From 99f4bf2096d3976cee01c499d7a30c1376f5f0f7 Mon Sep 17 00:00:00 2001
From: Davide Cavalca
Date: Wed, 30 Aug 2023 10:31:07 -0400
Subject: [PATCH] Backport WPA3 support for Broadcom devices
---
 ...k-sae-authentication-offload-support.patch | 26 +++++
 ...r-sae-authentication-offload-support.patch | 100 ++++++++++++++++++
 wpa_supplicant.spec | 9 +-
 3 files changed, 134 insertions(+), 1 deletion(-)
 create mode 100644 wpa_supplicant-nl80211-check-sae-authentication-offload-support.patch
 create mode 100644 wpa_supplicant-sae-pass-sae-password-on-connect-for-sae-authentication-offload-support.patch
diff --git a/wpa_supplicant-nl80211-check-sae-authentication-offload-support.patch b/wpa_supplicant-nl80211-check-sae-authentication-offload-support.patch
new file mode 100644
index 0000000..7b34945
--- /dev/null
+++ b/wpa_supplicant-nl80211-check-sae-authentication-offload-support.patch
@@ -0,0 +1,26 @@
+diff -Naur a/src/drivers/driver.h b/src/drivers/driver.h
+--- a/src/drivers/driver.h 2022-01-16 15:51:29.000000000 -0500
++++ b/src/drivers/driver.h 2023-08-30 10:21:22.500282579 -0400
+@@ -2027,6 +2027,8 @@
+ #define WPA_DRIVER_FLAGS2_OCV 0x0000000000000080ULL
+ /** Driver expects user space implementation of SME in AP mode */
+ #define WPA_DRIVER_FLAGS2_AP_SME 0x0000000000000100ULL
++/** Driver supports SAE authentication offload */
++#define WPA_DRIVER_FLAGS2_SAE_OFFLOAD 0x0000000000008000ULL
+ u64 flags2;
+
+ #define FULL_AP_CLIENT_STATE_SUPP(drv_flags) \
+diff -Naur a/src/drivers/driver_nl80211_capa.c b/src/drivers/driver_nl80211_capa.c
+--- a/src/drivers/driver_nl80211_capa.c 2022-01-16 15:51:29.000000000 -0500
++++ b/src/drivers/driver_nl80211_capa.c 2023-08-30 10:20:18.666889544 -0400
+@@ -595,6 +595,10 @@
+ capa->flags |= WPA_DRIVER_FLAGS_4WAY_HANDSHAKE_8021X;
+
+ if (ext_feature_isset(ext_features, len,
++ NL80211_EXT_FEATURE_SAE_OFFLOAD))
++ capa->flags2 |= WPA_DRIVER_FLAGS2_SAE_OFFLOAD;
++
++ if (ext_feature_isset(ext_features, len,
+ NL80211_EXT_FEATURE_MFP_OPTIONAL))
+ capa->flags |= WPA_DRIVER_FLAGS_MFP_OPTIONAL;
+
diff --git a/wpa_supplicant-sae-pass-sae-password-on-connect-for-sae-authentication-offload-support.patch b/wpa_supplicant-sae-pass-sae-password-on-connect-for-sae-authentication-offload-support.patch
new file mode 100644
index 0000000..2a465eb
--- /dev/null
+++ b/wpa_supplicant-sae-pass-sae-password-on-connect-for-sae-authentication-offload-support.patch
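Review bot: The one-line comment added for `WPA_DRIVER_FLAGS2_SAE_OFFLOAD` in the driver.h part does not say what setting the flag means for the credential. Elsewhere in this commit the flag is what makes the supplicant hand the SAE password to the driver on connect, so the comment should state that, for example `/** Driver supports SAE authentication offload; the SAE password is passed to the driver on connect */`. The value 0x8000 also leaves a gap after 0x100 in the visible defines; if that is meant to follow a later upstream layout, a short comment saying so would help the next backport avoid reusing the bit.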
@@ -0,0 +1,100 @@
+diff -Naur a/src/drivers/driver.h b/src/drivers/driver.h
+--- a/src/drivers/driver.h 2022-01-16 15:51:29.000000000 -0500
++++ b/src/drivers/driver.h 2023-08-30 10:22:48.193810598 -0400
+@@ -1015,6 +1015,14 @@
+ const u8 *psk;
+
+ /**
++ * sae_password - Password for SAE authentication
++ *
++ * This value is made available only for WPA3-Personal (SAE) and only
++ * for drivers that set WPA_DRIVER_FLAGS2_SAE_OFFLOAD.
++ */
++ const char *sae_password;
++
++ /**
+ * drop_unencrypted - Enable/disable unencrypted frame filtering
+ *
+ * Configure the driver to drop all non-EAPOL frames (both receive and
+diff -Naur a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
+--- a/src/drivers/driver_nl80211.c 2022-01-16 15:51:29.000000000 -0500
++++ b/src/drivers/driver_nl80211.c 2023-08-30 10:22:48.195810610 -0400
+@@ -6173,8 +6173,12 @@
+
+ if (params->wpa_proto & WPA_PROTO_WPA)
+ ver |= NL80211_WPA_VERSION_1;
+- if (params->wpa_proto & WPA_PROTO_RSN)
+- ver |= NL80211_WPA_VERSION_2;
++ if (params->wpa_proto & WPA_PROTO_RSN) {
++ if (params->key_mgmt_suite == WPA_KEY_MGMT_SAE)
++ ver |= NL80211_WPA_VERSION_3;
++ else
++ ver |= NL80211_WPA_VERSION_2;
++ }
+
+ wpa_printf(MSG_DEBUG, " * WPA Versions 0x%x", ver);
+ if (nla_put_u32(msg, NL80211_ATTR_WPA_VERSIONS, ver))
+@@ -6304,6 +6308,22 @@
+ return -1;
+ }
+
++ /* add SAE password in case of SAE authentication offload */
++ if ((params->sae_password || params->passphrase) &&
++ (drv->capa.flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD)) {
++ const char *password;
++ size_t pwd_len;
++
++ password = params->sae_password;
++ if (!password)
++ password = params->passphrase;
++ pwd_len = os_strlen(password);
++ wpa_hexdump_ascii_key(MSG_DEBUG, " * SAE password",
++ (u8 *) password, pwd_len);
++ if (nla_put(msg, NL80211_ATTR_SAE_PASSWORD, pwd_len, password))
++ return -1;
++ }
++
+ if (nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT))
+ return -1;
+
+@@ -6419,6 +6439,8 @@
+ algs++;
+ if (params->auth_alg & WPA_AUTH_ALG_FT)
+ algs++;
++ if (params->auth_alg & WPA_AUTH_ALG_SAE)
++ algs++;
+ if (algs > 1) {
+ wpa_printf(MSG_DEBUG, " * Leave out Auth Type for automatic "
+ "selection");
+diff -Naur a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
+--- a/wpa_supplicant/wpa_supplicant.c 2023-08-30 10:18:04.154061324 -0400
++++ b/wpa_supplicant/wpa_supplicant.c 2023-08-30 10:24:53.619588124 -0400
+@@ -1537,7 +1537,8 @@
+
+ sel = ie.key_mgmt & ssid->key_mgmt;
+ #ifdef CONFIG_SAE
+- if (!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE))
++ if (!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE) &&
++ !(wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD))
+ sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_FT_SAE);
+ #endif /* CONFIG_SAE */
+ #ifdef CONFIG_IEEE80211R
+@@ -3919,6 +3920,18 @@
+ params.psk = ssid->psk;
+ }
+
++ if ((wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD) &&
++ wpa_key_mgmt_sae(params.key_mgmt_suite)) {
++ params.auth_alg = WPA_AUTH_ALG_SAE;
++ if (ssid->sae_password)
++ params.sae_password = ssid->sae_password;
++ else if (ssid->passphrase)
++ params.passphrase = ssid->passphrase;
++
++ if (ssid->psk_set)
++ params.psk = ssid->psk;
++ }
++
+ params.drop_unencrypted = use_crypt;
+
+ params.mgmt_frame_protection = wpas_get_ssid_pmf(wpa_s, ssid);
diff --git a/wpa_supplicant.spec b/wpa_supplicant.spec
index 29e71a0..c9032fb 100644
--- a/wpa_supplicant.spec
+++ b/wpa_supplicant.spec
@@ -9,7 +9,7 @@ Summary: WPA/WPA2/IEEE 802.1X Supplicant
 Name: wpa_supplicant
 Epoch: 1
 Version: 2.10
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: BSD-3-Clause
 Source0: http://w1.fi/releases/%{name}-%{version}.tar.gz
 Source1: wpa_supplicant.conf
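Review bot: The block in driver_nl80211.c that adds `NL80211_ATTR_SAE_PASSWORD` is gated only on the driver flag and on a password or passphrase being present, not on the selected AKM. If `params->passphrase` is also populated for a non-SAE connection (the branch just above the new wpa_supplicant.c block is not visible here, so this is unconfirmed), that passphrase would be handed to the driver as an SAE password. The condition should also require SAE, matching the check added in wpa_supplicant.c: `if ((params->sae_password || params->passphrase) && wpa_key_mgmt_sae(params->key_mgmt_suite) && (drv->capa.flags2 & WPA_DRIVER_FLAGS2_SAE_OFFLOAD)) {`. The version selection is inconsistent with the same check: it tests `params->key_mgmt_suite == WPA_KEY_MGMT_SAE`, so FT-SAE, which the wpa_supplicant.c hunk keeps selectable, still gets `NL80211_WPA_VERSION_2`, and `NL80211_WPA_VERSION_3` is set without looking at the offload flag. The enclosing functions in driver_nl80211.c start and end outside the hunks.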
@@ -39,6 +39,10 @@ Patch8: wpa_supplicant-defconfig-enable-OCV-support.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2072070 # From James Ralston in comment #24, thanks to James Patch9: wpa_supplicant-allow-legacy-renegotiation.patch +# Add WPA3 support for Broadcom device +# https://bugzilla.redhat.com/show_bug.cgi?id=2226569 +Patch10: wpa_supplicant-nl80211-check-sae-authentication-offload-support.patch +Patch11: wpa_supplicant-sae-pass-sae-password-on-connect-for-sae-authentication-offload-support.patch URL: http://w1.fi/wpa_supplicant/ @@ -199,6 +203,9 @@ chmod -R 0644 wpa_supplicant/examples/*.py %changelog +* Wed Aug 30 2023 Davide Cavalca - 1:2.10-8 +- Backport WPA3 support for Broadcom devices. Fixes: rhbz#2226569 + * Sat Jul 22 2023 Fedora Release Engineering - 1:2.10-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild