contrib/wpa: pass IFM_IEEE80211_VHT5G if vht_enabled on the channel

Set media mode correctly to IFM_IEEE80211_VHT5G if vht_enabled is set
on the channel. Otherwise we'll end up setting 11NA.

Not a problem on first sight given net80211 does the upgrade to VHT
for us. But we would not set iv_des_mode ("desired mode") on the vap.
Setting this will put a constraint on/help scanning for our desired
(VHT) channels to my understanding of the code.

Sponsored by: The FreeBSD Foundation
MFC after: 6 weeks
Reviewed by: cy, adrian
Differential Revision: https://reviews.freebsd.org/D35978

wpa: add support for GCMP-128 and BIP-128.

If net80211 announces support for GCMP and/or BIP then configure it
appropriately.

GCMP will be used by WPA3 in the future, and BIP is required for
802.11w/MFP (which is also required by WPA3.)

Differential Revision: https://reviews.freebsd.org/D46499

wpa: Import 2.11

Following is a changelog of new features and fixes to wpa:

hostapd:
* Wi-Fi Easy Connect
  - add support for DPP release 3
  - allow Configurator parameters to be provided during config exchange
* HE/IEEE 802.11ax/Wi-Fi 6
  - various fixes
* EHT/IEEE 802.11be/Wi-Fi 7
  - add preliminary support
* SAE: add support for fetching the password from a RADIUS server
* support OpenSSL 3.0 API changes
* support background radar detection and CAC with some additional
  drivers
* support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3)
* EAP-SIM/AKA: support IMSI privacy
* improve 4-way handshake operations
  - use Secure=1 in message 3 during PTK rekeying
* OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
  to avoid interoperability issues
* support new SAE AKM suites with variable length keys
* support new AKM for 802.1X/EAP with SHA384
* extend PASN support for secure ranging
* FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
  - this is based on additional details being added in the IEEE 802.11
    standard
  - the new implementation is not backwards compatible
* improved ACS to cover additional channel types/bandwidths
* extended Multiple BSSID support
* fix beacon protection with FT protocol (incorrect BIGTK was provided)
* support unsynchronized service discovery (USD)
* add preliminary support for RADIUS/TLS
* add support for explicit SSID protection in 4-way handshake
  (a mitigation for CVE-2023-52424; disabled by default for now, can be
  enabled with ssid_protection=1)
* fix SAE H2E rejected groups validation to avoid downgrade attacks
* use stricter validation for some RADIUS messages
* a large number of other fixes, cleanup, and extensions

wpa_supplicant:
* Wi-Fi Easy Connect
  - add support for DPP release 3
  - allow Configurator parameters to be provided during config exchange
* MACsec
  - add support for GCM-AES-256 cipher suite
  - remove incorrect EAP Session-Id length constraint
  - add hardware offload support for additional drivers
* HE/IEEE 802.11ax/Wi-Fi 6
  - support BSS color updates
  - various fixes
* EHT/IEEE 802.11be/Wi-Fi 7
  - add preliminary support
* support OpenSSL 3.0 API changes
* improve EAP-TLS support for TLSv1.3
* EAP-SIM/AKA: support IMSI privacy
* improve mitigation against DoS attacks when PMF is used
* improve 4-way handshake operations
  - discard unencrypted EAPOL frames in additional cases
  - use Secure=1 in message 2 during PTK rekeying
* OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
  to avoid interoperability issues
* support new SAE AKM suites with variable length keys
* support new AKM for 802.1X/EAP with SHA384
* improve cross-AKM roaming with driver-based SME/BSS selection
* PASN
  - extend support for secure ranging
  - allow PASN implementation to be used with external programs for
    Wi-Fi Aware
* FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
  - this is based on additional details being added in the IEEE 802.11
    standard
  - the new implementation is not backwards compatible, but PMKSA
    caching with FT-EAP was, and still is, disabled by default
* support a pregenerated MAC (mac_addr=3) as an alternative mechanism
  for using per-network random MAC addresses
* EAP-PEAP: require Phase 2 authentication by default (phase2_auth=1)
  to improve security for still unfortunately common invalid
  configurations that do not set ca_cert
* extend SCS support for QoS Characteristics
* extend MSCS support
* support unsynchronized service discovery (USD)
* add support for explicit SSID protection in 4-way handshake
  (a mitigation for CVE-2023-52424; disabled by default for now, can be
  enabled with ssid_protection=1)
  - in addition, verify SSID after key setup when beacon protection is
    used
* fix SAE H2E rejected groups validation to avoid downgrade attacks
* a large number of other fixes, cleanup, and extensions

MFC after: 2 months

Merge commit '6377230b3cf4f238dcd0dc2d76ff25943d3040e5'

wpa: Diff reduction with upstream

I inadvertently added gratuitous changes to upstream. Revert the
gratuitous parts of 676041c41ba5

Suggested by: cy
Fixes: 676041c41ba5
Sponsored by: Netflix

WPA: Allow CLOCK_BOOTTIME and CLOCK_MONOTONIC to #define the same

Historically, these have been different values, and only one was defined
or they were defined as different values. Now that they are about to be
the same value, add #ifdef to cope.

Sponsored by: Netflix
Reviewed by: olce, val_packett.cool, adrian
Differential Revision: https://reviews.freebsd.org/D45418

wpa: Remove the now not-needed local logic to hard-code cipher support

A previous commit now exposes the supported net80211 ciphers for the
given NIC, rather than the hardware cipher list. This is going to be
especially important moving forward when we add more cipher and key
management support.

Differential Revision: https://reviews.freebsd.org/D44821

hostapd: Work around lack of MLME support

hostap MLME uses Linux data structures and definitions not available
in FreeBSD. The ability for hostapd to select the frequency (channel)
depends on Linux MLME, though strictly it's not required. Work around the
Linux MLME requirement to configure device frequency.

The detailed description is: hostapd will only set the channel (frequency)
when Linux MLME is configured. Enabling NEED_AP_MLME will result in
numerous build errors due to Linux data structures and definitions not
available under FreeBSD. The code to set the frequency from the selected
channel is only within the NEED_AP_MLME code path because without MLME,
hostapd_get_hw_features() is an inline that always returns -1 whereas with
MLME hostapd_get_hw_features() will obtain hardware features from the
kernel. Until such time we simply set the frequency as configured.

PR: 276375
MFC after: 1 month

wpa: ctrl_iface set sendbuf size

In order to avoid running into the default net.local.dgram.maxdgram
of 2K currently when calling sendto(2) try to set the sndbuf size to
the maximum ctrl message size.

While on 14 and 15 this does not actually raise the limit anymore (and
be7c095ac99ad29fd72b780c7d58949a38656c66 raised it for syslogd and this),
FreeBSD 13 still requires this change and it will work as expected there.
In addition we always ensure a large enough send buffer this way
independent of kernel defaults.

The problem occurred, e.g., when the scan_list result had enough BSSIDs
so the text output would exceed 2048 bytes.

Sponsored by: The FreeBSD Foundation
MFC after: 3 days
PR: 274990
Reviewed by: cy, adrian (with previous comment)
Differential Revision: https://reviews.freebsd.org/D42558

wpa: Enable receiving priority tagged (VID 0) frames

Certain internet service providers transmit vlan 0 priority tagged
EAPOL frames from the ONT towards the residential gateway. VID 0
should be ignored, and the frame processed according to the priority
set in the 802.1P bits and the encapsulated EtherType (i.e. EAPOL).

The pcap filter utilized by l2_packet is inadequate for this use case.
Here we modify the pcap filter to accept both unencapsulated and
encapsulated (with VLAN 0) EAPOL EtherTypes. This preserves the
original filter behavior while also matching on encapsulated EAPOL.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Reviewed by: cy
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D40442

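The acceptance rule described in the commit above, written out as a byte-level check on a raw Ethernet frame. This is an added example, not the l2_packet pcap filter and not code from wpa_supplicant or FreeBSD; `classify_eapol` and the sample frames are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETHERTYPE_VLAN  0x8100  /* 802.1Q tag protocol identifier */
#define ETHERTYPE_EAPOL 0x888e  /* IEEE 802.1X EAPOL */
enum eapol_match { EAPOL_NONE, EAPOL_UNTAGGED, EAPOL_PRIO_TAGGED };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hypothetical helper, not wpa_supplicant code. Accepts plain EAPOL and
 * EAPOL behind a single 802.1Q tag whose VID is 0; any other VID is a real
 * VLAN and is rejected. On a match, *pcp gets the 802.1p priority and
 * *off the offset of the EAPOL header (either pointer may be NULL). */
enum eapol_match classify_eapol(const uint8_t *f, size_t len,
                                unsigned *pcp, size_t *off)
{
    unsigned prio = 0;
    size_t hdr = 14;                      /* dst(6) + src(6) + EtherType(2) */
    enum eapol_match m = EAPOL_UNTAGGED;

    if (f == NULL || len < hdr)
        return EAPOL_NONE;
    if (rd16(f + 12) == ETHERTYPE_VLAN) {
        if (len < 18)                     /* truncated tag: never read past len */
            return EAPOL_NONE;
        uint16_t tci = rd16(f + 14);      /* PCP(3) | DEI(1) | VID(12) */
        if ((tci & 0x0fff) != 0)          /* only the priority tag, VID 0 */
            return EAPOL_NONE;
        prio = tci >> 13;
        hdr = 18;
        m = EAPOL_PRIO_TAGGED;
    }
    if (rd16(f + hdr - 2) != ETHERTYPE_EAPOL)
        return EAPOL_NONE;
    if (pcp) *pcp = prio;
    if (off) *off = hdr;
    return m;
}

/* Constructed sample frames: PAE group address as destination, made-up source. */
#define MACS 0x01,0x80,0xc2,0x00,0x00,0x03, 0x02,0x00,0x00,0x00,0x00,0x01
static const uint8_t frame_plain[]  = { MACS, 0x88,0x8e, 0x01,0x00,0x00,0x00 };
static const uint8_t frame_prio[]   = { MACS, 0x81,0x00, 0xe0,0x00, 0x88,0x8e, 0x01,0x00,0x00,0x00 };
static const uint8_t frame_vid100[] = { MACS, 0x81,0x00, 0x00,0x64, 0x88,0x8e, 0x01,0x00,0x00,0x00 };
static const uint8_t frame_short[]  = { MACS, 0x81,0x00, 0xe0 };
#define SHOW(fr) (int)classify_eapol(fr, sizeof fr, NULL, NULL)

int main(void)
{
    printf("%d %d %d %d\n", SHOW(frame_plain), SHOW(frame_prio), SHOW(frame_vid100), SHOW(frame_short));
    return 0;
}
```

Frames carrying any non-zero VID stay rejected, so accepting the priority tag does not widen the match to EAPOL arriving on other VLANs.
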
wpa_supplicant/hostapd: Fix uninitialized packet pointer on error

The packet pointer (called packet) will remain uninitialized when
pcap_next_ex() returns an error. This occurs when the wlan
interface is shut down using ifconfig destroy. Adding a NULL
assignment to packet duplicates what pcap_next() does.

The reason we use pcap_next_ex() in this instance is because with
pcap_next() we receive a null pointer if there was an error
or if no packets were read. With pcap_next_ex() we can differentiate
between an error and legitimately no packets were received.

PR: 270649
Reported by: Robert Morris <rtm@lcs.mit.edu>
Fixes: 6e5d01124fd4
MFC after: 3 days

WPA: driver_bsd.c: backout upstream IFF_ change and add logging

This reverts the state to our old supplicant logic setting or clearing
IFF_UP if needed. In addition this adds logging for the cases in which
we do (not) change the interface state.

Depending on testing this seems to help bringing WiFi up or not log
any needed changes (which would be the expected wpa_supplicant logic
now). People should look out for ``(changed)`` log entries (at least
if debugging the issue; this way we will at least have data points).

There is a hypothesis still pondered that the entire IFF_UP toggling
only exploits a race in net80211 (see further discussions for more
debugging and alternative solutions see D38508 and D38753).
That may also explain why the changes to the rc startup script [1]
only helped partially for some people to no longer see the
continuous CTRL-EVENT-SCAN-FAILED.

It is highly likely that we will want further changes and until
we know for sure that people are seeing ''(changed)'' events
this should stay local. Should we need to upstream this we'll
likely need #ifdef __FreeBSD__ around this code.

[1] 5fcdc19a81115d975e238270754e28557a2fcfc5 and
    d06d7eb09131edea666bf049d6c0c55672726f76

Sponsored by: The FreeBSD Foundation
MFC after: 10 days
Reviewed by: cy, enweiwu (earlier)
Differential Revision: https://reviews.freebsd.org/D38807

wpa_supplicant: Resolve secondary VAP association issue

Association will fail on a secondary open unprotected VAP when the
primary VAP is configured for WPA. Examples of secondary VAPs are,
hotels, universities, and commodity routers' guest networks.

A broadly similar bug was discussed on Red Hat's bugzilla affecting
association to a D-Link DIR-842.

This suggests that as IEs were added to the 802.11 protocol the old code
was increasingly inadequate to handle the additional IEs, not only a
secondary VAP.

PR: 264238
Reported by: Jaskie <jiangjun12321@gmail.com>
             "J.R. Oldroyd" <fbsd@opal.com>
Submitted by: "J.R. Oldroyd" <fbsd@opal.com>
MFC after: 3 days

wpa: Restore missing patch

In December after a failed MFV due to a now understood issue I had with
git -- git aborts with extremely large MFV -- this patch was removed
during the revert. Restore this patch.

PR: 264238
Fixes: 4b72b91a7132df1f77bbae194e1071ac621f1edb
MFC after: 1 week

wpa: Correctly call pcap_next_ex()

The second argument to pcap_next_ex() is a pointer to a pointer.
Not a pointer. This fixes a wpa_supplicant SIGSEGV.

PR: 263266
Reported by: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
Fixes: 6e5d01124fd4dd57899ddd9260c76dbb43543aa7
MFC: immediately

wpa/hostapd: Fix 100% CPU when USB wlan NIC removed

hostapd calls pcap_next(3) to read the next packet off the wlan interface.
pcap_next() returns a pointer to the packet header but does not indicate
success or failure. Unfortunately this results in an infinite loop (100%
CPU) when the wlan device disappears, i.e. when a USB wlan device is
manually removed or a USB error results in the device removal. However
pcap_next_ex(3) does return success or failure. To resolve this we use
pcap_next_ex(), forcing hostapd to exit when the error is encountered.

An error message is printed to syslog or stderr when debugging (-d flag)
is enabled. Unfortunately wpa_printf() only works when debugging is enabled.

PR: 253608
Reported by: Damjan Jovanovic <damjan.jov@gmail.com>, bz (privately)
MFC after: 3 days

wpa: Import wpa 2.10.

The long awaited hostapd 2.10 is finally here.

MFC after: 3 weeks

Revert "wpa: Import wpa 2.10."

This reverts commit 5eb81a4b4028113e3c319f21a1db6b67613ec7ab, reversing
changes made to c6806434e79079f4f9419c3ba4fec37efcaa1635 and
this reverts commit 679ff6112361d2660f4e0c3cda71198a5e773a25.

What happened is git rebase --rebase-merges doesn't do what is expected.

wpa: Import wpa_supplicant/hostapd commit b26f5c0fe

This is the December/January update to vendor/wpa committed upstream
2021-12-13.

MFC after: 1 month

wpa: Redo import wpa_supplicant/hostapd commit 14ab4a816

This is the November update to vendor/wpa committed upstream 2021-11-26.

MFC after: 1 month

Revert "wpa: Import wpa_supplicant/hostapd commit 14ab4a816"

This reverts commit 266f97b5e9a7958e365e78288616a459b40d924a, reversing
changes made to a10253cffea84c0c980a36ba6776b00ed96c3e3b.

A mismerge of a merge to catch up to main resulted in files being
committed which should not have been.

wpa: Import wpa_supplicant/hostapd commit 14ab4a816

This is the November update to vendor/wpa committed upstream 2021-11-26.

MFC after: 1 month

wpa: Import wpa_supplicant/hostapd commits up to b4f7506ff

Merge vendor commits 40c7ff83e74eabba5a7e2caefeea12372b2d3f9a,
efec8223892b3e677acb46eae84ec3534989971f, and
2f6c3ea9600b494d24cac5a38c1cea0ac192245e.

Tested by: philip
MFC after: 2 months

wpa: Enclose FreeBSD specific defines

FreeBSD only defines are specific only to FreeBSD. Document them as such.
It is our intention to push this change to w1.fi.

MFC after: 1 week

wpa: Add wpa_cli action file event

Yan Zhong at FreeBSD Foundation is working on a wireless network
configurator for an experimental FreeBSD installer. The new installer
requires an event to detect when connecting to a network fails due to a
bad password. When this happens a WPA-EVENT-TEMP-DISABLED event is
triggered. This patch passes the event to an action file provided by
the new experimental installer.

Submitted by: Yang Zhong <yzhong () freebsdfoundation.org>
Reviewed by: assumed to be reviewed by emaste (and cy)
MFC after: 1 week