path: root/security/wpa_supplicant
Commit log (each entry: subject, author, date, files changed, lines -removed/+added, followed by the commit message)
* */*: Restore non-IBSS part of wpa patches (Cy Schubert, 2022-06-09, 2 files, -1/+24)
  b8477825c2dc42f6c595697a36f593c71f39fbad removed some non-IBSS patches. Restore them. We only want to remove the patches that make IBSS use ADHOC mode.
  Fixes: b8477825c2dc42f6c595697a36f593c71f39fbad

* */*: FreeBSD's WPA does support IBSS mode (Cy Schubert, 2022-06-09, 2 files, -40/+1)
  FreeBSD's WPA does support IBSS mode. Remove the hack that forces ADHOC mode when IBSS is requested.

* */{wpa_supplicant*,hostapd*}: Fix wpa 100% CPU when USB wlan NIC removed (Cy Schubert, 2022-04-16, 2 files, -2/+36)
  hostapd calls pcap_next(3) to read the next packet off the wlan interface. pcap_next() returns a pointer to the packet header but does not indicate success or failure. Unfortunately this results in an infinite loop (100% CPU) when the wlan device disappears, i.e. when a USB wlan device is manually removed or a USB error results in the device removal. However pcap_next_ex(3) does return success or failure. To resolve this we use pcap_next_ex(), forcing hostapd to exit when the error is encountered. An error message is printed to syslog or stderr when debugging (-d flag) is enabled. Unfortunately wpa_printf() only works when debugging is enabled.
  PR: 253608
  Reported by: Damjan Jovanovic <damjan.jov@gmail.com>, bz (privately)
  MFH: 2022Q2

* */*: Fix wpa_supplicant* and hostapd* EAPOL_TEST build (Cy Schubert, 2022-01-31, 1 file, -17/+0)
  Fix EAPOL_TEST build. Local function os_fdatasync() is valid under FreeBSD as fdatasync(2) is supported.
  PR: 261636
  Reported by: David Siebörger <drs-freebsd@sieborger.nom.za>
  MFH: 2022Q1

* security/wpa_supplicant: Update to 2.10 (Cy Schubert, 2022-01-17, 7 files, -87/+59)
  The long awaited hostapd 2.10 is finally here.
* */*: Sync hostapd* and wpa_supplicant* with base ce276fe26d92010776 (Cy Schubert, 2021-06-14, 2 files, -3/+18)
  Use IFM_IEEE80211_ADHOC for now on FreeBSD for IBSS operation. Base commit by adrian@ on Nov 26, 2015. This commit syncs ports with base.
  PR: 203086
  Submitted by: avos
  MFH: 2020Q2

* One more small cleanup, forgotten yesterday. (Mathieu Arnold, 2021-04-07, 1 file, -1/+0)
  Reported by: lwhsu

* all: Remove all other $FreeBSD keywords. (Mathieu Arnold, 2021-04-06, 1 file, -3/+0)

* Remove # $FreeBSD$ from Makefiles. (Mathieu Arnold, 2021-04-06, 1 file, -1/+0)
* security/wpa_supplicant: fix for P2P provision vulnerability (Cy Schubert, 2021-03-17, 2 files, -4/+8)
  Latest version available from: https://w1.fi/security/2021-1/

  Vulnerability
  A vulnerability was discovered in how wpa_supplicant processes P2P (Wi-Fi Direct) provision discovery requests. Under a corner case condition, an invalid Provision Discovery Request frame could end up reaching a state where the oldest peer entry needs to be removed. With a suitably constructed invalid frame, this could result in use (read+write) of freed memory. This can result in an attacker within radio range of the device running P2P discovery being able to cause unexpected behavior, including termination of the wpa_supplicant process and potentially code execution.

  Vulnerable versions/configurations
  wpa_supplicant v1.0-v2.9 with CONFIG_P2P build option enabled
  An attacker (or a system controlled by the attacker) needs to be within radio range of the vulnerable system to send a set of suitably constructed management frames that trigger the corner case to be reached in the management of the P2P peer table.

  Note: The P2P option is not default.

  MFH: 2021Q1
  Security: https://w1.fi/security/2021-1/wpa_supplicant-p2p-provision-discovery-processing-vulnerability.txt
  Notes: svn path=/head/; revision=568629

* Disable NDIS by default. (Cy Schubert, 2021-01-26, 1 file, -3/+3)
  From src/bfc99943b04b46a6c1c885ce7bcc6f235b7422aa (brooks):
  ndis(4) was a clever idea in the early 2000's when the market was flooded with 10/100 NICs with Windows-only drivers, but that hasn't been the case for ages and the driver has had no meaningful maintenance in ages. It only supports Windows-XP era drivers.
  Therefore NDIS has been removed from 14-CURRENT. Those who still want or need NDIS on older supported versions of FreeBSD can still enable the options and rebuild the port.
  Notes: svn path=/head/; revision=562996

* This is the ports version of src commit (Cy Schubert, 2021-01-20, 2 files, -2/+11)
  d70886d063166786ded0007af8cdcbf57b7b4827.
  wpa_supplicant uses PF_ROUTE to return the routing table in order to determine the length of the routing table buffer. As of 81728a538d24 wpa_supplicant is started before the routing table has been populated resulting in the length of zero to be returned. This causes wpa_supplicant to loop endlessly. (The workaround is to kill and restart wpa_supplicant as by the time it is restarted the routing table is populated.)
  (Personally, I was not able to reproduce this unless wlan0 was a member of lagg0. However, others experienced this problem on standalone wlan0.)
  PR: 252844
  Submitted by: shu <ankohuu _ outlook.com>
  Reported by: shu <ankohuu _ outlook.com>
  Reviewed by: cy
  Differential Revision: https://reviews.freebsd.org/D28249
  Notes: svn path=/head/; revision=562150
* Fix build on llvm10 and gcc. (Cy Schubert, 2021-01-12, 1 file, -2/+4)
  PR: 252577
  Reported by: David Sieborger <drs-freebsd _ sieborger.nom.za>
  MFH: 2021Q1
  Notes: svn path=/head/; revision=561297

* Add SIM_SIMULATOR and USIM_SIMULATOR options. (Cy Schubert, 2020-12-30, 1 file, -1/+10)
  SIM_SIMULATOR and USIM_SIMULATOR options enable features that are used for testing EAP-AKA and EAP-SIM authentication.
  PR: 252276
  Submitted by: Terry Burton <tez _ terryburton.co.uk>
  Notes: svn path=/head/; revision=559640

* Fix LLVM11 build. (Cy Schubert, 2020-12-30, 1 file, -0/+10)
  According to https://reviews.llvm.org/D75758, some software may require a pragma.
  Notes: svn path=/head/; revision=559639

* add MATCH option for CONFIG_MATCH_IFACE. (Cy Schubert, 2020-06-26, 1 file, -3/+7)
  PR: 247177
  Submitted by: greg@unrelenting.technology
  Reported by: greg@unrelenting.technology
  Tested by: swills
  Notes: svn path=/head/; revision=540412
* UPnP SUBSCRIBE misbehavior in hostapd WPS AP (Cy Schubert, 2020-06-09, 3 files, -7/+28)
  As published by our hostapd upstream

  Vulnerability
  General security vulnerability in the way the callback URLs in the UPnP SUBSCRIBE command are used were reported (VU#339275, CVE-2020-12695). Some of the described issues may be applicable to the use of UPnP in WPS AP mode functionality for supporting external registrars.
  Such issues could allow a device connected to the local network (i.e., a device that has been authorized to transmit packets in the network in which the AP is located) to trigger the AP to initiate a HTTP (TCP/IP) connection to an arbitrary URL, including connections to servers in external networks. This could have a security implication if traffic from the local network to external destinations have different rules (e.g., firewall and packet inspection) for different local hosts and the AP having access to external hosts while the attacker controlled local device not having such access. Such deployment cases may not be common for networks where WPS would be enabled, but it is not possible to completely rule out the applicability to cases where hostapd is used to control a WPS enabled AP.
  In addition to the more generic issues with the UPnP protocol, a couple of implementation specific issues in hostapd were discovered while reviewing this area of the WPS implementation. These issues could allow local devices (i.e., devices that have been authorized to transmit packets in the network in which the AP is located) to trigger misbehavior in hostapd and cause the process to either get terminated or to start using more CPU resources by using a specially constructed SUBSCRIBE command.
  All these issues require the attacker to be able to discover the UPnP service provided by hostapd and to open a TCP connection toward the IP address of the AP. The former requires access to the local network to be able to receive broadcast packets and the latter requires access to initiate TCP/IP connection to the IP address used by the AP. In most common AP deployment cases, both of these operations are available only from the local network.

  Vulnerable versions/configurations
  All hostapd versions with WPS AP support with UPnP enabled in the build parameters (CONFIG_WPS_UPNP=y) and in the runtime configuration (upnp_iface).

  Possible mitigation steps
  - Disable WPS UPnP support in the hostapd runtime configuration by removing the upnp_iface parameter.
  - Merge the following commits to hostapd and rebuild:
    For CVE-2020-12695: WPS UPnP: Do not allow event subscriptions with URLs to other networks
    For the other issues: WPS UPnP: Fix event message generation using a long URL path; WPS UPnP: Handle HTTP initiation failures for events more properly
    These patches are available from https://w1.fi/security/2020-1/
  - Update to hostapd v2.10 or newer, once available

  Obtained from: https://w1.fi/security/2020-1/
  MFH: 2020Q2
  Security: VU#339275 and CVE-2020-12695
  Notes: svn path=/head/; revision=538281

* Chase src r361272: (Cy Schubert, 2020-05-20, 2 files, -1/+25)
  Silence the once per second CTRL-EVENT-SCAN-FAILED errors when the WiFi radio is disabled through the communication device toggle key (also known as the RF radio kill button). Only the CTRL-EVENT-DISCONNECTED will be issued.
  Submitted by: avg
  Reported by: avg
  MFH: 2020Q2
  Notes: svn path=/head/; revision=535967
* security/wpa_supplicant: Simplify @comment logic by using OPTIONS_SUB (Craig Leres, 2020-04-22, 1 file, -6/+1)
  PR: 245809
  Approved by: cy (maintainer)
  Notes: svn path=/head/; revision=532510

* security/wpa_supplicant: Add EAPOL_TEST option (Craig Leres, 2020-04-22, 4 files, -6/+85)
  Add an option to build and install the eapol_test program. Update/patch to solve new compilation errors that result with the option enabled.
  Note: Leaving the changes to Packet32.c out of the PR patch set as it is not needed.
  PR: 245809
  Approved by: cy (maintainer)
  Notes: svn path=/head/; revision=532442

* Fix poudriere builds. (Cy Schubert, 2020-04-01, 1 file, -2/+2)
  Notes: svn path=/head/; revision=530188

* All other non-exclusive options should be default. (Cy Schubert, 2020-03-30, 1 file, -2/+4)
  PR: 245099
  Reported by: koobs
  Notes: svn path=/head/; revision=529854

* Add DBUS option. (Cy Schubert, 2020-03-30, 1 file, -2/+21)
  PR: 245099
  Submitted by: greg at unrelenting.technology
  Notes: svn path=/head/; revision=529853

* Add two new selectable options which allow the user to build (Cy Schubert, 2020-01-22, 1 file, -2/+6)
  wpa_supplicant to parity with the same in base. The new options, which are enabled in base are:
    WPS_UPNP_DESC: Universal Plug and Play
    IEEE8021X_EAPOL_DESC: EAP over LAN support
  Notes: svn path=/head/; revision=523762
* Update 2.8 --> 2.9 (Cy Schubert, 2019-08-22, 2 files, -4/+4)
  Notes: svn path=/head/; revision=509576

* Convert to UCL & cleanup pkg-message (categories s) (Mathieu Arnold, 2019-08-14, 1 file, -1/+6)
  Notes: svn path=/head/; revision=508909

* For users who build and install FreeBSD using WITHOUT_WIRELESS (Cy Schubert, 2019-06-17, 2 files, -0/+61)
  simply altering /etc/rc.conf isn't enough to make use of the ports versions of hostapd and wpa_supplicant. This is because the rc.d scripts are not installed when WITHOUT_WIRELESS is specified as a build option.
  This patch checks for the rc scripts existence and if they do not exist, installs the ports versions of the same scripts, which are added by this revision.
  This patch does not change the package in any way and there is no way to enable this outside of removal of hostapd or wpa_supplicant (depending on the port). Users who build their own world using the WITHOUT_WIRELESS flag will almost always not use binary packages. Hence the automatic detection and install of the rc scripts. Making this an option would IMO increase the number of bug reports due to people inadvertently setting or not setting an option.
  To enable this a person must:
  1. buildworld and installworld -DWITHOUT_WIRELESS
  2. Build and install the desired wpa_supplicant and/or hostapd port on servers one wishes to install them on.
  PR: 238571
  Notes: svn path=/head/; revision=504433

* Completely remove a "nullfied" ifdef rather than making the code (Cy Schubert, 2019-05-16, 1 file, -7/+12)
  unreachable. Though this is only a cosmetic change it syncs the port with base commit r347642, making it easier to compare the two when diagnosing problems in one or the other.
  This was discovered tonight while reviewing some code following my discussion regarding an issue lwhsu@ was having earlier today.
  Notes: svn path=/head/; revision=501765

* Remove the gratuitous redefinition of MIN to MINAB. This brings the (Cy Schubert, 2019-05-16, 1 file, -32/+0)
  port in greater sync with base.
  Notes: svn path=/head/; revision=501764
* Resolve the following error discovered in DEVELOPER mode. (Cy Schubert, 2019-05-16, 1 file, -7/+7)
  These options name have characters outside of [-_A-Z0-9]: IKEv2 MSCHAPv2
  Notes: svn path=/head/; revision=501763

* Remove the pleonastic initialization and test for eloop_initialized. (Cy Schubert, 2019-05-16, 1 file, -28/+0)
  This change has no functional effect on the resulting package therefore a PORTREVISION bump is not necessary.
  Discovered while discussing wpa_supplicant with lwhsu@ today.
  Notes: svn path=/head/; revision=501762

* Update wpa_supplicant/hostapd 2.7 --> 2.8 (Cy Schubert, 2019-04-22, 2 files, -5/+4)
  Notes: svn path=/head/; revision=499654

* Update devel/readline to 8.0 (Sunpoet Po-Chuan Hsieh, 2019-04-09, 1 file, -0/+1)
  - Bump PORTREVISION of dependent ports for shlib change
  Changes: https://tiswww.case.edu/php/chet/readline/CHANGES
  PR: 236156
  Exp-run by: antoine
  Notes: svn path=/head/; revision=498476

* Add missing file that should have been in r486779. (Cy Schubert, 2018-12-06, 1 file, -0/+25)
  Notes: svn path=/head/; revision=486801

* Update 2.6 --> 2.7 (Cy Schubert, 2018-12-06, 6 files, -118/+17)
  Notes: svn path=/head/; revision=486779
* Pet portlint. (Cy Schubert, 2018-08-17, 1 file, -0/+2)
  Notes: svn path=/head/; revision=477405

* Switch to grouping of patches per site as suggested by mat@ in D16718. (Cy Schubert, 2018-08-17, 1 file, -11/+11)
  Reported by: mat@
  Notes: svn path=/head/; revision=477401

* WPA: Ignore unauthenticated encrypted EAPOL-Key data (Cy Schubert, 2018-08-14, 2 files, -4/+8)
  Ignore unauthenticated encrypted EAPOL-Key data in supplicant processing. When using WPA2, these are frames that have the Encrypted flag set, but not the MIC flag.
  When using WPA2, EAPOL-Key frames that had the Encrypted flag set but not the MIC flag, had their data field decrypted without first verifying the MIC. In case the data field was encrypted using RC4 (i.e., when negotiating TKIP as the pairwise cipher), this meant that unauthenticated but decrypted data would then be processed. An adversary could abuse this as a decryption oracle to recover sensitive information in the data field of EAPOL-Key messages (e.g., the group key). (CVE-2018-14526)
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
  Security: CVE-2018-14526
  Security: VuXML: 6bedc863-9fbe-11e8-945f-206a8a720317
  Notes: svn path=/head/; revision=477202

* Fix build with LibreSSL 2.7 (Cy Schubert, 2018-04-01, 2 files, -4/+23)
  PR: 227173
  Submitted by: brnrd@
  MFH: 2018Q3
  Notes: svn path=/head/; revision=466153

* Fix "make -s" by replacing ECHO with ECHO_CMD. (Cy Schubert, 2017-10-17, 1 file, -14/+14)
  PR: 223056
  Submitted by: Franco Fichtner <franco@opnsense.org>
  Notes: svn path=/head/; revision=452263
* This port is too important to be orphaned. (Cy Schubert, 2017-10-17, 1 file, -1/+1)
  Take maintainership and provide a good home.
  Notes: svn path=/head/; revision=452258

* Add patch set 2017-1 (Cy Schubert, 2017-10-16, 2 files, -2/+28)
  A vulnerability was found in how a number of implementations can be triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by replaying a specific frame that is used to manage the keys. Such reinstallation of the encryption key can result in two different types of vulnerabilities: disabling replay protection and significantly reducing the security of encryption to the point of allowing frames to be decrypted or some parts of the keys to be determined by an attacker depending on which cipher is used.
  Security: https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
  Security: https://www.krackattacks.com/
  MFH: 2017Q4
  Notes: svn path=/head/; revision=452250

* Use https site. (Cy Schubert, 2017-10-16, 1 file, -1/+1)
  MFH: 2017Q4
  Notes: svn path=/head/; revision=452249

* Update devel/readline to 7.0 patch 3 (Sunpoet Po-Chuan Hsieh, 2017-06-27, 1 file, -0/+1)
  - Bump PORTREVISION for shlib change
  Changes: https://cnswww.cns.cwru.edu/php/chet/readline/CHANGES
  https://lists.gnu.org/archive/html/bug-bash/2016-09/msg00107.html
  https://lists.gnu.org/archive/html/bug-readline/2017-01/msg00002.html
  Differential Revision: https://reviews.freebsd.org/D11172
  PR: 219947
  Exp-run by: antoine
  Notes: svn path=/head/; revision=444463

* Remove BROKEN_FreeBSD_9 (Sunpoet Po-Chuan Hsieh, 2017-01-01, 1 file, -6/+0)
  Approved by: portmgr (blanket)
  Notes: svn path=/head/; revision=430235
* security/wpa_supplicant: Allow users of FreeBSD 9 with libre- or openssl (Joseph Mingrone, 2016-12-25, 1 file, -4/+8)
  from ports to build the port.
  FreeBSD 9 is EOL in less than a week. Now those stragglers still running 9.3 can get online to update in the next few days.
  Approved by: AMDmi3 (mentor), swills (mentor)
  Differential Revision: https://reviews.freebsd.org/D8875
  Notes: svn path=/head/; revision=429390

* - Unbreak on 10.x+ (Dmitry Marakasov, 2016-12-20, 1 file, -1/+1)
  Reported by: marino
  Notes: svn path=/head/; revision=429033

* - Mark BROKEN: does not build (undefined reference to `get_ie') (Dmitry Marakasov, 2016-12-19, 1 file, -0/+2)
  Notes: svn path=/head/; revision=428933

* security/wpa_supplicant: Update to version 2.6 and patch for LibreSSL support (Joseph Mingrone, 2016-11-17, 15 files, -613/+76)
  Port changes:
  - Remove patches that have been incorporated upstream
  - Add patches for LibreSSL support
  Approved by: AMDmi3 (mentor)
  Differential Revision: https://reviews.freebsd.org/D8451
  Notes: svn path=/head/; revision=426292

* - Add LICENSE (Dmitry Marakasov, 2016-11-11, 1 file, -8/+13)
  - Verbosify build
  - Switch to options helpers
  Notes: svn path=/head/; revision=425896