non port: security/wpa_supplicant/Makefile

Number of commits found: 80

Wednesday, 29 Nov 2023
16:18 Cy Schubert (cy)
security/wpa_supplicant*: ctrl_iface set sendbuf size

In order to avoid running into the default net.local.dgram.maxdgram
of 2K currently when calling sendto(2) try to set the sndbuf size to
the maximum ctrl message size.
The problem occurred, e.g., when the scan_list result had enough BSSIDs
so the text output would exceed 2048 bytes.

Written by:	bz
PR:		274990
Obtained from:	https://reviews.freebsd.org/D42558
commit hash: 60c99d3a93081cc603e104c0e6c9fe389e774657
Tuesday, 12 Sep 2023
05:51 Cy Schubert (cy); Author: R. Christian McDonald
security/wpa_supplicant: wpa: Enable receiving priority tagged (VID 0) frames

Certain internet service providers transmit vlan 0 priority tagged
EAPOL frames from the ONT towards the residential gateway. VID 0
should be ignored, and the frame processed according to the priority
set in the 802.1P bits and the encapsulated EtherType (i.e. EAPOL).

The pcap filter utilized by l2_packet is inadequate for this use case.

Here we modify the pcap filter to accept both unencapsulated and
encapsulated (with VLAN 0) EAPOL EtherTypes. This preserves the
original filter behavior while also matching on encapsulated EAPOL.

Sponsored by:   Rubicon Communications, LLC ("Netgate")
Reviewed by:    cy
Obtained from:	src bb5d6d14d81b
PR:		273696
MFH:		2023Q3
commit hash: 3a88706af1e87ff0bd2857398137194da462c85c
05:51 Cy Schubert (cy)
security/wpa_supplicant: Fix uninitialized packet pointer on error

The packet pointer (called packet) will remain uninitialized when
pcap_next_ex() returns an error. This occurs when the wlan
interface is shut down using ifconfig destroy. Adding a NULL
assignment to packet duplicates what pcap_next() does.

The reason we use pcap_next_ex() in this instance is because with
pcap_next() when we receive a null pointer if there was an error
or if no packets were read. With pcap_next_ex() we can differentiate
between an error and legitimately no packets were received.

PR:             270649, 273696
Obtained from:	src 953efa5b200f
Reported by:    Robert Morris <rtm@lcs.mit.edu>
MFH:		2023Q3
commit hash: 89484a70b0d26f483df30e43945b22a0df1be941
05:50 Cy Schubert (cy)
security/wpa_supplicant: driver_bsd.c: backout upstream IFF_ change and add
logging

This reverts the state to our old supplicant logic setting or clearing
IFF_UP if needed.  In addition this adds logging for the cases in which
we do (not) change the interface state.

Depending on testing this seems to help bringing WiFi up or not log
any needed changes (which would be the expected wpa_supplicant logic
now).  People should look out for ``(changed)`` log entries (at least
if debugging the issue; this way we will at least have data points).

There is a hypothesis still pondered that the entire IFF_UP toggling
only exploits a race in net80211 (see further discussions for more
debugging and alternative solutions see D38508 and D38753).
That may also explain why the changes to the rc startup script [1]
only helped partially for some people to no longer see the
continuous CTRL-EVENT-SCAN-FAILED.

It is highly likely that we will want further changes and until
we know for sure that people are seeing ''(changed)'' events
this should stay local.  Should we need to upstream this we'll
likely need #ifdef __FreeBSD__ around this code.

Obtained from:	src bfb202c4554a
PR:		273696
MFH:		2023Q3
commit hash: bf01744fb255852b2aed16b80e50cb76c35f19d4
Wednesday, 28 Jun 2023
02:31 Cy Schubert (cy)
security/wpa_supplicant: Fix for OpenSSL 3.0
commit hash: 2a8cee7837ab1a35168eb37cf5a95501b770047f
Wednesday, 7 Sep 2022
21:10 Stefan Eßer (se)
Add WWW entries to port Makefiles

It has been common practice to have one or more URLs at the end of the
ports' pkg-descr files, one per line and prefixed with "WWW:". These
URLs should point at a project website or other relevant resources.

Access to these URLs required processing of the pkg-descr files, and
they have often become stale over time. If more than one such URL was
present in a pkg-descr file, only the first one was transferred into
the port INDEX, but for many ports only the last line did contain the
port specific URL to further information.

There have been several proposals to make a project URL available as
a macro in the ports' Makefiles, over time.

This commit implements such a proposal and moves one of the WWW: entries
of each pkg-descr file into the respective port's Makefile. A heuristic
attempts to identify the most relevant URL in case there is more than
one WWW: entry in some pkg-descr file. URLs that are not moved into the
Makefile are prefixed with "See also:" instead of "WWW:" in the pkg-descr
files in order to preserve them.

There are 1256 ports that had no WWW: entries in pkg-descr files. These
ports will not be touched in this commit.

The portlint port has been adjusted to expect a WWW entry in each port
Makefile, and to flag any remaining "WWW:" lines in pkg-descr files as
deprecated.

Approved by:		portmgr (tcberner)
commit hash: b7f05445c00f2625aa19b4154ebcbce5ed2daa52
Sunday, 3 Jul 2022
21:33 Cy Schubert (cy); Author: J.R. Oldroyd
wpa_supplicant* hostapd*: Resolve secondary VAP association issue

Association will fail on a secondary open unprotected VAP when the
primary VAP is configured for WPA. Examples of secondary VAPs are,
hotels, universities, and commodity routers' guest networks.

A broadly similar bug was discussed on Red Hat's bugzilla affecting
association to a D-Link DIR-842.

This suggests that as IEs were added to the 802.11 protocol the old code
was increasingly inadequate to handle the additional IEs, not only a
secondary VAP.

This duplicates src commit 775611ea11db here in ports.

PR:             264238
Reported by:    Jaskie <jiangjun12321@gmail.com>
                "J.R. Oldroyd" <fbsd@opal.com>
Submitted by:   "J.R. Oldroyd" <fbsd@opal.com>
MFH:      	2022Q3
commit hash: b3916c7a8d2599e99fabdc1735b095ff5a9f9381
21:33 Cy Schubert (cy)
security/wpa_supplicant-devel: Enable WEP by default

As of hostap 2.10, WEP is disabled by default. This of course is not a
bad thing but requires some planning and an announcement to remove WEP
support by default. At some point this option will default to off, to
coincide with the removal of WEP support from FreeBSD base.

MFH:		2022Q3
commit hash: fb0e9b4ce90da94c2943639f3588d25c76778a31
Monday, 20 Jun 2022
14:29 Cy Schubert (cy)
*/*: Restore a missing wpa BSD driver patch

These patches were removed to sync with base where in fact base was
missing these patches and base should have been synced with the ports.

PR:		264238
Fixes:		b8477825c2dc42f6c595697a36f593c71f39fbad
		c86f32d652eb9dd023049122d8ca37cb13ed07b6
MFH:		2022Q2
commit hash: 05a849eec9d949b3de32e464570cefbabcd64702
Thursday, 9 Jun 2022
21:58 Cy Schubert (cy)
*/*: Restore non-IBSS part of wpa patches

b8477825c2dc42f6c595697a36f593c71f39fbad removed some non-IBSS patches.
Restore them. We only want to remove the patches that make IBSS use
ADHOC mode.

Fixes:		b8477825c2dc42f6c595697a36f593c71f39fbad
commit hash: c86f32d652eb9dd023049122d8ca37cb13ed07b6
20:41 Cy Schubert (cy)
*/*: FreeBSD's WPA does support IBSS mode

FreeBSD's WPA does support IBSS mode. Remove the hack that forces ADHOC
mode when IBSS is requested.
commit hash: b8477825c2dc42f6c595697a36f593c71f39fbad
Saturday, 16 Apr 2022
15:55 Cy Schubert (cy)
*/{wpa_supplicant*,hostapd*}: Fix wpa 100% CPU when USB wlan NIC removed

hostapd calls pcap_next(3) to read the next packet off the wlan interface.
pcap_next() returns a pointer to the packet header but does not indicate
success or failure. Unfortunately this results in an infinite loop (100%
CPU) when the wlan device disappears, i.e. when a USB wlan device is
manually removed or a USB error results in the device removal. However
pcap_next_ex(3) does return success or failure. To resolve this we use
pcap_next_ex(), forcing hostapd to exit when the error is encountered.

An error message is printed to syslog or stderr when debugging (-d flag)
is enabled. Unfortunately wpa_printf() only works when debugging is enabled.

PR:		253608
Reported by:	Damjan Jovanovic <damjan.jov@gmail.com>,
		bz (privately)
MFH:		2022Q2
commit hash: c586ac04eb662dea00ab81b226fa3e41a5110b21
Monday, 17 Jan 2022
17:00 Cy Schubert (cy)
security/wpa_supplicant: Update to 2.10

The long awaited hostapd 2.10 is finally here.
commit hash: d3564c5610c4d94d97971a6b7e45a7c3e45454ee
Monday, 14 Jun 2021
16:04 Cy Schubert (cy)
*/*: Sync hostapd* and wpa_supplicant* with base ce276fe26d92010776

Use IFM_IEEE80211_ADHOC for now on FreeBSD for IBSS operation.

Base commit by adrian@ on Nov 26, 2015.

This commit syncs ports with base.

PR:		203086
Submitted by:	avos
MFH:		2020Q2
commit hash: ed47e1ecc5db5576f6a2d4a47e083b2366bd65cc
Wednesday, 7 Apr 2021
08:09 Mathieu Arnold (mat)
One more small cleanup, forgotten yesterday.
Reported by:	lwhsu
commit hash: cf118ccf875508b9a1c570044c93cfcc82bd455c
Tuesday, 6 Apr 2021
14:31 Mathieu Arnold (mat)
Remove # $FreeBSD$ from Makefiles.
commit hash: 305f148f482daf30dcf728039d03d019f88344eb
Wednesday, 17 Mar 2021
02:32 cy
security/wpa_supplicant: fix for P2P provision vulnerability

Latest version available from: https://w1.fi/security/2021-1/

Vulnerability

A vulnerability was discovered in how wpa_supplicant processes P2P
(Wi-Fi Direct) provision discovery requests. Under a corner case
condition, an invalid Provision Discovery Request frame could end up
reaching a state where the oldest peer entry needs to be removed. With
a suitably constructed invalid frame, this could result in use
(read+write) of freed memory. This can result in an attacker within
radio range of the device running P2P discovery being able to cause
unexpected behavior, including termination of the wpa_supplicant process
and potentially code execution.

Vulnerable versions/configurations

wpa_supplicant v1.0-v2.9 with CONFIG_P2P build option enabled

An attacker (or a system controlled by the attacker) needs to be within
radio range of the vulnerable system to send a set of suitably
constructed management frames that trigger the corner case to be reached
in the management of the P2P peer table.

Note: The P2P option is not default.

MFH:		2021Q1
Security:	https://w1.fi/security/2021-1/\
	wpa_supplicant-p2p-provision-discovery-processing-vulnerability.txt
Original commit revision: 568629
Tuesday, 26 Jan 2021
20:15 cy
Disable NDIS by default.

From src/bfc99943b04b46a6c1c885ce7bcc6f235b7422aa (brooks):

    ndis(4) was a clever idea in the early 2000's when the market was
    flooded with 10/100 NICs with Windows-only drivers, but that hasn't
    been the case for ages and the driver has had no meaningful maintenance
    in ages. It only supports Windows-XP era drivers.

Therefore NDIS has been removed from 14-CURRENT. Those who still want or
need NDIS on older supported versions of FreeBSD can still enable the
options and rebuild the port.
Original commit revision: 562996
Wednesday, 20 Jan 2021
17:14 cy
This is the ports version of src commit
d70886d063166786ded0007af8cdcbf57b7b4827.

wpa_supplicant uses PF_ROUTE to return the routing table in order to
determine the length of the routing table buffer. As of 81728a538d24
wpa_supplicant is started before the routing table has been populated
resulting in the length of zero to be returned. This causes
wpa_supplicant to loop endlessly. (The workaround is to kill and restart
wpa_supplicant as by the time it is restarted the routing table is
populated.)

(Personally, I was not able to reproduce this unless wlan0 was a member of
lagg0. However, others experienced this problem on standalone wlan0.)

PR:		252844
Submitted by:	shu <ankohuu _ outlook.com>
Reported by:	shu <ankohuu _ outlook.com>
Reviewed by:	cy
Differential Revision:	https://reviews.freebsd.org/D28249
Original commit revision: 562150
Wednesday, 30 Dec 2020
05:38 cy
Add SIM_SIMULATOR and USIM_SIMULATOR options.

SIM_SIMULATOR and USIM_SIMULATOR options enable features that are used for
testing EAP-AKA and EAP-SIM authentication.

PR:		252276
Submitted by:	Terry Burton <tez _ terryburton.co.uk>
Original commit revision: 559640
Friday, 26 Jun 2020
01:33 cy
add MATCH option for CONFIG_MATCH_IFACE.

PR:		247177
Submitted by:	greg@unrelenting.technology
Reported by:	greg@unrelenting.technology
Tested by:	swills
Original commit revision: 540412
Tuesday, 9 Jun 2020
05:48 cy
UPnP SUBSCRIBE misbehavior in hostapd WPS AP

As published by our hostapd upstream

Vulnerability

General security vulnerability in the way the callback URLs in the UPnP
SUBSCRIBE command are used were reported (VU#339275, CVE-2020-12695).
Some of the described issues may be applicable to the use of UPnP in WPS
AP mode functionality for supporting external registrars.

Such issues could allow a device connected to the local network (i.e., a
device that has been authorized to transmit packets in the network in
which the AP is located) to trigger the AP to initiate a HTTP
(TCP/IP) connection to an arbitrary URL, including connections to
servers in external networks. This could have a security implication if
traffic from the local network to external destinations have different
rules (e.g., firewall and packet inspection) for different local hosts
and the AP having access to external hosts while the attacker controlled
local device not having such access. Such deployment cases may not be
common for networks where WPS would be enabled, but it is not possible
to completely rule out the applicability to cases where hostapd is used
to control a WPS enabled AP.

In addition to the more generic issues with the UPnP protocol, a couple of
implementation specific issues in hostapd were discovered while
reviewing this area of the WPS implementation. These issues could allow
local devices (i.e., devices that have been authorized to transmit
packets in the network in which the AP is located) to trigger
misbehavior in hostapd and cause the process to either get terminated or
to start using more CPU resources by using a specially constructed
SUBSCRIBE command.

All these issues require the attacker to be able to discover the UPnP
service provided by hostapd and to open a TCP connection toward the IP
address of the AP. The former requires access to the local network to be
able to receive broadcast packets and the latter requires access to
initiate TCP/IP connection to the IP address used by the AP. In most
common AP deployment cases, both of these operations are available only
from the local network.

Vulnerable versions/configurations

All hostapd versions with WPS AP support with UPnP enabled in the build
parameters (CONFIG_WPS_UPNP=y) and in the runtime configuration
(upnp_iface).

Possible mitigation steps

- Disable WPS UPnP support in the hostapd runtime configuration by
  removing the upnp_iface parameter.

- Merge the following commits to hostapd and rebuild:

  For CVE-2020-12695:
  WPS UPnP: Do not allow event subscriptions with URLs to other networks
  For the other issues:
  WPS UPnP: Fix event message generation using a long URL path
  WPS UPnP: Handle HTTP initiation failures for events more properly

  These patches are available from https://w1.fi/security/2020-1/

- Update to hostapd v2.10 or newer, once available

Obtained from:	https://w1.fi/security/2020-1/
MFH:		2020Q2
Security:	VU#339275 and CVE-2020-12695
Original commit revision: 538281
Wednesday, 20 May 2020
04:20 cy
Chase src r361272:

Silence the once per second CTRL-EVENT-SCAN-FAILED errors when the WiFi
radio is disabled through the communication device toggle key (also known
as the RF radio kill button). Only the CTRL-EVENT-DISCONNECTED will be
issued.

Submitted by:	avg
Reported by:	avg
MFH:		2020Q2
Original commit revision: 535967
Wednesday, 22 Apr 2020
19:54 leres
security/wpa_supplicant: Simplify @comment logic by using OPTIONS_SUB

PR:		245809
Approved by:	cy (maintainer)
Original commit revision: 532510
03:37 leres
security/wpa_supplicant: Add EAPOL_TEST option

Add an option to build and install the eapol_test program.
Update/patch to solve new compilation errors that result with the
option enabled.

Note: Leaving the changes to Packet32.c out of the PR patch set as
it is not needed.

PR:		245809
Approved by:	cy (maintainer)
Original commit revision: 532442
Wednesday, 1 Apr 2020
01:02 cy
Fix poudriere builds.
Original commit revision: 530188
Monday, 30 Mar 2020
02:29 cy
All other non-exclusive options should be default.

PR:		245099
Reported by:	koobs
Original commit revision: 529854
02:29 cy
Add DBUS option.

PR:		245099
Submitted by:	greg at unrelenting.technology
Original commit revision: 529853
Wednesday, 22 Jan 2020
05:11 cy
Add two new selectable options which allow the user to build
wpa_supplicant to parity with the same in base. The new options,
which are enabled in base are:

WPS_UPNP_DESC:		Universal Plug and Play
IEEE8021X_EAPOL_DESC:	EAP over LAN support
Original commit revision: 523762
Thursday, 22 Aug 2019
03:33 cy
Update 2.8 --> 2.9
Original commit revision: 509576
Monday, 17 Jun 2019
20:15 cy
For users who build and install FreeBSD using WITHOUT_WIRELESS
simply altering /etc/rc.conf isn't enough to make use of the ports
versions of hostapd and wpa_supplicant. This is because the rc.d
scripts are not installed when WITHOUT_WIRELESS is specified as a
build option. This patch checks for the rc scripts existence and
if they do not exist, installs the ports versions of the same
scripts, which are added by this revision.

This patch does not change the package in any way and there is no way
to enable this outside of removal of hostapd or wpa_supplicant
(depending on the port). Users who build their own world using the
WITHOUT_WIRELESS flag will almost always not use binary packages. Hence
the automatic detection and install of the rc scripts. Making this an
option would IMO increase the number of bug reports due to people
inadvertently setting or not setting an option.

To enable this a person must:

1. buildworld and installworld -DWITHOUT_WIRELESS
2. Build and install the desired wpa_supplicant and/or hostapd port
   on servers one wishes to install them on.

PR:		238571
Original commit revision: 504433
Thursday, 16 May 2019
02:41 cy
Resolve the following error discovered in DEVELOPER mode.

These options name have characters outside of [-_A-Z0-9]:

IKEv2 MSCHAPv2
Original commit revision: 501763
Monday, 22 Apr 2019
15:56 cy
Update wpa_supplicant/hostapd 2.7 --> 2.8
Original commit revision: 499654
Tuesday, 9 Apr 2019
14:04 sunpoet
Update devel/readline to 8.0

- Bump PORTREVISION of dependent ports for shlib change

Changes:	https://tiswww.case.edu/php/chet/readline/CHANGES
PR:		236156
Exp-run by:	antoine
Original commit revision: 498476
Thursday, 6 Dec 2018
20:11 cy
Update 2.6 --> 2.7
Original commit revision: 486779
Friday, 17 Aug 2018
02:18 cy
Pet portlint.
Original commit revision: 477405
02:12 cy
Switch to grouping of patches per site as suggested by mat@ in D16718.

Reported by:	mat@
Original commit revision: 477401
Tuesday, 14 Aug 2018
20:21 cy
WPA: Ignore unauthenticated encrypted EAPOL-Key data

Ignore unauthenticated encrypted EAPOL-Key data in supplicant
processing. When using WPA2, these are frames that have the Encrypted
flag set, but not the MIC flag.

When using WPA2, EAPOL-Key frames that had the Encrypted flag set but
not the MIC flag, had their data field decrypted without first verifying
the MIC. In case the data field was encrypted using RC4 (i.e., when
negotiating TKIP as the pairwise cipher), this meant that
unauthenticated but decrypted data would then be processed. An adversary
could abuse this as a decryption oracle to recover sensitive information
in the data field of EAPOL-Key messages (e.g., the group key).
(CVE-2018-14526)

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>

Security:	CVE-2018-14526
Security:	VuXML: 6bedc863-9fbe-11e8-945f-206a8a720317
Original commit revision: 477202
Tuesday, 17 Oct 2017
05:33 cy
Fix "make -s" by replacing ECHO with ECHO_CMD.

PR:		 223056
Submitted by:	Franco Fichtner <franco@opnsense.org>
Original commit revision: 452263
02:17 cy
This port is too important to be orphaned.
Take maintainership and provide a good home.
Original commit revision: 452258
Monday, 16 Oct 2017
20:08 cy
Add patch set 2017-1

A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys. Such
reinstallation of the encryption key can result in two different types
of vulnerabilities: disabling replay protection and significantly
reducing the security of encryption to the point of allowing frames to
be decrypted or some parts of the keys to be determined by an attacker
depending on which cipher is used.

Security:	https://w1.fi/security/2017-1/ \
		wpa-packet-number-reuse-with-replayed-messages.txt
Security:	https://www.krackattacks.com/
MFH:		2017Q4
Original commit revision: 452250
20:05 cy
Use https site.

MFH:		2017Q4
Original commit revision: 452249
Tuesday, 27 Jun 2017
13:46 sunpoet
Update devel/readline to 7.0 patch 3

- Bump PORTREVISION for shlib change

Changes:	https://cnswww.cns.cwru.edu/php/chet/readline/CHANGES
		https://lists.gnu.org/archive/html/bug-bash/2016-09/msg00107.html
		https://lists.gnu.org/archive/html/bug-readline/2017-01/msg00002.html
Differential Revision:	https://reviews.freebsd.org/D11172
PR:		219947
Exp-run by:	antoine
Original commit revision: 444463
Sunday, 1 Jan 2017
03:45 sunpoet
Remove BROKEN_FreeBSD_9

Approved by:	portmgr (blanket)
Original commit revision: 430235
Sunday, 25 Dec 2016
03:15 jrm
security/wpa_supplicant: Allow users of FreeBSD 9 with libre- or openssl
from ports to build the port.

FreeBSD 9 is EOL in less than a week.  Now those stragglers still running
9.3 can get online to update in the next few days.

Approved by:	AMDmi3 (mentor) swills (mentor)
Differential Revision:	https://reviews.freebsd.org/D8875
Original commit revision: 429390
Tuesday, 20 Dec 2016
21:41 amdmi3
- Unbreak on 10.x+

Reported by:	marino
Original commit revision: 429033
Monday, 19 Dec 2016
14:26 amdmi3
- Mark BROKEN: does not build (undefined reference to `get_ie')
Original commit revision: 428933
Thursday, 17 Nov 2016
17:43 jrm
security/wpa_supplicant: Update to version 2.6 and patch for LibreSSL support

Port changes:
- Remove patches that have been incorporated upstream
- Add patches for LibreSSL support

Approved by:	AMDmi3 (mentor)
Differential Revision:	https://reviews.freebsd.org/D8451
Original commit revision: 426292
Friday, 11 Nov 2016
17:26 amdmi3
- Add LICENSE
- Verbosify build
- Switch to options helpers
Original commit revision: 425896
Thursday, 15 Sep 2016
01:29 marino
Release some of my ports back to the heap
Original commit revision: 422173
Sunday, 11 Sep 2016
17:05 marino
security/wpa_supplicant: Add support for LibreSSL
Original commit revision: 421843
Thursday, 19 May 2016
21:12 marino
security/wpa_supplicant: Add security patch set 2016-1

A vulnerability was found in how hostapd and wpa_supplicant write the
configuration file update for the WPA/WPA2 passphrase parameter. If this
parameter has been updated to include control characters either through
a WPS operation (CVE-2016-4476) or through local configuration change
over the wpa_supplicant control interface (CVE-2016-4477), the resulting
configuration file may prevent the hostapd and wpa_supplicant from
starting when the updated file is used. In addition for wpa_supplicant,
it may be possible to load a local library file and execute code from
there with the same privileges under which the wpa_supplicant process
runs.

These patches were developed upstream and published as a response
to the security advisories CVE-2016-4476 and CVE-2016-4477.

PR:		209564
Requested by:	Sevan Janiyan
Original commit revision: 415527
Monday, 18 Apr 2016
21:05 marino
security/wpa_supplicant: patch 4 CVE security advisories

These patches address the following:
  CVE-2015-5310
  CVE-2015-5314
  CVE-2015-5315
  CVE-2015-5316

These patches were developed upstream and published as a response
to the security advisories.

PR:		208482
Requested by:	Jason Unovitch
Original commit revision: 413609
Friday, 1 Apr 2016
14:25 mat
Remove ${PORTSDIR}/ from dependencies, categories r, s, t, and u.

With hat:	portmgr
Sponsored by:	Absolight
Original commit revision: 412349
Sunday, 11 Oct 2015
22:52 marino
security/wpa_supplicant: Upgrade version 2.4 => 2.5
Original commit revision: 399108
Sunday, 12 Jul 2015
11:22 marino
security/wpa_supplicant: Address security issue (2015-5)

There was a vulnerability to the WPS_NFC option which is off by default.
The port is being bumped anyway since people using that option will want
the latest version.

PR:		201432
Submitted by:	Jason Unovitch
Original commit revision: 391779
Tuesday, 2 Jun 2015
09:35 marino
security/wpa_supplicant: Address 3 latest security advisories

These are combined upstream patches 2015-2, 2015-3, 2015-4
They address the following security advisories:

  * CVE-2015-4141
  * CVE-2015-4142
  * CVE-2015-4143
  * CVE-2015-4144
  * CVE-2015-4145
  * CVE-2015-4146

These advisories also apply to net/hostapd

PR:		200568
Submitted by:	Jason Unovitch
Original commit revision: 388312
Saturday, 25 Apr 2015
14:02 marino
security/wpa_supplicant: Add USES=CPE

I just realized that I fixed a CVE bug but WPA Supplicant was never
provided any CPE information.  Fix, bump, and reference previous PR.

PR:		199678
Original commit revision: 384729
06:19 marino
security/wpa_supplicant: Fix CVE-2015-1863

PR:		199678
Submitted by:	Jason Unovitch
Approved by:	maintainer (marino)
Original commit revision: 384705
Monday, 16 Mar 2015
20:45 marino
security/wpa_supplicant: Upgrade version 2.3 => 2.4

See http://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog for list
of changes since version 2.3.
Original commit revision: 381444
Sunday, 19 Oct 2014
09:33 marino
security/wpa_supplicant: Fix build on FreeBSD 11

On FreeBSD 11, the wpa_supplicant couldn't find the readline headers.
It turns out that Mk/Uses/readline.mk only augments LDFLAGS and CPPFLAGS,
but wpa_supplicant needs -I${LOCALBASE}/include added to CFLAGS.  To fix
FreeBSD build, augment CFLAGS with value of CPPFLAGS in the makefile.

This wasn't an issue on DragonFly.  Apparently wpa_supplicant found the
readline compatibility headers of libedit and used those instead.

reported by:	pkg-fallout
Original commit revision: 371174
Monday, 13 Oct 2014
13:49 marino
security/wpa_supplicant: Bring in BSD driver fix from DragonFly BSD

DragonFly adopted its "new" IEEE 802.11 infrastructure from FreeBSD.
This introduced an additional isr_meshid_len field in the
ieee80211req_scan_result structure.  It is necessary to include this
additional offset when calculating the address of the IE data buffer.

Imre Vadasz introduced this fix to DragonFly on 01 Sept 2014, but a
similar fix doesn't appear to be present in FreeBSD's base wpa_supplicant.
Original commit revision: 370776
12:56 marino
wpa/supplicant: Fix driver list with NDIS, take 2

It turns out the driver list was only showing "null" for NDIS when -h
(help) or an unknown switch was passed to wpa_supplicant.  The cause is
that the NDIS driver is the only one that has to be initialized, and
the initialization wasn't occurring in the above case.

The fix is to move the NDIS driver initialization before the command
switches are examined in case wpa_supplicant aborts to usage early.
Original commit revision: 370769
09:33 marino
security/wpa_supplicant: Fix NDIS driver, privsep no longer default

The NDIS driver didn't build when privsep option was turned off.  Moreover,
it didn't display the driver name correctly, so I figured out a patch
based on base's ndis driver code.  Thirdly, when privsep option is turned
off, wpa_priv is not built, so let's handle that condition.

Finally, remove privsep from default options because it removes the
standard list of drivers and replaces it with privsep driver.
Original commit revision: 370760
Sunday, 12 Oct 2014
21:20 marino
Revive security/wpa_supplicant after 6.5 years => version 2.3

This port was retired at version 0.3.8 because wpa_supplicant is
part of FreeBSD base.  However, the last few releases have had a period
of only a few months, so the base is always going to be behind.  DragonFly
is also affected, so I'm bringing the port back at the latest version.

It features the same patches as FreeBSD including the conversion to use
libutil's pidfile routines.  There are some additional patches for
DragonFly support and to fix some bugs from the 9 Oct 2014 release.

The WPA Supplicant build system has been converted to ports options, and
there are dozens of them.  I've set the defaults to match the
configuration in base and verified that it builds with all options
selected at once.
Original commit revision: 370742
Friday, 25 Apr 2008
23:21 pav
- Remove, it's ancient and newer version is included in base of all supported
  releases

Suggested by:   sam
Saturday, 3 Feb 2007
01:55 markus
Utilize PORTDOCS
Thursday, 14 Sep 2006
17:37 brooks
Drop maintainership.  I'm not really interested in this now that we've
got it in the base.
17:37 brooks
Fix build with openssl 0.9.8b.

PR:             ports/102822
Submitted by:   simon
Sunday, 10 Sep 2006
23:32 kris
Change IGNORE to BROKEN in previous
23:31 kris
BROKEN on 7.x: Does not compile
Saturday, 13 May 2006
04:15 edwin
Remove USE_REINPLACE from all categories starting with S
Friday, 27 May 2005
01:10 brooks
Add a new variable WITH_STATIC_SUPPLICANT to cause wpa_supplicant to be
linked statically.  This allows it to be used from devd at startup. [1]

Use LIB_DEPENDS instead of BUILD_DEPENDS for the libdnet depend since we
need it to run too. [2]

My changes differ from the submitted fixes.

Submitted by:   Darren Pilgrim <dmp at bitfreak dot org> [1]
                Pawel Worach <pawel dot worach at gmail dot com> [2]
Saturday, 23 Apr 2005
03:29 brooks
Fix wpa_cli.  You need to pass all of the sockaddr, not just part of it.
Also be sure to keep the path null terminated as Stevens does.

While I'm here, take maintainership since I use this and seem to be
making most of the recent commits.
Wednesday, 16 Feb 2005
07:03 brooks
- Update to 0.3.8.  See ChangeLog for details.
- Install sample config file in etc/wpa_supplication.conf.sample instead
  of DOCSDIR.
- Obey PREFIX.
- Follow move of binaries from bin to sbin.

Committed from a laptop running this version against an AP with WPA-PSK
and AES encryption.

Submitted by:   Yamamoto Shigeru <shigeru at iij dot ad dot jp>
PR:             75609 (by Rong-En Fan <rafan at infor dot org>)
Saturday, 8 Jan 2005
19:06 brooks
- Spell wpa_supplicant with two 'p's in PORTNAME
- Remove now unnecessary DISTNAME
- Add net to CATEGORIES
- Ditch the pkg-plist file in favor of PLIST_FILES, there were only
  three lines in the plist
- Make the patch files relative to WRKSRC so we can drop PATCH_ARGS
- Install some documentation
- Bump PORTREVISION for new docs
Monday, 13 Dec 2004
00:19 imp
Add support for EAP.  It might not work only in 802.1x mode, but should
work in WPA+802.1x.

Submitted by: sam
Sunday, 12 Dec 2004
22:59 imp
Fix grammatical error Kris pointed out.

Submitted by: kris
22:41 imp
wpa_supplicant is only for current.
22:23 imp
WPA supplicant daemon for 802.11 networks.

Submitted by: sam