hostapd/* wpa_supplicant/*: Support CCMP-256/GMCP-256

Chase src/fa06d18b3b87 adding support for CCMP-256/GMCP-256.
2025-04-29 01:56:37 -04:00 · 2025-04-07 13:03:44 -07:00 · 2025-04-07 13:03:44 -07:00 · 60ebc751f7
commit 60ebc751f7
parent 2eda1ee296
8 changed files with 279 additions and 139 deletions
--- a/net/hostapd-devel/Makefile
+++ b/net/hostapd-devel/Makefile
@ -1,5 +1,6 @@
 PORTNAME=	hostapd
 PORTVERSION=	${COMMIT_DATE}
 PORTREVISION=	1
 CATEGORIES=	net
 PKGNAMESUFFIX=	-devel
--- a/net/hostapd-devel/files/patch-src_drivers_driver__bsd.c
+++ b/net/hostapd-devel/files/patch-src_drivers_driver__bsd.c
@ -1,5 +1,5 @@
 --- src/drivers/driver_bsd.c.orig	2024-07-20 11:04:37.000000000 -0700
-+++ src/drivers/driver_bsd.c	2025-03-17 06:07:14.891847000 -0700
+++ src/drivers/driver_bsd.c	2025-04-07 12:57:12.036618000 -0700
@@ -9,11 +9,13 @@
 #include "includes.h"
@ -25,10 +25,14 @@
 	struct ifreq ifr;
 	os_memset(&ifr, 0, sizeof(ifr));
-@@ -306,7 +309,34 @@
+@@ -302,11 +305,38 @@
- 		return -1;
+ 
- 	}
+ 	if (ioctl(drv->global->sock, SIOCGIFFLAGS, &ifr) < 0) {
- 	drv->flags = ifr.ifr_flags;
+ 		wpa_printf(MSG_ERROR, "ioctl[SIOCGIFFLAGS]: %s",
 +			   strerror(errno));
 +		return -1;
 +	}
 +	drv->flags = ifr.ifr_flags;
 +
 +
 +	if (enable) {
@ -43,14 +47,14 @@
 +
 +	if (ioctl(drv->global->sock, SIOCSIFFLAGS, &ifr) < 0) {
 +		wpa_printf(MSG_ERROR, "ioctl[SIOCSIFFLAGS]: %s",
-+			   strerror(errno));
+ 			   strerror(errno));
-+		return -1;
+ 		return -1;
-+	}
+ 	}
 +
 +	wpa_printf(MSG_DEBUG, "%s: if %s (changed) enable %d IFF_UP %d ",
 +	    __func__, drv->ifname, enable, ((ifr.ifr_flags & IFF_UP) != 0));
 +
-+	drv->flags = ifr.ifr_flags;
+ 	drv->flags = ifr.ifr_flags;
 	return 0;
 +
 +nochange:
@ -60,14 +64,20 @@
 }
 static int
-@@ -349,6 +379,14 @@
+@@ -349,6 +379,20 @@
 	case WPA_ALG_CCMP:
 		wk.ik_type = IEEE80211_CIPHER_AES_CCM;
 		break;
 +#if defined(__FreeBSD_version) && __FreeBSD_version >= 1500027
 +	case WPA_ALG_CCMP_256:
 +		wk.ik_type = IEEE80211_CIPHER_AES_CCM_256;
 +		break;
 +	case WPA_ALG_GCMP:
 +		wk.ik_type = IEEE80211_CIPHER_AES_GCM_128;
 +		break;
 +	case WPA_ALG_GCMP_256:
 +		wk.ik_type = IEEE80211_CIPHER_AES_GCM_256;
 +		break;
 +	case WPA_ALG_BIP_CMAC_128:
 +		wk.ik_type = IEEE80211_CIPHER_BIP_CMAC_128;
 +		break;
@ -75,14 +85,34 @@
 	default:
 		wpa_printf(MSG_ERROR, "%s: unknown alg=%d", __func__, alg);
 		return -1;
-@@ -420,6 +458,14 @@
+@@ -413,13 +457,34 @@
 {
 #ifndef IEEE80211_IOC_APPIE
 	static const char *ciphernames[] =
 +#if defined(__FreeBSD_version) && __FreeBSD_version >= 1500027
 +		{ "WEP", "TKIP", "AES-OCB", "AES-CCM", "CKIP", "NONE",
 +		  "AES-CCM-256", "BIP-CMAC-128", "BIP-CMAC-256", "BIP-GMAC-128",
 +		  "BIP-GMAC-256", "AES-GCM-128", "AES-GCM-256" };
 +#else
 		{ "WEP", "TKIP", "AES-OCB", "AES-CCM", "CKIP", "NONE" };
 +#endif
 +
 	int v;
 	switch (params->wpa_group) {
 	case WPA_CIPHER_CCMP:
 		v = IEEE80211_CIPHER_AES_CCM;
 		break;
 +#if defined(__FreeBSD_version) && __FreeBSD_version >= 1500027
 +	case WPA_CIPHER_CCMP_256:
 +		v = IEEE80211_CIPHER_AES_CCM_256;
 +		break;
 +	case WPA_CIPHER_GCMP:
 +		v = IEEE80211_CIPHER_AES_GCM_128;
 +		break;
 +	case WPA_CIPHER_GCMP_256:
 +		v = IEEE80211_CIPHER_AES_GCM_256;
 +		break;
 +	case WPA_CIPHER_BIP_CMAC_128:
 +		v = IEEE80211_CIPHER_BIP_CMAC_128;
 +		break;
@ -90,7 +120,7 @@
 	case WPA_CIPHER_TKIP:
 		v = IEEE80211_CIPHER_TKIP;
 		break;
-@@ -456,6 +502,12 @@
+@@ -456,8 +521,20 @@
 	}
 	v = 0;
@ -99,11 +129,19 @@
 +		v |= 1<<IEEE80211_CIPHER_BIP_CMAC_128;
 +	if (params->wpa_pairwise & WPA_CIPHER_GCMP)
 +		v |= 1<<IEEE80211_CIPHER_AES_GCM_128;
 +	if (params->wpa_pairwise & WPA_CIPHER_GCMP_256)
 +		v |= 1<<IEEE80211_CIPHER_AES_GCM_256;
 +#endif
 	if (params->wpa_pairwise & WPA_CIPHER_CCMP)
 		v |= 1<<IEEE80211_CIPHER_AES_CCM;
 +#if defined(__FreeBSD_version) && __FreeBSD_version >= 1500027
 +	if (params->wpa_pairwise & WPA_CIPHER_CCMP_256)
 +		v |= 1<<IEEE80211_CIPHER_AES_CCM_256;
 +#endif
 	if (params->wpa_pairwise & WPA_CIPHER_TKIP)
-@@ -525,7 +577,7 @@
+ 		v |= 1<<IEEE80211_CIPHER_TKIP;
 	if (params->wpa_pairwise & WPA_CIPHER_NONE)
@@ -525,7 +602,7 @@
 			   __func__);
 		return -1;
 	}
@ -112,7 +150,7 @@
 }
 static void
-@@ -586,6 +638,7 @@
+@@ -586,6 +663,7 @@
 		mode = IFM_IEEE80211_11B;
 	} else {
 		mode =
@ -120,7 +158,7 @@
 			freq->ht_enabled ? IFM_IEEE80211_11NA :
 			IFM_IEEE80211_11A;
 	}
-@@ -853,14 +906,18 @@
+@@ -853,14 +931,18 @@
 		drv = bsd_get_drvindex(global, ifm->ifm_index);
 		if (drv == NULL)
 			return;
@ -142,7 +180,7 @@
 			wpa_printf(MSG_DEBUG, "RTM_IFINFO: Interface '%s' UP",
 				   drv->ifname);
 			wpa_supplicant_event(drv->ctx, EVENT_INTERFACE_ENABLED,
-@@ -1027,7 +1084,8 @@
+@@ -1027,7 +1109,8 @@
 	if (l2_packet_get_own_addr(drv->sock_xmit, params->own_addr))
 		goto bad;
@ -152,7 +190,7 @@
 		goto bad;
 	if (bsd_set_mediaopt(drv, IFM_OMASK, IFM_IEEE80211_HOSTAP) < 0) {
-@@ -1052,12 +1110,13 @@
+@@ -1052,12 +1135,13 @@
 {
 	struct bsd_driver_data *drv = priv;
@ -167,7 +205,7 @@
 static int
 bsd_set_sta_authorized(void *priv, const u8 *addr,
 		       unsigned int total_flags, unsigned int flags_or,
-@@ -1199,13 +1258,41 @@
+@@ -1199,13 +1283,41 @@
 }
 static int
@ -210,7 +248,7 @@
 	wpa_printf(MSG_DEBUG,
 		"%s: ssid '%.*s' wpa ie len %u pairwise %u group %u key mgmt %u"
-@@ -1222,7 +1309,10 @@
+@@ -1222,7 +1334,10 @@
 		mode = 0 /* STA */;
 		break;
 	case IEEE80211_MODE_IBSS:
@ -221,7 +259,7 @@
 		break;
 	case IEEE80211_MODE_AP:
 		mode = IFM_IEEE80211_HOSTAP;
-@@ -1251,24 +1341,33 @@
+@@ -1251,22 +1366,31 @@
 		ret = -1;
 	if (wpa_driver_bsd_set_auth_alg(drv, params->auth_alg) < 0)
 		ret = -1;
@ -234,6 +272,9 @@
 -	    params->key_mgmt_suite == WPA_KEY_MGMT_NONE &&
 -	    params->wpa_ie_len == 0);
 -	wpa_printf(MSG_DEBUG, "%s: set PRIVACY %u", __func__, privacy);
 -
 -	if (set80211param(drv, IEEE80211_IOC_PRIVACY, privacy) < 0)
 -		return -1;
 +	if (params->wpa_ie_len) {
 +		rsn_ie = get_ie(params->wpa_ie, params->wpa_ie_len,
 +		    WLAN_EID_RSN);
@ -253,7 +294,9 @@
 +		}
 +	}
-	if (set80211param(drv, IEEE80211_IOC_PRIVACY, privacy) < 0)
+-	if (params->wpa_ie_len &&
 -	    set80211param(drv, IEEE80211_IOC_WPA,
 -			  params->wpa_ie[0] == WLAN_EID_RSN ? 2 : 1) < 0)
 +	/*
 +	 * NB: interface must be marked UP for association
 +	 * or scanning (ap_scan=2)
@ -261,15 +304,8 @@
 +	if (bsd_ctrl_iface(drv, 1) < 0)
 		return -1;
 -	if (params->wpa_ie_len &&
 -	    set80211param(drv, IEEE80211_IOC_WPA,
 -			  params->wpa_ie[0] == WLAN_EID_RSN ? 2 : 1) < 0)
 -		return -1;
 -
 	os_memset(&mlme, 0, sizeof(mlme));
- 	mlme.im_op = IEEE80211_MLME_ASSOC;
+@@ -1311,11 +1435,8 @@
 	if (params->ssid != NULL)
@@ -1311,11 +1410,8 @@
 	}
 	/* NB: interface must be marked UP to do a scan */
@ -282,7 +318,7 @@
 #ifdef IEEE80211_IOC_SCAN_MAX_SSID
 	os_memset(&sr, 0, sizeof(sr));
-@@ -1495,6 +1591,12 @@
+@@ -1495,6 +1616,12 @@
 		drv->capa.enc |= WPA_DRIVER_CAPA_ENC_TKIP;
 	if (devcaps.dc_cryptocaps & IEEE80211_CRYPTO_AES_CCM)
 		drv->capa.enc |= WPA_DRIVER_CAPA_ENC_CCMP;
@ -295,7 +331,7 @@
 	if (devcaps.dc_drivercaps & IEEE80211_C_HOSTAP)
 		drv->capa.flags |= WPA_DRIVER_FLAGS_AP;
-@@ -1547,6 +1649,8 @@
+@@ -1547,6 +1674,8 @@
 		}
 		if (ifmr.ifm_current & IFM_IEEE80211_HOSTAP)
 			return IEEE80211_M_HOSTAP;
@ -304,7 +340,7 @@
 		if (ifmr.ifm_current & IFM_IEEE80211_MONITOR)
 			return IEEE80211_M_MONITOR;
 #ifdef IEEE80211_M_MBSS
-@@ -1607,7 +1711,7 @@
+@@ -1607,7 +1736,7 @@
 		drv->capa.key_mgmt_iftype[i] = drv->capa.key_mgmt;
 	/* Down interface during setup. */
@ -313,13 +349,13 @@
 		goto fail;
 	/* Proven to work, lets go! */
-@@ -1630,6 +1734,9 @@
+@@ -1631,6 +1760,9 @@
 	if (drv->ifindex != 0 && !drv->if_removed) {
 		wpa_driver_bsd_set_wpa(drv, 0);
-+
+ 
 +		/* NB: mark interface down */
 +		bsd_ctrl_iface(drv, 0);
- 
+
 		wpa_driver_bsd_set_wpa_internal(drv, drv->prev_wpa,
 						drv->prev_privacy);
--- a/net/hostapd/Makefile
+++ b/net/hostapd/Makefile
@ -1,6 +1,6 @@
 PORTNAME=	hostapd
 PORTVERSION=	2.11
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	net
 MASTER_SITES=	https://w1.fi/releases/
--- a/net/hostapd/files/patch-src_drivers_driver__bsd.c
+++ b/net/hostapd/files/patch-src_drivers_driver__bsd.c
@ -1,5 +1,5 @@
 --- src/drivers/driver_bsd.c.orig	2024-07-20 11:04:37.000000000 -0700
-+++ src/drivers/driver_bsd.c	2025-03-17 06:07:14.891847000 -0700
+++ src/drivers/driver_bsd.c	2025-04-07 12:57:12.036618000 -0700
@@ -9,11 +9,13 @@
 #include "includes.h"
@ -25,10 +25,14 @@
 	struct ifreq ifr;
 	os_memset(&ifr, 0, sizeof(ifr));
-@@ -306,7 +309,34 @@
+@@ -302,11 +305,38 @@
- 		return -1;
+ 
- 	}
+ 	if (ioctl(drv->global->sock, SIOCGIFFLAGS, &ifr) < 0) {
- 	drv->flags = ifr.ifr_flags;
+ 		wpa_printf(MSG_ERROR, "ioctl[SIOCGIFFLAGS]: %s",
 +			   strerror(errno));
 +		return -1;
 +	}
 +	drv->flags = ifr.ifr_flags;
 +
 +
 +	if (enable) {
@ -43,14 +47,14 @@
 +
 +	if (ioctl(drv->global->sock, SIOCSIFFLAGS, &ifr) < 0) {
 +		wpa_printf(MSG_ERROR, "ioctl[SIOCSIFFLAGS]: %s",
-+			   strerror(errno));
+ 			   strerror(errno));
-+		return -1;
+ 		return -1;
-+	}
+ 	}
 +
 +	wpa_printf(MSG_DEBUG, "%s: if %s (changed) enable %d IFF_UP %d ",
 +	    __func__, drv->ifname, enable, ((ifr.ifr_flags & IFF_UP) != 0));
 +
-+	drv->flags = ifr.ifr_flags;
+ 	drv->flags = ifr.ifr_flags;
 	return 0;
 +
 +nochange:
@ -60,14 +64,20 @@
 }
 static int
-@@ -349,6 +379,14 @@
+@@ -349,6 +379,20 @@
 	case WPA_ALG_CCMP:
 		wk.ik_type = IEEE80211_CIPHER_AES_CCM;
 		break;
 +#if defined(__FreeBSD_version) && __FreeBSD_version >= 1500027
 +	case WPA_ALG_CCMP_256:
 +		wk.ik_type = IEEE80211_CIPHER_AES_CCM_256;
 +		break;
 +	case WPA_ALG_GCMP:
 +		wk.ik_type = IEEE80211_CIPHER_AES_GCM_128;
 +		break;
 +	case WPA_ALG_GCMP_256:
 +		wk.ik_type = IEEE80211_CIPHER_AES_GCM_256;
 +		break;
 +	case WPA_ALG_BIP_CMAC_128:
 +		wk.ik_type = IEEE80211_CIPHER_BIP_CMAC_128;
 +		break;
@ -75,14 +85,34 @@
 	default:
 		wpa_printf(MSG_ERROR, "%s: unknown alg=%d", __func__, alg);
 		return -1;
-@@ -420,6 +458,14 @@
+@@ -413,13 +457,34 @@
 {
 #ifndef IEEE80211_IOC_APPIE
 	static const char *ciphernames[] =
 +#if defined(__FreeBSD_version) && __FreeBSD_version >= 1500027
 +		{ "WEP", "TKIP", "AES-OCB", "AES-CCM", "CKIP", "NONE",
 +		  "AES-CCM-256", "BIP-CMAC-128", "BIP-CMAC-256", "BIP-GMAC-128",
 +		  "BIP-GMAC-256", "AES-GCM-128", "AES-GCM-256" };
 +#else
 		{ "WEP", "TKIP", "AES-OCB", "AES-CCM", "CKIP", "NONE" };
 +#endif
 +
 	int v;
 	switch (params->wpa_group) {
 	case WPA_CIPHER_CCMP:
 		v = IEEE80211_CIPHER_AES_CCM;
 		break;
 +#if defined(__FreeBSD_version) && __FreeBSD_version >= 1500027
 +	case WPA_CIPHER_CCMP_256:
 +		v = IEEE80211_CIPHER_AES_CCM_256;
 +		break;
 +	case WPA_CIPHER_GCMP:
 +		v = IEEE80211_CIPHER_AES_GCM_128;
 +		break;
 +	case WPA_CIPHER_GCMP_256:
 +		v = IEEE80211_CIPHER_AES_GCM_256;
 +		break;
 +	case WPA_CIPHER_BIP_CMAC_128:
 +		v = IEEE80211_CIPHER_BIP_CMAC_128;
 +		break;
@ -90,7 +120,7 @@
 	case WPA_CIPHER_TKIP:
 		v = IEEE80211_CIPHER_TKIP;
 		break;
-@@ -456,6 +502,12 @@
+@@ -456,8 +521,20 @@
 	}
 	v = 0;
@ -99,11 +129,19 @@
 +		v |= 1<<IEEE80211_CIPHER_BIP_CMAC_128;
 +	if (params->wpa_pairwise & WPA_CIPHER_GCMP)
 +		v |= 1<<IEEE80211_CIPHER_AES_GCM_128;
 +	if (params->wpa_pairwise & WPA_CIPHER_GCMP_256)
 +		v |= 1<<IEEE80211_CIPHER_AES_GCM_256;
 +#endif
 	if (params->wpa_pairwise & WPA_CIPHER_CCMP)
 		v |= 1<<IEEE80211_CIPHER_AES_CCM;
 +#if defined(__FreeBSD_version) && __FreeBSD_version >= 1500027
 +	if (params->wpa_pairwise & WPA_CIPHER_CCMP_256)
 +		v |= 1<<IEEE80211_CIPHER_AES_CCM_256;
 +#endif
 	if (params->wpa_pairwise & WPA_CIPHER_TKIP)
-@@ -525,7 +577,7 @@
+ 		v |= 1<<IEEE80211_CIPHER_TKIP;
 	if (params->wpa_pairwise & WPA_CIPHER_NONE)
@@ -525,7 +602,7 @@
 			   __func__);
 		return -1;
 	}
@ -112,7 +150,7 @@
 }
 static void
-@@ -586,6 +638,7 @@
+@@ -586,6 +663,7 @@
 		mode = IFM_IEEE80211_11B;
 	} else {
 		mode =
@ -120,7 +158,7 @@
 			freq->ht_enabled ? IFM_IEEE80211_11NA :
 			IFM_IEEE80211_11A;
 	}
-@@ -853,14 +906,18 @@
+@@ -853,14 +931,18 @@
 		drv = bsd_get_drvindex(global, ifm->ifm_index);
 		if (drv == NULL)
 			return;
@ -142,7 +180,7 @@
 			wpa_printf(MSG_DEBUG, "RTM_IFINFO: Interface '%s' UP",
 				   drv->ifname);
 			wpa_supplicant_event(drv->ctx, EVENT_INTERFACE_ENABLED,
-@@ -1027,7 +1084,8 @@
+@@ -1027,7 +1109,8 @@
 	if (l2_packet_get_own_addr(drv->sock_xmit, params->own_addr))
 		goto bad;
@ -152,7 +190,7 @@
 		goto bad;
 	if (bsd_set_mediaopt(drv, IFM_OMASK, IFM_IEEE80211_HOSTAP) < 0) {
-@@ -1052,12 +1110,13 @@
+@@ -1052,12 +1135,13 @@
 {
 	struct bsd_driver_data *drv = priv;
@ -167,7 +205,7 @@
 static int
 bsd_set_sta_authorized(void *priv, const u8 *addr,
 		       unsigned int total_flags, unsigned int flags_or,
-@@ -1199,13 +1258,41 @@
+@@ -1199,13 +1283,41 @@
 }
 static int
@ -210,7 +248,7 @@
 	wpa_printf(MSG_DEBUG,
 		"%s: ssid '%.*s' wpa ie len %u pairwise %u group %u key mgmt %u"
-@@ -1222,7 +1309,10 @@
+@@ -1222,7 +1334,10 @@
 		mode = 0 /* STA */;
 		break;
 	case IEEE80211_MODE_IBSS:
@ -221,7 +259,7 @@
 		break;
 	case IEEE80211_MODE_AP:
 		mode = IFM_IEEE80211_HOSTAP;
-@@ -1251,24 +1341,33 @@
+@@ -1251,22 +1366,31 @@
 		ret = -1;
 	if (wpa_driver_bsd_set_auth_alg(drv, params->auth_alg) < 0)
 		ret = -1;
@ -234,6 +272,9 @@
 -	    params->key_mgmt_suite == WPA_KEY_MGMT_NONE &&
 -	    params->wpa_ie_len == 0);
 -	wpa_printf(MSG_DEBUG, "%s: set PRIVACY %u", __func__, privacy);
 -
 -	if (set80211param(drv, IEEE80211_IOC_PRIVACY, privacy) < 0)
 -		return -1;
 +	if (params->wpa_ie_len) {
 +		rsn_ie = get_ie(params->wpa_ie, params->wpa_ie_len,
 +		    WLAN_EID_RSN);
@ -253,7 +294,9 @@
 +		}
 +	}
-	if (set80211param(drv, IEEE80211_IOC_PRIVACY, privacy) < 0)
+-	if (params->wpa_ie_len &&
 -	    set80211param(drv, IEEE80211_IOC_WPA,
 -			  params->wpa_ie[0] == WLAN_EID_RSN ? 2 : 1) < 0)
 +	/*
 +	 * NB: interface must be marked UP for association
 +	 * or scanning (ap_scan=2)
@ -261,15 +304,8 @@
 +	if (bsd_ctrl_iface(drv, 1) < 0)
 		return -1;
 -	if (params->wpa_ie_len &&
 -	    set80211param(drv, IEEE80211_IOC_WPA,
 -			  params->wpa_ie[0] == WLAN_EID_RSN ? 2 : 1) < 0)
 -		return -1;
 -
 	os_memset(&mlme, 0, sizeof(mlme));
- 	mlme.im_op = IEEE80211_MLME_ASSOC;
+@@ -1311,11 +1435,8 @@
 	if (params->ssid != NULL)
@@ -1311,11 +1410,8 @@
 	}
 	/* NB: interface must be marked UP to do a scan */
@ -282,7 +318,7 @@
 #ifdef IEEE80211_IOC_SCAN_MAX_SSID
 	os_memset(&sr, 0, sizeof(sr));
-@@ -1495,6 +1591,12 @@
+@@ -1495,6 +1616,12 @@
 		drv->capa.enc |= WPA_DRIVER_CAPA_ENC_TKIP;
 	if (devcaps.dc_cryptocaps & IEEE80211_CRYPTO_AES_CCM)
 		drv->capa.enc |= WPA_DRIVER_CAPA_ENC_CCMP;
@ -295,7 +331,7 @@
 	if (devcaps.dc_drivercaps & IEEE80211_C_HOSTAP)
 		drv->capa.flags |= WPA_DRIVER_FLAGS_AP;
-@@ -1547,6 +1649,8 @@
+@@ -1547,6 +1674,8 @@
 		}
 		if (ifmr.ifm_current & IFM_IEEE80211_HOSTAP)
 			return IEEE80211_M_HOSTAP;
@ -304,7 +340,7 @@
 		if (ifmr.ifm_current & IFM_IEEE80211_MONITOR)
 			return IEEE80211_M_MONITOR;
 #ifdef IEEE80211_M_MBSS
-@@ -1607,7 +1711,7 @@
+@@ -1607,7 +1736,7 @@
 		drv->capa.key_mgmt_iftype[i] = drv->capa.key_mgmt;
 	/* Down interface during setup. */
@ -313,13 +349,13 @@
 		goto fail;
 	/* Proven to work, lets go! */
-@@ -1630,6 +1734,9 @@
+@@ -1631,6 +1760,9 @@
 	if (drv->ifindex != 0 && !drv->if_removed) {
 		wpa_driver_bsd_set_wpa(drv, 0);
-+
+ 
 +		/* NB: mark interface down */
 +		bsd_ctrl_iface(drv, 0);
- 
+
 		wpa_driver_bsd_set_wpa_internal(drv, drv->prev_wpa,
 						drv->prev_privacy);
--- a/security/wpa_supplicant-devel/Makefile
+++ b/security/wpa_supplicant-devel/Makefile
@ -1,5 +1,6 @@
 PORTNAME=	wpa_supplicant
 PORTVERSION=	${COMMIT_DATE}
 PORTREVISION=	1
 CATEGORIES=	security net
 PKGNAMESUFFIX=	-devel
--- a/security/wpa_supplicant-devel/files/patch-src_drivers_driver__bsd.c
+++ b/security/wpa_supplicant-devel/files/patch-src_drivers_driver__bsd.c
@ -1,5 +1,5 @@
 --- src/drivers/driver_bsd.c.orig	2024-07-20 11:04:37.000000000 -0700
-+++ src/drivers/driver_bsd.c	2025-03-17 06:07:14.891847000 -0700
+++ src/drivers/driver_bsd.c	2025-04-07 12:57:12.036618000 -0700
@@ -9,11 +9,13 @@
 #include "includes.h"
@ -25,10 +25,14 @@
 	struct ifreq ifr;
 	os_memset(&ifr, 0, sizeof(ifr));
-@@ -306,7 +309,34 @@
+@@ -302,11 +305,38 @@
- 		return -1;
+ 
- 	}
+ 	if (ioctl(drv->global->sock, SIOCGIFFLAGS, &ifr) < 0) {
- 	drv->flags = ifr.ifr_flags;
+ 		wpa_printf(MSG_ERROR, "ioctl[SIOCGIFFLAGS]: %s",
 +			   strerror(errno));
 +		return -1;
 +	}
 +	drv->flags = ifr.ifr_flags;
 +
 +
 +	if (enable) {
@ -43,14 +47,14 @@
 +
 +	if (ioctl(drv->global->sock, SIOCSIFFLAGS, &ifr) < 0) {
 +		wpa_printf(MSG_ERROR, "ioctl[SIOCSIFFLAGS]: %s",
-+			   strerror(errno));
+ 			   strerror(errno));
-+		return -1;
+ 		return -1;
-+	}
+ 	}
 +
 +	wpa_printf(MSG_DEBUG, "%s: if %s (changed) enable %d IFF_UP %d ",
 +	    __func__, drv->ifname, enable, ((ifr.ifr_flags & IFF_UP) != 0));
 +
-+	drv->flags = ifr.ifr_flags;
+ 	drv->flags = ifr.ifr_flags;
 	return 0;
 +
 +nochange:
@ -60,14 +64,20 @@
 }
 static int
-@@ -349,6 +379,14 @@
+@@ -349,6 +379,20 @@
 	case WPA_ALG_CCMP:
 		wk.ik_type = IEEE80211_CIPHER_AES_CCM;
 		break;
 +#if defined(__FreeBSD_version) && __FreeBSD_version >= 1500027
 +	case WPA_ALG_CCMP_256:
 +		wk.ik_type = IEEE80211_CIPHER_AES_CCM_256;
 +		break;
 +	case WPA_ALG_GCMP:
 +		wk.ik_type = IEEE80211_CIPHER_AES_GCM_128;
 +		break;
 +	case WPA_ALG_GCMP_256:
 +		wk.ik_type = IEEE80211_CIPHER_AES_GCM_256;
 +		break;
 +	case WPA_ALG_BIP_CMAC_128:
 +		wk.ik_type = IEEE80211_CIPHER_BIP_CMAC_128;
 +		break;
@ -75,14 +85,34 @@
 	default:
 		wpa_printf(MSG_ERROR, "%s: unknown alg=%d", __func__, alg);
 		return -1;
-@@ -420,6 +458,14 @@
+@@ -413,13 +457,34 @@
 {
 #ifndef IEEE80211_IOC_APPIE
 	static const char *ciphernames[] =
 +#if defined(__FreeBSD_version) && __FreeBSD_version >= 1500027
 +		{ "WEP", "TKIP", "AES-OCB", "AES-CCM", "CKIP", "NONE",
 +		  "AES-CCM-256", "BIP-CMAC-128", "BIP-CMAC-256", "BIP-GMAC-128",
 +		  "BIP-GMAC-256", "AES-GCM-128", "AES-GCM-256" };
 +#else
 		{ "WEP", "TKIP", "AES-OCB", "AES-CCM", "CKIP", "NONE" };
 +#endif
 +
 	int v;
 	switch (params->wpa_group) {
 	case WPA_CIPHER_CCMP:
 		v = IEEE80211_CIPHER_AES_CCM;
 		break;
 +#if defined(__FreeBSD_version) && __FreeBSD_version >= 1500027
 +	case WPA_CIPHER_CCMP_256:
 +		v = IEEE80211_CIPHER_AES_CCM_256;
 +		break;
 +	case WPA_CIPHER_GCMP:
 +		v = IEEE80211_CIPHER_AES_GCM_128;
 +		break;
 +	case WPA_CIPHER_GCMP_256:
 +		v = IEEE80211_CIPHER_AES_GCM_256;
 +		break;
 +	case WPA_CIPHER_BIP_CMAC_128:
 +		v = IEEE80211_CIPHER_BIP_CMAC_128;
 +		break;
@ -90,7 +120,7 @@
 	case WPA_CIPHER_TKIP:
 		v = IEEE80211_CIPHER_TKIP;
 		break;
-@@ -456,6 +502,12 @@
+@@ -456,8 +521,20 @@
 	}
 	v = 0;
@ -99,11 +129,19 @@
 +		v |= 1<<IEEE80211_CIPHER_BIP_CMAC_128;
 +	if (params->wpa_pairwise & WPA_CIPHER_GCMP)
 +		v |= 1<<IEEE80211_CIPHER_AES_GCM_128;
 +	if (params->wpa_pairwise & WPA_CIPHER_GCMP_256)
 +		v |= 1<<IEEE80211_CIPHER_AES_GCM_256;
 +#endif
 	if (params->wpa_pairwise & WPA_CIPHER_CCMP)
 		v |= 1<<IEEE80211_CIPHER_AES_CCM;
 +#if defined(__FreeBSD_version) && __FreeBSD_version >= 1500027
 +	if (params->wpa_pairwise & WPA_CIPHER_CCMP_256)
 +		v |= 1<<IEEE80211_CIPHER_AES_CCM_256;
 +#endif
 	if (params->wpa_pairwise & WPA_CIPHER_TKIP)
-@@ -525,7 +577,7 @@
+ 		v |= 1<<IEEE80211_CIPHER_TKIP;
 	if (params->wpa_pairwise & WPA_CIPHER_NONE)
@@ -525,7 +602,7 @@
 			   __func__);
 		return -1;
 	}
@ -112,7 +150,7 @@
 }
 static void
-@@ -586,6 +638,7 @@
+@@ -586,6 +663,7 @@
 		mode = IFM_IEEE80211_11B;
 	} else {
 		mode =
@ -120,7 +158,7 @@
 			freq->ht_enabled ? IFM_IEEE80211_11NA :
 			IFM_IEEE80211_11A;
 	}
-@@ -853,14 +906,18 @@
+@@ -853,14 +931,18 @@
 		drv = bsd_get_drvindex(global, ifm->ifm_index);
 		if (drv == NULL)
 			return;
@ -142,7 +180,7 @@
 			wpa_printf(MSG_DEBUG, "RTM_IFINFO: Interface '%s' UP",
 				   drv->ifname);
 			wpa_supplicant_event(drv->ctx, EVENT_INTERFACE_ENABLED,
-@@ -1027,7 +1084,8 @@
+@@ -1027,7 +1109,8 @@
 	if (l2_packet_get_own_addr(drv->sock_xmit, params->own_addr))
 		goto bad;
@ -152,7 +190,7 @@
 		goto bad;
 	if (bsd_set_mediaopt(drv, IFM_OMASK, IFM_IEEE80211_HOSTAP) < 0) {
-@@ -1052,12 +1110,13 @@
+@@ -1052,12 +1135,13 @@
 {
 	struct bsd_driver_data *drv = priv;
@ -167,7 +205,7 @@
 static int
 bsd_set_sta_authorized(void *priv, const u8 *addr,
 		       unsigned int total_flags, unsigned int flags_or,
-@@ -1199,13 +1258,41 @@
+@@ -1199,13 +1283,41 @@
 }
 static int
@ -210,7 +248,7 @@
 	wpa_printf(MSG_DEBUG,
 		"%s: ssid '%.*s' wpa ie len %u pairwise %u group %u key mgmt %u"
-@@ -1222,7 +1309,10 @@
+@@ -1222,7 +1334,10 @@
 		mode = 0 /* STA */;
 		break;
 	case IEEE80211_MODE_IBSS:
@ -221,7 +259,7 @@
 		break;
 	case IEEE80211_MODE_AP:
 		mode = IFM_IEEE80211_HOSTAP;
-@@ -1251,24 +1341,33 @@
+@@ -1251,22 +1366,31 @@
 		ret = -1;
 	if (wpa_driver_bsd_set_auth_alg(drv, params->auth_alg) < 0)
 		ret = -1;
@ -234,6 +272,9 @@
 -	    params->key_mgmt_suite == WPA_KEY_MGMT_NONE &&
 -	    params->wpa_ie_len == 0);
 -	wpa_printf(MSG_DEBUG, "%s: set PRIVACY %u", __func__, privacy);
 -
 -	if (set80211param(drv, IEEE80211_IOC_PRIVACY, privacy) < 0)
 -		return -1;
 +	if (params->wpa_ie_len) {
 +		rsn_ie = get_ie(params->wpa_ie, params->wpa_ie_len,
 +		    WLAN_EID_RSN);
@ -253,7 +294,9 @@
 +		}
 +	}
-	if (set80211param(drv, IEEE80211_IOC_PRIVACY, privacy) < 0)
+-	if (params->wpa_ie_len &&
 -	    set80211param(drv, IEEE80211_IOC_WPA,
 -			  params->wpa_ie[0] == WLAN_EID_RSN ? 2 : 1) < 0)
 +	/*
 +	 * NB: interface must be marked UP for association
 +	 * or scanning (ap_scan=2)
@ -261,15 +304,8 @@
 +	if (bsd_ctrl_iface(drv, 1) < 0)
 		return -1;
 -	if (params->wpa_ie_len &&
 -	    set80211param(drv, IEEE80211_IOC_WPA,
 -			  params->wpa_ie[0] == WLAN_EID_RSN ? 2 : 1) < 0)
 -		return -1;
 -
 	os_memset(&mlme, 0, sizeof(mlme));
- 	mlme.im_op = IEEE80211_MLME_ASSOC;
+@@ -1311,11 +1435,8 @@
 	if (params->ssid != NULL)
@@ -1311,11 +1410,8 @@
 	}
 	/* NB: interface must be marked UP to do a scan */
@ -282,7 +318,7 @@
 #ifdef IEEE80211_IOC_SCAN_MAX_SSID
 	os_memset(&sr, 0, sizeof(sr));
-@@ -1495,6 +1591,12 @@
+@@ -1495,6 +1616,12 @@
 		drv->capa.enc |= WPA_DRIVER_CAPA_ENC_TKIP;
 	if (devcaps.dc_cryptocaps & IEEE80211_CRYPTO_AES_CCM)
 		drv->capa.enc |= WPA_DRIVER_CAPA_ENC_CCMP;
@ -295,7 +331,7 @@
 	if (devcaps.dc_drivercaps & IEEE80211_C_HOSTAP)
 		drv->capa.flags |= WPA_DRIVER_FLAGS_AP;
-@@ -1547,6 +1649,8 @@
+@@ -1547,6 +1674,8 @@
 		}
 		if (ifmr.ifm_current & IFM_IEEE80211_HOSTAP)
 			return IEEE80211_M_HOSTAP;
@ -304,7 +340,7 @@
 		if (ifmr.ifm_current & IFM_IEEE80211_MONITOR)
 			return IEEE80211_M_MONITOR;
 #ifdef IEEE80211_M_MBSS
-@@ -1607,7 +1711,7 @@
+@@ -1607,7 +1736,7 @@
 		drv->capa.key_mgmt_iftype[i] = drv->capa.key_mgmt;
 	/* Down interface during setup. */
@ -313,13 +349,13 @@
 		goto fail;
 	/* Proven to work, lets go! */
-@@ -1630,6 +1734,9 @@
+@@ -1631,6 +1760,9 @@
 	if (drv->ifindex != 0 && !drv->if_removed) {
 		wpa_driver_bsd_set_wpa(drv, 0);
-+
+ 
 +		/* NB: mark interface down */
 +		bsd_ctrl_iface(drv, 0);
- 
+
 		wpa_driver_bsd_set_wpa_internal(drv, drv->prev_wpa,
 						drv->prev_privacy);
--- a/security/wpa_supplicant/Makefile
+++ b/security/wpa_supplicant/Makefile
@ -1,6 +1,6 @@
 PORTNAME=	wpa_supplicant
 PORTVERSION=	2.11
-PORTREVISION=	4
+PORTREVISION=	5
 CATEGORIES=	security net
 MASTER_SITES=	https://w1.fi/releases/
--- a/security/wpa_supplicant/files/patch-src_drivers_driver__bsd.c
+++ b/security/wpa_supplicant/files/patch-src_drivers_driver__bsd.c
@ -1,5 +1,5 @@
 --- src/drivers/driver_bsd.c.orig	2024-07-20 11:04:37.000000000 -0700
-+++ src/drivers/driver_bsd.c	2025-03-17 06:07:14.891847000 -0700
+++ src/drivers/driver_bsd.c	2025-04-07 12:47:28.984390000 -0700
@@ -9,11 +9,13 @@
 #include "includes.h"
@ -60,14 +60,20 @@
 }
 static int
-@@ -349,6 +379,14 @@
+@@ -349,6 +379,20 @@
 	case WPA_ALG_CCMP:
 		wk.ik_type = IEEE80211_CIPHER_AES_CCM;
 		break;
 +#if defined(__FreeBSD_version) && __FreeBSD_version >= 1500027
 +	case WPA_ALG_CCMP_256:
 +		wk.ik_type = IEEE80211_CIPHER_AES_CCM_256;
 +		break;
 +	case WPA_ALG_GCMP:
 +		wk.ik_type = IEEE80211_CIPHER_AES_GCM_128;
 +		break;
 +	case WPA_ALG_GCMP_256:
 +		wk.ik_type = IEEE80211_CIPHER_AES_GCM_256;
 +		break;
 +	case WPA_ALG_BIP_CMAC_128:
 +		wk.ik_type = IEEE80211_CIPHER_BIP_CMAC_128;
 +		break;
@ -75,14 +81,34 @@
 	default:
 		wpa_printf(MSG_ERROR, "%s: unknown alg=%d", __func__, alg);
 		return -1;
-@@ -420,6 +458,14 @@
+@@ -413,13 +457,34 @@
 {
 #ifndef IEEE80211_IOC_APPIE
 	static const char *ciphernames[] =
 +#if defined(__FreeBSD_version) && __FreeBSD_version >= 1500027
 +		{ "WEP", "TKIP", "AES-OCB", "AES-CCM", "CKIP", "NONE",
 +		  "AES-CCM-256", "BIP-CMAC-128", "BIP-CMAC-256", "BIP-GMAC-128",
 +		  "BIP-GMAC-256", "AES-GCM-128", "AES-GCM-256" };
 +#else
 		{ "WEP", "TKIP", "AES-OCB", "AES-CCM", "CKIP", "NONE" };
 +#endif
 +
 	int v;
 	switch (params->wpa_group) {
 	case WPA_CIPHER_CCMP:
 		v = IEEE80211_CIPHER_AES_CCM;
 		break;
 +#if defined(__FreeBSD_version) && __FreeBSD_version >= 1500027
 +	case WPA_CIPHER_CCMP_256:
 +		v = IEEE80211_CIPHER_AES_CCM_256;
 +		break;
 +	case WPA_CIPHER_GCMP:
 +		v = IEEE80211_CIPHER_AES_GCM_128;
 +		break;
 +	case WPA_CIPHER_GCMP_256:
 +		v = IEEE80211_CIPHER_AES_GCM_256;
 +		break;
 +	case WPA_CIPHER_BIP_CMAC_128:
 +		v = IEEE80211_CIPHER_BIP_CMAC_128;
 +		break;
@ -90,7 +116,7 @@
 	case WPA_CIPHER_TKIP:
 		v = IEEE80211_CIPHER_TKIP;
 		break;
-@@ -456,6 +502,12 @@
+@@ -456,8 +521,18 @@
 	}
 	v = 0;
@ -99,11 +125,17 @@
 +		v |= 1<<IEEE80211_CIPHER_BIP_CMAC_128;
 +	if (params->wpa_pairwise & WPA_CIPHER_GCMP)
 +		v |= 1<<IEEE80211_CIPHER_AES_GCM_128;
-+#endif
+	if (params->wpa_pairwise & WPA_CIPHER_GCMP_256)
 +		v |= 1<<IEEE80211_CIPHER_AES_GCM_256;
 	if (params->wpa_pairwise & WPA_CIPHER_CCMP)
 		v |= 1<<IEEE80211_CIPHER_AES_CCM;
 +	if (params->wpa_pairwise & WPA_CIPHER_CCMP_256)
 +		v |= 1<<IEEE80211_CIPHER_AES_CCM_256;
 +#endif
 	if (params->wpa_pairwise & WPA_CIPHER_TKIP)
-@@ -525,7 +577,7 @@
+ 		v |= 1<<IEEE80211_CIPHER_TKIP;
 	if (params->wpa_pairwise & WPA_CIPHER_NONE)
@@ -525,7 +600,7 @@
 			   __func__);
 		return -1;
 	}
@ -112,7 +144,7 @@
 }
 static void
-@@ -586,6 +638,7 @@
+@@ -586,6 +661,7 @@
 		mode = IFM_IEEE80211_11B;
 	} else {
 		mode =
@ -120,7 +152,7 @@
 			freq->ht_enabled ? IFM_IEEE80211_11NA :
 			IFM_IEEE80211_11A;
 	}
-@@ -853,14 +906,18 @@
+@@ -853,14 +929,18 @@
 		drv = bsd_get_drvindex(global, ifm->ifm_index);
 		if (drv == NULL)
 			return;
@ -142,7 +174,7 @@
 			wpa_printf(MSG_DEBUG, "RTM_IFINFO: Interface '%s' UP",
 				   drv->ifname);
 			wpa_supplicant_event(drv->ctx, EVENT_INTERFACE_ENABLED,
-@@ -1027,7 +1084,8 @@
+@@ -1027,7 +1107,8 @@
 	if (l2_packet_get_own_addr(drv->sock_xmit, params->own_addr))
 		goto bad;
@ -152,7 +184,7 @@
 		goto bad;
 	if (bsd_set_mediaopt(drv, IFM_OMASK, IFM_IEEE80211_HOSTAP) < 0) {
-@@ -1052,12 +1110,13 @@
+@@ -1052,12 +1133,13 @@
 {
 	struct bsd_driver_data *drv = priv;
@ -167,7 +199,7 @@
 static int
 bsd_set_sta_authorized(void *priv, const u8 *addr,
 		       unsigned int total_flags, unsigned int flags_or,
-@@ -1199,13 +1258,41 @@
+@@ -1199,13 +1281,41 @@
 }
 static int
@ -210,7 +242,7 @@
 	wpa_printf(MSG_DEBUG,
 		"%s: ssid '%.*s' wpa ie len %u pairwise %u group %u key mgmt %u"
-@@ -1222,7 +1309,10 @@
+@@ -1222,7 +1332,10 @@
 		mode = 0 /* STA */;
 		break;
 	case IEEE80211_MODE_IBSS:
@ -221,7 +253,7 @@
 		break;
 	case IEEE80211_MODE_AP:
 		mode = IFM_IEEE80211_HOSTAP;
-@@ -1251,24 +1341,33 @@
+@@ -1251,22 +1364,31 @@
 		ret = -1;
 	if (wpa_driver_bsd_set_auth_alg(drv, params->auth_alg) < 0)
 		ret = -1;
@ -234,6 +266,9 @@
 -	    params->key_mgmt_suite == WPA_KEY_MGMT_NONE &&
 -	    params->wpa_ie_len == 0);
 -	wpa_printf(MSG_DEBUG, "%s: set PRIVACY %u", __func__, privacy);
 -
 -	if (set80211param(drv, IEEE80211_IOC_PRIVACY, privacy) < 0)
 -		return -1;
 +	if (params->wpa_ie_len) {
 +		rsn_ie = get_ie(params->wpa_ie, params->wpa_ie_len,
 +		    WLAN_EID_RSN);
@ -253,7 +288,9 @@
 +		}
 +	}
-	if (set80211param(drv, IEEE80211_IOC_PRIVACY, privacy) < 0)
+-	if (params->wpa_ie_len &&
 -	    set80211param(drv, IEEE80211_IOC_WPA,
 -			  params->wpa_ie[0] == WLAN_EID_RSN ? 2 : 1) < 0)
 +	/*
 +	 * NB: interface must be marked UP for association
 +	 * or scanning (ap_scan=2)
@ -261,15 +298,8 @@
 +	if (bsd_ctrl_iface(drv, 1) < 0)
 		return -1;
 -	if (params->wpa_ie_len &&
 -	    set80211param(drv, IEEE80211_IOC_WPA,
 -			  params->wpa_ie[0] == WLAN_EID_RSN ? 2 : 1) < 0)
 -		return -1;
 -
 	os_memset(&mlme, 0, sizeof(mlme));
- 	mlme.im_op = IEEE80211_MLME_ASSOC;
+@@ -1311,11 +1433,8 @@
 	if (params->ssid != NULL)
@@ -1311,11 +1410,8 @@
 	}
 	/* NB: interface must be marked UP to do a scan */
@ -282,7 +312,7 @@
 #ifdef IEEE80211_IOC_SCAN_MAX_SSID
 	os_memset(&sr, 0, sizeof(sr));
-@@ -1495,6 +1591,12 @@
+@@ -1495,6 +1614,12 @@
 		drv->capa.enc |= WPA_DRIVER_CAPA_ENC_TKIP;
 	if (devcaps.dc_cryptocaps & IEEE80211_CRYPTO_AES_CCM)
 		drv->capa.enc |= WPA_DRIVER_CAPA_ENC_CCMP;
@ -295,7 +325,7 @@
 	if (devcaps.dc_drivercaps & IEEE80211_C_HOSTAP)
 		drv->capa.flags |= WPA_DRIVER_FLAGS_AP;
-@@ -1547,6 +1649,8 @@
+@@ -1547,6 +1672,8 @@
 		}
 		if (ifmr.ifm_current & IFM_IEEE80211_HOSTAP)
 			return IEEE80211_M_HOSTAP;
@ -304,7 +334,7 @@
 		if (ifmr.ifm_current & IFM_IEEE80211_MONITOR)
 			return IEEE80211_M_MONITOR;
 #ifdef IEEE80211_M_MBSS
-@@ -1607,7 +1711,7 @@
+@@ -1607,7 +1734,7 @@
 		drv->capa.key_mgmt_iftype[i] = drv->capa.key_mgmt;
 	/* Down interface during setup. */
@ -313,13 +343,13 @@
 		goto fail;
 	/* Proven to work, lets go! */
-@@ -1630,6 +1734,9 @@
+@@ -1631,6 +1758,9 @@
 	if (drv->ifindex != 0 && !drv->if_removed) {
 		wpa_driver_bsd_set_wpa(drv, 0);
-+
+ 
 +		/* NB: mark interface down */
 +		bsd_ctrl_iface(drv, 0);
- 
+
 		wpa_driver_bsd_set_wpa_internal(drv, drv->prev_wpa,
 						drv->prev_privacy);