#
351611 |
|
29-Aug-2019 |
cy |
MFC r351397:
MFV r346563:
Update wpa 2.8 --> 2.9
hostapd: * SAE changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * EAP-pwd changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * fixed FT-EAP initial mobility domain association using PMKSA caching * added configuration of airtime policy * fixed FILS to and RSNE into (Re)Association Response frames * fixed DPP bootstrapping URI parser of channel list * added support for regulatory WMM limitation (for ETSI) * added support for MACsec Key Agreement using IEEE 802.1X/PSK * added experimental support for EAP-TEAP server (RFC 7170) * added experimental support for EAP-TLS server with TLS v1.3 * added support for two server certificates/keys (RSA/ECC) * added AKMSuiteSelector into "STA <addr>" control interface data to determine with AKM was used for an association * added eap_sim_id parameter to allow EAP-SIM/AKA server pseudonym and fast reauthentication use to be disabled * fixed an ECDH operation corner case with OpenSSL
wpa_supplicant: * SAE changes - disable use of groups using Brainpool curves - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * EAP-pwd changes - disable use of groups using Brainpool curves - allow the set of groups to be configured (eap_pwd_groups) - improved protection against side channel attacks [https://w1.fi/security/2019-6/] * fixed FT-EAP initial mobility domain association using PMKSA caching (disabled by default for backwards compatibility; can be enabled with ft_eap_pmksa_caching=1) * fixed a regression in OpenSSL 1.1+ engine loading * added validation of RSNE in (Re)Association Response frames * fixed DPP bootstrapping URI parser of channel list * extended EAP-SIM/AKA fast re-authentication to allow use with FILS * extended ca_cert_blob to support PEM format * improved robustness of P2P Action frame scheduling * added support for EAP-SIM/AKA using anonymous@realm identity * fixed Hotspot 2.0 credential selection based on roaming consortium to ignore credentials without a specific EAP method * added experimental support for EAP-TEAP peer (RFC 7170) * added experimental support for EAP-TLS peer with TLS v1.3 * fixed a regression in WMM parameter configuration for a TDLS peer * fixed a regression in operation with drivers that offload 802.1X 4-way handshake * fixed an ECDH operation corner case with OpenSSL
Security: https://w1.fi/security/2019-6/\ sae-eap-pwd-side-channel-attack-update.txt
|
#
346981 |
|
01-May-2019 |
cy |
MFC r341759, r341839, r346591: The following five MFCs update wpa 2.6 --> 2.8.
r341759: MFV r341618: Update wpa 2.6 --> 2.7.
r341839: Set default ciphers.
Submitted by: jkim@
r346591: Update wpa_supplicant/hostapd 2.7 --> 2.8
Upstream documents the following advisories:
- https://w1.fi/security/2019-1/sae-side-channel-attacks.txt - https://w1.fi/security/2019-2/eap-pwd-side-channel-attack.txt - https://w1.fi/security/2019-3/sae-confirm-missing-state-validation.txt - https://w1.fi/security/2019-4/eap-pwd-missing-commit-validation.txt - https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-\ with-unexpected-fragment.txt
Security: CVE-2019-9494, VU#871675, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497, CVE-2019-9498, CVE-2019-9499
Relnotes: yes
|
#
337817 |
|
14-Aug-2018 |
cy |
MFC r336203, r336499, r336501-r336502, r336506, r336510, r336512-r336513, r336515, r336528-r336531
r336203: MFV r324714:
Update wpa 2.5 --> 2.6.
r336499: MFV: r336485
Address: hostapd: Avoid key reinstallation in FT handshake
Obtained from: https://w1.fi/security/2017-1/\ rebased-v2.6-0001-hostapd-Avoid-key-\ reinstallation-in-FT-handshake.patch
r336501: MFV: r336486
Prevent reinstallation of an already in-use group key. Upline git commit cb5132bb35698cc0c743e34fe0e845dfc4c3e410.
Obtained from: https://w1.fi/security/2017-1/\ rebased-v2.6-0002-Prevent-reinstallation-\ of-an-already-in-use-group-ke.patch
r336502: MFV r336487:
Import upline security patch: Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases. This git commit 87e2db16bafcbc60b8d0016175814a73c1e8ed45.
This commit is is simply a pops change as r324696 already plugged this vulnerability. To maintain consistency with the vendor branch props will be changed.
Obtained from: https://w1.fi/security/2017-1/\ rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-\ reinstallation-of-WNM-.patch
r336506: MFV r336490:
Prevent installation of an all-zero TK. This is also upline git commit 53bb18cc8b7a4da72e47e4b3752d0d2135cffb23.
Obtained from: https://w1.fi/security/2017-1/\ rebased-v2.6-0004-Prevent-installation-\ of-an-all-zero-TK.patch
r336510: MFV r336493:
Fix PTK rekeying to generate a new ANonce. This is also upline git commit 0adc9b28b39d414d5febfff752f6a1576f785c85.
This commit is a NOP, just changing props as the heavy lifting was done by r324696. This just brings us into line with the vendor branch.
Obtained from: https://w1.fi/security/2017-1/\ rebased-v2.6-0005-Fix-PTK-rekeying-to-\ generate-a-new-ANonce.patch
r336512: MFV r336494:
TDLS: Reject TPK-TK reconfiguration. This is also upline git commmit ff89af96e5a35c86f50330d2b86c18323318a60c.
Once again this is a NOP as this is a props change to sync up with the vendor branch. The real commit is in r324696.
Obtained from: https://w1.fi/security/2017-1/\ rebased-v2.6-0006-TDLS-Reject-TPK-TK-\ reconfiguration.patch
r336513: MFV r336495:
Another props change. The real work was done by r324696. We're simply syncing up with the vendor branch again.
mport upline security patch: WNM: Ignore WNM-Sleep Mode Request in wnm_sleep_mode=0 case. This is also upline git commit 114f2830d2c2aee6db23d48240e93415a256a37c.
Obtained from: https://w1.fi/security/2017-1/\ rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-\ Response-without-pending-r.patch
r336515: MFV r336496:
A props change to sync up with the vendor branch. The real work was done by r324696.
FILS: Do not allow multiple (Re)Association Response frames. This is also upline git commit e760851176c77ae6de19821bb1d5bf3ae2cb5187.
Obtained from: https://w1.fi/security/2017-1/\ rebased-v2.6-0008-FT-Do-not-allow-multiple-\ Reassociation-Response-fram.patch
r336528: Revert r336501. It was a of the wrong rev from the vendor branch.
r336529: MFV: r336486
Prevent reinstallation of an already in-use group key. Upline git commit cb5132bb35698cc0c743e34fe0e845dfc4c3e410.
Obtained from: https://w1.fi/security/2017-1/\ rebased-v2.6-0002-Prevent-reinstallation-\ of-an-already-in-use-group-ke.patch
r336530: To reduce our diff between our sources and our upline, sync up with upline. Also making it easier to read.
Obtained from: diffing base with ports
r336531: Remove a redundant declaration.
While at it add a blank line, conforming with the convention used in this file.
|
#
302408 |
|
07-Jul-2016 |
gjb |
Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle. Prune svn:mergeinfo from the new branch, as nothing has been merged here.
Additional commits post-branch will follow.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
#
289549 |
|
18-Oct-2015 |
rpaulo |
Update hostapd/wpa_supplicant to version 2.5.
Tested by several people on current@/wireless@.
Relnotes: yes
|
#
281806 |
|
20-Apr-2015 |
rpaulo |
Merge wpa_supplicant/hostapd 2.4.
Major changes are: SAE, Suite B, RFC 7268, EAP-PKE, ACS, and tons of bug fixes.
Relnotes: yes
|
#
252726 |
|
04-Jul-2013 |
rpaulo |
Merge hostapd / wpa_supplicant 2.0.
Reviewed by: adrian (driver_bsd + usr.sbin/wpa)
|
#
214734 |
|
03-Nov-2010 |
rpaulo |
Merge wpa_supplicant and hostapd 0.7.3.
|
#
214503 |
|
29-Oct-2010 |
rpaulo |
Import hostapd 0.7.3.
Changes:
2010-09-07 - v0.7.3 * fixed re-association after WPS not initializing WPA state machine in some cases * fixed WPS IE update on reconfiguration * fixed WPS code not to proxy Probe Request frames for foreign SSIDs * added WPS workaround for open networks and some known interop issues * fixed WPS Diffie-Hellman derivation to use correct public key length * fixed FT RRB messages on big endian CPUs * changed WPS protection for brute force AP PIN attacks to disable AP PIN only temporarily (but with increasing time) to avoid usability issues on Label-only devices * added wps_ap_pin command for more secure handling of AP PIN operations (e.g., to generate a random AP PIN and only use it for short amount of time) * fixed HT STBC negotiation
2010-04-18 - v0.7.2 * fix WPS internal Registrar use when an external Registrar is also active * bsd: Cleaned up driver wrapper and added various low-level configuration options * TNC: fixed issues with fragmentation * EAP-TNC: add Flags field into fragment acknowledgement (needed to interoperate with other implementations; may potentially breaks compatibility with older wpa_supplicant/hostapd versions) * cleaned up driver wrapper API for multi-BSS operations * nl80211: fix multi-BSS and VLAN operations * fix number of issues with IEEE 802.11r/FT; this version is not backwards compatible with old versions * add SA Query Request processing in AP mode (IEEE 802.11w) * fix IGTK PN in group rekeying (IEEE 802.11w) * fix WPS PBC session overlap detection to use correct attribute * hostapd_notif_Assoc() can now be called with all IEs to simplify driver wrappers * work around interoperability issue with some WPS External Registrar implementations * nl80211: fix WPS IE update * hostapd_cli: add support for action script operations (run a script on hostapd events) * fix DH padding with internal crypto code (mainly, for WPS) * fix WPS association with both WPS IE and WPA/RSN IE present with driver wrappers that use hostapd MLME (e.g., nl80211)
2010-01-16 - v0.7.1 * cleaned up driver wrapper API (struct wpa_driver_ops); the new API is not fully backwards compatible, so out-of-tree driver wrappers will need modifications * cleaned up various module interfaces * merge hostapd and wpa_supplicant developers' documentation into a single document * fixed HT Capabilities IE with nl80211 drivers * moved generic AP functionality code into src/ap * WPS: handle Selected Registrar as union of info from all Registrars * remove obsolte Prism54.org driver wrapper * added internal debugging mechanism with backtrace support and memory allocation/freeing validation, etc. tests (CONFIG_WPA_TRACE=y) * EAP-FAST server: piggyback Phase 2 start with the end of Phase 1 * WPS: add support for dynamically selecting whether to provision the PSK as an ASCII passphrase or PSK * added support for WDS (4-address frame) mode with per-station virtual interfaces (wds_sta=1 in config file; only supported with driver=nl80211 for now) * fixed WPS Probe Request processing to handle missing required attribute * fixed PKCS#12 use with OpenSSL 1.0.0 * detect bridge interface automatically so that bridge parameter in hostapd.conf becomes optional (though, it may now be used to automatically add then WLAN interface into a bridge with driver=nl80211)
2009-11-21 - v0.7.0 * increased hostapd_cli ping interval to 5 seconds and made this configurable with a new command line options (-G<seconds>) * driver_nl80211: use Linux socket filter to improve performance * added support for external Registrars with WPS (UPnP transport) * 802.11n: scan for overlapping BSSes before starting 20/40 MHz channel * driver_nl80211: fixed STA accounting data collection (TX/RX bytes reported correctly; TX/RX packets not yet available from kernel) * added support for WPS USBA out-of-band mechanism with USB Flash Drives (UFD) (CONFIG_WPS_UFD=y) * fixed EAPOL/EAP reauthentication when using an external RADIUS authentication server * fixed TNC with EAP-TTLS * fixed IEEE 802.11r key derivation function to match with the standard (note: this breaks interoperability with previous version) [Bug 303] * fixed SHA-256 based key derivation function to match with the standard when using CCMP (for IEEE 802.11r and IEEE 802.11w) (note: this breaks interoperability with previous version) [Bug 307] * added number of code size optimizations to remove unnecessary functionality from the program binary based on build configuration (part of this automatic; part configurable with CONFIG_NO_* build options) * use shared driver wrapper files with wpa_supplicant * driver_nl80211: multiple updates to provide support for new Linux nl80211/mac80211 functionality * updated management frame protection to use IEEE Std 802.11w-2009 * fixed number of small WPS issues and added workarounds to interoperate with common deployed broken implementations * added some IEEE 802.11n co-existance rules to disable 40 MHz channels or modify primary/secondary channels if needed based on neighboring networks * added support for NFC out-of-band mechanism with WPS * added preliminary support for IEEE 802.11r RIC processing
|