Source-Changes-HG archive
[src/trunk]: src/external/bsd/wpa/dist ChangeLog for wpa_supplicant
details: https://anonhg.NetBSD.org/src/rev/7338b4f72025
branches: trunk
changeset: 981142:7338b4f72025
user: christos <christos%NetBSD.org@localhost>
date: Mon Mar 01 01:37:49 2021 +0000
description:
ChangeLog for wpa_supplicant
2019-08-07 - v2.9
* SAE changes
- disable use of groups using Brainpool curves
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* EAP-pwd changes
- disable use of groups using Brainpool curves
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* fixed FT-EAP initial mobility domain association using PMKSA caching
* added configuration of airtime policy
* fixed FILS to and RSNE into (Re)Association Response frames
* fixed DPP bootstrapping URI parser of channel list
* added support for regulatory WMM limitation (for ETSI)
* added support for MACsec Key Agreement using IEEE 802.1X/PSK
* added experimental support for EAP-TEAP server (RFC 7170)
* added experimental support for EAP-TLS server with TLS v1.3
* added support for two server certificates/keys (RSA/ECC)
* added AKMSuiteSelector into "STA <addr>" control interface data to
determine with AKM was used for an association
* added eap_sim_id parameter to allow EAP-SIM/AKA server pseudonym and
fast reauthentication use to be disabled
* fixed an ECDH operation corner case with OpenSSL
2019-04-21 - v2.8
* SAE changes
- added support for SAE Password Identifier
- changed default configuration to enable only group 19
(i.e., disable groups 20, 21, 25, 26 from default configuration) and
disable all unsuitable groups completely based on REVmd changes
- improved anti-clogging token mechanism and SAE authentication
frame processing during heavy CPU load; this mitigates some issues
with potential DoS attacks trying to flood an AP with large number
of SAE messages
- added Finite Cyclic Group field in status code 77 responses
- reject use of unsuitable groups based on new implementation guidance
in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
groups with prime >= 256)
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-1/] (CVE-2019-9494)
- fixed confirm message validation in error cases
[https://w1.fi/security/2019-3/] (CVE-2019-9496)
* EAP-pwd changes
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-2/] (CVE-2019-9495)
- verify peer scalar/element
[https://w1.fi/security/2019-4/] (CVE-2019-9497 and CVE-2019-9498)
- fix message reassembly issue with unexpected fragment
[https://w1.fi/security/2019-5/]
- enforce rand,mask generation rules more strictly
- fix a memory leak in PWE derivation
- disallow ECC groups with a prime under 256 bits (groups 25, 26, and
27)
* Hotspot 2.0 changes
- added support for release number 3
- reject release 2 or newer association without PMF
* added support for RSN operating channel validation
(CONFIG_OCV=y and configuration parameter ocv=1)
* added Multi-AP protocol support
* added FTM responder configuration
* fixed build with LibreSSL
* added FT/RRB workaround for short Ethernet frame padding
* fixed KEK2 derivation for FILS+FT
* added RSSI-based association rejection from OCE
* extended beacon reporting functionality
* VLAN changes
- allow local VLAN management with remote RADIUS authentication
- add WPA/WPA2 passphrase/PSK -based VLAN assignment
* OpenSSL: allow systemwide policies to be overridden
* extended PEAP to derive EMSK to enable use with ERP/FILS
* extended WPS to allow SAE configuration to be added automatically
for PSK (wps_cred_add_sae=1)
* fixed FT and SA Query Action frame with AP-MLME-in-driver cases
* OWE: allow Diffie-Hellman Parameter element to be included with DPP
in preparation for DPP protocol extension
* RADIUS server: started to accept ERP keyName-NAI as user identity
automatically without matching EAP database entry
* fixed PTK rekeying with FILS and FT
ChangeLog for hostapd
2019-08-07 - v2.9
* SAE changes
- disable use of groups using Brainpool curves
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* EAP-pwd changes
- disable use of groups using Brainpool curves
- allow the set of groups to be configured (eap_pwd_groups)
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* fixed FT-EAP initial mobility domain association using PMKSA caching
(disabled by default for backwards compatibility; can be enabled
with ft_eap_pmksa_caching=1)
* fixed a regression in OpenSSL 1.1+ engine loading
* added validation of RSNE in (Re)Association Response frames
* fixed DPP bootstrapping URI parser of channel list
* extended EAP-SIM/AKA fast re-authentication to allow use with FILS
* extended ca_cert_blob to support PEM format
* improved robustness of P2P Action frame scheduling
* added support for EAP-SIM/AKA using anonymous@realm identity
* fixed Hotspot 2.0 credential selection based on roaming consortium
to ignore credentials without a specific EAP method
* added experimental support for EAP-TEAP peer (RFC 7170)
* added experimental support for EAP-TLS peer with TLS v1.3
* fixed a regression in WMM parameter configuration for a TDLS peer
* fixed a regression in operation with drivers that offload 802.1X
4-way handshake
* fixed an ECDH operation corner case with OpenSSL
2019-04-21 - v2.8
* SAE changes
- added support for SAE Password Identifier
- changed default configuration to enable only groups 19, 20, 21
(i.e., disable groups 25 and 26) and disable all unsuitable groups
completely based on REVmd changes
- do not regenerate PWE unnecessarily when the AP uses the
anti-clogging token mechanisms
- fixed some association cases where both SAE and FT-SAE were enabled
on both the station and the selected AP
- started to prefer FT-SAE over SAE AKM if both are enabled
- started to prefer FT-SAE over FT-PSK if both are enabled
- fixed FT-SAE when SAE PMKSA caching is used
- reject use of unsuitable groups based on new implementation guidance
in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
groups with prime >= 256)
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-1/] (CVE-2019-9494)
* EAP-pwd changes
- minimize timing and memory use differences in PWE derivation
[https://w1.fi/security/2019-2/] (CVE-2019-9495)
- verify server scalar/element
[https://w1.fi/security/2019-4/] (CVE-2019-9499)
- fix message reassembly issue with unexpected fragment
[https://w1.fi/security/2019-5/]
- enforce rand,mask generation rules more strictly
- fix a memory leak in PWE derivation
- disallow ECC groups with a prime under 256 bits (groups 25, 26, and
27)
* fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y
* Hotspot 2.0 changes
- do not indicate release number that is higher than the one
AP supports
- added support for release number 3
- enable PMF automatically for network profiles created from
credentials
* fixed OWE network profile saving
* fixed DPP network profile saving
* added support for RSN operating channel validation
(CONFIG_OCV=y and network profile parameter ocv=1)
* added Multi-AP backhaul STA support
* fixed build with LibreSSL
* number of MKA/MACsec fixes and extensions
* extended domain_match and domain_suffix_match to allow list of values
* fixed dNSName matching in domain_match and domain_suffix_match when
using wolfSSL
* started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both
are enabled
* extended nl80211 Connect and external authentication to support
SAE, FT-SAE, FT-EAP-SHA384
* fixed KEK2 derivation for FILS+FT
* extended client_cert file to allow loading of a chain of PEM
encoded certificates
* extended beacon reporting functionality
* extended D-Bus interface with number of new properties
* fixed a regression in FT-over-DS with mac80211-based drivers
* OpenSSL: allow systemwide policies to be overridden
* extended driver flags indication for separate 802.1X and PSK
4-way handshake offload capability
* added support for random P2P Device/Interface Address use
* extended PEAP to derive EMSK to enable use with ERP/FILS
* extended WPS to allow SAE configuration to be added automatically
for PSK (wps_cred_add_sae=1)
* removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS)
* extended domain_match and domain_suffix_match to allow list of values
* added a RSN workaround for misbehaving PMF APs that advertise
IGTK/BIP KeyID using incorrect byte order
* fixed PTK rekeying with FILS and FT
diffstat:
external/bsd/wpa/dist/CONTRIBUTIONS | 2 +-
external/bsd/wpa/dist/COPYING | 2 +-
external/bsd/wpa/dist/README | 2 +-
external/bsd/wpa/dist/hostapd/Android.mk | 25 +
external/bsd/wpa/dist/hostapd/ChangeLog | 79 +
external/bsd/wpa/dist/hostapd/Makefile | 42 +
external/bsd/wpa/dist/hostapd/README | 2 +-
external/bsd/wpa/dist/hostapd/README-MULTI-AP | 160 +
external/bsd/wpa/dist/hostapd/android.config | 3 +
external/bsd/wpa/dist/hostapd/config_file.c | 561 +-
external/bsd/wpa/dist/hostapd/ctrl_iface.c | 204 +-
external/bsd/wpa/dist/hostapd/defconfig | 26 +-
external/bsd/wpa/dist/hostapd/eap_register.c | 5 +
external/bsd/wpa/dist/hostapd/hostapd.conf | 349 +-
external/bsd/wpa/dist/hostapd/hostapd.wpa_psk | 6 +
external/bsd/wpa/dist/hostapd/wps-ap-nfc.py | 62 +-
external/bsd/wpa/dist/hs20/client/Makefile | 5 +
external/bsd/wpa/dist/hs20/client/est.c | 13 +
external/bsd/wpa/dist/hs20/client/osu_client.c | 35 +-
external/bsd/wpa/dist/src/ap/Makefile | 2 +
external/bsd/wpa/dist/src/ap/accounting.c | 3 +
external/bsd/wpa/dist/src/ap/acs.c | 108 +-
external/bsd/wpa/dist/src/ap/airtime_policy.c | 269 +
external/bsd/wpa/dist/src/ap/airtime_policy.h | 48 +
external/bsd/wpa/dist/src/ap/ap_config.c | 271 +-
external/bsd/wpa/dist/src/ap/ap_config.h | 244 +-
external/bsd/wpa/dist/src/ap/ap_drv_ops.h | 29 +-
external/bsd/wpa/dist/src/ap/authsrv.c | 25 +-
external/bsd/wpa/dist/src/ap/beacon.c | 49 +-
external/bsd/wpa/dist/src/ap/ctrl_iface_ap.c | 16 +-
external/bsd/wpa/dist/src/ap/dfs.c | 199 +-
external/bsd/wpa/dist/src/ap/dhcp_snoop.c | 18 +-
external/bsd/wpa/dist/src/ap/dpp_hostapd.c | 837 +--
external/bsd/wpa/dist/src/ap/dpp_hostapd.h | 9 +-
external/bsd/wpa/dist/src/ap/eap_user_db.c | 12 +-
external/bsd/wpa/dist/src/ap/fils_hlp.c | 13 +
external/bsd/wpa/dist/src/ap/gas_serv.c | 9 +-
external/bsd/wpa/dist/src/ap/gas_serv.h | 4 +
external/bsd/wpa/dist/src/ap/hs20.c | 17 +-
external/bsd/wpa/dist/src/ap/hw_features.c | 80 +-
external/bsd/wpa/dist/src/ap/ieee802_11.h | 33 +-
external/bsd/wpa/dist/src/ap/ieee802_11_auth.c | 14 +-
external/bsd/wpa/dist/src/ap/ieee802_11_he.c | 292 +-
external/bsd/wpa/dist/src/ap/ieee802_11_shared.c | 302 +-
external/bsd/wpa/dist/src/ap/ieee802_11_vht.c | 31 +-
external/bsd/wpa/dist/src/ap/ieee802_1x.c | 242 +-
external/bsd/wpa/dist/src/ap/ieee802_1x.h | 4 +
external/bsd/wpa/dist/src/ap/neighbor_db.c | 128 +-
external/bsd/wpa/dist/src/ap/neighbor_db.h | 3 +-
external/bsd/wpa/dist/src/ap/rrm.c | 2 +-
external/bsd/wpa/dist/src/ap/sta_info.c | 76 +-
external/bsd/wpa/dist/src/ap/sta_info.h | 18 +
external/bsd/wpa/dist/src/ap/vlan_full.c | 85 +-
external/bsd/wpa/dist/src/ap/vlan_init.c | 10 +-
external/bsd/wpa/dist/src/ap/wnm_ap.c | 90 +-
external/bsd/wpa/dist/src/ap/wpa_auth_glue.c | 98 +-
external/bsd/wpa/dist/src/ap/wpa_auth_ie.c | 107 +-
external/bsd/wpa/dist/src/ap/wpa_auth_ie.h | 4 +
external/bsd/wpa/dist/src/ap/wpa_auth_kay.c | 523 +
external/bsd/wpa/dist/src/ap/wpa_auth_kay.h | 51 +
external/bsd/wpa/dist/src/ap/wps_hostapd.c | 68 +-
external/bsd/wpa/dist/src/common/common_module_tests.c | 178 +-
external/bsd/wpa/dist/src/common/defs.h | 32 +-
external/bsd/wpa/dist/src/common/dpp.c | 2783 +++++++++-
external/bsd/wpa/dist/src/common/dpp.h | 109 +-
external/bsd/wpa/dist/src/common/dragonfly.c | 215 +
external/bsd/wpa/dist/src/common/dragonfly.h | 31 +
external/bsd/wpa/dist/src/common/hw_features_common.c | 116 +-
external/bsd/wpa/dist/src/common/hw_features_common.h | 13 +-
external/bsd/wpa/dist/src/common/ieee802_11_common.c | 440 +-
external/bsd/wpa/dist/src/common/ieee802_11_common.h | 74 +-
external/bsd/wpa/dist/src/common/ieee802_11_defs.h | 260 +-
external/bsd/wpa/dist/src/common/linux_bridge.h | 15 +
external/bsd/wpa/dist/src/common/ocv.c | 172 +
external/bsd/wpa/dist/src/common/ocv.h | 40 +
external/bsd/wpa/dist/src/common/qca-vendor.h | 914 +++-
external/bsd/wpa/dist/src/common/sae.h | 3 +
external/bsd/wpa/dist/src/common/version.h | 2 +-
external/bsd/wpa/dist/src/common/wpa_common.c | 67 +-
external/bsd/wpa/dist/src/common/wpa_ctrl.c | 23 +-
external/bsd/wpa/dist/src/common/wpa_ctrl.h | 3 +
external/bsd/wpa/dist/src/crypto/Makefile | 2 +
external/bsd/wpa/dist/src/crypto/aes-internal-enc.c | 4 +
external/bsd/wpa/dist/src/crypto/aes_i.h | 10 +-
external/bsd/wpa/dist/src/crypto/crypto.h | 16 +-
external/bsd/wpa/dist/src/crypto/crypto_gnutls.c | 43 +-
external/bsd/wpa/dist/src/crypto/crypto_internal-modexp.c | 41 +-
external/bsd/wpa/dist/src/crypto/crypto_internal.c | 3 +
external/bsd/wpa/dist/src/crypto/crypto_libtomcrypt.c | 5 +
external/bsd/wpa/dist/src/crypto/crypto_linux.c | 3 +
external/bsd/wpa/dist/src/crypto/crypto_nettle.c | 36 +-
external/bsd/wpa/dist/src/crypto/crypto_wolfssl.c | 21 +-
external/bsd/wpa/dist/src/crypto/dh_groups.c | 1 +
external/bsd/wpa/dist/src/crypto/md4-internal.c | 2 +-
external/bsd/wpa/dist/src/crypto/random.c | 74 +-
external/bsd/wpa/dist/src/crypto/sha1-internal.c | 4 +-
external/bsd/wpa/dist/src/crypto/sha1-prf.c | 2 +-
external/bsd/wpa/dist/src/crypto/sha1-tlsprf.c | 11 +-
external/bsd/wpa/dist/src/crypto/sha1-tprf.c | 2 +-
external/bsd/wpa/dist/src/crypto/sha1.c | 3 +-
external/bsd/wpa/dist/src/crypto/sha256-kdf.c | 6 +-
external/bsd/wpa/dist/src/crypto/sha256-prf.c | 2 +-
external/bsd/wpa/dist/src/crypto/sha256-tlsprf.c | 15 +-
external/bsd/wpa/dist/src/crypto/sha256.h | 6 +-
external/bsd/wpa/dist/src/crypto/sha384-kdf.c | 6 +-
external/bsd/wpa/dist/src/crypto/sha384-prf.c | 2 +-
external/bsd/wpa/dist/src/crypto/sha512-internal.c | 8 +-
external/bsd/wpa/dist/src/crypto/sha512-kdf.c | 6 +-
external/bsd/wpa/dist/src/crypto/sha512-prf.c | 2 +-
external/bsd/wpa/dist/src/crypto/sha512.c | 104 +
external/bsd/wpa/dist/src/crypto/tls.h | 82 +-
external/bsd/wpa/dist/src/crypto/tls_gnutls.c | 75 +-
external/bsd/wpa/dist/src/crypto/tls_internal.c | 46 +-
external/bsd/wpa/dist/src/crypto/tls_none.c | 5 +-
external/bsd/wpa/dist/src/crypto/tls_openssl.c | 844 ++-
external/bsd/wpa/dist/src/crypto/tls_wolfssl.c | 50 +-
external/bsd/wpa/dist/src/drivers/driver_atheros.c | 9 +-
external/bsd/wpa/dist/src/drivers/driver_common.c | 24 +-
external/bsd/wpa/dist/src/drivers/driver_hostap.c | 16 +-
external/bsd/wpa/dist/src/drivers/driver_macsec_linux.c | 377 +-
external/bsd/wpa/dist/src/drivers/driver_macsec_qca.c | 225 +
external/bsd/wpa/dist/src/drivers/driver_ndis.c | 2 +-
external/bsd/wpa/dist/src/drivers/driver_nl80211.c | 520 +-
external/bsd/wpa/dist/src/drivers/driver_nl80211.h | 17 +-
external/bsd/wpa/dist/src/drivers/driver_nl80211_capa.c | 429 +-
external/bsd/wpa/dist/src/drivers/driver_nl80211_event.c | 159 +-
external/bsd/wpa/dist/src/drivers/driver_nl80211_scan.c | 20 +-
external/bsd/wpa/dist/src/drivers/driver_openbsd.c | 3 +-
external/bsd/wpa/dist/src/drivers/driver_privsep.c | 2 +-
external/bsd/wpa/dist/src/drivers/driver_roboswitch.c | 36 +-
external/bsd/wpa/dist/src/drivers/driver_wext.c | 17 +-
external/bsd/wpa/dist/src/drivers/drivers.mak | 72 +-
external/bsd/wpa/dist/src/drivers/drivers.mk | 42 +-
external/bsd/wpa/dist/src/drivers/linux_ioctl.c | 21 +-
external/bsd/wpa/dist/src/drivers/nl80211_copy.h | 688 ++-
external/bsd/wpa/dist/src/eap_common/eap_defs.h | 1 +
external/bsd/wpa/dist/src/eap_common/eap_eke_common.c | 2 +-
external/bsd/wpa/dist/src/eap_common/eap_sake_common.c | 75 +-
external/bsd/wpa/dist/src/eap_common/eap_sake_common.h | 8 +-
external/bsd/wpa/dist/src/eap_common/eap_sim_common.c | 21 +
external/bsd/wpa/dist/src/eap_common/eap_sim_common.h | 1 +
external/bsd/wpa/dist/src/eap_common/eap_teap_common.c | 698 ++
external/bsd/wpa/dist/src/eap_common/eap_teap_common.h | 218 +
external/bsd/wpa/dist/src/eap_peer/eap.c | 10 +-
external/bsd/wpa/dist/src/eap_peer/eap.h | 12 +-
external/bsd/wpa/dist/src/eap_peer/eap_aka.c | 57 +-
external/bsd/wpa/dist/src/eap_peer/eap_config.h | 101 +-
external/bsd/wpa/dist/src/eap_peer/eap_eke.c | 12 +-
external/bsd/wpa/dist/src/eap_peer/eap_fast.c | 28 +-
external/bsd/wpa/dist/src/eap_peer/eap_leap.c | 4 +-
external/bsd/wpa/dist/src/eap_peer/eap_methods.h | 1 +
external/bsd/wpa/dist/src/eap_peer/eap_mschapv2.c | 10 +-
external/bsd/wpa/dist/src/eap_peer/eap_peap.c | 91 +-
external/bsd/wpa/dist/src/eap_peer/eap_sake.c | 12 +-
external/bsd/wpa/dist/src/eap_peer/eap_sim.c | 60 +-
external/bsd/wpa/dist/src/eap_peer/eap_teap.c | 2033 +++++++
external/bsd/wpa/dist/src/eap_peer/eap_teap_pac.c | 931 +++
external/bsd/wpa/dist/src/eap_peer/eap_teap_pac.h | 50 +
external/bsd/wpa/dist/src/eap_peer/eap_tls.c | 18 +
external/bsd/wpa/dist/src/eap_peer/eap_tls_common.c | 99 +-
external/bsd/wpa/dist/src/eap_peer/eap_tls_common.h | 7 +-
external/bsd/wpa/dist/src/eap_peer/eap_ttls.c | 48 +-
external/bsd/wpa/dist/src/eap_peer/eap_wsc.c | 3 +
external/bsd/wpa/dist/src/eap_server/eap.h | 6 +
external/bsd/wpa/dist/src/eap_server/eap_i.h | 4 +
external/bsd/wpa/dist/src/eap_server/eap_methods.h | 1 +
external/bsd/wpa/dist/src/eap_server/eap_server_aka.c | 43 +-
external/bsd/wpa/dist/src/eap_server/eap_server_gpsk.c | 4 +-
external/bsd/wpa/dist/src/eap_server/eap_server_mschapv2.c | 10 +-
external/bsd/wpa/dist/src/eap_server/eap_server_pax.c | 73 +-
external/bsd/wpa/dist/src/eap_server/eap_server_peap.c | 58 +-
external/bsd/wpa/dist/src/eap_server/eap_server_sake.c | 42 +-
external/bsd/wpa/dist/src/eap_server/eap_server_sim.c | 44 +-
external/bsd/wpa/dist/src/eap_server/eap_server_teap.c | 1947 ++++++
external/bsd/wpa/dist/src/eap_server/eap_server_tls.c | 78 +-
external/bsd/wpa/dist/src/eap_server/eap_server_ttls.c | 6 +-
external/bsd/wpa/dist/src/eap_server/eap_tls_common.h | 4 +-
external/bsd/wpa/dist/src/eapol_auth/eapol_auth_sm.c | 8 +-
external/bsd/wpa/dist/src/eapol_auth/eapol_auth_sm.h | 3 +
external/bsd/wpa/dist/src/eapol_supp/eapol_supp_sm.c | 22 +-
external/bsd/wpa/dist/src/eapol_supp/eapol_supp_sm.h | 13 +-
external/bsd/wpa/dist/src/fst/fst.h | 16 +-
external/bsd/wpa/dist/src/lib.rules | 6 +
external/bsd/wpa/dist/src/p2p/p2p.h | 15 +-
external/bsd/wpa/dist/src/p2p/p2p_build.c | 2 +-
external/bsd/wpa/dist/src/p2p/p2p_go_neg.c | 4 +-
external/bsd/wpa/dist/src/p2p/p2p_group.c | 3 +-
external/bsd/wpa/dist/src/p2p/p2p_i.h | 16 +-
external/bsd/wpa/dist/src/p2p/p2p_invitation.c | 2 +-
external/bsd/wpa/dist/src/p2p/p2p_utils.c | 23 +-
external/bsd/wpa/dist/src/pae/ieee802_1x_cp.c | 36 +-
external/bsd/wpa/dist/src/pae/ieee802_1x_cp.h | 1 -
external/bsd/wpa/dist/src/pae/ieee802_1x_kay.c | 990 ++-
external/bsd/wpa/dist/src/pae/ieee802_1x_kay.h | 8 +-
external/bsd/wpa/dist/src/pae/ieee802_1x_kay_i.h | 52 +-
external/bsd/wpa/dist/src/pae/ieee802_1x_key.c | 119 +-
external/bsd/wpa/dist/src/pae/ieee802_1x_key.h | 26 +-
external/bsd/wpa/dist/src/pae/ieee802_1x_secy_ops.c | 25 +-
external/bsd/wpa/dist/src/pae/ieee802_1x_secy_ops.h | 2 +
external/bsd/wpa/dist/src/radius/radius_server.c | 279 +-
external/bsd/wpa/dist/src/radius/radius_server.h | 6 +
external/bsd/wpa/dist/src/rsn_supp/pmksa_cache.c | 3 +-
external/bsd/wpa/dist/src/rsn_supp/wpa.h | 14 +-
external/bsd/wpa/dist/src/rsn_supp/wpa_ie.c | 13 +
external/bsd/wpa/dist/src/rsn_supp/wpa_ie.h | 4 +
external/bsd/wpa/dist/src/tls/asn1.c | 41 +-
external/bsd/wpa/dist/src/tls/bignum.c | 4 +-
external/bsd/wpa/dist/src/tls/libtommath.c | 1 +
external/bsd/wpa/dist/src/tls/tlsv1_client.c | 34 +-
external/bsd/wpa/dist/src/tls/tlsv1_client.h | 3 +-
external/bsd/wpa/dist/src/tls/tlsv1_client_read.c | 2 +-
external/bsd/wpa/dist/src/tls/tlsv1_client_write.c | 3 +
external/bsd/wpa/dist/src/tls/tlsv1_server.c | 57 +-
external/bsd/wpa/dist/src/tls/tlsv1_server.h | 7 +-
external/bsd/wpa/dist/src/tls/tlsv1_server_i.h | 2 +
external/bsd/wpa/dist/src/tls/tlsv1_server_read.c | 51 +-
external/bsd/wpa/dist/src/tls/tlsv1_server_write.c | 5 +-
external/bsd/wpa/dist/src/tls/x509v3.c | 81 +-
external/bsd/wpa/dist/src/utils/Makefile | 1 +
external/bsd/wpa/dist/src/utils/base64.c | 5 +-
external/bsd/wpa/dist/src/utils/browser.c | 3 +-
external/bsd/wpa/dist/src/utils/http_curl.c | 35 +-
external/bsd/wpa/dist/src/utils/json.c | 7 +
external/bsd/wpa/dist/src/utils/list.h | 6 +-
external/bsd/wpa/dist/src/utils/os_internal.c | 16 -
external/bsd/wpa/dist/src/utils/os_none.c | 6 -
external/bsd/wpa/dist/src/utils/trace.c | 6 +-
external/bsd/wpa/dist/src/utils/utils_module_tests.c | 290 +
external/bsd/wpa/dist/src/utils/wpa_debug.c | 7 +
external/bsd/wpa/dist/src/wps/wps.c | 8 +-
external/bsd/wpa/dist/src/wps/wps.h | 40 +-
external/bsd/wpa/dist/src/wps/wps_attr_build.c | 14 +-
external/bsd/wpa/dist/src/wps/wps_attr_parse.c | 11 +
external/bsd/wpa/dist/src/wps/wps_attr_parse.h | 1 +
external/bsd/wpa/dist/src/wps/wps_common.c | 16 +-
external/bsd/wpa/dist/src/wps/wps_defs.h | 3 +-
external/bsd/wpa/dist/src/wps/wps_dev_attr.c | 8 +
external/bsd/wpa/dist/src/wps/wps_dev_attr.h | 1 +
external/bsd/wpa/dist/src/wps/wps_enrollee.c | 14 +-
external/bsd/wpa/dist/src/wps/wps_er.c | 4 +-
external/bsd/wpa/dist/src/wps/wps_i.h | 5 +-
external/bsd/wpa/dist/src/wps/wps_registrar.c | 88 +-
external/bsd/wpa/dist/src/wps/wps_upnp.c | 2 +-
external/bsd/wpa/dist/src/wps/wps_validate.c | 2 +-
external/bsd/wpa/dist/wpa_supplicant/Android.mk | 73 +-
external/bsd/wpa/dist/wpa_supplicant/ChangeLog | 98 +
external/bsd/wpa/dist/wpa_supplicant/README-DPP | 195 +
external/bsd/wpa/dist/wpa_supplicant/README-P2P | 6 +-
external/bsd/wpa/dist/wpa_supplicant/android.config | 16 +-
external/bsd/wpa/dist/wpa_supplicant/ap.c | 82 +-
external/bsd/wpa/dist/wpa_supplicant/ap.h | 2 +-
external/bsd/wpa/dist/wpa_supplicant/bss.c | 19 +-
external/bsd/wpa/dist/wpa_supplicant/bss.h | 3 +-
external/bsd/wpa/dist/wpa_supplicant/config.h | 59 +
external/bsd/wpa/dist/wpa_supplicant/config_file.c | 37 +-
external/bsd/wpa/dist/wpa_supplicant/config_ssid.h | 104 +-
external/bsd/wpa/dist/wpa_supplicant/config_winreg.c | 7 +
external/bsd/wpa/dist/wpa_supplicant/ctrl_iface_unix.c | 12 +-
external/bsd/wpa/dist/wpa_supplicant/dbus/Makefile | 4 -
external/bsd/wpa/dist/wpa_supplicant/dbus/dbus-wpa_supplicant.conf | 8 -
external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_common.c | 8 -
external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_new.c | 342 +-
external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_new.h | 27 +
external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_new_handlers.c | 445 +-
external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_new_handlers.h | 18 +
external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_new_handlers_p2p.c | 97 +-
external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_new_handlers_p2p.h | 1 +
external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_new_handlers_wps.c | 10 +-
external/bsd/wpa/dist/wpa_supplicant/dbus/dbus_new_helpers.c | 4 +-
external/bsd/wpa/dist/wpa_supplicant/doc/docbook/eapol_test.8 | 4 +-
external/bsd/wpa/dist/wpa_supplicant/doc/docbook/eapol_test.sgml | 2 +-
external/bsd/wpa/dist/wpa_supplicant/doc/docbook/wpa_background.8 | 4 +-
external/bsd/wpa/dist/wpa_supplicant/doc/docbook/wpa_background.sgml | 2 +-
external/bsd/wpa/dist/wpa_supplicant/doc/docbook/wpa_cli.8 | 4 +-
external/bsd/wpa/dist/wpa_supplicant/doc/docbook/wpa_cli.sgml | 2 +-
external/bsd/wpa/dist/wpa_supplicant/doc/docbook/wpa_gui.8 | 4 +-
external/bsd/wpa/dist/wpa_supplicant/doc/docbook/wpa_gui.sgml | 2 +-
external/bsd/wpa/dist/wpa_supplicant/doc/docbook/wpa_passphrase.8 | 4 +-
external/bsd/wpa/dist/wpa_supplicant/doc/docbook/wpa_passphrase.sgml | 2 +-
external/bsd/wpa/dist/wpa_supplicant/doc/docbook/wpa_priv.8 | 4 +-
external/bsd/wpa/dist/wpa_supplicant/doc/docbook/wpa_priv.sgml | 2 +-
external/bsd/wpa/dist/wpa_supplicant/doc/docbook/wpa_supplicant.8 | 22 +-
external/bsd/wpa/dist/wpa_supplicant/doc/docbook/wpa_supplicant.conf.5 | 2 +-
external/bsd/wpa/dist/wpa_supplicant/doc/docbook/wpa_supplicant.sgml | 30 +-
external/bsd/wpa/dist/wpa_supplicant/dpp_supplicant.c | 934 +--
external/bsd/wpa/dist/wpa_supplicant/dpp_supplicant.h | 11 +-
external/bsd/wpa/dist/wpa_supplicant/eap_register.c | 10 +
external/bsd/wpa/dist/wpa_supplicant/eapol_test.c | 35 +-
external/bsd/wpa/dist/wpa_supplicant/eapol_test.py | 2 +-
external/bsd/wpa/dist/wpa_supplicant/examples/dbus-listen-preq.py | 20 +-
external/bsd/wpa/dist/wpa_supplicant/examples/dpp-qrcode.py | 36 +-
external/bsd/wpa/dist/wpa_supplicant/examples/p2p-nfc.py | 168 +-
external/bsd/wpa/dist/wpa_supplicant/examples/p2p/p2p_connect.py | 70 +-
external/bsd/wpa/dist/wpa_supplicant/examples/p2p/p2p_disconnect.py | 30 +-
external/bsd/wpa/dist/wpa_supplicant/examples/p2p/p2p_find.py | 34 +-
external/bsd/wpa/dist/wpa_supplicant/examples/p2p/p2p_flush.py | 30 +-
external/bsd/wpa/dist/wpa_supplicant/examples/p2p/p2p_group_add.py | 50 +-
external/bsd/wpa/dist/wpa_supplicant/examples/p2p/p2p_invite.py | 44 +-
external/bsd/wpa/dist/wpa_supplicant/examples/p2p/p2p_listen.py | 32 +-
external/bsd/wpa/dist/wpa_supplicant/examples/p2p/p2p_stop_find.py | 32 +-
external/bsd/wpa/dist/wpa_supplicant/examples/wpas-dbus-new-getall.py | 29 +-
external/bsd/wpa/dist/wpa_supplicant/examples/wpas-dbus-new-signals.py | 34 +-
external/bsd/wpa/dist/wpa_supplicant/examples/wpas-dbus-new-wps.py | 16 +-
external/bsd/wpa/dist/wpa_supplicant/examples/wpas-dbus-new.py | 20 +-
external/bsd/wpa/dist/wpa_supplicant/examples/wps-nfc.py | 124 +-
external/bsd/wpa/dist/wpa_supplicant/gas_query.c | 2 +-
external/bsd/wpa/dist/wpa_supplicant/gas_query.h | 1 +
external/bsd/wpa/dist/wpa_supplicant/hs20_supplicant.c | 31 +-
external/bsd/wpa/dist/wpa_supplicant/hs20_supplicant.h | 4 +-
external/bsd/wpa/dist/wpa_supplicant/ibss_rsn.c | 8 +-
external/bsd/wpa/dist/wpa_supplicant/interworking.c | 13 +-
external/bsd/wpa/dist/wpa_supplicant/mbo.c | 36 +-
external/bsd/wpa/dist/wpa_supplicant/mesh.c | 255 +-
external/bsd/wpa/dist/wpa_supplicant/mesh_mpm.c | 107 +-
external/bsd/wpa/dist/wpa_supplicant/mesh_rsn.c | 17 +-
external/bsd/wpa/dist/wpa_supplicant/notify.c | 127 +-
external/bsd/wpa/dist/wpa_supplicant/notify.h | 17 +-
external/bsd/wpa/dist/wpa_supplicant/p2p_supplicant.c | 233 +-
external/bsd/wpa/dist/wpa_supplicant/p2p_supplicant.h | 9 +-
external/bsd/wpa/dist/wpa_supplicant/preauth_test.c | 2 +-
external/bsd/wpa/dist/wpa_supplicant/rrm.c | 239 +-
external/bsd/wpa/dist/wpa_supplicant/scan.c | 16 +-
external/bsd/wpa/dist/wpa_supplicant/sme.c | 314 +-
external/bsd/wpa/dist/wpa_supplicant/sme.h | 5 +
external/bsd/wpa/dist/wpa_supplicant/systemd/wpa_supplicant.service.in | 4 +-
external/bsd/wpa/dist/wpa_supplicant/utils/log2pcap.py | 2 +-
external/bsd/wpa/dist/wpa_supplicant/wmm_ac.c | 11 +-
external/bsd/wpa/dist/wpa_supplicant/wpa_supplicant.conf | 114 +-
external/bsd/wpa/dist/wpa_supplicant/wpas_glue.c | 23 +-
external/bsd/wpa/dist/wpa_supplicant/wpas_kay.c | 23 +-
external/bsd/wpa/dist/wpa_supplicant/wps_supplicant.c | 18 +-
external/bsd/wpa/dist/wpa_supplicant/wps_supplicant.h | 2 +-
332 files changed, 25886 insertions(+), 4544 deletions(-)
diffs (truncated from 47296 to 300 lines):
diff -r 1701159d192a -r 7338b4f72025 external/bsd/wpa/dist/CONTRIBUTIONS
--- a/external/bsd/wpa/dist/CONTRIBUTIONS Mon Mar 01 00:51:01 2021 +0000
+++ b/external/bsd/wpa/dist/CONTRIBUTIONS Mon Mar 01 01:37:49 2021 +0000
@@ -140,7 +140,7 @@
Modified BSD license (no advertisement clause):
-Copyright (c) 2002-2018, Jouni Malinen <j%w1.fi@localhost> and contributors
+Copyright (c) 2002-2019, Jouni Malinen <j%w1.fi@localhost> and contributors
All Rights Reserved.
Redistribution and use in source and binary forms, with or without
diff -r 1701159d192a -r 7338b4f72025 external/bsd/wpa/dist/COPYING
--- a/external/bsd/wpa/dist/COPYING Mon Mar 01 00:51:01 2021 +0000
+++ b/external/bsd/wpa/dist/COPYING Mon Mar 01 01:37:49 2021 +0000
@@ -1,7 +1,7 @@
wpa_supplicant and hostapd
--------------------------
-Copyright (c) 2002-2018, Jouni Malinen <j%w1.fi@localhost> and contributors
+Copyright (c) 2002-2019, Jouni Malinen <j%w1.fi@localhost> and contributors
All Rights Reserved.
diff -r 1701159d192a -r 7338b4f72025 external/bsd/wpa/dist/README
--- a/external/bsd/wpa/dist/README Mon Mar 01 00:51:01 2021 +0000
+++ b/external/bsd/wpa/dist/README Mon Mar 01 01:37:49 2021 +0000
@@ -1,7 +1,7 @@
wpa_supplicant and hostapd
--------------------------
-Copyright (c) 2002-2018, Jouni Malinen <j%w1.fi@localhost> and contributors
+Copyright (c) 2002-2019, Jouni Malinen <j%w1.fi@localhost> and contributors
All Rights Reserved.
These programs are licensed under the BSD license (the one with
diff -r 1701159d192a -r 7338b4f72025 external/bsd/wpa/dist/hostapd/Android.mk
--- a/external/bsd/wpa/dist/hostapd/Android.mk Mon Mar 01 00:51:01 2021 +0000
+++ b/external/bsd/wpa/dist/hostapd/Android.mk Mon Mar 01 01:37:49 2021 +0000
@@ -235,6 +235,12 @@
NEED_SHA384=y
endif
+ifdef CONFIG_OCV
+L_CFLAGS += -DCONFIG_OCV
+OBJS += src/common/ocv.c
+CONFIG_IEEE80211W=y
+endif
+
ifdef CONFIG_IEEE80211W
L_CFLAGS += -DCONFIG_IEEE80211W
NEED_SHA256=y
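Review bot: the new CONFIG_OCV block sets CONFIG_IEEE80211W=y as an undocumented side effect, and it only takes effect because the block sits directly above the `ifdef CONFIG_IEEE80211W` test that follows it in this hunk. A one-line comment above the assignment stating that OCV depends on IEEE 802.11w support, and that this block must stay ahead of the CONFIG_IEEE80211W one, would keep a later reordering of the file from producing OCV builds without -DCONFIG_IEEE80211W.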
@@ -263,6 +269,7 @@
OBJS += src/common/sae.c
NEED_ECC=y
NEED_DH_GROUPS=y
+NEED_DRAGONFLY=y
endif
ifdef CONFIG_OWE
@@ -456,6 +463,7 @@
OBJS += src/eap_server/eap_server_pwd.c src/eap_common/eap_pwd_common.c
NEED_SHA256=y
NEED_ECC=y
+NEED_DRAGONFLY=y
endif
ifdef CONFIG_EAP_EKE
@@ -479,6 +487,16 @@
NEED_AES_UNWRAP=y
endif
+ifdef CONFIG_EAP_TEAP
+L_CFLAGS += -DEAP_SERVER_TEAP
+OBJS += src/eap_server/eap_server_teap.c
+OBJS += src/eap_common/eap_teap_common.c
+TLS_FUNCS=y
+NEED_T_PRF=y
+NEED_SHA384=y
+NEED_AES_UNWRAP=y
+endif
+
ifdef CONFIG_WPS
L_CFLAGS += -DCONFIG_WPS -DEAP_SERVER_WSC
OBJS += src/utils/uuid.c
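Review bot: the added CONFIG_EAP_TEAP block has no comment marking the method as experimental, although the ChangeLog entry in this same changeset describes it as "experimental support for EAP-TEAP server (RFC 7170)". A comment above `ifdef CONFIG_EAP_TEAP` saying so would help, and it is worth checking that the android.config and defconfig changes listed in the diffstat leave the option disabled by default so that it is not built into production images by accident.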
@@ -548,6 +566,9 @@
NEED_JSON=y
NEED_GAS=y
NEED_BASE64=y
+ifdef CONFIG_DPP2
+L_CFLAGS += -DCONFIG_DPP2
+endif
endif
ifdef CONFIG_EAP_IKEV2
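Review bot: the added `ifdef CONFIG_DPP2` is nested inside the enclosing conditional (closed by the `endif` immediately after it), so setting CONFIG_DPP2 alone is silently ignored when the outer option is off. A short comment naming the outer option it depends on, or an explicit build error when CONFIG_DPP2 is set without it, would make that dependency visible to whoever edits the configuration.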
@@ -586,6 +607,10 @@
L_CFLAGS += -DPKCS12_FUNCS
endif
+ifdef NEED_DRAGONFLY
+OBJS += src/common/dragonfly.c
+endif
+
ifdef MS_FUNCS
OBJS += src/crypto/ms_funcs.c
NEED_DES=y
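Review bot: the `ifdef NEED_DRAGONFLY` block that adds src/common/dragonfly.c relies on being evaluated after the SAE and EAP-pwd blocks earlier in this file, which are the places that set NEED_DRAGONFLY=y; the ordering is correct here but nothing states it. A comment noting which options set the flag would help, and since hostapd/Makefile appears in the diffstat but falls outside the 300 lines shown, the same wiring should be confirmed there so that SAE and EAP-pwd builds pick up dragonfly.c in both build systems.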
diff -r 1701159d192a -r 7338b4f72025 external/bsd/wpa/dist/hostapd/ChangeLog
--- a/external/bsd/wpa/dist/hostapd/ChangeLog Mon Mar 01 00:51:01 2021 +0000
+++ b/external/bsd/wpa/dist/hostapd/ChangeLog Mon Mar 01 01:37:49 2021 +0000
@@ -1,5 +1,84 @@
ChangeLog for hostapd
+2019-08-07 - v2.9
+ * SAE changes
+ - disable use of groups using Brainpool curves
+ - improved protection against side channel attacks
+ [https://w1.fi/security/2019-6/]
+ * EAP-pwd changes
+ - disable use of groups using Brainpool curves
+ - improved protection against side channel attacks
+ [https://w1.fi/security/2019-6/]
+ * fixed FT-EAP initial mobility domain association using PMKSA caching
+ * added configuration of airtime policy
+ * fixed FILS to and RSNE into (Re)Association Response frames
+ * fixed DPP bootstrapping URI parser of channel list
+ * added support for regulatory WMM limitation (for ETSI)
+ * added support for MACsec Key Agreement using IEEE 802.1X/PSK
+ * added experimental support for EAP-TEAP server (RFC 7170)
+ * added experimental support for EAP-TLS server with TLS v1.3
+ * added support for two server certificates/keys (RSA/ECC)
+ * added AKMSuiteSelector into "STA <addr>" control interface data to
+ determine with AKM was used for an association
+ * added eap_sim_id parameter to allow EAP-SIM/AKA server pseudonym and
+ fast reauthentication use to be disabled
+ * fixed an ECDH operation corner case with OpenSSL
+
+2019-04-21 - v2.8
+ * SAE changes
+ - added support for SAE Password Identifier
+ - changed default configuration to enable only group 19
+ (i.e., disable groups 20, 21, 25, 26 from default configuration) and
+ disable all unsuitable groups completely based on REVmd changes
+ - improved anti-clogging token mechanism and SAE authentication
+ frame processing during heavy CPU load; this mitigates some issues
+ with potential DoS attacks trying to flood an AP with large number
+ of SAE messages
+ - added Finite Cyclic Group field in status code 77 responses
+ - reject use of unsuitable groups based on new implementation guidance
+ in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
+ groups with prime >= 256)
+ - minimize timing and memory use differences in PWE derivation
+ [https://w1.fi/security/2019-1/] (CVE-2019-9494)
+ - fixed confirm message validation in error cases
+ [https://w1.fi/security/2019-3/] (CVE-2019-9496)
+ * EAP-pwd changes
+ - minimize timing and memory use differences in PWE derivation
+ [https://w1.fi/security/2019-2/] (CVE-2019-9495)
+ - verify peer scalar/element
+ [https://w1.fi/security/2019-4/] (CVE-2019-9497 and CVE-2019-9498)
+ - fix message reassembly issue with unexpected fragment
+ [https://w1.fi/security/2019-5/]
+ - enforce rand,mask generation rules more strictly
+ - fix a memory leak in PWE derivation
+ - disallow ECC groups with a prime under 256 bits (groups 25, 26, and
+ 27)
+ * Hotspot 2.0 changes
+ - added support for release number 3
+ - reject release 2 or newer association without PMF
+ * added support for RSN operating channel validation
+ (CONFIG_OCV=y and configuration parameter ocv=1)
+ * added Multi-AP protocol support
+ * added FTM responder configuration
+ * fixed build with LibreSSL
+ * added FT/RRB workaround for short Ethernet frame padding
+ * fixed KEK2 derivation for FILS+FT
+ * added RSSI-based association rejection from OCE
+ * extended beacon reporting functionality
+ * VLAN changes
+ - allow local VLAN management with remote RADIUS authentication
+ - add WPA/WPA2 passphrase/PSK -based VLAN assignment
+ * OpenSSL: allow systemwide policies to be overridden
+ * extended PEAP to derive EMSK to enable use with ERP/FILS
+ * extended WPS to allow SAE configuration to be added automatically
+ for PSK (wps_cred_add_sae=1)
+ * fixed FT and SA Query Action frame with AP-MLME-in-driver cases
+ * OWE: allow Diffie-Hellman Parameter element to be included with DPP
+ in preparation for DPP protocol extension
+ * RADIUS server: started to accept ERP keyName-NAI as user identity
+ automatically without matching EAP database entry
+ * fixed PTK rekeying with FILS and FT
+
2018-12-02 - v2.7
* fixed WPA packet number reuse with replayed messages and key
reinstallation
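Review bot: two of the added v2.9 entries are garbled: "fixed FILS to and RSNE into (Re)Association Response frames" and "determine with AKM was used for an association". Because this file lives under dist/, correct them only if the same fix goes upstream; otherwise leave them as imported so the next vendor import merges cleanly. Separately, the v2.9 side-channel entries and the v2.8 "fix message reassembly issue with unexpected fragment" entry cite only an advisory URL, while the neighbouring v2.8 entries carry CVE ids, so anyone tracking these fixes by CVE has to follow the links.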
diff -r 1701159d192a -r 7338b4f72025 external/bsd/wpa/dist/hostapd/Makefile
--- a/external/bsd/wpa/dist/hostapd/Makefile Mon Mar 01 00:51:01 2021 +0000
+++ b/external/bsd/wpa/dist/hostapd/Makefile Mon Mar 01 01:37:49 2021 +0000
@@ -278,6 +278,12 @@
NEED_SHA384=y
endif
+ifdef CONFIG_OCV
+CFLAGS += -DCONFIG_OCV
+OBJS += ../src/common/ocv.o
+CONFIG_IEEE80211W=y
+endif
+
ifdef CONFIG_IEEE80211W
CFLAGS += -DCONFIG_IEEE80211W
NEED_SHA256=y
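Review bot: the new CONFIG_OCV block sets CONFIG_IEEE80211W=y without saying why, and it only takes effect because the block sits directly above the `ifdef CONFIG_IEEE80211W` test. Add a short comment stating that OCV pulls in 802.11w and must stay above that test, so a later reorder cannot produce a build with -DCONFIG_OCV but without -DCONFIG_IEEE80211W.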
@@ -307,6 +313,7 @@
NEED_ECC=y
NEED_DH_GROUPS=y
NEED_AP_MLME=y
+NEED_DRAGONFLY=y
endif
ifdef CONFIG_OWE
@@ -320,6 +327,11 @@
NEED_SHA512=y
endif
+ifdef CONFIG_AIRTIME_POLICY
+CFLAGS += -DCONFIG_AIRTIME_POLICY
+OBJS += ../src/ap/airtime_policy.o
+endif
+
ifdef CONFIG_FILS
CFLAGS += -DCONFIG_FILS
OBJS += ../src/ap/fils_hlp.o
@@ -490,6 +502,7 @@
OBJS += ../src/eap_server/eap_server_pwd.o ../src/eap_common/eap_pwd_common.o
NEED_SHA256=y
NEED_ECC=y
+NEED_DRAGONFLY=y
endif
ifdef CONFIG_EAP_EKE
@@ -513,6 +526,16 @@
NEED_AES_UNWRAP=y
endif
+ifdef CONFIG_EAP_TEAP
+CFLAGS += -DEAP_SERVER_TEAP
+OBJS += ../src/eap_server/eap_server_teap.o
+OBJS += ../src/eap_common/eap_teap_common.o
+TLS_FUNCS=y
+NEED_T_PRF=y
+NEED_SHA384=y
+NEED_AES_UNWRAP=y
+endif
+
ifdef CONFIG_WPS
CFLAGS += -DCONFIG_WPS -DEAP_SERVER_WSC
OBJS += ../src/utils/uuid.o
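Review bot: nothing in the CONFIG_EAP_TEAP block marks the option as experimental, although the ChangeLog in this same changeset lists it as "added experimental support for EAP-TEAP server (RFC 7170)". A comment above `ifdef CONFIG_EAP_TEAP` saying so would keep packagers from enabling it in a production hostapd build by default.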
@@ -582,6 +605,9 @@
NEED_JSON=y
NEED_GAS=y
NEED_BASE64=y
+ifdef CONFIG_DPP2
+CFLAGS += -DCONFIG_DPP2
+endif
endif
ifdef CONFIG_EAP_IKEV2
@@ -604,6 +630,15 @@
endif
endif
+ifdef CONFIG_MACSEC
+CFLAGS += -DCONFIG_MACSEC
+OBJS += ../src/ap/wpa_auth_kay.o
+OBJS += ../src/pae/ieee802_1x_cp.o
+OBJS += ../src/pae/ieee802_1x_kay.o
+OBJS += ../src/pae/ieee802_1x_key.o
+OBJS += ../src/pae/ieee802_1x_secy_ops.o
+endif
+
# Basic EAP functionality is needed for EAPOL
OBJS += eap_register.o
OBJS += ../src/eap_server/eap_server.o
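Review bot: the CONFIG_MACSEC block adds five objects but declares no NEED_* dependencies, unlike the CONFIG_EAP_TEAP block in this diff, which sets NEED_T_PRF, NEED_SHA384 and NEED_AES_UNWRAP. Please confirm that a configuration enabling only CONFIG_MACSEC still links, and if the pae/ objects rely on crypto helpers that other options happen to pull in, state those requirements here explicitly.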
@@ -620,6 +655,10 @@
CFLAGS += -DPKCS12_FUNCS
endif
+ifdef NEED_DRAGONFLY
+OBJS += ../src/common/dragonfly.o
+endif
+
ifdef MS_FUNCS
OBJS += ../src/crypto/ms_funcs.o
NEED_DES=y
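Review bot: the `ifdef NEED_DRAGONFLY` test is evaluated when make parses the file, so it only sees assignments made above it. The two `NEED_DRAGONFLY=y` lines added in this diff (new lines 313 and 502) both precede this block at 655, which is correct, but a later assignment placed below it would silently drop dragonfly.o from the build. A one-line comment noting that NEED_DRAGONFLY must be set earlier in the file would make that constraint visible.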
@@ -1095,6 +1134,9 @@
ifdef CONFIG_NO_RANDOM_POOL
CFLAGS += -DCONFIG_NO_RANDOM_POOL
else
+ifdef CONFIG_GETRANDOM
+CFLAGS += -DCONFIG_GETRANDOM
+endif
OBJS += ../src/crypto/random.o
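Review bot: CONFIG_GETRANDOM is tested only inside the else branch of `ifdef CONFIG_NO_RANDOM_POOL`, so a configuration that sets both options gets no -DCONFIG_GETRANDOM and no diagnostic. If that is the intended behaviour, document it next to the new ifdef; since the option is opt-in and affects where key material gets its entropy, it also deserves a description wherever the build options are documented.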