net/hostapd*: Work around lack of MLME support

hostap MLME uses Linux data structures and definitions not available
in FreeBSD. The ability for hostapd to select the frequency (channel)
depends Linux MLME, though strictly it's not required. Work around the
Linux MLME requirement to configure device frequency.

The detailed description is: hostapd will only set the channel (frequency)
when Linux MLME is configured. Enabling NEED_AP_MLME will result in
numerous build errors due do Linux data structures and definitions not
available under FreeBSD. The code to set the frequency from the selected
channel is only within the NEED_AP_MLME code path because without MLME,
hostapd_get_hw_features() is an inline that always returns -1 whereas with
MLME hostapd_get_hw_features() will obtain hardware features from the
kernel. Until such time we simply set the frequency as configured.

PR:		276375
MFH:		2024Q1

net/hostapd: Sanitize MANPREFIX

Approved by:    portmgr (blanket)

net/hostapd: wpa: Enable receiving priority tagged (VID 0) frames

Certain internet service providers transmit vlan 0 priority tagged
EAPOL frames from the ONT towards the residential gateway. VID 0
should be ignored, and the frame processed according to the priority
set in the 802.1P bits and the encapsulated EtherType (i.e. EAPOL).

The pcap filter utilized by l2_packet is inadquate for this use case.

Here we modify the pcap filter to accept both unencapsulated and
encapsulated (with VLAN 0) EAPOL EtherTypes. This preserves the
original filter behavior while also matching on encapsulated EAPOL.

Sponsored by:   Rubicon Communications, LLC ("Netgate")
Reviewed by:    cy
Obtained from:	src bb5d6d14d81b
PR:             273696
MFH:		2023Q3

net/hostapd: Fix uninitialized packet pointer on error

The packet pointer (called packet) will remain uninitialized when
pcap_next_ex() returns an error. This occurs when the wlan
interface is shut down using ifconfig destroy. Adding a NULL
assignment to packet duplicates what pcap_next() does.

The reason we use pcap_next_ex() in this instance is because with
pacp_next() when we receive a null pointer if there was an error
or if no packets were read. With pcap_next_ex() we can differentiate
between an error and legitimately no packets were received.

PR:             270649, 273696
Obtained from:	src 953efa5b200f
Reported by:    Robert Morris <rtm@lcs.mit.edu>
MFH:		2023Q3

net/hostapd: Rename patch to current patch naming standard

net/hostapd: driver_bsd.c: backout upstream IFF_ change and add logging

This reverts the state to our old supplicant logic setting or clearing
IFF_UP if needed.  In addition this adds logging for the cases in which
we do (not) change the interface state.

Depending on testing this seems to help bringing WiFi up or not log
any needed changes (which would be the expected wpa_supplicant logic
now).  People should look out for ``(changed)`` log entries (at least
if debugging the issue; this way we will at least have data points).

There is a hypothesis still pondered that the entire IFF_UP toggling
only exploits a race in net80211 (see further discssussions for more
debugging and alternative solutions see D38508 and D38753).
That may also explain why the changes to the rc startup script [1]

Remove WWW entries moved into port Makefiles

Commit b7f05445c00f has added WWW entries to port Makefiles based on
WWW: lines in pkg-descr files.

This commit removes the WWW: lines of moved-over URLs from these
pkg-descr files.

Approved by:		portmgr (tcberner)

Add WWW entries to port Makefiles

It has been common practice to have one or more URLs at the end of the
ports' pkg-descr files, one per line and prefixed with "WWW:". These
URLs should point at a project website or other relevant resources.

Access to these URLs required processing of the pkg-descr files, and
they have often become stale over time. If more than one such URL was
present in a pkg-descr file, only the first one was tarnsfered into
the port INDEX, but for many ports only the last line did contain the
port specific URL to further information.

There have been several proposals to make a project URL available as
a macro in the ports' Makefiles, over time.

net: remove 'Created by' lines

A big Thank You to the original contributors of these ports:

  *  <ports@c0decafe.net>
  *  Aaron Dalton <aaron@FreeBSD.org>
  *  Aaron Straup Cope <ascope@cpan.org>
  *  Aaron Zauner <az_mail@gmx.at>
  *  Adam Jette <jettea46@yahoo.com>
  *  Adam Weinberger <adamw@FreeBSD.org>
  *  Alan Eldridge <alane@geeksrus.net>
  *  Alex Bakhtin <Alex.Bakhtin@gmail.com>
  *  Alex Deiter <Alex.Deiter@Gmail.COM>
  *  Alex Dupre <ale@FreeBSD.org>
  *  Alex Dupre <sysadmin@alexdupre.com>

wpa_supplicant* hostapd*: Resolve secondary VAP association issue

Association will fail on a secondary open unprotected VAP when the
primary VAP is configured for WPA. Examples of secondary VAPs are,
hotels, universities, and commodity routers' guest networks.

A broadly similar bug was discussed on Red Hat's bugzilla affecting
association to a D-Link DIR-842.

This suggests that as IEs were added to the 802.11 protocol the old code
was increasingly inadaquate to handle the additional IEs, not only a
secondary VAP.

This duplcates src commit 775611ea11db here in ports.

PR:             264238
Reported by:    Jaskie <jiangjun12321@gmail.com>
                "J.R. Oldroyd" <fbsd@opal.com>
Submitted by:   "J.R. Oldroyd" <fbsd@opal.com>
MFH:      	2022Q3

*/*: Restore a missing wpa BSD driver patch

These patches were removed to sync with base where in fact base was
missing these patches and base should have been synced with the ports.

PR:		264238
Fixes:		b8477825c2dc42f6c595697a36f593c71f39fbad
		c86f32d652eb9dd023049122d8ca37cb13ed07b6
MFH:		2022Q2

*/*: Restore non-IBSS part of wpa patches

b8477825c2dc42f6c595697a36f593c71f39fbad removed some non-IBSS patches.
Restore them. We only want to remove the patches that make IBSS use
ADHOC mode.

Fixes:		b8477825c2dc42f6c595697a36f593c71f39fbad

*/*: FreeBSD's WPA does support IBSS mode

FreeBSD's WPA does support IBSS mode. Remove the hack that forces ADHOC
mode when IBSS is requested.

*/{wpa_supplicant*,hostapd*}: Fix wpa 100% CPU when USB wlan NIC removed

hostapd calls pcap_next(3) to read the next packet off the wlan interface.
pcap_next() returns a pointer to the packet header but does not indicate
success or failure. Unfortunately this results in an infinite loop (100%
CPU) when the wlan device disappears, i.e. when a USB wlan device is
manually removed or a USB error results in the device removal. However
pcap_next_ex(3) does return success or failure. To resolve this we use
pcap_next_ex(), forcing hostapd to exit when the error is encountered.

An error message is printed to syslog or stderr when debugging (-d flag)
is enabled. Unfortunately wpa_printf() only works when debugging is enabled.

PR:		253608
Reported by:	Damjan Jovanovic <damjan.jov@gmail.com>,
		bz (privately)
MFH:		2022Q2

*/*: Fix wpa_supplicant* and hostapd* EAPOL_TEST build

Fix EAPOL_TEST build. Local funcion os_fdatasync() is valid under
FreeBSD as fdatasync(2) is supported.

PR:		261636
Reported by:	David Siebörger <drs-freebsd@sieborger.nom.za>
MFH:		2022Q1

net/hostapd: Update to 2.10

The long awaited hostapd 2.10 is finally here.

net/hostapd: Fix CPE information because current one is deprecated

Approved by:    portmgr (blanket)

*/*: Sync hostapd* and wpa_supplicant* with base ce276fe26d92010776

Use IFM_IEEE80211_ADHOC for now on FreeBSD for IBSS operation.

Base commit by adrian@ on Nov 26, 2015.

This commit syncs ports with base.

PR:		203086
Submitted by:	avos
MFH:		2020Q2

all: Remove all other $FreeBSD keywords.

Remove # $FreeBSD$ from Makefiles.

This is the ports version of src commit
d70886d063166786ded0007af8cdcbf57b7b4827.

wpa_supplicant uses PF_ROUTE to return the routing table in order to
determine the length of the routing table buffer. As of 81728a538d24
wpa_supplicant is started before the routing table has been populated
resulting in the length of zero to be returned. This causes
wpa_supplicant to loop endlessly. (The workaround is to kill and restart
wpa_supplicant as by the time it is restarted the routing table is
populated.)

(Personally, I was not able to reproduce this unless wlan0 was a member of
lagg0. However, others experienced this problem on standalone wlan0.)

PR:		252844
Submitted by:	shu <ankohuu _ outlook.com>
Reported by:	shu <ankohuu _ outlook.com>
Reviewed by:	cy
Differential Revision:	https://reviews.freebsd.org/D28249

UPnP SUBSCRIBE misbehavior in hostapd WPS AP

As published by our hostapd  upstream

Vulnerability

General security vulnerability in the way the callback URLs in the UPnP
SUBSCRIBE command are used were reported (VU#339275, CVE-2020-12695).
Some of the described issues may be applicable to the use of UPnP in WPS
AP mode functionality for supporting external registrars.

Such issues could allow a device connected to the local network (i.e., a
device that has been authorized to transmit packets in the network in
which the AP is located) could trigger the AP to initiate a HTTP
(TCP/IP) connection to an arbitrary URL, including connections to

Chase src r361272:

Silence the once per second CTRL-EVENT-SCAN-FAILED errors when the WiFi
radio is disabled through the communication device toggle key (also known
as the RF raidio kill button). Only the CTRL-EVENT-DISCONNECTED will be
issued.

Submitted by:	avg
Reported by:	avg
MFH:		2020Q2

Update 2.8 --> 2.9

Convert to UCL & cleanup pkg-message (categories n)

(and missed 3 missed files from previous categories.)

For users who build and install FreeBSD using WITHOUT_WIRELESS
simply altering /etc/rc.conf isn't enough to make use of the ports
versions of hostapd and wpa_supplicant. This is because the rc.d
scripts are not installed when WITHOUT_WIRELESS is specified as a
build option. This patch checks for the rc scripts existence and
if they do not exist, installs the ports versions of the same
scripts, which are added by this revision.

This patch does not change the package in any way and there is no way
to enable this outside of removal of hostapd or wpa_supplicant
(depending on the port). Users who build their own world using the
WITHOUT_WIRELESS flag will almost always not use binary packages. Hence
the automatic detection and install of the rc scripts. Making this an
option would IMO increase the number of bug reports due to people
inadvertently setting or not setting an option.

To enable this a person must:

1. buildworld and installworld -DWITHOUT_WIRELESS
2. Build and install the desired wpa_supplicant and/or hostapd port
   on servers one wishes to install them on.

PR:		238571

Update wpa_supplicant/hostapd 2.7 --> 2.8

Also document usage in pkg-message for binary package users.

PR:		236230
Reported by:	mt@markoturk.info
MFH:		2019Q1

Update 2.6 --> 2.7

Pet portlint.

leres@ suggested in D16718 and offline that I assume maintainership
of net/hostapd.

Suggested by:	leres@
Approved by:	leres@

Chase net/wpa_supplicant r477202 and base contrib/wpa r337819.

WPA: Ignore unauthenticated encrypted EAPOL-Key data

Though hostapd is technically not vulnerable, the mitigation for
CVE-2018-14526 does apply cleanly, therefore it is applied to maintain
consistency with net/wpa_supplicant and wpa in base.

Approved by:	leres@
MFH:		2018Q3
Differential Revision:	https://reviews.freebsd.org/D16718

In preparation for applying security patches, switch to grouping of
patches per site as suggested by mat@.

Suggested by:	mat@
Differential Revision:	https://reviews.freebsd.org/D16718

Update patches to unbreak build with LibreSSL 2.7 and the
OpenSSL 1.1 API.

PR:		227172
Submitted by:	brnrd
Reported by:	brnrd
Reviewed by:	ler (mentor)
Approved by:	ler (mentor)
Differential Revision:	https://reviews.freebsd.org/D14957

Update pkg-descr and Makefile in my ports to use https where possible.
Remove obsolete mirrors.

 - devel/arduino
 - devel/arduino-irremote
 - net/hostapd
 - security/broccoli
 - sysutils/lbl-cf
 - sysutils/lbl-hf
 - www/mini_httpd

Reviewed by:	ler (mentor), matthew (mentor)
Approved by:	ler (mentor), matthew (mentor)
Differential Revision:	https://reviews.freebsd.org/D12748

Add patch set 2017-1.

A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys. Such
reinstallation of the encryption key can result in two different types
of vulnerabilities: disabling replay protection and significantly
reducing the security of encryption to the point of allowing frames to
be decrypted or some parts of the keys to be determined by an attacker
depending on which cipher is used.

Approved by:	leres (maintainer)
Security:	https://w1.fi/security/2017-1/ \
		wpa-packet-number-reuse-with-replayed-messages.txt
Security:	https://www.krackattacks.com/
MFH:		2017Q4
Differential Revision:	D12691

Use https site.

Approved by:	leres (maintainer)
MFH:		2017Q4
Differential Revision:	D12691 (part of)

Update MAINTAINER on my ports and "Created by" on the ones I created
to use my @FreeBSD.org email address.

 - devel/arduino
 - devel/arduino-glcd
 - devel/arduino-irremote
 - devel/arduino-mk
 - devel/arduino-sevseg
 - net/hostapd
 - net/py-pcap
 - security/bro
 - security/broccoli
 - security/create-cert
 - sysutils/lbl-cf
 - sysutils/lbl-hf
 - www/mini_httpd

Reviewed by:	ler (mentor)
Approved by:	ler (mentor)
Differential Revision:	https://reviews.freebsd.org/D12374

net/hostapd fails to compile with libressl

Not bumping PORTREVISION as default options are NOT libressl

PR:		218802
Submitted by:	w.schwarzenfeld@utanet.at
Approved by:	adamw (mentor, implicit), leres@ee.lbl.gov (maintainer)

Fix build broken by r436625.

PR:		218036

Update net/hostapd to 2.6 and fix multiple vulnerabilities

PR:		217907
Submitted by:	maintainer
Approved by:	mat (mentor)
Differential Revision: https://reviews.freebsd.org/D10051

net/hostapd: Update os_unix.h to follow os_unix.c change

For completeness, make update os_unix.h patch to match the previous
commit to os_unix.c (no impact for FreeBSD)

net/hostapd: Fix build on DragonFly and with LibreSSL

1. Return the driver_bsd.c patch, it's still required for DF
2. Modify the os_unix.c patch to include exception for DF
3. Add patch to fix build with LibreSSL (originates from OpenBSD)
4. There's no configure set, so replace ineffective configure arg
   with CFLAGS and LDFLAGS for non-base SSL library

Approved by:	SSL blanket and DF blanket

Update to 2.5

PR:		212779
Submitted by:	leres at ee.lbl.gov (maintainer)

net/hostapd: Remove PORTS_SSL option and use SSL_DEFAULT

The port is now configured depending on the SSL base specified by the
SSL_DEFAULT variable.  Before it would break by default if SSL_DEFAULT
was set to non-base.  This changes puts hostapd in line with the rest
of the ports tree.

Approved by:	SSL blanket

Fix usage of WITH_OPENSSL_BASE, WITH_OPENSSL_PORT and OPENSSL_PORT.

WITH_OPENSSL_* can't be set after bsd.port.pre.mk.
Fold all other usage into using SSL_DEFAULT == foo

PR:		210149
Submitted by:	mat
Exp-run by:	antoine
Sponsored by:	The FreeBSD Foundation, Absolight
Differential Revision:	https://reviews.freebsd.org/D6577

Remove BROKEN_* statements, the port builds fine everywhere.

net/hostapd: Address 3 latest security advisories

These are combined upstream patches 2015-2, 2015-3, 2015-4
They address the following security advisories:

  * CVE-2015-4141
  * CVE-2015-4142
  * CVE-2015-4143
  * CVE-2015-4144
  * CVE-2015-4145
  * CVE-2015-4146

These advisories also apply to security/wpa_supplicant

PR:		200567
Submitted by:	Jason Unovitch
Approved by:	maintainer (Craig Leres)

- Add CPE info

Approved by:	portmgr blanket

net/hostapd: Unbreak new version on DragonFly

net/hostapd: Upgrade version 2.3 => 2.4, add PORTS_SSL option

PR:		198889
Submitted by:	maintainer (leres - ee.lbl.gov)

Add missing USE_OPENSSL=yes

PR:		195796

net/hostapd: Upgrade version 2.2 => 2.3

While upgrading to the latest version released last week:
  * Rebase .config file on latest sample versoin
  * Support non-default prefixes
  * Merge new contents of do-configure target into post-patch target

PR:		194315
Approved by:	maintainer: (Craig Leres)

net/hostapd: Update WWW + MASTER_SITES and support DragonFly

The domain for hostapd has changed from hostap.epitest.fi to w1.fi
although the former still redirects.  Update WWW and MASTER_SITES to
reflect the new name.

Regenerate the l2 packet patch so that hostapd also builds on DragonFly
(no-op for FreeBSD).

While here, rearrange makefile to remove need for <pre> and <post> and
use of $PORTNAME in $WRKSRC which would break if PORTNAME changes.

- Update from 2.1 to 2.2 [1]
- Use just BSD3CLAUSE as LICENSE (according to README)

PR:		ports/190726
Submitted by:	leres@ee.lbl.gov [1]

s/-script://

Update to version 2.1

PR:		ports/187459
Submitted by:	maintainer

Support staging

Add NO_STAGE all over the place in preparation for the staging support (cat:
net)

- Remove MAKE_JOBS_SAFE variable

Approved by:	portmgr (bdrewery)

Update to version 2.0

PR:		ports/175438
Submitted by:	Craig Leres <leres@ee.lbl.gov> (maintainer)

- Update to 1.0
- Use ports framework for build:
  - Bonus: Now honours CC/CFLAGS/LDFLAGS
- Remove DISTNAME override
- Update LICENSE (GPLv2 not GPLv1)
- Mark MAKE_JOBS_SAFE
- Patch Makefile to see $(CC) not "CC" when not verbose
- Pet portlint (LICENSE order)

- while here shift where arch is tested, and use MAN{1,8}PREFIX

PR:     ports/169154 (based on)
Submitted by:   koobs.freebsd@gmail.com
Approved by:    maintainer, leres@ee.lbl.gov

Mark broken on powerpc as well as sparc64.  (In fact, on all the tier-2s.)

Hat:            portmgr

Mark as broken on sparc64: does not compile.

hostapd is a user space daemon for access point and authentication
servers. It implements IEEE 802.11 access point management, IEEE
802.1X/WPA/WPA2/EAP Authenticators, RADIUS client, EAP server, and
RADIUS authentication server. The current version supports Linux
(Host AP, madwifi, mac80211-based drivers) and FreeBSD (net80211).

WWW: http://hostap.epitest.fi/hostapd/

PR:             ports/154621
Submitted by:   leres at ee.lbl.gov