History log of /freebsd-current/contrib/wpa/src/drivers/driver_bsd.c
Revision Date Author Comments
# 491938d7 16-Apr-2024 Adrian Chadd <adrian@FreeBSD.org>

wpa: Remove the now not-needed local logic to hard-code cipher support

A previous commit now exposes the supported net80211 ciphers for the
given NIC, rather than the hardware cipher list. This is going to be
especially important moving forward when we add more cipher and key
management support.

Differential Revision: https://reviews.freebsd.org/D44821


# bfb202c4 23-Mar-2023 Bjoern A. Zeeb <bz@FreeBSD.org>

WPA: driver_bsd.c: backout upstream IFF_ change and add logging

This reverts the state to our old supplicant logic setting or clearing
IFF_UP if needed. In addition this adds logging for the cases in which
we do (not) change the interface state.

Depending on testing this seems to help bringing WiFi up or not log
any needed changes (which would be the expected wpa_supplicant logic
now). People should look out for ``(changed)`` log entries (at least
if debugging the issue; this way we will at least have data points).

There is a hypothesis still pondered that the entire IFF_UP toggling
only exploits a race in net80211 (see further discussions for more
debugging and alternative solutions see D38508 and D38753).
That may also explain why the changes to the rc startup script [1]
only helped partially for some people to no longer see the
continuous CTRL-EVENT-SCAN-FAILED.

It is highly likely that we will want further changes and until
we know for sure that people are seeing ''(changed)'' events
this should stay local. Should we need to upstream this we'll
likely need #ifdef __FreeBSD__ around this code.

[1] 5fcdc19a81115d975e238270754e28557a2fcfc5 and
d06d7eb09131edea666bf049d6c0c55672726f76

Sponsored by: The FreeBSD Foundation
MFC after: 10 days
Reviewed by: cy, enweiwu (earlier)
Differential Revision: https://reviews.freebsd.org/D38807


# 775611ea 02-Jul-2022 J.R. Oldroyd <fbsd@opal.com>

wpa_supplicant: Resolve secondary VAP association issue

Association will fail on a secondary open unprotected VAP when the
primary VAP is configured for WPA. Examples of secondary VAPs are
hotels, universities, and commodity routers' guest networks.

A broadly similar bug was discussed on Red Hat's bugzilla affecting
association to a D-Link DIR-842.

This suggests that as IEs were added to the 802.11 protocol the old code
was increasingly inadequate to handle the additional IEs, not only a
secondary VAP.

PR: 264238
Reported by: Jaskie <jiangjun12321@gmail.com>
"J.R. Oldroyd" <fbsd@opal.com>
Submitted by: "J.R. Oldroyd" <fbsd@opal.com>
MFC after: 3 days


# 3b295678 20-Jun-2022 Cy Schubert <cy@FreeBSD.org>

wpa: Restore missing patch

In December after a failed MFV due to a now understood issue I had with
git -- git aborts with extremely large MFV -- this patch was removed
during the revert. Restore this patch.

PR: 264238
Fixes: 4b72b91a7132df1f77bbae194e1071ac621f1edb
MFC after: 1 week


# c1d255d3 03-Sep-2021 Cy Schubert <cy@FreeBSD.org>

wpa: Import wpa_supplicant/hostapd commits up to b4f7506ff

Merge vendor commits 40c7ff83e74eabba5a7e2caefeea12372b2d3f9a,
efec8223892b3e677acb46eae84ec3534989971f, and
2f6c3ea9600b494d24cac5a38c1cea0ac192245e.

Tested by: philip
MFC after: 2 months


# d70886d0 20-Jan-2021 Cy Schubert <cy@FreeBSD.org>

wpa_supplicant uses PF_ROUTE to return the routing table in order to
determine the length of the routing table buffer. As of 81728a538d24
wpa_supplicant is started before the routing table has been populated
resulting in the length of zero to be returned. This causes
wpa_supplicant to loop endlessly. (The workaround is to kill and restart
wpa_supplicant as by the time it is restarted the routing table is
populated.)

(Personally, I was not able to reproduce this unless wlan0 was a member of
lagg0. However, others experienced this problem on standalone wlan0.)

PR: 252844
Submitted by: shu <ankohuu _ outlook.com>
Reported by: shu <ankohuu _ outlook.com>
Reviewed by: cy
X-MFC with: 81728a538d24f483d0986850fa3f51d5d84d8f26
Differential Revision: https://reviews.freebsd.org/D28249

# 2ecd01c7 19-May-2020 Cy Schubert <cy@FreeBSD.org>

Silence the once per second CTRL-EVENT-SCAN-FAILED errors when the WiFi
radio is disabled through the communication device toggle key (also known
as the RF radio kill button). Only the CTRL-EVENT-DISCONNECTED will be
issued.

Submitted by: avg
Reported by: avg
MFC after: 1 week

# 206b73d0 22-Aug-2019 Cy Schubert <cy@FreeBSD.org>

MFV r346563:

Update wpa 2.8 --> 2.9

hostapd:
* SAE changes
- disable use of groups using Brainpool curves
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* EAP-pwd changes
- disable use of groups using Brainpool curves
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* fixed FT-EAP initial mobility domain association using PMKSA caching
* added configuration of airtime policy
* fixed FILS to add RSNE into (Re)Association Response frames
* fixed DPP bootstrapping URI parser of channel list
* added support for regulatory WMM limitation (for ETSI)
* added support for MACsec Key Agreement using IEEE 802.1X/PSK
* added experimental support for EAP-TEAP server (RFC 7170)
* added experimental support for EAP-TLS server with TLS v1.3
* added support for two server certificates/keys (RSA/ECC)
* added AKMSuiteSelector into "STA <addr>" control interface data to
determine which AKM was used for an association
* added eap_sim_id parameter to allow EAP-SIM/AKA server pseudonym and
fast reauthentication use to be disabled
* fixed an ECDH operation corner case with OpenSSL

wpa_supplicant:
* SAE changes
- disable use of groups using Brainpool curves
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* EAP-pwd changes
- disable use of groups using Brainpool curves
- allow the set of groups to be configured (eap_pwd_groups)
- improved protection against side channel attacks
[https://w1.fi/security/2019-6/]
* fixed FT-EAP initial mobility domain association using PMKSA caching
(disabled by default for backwards compatibility; can be enabled
with ft_eap_pmksa_caching=1)
* fixed a regression in OpenSSL 1.1+ engine loading
* added validation of RSNE in (Re)Association Response frames
* fixed DPP bootstrapping URI parser of channel list
* extended EAP-SIM/AKA fast re-authentication to allow use with FILS
* extended ca_cert_blob to support PEM format
* improved robustness of P2P Action frame scheduling
* added support for EAP-SIM/AKA using anonymous@realm identity
* fixed Hotspot 2.0 credential selection based on roaming consortium
to ignore credentials without a specific EAP method
* added experimental support for EAP-TEAP peer (RFC 7170)
* added experimental support for EAP-TLS peer with TLS v1.3
* fixed a regression in WMM parameter configuration for a TDLS peer
* fixed a regression in operation with drivers that offload 802.1X
4-way handshake
* fixed an ECDH operation corner case with OpenSSL

MFC after: 1 week
Security: https://w1.fi/security/2019-6/\
sae-eap-pwd-side-channel-attack-update.txt


# 4bc52338 22-Apr-2019 Cy Schubert <cy@FreeBSD.org>

MFV r346563:

Update wpa_supplicant/hostapd 2.7 --> 2.8

Upstream documents the following advisories:

- https://w1.fi/security/2019-1/sae-side-channel-attacks.txt
- https://w1.fi/security/2019-2/eap-pwd-side-channel-attack.txt
- https://w1.fi/security/2019-3/sae-confirm-missing-state-validation.txt
- https://w1.fi/security/2019-4/eap-pwd-missing-commit-validation.txt
- https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-\
with-unexpected-fragment.txt

Relnotes: yes
MFC after: 1 week (or less)
Security: CVE-2019-9494, VU#871675, CVE-2019-9495, CVE-2019-9496,
CVE-2019-9497, CVE-2019-9498, CVE-2019-9499


# cdba33f2 21-Aug-2018 Cy Schubert <cy@FreeBSD.org>

For CID 1394785, add a comment explaining that global->event_buf is
not really a char * but a struct rt_msghdr *.

MFC after: 3 days

# 780fb4a2 11-Jul-2018 Cy Schubert <cy@FreeBSD.org>

MFV r324714:

Update wpa 2.5 --> 2.6.

MFC after: 1 month


# ce276fe2 26-Nov-2015 Adrian Chadd <adrian@FreeBSD.org>

[wpa] use IFM_IEEE80211_ADHOC for now on FreeBSD for IBSS operation.

PR: bin/203086
Submitted by: avos

# 7424f50f 26-Nov-2015 Adrian Chadd <adrian@FreeBSD.org>

[wpa] bring up interface in ap_mode=2

This is required for WPA-NONE operation.

PR: bin/203086
Submitted by: avos@

# e1f2d1f3 25-Nov-2015 Adrian Chadd <adrian@FreeBSD.org>

[wpa] handle IBSS mediatype.

Same as the previous commit to ifconfig - handle a mediatype of IBSS
without failing/complaining.

Internally inside wpa_s things treat IBSS/ADHOC as equivalent.

# 325151a3 18-Oct-2015 Rui Paulo <rpaulo@FreeBSD.org>

Update hostapd/wpa_supplicant to version 2.5.

Tested by several people on current@/wireless@.

Relnotes: yes


# 5b9c547c 20-Apr-2015 Rui Paulo <rpaulo@FreeBSD.org>

Merge wpa_supplicant/hostapd 2.4.

Major changes are: SAE, Suite B, RFC 7268, EAP-PKE, ACS, and tons of
bug fixes.

Relnotes: yes


# 6f51bc45 29-Mar-2014 Rui Paulo <rpaulo@FreeBSD.org>

Enable all cryptocaps because net80211 can do software encryption.

MFC after: 1 week

# f05cddf9 04-Jul-2013 Rui Paulo <rpaulo@FreeBSD.org>

Merge hostapd / wpa_supplicant 2.0.

Reviewed by: adrian (driver_bsd + usr.sbin/wpa)


# 4f95cb6e 14-Jun-2010 Rui Paulo <rpaulo@FreeBSD.org>

Remove unused files.

# 3157ba21 14-Jun-2010 Rui Paulo <rpaulo@FreeBSD.org>

MFV hostapd & wpa_supplicant 0.6.10.

