#
491938d7 |
|
16-Apr-2024 |
Adrian Chadd <adrian@FreeBSD.org> |
wpa: Remove the now not-needed local logic to hard-code cipher support A previous commit now exposes the supported net80211 ciphers for the given NIC, rather than the hardware cipher list. This is going to be especially important moving forward when we add more cipher and key management support. Differential Revision: https://reviews.freebsd.org/D44821
|
#
bfb202c4 |
|
23-Mar-2023 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
WPA: driver_bsd.c: backout upstream IFF_ change and add logging This reverts the state to our old supplicant logic setting or clearing IFF_UP if needed. In addition this adds logging for the cases in which we do (not) change the interface state. Depending on testing this seems to help bringing WiFi up or not log any needed changes (which would be the expected wpa_supplicant logic now). People should look out for ``(changed)`` log entries (at least if debugging the issue; this way we will at least have data points). There is a hypothesis still pondered that the entire IFF_UP toggling only exploits a race in net80211 (see further discussions for more debugging and alternative solutions see D38508 and D38753). That may also explain why the changes to the rc startup script [1] only helped partially for some people to no longer see the continuous CTRL-EVENT-SCAN-FAILED. It is highly likely that we will want further changes and until we know for sure that people are seeing ''(changed)'' events this should stay local. Should we need to upstream this we'll likely need #ifdef __FreeBSD__ around this code. [1] 5fcdc19a81115d975e238270754e28557a2fcfc5 and d06d7eb09131edea666bf049d6c0c55672726f76 Sponsored by: The FreeBSD Foundation MFC after: 10 days Reviewed by: cy, enweiwu (earlier) Differential Revision: https://reviews.freebsd.org/D38807
|
#
775611ea |
|
02-Jul-2022 |
J.R. Oldroyd <fbsd@opal.com> |
wpa_supplicant: Resolve secondary VAP association issue Association will fail on a secondary open unprotected VAP when the primary VAP is configured for WPA. Examples of secondary VAPs are hotels, universities, and commodity routers' guest networks. A broadly similar bug was discussed on Red Hat's bugzilla affecting association to a D-Link DIR-842. This suggests that as IEs were added to the 802.11 protocol the old code was increasingly inadequate to handle the additional IEs, not only a secondary VAP. PR: 264238 Reported by: Jaskie <jiangjun12321@gmail.com> "J.R. Oldroyd" <fbsd@opal.com> Submitted by: "J.R. Oldroyd" <fbsd@opal.com> MFC after: 3 days
|
#
3b295678 |
|
20-Jun-2022 |
Cy Schubert <cy@FreeBSD.org> |
wpa: Restore missing patch In December after a failed MFV due to a now understood issue I had with git -- git aborts with extremely large MFV -- this patch was removed during the revert. Restore this patch. PR: 264238 Fixes: 4b72b91a7132df1f77bbae194e1071ac621f1edb MFC after: 1 week
|
#
c1d255d3 |
|
03-Sep-2021 |
Cy Schubert <cy@FreeBSD.org> |
wpa: Import wpa_supplicant/hostapd commits up to b4f7506ff Merge vendor commits 40c7ff83e74eabba5a7e2caefeea12372b2d3f9a, efec8223892b3e677acb46eae84ec3534989971f, and 2f6c3ea9600b494d24cac5a38c1cea0ac192245e. Tested by: philip MFC after: 2 months
|
#
d70886d0 |
|
20-Jan-2021 |
Cy Schubert <cy@FreeBSD.org> |
wpa_supplicant uses PF_ROUTE to return the routing table in order to determine the length of the routing table buffer. As of 81728a538d24 wpa_supplicant is started before the routing table has been populated resulting in the length of zero to be returned. This causes wpa_supplicant to loop endlessly. (The workaround is to kill and restart wpa_supplicant as by the time it is restarted the routing table is populated.) (Personally, I was not able to reproduce this unless wlan0 was a member of lagg0. However, others experienced this problem on standalone wlan0.) PR: 252844 Submitted by: shu <ankohuu _ outlook.com> Reported by: shu <ankohuu _ outlook.com> Reviewed by: cy X-MFC with: 81728a538d24f483d0986850fa3f51d5d84d8f26 Differential Revision: https://reviews.freebsd.org/D28249 |
#
2ecd01c7 |
|
19-May-2020 |
Cy Schubert <cy@FreeBSD.org> |
Silence the once per second CTRL-EVENT-SCAN-FAILED errors when the WiFi radio is disabled through the communication device toggle key (also known as the RF radio kill button). Only the CTRL-EVENT-DISCONNECTED will be issued. Submitted by: avg Reported by: avg MFC after: 1 week |
#
206b73d0 |
|
22-Aug-2019 |
Cy Schubert <cy@FreeBSD.org> |
MFV r346563: Update wpa 2.8 --> 2.9

hostapd:
* SAE changes
  - disable use of groups using Brainpool curves
  - improved protection against side channel attacks [https://w1.fi/security/2019-6/]
* EAP-pwd changes
  - disable use of groups using Brainpool curves
  - improved protection against side channel attacks [https://w1.fi/security/2019-6/]
* fixed FT-EAP initial mobility domain association using PMKSA caching
* added configuration of airtime policy
* fixed FILS to and RSNE into (Re)Association Response frames
* fixed DPP bootstrapping URI parser of channel list
* added support for regulatory WMM limitation (for ETSI)
* added support for MACsec Key Agreement using IEEE 802.1X/PSK
* added experimental support for EAP-TEAP server (RFC 7170)
* added experimental support for EAP-TLS server with TLS v1.3
* added support for two server certificates/keys (RSA/ECC)
* added AKMSuiteSelector into "STA <addr>" control interface data to determine with AKM was used for an association
* added eap_sim_id parameter to allow EAP-SIM/AKA server pseudonym and fast reauthentication use to be disabled
* fixed an ECDH operation corner case with OpenSSL

wpa_supplicant:
* SAE changes
  - disable use of groups using Brainpool curves
  - improved protection against side channel attacks [https://w1.fi/security/2019-6/]
* EAP-pwd changes
  - disable use of groups using Brainpool curves
  - allow the set of groups to be configured (eap_pwd_groups)
  - improved protection against side channel attacks [https://w1.fi/security/2019-6/]
* fixed FT-EAP initial mobility domain association using PMKSA caching (disabled by default for backwards compatibility; can be enabled with ft_eap_pmksa_caching=1)
* fixed a regression in OpenSSL 1.1+ engine loading
* added validation of RSNE in (Re)Association Response frames
* fixed DPP bootstrapping URI parser of channel list
* extended EAP-SIM/AKA fast re-authentication to allow use with FILS
* extended ca_cert_blob to support PEM format
* improved robustness of P2P Action frame scheduling
* added support for EAP-SIM/AKA using anonymous@realm identity
* fixed Hotspot 2.0 credential selection based on roaming consortium to ignore credentials without a specific EAP method
* added experimental support for EAP-TEAP peer (RFC 7170)
* added experimental support for EAP-TLS peer with TLS v1.3
* fixed a regression in WMM parameter configuration for a TDLS peer
* fixed a regression in operation with drivers that offload 802.1X 4-way handshake
* fixed an ECDH operation corner case with OpenSSL

MFC after: 1 week
Security: https://w1.fi/security/2019-6/\
sae-eap-pwd-side-channel-attack-update.txt
|
#
4bc52338 |
|
22-Apr-2019 |
Cy Schubert <cy@FreeBSD.org> |
MFV r346563: Update wpa_supplicant/hostapd 2.7 --> 2.8

Upstream documents the following advisories:
- https://w1.fi/security/2019-1/sae-side-channel-attacks.txt
- https://w1.fi/security/2019-2/eap-pwd-side-channel-attack.txt
- https://w1.fi/security/2019-3/sae-confirm-missing-state-validation.txt
- https://w1.fi/security/2019-4/eap-pwd-missing-commit-validation.txt
- https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-\
  with-unexpected-fragment.txt

Relnotes: yes
MFC after: 1 week (or less)
Security: CVE-2019-9494, VU#871675, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497, CVE-2019-9498, CVE-2019-9499
|
#
cdba33f2 |
|
21-Aug-2018 |
Cy Schubert <cy@FreeBSD.org> |
For CID 1394785, add a comment explaining that global->event_buf is not really a char * but a struct rt_msghdr *. MFC after: 3 days |
#
780fb4a2 |
|
11-Jul-2018 |
Cy Schubert <cy@FreeBSD.org> |
MFV r324714: Update wpa 2.5 --> 2.6. MFC after: 1 month
|
#
ce276fe2 |
|
26-Nov-2015 |
Adrian Chadd <adrian@FreeBSD.org> |
[wpa] use IFM_IEEE80211_ADHOC for now on FreeBSD for IBSS operation. PR: bin/203086 Submitted by: avos |
#
7424f50f |
|
26-Nov-2015 |
Adrian Chadd <adrian@FreeBSD.org> |
[wpa] bring up interface in ap_mode=2 This is required for WPA-NONE operation. PR: bin/203086 Submitted by: avos@ |
#
e1f2d1f3 |
|
25-Nov-2015 |
Adrian Chadd <adrian@FreeBSD.org> |
[wpa] handle IBSS mediatype. same as the previous commit to ifconfig - handle a mediatype of IBSS without failing/complaining. Internally inside wpa_s things treat IBSS/ADHOC as equivalent. |
#
325151a3 |
|
18-Oct-2015 |
Rui Paulo <rpaulo@FreeBSD.org> |
Update hostapd/wpa_supplicant to version 2.5. Tested by several people on current@/wireless@. Relnotes: yes
|
#
5b9c547c |
|
20-Apr-2015 |
Rui Paulo <rpaulo@FreeBSD.org> |
Merge wpa_supplicant/hostapd 2.4. Major changes are: SAE, Suite B, RFC 7268, EAP-PKE, ACS, and tons of bug fixes. Relnotes: yes
|
#
6f51bc45 |
|
29-Mar-2014 |
Rui Paulo <rpaulo@FreeBSD.org> |
Enable all cryptocaps because net80211 can do software encryption. MFC after: 1 week |
#
f05cddf9 |
|
04-Jul-2013 |
Rui Paulo <rpaulo@FreeBSD.org> |
Merge hostapd / wpa_supplicant 2.0. Reviewed by: adrian (driver_bsd + usr.sbin/wpa)
|
#
4f95cb6e |
|
14-Jun-2010 |
Rui Paulo <rpaulo@FreeBSD.org> |
Remove unused files. |
#
3157ba21 |
|
14-Jun-2010 |
Rui Paulo <rpaulo@FreeBSD.org> |
MFV hostapd & wpa_supplicant 0.6.10.
|