.gitignore

@@ -1 +1,25 @@
-SOURCES/wpa_supplicant-2.10.tar.gz
+madwifi-headers.tar.bz2
+wpa_supplicant-0.4.7.tar.gz
+wpa_supplicant-0.5.1.tar.gz
+wpa_supplicant-0.4.8.tar.gz
+madwifi-headers-r1475.tar.bz2
+wpa_supplicant-0.4.9.tar.gz
+wpa_supplicant-0.5.7.tar.gz
+wpa_supplicant-0.6.3.tar.gz
+wpa_supplicant-0.6.4.tar.gz
+wpa_supplicant-0.6.7.tar.gz
+wpa_supplicant-0.6.8.tar.gz
+/wpa_supplicant-0.7.3.tar.gz
+/wpa_supplicant-1.0-rc1.tar.gz
+/wpa_supplicant-1.0-rc2.tar.gz
+/wpa_supplicant-1.1.tar.gz
+/wpa_supplicant-2.0.tar.gz
+/wpa_supplicant-2.3.tar.gz
+/wpa_supplicant-2.4.tar.gz
+/wpa_supplicant-2.5.tar.gz
+/wpa_supplicant-2.6.tar.gz
+/wpa_supplicant-2.7.tar.gz
+/wpa_supplicant-2.8.tar.gz
+/wpa_supplicant-2.9.tar.gz
+/wpa_supplicant-2.10.tar.gz
+/wpa_supplicant-2.11.tar.gz

.wpa_supplicant.metadata

@@ -1 +0,0 @@
-e295b07d599da4b99c3836d4402ec5746f77e8e8 SOURCES/wpa_supplicant-2.10.tar.gz

SOURCES/build-config

@@ -1,47 +0,0 @@
-CONFIG_CTRL_IFACE=y
-CONFIG_CTRL_IFACE_DBUS=y
-CONFIG_CTRL_IFACE_DBUS_NEW=y
-CONFIG_CTRL_IFACE_DBUS_INTRO=y
-CONFIG_LIBNL32=y
-CONFIG_DRIVER_NL80211=y
-CONFIG_DRIVER_WIRED=y
-CONFIG_DRIVER_MACSEC_LINUX=y
-CONFIG_IEEE8021X_EAPOL=y
-CONFIG_EAP_MD5=y
-CONFIG_EAP_MSCHAPV2=y
-CONFIG_EAP_TLS=y
-CONFIG_EAP_PEAP=y
-CONFIG_EAP_TTLS=y
-CONFIG_EAP_FAST=y
-CONFIG_EAP_GTC=y
-CONFIG_EAP_OTP=y
-CONFIG_EAP_AKA=y
-CONFIG_EAP_PAX=y
-CONFIG_EAP_LEAP=y
-CONFIG_EAP_SAKE=y
-CONFIG_EAP_GPSK=y
-CONFIG_EAP_GPSK_SHA256=y
-CONFIG_EAP_TNC=y
-CONFIG_WPS=y
-CONFIG_EAP_IKEV2=y
-CONFIG_PKCS12=y
-CONFIG_SMARTCARD=y
-CONFIG_DEBUG_SYSLOG=y
-CONFIG_DEBUG_FILE=y
-CONFIG_BACKEND=file
-CONFIG_PEERKEY=y
-CONFIG_BGSCAN_SIMPLE=y
-#CONFIG_FIPS=y
-CONFIG_AP=y
-CONFIG_P2P=y
-CONFIG_IBSS_RSN=y
-CONFIG_IEEE80211N=y
-CONFIG_MACSEC=y
-CONFIG_TLS_DEFAULT_CIPHERS="PROFILE=SYSTEM:3DES"
-CONFIG_IEEE80211W=y
-CONFIG_SAE=y
-CONFIG_OWE=y
-CONFIG_DPP=y
-CONFIG_WIFI_DISPLAY=y
-CONFIG_SUITEB192=y
-CONFIG_WEP=Y

SOURCES/rh1542234-remove-wpa_gui.patch

@@ -1,21 +0,0 @@
---- a/wpa_supplicant/doc/docbook/Makefile
-+++ b/wpa_supplicant/doc/docbook/Makefile
-@@ -2,9 +2,7 @@ all: man html pdf
- 
- FILES += wpa_background
- FILES += wpa_cli
--FILES += wpa_gui
- FILES += wpa_passphrase
--FILES += wpa_priv
- FILES += wpa_supplicant.conf
- FILES += wpa_supplicant
- FILES += eapol_test
-@@ -21,7 +19,7 @@ pdf:
- 
- 
- clean:
--	rm -f wpa_background.8 wpa_cli.8 wpa_gui.8 wpa_passphrase.8 wpa_priv.8 wpa_supplicant.8 eapol_test.8
-+	rm -f wpa_background.8 wpa_cli.8 wpa_passphrase.8 wpa_supplicant.8 eapol_test.8
- 	rm -f wpa_supplicant.conf.5
- 	rm -f manpage.links manpage.refs
- 	rm -f $(FILES:%=%.pdf)

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-10
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

rpminspect.yaml

@@ -0,0 +1,3 @@
+---
+inspections:
+    badfuncs: off

sources

@@ -0,0 +1 @@
+SHA512 (wpa_supplicant-2.11.tar.gz) = 9a0a3a9d6fa2235903c40aa57b5955f0c9dd1dccfd0e3825a3b6f92b3e32db8d464b3ea0aef3285ba3ee109e7b190560cedd744902e954f0003cdba543e277b2

tests/tests.yml

@@ -0,0 +1,14 @@
+# Tests for wpa_supplicant using NM's wifi and 802.1x tests
+- hosts: localhost
+  roles:
+  - role: standard-test-basic
+    tags:
+    - classic
+    repositories:
+    - repo: "https://gitlab.freedesktop.org/NetworkManager/NetworkManager-ci"
+      dest: "NetworkManager-ci"
+    tests:
+    - sanity-tests:
+        dir: NetworkManager-ci
+        run: run/osci/run-tests wpa_supplicant
+

wpa_supplicant-OpenSSL-Use-pkcs11-provider-when-OPENSSL_NO_ENGINE-i.patch

@@ -0,0 +1,386 @@
+From 400b89162294f0344d82334218e8950fd01bb12f Mon Sep 17 00:00:00 2001
+Message-ID: <400b89162294f0344d82334218e8950fd01bb12f.1744107874.git.davide.caratti@gmail.com>
+From: Davide Caratti <davide.caratti@gmail.com>
+Date: Wed, 15 Jan 2025 18:04:54 +0100
+Subject: [PATCH] OpenSSL: Use pkcs11-provider when OPENSSL_NO_ENGINE is
+ defined
+
+Now that ENGINE API starts being deprecated in distros (like Fedora [1])
+wpa_supplicant users might need a way to load certificates and keys from
+PKCS11 URIs even when OPENSSL_NO_ENGINE is defined. We can do that using
+pkcs11-provider: load it by default in wpa_supplicant, and try to use it
+when OPENSSL_NO_ENGINE is defined and configuration requests PKCS11 URIs
+for certificates / keys.
+
+Inspired by pkcs11-provider test program 'tlssetkey.c' [2]
+
+[1] https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
+[2] https://github.com/latchset/pkcs11-provider/blob/main/tests/tlssetkey.c
+
+Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
+---
+ src/crypto/tls_openssl.c | 215 ++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 190 insertions(+), 25 deletions(-)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 17283f998..e225817fe 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -33,6 +33,8 @@
+ #include <openssl/core_names.h>
+ #include <openssl/decoder.h>
+ #include <openssl/param_build.h>
++#include <openssl/store.h>
++#include <openssl/provider.h>
+ #else /* OpenSSL version >= 3.0 */
+ #ifndef OPENSSL_NO_DSA
+ #include <openssl/dsa.h>
+@@ -244,8 +246,8 @@ struct tls_connection {
+ 	BIO *ssl_in, *ssl_out;
+ #if defined(ANDROID) || !defined(OPENSSL_NO_ENGINE)
+ 	ENGINE *engine;        /* functional reference to the engine */
+-	EVP_PKEY *private_key; /* the private key if using engine */
+ #endif /* OPENSSL_NO_ENGINE */
++	EVP_PKEY *private_key; /* the private key if using engine/provider */
+ 	char *subject_match, *altsubject_match, *suffix_match, *domain_match;
+ 	char *check_cert_subject;
+ 	int read_alerts, write_alerts, failed;
+@@ -357,6 +359,149 @@ static X509_STORE * tls_crl_cert_reload(const char *ca_cert, int check_crl)
+ }
+ 
+ 
++#ifdef OPENSSL_NO_ENGINE
++
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++static OSSL_PROVIDER *openssl_pkcs11_provider = NULL;
++#endif /* OpenSSL version >= 3.0 */
++
++static void openssl_load_pkcs11_provider(void)
++{
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++	if (openssl_pkcs11_provider)
++		return;
++
++	openssl_pkcs11_provider = OSSL_PROVIDER_try_load(NULL, "pkcs11", 1);
++	if (!openssl_pkcs11_provider)
++		wpa_printf(MSG_WARNING, "PKCS11 provider not present");
++#endif /* OpenSSL version >= 3.0 */
++}
++
++
++static void openssl_unload_pkcs11_provider(void)
++{
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++	if (openssl_pkcs11_provider) {
++		OSSL_PROVIDER_unload(openssl_pkcs11_provider);
++		openssl_pkcs11_provider = NULL;
++	}
++#endif /* OpenSSL version >= 3.0 */
++}
++
++
++static bool openssl_can_use_provider(const char *engine_id, const char *req)
++{
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++	if (!os_strcmp(engine_id, "pkcs11") && openssl_pkcs11_provider)
++		return true;
++
++	wpa_printf(MSG_ERROR,
++		   "Cannot find OpenSSL provider for '%s' (missing '%s')",
++		   req, engine_id);
++#endif /* OpenSSL version >= 3.0 */
++	return false;
++}
++
++
++static EVP_PKEY * provider_load_key(const char *uri)
++{
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++	OSSL_STORE_CTX *store;
++	OSSL_STORE_INFO *info;
++	EVP_PKEY *key = NULL;
++
++	if (!uri) {
++		tls_show_errors(MSG_ERROR, __func__,
++				"Invalid NULL uri for key");
++		goto err_key;
++	}
++
++	store = OSSL_STORE_open(uri, NULL, NULL, NULL, NULL);
++	if (!store) {
++		wpa_printf(MSG_DEBUG, "Bad uri for private key:%s", uri);
++
++		tls_show_errors(MSG_ERROR, __func__,
++				"Failed to open key store");
++		goto err_key;
++	}
++
++	if (os_strncmp(uri, "pkcs11:", 7) &&
++	    os_strstr(uri, "type=private") == NULL) {
++		/* This is a workaround for OpenSSL < 3.2.0 where the code fails
++		 * to correctly source public keys unless explicitly requested
++		 * via an expect hint. */
++		if (OSSL_STORE_expect(store, OSSL_STORE_INFO_PUBKEY) != 1) {
++			tls_show_errors(MSG_ERROR, __func__,
++					"Failed to expect Public Key File");
++			goto err_store;
++		}
++	}
++
++	while (!OSSL_STORE_eof(store)) {
++		info = OSSL_STORE_load(store);
++		if ((OSSL_STORE_INFO_get_type(info)) == OSSL_STORE_INFO_PKEY)
++			key = OSSL_STORE_INFO_get1_PKEY(info);
++
++		OSSL_STORE_INFO_free(info);
++		if (key)
++			break;
++	}
++
++err_store:
++	OSSL_STORE_close(store);
++err_key:
++	if (!key)
++		wpa_printf(MSG_ERROR, "OpenSSL: Failed to load key from URI");
++
++	return key;
++#else /* OpenSSL version >= 3.0 */
++	return NULL;
++#endif /* OpenSSL version >= 3.0 */
++}
++
++
++static X509 * provider_load_cert(const char *cert_id)
++{
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++	OSSL_STORE_CTX *store;
++	OSSL_STORE_INFO *info;
++	X509 *cert = NULL;
++
++	if (!cert_id) {
++		tls_show_errors(MSG_ERROR, __func__, "Invalid NULL uri");
++		goto err_cert;
++	}
++
++	store = OSSL_STORE_open(cert_id, NULL, NULL, NULL, NULL);
++	if (!store) {
++		tls_show_errors(MSG_ERROR, __func__, "Failed to open store");
++		goto err_cert;
++	}
++
++	while (!OSSL_STORE_eof(store)) {
++		info = OSSL_STORE_load(store);
++		if ((OSSL_STORE_INFO_get_type(info)) == OSSL_STORE_INFO_CERT)
++			cert = OSSL_STORE_INFO_get1_CERT(info);
++
++		OSSL_STORE_INFO_free(info);
++		if (cert)
++			break;
++	}
++	OSSL_STORE_close(store);
++
++err_cert:
++	if (!cert)
++		tls_show_errors(MSG_ERROR, __func__,
++				"Failed to load cert from URI");
++	return cert;
++#else /* OpenSSL version >= 3.0 */
++	return NULL;
++#endif /* OpenSSL version >= 3.0 */
++}
++
++#endif /* OPENSSL_NO_ENGINE */
++
++
+ #ifdef CONFIG_NATIVE_WINDOWS
+ 
+ /* Windows CryptoAPI and access to certificate stores */
+@@ -1020,6 +1165,9 @@ void * tls_init(const struct tls_config *conf)
+ 		void openssl_load_legacy_provider(void);
+ 
+ 		openssl_load_legacy_provider();
++#ifdef OPENSSL_NO_ENGINE
++		openssl_load_pkcs11_provider();
++#endif /* OPENSSL_NO_ENGINE */
+ 
+ 		tls_global = context = tls_context_new(conf);
+ 		if (context == NULL)
+@@ -1211,6 +1359,9 @@ void tls_deinit(void *ssl_ctx)
+ 
+ 	tls_openssl_ref_count--;
+ 	if (tls_openssl_ref_count == 0) {
++#ifdef OPENSSL_NO_ENGINE
++		openssl_unload_pkcs11_provider();
++#endif /* OPENSSL_NO_ENGINE */
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
+ #ifndef OPENSSL_NO_ENGINE
+ 		ENGINE_cleanup();
+@@ -1369,6 +1520,10 @@ err:
+ 
+ 	return ret;
+ #else /* OPENSSL_NO_ENGINE */
++	conn->private_key = provider_load_key(key_id);
++	if (!conn->private_key)
++		return -1;
++
+ 	return 0;
+ #endif /* OPENSSL_NO_ENGINE */
+ }
+@@ -1376,12 +1531,12 @@ err:
+ 
+ static void tls_engine_deinit(struct tls_connection *conn)
+ {
+-#if defined(ANDROID) || !defined(OPENSSL_NO_ENGINE)
+-	wpa_printf(MSG_DEBUG, "ENGINE: engine deinit");
+ 	if (conn->private_key) {
+ 		EVP_PKEY_free(conn->private_key);
+ 		conn->private_key = NULL;
+ 	}
++#if defined(ANDROID) || !defined(OPENSSL_NO_ENGINE)
++	wpa_printf(MSG_DEBUG, "ENGINE: engine deinit");
+ 	if (conn->engine) {
+ #if !defined(OPENSSL_IS_BORINGSSL)
+ 		ENGINE_finish(conn->engine);
+@@ -3799,11 +3954,16 @@ static int tls_engine_get_cert(struct tls_connection *conn,
+ static int tls_connection_engine_client_cert(struct tls_connection *conn,
+ 					     const char *cert_id)
+ {
+-#ifndef OPENSSL_NO_ENGINE
+ 	X509 *cert;
+ 
++#ifndef OPENSSL_NO_ENGINE
+ 	if (tls_engine_get_cert(conn, cert_id, &cert))
+ 		return -1;
++#else /* OPENSSL_NO_ENGINE */
++	cert = provider_load_cert(cert_id);
++	if (!cert)
++		return -1;
++#endif /* OPENSSL_NO_ENGINE */
+ 
+ 	if (!SSL_use_certificate(conn->ssl, cert)) {
+ 		tls_show_errors(MSG_ERROR, __func__,
+@@ -3812,13 +3972,9 @@ static int tls_connection_engine_client_cert(struct tls_connection *conn,
+ 		return -1;
+ 	}
+ 	X509_free(cert);
+-	wpa_printf(MSG_DEBUG, "ENGINE: SSL_use_certificate --> "
++	wpa_printf(MSG_DEBUG, "ENGINE/provider: SSL_use_certificate --> "
+ 		   "OK");
+ 	return 0;
+-
+-#else /* OPENSSL_NO_ENGINE */
+-	return -1;
+-#endif /* OPENSSL_NO_ENGINE */
+ }
+ 
+ 
+@@ -3826,13 +3982,18 @@ static int tls_connection_engine_ca_cert(struct tls_data *data,
+ 					 struct tls_connection *conn,
+ 					 const char *ca_cert_id)
+ {
+-#ifndef OPENSSL_NO_ENGINE
+ 	X509 *cert;
+ 	SSL_CTX *ssl_ctx = data->ssl;
+ 	X509_STORE *store;
+ 
++#ifndef OPENSSL_NO_ENGINE
+ 	if (tls_engine_get_cert(conn, ca_cert_id, &cert))
+ 		return -1;
++#else /* OPENSSL_NO_ENGINE */
++	cert = provider_load_cert(ca_cert_id);
++	if (!cert)
++		return -1;
++#endif /* OPENSSL_NO_ENGINE */
+ 
+ 	/* start off the same as tls_connection_ca_cert */
+ 	store = X509_STORE_new();
+@@ -3846,7 +4007,7 @@ static int tls_connection_engine_ca_cert(struct tls_data *data,
+ 	if (!X509_STORE_add_cert(store, cert)) {
+ 		unsigned long err = ERR_peek_error();
+ 		tls_show_errors(MSG_WARNING, __func__,
+-				"Failed to add CA certificate from engine "
++				"Failed to add CA certificate from engine/provider "
+ 				"to certificate store");
+ 		if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
+ 		    ERR_GET_REASON(err) == X509_R_CERT_ALREADY_IN_HASH_TABLE) {
+@@ -3859,25 +4020,21 @@ static int tls_connection_engine_ca_cert(struct tls_data *data,
+ 		}
+ 	}
+ 	X509_free(cert);
+-	wpa_printf(MSG_DEBUG, "OpenSSL: %s - added CA certificate from engine "
+-		   "to certificate store", __func__);
++	wpa_printf(MSG_DEBUG,
++		   "OpenSSL: %s - added CA certificate from engine/provider to certificate store",
++		   __func__);
+ 	SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
+ 	conn->ca_cert_verify = 1;
+ 
+ 	return 0;
+-
+-#else /* OPENSSL_NO_ENGINE */
+-	return -1;
+-#endif /* OPENSSL_NO_ENGINE */
+ }
+ 
+ 
+ static int tls_connection_engine_private_key(struct tls_connection *conn)
+ {
+-#if defined(ANDROID) || !defined(OPENSSL_NO_ENGINE)
+ 	if (SSL_use_PrivateKey(conn->ssl, conn->private_key) != 1) {
+ 		tls_show_errors(MSG_ERROR, __func__,
+-				"ENGINE: cannot use private key for TLS");
++				"ENGINE/provider: cannot use private key for TLS");
+ 		return -1;
+ 	}
+ 	if (!SSL_check_private_key(conn->ssl)) {
+@@ -3886,11 +4043,6 @@ static int tls_connection_engine_private_key(struct tls_connection *conn)
+ 		return -1;
+ 	}
+ 	return 0;
+-#else /* OPENSSL_NO_ENGINE */
+-	wpa_printf(MSG_ERROR, "SSL: Configuration uses engine, but "
+-		   "engine support was not compiled in");
+-	return -1;
+-#endif /* OPENSSL_NO_ENGINE */
+ }
+ 
+ 
+@@ -5437,6 +5589,10 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
+ 		return -1;
+ 
+ 	if (engine_id && ca_cert_id) {
++#ifdef OPENSSL_NO_ENGINE
++		if (!openssl_can_use_provider(engine_id, ca_cert_id))
++			return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
++#endif /* OPENSSL_NO_ENGINE */
+ 		if (tls_connection_engine_ca_cert(data, conn, ca_cert_id))
+ 			return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
+ 	} else if (tls_connection_ca_cert(data, conn, params->ca_cert,
+@@ -5446,6 +5602,10 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
+ 		return -1;
+ 
+ 	if (engine_id && cert_id) {
++#ifdef OPENSSL_NO_ENGINE
++		if (!openssl_can_use_provider(engine_id, cert_id))
++			return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
++#endif /* OPENSSL_NO_ENGINE */
+ 		if (tls_connection_engine_client_cert(conn, cert_id))
+ 			return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
+ 	} else if (tls_connection_client_cert(conn, params->client_cert,
+@@ -5454,7 +5614,12 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
+ 		return -1;
+ 
+ 	if (engine_id && key_id) {
+-		wpa_printf(MSG_DEBUG, "TLS: Using private key from engine");
++#ifdef OPENSSL_NO_ENGINE
++		if (!openssl_can_use_provider(engine_id, key_id))
++			return TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
++#endif /* OPENSSL_NO_ENGINE */
++		wpa_printf(MSG_DEBUG,
++			   "TLS: Using private key from engine/provider");
+ 		if (tls_connection_engine_private_key(conn))
+ 			return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
+ 	} else if (tls_connection_private_key(data, conn,
+-- 
+2.47.0
+

wpa_supplicant-Revert-Mark-authorization-completed-on-driver-indica.patch

@@ -0,0 +1,50 @@
+From 2514856652f9a393e505d542cb8f039f8bac10f5 Mon Sep 17 00:00:00 2001
+From: Janne Grunau <janne-fdr@jannau.net>
+Date: Sun, 4 Aug 2024 13:24:42 +0200
+Subject: [PATCH 1/1] Revert "Mark authorization completed on driver indication
+ during 4-way HS offload"
+
+This reverts commit 41638606054a09867fe3f9a2b5523aa4678cbfa5.
+---
+ wpa_supplicant/events.c | 25 ++++++++-----------------
+ 1 file changed, 8 insertions(+), 17 deletions(-)
+
+diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
+index 46e7cf1ab..7b3ef7205 100644
+--- a/wpa_supplicant/events.c
++++ b/wpa_supplicant/events.c
+@@ -4441,23 +4441,14 @@ static void wpa_supplicant_event_assoc(struct wpa_supplicant *wpa_s,
+ 		eapol_sm_notify_eap_success(wpa_s->eapol, true);
+ 	} else if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_4WAY_HANDSHAKE_PSK) &&
+ 		   wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt)) {
+-		if (already_authorized) {
+-			/*
+-			 * We are done; the driver will take care of RSN 4-way
+-			 * handshake.
+-			 */
+-			wpa_supplicant_cancel_auth_timeout(wpa_s);
+-			wpa_supplicant_set_state(wpa_s, WPA_COMPLETED);
+-			eapol_sm_notify_portValid(wpa_s->eapol, true);
+-			eapol_sm_notify_eap_success(wpa_s->eapol, true);
+-		} else {
+-			/* Update port, WPA_COMPLETED state from the
+-			 * EVENT_PORT_AUTHORIZED handler when the driver is done
+-			 * with the 4-way handshake.
+-			 */
+-			wpa_msg(wpa_s, MSG_DEBUG,
+-				"ASSOC INFO: wait for driver port authorized indication");
+-		}
++		/*
++		 * We are done; the driver will take care of RSN 4-way
++		 * handshake.
++		 */
++		wpa_supplicant_cancel_auth_timeout(wpa_s);
++		wpa_supplicant_set_state(wpa_s, WPA_COMPLETED);
++		eapol_sm_notify_portValid(wpa_s->eapol, true);
++		eapol_sm_notify_eap_success(wpa_s->eapol, true);
+ 	} else if ((wpa_s->drv_flags & WPA_DRIVER_FLAGS_4WAY_HANDSHAKE_8021X) &&
+ 		   wpa_key_mgmt_wpa_ieee8021x(wpa_s->key_mgmt)) {
+ 		/*
+-- 
+2.45.2
+

wpa_supplicant-Send-signal-change-as-debug-msg.patch

@@ -0,0 +1,47 @@
+From c330b5820eefa8e703dbce7278c2a62d9c69166a Mon Sep 17 00:00:00 2001
+From: Kan-Ru Chen <kanru@kanru.info>
+Date: Mon, 23 Dec 2024 08:42:33 +0900
+Subject: Send CTRL-EVENT-SIGNAL-CHANGE message to control interfaces only
+
+The default logging level for the CTRL-EVENT-SIGNAL-CHANGE message
+may be repeated many times and fill the log file or journal.
+
+For example https://bugzilla.redhat.com/show_bug.cgi?id=2309148 and
+the first few results from searching CTRL-EVENT-SIGNAL-CHANGE on the
+web contain various complaints and workarounds.
+
+Change the logging method to wpa_msg_ctrl to avoid sending frequent
+messages to the syslog but still allow the message to be consumed by
+control interface monitors.
+
+Signed-off-by: Kan-Ru Chen <kanru@kanru.info>
+---
+ wpa_supplicant/events.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
+index 5a1bc6d58..00109a0cd 100644
+--- a/wpa_supplicant/events.c
++++ b/wpa_supplicant/events.c
+@@ -6766,12 +6766,12 @@ void wpa_supplicant_event(void *ctx, enum wpa_event_type event,
+ 					data->eapol_rx.encrypted);
+ 		break;
+ 	case EVENT_SIGNAL_CHANGE:
+-		wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_SIGNAL_CHANGE
+-			"above=%d signal=%d noise=%d txrate=%lu",
+-			data->signal_change.above_threshold,
+-			data->signal_change.data.signal,
+-			data->signal_change.current_noise,
+-			data->signal_change.data.current_tx_rate);
++		wpa_msg_ctrl(wpa_s, MSG_INFO, WPA_EVENT_SIGNAL_CHANGE
++			     "above=%d signal=%d noise=%d txrate=%lu",
++			     data->signal_change.above_threshold,
++			     data->signal_change.data.signal,
++			     data->signal_change.current_noise,
++			     data->signal_change.data.current_tx_rate);
+ 		wpa_bss_update_level(wpa_s->current_bss,
+ 				     data->signal_change.data.signal);
+ 		bgscan_notify_signal_change(
+-- 
+cgit v1.2.3-70-g09d2
+

wpa_supplicant-config.patch

@@ -0,0 +1,81 @@
+From 72ee1e934e98ea87e4de292958817e724114703e Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Fri, 6 Sep 2019 09:46:00 +0200
+Subject: [PATCH] defconfig: Fedora configuration
+
+---
+ wpa_supplicant/defconfig | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/wpa_supplicant/defconfig
++++ b/wpa_supplicant/defconfig
+@@ -149,7 +149,7 @@ CONFIG_EAP_PAX=y
+ CONFIG_EAP_LEAP=y
+ 
+ # EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
+-#CONFIG_EAP_AKA=y
++CONFIG_EAP_AKA=y
+ 
+ # EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used).
+ # This requires CONFIG_EAP_AKA to be enabled, too.
+@@ -350,6 +350,7 @@ CONFIG_BACKEND=file
+ # Select which ciphers to use by default with OpenSSL if the user does not
+ # specify them.
+ #CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
++CONFIG_TLS_DEFAULT_CIPHERS="PROFILE=SYSTEM:3DES"
+ 
+ # If CONFIG_TLS=internal is used, additional library and include paths are
+ # needed for LibTomMath. Alternatively, an integrated, minimal version of
+@@ -418,7 +419,7 @@ CONFIG_CTRL_IFACE_DBUS_INTRO=y
+ #CONFIG_NO_LOAD_DYNAMIC_EAP=y
+ 
+ # IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
+-CONFIG_IEEE80211R=y
++#CONFIG_IEEE80211R=y
+ 
+ # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
+ CONFIG_DEBUG_FILE=y
+@@ -497,7 +498,7 @@ CONFIG_DEBUG_SYSLOG=y
+ # Should we attempt to use the getrandom(2) call that provides more reliable
+ # yet secure randomness source than /dev/random on Linux 3.17 and newer.
+ # Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
+-#CONFIG_GETRANDOM=y
++CONFIG_GETRANDOM=y
+ 
+ # IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
+ CONFIG_IEEE80211AC=y
+@@ -510,7 +511,7 @@ CONFIG_IEEE80211AX=y
+ # Note: This is experimental and work in progress. The definitions are still
+ # subject to change and this should not be expected to interoperate with the
+ # final IEEE 802.11be version.
+-#CONFIG_IEEE80211BE=y
++CONFIG_IEEE80211BE=y
+ 
+ # Wireless Network Management (IEEE Std 802.11v-2011)
+ # Note: This is experimental and not complete implementation.
+@@ -625,7 +626,7 @@ CONFIG_IBSS_RSN=y
+ #CONFIG_PMKSA_CACHE_EXTERNAL=y
+ 
+ # Mesh Networking (IEEE 802.11s)
+-#CONFIG_MESH=y
++CONFIG_MESH=y
+ 
+ # Background scanning modules
+ # These can be used to request wpa_supplicant to perform background scanning
+@@ -639,7 +640,7 @@ CONFIG_BGSCAN_SIMPLE=y
+ 
+ # Opportunistic Wireless Encryption (OWE)
+ # Experimental implementation of draft-harkins-owe-07.txt
+-#CONFIG_OWE=y
++CONFIG_OWE=y
+ 
+ # Device Provisioning Protocol (DPP) (also known as Wi-Fi Easy Connect)
+ CONFIG_DPP=y
+@@ -686,3 +687,7 @@ CONFIG_DPP2=y
+ 
+ # Wi-Fi Aware unsynchronized service discovery (NAN USD)
+ #CONFIG_NAN_USD=y
++#
++CONFIG_SUITEB192=y
++CONFIG_IPV6=y
++

wpa_supplicant.spec

@@ -1,39 +1,44 @@
-%define rcver %{nil}
-%define snapshot %{nil}
-
 %global _hardened_build 1
+%if 0%{?fedora}
+%bcond_without gui
+%else
+%bcond_with gui
+%endif
 
 Summary: WPA/WPA2/IEEE 802.1X Supplicant
 Name: wpa_supplicant
 Epoch: 1
-Version: 2.10
+Version: 2.11
-Release: 1%{?dist}
+Release: 4%{?dist}
-License: BSD
+License: BSD-3-Clause
-Group: System Environment/Base
+Source0: http://w1.fi/releases/%{name}-%{version}.tar.gz
-Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz
+Source1: wpa_supplicant.conf
-Source1: build-config
+Source2: wpa_supplicant.service
-Source2: %{name}.conf
+Source3: wpa_supplicant.sysconfig
-Source3: %{name}.service
+Source4: wpa_supplicant.logrotate
-Source4: %{name}.sysconfig
-Source6: %{name}.logrotate
 
-%define build_gui 0
+# Distro specific customization and not suitable for upstream,
-
+# Fedora-specific updates to defconfig
-# distro specific customization and not suitable for upstream,
+Patch0: wpa_supplicant-config.patch
-# works around busted drivers
+# Works around busted drivers
-Patch0: wpa_supplicant-assoc-timeout.patch
+Patch1: wpa_supplicant-assoc-timeout.patch
-# ensures that debug output gets flushed immediately to help diagnose driver
+# Ensures that debug output gets flushed immediately to help diagnose driver
 # bugs, not suitable for upstream
-Patch1: wpa_supplicant-flush-debug-output.patch
+Patch2: wpa_supplicant-flush-debug-output.patch
-# quiet an annoying and frequent syslog message
+# Quiet an annoying and frequent syslog message
 Patch3: wpa_supplicant-quiet-scan-results-message.patch
-# distro specific customization for Qt4 build tools, not suitable for upstream
+# Distro specific customization for Qt4 build tools, not suitable for upstream
-Patch5: rh1542234-remove-wpa_gui.patch
+Patch4: wpa_supplicant-gui-qt4.patch
-Patch6: wpa_supplicant-gui-qt4.patch
+# fix known regression on brcmfmac (rhbz#2302577)
+Patch5: wpa_supplicant-Revert-Mark-authorization-completed-on-driver-indica.patch
+# use pkcs11-provider instead of OpenSSL engine
+Patch6: wpa_supplicant-OpenSSL-Use-pkcs11-provider-when-OPENSSL_NO_ENGINE-i.patch
+# de-clutter syslog from CTRL-EVENT-SIGNAL-CHANGE messages
+Patch7: wpa_supplicant-Send-signal-change-as-debug-msg.patch
 
 URL: http://w1.fi/wpa_supplicant/
 
-%if %{build_gui}
+%if %with gui
 BuildRequires: qt-devel >= 4.0
 %endif
 BuildRequires: openssl-devel
@@ -42,10 +47,13 @@ BuildRequires: dbus-devel
 BuildRequires: libnl3-devel
 BuildRequires: systemd-units
 BuildRequires: docbook-utils
+BuildRequires: gcc
 Requires(post): systemd-sysv
 Requires(post): systemd
 Requires(preun): systemd
 Requires(postun): systemd
+Requires: pkcs11-provider >= 1.0
+
 # libeap used to be built from wpa_supplicant with some fairly horrible
 # hackery, solely for use by WiMAX. We dropped all WiMAX support around
 # F21. This is here so people don't wind up with obsolete libeap packages
@@ -61,81 +69,83 @@ component that is used in the client stations. It implements key negotiation
 with a WPA Authenticator and it controls the roaming and IEEE 802.11
 authentication/association of the wlan driver.
 
-%if %{build_gui}
 
+%if %with gui
 %package gui
 Summary: Graphical User Interface for %{name}
-Group: Applications/System
 
 %description gui
 Graphical User Interface for wpa_supplicant written using QT
-
 %endif
 
+
 %prep
-%autosetup -p1 -n %{name}-%{version}%{rcver}%{snapshot}
+%autosetup -p1 -n %{name}-%{version}
+
 
 %build
 pushd wpa_supplicant
-  cp %{SOURCE1} .config
+  cp defconfig .config
-  CFLAGS="${CFLAGS:-%optflags} -fPIE -DPIE" ; export CFLAGS ;
+  export CFLAGS="${CFLAGS:-%optflags} -fPIE -DPIE -DOPENSSL_NO_ENGINE"
-  CXXFLAGS="${CXXFLAGS:-%optflags} -fPIE -DPIE" ; export CXXFLAGS ;
+  export CXXFLAGS="${CXXFLAGS:-%optflags} -fPIE -DOPENSSL_NO_ENGINE"
-  LDFLAGS="${LDFLAGS:-%optflags} -pie -Wl,-z,now" ; export LDFLAGS ;
+  export LDFLAGS="${LDFLAGS:-%optflags} -pie -Wl,-z,now"
   # yes, BINDIR=_sbindir
-  BINDIR="%{_sbindir}" ; export BINDIR ;
+  export BINDIR="%{_sbindir}"
-  LIBDIR="%{_libdir}" ; export LIBDIR ;
+  export LIBDIR="%{_libdir}"
-  make %{_smp_mflags}
+  make %{_smp_mflags} V=1
-%if %{build_gui}
+%if %with gui
-  QTDIR=%{_libdir}/qt4 make wpa_gui-qt4 %{_smp_mflags} QMAKE='%{qmake_qt4}' LRELEASE='%{_qt4_bindir}/lrelease'
+  make wpa_gui-qt4 %{_smp_mflags} V=1 QTDIR=%{_libdir}/qt4 \
+    QMAKE='%{qmake_qt4}' LRELEASE='%{_qt4_bindir}/lrelease'
+%endif
+  make eapol_test V=1
+  make -C doc/docbook man V=1
+%if !%with gui
+  rm doc/docbook/wpa_gui.8
 %endif
-  make eapol_test
 popd
 
-pushd wpa_supplicant/doc/docbook
-  make man
-popd
 
 %install
-# init scripts
-install -D -m 0644 %{SOURCE3} %{buildroot}/%{_unitdir}/%{name}.service
-install -D -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/sysconfig/%{name}
-install -D -m 0644 %{SOURCE6} %{buildroot}/%{_sysconfdir}/logrotate.d/%{name}
-
 # config
-install -D -m 0600 %{SOURCE2} %{buildroot}/%{_sysconfdir}/%{name}/%{name}.conf
+install -D -m 0600 %{SOURCE1} %{buildroot}/%{_sysconfdir}/wpa_supplicant/wpa_supplicant.conf
+
+# init scripts
+install -D -m 0644 %{SOURCE2} %{buildroot}/%{_unitdir}/wpa_supplicant.service
+install -D -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/sysconfig/wpa_supplicant
+install -D -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/logrotate.d/wpa_supplicant
 
 # binary
 install -d %{buildroot}/%{_sbindir}
-install -m 0755 %{name}/wpa_passphrase %{buildroot}/%{_sbindir}
+install -m 0755 wpa_supplicant/wpa_passphrase %{buildroot}/%{_sbindir}
-install -m 0755 %{name}/wpa_cli %{buildroot}/%{_sbindir}
+install -m 0755 wpa_supplicant/wpa_cli %{buildroot}/%{_sbindir}
-install -m 0755 %{name}/wpa_supplicant %{buildroot}/%{_sbindir}
+install -m 0755 wpa_supplicant/wpa_supplicant %{buildroot}/%{_sbindir}
-install -m 0755 %{name}/eapol_test %{buildroot}/%{_sbindir}
+install -m 0755 wpa_supplicant/eapol_test %{buildroot}/%{_sbindir}
-install -D -m 0644 %{name}/dbus/dbus-wpa_supplicant.conf %{buildroot}/%{_sysconfdir}/dbus-1/system.d/wpa_supplicant.conf
+install -D -m 0644 wpa_supplicant/dbus/dbus-wpa_supplicant.conf \
-install -D -m 0644 %{name}/dbus/fi.w1.wpa_supplicant1.service %{buildroot}/%{_datadir}/dbus-1/system-services/fi.w1.wpa_supplicant1.service
+  %{buildroot}/%{_sysconfdir}/dbus-1/system.d/wpa_supplicant.conf
+install -D -m 0644 wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service \
+  %{buildroot}/%{_datadir}/dbus-1/system-services/fi.w1.wpa_supplicant1.service
 
-%if %{build_gui}
+%if %with gui
 # gui
 install -d %{buildroot}/%{_bindir}
-install -m 0755 %{name}/wpa_gui-qt4/wpa_gui %{buildroot}/%{_bindir}
+install -m 0755 wpa_supplicant/wpa_gui-qt4/wpa_gui %{buildroot}/%{_bindir}
-%else
-rm -f %{name}/doc/docbook/wpa_gui.8
 %endif
 
-rm -f %{name}/doc/docbook/wpa_priv.8
-
 # man pages
 install -d %{buildroot}%{_mandir}/man{5,8}
-install -m 0644 %{name}/doc/docbook/*.8 %{buildroot}%{_mandir}/man8
+install -m 0644 wpa_supplicant/doc/docbook/*.8 %{buildroot}%{_mandir}/man8
-install -m 0644 %{name}/doc/docbook/*.5 %{buildroot}%{_mandir}/man5
+install -m 0644 wpa_supplicant/doc/docbook/*.5 %{buildroot}%{_mandir}/man5
 
 # some cleanup in docs and examples
-rm -f  %{name}/doc/.cvsignore
+rm -f  wpa_supplicant/doc/.cvsignore
-rm -rf %{name}/doc/docbook
+rm -rf wpa_supplicant/doc/docbook
-chmod -R 0644 %{name}/examples/*.py
+chmod -R 0644 wpa_supplicant/examples/*.py
+
 
 %post
 %systemd_post wpa_supplicant.service
 
+
 %preun
 %systemd_preun wpa_supplicant.service
 
@@ -151,78 +161,193 @@ chmod -R 0644 %{name}/examples/*.py
 
 
 %files
-%license COPYING
+%config(noreplace) %{_sysconfdir}/wpa_supplicant/wpa_supplicant.conf
-%doc %{name}/ChangeLog README %{name}/eap_testing.txt %{name}/todo.txt %{name}/wpa_supplicant.conf %{name}/examples
+%config(noreplace) %{_sysconfdir}/sysconfig/wpa_supplicant
-%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
+%dir %{_sysconfdir}/logrotate.d
-%config(noreplace) %{_sysconfdir}/sysconfig/%{name}
+%config(noreplace) %{_sysconfdir}/logrotate.d/wpa_supplicant
-%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
+%{_unitdir}/wpa_supplicant.service
-%{_unitdir}/%{name}.service
+%{_sysconfdir}/dbus-1/system.d/wpa_supplicant.conf
-%{_sysconfdir}/dbus-1/system.d/%{name}.conf
 %{_datadir}/dbus-1/system-services/fi.w1.wpa_supplicant1.service
 %{_sbindir}/wpa_passphrase
 %{_sbindir}/wpa_supplicant
 %{_sbindir}/wpa_cli
 %{_sbindir}/eapol_test
-%dir %{_sysconfdir}/%{name}
+%dir %{_sysconfdir}/wpa_supplicant
-%{_mandir}/man8/*
+%{_mandir}/man8/wpa_supplicant.8.gz
+%{_mandir}/man8/wpa_priv.8.gz
+%{_mandir}/man8/wpa_passphrase.8.gz
+%{_mandir}/man8/wpa_cli.8.gz
+%{_mandir}/man8/wpa_background.8.gz
+%{_mandir}/man8/eapol_test.8.gz
 %{_mandir}/man5/*
+%doc README
+%doc wpa_supplicant/ChangeLog
+%doc wpa_supplicant/eap_testing.txt
+%doc wpa_supplicant/todo.txt
+%doc wpa_supplicant/wpa_supplicant.conf
+%doc wpa_supplicant/examples
+%license COPYING
 
-%if %{build_gui}
+
+%if %with gui
 %files gui
 %{_bindir}/wpa_gui
+%{_mandir}/man8/wpa_gui.8.gz
 %endif
 
+
 %changelog
-* Thu Jan  20 2022 Davide Caratti <dcaratti@redhat.com> - 1:2.10-1
+* Fri Apr 11 2025 Davide Caratti <dcaratti@redhat.com> - 1:2.11-4
-- Update to version 2.10 (rh #2042104)
+- Use pkcs11 provider to resolve PKCS11 URIs (RHEL-86951)
+- De-clutter syslog from CTRL-EVENT-SIGNAL-CHANGE messages (RHEL-71344)
 
-* Thu Dec  9 2021 Davide Caratti <dcaratti@redhat.com> - 1:2.9-6.20211112gitc8b94bc7b347
+* Thu Feb 13 2025 Davide Caratti <dcaratti@redhat.com> - 1:2.11-3
-- restore WEP functionality (rh #2028839)
+- Enable CONFIG_IEEE80211BE (RHEL-59010)
 
-* Fri Nov 12 2021 Davide Caratti <dcaratti@redhat.com> - 1:2.9-5.20211112gitc8b94bc7b347
+* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1:2.11-2
-- Update to latest upstream tree to include support for H2E
+- Bump release for October 2024 mass rebuild:
-  Resolves: rhbz#2007333
+  Resolves: RHEL-64018
 
-* Fri Mar  5 2021 Davide Caratti <dcaratti@redhat.com> - 1:2.9-5
+* Mon Sep 16 2024 Davide Caratti <dcaratti@redhat.com> - 1:2.11-1
-- P2P: Fix a corner case in peer addition based on PD Request (CVE-2021-27803)
+- Update to version 2.11 (RHEL-59010)
-- Fix buffer overflow when processing P2P group information (CVE-2021-0326)
+- backport fix for known regression on brcmfmac (rhbz#2302577)
 
-* Fri Jan 15 2021 Davide Caratti <dcaratti@redhat.com> - 1:2.9-4
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1:2.10-11
-- enable WPA-EAP-SUITE-B-192 (rh #1916394)
+- Bump release for June 2024 mass rebuild
 
-* Tue Oct 27 2020 Davide Caratti <dcaratti@redhat.com> - 1:2.9-3
+* Fri Jun 21 2024 Davide Caratti <dcaratti@redhat.com> - 1:2.10-10
-- fix p2p_listen unexpectedly stopped after 5 seconds (rh #1693684)
+- Fix package configuration/add missing patches to avoid regressions when
-- allow changing 'bridge' via D-Bus (rh #1888050)
+  upgrading from rhel-9 (RHEL-43250)
-- expose OWE configurability via D-Bus (rh #1888718)
+- Backport P2P fix causing nmci failures (RHEL-17701)
+- Disable OpenSSL ENGINE API (RHEL-33750)
 
-* Tue Oct 29 2019 Davide Caratti <dcaratti@redhat.com> - 1:2.9-2
+* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.10-9
-- Fix AP mode PMF disconnection protection bypass (CVE-2019-16275)
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-- Fix NULL dereference in d-bus handler when P2P control interface is removed (rh #1752780)
-- enable WIFI_DISPLAY (rh #1755941)
 
-* Mon Oct 21 2019 Davide Caratti <dcaratti@redhat.com> - 1:2.9-1
+* Wed Aug 30 2023 Davide Cavalca <dcavalca@fedoraproject.org> - 1:2.10-8
-- Update to 2.9 upstream release
+- Backport WPA3 support for Broadcom devices. Fixes: rhbz#2226569
-- Enable OWE, SAE and DPP (rh #1730169)
+- Enable parsing of IPv6 addresses in RADIUS configuration (#2095296)
 
-* Thu Feb 07 2019 Davide Caratti <dcaratti@redhat.com> - 1:2.7-2
+* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.10-7
-- Enable CI gating (rh #1682340) and add a basic selftest
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
 
-* Thu Feb 07 2019 Davide Caratti <dcaratti@redhat.com> - 1:2.7-1
+* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.10-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.10-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Mon May 02 2022 Adam Williamson <awilliam@redhat.com> - 1:2.10-4
+- Allow legacy renegotiation for bad PEAP servers (James Ralston) (#2072070)
+
+* Wed Jan 26 2022 Michael Yartys <michael.yartys@protonmail.com> - 1:2.10-3
+- Enable Operating Channel Validation (OCV) support
+
+* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Mon Jan 17 2022 Davide Caratti <dcaratti@redhat.com> - 1:2.10-1
+- Update to version 2.10 (keeping CONFIG_WEP enabled). Related: rhbz#2041269
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 1:2.9-16
+- Rebuilt with OpenSSL 3.0.0
+
+* Fri Sep  3 2021 Davide Caratti <dcaratti@redhat.com> - 1:2.9-15
+- Fix NetworkManager-CI failures with OpenSSL 3.0
+
+* Tue Jul 27 2021 Dave Olsthoorn <dave@bewaar.me> - 1:2.9-14
+- Fix issues with FT a.k.a. 802.11r when not supported by adapter
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.9-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Mon Mar  1 2021 Davide Caratti <dcaratti@redhat.com> - 1:2.9-12
+- Fix a corner case in peer addition based on PD Request (CVE-2021-27803)
+
+* Thu Feb  4 2021 Davide Caratti <dcaratti@redhat.com> - 1:2.9-11
+- Fix copying of secondary device types for P2P group client (CVE-2021-0326)
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.9-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Jan 22 2021 Davide Caratti <dcaratti@redhat.com> - 1:2.9-9
+- Expose OWE capability on D-Bus
+- Allow changing interface bridge using D-Bus
+
+* Thu Dec 17 2020 Antonio Cardace <acardace@redhat.com> - 1:2.9-8
+- Enable WPA-EAP-SUITE-B-192 cipher suite
+
+* Thu Dec 17 2020 Davide Caratti <dcaratti@redhat.com> - 1:2.9-7
+- fix build on ELN target (rh #1902609)
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.9-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jun 15 2020 Benjamin Berg <bberg@redhat.com> - 1:2.9-5
+- fix some issues with P2P operation
+
+* Thu Apr 23 2020 Davide Caratti <dcaratti@redhat.com> - 1:2.9-4
+- Enable Tunneled Direct Link Setup (TDLS)
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.9-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Oct 30 2019 Davide Caratti <dcaratti@redhat.com> - 1:2.9-2
+- fix AP mode PMF disconnection protection bypass (CVE-2019-16275, rh #1767026)
+
+* Fri Aug 16 2019 Lubomir Rintel <lkundrak@v3.sk> - 1:2.9-1
+- Update to version 2.9
+
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri May 10 2019 Davide Caratti <dcaratti@redhat.com> - 1:2.8-2
+- fix changelog for version 2.8-1
+
+* Thu May 02 2019 Davide Caratti <dcaratti@redhat.com> - 1:2.8-1
+- Update to 2.8 upstream release, to include latest fix for NULL
+  pointer dereference when EAP-PWD peer receives unexpected EAP
+  fragments (CVE-2019-11555, rh #1701759)
+
+* Fri Apr 12 2019 Davide Caratti <dcaratti@redhat.com> - 1:2.7-5
+- fix SAE and EAP_PWD vulnerabilities:
+  CVE-2019-9494 (cache attack against SAE)
+  CVE-2019-9495 (cache attack against EAP-pwd)
+  CVE-2019-9496 (SAE confirm missing state validation in hostapd/AP)
+  CVE-2019-9497 (EAP-pwd server not checking for reflection attack)
+  CVE-2019-9498 (EAP-pwd server missing commit validation for scalar/element)
+  CVE-2019-9499 (EAP-pwd peer missing commit validation for scalar/element)
+
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.7-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Jan 21 2019 Lubomir Rintel <lkundrak@v3.sk> - 1:2.7-3
+- Enable OWE and DPP
+- Expose SAE support on D-Bus
+
+* Mon Jan 21 2019 Lubomir Rintel <lkundrak@v3.sk> - 1:2.7-2
+- Enable MESH & SAE
+
+* Tue Dec 18 2018 Lubomir Rintel <lkundrak@v3.sk> - 1:2.7-1
 - Update to 2.7 upstream release
 
-* Mon Sep 10 2018 Davide Caratti <dcaratti@redhat.com> - 1:2.6-17
+* Wed Aug 15 2018 Lubomir Rintel <lkundrak@v3.sk> - 1:2.6-20
-- Fix duplicate Reassociation Request frame dropping (detected by Covscan)
+- Expose availability of SHA384 and FT on D-Bus
 
-* Fri Aug 31 2018 Davide Caratti <dcaratti@redhat.com> - 1:2.6-16
+* Wed Aug 15 2018 Lubomir Rintel <lkundrak@v3.sk> - 1:2.6-19
+- Drop the broken Pmf D-Bus property patch
+
+* Wed Aug  8 2018 Davide Caratti <dcaratti@redhat.com> - 1:2.6-18
 - Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526)
 
-* Thu Jul 12 2018 Davide Caratti <dcaratti@redhat.com> - 1:2.6-15
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.6-17
-- Disable build of wpa_gui (rh #1542234)
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-- Fix build issue with latest kernel headers (rh #1582604)
+
-- Disable WEXT (rh #1537143)
+* Fri Jun 22 2018 Davide Caratti <dcaratti@redhat.com> - 1:2.6-16
-- Fix memory leak when macsec MKA/PSK is used (rh #1582511)
+- Fix endoding of NL80211_ATTR_SMPS_MODE (rh#1570903)
-- Fix authentication failure when the MAC is updated externally (rh #1582508)
+
-- Let the kernel discard EAPOL if packet type is PACKET_OTHERHOST (rh #1582501)
+* Fri May 11 2018 Davide Caratti <dcaratti@redhat.com> - 1:2.6-15
+- Make PMF configurable using D-Bus (rh#1567474)
 
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.6-14
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild