa/src/wps/wps_enrollee.c
  releng/11.2/contrib/wpa/src/wps/wps_er.c
  releng/11.2/contrib/wpa/src/wps/wps_i.h
  releng/11.2/contrib/wpa/src/wps/wps_module_tests.c
  releng/11.2/contrib/wpa/src/wps/wps_registrar.c
  releng/11.2/contrib/wpa/src/wps/wps_upnp.c
  releng/11.2/contrib/wpa/src/wps/wps_upnp.h
  releng/11.2/contrib/wpa/src/wps/wps_upnp_i.h
  releng/11.2/contrib/wpa/src/wps/wps_upnp_ssdp.c
  releng/11.2/contrib/wpa/src/wps/wps_upnp_web.c
  releng/11.2/contrib/wpa/src/wps/wps_validate.c
  releng/11.2/contrib/wpa/wpa_supplicant/ChangeLog
  releng/11.2/contrib/wpa/wpa_supplicant/README
  releng/11.2/contrib/wpa/wpa_supplicant/README-HS20
  releng/11.2/contrib/wpa/wpa_supplicant/README-P2P
  releng/11.2/contrib/wpa/wpa_supplicant/ap.c
  releng/11.2/contrib/wpa/wpa_supplicant/ap.h
  releng/11.2/contrib/wpa/wpa_supplicant/autoscan.c
  releng/11.2/contrib/wpa/wpa_supplicant/autoscan.h
  releng/11.2/contrib/wpa/wpa_supplicant/bgscan.c
  releng/11.2/contrib/wpa/wpa_supplicant/bgscan.h
  releng/11.2/contrib/wpa/wpa_supplicant/bgscan_learn.c
  releng/11.2/contrib/wpa/wpa_supplicant/bgscan_simple.c
  releng/11.2/contrib/wpa/wpa_supplicant/bss.c
  releng/11.2/contrib/wpa/wpa_supplicant/bss.h
  releng/11.2/contrib/wpa/wpa_supplicant/config.c
  releng/11.2/contrib/wpa/wpa_supplicant/config.h
  releng/11.2/contrib/wpa/wpa_supplicant/config_file.c
  releng/11.2/contrib/wpa/wpa_supplicant/config_ssid.h
  releng/11.2/contrib/wpa/wpa_supplicant/ctrl_iface.c
  releng/11.2/contrib/wpa/wpa_supplicant/ctrl_iface_named_pipe.c
  releng/11.2/contrib/wpa/wpa_supplicant/ctrl_iface_udp.c
  releng/11.2/contrib/wpa/wpa_supplicant/ctrl_iface_unix.c
  releng/11.2/contrib/wpa/wpa_supplicant/dbus/Makefile
  releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus-wpa_supplicant.conf
  releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_common.c
  releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_common_i.h
  releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_dict_helpers.c
  releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_dict_helpers.h
  releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_new.c
  releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_new.h
  releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_new_handlers.c
  releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_new_handlers.h
  releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_new_handlers_p2p.c
  releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_new_handlers_p2p.h
  releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_new_handlers_wps.c
  releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_new_helpers.c
  releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_new_helpers.h
  releng/11.2/contrib/wpa/wpa_supplicant/dbus/dbus_new_introspect.c
  releng/11.2/contrib/wpa/wpa_supplicant/defconfig
  releng/11.2/contrib/wpa/wpa_supplicant/driver_i.h
  releng/11.2/contrib/wpa/wpa_supplicant/eapol_test.c
  releng/11.2/contrib/wpa/wpa_supplicant/eapol_test.py
  releng/11.2/contrib/wpa/wpa_supplicant/events.c
  releng/11.2/contrib/wpa/wpa_supplicant/examples/dbus-listen-preq.py
  releng/11.2/contrib/wpa/wpa_supplicant/examples/p2p-nfc.py
  releng/11.2/contrib/wpa/wpa_supplicant/examples/p2p/p2p_connect.py
  releng/11.2/contrib/wpa/wpa_supplicant/examples/p2p/p2p_disconnect.py
  releng/11.2/contrib/wpa/wpa_supplicant/examples/p2p/p2p_find.py
  releng/11.2/contrib/wpa/wpa_supplicant/examples/p2p/p2p_flush.py
  releng/11.2/contrib/wpa/wpa_supplicant/examples/p2p/p2p_group_add.py
  releng/11.2/contrib/wpa/wpa_supplicant/examples/p2p/p2p_invite.py
  releng/11.2/contrib/wpa/wpa_supplicant/examples/p2p/p2p_listen.py
  releng/11.2/contrib/wpa/wpa_supplicant/examples/p2p/p2p_stop_find.py
  releng/11.2/contrib/wpa/wpa_supplicant/examples/wpas-dbus-new-getall.py
  releng/11.2/contrib/wpa/wpa_supplicant/examples/wpas-dbus-new-signals.py
  releng/11.2/contrib/wpa/wpa_supplicant/examples/wpas-dbus-new-wps.py
  releng/11.2/contrib/wpa/wpa_supplicant/examples/wpas-dbus-new.py
  releng/11.2/contrib/wpa/wpa_supplicant/examples/wps-ap-cli
  releng/11.2/contrib/wpa/wpa_supplicant/examples/wps-nfc.py
  releng/11.2/contrib/wpa/wpa_supplicant/gas_query.c
  releng/11.2/contrib/wpa/wpa_supplicant/gas_query.h
  releng/11.2/contrib/wpa/wpa_supplicant/hs20_supplicant.c
  releng/11.2/contrib/wpa/wpa_supplicant/hs20_supplicant.h
  releng/11.2/contrib/wpa/wpa_supplicant/ibss_rsn.c
  releng/11.2/contrib/wpa/wpa_supplicant/ibss_rsn.h
  releng/11.2/contrib/wpa/wpa_supplicant/interworking.c
  releng/11.2/contrib/wpa/wpa_supplicant/interworking.h
  releng/11.2/contrib/wpa/wpa_supplicant/main.c
  releng/11.2/contrib/wpa/wpa_supplicant/mesh.c
  releng/11.2/contrib/wpa/wpa_supplicant/mesh.h
  releng/11.2/contrib/wpa/wpa_supplicant/mesh_mpm.c
  releng/11.2/contrib/wpa/wpa_supplicant/mesh_mpm.h
  releng/11.2/contrib/wpa/wpa_supplicant/mesh_rsn.c
  releng/11.2/contrib/wpa/wpa_supplicant/mesh_rsn.h
  releng/11.2/contrib/wpa/wpa_supplicant/notify.c
  releng/11.2/contrib/wpa/wpa_supplicant/notify.h
  releng/11.2/contrib/wpa/wpa_supplicant/offchannel.c
  releng/11.2/contrib/wpa/wpa_supplicant/p2p_supplicant.c
  releng/11.2/contrib/wpa/wpa_supplicant/p2p_supplicant.h
  releng/11.2/contrib/wpa/wpa_supplicant/p2p_supplicant_sd.c
  releng/11.2/contrib/wpa/wpa_supplicant/preauth_test.c
  releng/11.2/contrib/wpa/wpa_supplicant/scan.c
  releng/11.2/contrib/wpa/wpa_supplicant/scan.h
  releng/11.2/contrib/wpa/wpa_supplicant/sme.c
  releng/11.2/contrib/wpa/wpa_supplicant/sme.h
  releng/11.2/contrib/wpa/wpa_supplicant/utils/log2pcap.py
  releng/11.2/contrib/wpa/wpa_supplicant/wifi_display.c
  releng/11.2/contrib/wpa/wpa_supplicant/wmm_ac.c
  releng/11.2/contrib/wpa/wpa_supplicant/wmm_ac.h
  releng/11.2/contrib/wpa/wpa_supplicant/wnm_sta.c
  releng/11.2/contrib/wpa/wpa_supplicant/wnm_sta.h
  releng/11.2/contrib/wpa/wpa_supplicant/wpa_cli.c
  releng/11.2/contrib/wpa/wpa_supplicant/wpa_passphrase.c
  releng/11.2/contrib/wpa/wpa_supplicant/wpa_priv.c
  releng/11.2/contrib/wpa/wpa_supplicant/wpa_supplicant.c
  releng/11.2/contrib/wpa/wpa_supplicant/wpa_supplicant.conf
  releng/11.2/contrib/wpa/wpa_supplicant/wpa_supplicant_i.h
  releng/11.2/contrib/wpa/wpa_supplicant/wpa_supplicant_template.conf
  releng/11.2/contrib/wpa/wpa_supplicant/wpas_glue.c
  releng/11.2/contrib/wpa/wpa_supplicant/wpas_kay.c
  releng/11.2/contrib/wpa/wpa_supplicant/wpas_kay.h
  releng/11.2/contrib/wpa/wpa_supplicant/wpas_module_tests.c
  releng/11.2/contrib/wpa/wpa_supplicant/wps_supplicant.c
  releng/11.2/contrib/wpa/wpa_supplicant/wps_supplicant.h
  releng/11.2/usr.sbin/wpa/Makefile.crypto
  releng/11.2/usr.sbin/wpa/Makefile.inc
  releng/11.2/usr.sbin/wpa/hostapd/Makefile
  releng/11.2/usr.sbin/wpa/hostapd_cli/Makefile
  releng/11.2/usr.sbin/wpa/wpa_cli/Makefile
  releng/11.2/usr.sbin/wpa/wpa_supplicant/Makefile

Modified: releng/11.2/contrib/wpa/CONTRIBUTIONS
==============================================================================
--- releng/11.2/contrib/wpa/CONTRIBUTIONS	Tue May 14 22:57:29 2019	(r347587)
+++ releng/11.2/contrib/wpa/CONTRIBUTIONS	Tue May 14 22:59:32 2019	(r347588)
@@ -29,6 +29,34 @@ using your real name. Pseudonyms or anonymous contribu
 unfortunately be accepted.
 
 
+The preferred method of submitting the contribution to the project is by
+email to the hostap mailing list:
+hostap at lists.infradead.org
+Note that the list may require subscription before accepting message
+without moderation. You can subscribe to the list at this address:
+http://lists.infradead.org/mailman/listinfo/hostap
+
+The message should contain an inlined patch against the current
+development branch (i.e., the master branch of
+git://w1.fi/hostap.git). Please make sure the software you use for
+sending the patch does not corrupt whitespace. If that cannot be fixed
+for some reason, it is better to include an attached version of the
+patch file than just send a whitespace damaged version in the message
+body.
+
+The patches should be separate logical changes rather than doing
+everything in a single patch. In other words, please keep cleanup, new
+features, and bug fixes all in their own patches. Each patch needs a
+commit log that describes the changes (what the changes fix, what
+functionality is added, why the changes are useful, etc.).
+
+Please try to follow the coding style used in the project.
+
+In general, the best way of generating a suitable formatted patch file
+is by committing the changes to a cloned git repository and using git
+format-patch. The patch can then be sent, e.g., with git send-email.
+
+
 History of license and contributions terms
 ------------------------------------------
 
@@ -112,7 +140,7 @@ The license terms used for hostap.git files
 
 Modified BSD license (no advertisement clause):
 
-Copyright (c) 2002-2015, Jouni Malinen <j at w1.fi> and contributors
+Copyright (c) 2002-2019, Jouni Malinen <j at w1.fi> and contributors
 All Rights Reserved.
 
 Redistribution and use in source and binary forms, with or without

Modified: releng/11.2/contrib/wpa/COPYING
==============================================================================
--- releng/11.2/contrib/wpa/COPYING	Tue May 14 22:57:29 2019	(r347587)
+++ releng/11.2/contrib/wpa/COPYING	Tue May 14 22:59:32 2019	(r347588)
@@ -1,7 +1,7 @@
 wpa_supplicant and hostapd
 --------------------------
 
-Copyright (c) 2002-2015, Jouni Malinen <j at w1.fi> and contributors
+Copyright (c) 2002-2019, Jouni Malinen <j at w1.fi> and contributors
 All Rights Reserved.
 
 

Modified: releng/11.2/contrib/wpa/README
==============================================================================
--- releng/11.2/contrib/wpa/README	Tue May 14 22:57:29 2019	(r347587)
+++ releng/11.2/contrib/wpa/README	Tue May 14 22:59:32 2019	(r347588)
@@ -1,7 +1,7 @@
 wpa_supplicant and hostapd
 --------------------------
 
-Copyright (c) 2002-2015, Jouni Malinen <j at w1.fi> and contributors
+Copyright (c) 2002-2019, Jouni Malinen <j at w1.fi> and contributors
 All Rights Reserved.
 
 These programs are licensed under the BSD license (the one with

Modified: releng/11.2/contrib/wpa/hostapd/ChangeLog
==============================================================================
--- releng/11.2/contrib/wpa/hostapd/ChangeLog	Tue May 14 22:57:29 2019	(r347587)
+++ releng/11.2/contrib/wpa/hostapd/ChangeLog	Tue May 14 22:59:32 2019	(r347588)
@@ -1,5 +1,188 @@
 ChangeLog for hostapd
 
+2019-04-21 - v2.8
+	* SAE changes
+	  - added support for SAE Password Identifier
+	  - changed default configuration to enable only group 19
+	    (i.e., disable groups 20, 21, 25, 26 from default configuration) and
+	    disable all unsuitable groups completely based on REVmd changes
+	  - improved anti-clogging token mechanism and SAE authentication
+	    frame processing during heavy CPU load; this mitigates some issues
+	    with potential DoS attacks trying to flood an AP with large number
+	    of SAE messages
+	  - added Finite Cyclic Group field in status code 77 responses
+	  - reject use of unsuitable groups based on new implementation guidance
+	    in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
+	    groups with prime >= 256)
+	  - minimize timing and memory use differences in PWE derivation
+	    [https://w1.fi/security/2019-1/] (CVE-2019-9494)
+	  - fixed confirm message validation in error cases
+	    [https://w1.fi/security/2019-3/] (CVE-2019-9496)
+	* EAP-pwd changes
+	  - minimize timing and memory use differences in PWE derivation
+	    [https://w1.fi/security/2019-2/] (CVE-2019-9495)
+	  - verify peer scalar/element
+	    [https://w1.fi/security/2019-4/] (CVE-2019-9497 and CVE-2019-9498)
+	  - fix message reassembly issue with unexpected fragment
+	    [https://w1.fi/security/2019-5/]
+	  - enforce rand,mask generation rules more strictly
+	  - fix a memory leak in PWE derivation
+	  - disallow ECC groups with a prime under 256 bits (groups 25, 26, and
+	    27)
+	* Hotspot 2.0 changes
+	  - added support for release number 3
+	  - reject release 2 or newer association without PMF
+	* added support for RSN operating channel validation
+	  (CONFIG_OCV=y and configuration parameter ocv=1)
+	* added Multi-AP protocol support
+	* added FTM responder configuration
+	* fixed build with LibreSSL
+	* added FT/RRB workaround for short Ethernet frame padding
+	* fixed KEK2 derivation for FILS+FT
+	* added RSSI-based association rejection from OCE
+	* extended beacon reporting functionality
+	* VLAN changes
+	  - allow local VLAN management with remote RADIUS authentication
+	  - add WPA/WPA2 passphrase/PSK -based VLAN assignment
+	* OpenSSL: allow systemwide policies to be overridden
+	* extended PEAP to derive EMSK to enable use with ERP/FILS
+	* extended WPS to allow SAE configuration to be added automatically
+	  for PSK (wps_cred_add_sae=1)
+	* fixed FT and SA Query Action frame with AP-MLME-in-driver cases
+	* OWE: allow Diffie-Hellman Parameter element to be included with DPP
+	  in preparation for DPP protocol extension
+	* RADIUS server: started to accept ERP keyName-NAI as user identity
+	  automatically without matching EAP database entry
+	* fixed PTK rekeying with FILS and FT
+
+2018-12-02 - v2.7
+	* fixed WPA packet number reuse with replayed messages and key
+	  reinstallation
+	  [http://w1.fi/security/2017-1/] (CVE-2017-13082)
+	* added support for FILS (IEEE 802.11ai) shared key authentication
+	* added support for OWE (Opportunistic Wireless Encryption, RFC 8110;
+	  and transition mode defined by WFA)
+	* added support for DPP (Wi-Fi Device Provisioning Protocol)
+	* FT:
+	  - added local generation of PMK-R0/PMK-R1 for FT-PSK
+	    (ft_psk_generate_local=1)
+	  - replaced inter-AP protocol with a cleaner design that is more
+	    easily extensible; this breaks backward compatibility and requires
+	    all APs in the ESS to be updated at the same time to maintain FT
+	    functionality
+	  - added support for wildcard R0KH/R1KH
+	  - replaced r0_key_lifetime (minutes) parameter with
+	    ft_r0_key_lifetime (seconds)
+	  - fixed wpa_psk_file use for FT-PSK
+	  - fixed FT-SAE PMKID matching
+	  - added expiration to PMK-R0 and PMK-R1 cache
+	  - added IEEE VLAN support (including tagged VLANs)
+	  - added support for SHA384 based AKM
+	* SAE
+	  - fixed some PMKSA caching cases with SAE
+	  - added support for configuring SAE password separately of the
+	    WPA2 PSK/passphrase
+	  - added option to require MFP for SAE associations
+	    (sae_require_pmf=1)
+	  - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection
+	    for SAE;
+	    note: this is not backwards compatible, i.e., both the AP and
+	    station side implementations will need to be update at the same
+	    time to maintain interoperability
+	  - added support for Password Identifier
+	* hostapd_cli: added support for command history and completion
+	* added support for requesting beacon report
+	* large number of other fixes, cleanup, and extensions
+	* added option to configure EAPOL-Key retry limits
+	  (wpa_group_update_count and wpa_pairwise_update_count)
+	* removed all PeerKey functionality
+	* fixed nl80211 AP mode configuration regression with Linux 4.15 and
+	  newer
+	* added support for using wolfSSL cryptographic library
+	* fixed some 20/40 MHz coexistence cases where the BSS could drop to
+	  20 MHz even when 40 MHz would be allowed
+	* Hotspot 2.0
+	  - added support for setting Venue URL ANQP-element (venue_url)
+	  - added support for advertising Hotspot 2.0 operator icons
+	  - added support for Roaming Consortium Selection element
+	  - added support for Terms and Conditions
+	  - added support for OSEN connection in a shared RSN BSS
+	* added support for using OpenSSL 1.1.1
+	* added EAP-pwd server support for salted passwords
+
+2016-10-02 - v2.6
+	* fixed EAP-pwd last fragment validation
+	  [http://w1.fi/security/2015-7/] (CVE-2015-5314)
+	* fixed WPS configuration update vulnerability with malformed passphrase
+	  [http://w1.fi/security/2016-1/] (CVE-2016-4476)
+	* extended channel switch support for VHT bandwidth changes
+	* added support for configuring new ANQP-elements with
+	  anqp_elem=<InfoID>:<hexdump of payload>
+	* fixed Suite B 192-bit AKM to use proper PMK length
+	  (note: this makes old releases incompatible with the fixed behavior)
+	* added no_probe_resp_if_max_sta=1 parameter to disable Probe Response
+	  frame sending for not-associated STAs if max_num_sta limit has been
+	  reached
+	* added option (-S as command line argument) to request all interfaces
+	  to be started at the same time
+	* modified rts_threshold and fragm_threshold configuration parameters
+	  to allow -1 to be used to disable RTS/fragmentation
+	* EAP-pwd: added support for Brainpool Elliptic Curves
+	  (with OpenSSL 1.0.2 and newer)
+	* fixed EAPOL reauthentication after FT protocol run
+	* fixed FTIE generation for 4-way handshake after FT protocol run
+	* fixed and improved various FST operations
+	* TLS server
+	  - support SHA384 and SHA512 hashes
+	  - support TLS v1.2 signature algorithm with SHA384 and SHA512
+	  - support PKCS #5 v2.0 PBES2
+	  - support PKCS #5 with PKCS #12 style key decryption
+	  - minimal support for PKCS #12
+	  - support OCSP stapling (including ocsp_multi)
+	* added support for OpenSSL 1.1 API changes
+	  - drop support for OpenSSL 0.9.8
+	  - drop support for OpenSSL 1.0.0
+	* EAP-PEAP: support fast-connect crypto binding
+	* RADIUS
+	  - fix Called-Station-Id to not escape SSID
+	  - add Event-Timestamp to all Accounting-Request packets
+	  - add Acct-Session-Id to Accounting-On/Off
+	  - add Acct-Multi-Session-Id  ton Access-Request packets
+	  - add Service-Type (= Frames)
+	  - allow server to provide PSK instead of passphrase for WPA-PSK
+	    Tunnel_password case
+	  - update full message for interim accounting updates
+	  - add Acct-Delay-Time into Accounting messages
+	  - add require_message_authenticator configuration option to require
+	    CoA/Disconnect-Request packets to be authenticated
+	* started to postpone WNM-Notification frame sending by 100 ms so that
+	  the STA has some more time to configure the key before this frame is
+	  received after the 4-way handshake
+	* VHT: added interoperability workaround for 80+80 and 160 MHz channels
+	* extended VLAN support (per-STA vif, etc.)
+	* fixed PMKID derivation with SAE
+	* nl80211
+	  - added support for full station state operations
+	  - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use
+	    unencrypted EAPOL frames
+	* added initial MBO support; number of extensions to WNM BSS Transition
+	  Management
+	* added initial functionality for location related operations
+	* added assocresp_elements parameter to allow vendor specific elements
+	  to be added into (Re)Association Response frames
+	* improved Public Action frame addressing
+	  - use Address 3 = wildcard BSSID in GAS response if a query from an
+	    unassociated STA used that address
+	  - fix TX status processing for Address 3 = wildcard BSSID
+	  - add gas_address3 configuration parameter to control Address 3
+	    behavior
+	* added command line parameter -i to override interface parameter in
+	  hostapd.conf
+	* added command completion support to hostapd_cli
+	* added passive client taxonomy determination (CONFIG_TAXONOMY=y
+	  compile option and "SIGNATURE <addr>" control interface command)
+	* number of small fixes
+
 2015-09-27 - v2.5
 	* fixed WPS UPnP vulnerability with HTTP chunked transfer encoding
 	  [http://w1.fi/security/2015-2/] (CVE-2015-4141)

Modified: releng/11.2/contrib/wpa/hostapd/README
==============================================================================
--- releng/11.2/contrib/wpa/hostapd/README	Tue May 14 22:57:29 2019	(r347587)
+++ releng/11.2/contrib/wpa/hostapd/README	Tue May 14 22:59:32 2019	(r347588)
@@ -2,7 +2,7 @@ hostapd - user space IEEE 802.11 AP and IEEE 802.1X/WP
 	  Authenticator and RADIUS authentication server
 ================================================================
 
-Copyright (c) 2002-2015, Jouni Malinen <j at w1.fi> and contributors
+Copyright (c) 2002-2019, Jouni Malinen <j at w1.fi> and contributors
 All Rights Reserved.
 
 This program is licensed under the BSD license (the one with
@@ -70,7 +70,7 @@ Requirements
 Current hardware/software requirements:
 - drivers:
 	Host AP driver for Prism2/2.5/3.
-	(http://hostap.epitest.fi/)
+	(http://w1.fi/hostap-driver.html)
 	Please note that station firmware version needs to be 1.7.0 or newer
 	to work in WPA mode.
 
@@ -81,8 +81,7 @@ Current hardware/software requirements:
 	Any wired Ethernet driver for wired IEEE 802.1X authentication
 	(experimental code)
 
-	FreeBSD -current (with some kernel mods that have not yet been
-	committed when hostapd v0.3.0 was released)
+	FreeBSD -current
 	BSD net80211 layer (e.g., Atheros driver)
 
 
@@ -186,24 +185,14 @@ Authenticator and RADIUS encapsulation between the Aut
 the Authentication Server. Other than this, the functionality is similar
 to the case with the co-located Authentication Server.
 
-Authentication Server and Supplicant
-------------------------------------
+Authentication Server
+---------------------
 
 Any RADIUS server supporting EAP should be usable as an IEEE 802.1X
 Authentication Server with hostapd Authenticator. FreeRADIUS
 (http://www.freeradius.org/) has been successfully tested with hostapd
-Authenticator and both Xsupplicant (http://www.open1x.org) and Windows
-XP Supplicants. EAP/TLS was used with Xsupplicant and
-EAP/MD5-Challenge with Windows XP.
+Authenticator.
 
-http://www.missl.cs.umd.edu/wireless/eaptls/ has useful information
-about using EAP/TLS with FreeRADIUS and Xsupplicant (just replace
-Cisco access point with Host AP driver, hostapd daemon, and a Prism2
-card ;-). http://www.freeradius.org/doc/EAP-MD5.html has information
-about using EAP/MD5 with FreeRADIUS, including instructions for WinXP
-configuration. http://www.denobula.com/EAPTLS.pdf has a HOWTO on
-EAP/TLS use with WinXP Supplicant.
-
 Automatic WEP key configuration
 -------------------------------
 
@@ -243,16 +232,15 @@ networks that require some kind of security. Task grou
 of IEEE 802.11 working group (http://www.ieee802.org/11/) has worked
 to address the flaws of the base standard and has in practice
 completed its work in May 2004. The IEEE 802.11i amendment to the IEEE
-802.11 standard was approved in June 2004 and this amendment is likely
-to be published in July 2004.
+802.11 standard was approved in June 2004 and this amendment was
+published in July 2004.
 
 Wi-Fi Alliance (http://www.wi-fi.org/) used a draft version of the
 IEEE 802.11i work (draft 3.0) to define a subset of the security
 enhancements that can be implemented with existing wlan hardware. This
 is called Wi-Fi Protected Access<TM> (WPA). This has now become a
 mandatory component of interoperability testing and certification done
-by Wi-Fi Alliance. Wi-Fi provides information about WPA at its web
-site (http://www.wi-fi.org/OpenSection/protected_access.asp).
+by Wi-Fi Alliance.
 
 IEEE 802.11 standard defined wired equivalent privacy (WEP) algorithm
 for protecting wireless networks. WEP uses RC4 with 40-bit keys,

Added: releng/11.2/contrib/wpa/hostapd/README-MULTI-AP
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ releng/11.2/contrib/wpa/hostapd/README-MULTI-AP	Tue May 14 22:59:32 2019	(r347588)
@@ -0,0 +1,160 @@
+hostapd, wpa_supplicant and the Multi-AP Specification
+======================================================
+
+This document describes how hostapd and wpa_supplicant can be configured to
+support the Multi-AP Specification.
+
+Introduction to Multi-AP
+------------------------
+
+The Wi-Fi Alliance Multi-AP Specification is the technical specification for
+Wi-Fi CERTIFIED EasyMesh(TM) [1], the Wi-Fi Alliance® certification program for
+Multi-AP. It defines control protocols between Wi-Fi® access points (APs) to
+join them into a network with centralized control and operation. It is targeted
+only at routers (repeaters, gateways, ...), not at clients. Clients are not
+involved at all in the protocols.
+
+Most of the Multi-AP specification falls outside of the scope of
+hostapd/wpa_supplicant. hostapd/wpa_supplicant is only involved for the items
+summarized below. The rest of the protocol must be implemented by a separate
+daemon, e.g., prplMesh [2]. That daemon also needs to communicate with hostapd,
+e.g., to get a list of associated clients, but this can be done using the normal
+hostapd interfaces.
+
+hostapd/wpa_supplicant needs to be configured specifically to support:
+- the WPS onboarding process;
+- configuring backhaul links.
+
+The text below refers to "Multi-AP Specification v1.0" [3].
+
+
+Fronthaul and backhaul links
+----------------------------
+
+In a Multi-AP network, the central controller can configure the BSSs on the
+devices that are joined into the network. These are called fronthaul BSSs.
+From the point of view of hostapd, there is nothing special about these
+fronthaul BSSs.
+
+In addition to fronthaul BSSs, the controller can also configure backhaul
+links. A backhaul link is a link between two access point devices, giving
+internet access to access point devices that don't have a wired link. The
+Multi-AP specification doesn't dictate this, but typically the backhaul link
+will be bridged into a LAN together with (one of) the fronthaul BSS(s) and the
+wired Ethernet ports.
+
+A backhaul link must be treated specially by hostapd and wpa_supplicant. One
+side of the backhaul link is configured through the Multi-AP protocol as the
+"backhaul STA", i.e., the client side of the link. A backhaul STA is like any
+station and is handled appropriately by wpa_supplicant, but two additional
+features are required. It must send an additional information element in each
+(Re)Association Request frame ([3], section 5.2, paragraph 4). In addition, it
+must use 4-address mode for all frames sent over this link ([3], section 14).
+Therefore, wpa_supplicant must be configured explicitly as the backhaul STA
+role, by setting 'multi_ap_backhaul_sta=1' in the network configuration block
+or when configuring the network profile through the control interface. When
+'multi_ap_backhaul_sta=1', wpa_supplicant includes the Multi-AP IE in
+(Re)Association Request frame and verifies that it is included in the
+(Re)Association Response frame. If it is not, association fails. If it is,
+wpa_supplicant sets 4-address mode for this interface through a driver
+callback.
+
+The AP side of the backhaul link is called a "backhaul BSS". Such a BSS must
+be handled specially by hostapd, because it must add an additional information
+element in each (Re)Association Response frame, but only to stations that have
+identified themselves as backhaul stations ([3], section 5.2, paragraph 5-6).
+This is important because it is possible to use the same BSS and SSID for
+fronthaul and backhaul at the same time. The additional information element must
+only be used for frames sent to a backhaul STA, not to a normal STA. Also,
+frames sent to a backhaul STA must use 4-address mode, while frames sent to a
+normal STA (fronthaul, when it's a fronthaul and backhaul BSS) must use
+3-address mode.
+
+A BSS is configured in Multi-AP mode in hostapd by setting the 'multi_ap'
+configuration option to 1 (backhaul BSS), 2 (fronthaul BSS), or 3
+(simultaneous backhaul and fronthaul BSS). If this option is set, hostapd
+parses the Multi-AP information element in the Association Request frame. If the
+station is a backhaul STA and the BSS is configured as a backhaul BSS,
+hostapd sets up 4-address mode. Since there may be multiple stations connected
+simultaneously, and each of them has a different RA (receiver address), a VLAN
+is created for each backhaul STA and it is automatically added to a bridge.
+This is the same behavior as for WDS, and the relevant option ('bridge' or
+'wds_bridge') applies here as well.
+
+If 'multi_ap' is 1 (backhaul BSS only), any station that tries to associate
+without the Multi-AP information element will be denied.
+
+If 'multi_ap' is 2 (fronthaul BSS only), any station that tries to associate
+with the Multi-AP information element will be denied. That is also the only
+difference with 'multi_ap' set to 0: in the latter case, the Multi-AP
+information element is simply ignored.
+
+In summary, this is the end-to-end behavior for a backhaul BSS (i.e.,
+multi_ap_backhaul_sta=1 in wpa_supplicant on STA, and multi_ap=1 or 3 in
+hostapd on AP). Note that point 1 means that hostapd must not be configured
+with WPS support on the backhaul BSS (multi_ap=1). hostapd does not check for
+that.
+
+1. Backhaul BSS beacons do not advertise WPS support (other than that, nothing
+   Multi-AP specific).
+2. STA sends Authentication frame (nothing Multi-AP specific).
+3. AP sends Authentication frame (nothing Multi-AP specific).
+4. STA sends Association Request frame with Multi-AP IE.
+5. AP sends Association Response frame with Multi-AP IE.
+6. STA and AP both use 4-address mode for Data frames.
+
+
+WPS support
+-----------
+
+WPS requires more special handling. WPS must only be advertised on fronthaul
+BSSs, not on backhaul BSSs, so WPS should not be enabled on a backhaul-only
+BSS in hostapd.conf. The WPS configuration purely works on the fronthaul BSS.
+When a WPS M1 message has an additional subelement that indicates a request for
+a Multi-AP backhaul link, hostapd must not respond with the normal fronthaul
+BSS credentials; instead, it should respond with the (potentially different)
+backhaul BSS credentials.
+
+To support this, hostapd has the 'multi_ap_backhaul_ssid',
+'multi_ap_backhaul_wpa_psk' and 'multi_ap_backhaul_wpa_passphrase' options.
+When these are set on an BSS with WPS, they are used instead of the normal
+credentials when hostapd receives a WPS M1 message with the Multi-AP IE. Only
+WPA2-Personal is supported in the Multi-AP specification, so there is no need
+to specify authentication or encryption options. For the backhaul credentials,
+per-device PSK is not supported.
+
+If the BSS is a simultaneous backhaul and fronthaul BSS, there is no need to
+specify the backhaul credentials, since the backhaul and fronthaul credentials
+are identical.
+
+To enable the Multi-AP backhaul STA feature when it performs WPS, a new
+parameter has been introduced to the WPS_PBC control interface call. When this
+"multi_ap=1" option is set, it adds the Multi-AP backhaul subelement to the
+Association Request frame and the M1 message. It then configures the new network
+profile with 'multi_ap_backhaul_sta=1'. Note that this means that if the AP does
+not follow the Multi-AP specification, wpa_supplicant will fail to associate.
+
+In summary, this is the end-to-end behavior for WPS of a backhaul link (i.e.,
+multi_ap=1 option is given in the wps_pbc call on the STA side, and multi_ap=2
+and multi_ap_backhaul_ssid and either multi_ap_backhaul_wpa_psk or
+multi_ap_backhaul_wpa_passphrase are set to the credentials of a backhaul BSS
+in hostapd on Registrar AP).
+
+1. Fronthaul BSS Beacon frames advertise WPS support (nothing Multi-AP
+   specific).
+2. Enrollee sends Authentication frame (nothing Multi-AP specific).
+3. AP sends Authentication frame (nothing Multi-AP specific).
+4. Enrollee sends Association Request frame with Multi-AP IE.
+5. AP sends Association Response frame with Multi-AP IE.
+6. Enrollee sends M1 with additional Multi-AP subelement.
+7. AP sends M8 with backhaul instead of fronthaul credentials.
+8. Enrollee sends Deauthentication frame.
+
+
+References
+----------
+
+[1] https://www.wi-fi.org/discover-wi-fi/wi-fi-easymesh
+[2] https://github.com/prplfoundation/prplMesh
+[3] https://www.wi-fi.org/file/multi-ap-specification-v10
+    (requires registration)

Modified: releng/11.2/contrib/wpa/hostapd/config_file.c
==============================================================================
--- releng/11.2/contrib/wpa/hostapd/config_file.c	Tue May 14 22:57:29 2019	(r347587)
+++ releng/11.2/contrib/wpa/hostapd/config_file.c	Tue May 14 22:59:32 2019	(r347588)
@@ -1,6 +1,6 @@
 /*
  * hostapd / Configuration file parser
- * Copyright (c) 2003-2015, Jouni Malinen <j at w1.fi>
+ * Copyright (c) 2003-2018, Jouni Malinen <j at w1.fi>
  *
  * This software may be distributed under the terms of the BSD license.
  * See README for more details.
@@ -14,6 +14,8 @@
 #include "utils/common.h"
 #include "utils/uuid.h"
 #include "common/ieee802_11_defs.h"
+#include "crypto/sha256.h"
+#include "crypto/tls.h"
 #include "drivers/driver.h"
 #include "eap_server/eap.h"
 #include "radius/radius_client.h"
@@ -35,7 +37,7 @@ static int hostapd_config_read_vlan_file(struct hostap
 					 const char *fname)
 {
 	FILE *f;
-	char buf[128], *pos, *pos2;
+	char buf[128], *pos, *pos2, *pos3;
 	int line = 0, vlan_id;
 	struct hostapd_vlan *vlan;
 
@@ -80,7 +82,10 @@ static int hostapd_config_read_vlan_file(struct hostap
 		pos2 = pos;
 		while (*pos2 != ' ' && *pos2 != '\t' && *pos2 != '\0')
 			pos2++;
-		*pos2 = '\0';
+
+		if (*pos2 != '\0')
+			*(pos2++) = '\0';
+
 		if (*pos == '\0' || os_strlen(pos) > IFNAMSIZ) {
 			wpa_printf(MSG_ERROR, "Invalid VLAN ifname at line %d "
 				   "in '%s'", line, fname);
@@ -88,6 +93,13 @@ static int hostapd_config_read_vlan_file(struct hostap
 			return -1;
 		}
 
+		while (*pos2 == ' ' || *pos2 == '\t')
+			pos2++;
+		pos3 = pos2;
+		while (*pos3 != ' ' && *pos3 != '\t' && *pos3 != '\0')
+			pos3++;
+		*pos3 = '\0';
+
 		vlan = os_zalloc(sizeof(*vlan));
 		if (vlan == NULL) {
 			wpa_printf(MSG_ERROR, "Out of memory while reading "
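Review bot: The new bridge token (`pos2` up to `pos3`) is never length-checked, unlike the ifname just above it. The `os_strlcpy(vlan->bridge, pos2, sizeof(vlan->bridge))` added in the next hunk therefore silently truncates an over-long name, and the VLAN interface could end up attached to a different bridge than the one written in the file. After `*pos3 = '\0';` I would reject such a line the same way the ifname check does, guarded by `if (os_strlen(pos2) >= sizeof(vlan->bridge))`. The declaration of `vlan->bridge` is not part of this diff, and the read loop of hostapd_config_read_vlan_file starts and ends outside the hunk.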
@@ -97,7 +109,10 @@ static int hostapd_config_read_vlan_file(struct hostap
 		}
 
 		vlan->vlan_id = vlan_id;
+		vlan->vlan_desc.untagged = vlan_id;
+		vlan->vlan_desc.notempty = !!vlan_id;
 		os_strlcpy(vlan->ifname, pos, sizeof(vlan->ifname));
+		os_strlcpy(vlan->bridge, pos2, sizeof(vlan->bridge));
 		vlan->next = bss->vlan;
 		bss->vlan = vlan;
 	}
@@ -109,7 +124,7 @@ static int hostapd_config_read_vlan_file(struct hostap
 #endif /* CONFIG_NO_VLAN */
 
 
-static int hostapd_acl_comp(const void *a, const void *b)
+int hostapd_acl_comp(const void *a, const void *b)
 {
 	const struct mac_acl_entry *aa = a;
 	const struct mac_acl_entry *bb = b;
@@ -117,6 +132,44 @@ static int hostapd_acl_comp(const void *a, const void 
 }
 
 
+int hostapd_add_acl_maclist(struct mac_acl_entry **acl, int *num,
+			    int vlan_id, const u8 *addr)
+{
+	struct mac_acl_entry *newacl;
+
+	newacl = os_realloc_array(*acl, *num + 1, sizeof(**acl));
+	if (!newacl) {
+		wpa_printf(MSG_ERROR, "MAC list reallocation failed");
+		return -1;
+	}
+
+	*acl = newacl;
+	os_memcpy((*acl)[*num].addr, addr, ETH_ALEN);
+	os_memset(&(*acl)[*num].vlan_id, 0, sizeof((*acl)[*num].vlan_id));
+	(*acl)[*num].vlan_id.untagged = vlan_id;
+	(*acl)[*num].vlan_id.notempty = !!vlan_id;
+	(*num)++;
+
+	return 0;
+}
+
+
+void hostapd_remove_acl_mac(struct mac_acl_entry **acl, int *num,
+			    const u8 *addr)
+{
+	int i = 0;
+
+	while (i < *num) {
+		if (os_memcmp((*acl)[i].addr, addr, ETH_ALEN) == 0) {
+			os_remove_in_array(*acl, *num, sizeof(**acl), i);
+			(*num)--;
+		} else {
+			i++;
+		}
+	}
+}
+
+
 static int hostapd_config_read_maclist(const char *fname,
 				       struct mac_acl_entry **acl, int *num)
 {
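Review bot: hostapd_add_acl_maclist() copies `vlan_id` into `vlan_id.untagged` with no range check. The only caller visible in this diff, hostapd_config_read_maclist(), passes `atoi(pos)` straight from the MAC list file, so negative or oversized IDs are accepted. The function is not `static`, so presumably code outside this file will call it as well, which makes the helper the natural place for the check: `if (vlan_id < 0 || vlan_id > MAX_VLAN_ID) return -1;` before the realloc. Both new functions would also benefit from a short header comment saying that `*acl` may be reallocated and `*num` is updated in place.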
@@ -124,12 +177,8 @@ static int hostapd_config_read_maclist(const char *fna
 	char buf[128], *pos;
 	int line = 0;
 	u8 addr[ETH_ALEN];
-	struct mac_acl_entry *newacl;
 	int vlan_id;
 
-	if (!fname)
-		return 0;
-
 	f = fopen(fname, "r");
 	if (!f) {
 		wpa_printf(MSG_ERROR, "MAC list file '%s' not found.", fname);
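Review bot: With the `if (!fname) return 0;` guard removed, `fopen(fname, "r")` is reached with whatever the caller passes, so a non-NULL `fname` is now an unstated precondition. The same applies to hostapd_config_read_eap_user() further down, where the removed guard sat directly before `os_strncmp(fname, "sqlite:", 7)`. The call sites are not part of these hunks, so I cannot confirm that every one of them checks first. A one-line comment above each function, `/* fname must not be NULL */`, would make the contract explicit.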
@@ -137,7 +186,7 @@ static int hostapd_config_read_maclist(const char *fna
 	}
 
 	while (fgets(buf, sizeof(buf), f)) {
-		int i, rem = 0;
+		int rem = 0;
 
 		line++;
 
@@ -167,16 +216,7 @@ static int hostapd_config_read_maclist(const char *fna
 		}
 
 		if (rem) {
-			i = 0;
-			while (i < *num) {
-				if (os_memcmp((*acl)[i].addr, addr, ETH_ALEN) ==
-				    0) {
-					os_remove_in_array(*acl, *num,
-							   sizeof(**acl), i);
-					(*num)--;
-				} else
-					i++;
-			}
+			hostapd_remove_acl_mac(acl, num, addr);
 			continue;
 		}
 		vlan_id = 0;
@@ -188,28 +228,78 @@ static int hostapd_config_read_maclist(const char *fna
 		if (*pos != '\0')
 			vlan_id = atoi(pos);
 
-		newacl = os_realloc_array(*acl, *num + 1, sizeof(**acl));
-		if (newacl == NULL) {
-			wpa_printf(MSG_ERROR, "MAC list reallocation failed");
+		if (hostapd_add_acl_maclist(acl, num, vlan_id, addr) < 0) {
 			fclose(f);
 			return -1;
 		}
-
-		*acl = newacl;
-		os_memcpy((*acl)[*num].addr, addr, ETH_ALEN);
-		(*acl)[*num].vlan_id = vlan_id;
-		(*num)++;
 	}
 
 	fclose(f);
 
-	qsort(*acl, *num, sizeof(**acl), hostapd_acl_comp);
+	if (*acl)
+		qsort(*acl, *num, sizeof(**acl), hostapd_acl_comp);
 
 	return 0;
 }
 
 
 #ifdef EAP_SERVER
+
+static int hostapd_config_eap_user_salted(struct hostapd_eap_user *user,
+					  const char *hash, size_t len,
+					  char **pos, int line,
+					  const char *fname)
+{
+	char *pos2 = *pos;
+
+	while (*pos2 != '\0' && *pos2 != ' ' && *pos2 != '\t' && *pos2 != '#')
+		pos2++;
+
+	if (pos2 - *pos < (int) (2 * (len + 1))) { /* at least 1 byte of salt */
+		wpa_printf(MSG_ERROR,
+			   "Invalid salted %s hash on line %d in '%s'",
+			   hash, line, fname);
+		return -1;
+	}
+
+	user->password = os_malloc(len);
+	if (!user->password) {
+		wpa_printf(MSG_ERROR,
+			   "Failed to allocate memory for salted %s hash",
+			   hash);
+		return -1;
+	}
+
+	if (hexstr2bin(*pos, user->password, len) < 0) {
+		wpa_printf(MSG_ERROR,
+			   "Invalid salted password on line %d in '%s'",
+			   line, fname);
+		return -1;
+	}
+	user->password_len = len;
+	*pos += 2 * len;
+
+	user->salt_len = (pos2 - *pos) / 2;
+	user->salt = os_malloc(user->salt_len);
+	if (!user->salt) {
+		wpa_printf(MSG_ERROR,
+			   "Failed to allocate memory for salted %s hash",
+			   hash);
+		return -1;
+	}
+
+	if (hexstr2bin(*pos, user->salt, user->salt_len) < 0) {
+		wpa_printf(MSG_ERROR,
+			   "Invalid salt for password on line %d in '%s'",
+			   line, fname);
+		return -1;
+	}
+
+	*pos = pos2;
+	return 0;
+}
+
+
 static int hostapd_config_read_eap_user(const char *fname,
 					struct hostapd_bss_config *conf)
 {
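Review bot: In hostapd_config_eap_user_salted() an odd number of hex digits after the hash is not rejected. `user->salt_len = (pos2 - *pos) / 2` rounds down, so the trailing nibble is dropped and the stored salt differs from what the file says; that would only surface later as failed authentications. I would add `if ((pos2 - *pos) & 1)` with an error message and `return -1` after `*pos += 2 * len;`, before `salt_len` is computed. The early `return -1` paths also leave `user->password` (and possibly `user->salt`) allocated, which is fine only if the caller's `failed` path frees the partially filled user; that code is outside this hunk.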
@@ -218,9 +308,6 @@ static int hostapd_config_read_eap_user(const char *fn
 	int line = 0, ret = 0, num_methods;
 	struct hostapd_eap_user *user = NULL, *tail = NULL, *new_user = NULL;
 
-	if (!fname)
-		return 0;
-
 	if (os_strncmp(fname, "sqlite:", 7) == 0) {
 #ifdef CONFIG_SQLITE
 		os_free(conf->eap_user_sqlite);
@@ -307,13 +394,12 @@ static int hostapd_config_read_eap_user(const char *fn
 				goto failed;
 			}
 
-			user->identity = os_malloc(pos - start);
+			user->identity = os_memdup(start, pos - start);
 			if (user->identity == NULL) {
 				wpa_printf(MSG_ERROR, "Failed to allocate "
 					   "memory for EAP identity");
 				goto failed;
 			}
-			os_memcpy(user->identity, start, pos - start);
 			user->identity_len = pos - start;
 
 			if (pos[0] == '"' && pos[1] == '*') {
@@ -431,13 +517,12 @@ static int hostapd_config_read_eap_user(const char *fn
 				goto failed;
 			}
 
-			user->password = os_malloc(pos - start);
+			user->password = os_memdup(start, pos - start);
 			if (user->password == NULL) {
 				wpa_printf(MSG_ERROR, "Failed to allocate "
 					   "memory for EAP password");
 				goto failed;
 			}
-			os_memcpy(user->password, start, pos - start);
 			user->password_len = pos - start;
 
 			pos++;
@@ -466,6 +551,24 @@ static int hostapd_config_read_eap_user(const char *fn
 			user->password_len = 16;
 			user->password_hash = 1;
 			pos = pos2;
+		} else if (os_strncmp(pos, "ssha1:", 6) == 0) {
+			pos += 6;
+			if (hostapd_config_eap_user_salted(user, "sha1", 20,
+							   &pos,
+							   line, fname) < 0)
+				goto failed;
+		} else if (os_strncmp(pos, "ssha256:", 8) == 0) {
+			pos += 8;
+			if (hostapd_config_eap_user_salted(user, "sha256", 32,
+							   &pos,
+							   line, fname) < 0)
+				goto failed;
+		} else if (os_strncmp(pos, "ssha512:", 8) == 0) {
+			pos += 8;
+			if (hostapd_config_eap_user_salted(user, "sha512", 64,
+							   &pos,
+							   line, fname) < 0)
+				goto failed;
 		} else {
 			pos2 = pos;
 			while (*pos2 != '\0' && *pos2 != ' ' &&
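Review bot: The three salted branches pass the prefix lengths (6, 8, 8) and digest sizes (20, 32, 64) as bare literals, and nothing at the call site says what the rest of the token must look like. The helper's visible body reads `len` bytes of hex as the hash and treats the remaining hex digits up to the next space, tab or `#` as salt, so a comment such as `/* ssha1:<40 hex digits of hash><salt in hex, at least 1 byte> */` above the first branch would document the format. The helper also sizes the salt as `(pos2 - *pos) / 2`, so an odd trailing hex digit appears to be dropped rather than rejected; it is worth confirming that this is intended. The enclosing function starts and ends outside the hunk.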
@@ -517,19 +620,15 @@ static int hostapd_config_read_eap_user(const char *fn
 	fclose(f);
 
 	if (ret == 0) {
-		user = conf->eap_user;
-		while (user) {
-			struct hostapd_eap_user *prev;
-
-			prev = user;
-			user = user->next;
-			hostapd_config_free_eap_user(prev);
-		}
+		hostapd_config_free_eap_users(conf->eap_user);
 		conf->eap_user = new_user;
+	} else {
+		hostapd_config_free_eap_users(new_user);
 	}
 
 	return ret;
 }
+
 #endif /* EAP_SERVER */
 
 
@@ -631,8 +730,7 @@ hostapd_parse_radius_attr(const char *value)
 }
 
 
-static int hostapd_parse_das_client(struct hostapd_bss_config *bss,
-				    const char *val)
+static int hostapd_parse_das_client(struct hostapd_bss_config *bss, char *val)
 {
 	char *secret;
 
@@ -640,7 +738,7 @@ static int hostapd_parse_das_client(struct hostapd_bss
 	if (secret == NULL)
 		return -1;
 
-	secret++;
+	*secret++ = '\0';
 
 	if (hostapd_parse_ip_addr(val, &bss->radius_das_client_addr))
 		return -1;
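Review bot: `*secret++ = '\0';` now writes into the caller's buffer, which is why the signature in the previous hunk lost its `const`, but neither place documents it. A one-line comment above the function, for example `/* Splits val in place: the address part is NUL-terminated where the secret begins */`, would make the new contract visible to callers that might pass a string literal or reuse the buffer afterwards. The lookup that sets `secret` sits between the two hunks and is not shown, so the exact separator cannot be named from here. The function body continues past this hunk.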
@@ -680,12 +778,16 @@ static int hostapd_config_parse_key_mgmt(int line, con
 			val |= WPA_KEY_MGMT_PSK;
 		else if (os_strcmp(start, "WPA-EAP") == 0)
 			val |= WPA_KEY_MGMT_IEEE8021X;
-#ifdef CONFIG_IEEE80211R
+#ifdef CONFIG_IEEE80211R_AP
 		else if (os_strcmp(start, "FT-PSK") == 0)
 			val |= WPA_KEY_MGMT_FT_PSK;
 		else if (os_strcmp(start, "FT-EAP") == 0)
 			val |= WPA_KEY_MGMT_FT_IEEE8021X;
-#endif /* CONFIG_IEEE80211R */
+#ifdef CONFIG_SHA384
+		else if (os_strcmp(start, "FT-EAP-SHA384") == 0)
+			val |= WPA_KEY_MGMT_FT_IEEE8021X_SHA384;
+#endif /* CONFIG_SHA384 */
+#endif /* CONFIG_IEEE80211R_AP */
 #ifdef CONFIG_IEEE80211W
 		else if (os_strcmp(start, "WPA-PSK-SHA256") == 0)
 			val |= WPA_KEY_MGMT_PSK_SHA256;
@@ -706,6 +808,30 @@ static int hostapd_config_parse_key_mgmt(int line, con
 		else if (os_strcmp(start, "WPA-EAP-SUITE-B-192") == 0)
 			val |= WPA_KEY_MGMT_IEEE8021X_SUITE_B_192;
 #endif /* CONFIG_SUITEB192 */
+#ifdef CONFIG_FILS
+		else if (os_strcmp(start, "FILS-SHA256") == 0)
+			val |= WPA_KEY_MGMT_FILS_SHA256;
+		else if (os_strcmp(start, "FILS-SHA384") == 0)
+			val |= WPA_KEY_MGMT_FILS_SHA384;
+#ifdef CONFIG_IEEE80211R_AP
+		else if (os_strcmp(start, "FT-FILS-SHA256") == 0)
+			val |= WPA_KEY_MGMT_FT_FILS_SHA256;
+		else if (os_strcmp(start, "FT-FILS-SHA384") == 0)
+			val |= WPA_KEY_MGMT_FT_FILS_SHA384;
+#endif /* CONFIG_IEEE80211R_AP */
+#endif /* CONFIG_FILS */
+#ifdef CONFIG_OWE
+		else if (os_strcmp(start, "OWE") == 0)
+			val |= WPA_KEY_MGMT_OWE;
+#endif /* CONFIG_OWE */
+#ifdef CONFIG_DPP
+		else if (os_strcmp(start, "DPP") == 0)
+			val |= WPA_KEY_MGMT_DPP;
+#endif /* CONFIG_DPP */
+#ifdef CONFIG_HS20
+		else if (os_strcmp(start, "OSEN") == 0)
+			val |= WPA_KEY_MGMT_OSEN;
+#endif /* CONFIG_HS20 */
 		else {
 			wpa_printf(MSG_ERROR, "Line %d: invalid key_mgmt '%s'",
 				   line, start);
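Review bot: A key_mgmt value that is valid but compiled out (for example `OWE` without CONFIG_OWE) lands in the same `invalid key_mgmt` error as a typo, because every new branch sits behind its own `#ifdef`. Rejecting it is the right outcome, but the message could say so, e.g. `"Line %d: invalid or unsupported (not compiled in) key_mgmt '%s'"`, so an operator does not search for a spelling mistake. The FT-EAP-SHA384 branch added in the previous hunk behaves the same way. The enclosing function starts and ends outside the hunk.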
@@ -751,17 +877,34 @@ static int hostapd_config_read_wep(struct hostapd_wep_
 {
 	size_t len = os_strlen(val);
 
-	if (keyidx < 0 || keyidx > 3 || wep->key[keyidx] != NULL)
+	if (keyidx < 0 || keyidx > 3)
 		return -1;
 
+	if (len == 0) {
+		int i, set = 0;
+
+		bin_clear_free(wep->key[keyidx], wep->len[keyidx]);
+		wep->key[keyidx] = NULL;
+		wep->len[keyidx] = 0;
+		for (i = 0; i < NUM_WEP_KEYS; i++) {
+			if (wep->key[i])
+				set++;
+		}
+		if (!set)
+			wep->keys_set = 0;
+		return 0;
+	}
+
+	if (wep->key[keyidx] != NULL)
+		return -1;
+
 	if (val[0] == '"') {
 		if (len < 2 || val[len - 1] != '"')
 			return -1;
 		len -= 2;
-		wep->key[keyidx] = os_malloc(len);
+		wep->key[keyidx] = os_memdup(val + 1, len);
 		if (wep->key[keyidx] == NULL)
 			return -1;
-		os_memcpy(wep->key[keyidx], val + 1, len);
 		wep->len[keyidx] = len;
 	} else {
 		if (len & 1)
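Review bot: The bounds check still uses the literal `3` while the new clearing loop runs to `NUM_WEP_KEYS`; if that constant is the size of `wep->key`, the guard reads better and stays correct as `if (keyidx < 0 || keyidx >= NUM_WEP_KEYS)`. The new empty-value path is also undocumented: a short comment such as `/* Empty value removes the key at keyidx; keys_set is cleared once no key remains */` would explain why `len == 0` returns success instead of an error. The function continues past the end of the hunk.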
@@ -974,7 +1117,27 @@ static int hostapd_config_tx_queue(struct hostapd_conf
 }
 
 
-#ifdef CONFIG_IEEE80211R
+#ifdef CONFIG_IEEE80211R_AP
+
+static int rkh_derive_key(const char *pos, u8 *key, size_t key_len)
+{
+	u8 oldkey[16];
+	int ret;
+
+	if (!hexstr2bin(pos, key, key_len))
+		return 0;
+
+	/* Try to use old short key for backwards compatibility */
+	if (hexstr2bin(pos, oldkey, sizeof(oldkey)))
+		return -1;
+
+	ret = hmac_sha256_kdf(oldkey, sizeof(oldkey), "FT OLDKEY", NULL, 0,
+			      key, key_len);
+	os_memset(oldkey, 0, sizeof(oldkey));
+	return ret;
+}
+
+
 static int add_r0kh(struct hostapd_bss_config *bss, char *value)
 {
 	struct ft_remote_r0kh *r0kh;
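Review bot: The legacy fallback in `rkh_derive_key` accepts any string whose first 32 characters are hex, so a full-length key with one bad digit further along fails the first `hexstr2bin` and then, it seems, is silently treated as an old short key and run through the KDF instead of being rejected. Checking the length first would close that, e.g. `if (os_strlen(pos) != 2 * sizeof(oldkey) || hexstr2bin(pos, oldkey, sizeof(oldkey))) return -1;`, assuming `pos` ends at the key (its callers are only partly visible). Two smaller points: `oldkey` is not wiped on the early `return -1`, and the final `os_memset` is a store to a dead local that an optimiser may drop, so a wipe the compiler cannot elide is preferable if the tree offers one. `add_r0kh` begins in this hunk and continues outside it.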
@@ -1008,7 +1171,7 @@ static int add_r0kh(struct hostapd_bss_config *bss, ch
 	os_memcpy(r0kh->id, pos, r0kh->id_len);
 
 	pos = next;
-	if (hexstr2bin(pos, r0kh->key, sizeof(r0kh->key))) {
+	if (rkh_derive_key(pos, r0kh->key, sizeof(r0kh->key)) < 0) {
 		wpa_printf(MSG_ERROR, "Invalid R0KH key: '%s'", pos);
 		os_free(r0kh);
 		return -1;
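Review bot: The failure path prints the rejected key string itself, `"Invalid R0KH key: '%s'", pos`, at MSG_ERROR; a key with a single typo is still mostly the real shared key, so this can put near-complete key material into logs. Dropping the argument, `wpa_printf(MSG_ERROR, "Invalid R0KH key");`, keeps the diagnostic without the secret, and the same applies to the `Invalid R1KH key` message in the `add_r1kh` hunk that follows. The logging line predates this commit and appears here only as context. Both functions extend beyond their hunks.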
@@ -1053,7 +1216,7 @@ static int add_r1kh(struct hostapd_bss_config *bss, ch
 	}
 
 	pos = next;
-	if (hexstr2bin(pos, r1kh->key, sizeof(r1kh->key))) {
+	if (rkh_derive_key(pos, r1kh->key, sizeof(r1kh->key)) < 0) {
 		wpa_printf(MSG_ERROR, "Invalid R1KH key: '%s'", pos);
 		os_free(r1kh);
 		return -1;
@@ -1064,7 +1227,7 @@ static int add_r1kh(struct hostapd_bss_config *bss, ch
 
 	return 0;
 }
-#endif /* CONFIG_IEEE80211R */
+#endif /* CONFIG_IEEE80211R_AP */
 
 
 #ifdef CONFIG_IEEE80211N
@@ -1081,6 +1244,12 @@ static int hostapd_config_ht_capab(struct hostapd_conf

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

