wpa: Fix gcc build

Order of libraries still matters with GCC toolchains. Moving the
wpapasn library before the wpacommon specification resolves the link
problem.

This issue was not detected by make

wpa: Fix gcc build

Order of libraries still matters with GCC toolchains. Moving the
wpapasn library before the wpacommon specification resolves the link
problem.

This issue was not detected by make universe.

Fixes: a90b9d015907
MFC after: 2 months
X-MFC with: a90b9d015907

show more ...

wpa: Import 2.11

Following is a changelog of new features and fixes to wpa:

hostapd:
* Wi-Fi Easy Connect
- add support for DPP release 3
- allow Configurator parameters to be provided during c

wpa: Import 2.11

Following is a changelog of new features and fixes to wpa:

hostapd:
* Wi-Fi Easy Connect
- add support for DPP release 3
- allow Configurator parameters to be provided during config exchange
* HE/IEEE 802.11ax/Wi-Fi 6
- various fixes
* EHT/IEEE 802.11be/Wi-Fi 7
- add preliminary support
* SAE: add support for fetching the password from a RADIUS server
* support OpenSSL 3.0 API changes
* support background radar detection and CAC with some additional
drivers
* support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3)
* EAP-SIM/AKA: support IMSI privacy
* improve 4-way handshake operations
- use Secure=1 in message 3 during PTK rekeying
* OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
to avoid interoperability issues
* support new SAE AKM suites with variable length keys
* support new AKM for 802.1X/EAP with SHA384
* extend PASN support for secure ranging
* FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
- this is based on additional details being added in the IEEE 802.11
standard
- the new implementation is not backwards compatible
* improved ACS to cover additional channel types/bandwidths
* extended Multiple BSSID support
* fix beacon protection with FT protocol (incorrect BIGTK was provided)
* support unsynchronized service discovery (USD)
* add preliminary support for RADIUS/TLS
* add support for explicit SSID protection in 4-way handshake
(a mitigation for CVE-2023-52424; disabled by default for now, can be
enabled with ssid_protection=1)
* fix SAE H2E rejected groups validation to avoid downgrade attacks
* use stricter validation for some RADIUS messages
* a large number of other fixes, cleanup, and extensions

wpa_supplicant:
* Wi-Fi Easy Connect
- add support for DPP release 3
- allow Configurator parameters to be provided during config exchange
* MACsec
- add support for GCM-AES-256 cipher suite
- remove incorrect EAP Session-Id length constraint
- add hardware offload support for additional drivers
* HE/IEEE 802.11ax/Wi-Fi 6
- support BSS color updates
- various fixes
* EHT/IEEE 802.11be/Wi-Fi 7
- add preliminary support
* support OpenSSL 3.0 API changes
* improve EAP-TLS support for TLSv1.3
* EAP-SIM/AKA: support IMSI privacy
* improve mitigation against DoS attacks when PMF is used
* improve 4-way handshake operations
- discard unencrypted EAPOL frames in additional cases
- use Secure=1 in message 2 during PTK rekeying
* OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
to avoid interoperability issues
* support new SAE AKM suites with variable length keys
* support new AKM for 802.1X/EAP with SHA384
* improve cross-AKM roaming with driver-based SME/BSS selection
* PASN
- extend support for secure ranging
- allow PASN implementation to be used with external programs for
Wi-Fi Aware
* FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
- this is based on additional details being added in the IEEE 802.11
standard
- the new implementation is not backwards compatible, but PMKSA
caching with FT-EAP was, and still is, disabled by default
* support a pregenerated MAC (mac_addr=3) as an alternative mechanism
for using per-network random MAC addresses
* EAP-PEAP: require Phase 2 authentication by default (phase2_auth=1)
to improve security for still unfortunately common invalid
configurations that do not set ca_cert
* extend SCS support for QoS Characteristics
* extend MSCS support
* support unsynchronized service discovery (USD)
* add support for explicit SSID protection in 4-way handshake
(a mitigation for CVE-2023-52424; disabled by default for now, can be
enabled with ssid_protection=1)
- in addition, verify SSID after key setup when beacon protection is
used
* fix SAE H2E rejected groups validation to avoid downgrade attacks
* a large number of other fixes, cleanup, and extensions

MFC after: 2 months

Merge commit '6377230b3cf4f238dcd0dc2d76ff25943d3040e5'

show more ...

Remove residual blank line at start of Makefile

This is a residual of the $FreeBSD$ removal.

MFC After: 3 days (though I'll just run the command on the branches)
Sponsored by: Netflix

Remove $FreeBSD$: one-line sh pattern

Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/

wpa: Fix WITHOUT_OPENSSL build

PR: 259517
Reported by: emaste, FreeBSD Build Option Survey
https://callfortesting.org/results/bos-2021-11-04/
Fixes: c1d255d3ffdbe447de3ab875bf4e7d7accc5bfc5
MFC

wpa: Fix WITHOUT_OPENSSL build

PR: 259517
Reported by: emaste, FreeBSD Build Option Survey
https://callfortesting.org/results/bos-2021-11-04/
Fixes: c1d255d3ffdbe447de3ab875bf4e7d7accc5bfc5
MFC after: 1 week

show more ...

wpa: Enable MBO

Enable WiFi 6 MBO (Multi Band Operation). MBO is a prereq to 802.11ax.

MBO allows the efficient use of multiple frequency bands (channels).

To facilitate MBO, WNM (Wireless Network

wpa: Enable MBO

Enable WiFi 6 MBO (Multi Band Operation). MBO is a prereq to 802.11ax.

MBO allows the efficient use of multiple frequency bands (channels).

To facilitate MBO, WNM (Wireless Network Monitoring) is a prerequisite.
It is required to build.

Tested by: philip
MFC after: 2 months

show more ...

wpa: Import wpa_supplicant/hostapd commits up to b4f7506ff

Merge vendor commits 40c7ff83e74eabba5a7e2caefeea12372b2d3f9a,
efec8223892b3e677acb46eae84ec3534989971f, and
2f6c3ea9600b494d24cac5a38c1cea

wpa: Import wpa_supplicant/hostapd commits up to b4f7506ff

Merge vendor commits 40c7ff83e74eabba5a7e2caefeea12372b2d3f9a,
efec8223892b3e677acb46eae84ec3534989971f, and
2f6c3ea9600b494d24cac5a38c1cea0ac192245e.

Tested by: philip
MFC after: 2 months

show more ...

wpa: Correctly build the hostapd BSD driver

driver.bsd.c initializes itself differently when built for
hostapd than it does when built for wpa_supplicant.

MFC after: 1 week

wpa: The ap library is not needed by wpa_supplicant or wpa_cli

The ap library is not needed by wpa_supplicant or wpa_cli. It is only
used by hostapd.

MFC after: 2 months

wpa: Fix GCC 6 build

GCC 6 searches serially to resolve external references.

MFC after: 2 months
X-MFC with: 25ecdc7d52770caf1c9b44b5ec11f468f6b636f3

wpa: Fix a SIGBUS error in wpa_sm_set_rekey_offload

Incorrectly linked built-in wpa functions resulted in overwriting
sm->ctx->set_rekey_offload with garbage. It was initialized correctly
however it

wpa: Fix a SIGBUS error in wpa_sm_set_rekey_offload

Incorrectly linked built-in wpa functions resulted in overwriting
sm->ctx->set_rekey_offload with garbage. It was initialized correctly
however it changed after wpa_supplicant became a daemon.

No SIGBUS violations reported by dhw@ were experienced during testing
of the original commit by msyelf or philip@.

Reported by: dhw
Tested by: dhw
MFC after: 2 months
X-MFC with: 25ecdc7d52770caf1c9b44b5ec11f468f6b636f3

show more ...

wpa: Restructure wpa build

The current WPA build assumes a flat namespace. However the latest sources
from w1.fi now have a duplicate config.c, in two separate subdirectories.
The flat namespace wil

wpa: Restructure wpa build

The current WPA build assumes a flat namespace. However the latest sources
from w1.fi now have a duplicate config.c, in two separate subdirectories.
The flat namespace will overwrite config.o with the output from the most
recently modified config.c, of which there are two of them.

This commit resolves this problem by building each component in
wpa's src subdirectory tree into its own .a archive, just as the w1.fi
upstream build as used by the port does. The advantages of this approach
are:

1. Duplicate source file names, i.e. config.c in the wpa_supplicant
direcory and another config.c in src/utils in the next wpa
will result in both compiles writing to the same .o file.

2. This restructure simplifies maintanence. A develper needs only to add
new files as identified by git status in the vendor branch to the
appropriate Makefile within the usr.sbin/wpa tree. This also reduces
time required to prepare a new import and should reduce error.

3. The new wpa build structure more closely represents the build as
performed by the upstream tarball.

This is in preparation for the next wpa update from w1.fi.

Reviewed by: philip
Tested by: philip
MFC after: 2 months
Differential Revision: https://reviews.freebsd.org/D30372

show more ...

usr.sbin/wpa: complete the revert of wpa import

This completes the revert of b51f459a2098622c31ed54f5c1bf0e03efce403b.

Revert wpa import.

b51f459a2098622c31ed54f5c1bf0e03efce403b resulted in a mismerge
due to having to do a remerge because my tree was over a week out of
date. Changes that were made to fix the build

Revert wpa import.

b51f459a2098622c31ed54f5c1bf0e03efce403b resulted in a mismerge
due to having to do a remerge because my tree was over a week out of
date. Changes that were made to fix the build were lost in the remerge
resulting in build errors that were fixed a week ago.

show more ...

ndis(4): remove as previous announced

nids(4) was a clever idea in the early 2000's when the market was
flooded with 10/100 NICs with Windows-only drivers, but that hasn't been
the case for ages and

ndis(4): remove as previous announced

nids(4) was a clever idea in the early 2000's when the market was
flooded with 10/100 NICs with Windows-only drivers, but that hasn't been
the case for ages and the driver has had no meaningful maintenance in
ages. It only supports Windows-XP era drivers.

Also remove:
- ndis support from wpa_supplicant
- ndiscvt(8)

Reviewed By: emaste, bcr (manpages)
Differential Revision: https://reviews.freebsd.org/D27609

show more ...

[wpa] Add support for hostapd/wpa_supplicant when WITHOUT_CRYPT=YES
is enabled.

This builds wpa_supplicant / hostpad using internal encryption routines
rather than using libcrypt.

This has been sup

[wpa] Add support for hostapd/wpa_supplicant when WITHOUT_CRYPT=YES
is enabled.

This builds wpa_supplicant / hostpad using internal encryption routines
rather than using libcrypt.

This has been supported in wpa for years now, however since we use
local makefiles for this, we bitrotted dependencies and configuration
options.

Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D27958

show more ...

Enable support for IEEE 802.11N, 802.11W, 802.11AC and 802.11.AX to
hostapd and wpa_supplicant.

Submitted by: bz
MFC after: 2 weeks
Relnotes: yes
Sponsored by: Rubicon Communications, LLC (d/b/a "Ne

Enable support for IEEE 802.11N, 802.11W, 802.11AC and 802.11.AX to
hostapd and wpa_supplicant.

Submitted by: bz
MFC after: 2 weeks
Relnotes: yes
Sponsored by: Rubicon Communications, LLC (d/b/a "Netgate")

show more ...

Add MATCH option for CONFIG_MATCH_IFACE.

If the interfaces on which wpa_supplicant is to run are not known or do
not exist, wpa_supplicant can match an interface when it arrives. Each
matched interf

Add MATCH option for CONFIG_MATCH_IFACE.

If the interfaces on which wpa_supplicant is to run are not known or do
not exist, wpa_supplicant can match an interface when it arrives. Each
matched interface is separated with -M argument and the -i argument now
allows for pattern matching.

As an example, the following command would start wpa_supplicant for a
specific wired interface called lan0, any interface starting with wlan
and lastly any other interface. Each match has its own configuration
file, and for the wired interface a specific driver has also been given.

wpa_supplicant \
-M -c wpa_wired.conf -ilan0 -D wired \
-M -c wpa1.conf -iwlan* \
-M -c wpa2.conf

PR: 247177
Reported by: greg@unrelenting.technology
MFC after: 1 month
Related to: ports r540412

show more ...

Merge ^/head r356931 through r357118.

Fix build when WITHOUT_WPA_SUPPLICANT_EAPOL option used.

The build failure was discoved by Michael Dexter's recent Build Options
Survey run, at https://callfortesting.org/results/bos-2020-01-16/\
WI

Fix build when WITHOUT_WPA_SUPPLICANT_EAPOL option used.

The build failure was discoved by Michael Dexter's recent Build Options
Survey run, at https://callfortesting.org/results/bos-2020-01-16/\
WITHOUT_WPA_SUPPLICANT_EAPOL-small.txt.

Reported by: Michael Dexter <editor@callfortesting.org> via emaste
MFC after: 2 weeks

show more ...

MFHead @r350386

Sponsored by: The FreeBSD Foundation

pkgbase: Add a FreeBSD-wpa package

Move the wpa related files from FreeBSD-runtime to a new package named
FreeBSD-wpa
The FreeBSD runtime is only intended to have everything for a working
FreeBSD in

pkgbase: Add a FreeBSD-wpa package

Move the wpa related files from FreeBSD-runtime to a new package named
FreeBSD-wpa
The FreeBSD runtime is only intended to have everything for a working
FreeBSD installation and wpa isn't needed for that.

Reviewed by: bapt, gjb
Differential Revision: https://reviews.freebsd.org/D20957

show more ...

Merge ^/head r340918 through r341763.

MFV r341618:

Update wpa 2.6 --> 2.7.

MFV r324714:

Update wpa 2.5 --> 2.6.

MFC after: 1 month