MFC r351397:

MFV r346563: Update wpa 2.8 --> 2.9

hostapd:
* SAE changes
  - disable use of groups using Brainpool curves
  - improved protection against side channel attacks
    [https://w1.fi/security/2019-6/]
* EAP-pwd changes
  - disable use of groups using Brainpool curves
  - improved protection against side channel attacks
    [https://w1.fi/security/2019-6/]
* fixed FT-EAP initial mobility domain association using PMKSA caching
* added configuration of airtime policy
* fixed FILS to and RSNE into (Re)Association Response frames
* fixed DPP bootstrapping URI parser of channel list
* added support for regulatory WMM limitation (for ETSI)
* added support for MACsec Key Agreement using IEEE 802.1X/PSK
* added experimental support for EAP-TEAP server (RFC 7170)
* added experimental support for EAP-TLS server with TLS v1.3
* added support for two server certificates/keys (RSA/ECC)
* added AKMSuiteSelector into "STA <addr>" control interface data to
  determine which AKM was used for an association
* added eap_sim_id parameter to allow EAP-SIM/AKA server pseudonym and
  fast reauthentication use to be disabled
* fixed an ECDH operation corner case with OpenSSL

wpa_supplicant:
* SAE changes
  - disable use of groups using Brainpool curves
  - improved protection against side channel attacks
    [https://w1.fi/security/2019-6/]
* EAP-pwd changes
  - disable use of groups using Brainpool curves
  - allow the set of groups to be configured (eap_pwd_groups)
  - improved protection against side channel attacks
    [https://w1.fi/security/2019-6/]
* fixed FT-EAP initial mobility domain association using PMKSA caching
  (disabled by default for backwards compatibility; can be enabled with
  ft_eap_pmksa_caching=1)
* fixed a regression in OpenSSL 1.1+ engine loading
* added validation of RSNE in (Re)Association Response frames
* fixed DPP bootstrapping URI parser of channel list
* extended EAP-SIM/AKA fast re-authentication to allow use with FILS
* extended ca_cert_blob to support PEM format
* improved robustness of P2P Action frame scheduling
* added support for EAP-SIM/AKA using anonymous@realm identity
* fixed Hotspot 2.0 credential selection based on roaming consortium to
  ignore credentials without a specific EAP method
* added experimental support for EAP-TEAP peer (RFC 7170)
* added experimental support for EAP-TLS peer with TLS v1.3
* fixed a regression in WMM parameter configuration for a TDLS peer
* fixed a regression in operation with drivers that offload 802.1X 4-way
  handshake
* fixed an ECDH operation corner case with OpenSSL

Security: https://w1.fi/security/2019-6/sae-eap-pwd-side-channel-attack-update.txt
MFC r341759, r341839, r346591:

The following five MFCs update wpa 2.6 --> 2.8.

r341759:
MFV r341618: Update wpa 2.6 --> 2.7.

r341839:
Set default ciphers.

Submitted by: jkim@

r346591:
Update wpa_supplicant/hostapd 2.7 --> 2.8

Upstream documents the following advisories:
- https://w1.fi/security/2019-1/sae-side-channel-attacks.txt
- https://w1.fi/security/2019-2/eap-pwd-side-channel-attack.txt
- https://w1.fi/security/2019-3/sae-confirm-missing-state-validation.txt
- https://w1.fi/security/2019-4/eap-pwd-missing-commit-validation.txt
- https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-with-unexpected-fragment.txt

Security: CVE-2019-9494, VU#871675, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497, CVE-2019-9498, CVE-2019-9499
Relnotes: yes
MFC r336203, r336499, r336501-r336502, r336506, r336510, r336512-r336513, r336515, r336528-r336531

r336203:
MFV r324714:
Update wpa 2.5 --> 2.6.

r336499:
MFV: r336485
Address: hostapd: Avoid key reinstallation in FT handshake
Obtained from: https://w1.fi/security/2017-1/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch

r336501:
MFV: r336486
Prevent reinstallation of an already in-use group key.
Upline git commit cb5132bb35698cc0c743e34fe0e845dfc4c3e410.
Obtained from: https://w1.fi/security/2017-1/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch

r336502:
MFV r336487:
Import upline security patch: Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases. This is git commit 87e2db16bafcbc60b8d0016175814a73c1e8ed45.
This commit is simply a props change as r324696 already plugged this vulnerability. To maintain consistency with the vendor branch props will be changed.
Obtained from: https://w1.fi/security/2017-1/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch

r336506:
MFV r336490:
Prevent installation of an all-zero TK.
This is also upline git commit 53bb18cc8b7a4da72e47e4b3752d0d2135cffb23.
Obtained from: https://w1.fi/security/2017-1/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch

r336510:
MFV r336493:
Fix PTK rekeying to generate a new ANonce.
This is also upline git commit 0adc9b28b39d414d5febfff752f6a1576f785c85.
This commit is a NOP, just changing props as the heavy lifting was done by r324696. This just brings us into line with the vendor branch.
Obtained from: https://w1.fi/security/2017-1/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch

r336512:
MFV r336494:
TDLS: Reject TPK-TK reconfiguration.
This is also upline git commit ff89af96e5a35c86f50330d2b86c18323318a60c.
Once again this is a NOP as this is a props change to sync up with the vendor branch. The real commit is in r324696.
Obtained from: https://w1.fi/security/2017-1/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch

r336513:
MFV r336495:
Another props change. The real work was done by r324696. We're simply syncing up with the vendor branch again.
Import upline security patch: WNM: Ignore WNM-Sleep Mode Request in wnm_sleep_mode=0 case. This is also upline git commit 114f2830d2c2aee6db23d48240e93415a256a37c.
Obtained from: https://w1.fi/security/2017-1/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch

r336515:
MFV r336496:
A props change to sync up with the vendor branch. The real work was done by r324696.
FILS: Do not allow multiple (Re)Association Response frames.
This is also upline git commit e760851176c77ae6de19821bb1d5bf3ae2cb5187.
Obtained from: https://w1.fi/security/2017-1/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch

r336528:
Revert r336501. It was a of the wrong rev from the vendor branch.

r336529:
MFV: r336486
Prevent reinstallation of an already in-use group key.
Upline git commit cb5132bb35698cc0c743e34fe0e845dfc4c3e410.
Obtained from: https://w1.fi/security/2017-1/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch

r336530:
To reduce our diff between our sources and our upline, sync up with upline. Also making it easier to read.
Obtained from: diffing base with ports

r336531:
Remove a redundant declaration.
While at it add a blank line, conforming with the convention used in this file.
Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, as nothing has been merged here.
Additional commits post-branch will follow.
Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation
Update hostapd/wpa_supplicant to version 2.5.
Tested by several people on current@/wireless@.
Relnotes: yes
Merge wpa_supplicant/hostapd 2.4.
Major changes are: SAE, Suite B, RFC 7268, EAP-PKE, ACS, and tons of bug fixes.
Relnotes: yes
Remove unused files / directories.
Merge hostapd / wpa_supplicant 2.0.
Reviewed by: adrian (driver_bsd + usr.sbin/wpa)
MFS security patches which seem to have accidentally not reached HEAD:
Fix insufficient message length validation for EAP-TLS messages.
Fix Linux compatibility layer input validation error.
Security: FreeBSD-SA-12:07.hostapd
Security: FreeBSD-SA-12:08.linux
Security: CVE-2012-4445, CVE-2012-4576
With hat: so@
Merge wpa_supplicant and hostapd 0.7.3.
MFV hostapd & wpa_supplicant 0.6.10.
connect vendor wpa area to contrib
import wpa_supplicant+hostapd 0.6.8