Fix unauthenticated EAPOL-Key decryption vulnerability. [SA-18:11.hostapd]

Approved by: so

Update wpa_supplicant/hostapd for 2017-01 vulnerability release.

Note this is a different patchset than what was applied to head and
stable/11 due to the much older version of wpa_supplicant/hostapd in
stable/10.

hostapd: Avoid key reinstallation in FT handshake
Prevent reinstallation of an already in-use group key
Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases
Fix TK configuration to the driver in EAPOL-Key 3/4 retry case
Prevent installation of an all-zero TK
Fix PTK rekeying to generate a new ANonce
TDLS: Reject TPK-TK reconfiguration
WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in use
WNM: Ignore WNM-Sleep Mode Response if WNM-Sleep Mode has not been used
WNM: Ignore WNM-Sleep Mode Response without pending request
FT: Do not allow multiple Reassociation Response frames
TDLS: Ignore incoming TDLS Setup Response retries

Submitted by: jhb
Obtained from: https://w1.fi/security/2017-01/ (against later version)
Security: FreeBSD-SA-17:07
Security: CERT VU#228519
Security: CVE-2017-13077
Security: CVE-2017-13078
Security: CVE-2017-13079
Security: CVE-2017-13080
Security: CVE-2017-13081
Security: CVE-2017-13082
Security: CVE-2017-13086
Security: CVE-2017-13087
Security: CVE-2017-13088
Differential Revision: https://reviews.freebsd.org/D12724

MFC r263925
Enable all cryptocaps because net80211 can do software encryption.

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Fix previous commit: both flags must be set.

Make sure IFM_AVALID is also set when checking ifm_status.

Submitted by: yongari

Fix a timing issue with the wired driver.

After configuring the interface, wait for the link to become active.
Many ethernet drivers reset the chip when we set multicast filters
(causing significant delays due to link re-negotiation) and, by the time
we start sending packets, they are discared instead of going to the ether.

Tested by: dumbbell

Move to MSG_DEBUG to print it via syslog only when requested.

Reviewed by: rpaulo, adrian
Approved by: sbruno (mentor)

Delete .gitignore files.

Remove unused files / directories.

Merge hostapd / wpa_supplicant 2.0.

Reviewed by: adrian (driver_bsd + usr.sbin/wpa)

Import change e4ac6417c7504e1c55ec556ce908974c04e29e3c from upstream wpa:

From: Guy Eilam <guy@wizery.com>
Date: Mon, 21 Feb 2011 20:44:46 +0000 (+0200)
Subject: utils: Corrected a typo in header's name definition

utils: Corrected a typo in header's name definition

Corrected a typo in the BASE64_H definition that
might cause the header file to be included more than once.

Signed-off-by: Guy Eilam <guy@wizery.com>

Submitted by: <dt71@gmx.com>
MFC after: 3 days

Import change 40eebf235370b6fe6353784ccf01ab92eed062a5 from upstream wpa:

From: Jouni Malinen <j@w1.fi>
Date: Fri, 15 Jul 2011 13:42:06 +0300
Subject: [PATCH] MD5: Fix clearing of temporary stack memory to use correct length

sizeof of the structure instead of the pointer was supposed to be used
here. Fix this to clear the full structure at the end of MD5Final().

Found by: clang ToT
Reviewed by: rpaulo
MFC after: 3 days

MFS security patches which seem to have accidentally not reached HEAD:

Fix insufficient message length validation for EAP-TLS messages.

Fix Linux compatibility layer input validation error.

Security: FreeBSD-SA-12:07.hostapd
Security: FreeBSD-SA-12:08.linux
Security: CVE-2012-4445, CVE-2012-4576
With hat: so@

Remove unused files.

Merge wpa_supplicant and hostapd 0.7.3.

Remove unused files.

MFV hostapd & wpa_supplicant 0.6.10.

bring in local changes for:
CONFIG_DEBUG_SYSLOG
CONFIG_TERMINATE_ONLASTIF
EAP_SERVER

connect vendor wpa area to contrib

remove unused bits

import wpa_supplicant+hostapd 0.6.8