SOURCES/0001-D-Bus-Add-wep_disabled-capability.patch

@@ -0,0 +1,52 @@
+From 5b093570dca1855c5bf40bcbd8d149fa6f8ea8ff Mon Sep 17 00:00:00 2001
+Message-Id: <5b093570dca1855c5bf40bcbd8d149fa6f8ea8ff.1650620058.git.davide.caratti@gmail.com>
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Mon, 7 Mar 2022 09:54:46 +0100
+Subject: [PATCH] D-Bus: Add 'wep_disabled' capability
+
+Since commit 200c7693c9a1 ('Make WEP functionality an optional build
+parameter'), WEP support is optional and, indeed, off by default.
+
+The distributions are now catching up and disabling WEP in their builds.
+Unfortunately, there's no indication prior to an attempt to connect to a
+WEP network that it's not going to work. Add a capability to communicate
+that.
+
+Unlike other capabilities, this one is negative. That is, it indicates
+lack of a WEP support as opposed to its presence. This is necessary
+because historically there has been no capability to indicate presence
+of WEP support and therefore NetworkManager (and probably others) just
+assumes it's there.
+
+Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
+Acked-by: Davide Caratti <davide.caratti@gmail.com>
+---
+ wpa_supplicant/dbus/dbus_new_handlers.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c
+index 1c9ded09a..0b1002bf1 100644
+--- a/wpa_supplicant/dbus/dbus_new_handlers.c
++++ b/wpa_supplicant/dbus/dbus_new_handlers.c
+@@ -1121,7 +1121,7 @@ dbus_bool_t wpas_dbus_getter_global_capabilities(
+ 	const struct wpa_dbus_property_desc *property_desc,
+ 	DBusMessageIter *iter, DBusError *error, void *user_data)
+ {
+-	const char *capabilities[13];
++	const char *capabilities[14];
+ 	size_t num_items = 0;
+ 	struct wpa_global *global = user_data;
+ 	struct wpa_supplicant *wpa_s;
+@@ -1177,6 +1177,9 @@ dbus_bool_t wpas_dbus_getter_global_capabilities(
+ #endif /* CONFIG_SUITEB192 */
+ 	if (ext_key_id_supported)
+ 		capabilities[num_items++] = "extended_key_id";
++#ifndef CONFIG_WEP
++	capabilities[num_items++] = "wep_disabled";
++#endif /* !CONFIG_WEP */
+ 
+ 	return wpas_dbus_simple_array_property_getter(iter,
+ 						      DBUS_TYPE_STRING,
+-- 
+2.35.1
+

SOURCES/0001-EAP-peer-Workaround-for-servers-that-do-not-support-.patch

@@ -0,0 +1,103 @@
+From 566ce69a8d0e64093309cbde80235aa522fbf84e Mon Sep 17 00:00:00 2001
+Message-Id: <566ce69a8d0e64093309cbde80235aa522fbf84e.1652450572.git.davide.caratti@gmail.com>
+From: Jouni Malinen <quic_jouni@quicinc.com>
+Date: Thu, 5 May 2022 00:07:44 +0300
+Subject: [PATCH] EAP peer: Workaround for servers that do not support safe TLS
+ renegotiation
+
+The TLS protocol design for renegotiation was identified to have a
+significant security flaw in 2009 and an extension to secure this design
+was published in 2010 (RFC 5746). However, some old RADIUS
+authentication servers without support for this are still used commonly.
+
+This is obviously not good from the security view point, but since there
+are cases where the user of a network service has no realistic means for
+getting the authentication server upgraded, TLS handshake may still need
+to be allowed to be able to use the network.
+
+OpenSSL 3.0 disabled the client side workaround by default and this
+resulted in issues connection to some networks with insecure
+authentication servers. With OpenSSL 3.0, the client is now enforcing
+security by refusing to authenticate with such servers. The pre-3.0
+behavior of ignoring this issue and leaving security to the server can
+now be enabled with a new phase1 parameter allow_unsafe_renegotiation=1.
+This should be used only when having to connect to a network that has an
+insecure authentication server that cannot be upgraded.
+
+The old (pre-2010) TLS renegotiation mechanism might open security
+vulnerabilities if the authentication server were to allow TLS
+renegotiation to be initiated. While this is unlikely to cause real
+issues with EAP-TLS, there might be cases where use of PEAP or TTLS with
+an authentication server that does not support RFC 5746 might result in
+a security vulnerability.
+
+Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
+---
+ src/crypto/tls.h                   | 1 +
+ src/crypto/tls_openssl.c           | 5 +++++
+ src/eap_peer/eap_tls_common.c      | 4 ++++
+ wpa_supplicant/wpa_supplicant.conf | 5 +++++
+ 4 files changed, 15 insertions(+)
+
+diff --git a/src/crypto/tls.h b/src/crypto/tls.h
+index ccaac94c9..7ea32ee4a 100644
+--- a/src/crypto/tls.h
++++ b/src/crypto/tls.h
+@@ -112,6 +112,7 @@ struct tls_config {
+ #define TLS_CONN_ENABLE_TLSv1_1 BIT(15)
+ #define TLS_CONN_ENABLE_TLSv1_2 BIT(16)
+ #define TLS_CONN_TEAP_ANON_DH BIT(17)
++#define TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION BIT(18)
+ 
+ /**
+  * struct tls_connection_params - Parameters for TLS connection
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 388c6b0f4..0d23f44ad 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -3081,6 +3081,11 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
+ 		SSL_clear_options(ssl, SSL_OP_NO_TICKET);
+ #endif /* SSL_OP_NO_TICKET */
+ 
++#ifdef SSL_OP_LEGACY_SERVER_CONNECT
++	if (flags & TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION)
++		SSL_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
++#endif /* SSL_OP_LEGACY_SERVER_CONNECT */
++
+ #ifdef SSL_OP_NO_TLSv1
+ 	if (flags & TLS_CONN_DISABLE_TLSv1_0)
+ 		SSL_set_options(ssl, SSL_OP_NO_TLSv1);
+diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
+index 06c9b211e..6193b4bdb 100644
+--- a/src/eap_peer/eap_tls_common.c
++++ b/src/eap_peer/eap_tls_common.c
+@@ -102,6 +102,10 @@ static void eap_tls_params_flags(struct tls_connection_params *params,
+ 		params->flags |= TLS_CONN_SUITEB_NO_ECDH;
+ 	if (os_strstr(txt, "tls_suiteb_no_ecdh=0"))
+ 		params->flags &= ~TLS_CONN_SUITEB_NO_ECDH;
++	if (os_strstr(txt, "allow_unsafe_renegotiation=1"))
++		params->flags |= TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION;
++	if (os_strstr(txt, "allow_unsafe_renegotiation=0"))
++		params->flags &= ~TLS_CONN_ALLOW_UNSAFE_RENEGOTIATION;
+ }
+ 
+ 
+diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
+index a1dc769c9..b5304a77e 100644
+--- a/wpa_supplicant/wpa_supplicant.conf
++++ b/wpa_supplicant/wpa_supplicant.conf
+@@ -1370,6 +1370,11 @@ fast_reauth=1
+ # tls_suiteb=0 - do not apply Suite B 192-bit constraints on TLS (default)
+ # tls_suiteb=1 - apply Suite B 192-bit constraints on TLS; this is used in
+ #	particular when using Suite B with RSA keys of >= 3K (3072) bits
++# allow_unsafe_renegotiation=1 - allow connection with a TLS server that does
++#	not support safe renegotiation (RFC 5746); please note that this
++#	workaround should be only when having to authenticate with an old
++#	authentication server that cannot be updated to use secure TLS
++#	implementation.
+ #
+ # Following certificate/private key fields are used in inner Phase2
+ # authentication when using EAP-TTLS or EAP-PEAP.
+-- 
+2.35.1
+

SOURCES/0001-EAP-peer-status-notification-for-server-not-supporti.patch

@@ -0,0 +1,106 @@
+From a561d12d24c2c8bb0f825d4a3a55a5e47e845853 Mon Sep 17 00:00:00 2001
+Message-Id: <a561d12d24c2c8bb0f825d4a3a55a5e47e845853.1652450863.git.davide.caratti@gmail.com>
+From: Jouni Malinen <quic_jouni@quicinc.com>
+Date: Wed, 4 May 2022 23:55:38 +0300
+Subject: [PATCH] EAP peer status notification for server not supporting RFC
+ 5746
+
+Add a notification message to indicate reason for TLS handshake failure
+due to the server not supporting safe renegotiation (RFC 5746).
+
+Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
+---
+ src/ap/authsrv.c         |  3 +++
+ src/crypto/tls.h         |  3 ++-
+ src/crypto/tls_openssl.c | 15 +++++++++++++--
+ src/eap_peer/eap.c       |  5 +++++
+ 4 files changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/src/ap/authsrv.c b/src/ap/authsrv.c
+index 516c1da74..fd9c96fad 100644
+--- a/src/ap/authsrv.c
++++ b/src/ap/authsrv.c
+@@ -169,6 +169,9 @@ static void authsrv_tls_event(void *ctx, enum tls_event ev,
+ 			wpa_printf(MSG_DEBUG, "authsrv: remote TLS alert: %s",
+ 				   data->alert.description);
+ 		break;
++	case TLS_UNSAFE_RENEGOTIATION_DISABLED:
++		/* Not applicable to TLS server */
++		break;
+ 	}
+ }
+ #endif /* EAP_TLS_FUNCS */
+diff --git a/src/crypto/tls.h b/src/crypto/tls.h
+index 7ea32ee4a..7a2ee32df 100644
+--- a/src/crypto/tls.h
++++ b/src/crypto/tls.h
+@@ -22,7 +22,8 @@ enum tls_event {
+ 	TLS_CERT_CHAIN_SUCCESS,
+ 	TLS_CERT_CHAIN_FAILURE,
+ 	TLS_PEER_CERTIFICATE,
+-	TLS_ALERT
++	TLS_ALERT,
++	TLS_UNSAFE_RENEGOTIATION_DISABLED,
+ };
+ 
+ /*
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 0d23f44ad..912471ba2 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -4443,6 +4443,7 @@ int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
+ static struct wpabuf *
+ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
+ {
++	struct tls_context *context = conn->context;
+ 	int res;
+ 	struct wpabuf *out_data;
+ 
+@@ -4472,7 +4473,19 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
+ 			wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want to "
+ 				   "write");
+ 		else {
++			unsigned long error = ERR_peek_last_error();
++
+ 			tls_show_errors(MSG_INFO, __func__, "SSL_connect");
++
++			if (context->event_cb &&
++			    ERR_GET_LIB(error) == ERR_LIB_SSL &&
++			    ERR_GET_REASON(error) ==
++			    SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED) {
++				context->event_cb(
++					context->cb_ctx,
++					TLS_UNSAFE_RENEGOTIATION_DISABLED,
++					NULL);
++			}
+ 			conn->failed++;
+ 			if (!conn->server && !conn->client_hello_generated) {
+ 				/* The server would not understand TLS Alert
+@@ -4495,8 +4508,6 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
+ 	if ((conn->flags & TLS_CONN_SUITEB) && !conn->server &&
+ 	    os_strncmp(SSL_get_cipher(conn->ssl), "DHE-", 4) == 0 &&
+ 	    conn->server_dh_prime_len < 3072) {
+-		struct tls_context *context = conn->context;
+-
+ 		/*
+ 		 * This should not be reached since earlier cert_cb should have
+ 		 * terminated the handshake. Keep this check here for extra
+diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
+index 429b20d3a..729388f4f 100644
+--- a/src/eap_peer/eap.c
++++ b/src/eap_peer/eap.c
+@@ -2172,6 +2172,11 @@ static void eap_peer_sm_tls_event(void *ctx, enum tls_event ev,
+ 			eap_notify_status(sm, "remote TLS alert",
+ 					  data->alert.description);
+ 		break;
++	case TLS_UNSAFE_RENEGOTIATION_DISABLED:
++		wpa_printf(MSG_INFO,
++			   "TLS handshake failed due to the server not supporting safe renegotiation (RFC 5746); phase1 parameter allow_unsafe_renegotiation=1 can be used to work around this");
++		eap_notify_status(sm, "unsafe server renegotiation", "failure");
++		break;
+ 	}
+ 
+ 	os_free(hash_hex);
+-- 
+2.35.1
+

SOURCES/build-config

@@ -1,47 +0,0 @@
-CONFIG_CTRL_IFACE=y
-CONFIG_CTRL_IFACE_DBUS=y
-CONFIG_CTRL_IFACE_DBUS_NEW=y
-CONFIG_CTRL_IFACE_DBUS_INTRO=y
-CONFIG_LIBNL32=y
-CONFIG_DRIVER_NL80211=y
-CONFIG_DRIVER_WIRED=y
-CONFIG_DRIVER_MACSEC_LINUX=y
-CONFIG_IEEE8021X_EAPOL=y
-CONFIG_EAP_MD5=y
-CONFIG_EAP_MSCHAPV2=y
-CONFIG_EAP_TLS=y
-CONFIG_EAP_PEAP=y
-CONFIG_EAP_TTLS=y
-CONFIG_EAP_FAST=y
-CONFIG_EAP_GTC=y
-CONFIG_EAP_OTP=y
-CONFIG_EAP_AKA=y
-CONFIG_EAP_PAX=y
-CONFIG_EAP_LEAP=y
-CONFIG_EAP_SAKE=y
-CONFIG_EAP_GPSK=y
-CONFIG_EAP_GPSK_SHA256=y
-CONFIG_EAP_TNC=y
-CONFIG_WPS=y
-CONFIG_EAP_IKEV2=y
-CONFIG_PKCS12=y
-CONFIG_SMARTCARD=y
-CONFIG_DEBUG_SYSLOG=y
-CONFIG_DEBUG_FILE=y
-CONFIG_BACKEND=file
-CONFIG_PEERKEY=y
-CONFIG_BGSCAN_SIMPLE=y
-#CONFIG_FIPS=y
-CONFIG_AP=y
-CONFIG_P2P=y
-CONFIG_IBSS_RSN=y
-CONFIG_IEEE80211N=y
-CONFIG_MACSEC=y
-CONFIG_TLS_DEFAULT_CIPHERS="PROFILE=SYSTEM:3DES"
-CONFIG_IEEE80211W=y
-CONFIG_SAE=y
-CONFIG_OWE=y
-CONFIG_DPP=y
-CONFIG_WIFI_DISPLAY=y
-CONFIG_SUITEB192=y
-CONFIG_WEP=Y

SOURCES/rh1542234-remove-wpa_gui.patch

@@ -1,21 +0,0 @@
---- a/wpa_supplicant/doc/docbook/Makefile
-+++ b/wpa_supplicant/doc/docbook/Makefile
-@@ -2,9 +2,7 @@ all: man html pdf
- 
- FILES += wpa_background
- FILES += wpa_cli
--FILES += wpa_gui
- FILES += wpa_passphrase
--FILES += wpa_priv
- FILES += wpa_supplicant.conf
- FILES += wpa_supplicant
- FILES += eapol_test
-@@ -21,7 +19,7 @@ pdf:
- 
- 
- clean:
--	rm -f wpa_background.8 wpa_cli.8 wpa_gui.8 wpa_passphrase.8 wpa_priv.8 wpa_supplicant.8 eapol_test.8
-+	rm -f wpa_background.8 wpa_cli.8 wpa_passphrase.8 wpa_supplicant.8 eapol_test.8
- 	rm -f wpa_supplicant.conf.5
- 	rm -f manpage.links manpage.refs
- 	rm -f $(FILES:%=%.pdf)

SOURCES/wpa_supplicant-MACsec-Support-GCM-AES-256-cipher-suite.patch

@@ -0,0 +1,192 @@
+From 46c635910a724ed14ee9ace549fed9790ed5980b Mon Sep 17 00:00:00 2001
+Message-ID: <46c635910a724ed14ee9ace549fed9790ed5980b.1706279119.git.davide.caratti@gmail.com>
+From: leiwei <quic_leiwei@quicinc.com>
+Date: Mon, 15 Nov 2021 18:22:19 +0800
+Subject: [PATCH] MACsec: Support GCM-AES-256 cipher suite
+
+Allow macsec_csindex to be configured and select the cipher suite when
+the participant acts as a key server.
+
+Signed-off-by: leiwei <quic_leiwei@quicinc.com>
+---
+ hostapd/config_file.c        | 10 ++++++++++
+ hostapd/hostapd.conf         |  4 ++++
+ src/ap/ap_config.h           |  7 +++++++
+ src/ap/wpa_auth_kay.c        |  4 +++-
+ src/pae/ieee802_1x_cp.c      |  8 ++++----
+ src/pae/ieee802_1x_kay.c     | 17 +++++++++++++----
+ src/pae/ieee802_1x_kay.h     |  3 ++-
+ wpa_supplicant/config.c      |  1 +
+ wpa_supplicant/config_file.c |  1 +
+ wpa_supplicant/config_ssid.h |  7 +++++++
+ wpa_supplicant/wpas_kay.c    |  4 ++--
+ 11 files changed, 54 insertions(+), 12 deletions(-)
+
+--- a/src/ap/ap_config.h
++++ b/src/ap/ap_config.h
+@@ -849,6 +849,13 @@ struct hostapd_bss_config {
+ 	int mka_priority;
+ 
+ 	/**
++	 * macsec_csindex - Cipher suite index for MACsec
++	 *
++	 * Range: 0-1 (default: 0)
++	 */
++	int macsec_csindex;
++
++	/**
+ 	 * mka_ckn - MKA pre-shared CKN
+ 	 */
+ #define MACSEC_CKN_MAX_LEN 32
+--- a/src/ap/wpa_auth_kay.c
++++ b/src/ap/wpa_auth_kay.c
+@@ -329,7 +329,9 @@ int ieee802_1x_alloc_kay_sm_hapd(struct
+ 				  hapd->conf->macsec_replay_protect,
+ 				  hapd->conf->macsec_replay_window,
+ 				  hapd->conf->macsec_port,
+-				  hapd->conf->mka_priority, hapd->conf->iface,
++				  hapd->conf->mka_priority,
++				  hapd->conf->macsec_csindex,
++				  hapd->conf->iface,
+ 				  hapd->own_addr);
+ 	/* ieee802_1x_kay_init() frees kay_ctx on failure */
+ 	if (!res)
+--- a/src/pae/ieee802_1x_cp.c
++++ b/src/pae/ieee802_1x_cp.c
+@@ -20,7 +20,7 @@
+ #define STATE_MACHINE_DATA struct ieee802_1x_cp_sm
+ #define STATE_MACHINE_DEBUG_PREFIX "CP"
+ 
+-static u64 default_cs_id = CS_ID_GCM_AES_128;
++static u64 cs_id[] = { CS_ID_GCM_AES_128, CS_ID_GCM_AES_256 };
+ 
+ /* The variable defined in clause 12 in IEEE Std 802.1X-2010 */
+ enum connect_type { PENDING, UNAUTHENTICATED, AUTHENTICATED, SECURE };
+@@ -210,7 +210,6 @@ SM_STATE(CP, SECURED)
+ 	sm->replay_protect = sm->kay->macsec_replay_protect;
+ 	sm->validate_frames = sm->kay->macsec_validate;
+ 
+-	/* NOTE: now no other than default cipher suite (AES-GCM-128) */
+ 	sm->current_cipher_suite = sm->cipher_suite;
+ 	secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite);
+ 
+@@ -473,8 +472,8 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_
+ 	sm->orx = false;
+ 	sm->otx = false;
+ 
+-	sm->current_cipher_suite = default_cs_id;
+-	sm->cipher_suite = default_cs_id;
++	sm->current_cipher_suite = cs_id[kay->macsec_csindex];
++	sm->cipher_suite = cs_id[kay->macsec_csindex];
+ 	sm->cipher_offset = CONFIDENTIALITY_OFFSET_0;
+ 	sm->confidentiality_offset = sm->cipher_offset;
+ 	sm->transmit_delay = MKA_LIFE_TIME;
+@@ -491,6 +490,7 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_
+ 	secy_cp_control_enable_port(sm->kay, sm->controlled_port_enabled);
+ 	secy_cp_control_confidentiality_offset(sm->kay,
+ 					       sm->confidentiality_offset);
++	secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite);
+ 
+ 	SM_STEP_RUN(CP);
+ 
+--- a/src/pae/ieee802_1x_kay.c
++++ b/src/pae/ieee802_1x_kay.c
+@@ -221,8 +221,16 @@ ieee802_1x_mka_dump_dist_sak_body(struct
+ 
+ 	wpa_printf(MSG_DEBUG, "\tKey Number............: %d",
+ 		   be_to_host32(body->kn));
+-	/* TODO: Other than GCM-AES-128 case: MACsec Cipher Suite */
+-	wpa_hexdump(MSG_DEBUG, "\tAES Key Wrap of SAK...:", body->sak, 24);
++	if (body_len == 28) {
++		wpa_hexdump(MSG_DEBUG, "\tAES Key Wrap of SAK...:",
++			    body->sak, 24);
++	} else if (body_len > CS_ID_LEN - sizeof(body->kn)) {
++		wpa_hexdump(MSG_DEBUG, "\tMACsec Cipher Suite...:",
++			    body->sak, CS_ID_LEN);
++		wpa_hexdump(MSG_DEBUG, "\tAES Key Wrap of SAK...:",
++			    body->sak + CS_ID_LEN,
++			    body_len - CS_ID_LEN - sizeof(body->kn));
++	}
+ }
+ 
+ 
+@@ -3456,7 +3464,8 @@ static void kay_l2_receive(void *ctx, co
+ struct ieee802_1x_kay *
+ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
+ 		    bool macsec_replay_protect, u32 macsec_replay_window,
+-		    u16 port, u8 priority, const char *ifname, const u8 *addr)
++		    u16 port, u8 priority, u32 macsec_csindex,
++		    const char *ifname, const u8 *addr)
+ {
+ 	struct ieee802_1x_kay *kay;
+ 
+@@ -3493,7 +3502,7 @@ ieee802_1x_kay_init(struct ieee802_1x_ka
+ 	kay->dist_time = 0;
+ 
+ 	kay->pn_exhaustion = PENDING_PN_EXHAUSTION;
+-	kay->macsec_csindex = DEFAULT_CS_INDEX;
++	kay->macsec_csindex = macsec_csindex;
+ 	kay->mka_algindex = DEFAULT_MKA_ALG_INDEX;
+ 	kay->mka_version = MKA_VERSION_ID;
+ 
+--- a/src/pae/ieee802_1x_kay.h
++++ b/src/pae/ieee802_1x_kay.h
+@@ -240,7 +240,8 @@ u64 mka_sci_u64(struct ieee802_1x_mka_sc
+ struct ieee802_1x_kay *
+ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
+ 		    bool macsec_replay_protect, u32 macsec_replay_window,
+-		    u16 port, u8 priority, const char *ifname, const u8 *addr);
++		    u16 port, u8 priority, u32 macsec_csindex,
++		    const char *ifname, const u8 *addr);
+ void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);
+ 
+ struct ieee802_1x_mka_participant *
+--- a/wpa_supplicant/config.c
++++ b/wpa_supplicant/config.c
+@@ -2612,6 +2612,7 @@ static const struct parse_data ssid_fiel
+ 	{ INT(macsec_replay_window) },
+ 	{ INT_RANGE(macsec_port, 1, 65534) },
+ 	{ INT_RANGE(mka_priority, 0, 255) },
++	{ INT_RANGE(macsec_csindex, 0, 1) },
+ 	{ FUNC_KEY(mka_cak) },
+ 	{ FUNC_KEY(mka_ckn) },
+ #endif /* CONFIG_MACSEC */
+--- a/wpa_supplicant/config_file.c
++++ b/wpa_supplicant/config_file.c
+@@ -810,6 +810,7 @@ static void wpa_config_write_network(FIL
+ 	INT(macsec_replay_window);
+ 	INT(macsec_port);
+ 	INT_DEF(mka_priority, DEFAULT_PRIO_NOT_KEY_SERVER);
++	INT(macsec_csindex);
+ #endif /* CONFIG_MACSEC */
+ #ifdef CONFIG_HS20
+ 	INT(update_identifier);
+--- a/wpa_supplicant/config_ssid.h
++++ b/wpa_supplicant/config_ssid.h
+@@ -912,6 +912,13 @@ struct wpa_ssid {
+ 	int mka_priority;
+ 
+ 	/**
++	 * macsec_csindex - Cipher suite index for MACsec
++	 *
++	 * Range: 0-1 (default: 0)
++	 */
++	int macsec_csindex;
++
++	/**
+ 	 * mka_ckn - MKA pre-shared CKN
+ 	 */
+ #define MACSEC_CKN_MAX_LEN 32
+--- a/wpa_supplicant/wpas_kay.c
++++ b/wpa_supplicant/wpas_kay.c
+@@ -241,8 +241,8 @@ int ieee802_1x_alloc_kay_sm(struct wpa_s
+ 
+ 	res = ieee802_1x_kay_init(kay_ctx, policy, ssid->macsec_replay_protect,
+ 				  ssid->macsec_replay_window, ssid->macsec_port,
+-				  ssid->mka_priority, wpa_s->ifname,
+-				  wpa_s->own_addr);
++				  ssid->mka_priority, ssid->macsec_csindex,
++				  wpa_s->ifname, wpa_s->own_addr);
+ 	/* ieee802_1x_kay_init() frees kay_ctx on failure */
+ 	if (res == NULL)
+ 		return -1;

SOURCES/wpa_supplicant-PEAP-client-Update-Phase-2-authentication-requiremen.patch

@@ -0,0 +1,198 @@
+From 8e6485a1bcb0baffdea9e55255a81270b768439c Mon Sep 17 00:00:00 2001
+Message-ID: <8e6485a1bcb0baffdea9e55255a81270b768439c.1708356763.git.davide.caratti@gmail.com>
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 8 Jul 2023 19:55:32 +0300
+Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements
+
+The previous PEAP client behavior allowed the server to skip Phase 2
+authentication with the expectation that the server was authenticated
+during Phase 1 through TLS server certificate validation. Various PEAP
+specifications are not exactly clear on what the behavior on this front
+is supposed to be and as such, this ended up being more flexible than
+the TTLS/FAST/TEAP cases. However, this is not really ideal when
+unfortunately common misconfiguration of PEAP is used in deployed
+devices where the server trust root (ca_cert) is not configured or the
+user has an easy option for allowing this validation step to be skipped.
+
+Change the default PEAP client behavior to be to require Phase 2
+authentication to be successfully completed for cases where TLS session
+resumption is not used and the client certificate has not been
+configured. Those two exceptions are the main cases where a deployed
+authentication server might skip Phase 2 and as such, where a more
+strict default behavior could result in undesired interoperability
+issues. Requiring Phase 2 authentication will end up disabling TLS
+session resumption automatically to avoid interoperability issues.
+
+Allow Phase 2 authentication behavior to be configured with a new phase1
+configuration parameter option:
+'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
+tunnel) behavior for PEAP:
+ * 0 = do not require Phase 2 authentication
+ * 1 = require Phase 2 authentication when client certificate
+   (private_key/client_cert) is no used and TLS session resumption was
+   not used (default)
+ * 2 = require Phase 2 authentication in all cases
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/eap_peer/eap_config.h          |  8 ++++++
+ src/eap_peer/eap_peap.c            | 40 +++++++++++++++++++++++++++---
+ src/eap_peer/eap_tls_common.c      |  6 +++++
+ src/eap_peer/eap_tls_common.h      |  5 ++++
+ wpa_supplicant/wpa_supplicant.conf |  7 ++++++
+ 5 files changed, 63 insertions(+), 3 deletions(-)
+
+--- a/src/eap_peer/eap_config.h
++++ b/src/eap_peer/eap_config.h
+@@ -469,6 +469,14 @@ struct eap_peer_config {
+ 	 * 1 = use cryptobinding if server supports it
+ 	 * 2 = require cryptobinding
+ 	 *
++	 * phase2_auth option can be used to control Phase 2 (i.e., within TLS
++	 * tunnel) behavior for PEAP:
++	 * 0 = do not require Phase 2 authentication
++	 * 1 = require Phase 2 authentication when client certificate
++	 *  (private_key/client_cert) is no used and TLS session resumption was
++	 *  not used (default)
++	 * 2 = require Phase 2 authentication in all cases
++	 *
+ 	 * EAP-WSC (WPS) uses following options: pin=Device_Password and
+ 	 * uuid=Device_UUID
+ 	 *
+--- a/src/eap_peer/eap_peap.c
++++ b/src/eap_peer/eap_peap.c
+@@ -67,6 +67,7 @@ struct eap_peap_data {
+ 	u8 cmk[20];
+ 	int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
+ 		  * is enabled. */
++	enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
+ };
+ 
+ 
+@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct
+ 		wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
+ 	}
+ 
++	if (os_strstr(phase1, "phase2_auth=0")) {
++		data->phase2_auth = NO_AUTH;
++		wpa_printf(MSG_DEBUG,
++			   "EAP-PEAP: Do not require Phase 2 authentication");
++	} else if (os_strstr(phase1, "phase2_auth=1")) {
++		data->phase2_auth = FOR_INITIAL;
++		wpa_printf(MSG_DEBUG,
++			   "EAP-PEAP: Require Phase 2 authentication for initial connection");
++	} else if (os_strstr(phase1, "phase2_auth=2")) {
++		data->phase2_auth = ALWAYS;
++		wpa_printf(MSG_DEBUG,
++			   "EAP-PEAP: Require Phase 2 authentication for all cases");
++	}
+ #ifdef EAP_TNC
+ 	if (os_strstr(phase1, "tnc=soh2")) {
+ 		data->soh = 2;
+@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_s
+ 	data->force_peap_version = -1;
+ 	data->peap_outer_success = 2;
+ 	data->crypto_binding = OPTIONAL_BINDING;
++	data->phase2_auth = FOR_INITIAL;
+ 
+ 	if (config && config->phase1)
+ 		eap_peap_parse_phase1(data, config->phase1);
+@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobindin
+ }
+ 
+ 
++static bool peap_phase2_sufficient(struct eap_sm *sm,
++				   struct eap_peap_data *data)
++{
++	if ((data->phase2_auth == ALWAYS ||
++	     (data->phase2_auth == FOR_INITIAL &&
++	      !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) &&
++	      !data->ssl.client_cert_conf) ||
++	     data->phase2_eap_started) &&
++	    !data->phase2_eap_success)
++		return false;
++	return true;
++}
++
++
+ /**
+  * eap_tlv_process - Process a received EAP-TLV message and generate a response
+  * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
+@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm
+ 					   " - force failed Phase 2");
+ 				resp_status = EAP_TLV_RESULT_FAILURE;
+ 				ret->decision = DECISION_FAIL;
++			} else if (!peap_phase2_sufficient(sm, data)) {
++				wpa_printf(MSG_INFO,
++					   "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");
++				resp_status = EAP_TLV_RESULT_FAILURE;
++				ret->decision = DECISION_FAIL;
+ 			} else {
+ 				resp_status = EAP_TLV_RESULT_SUCCESS;
+ 				ret->decision = DECISION_UNCOND_SUCC;
+@@ -887,8 +921,7 @@ continue_req:
+ 			/* EAP-Success within TLS tunnel is used to indicate
+ 			 * shutdown of the TLS channel. The authentication has
+ 			 * been completed. */
+-			if (data->phase2_eap_started &&
+-			    !data->phase2_eap_success) {
++			if (!peap_phase2_sufficient(sm, data)) {
+ 				wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
+ 					   "Success used to indicate success, "
+ 					   "but Phase 2 EAP was not yet "
+@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(
+ static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)
+ {
+ 	struct eap_peap_data *data = priv;
++
+ 	return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
+-		data->phase2_success;
++		data->phase2_success && data->phase2_auth != ALWAYS;
+ }
+ 
+ 
+--- a/src/eap_peer/eap_tls_common.c
++++ b/src/eap_peer/eap_tls_common.c
+@@ -239,6 +239,12 @@ static int eap_tls_params_from_conf(stru
+ 
+ 	sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
+ 
++	if (!phase2)
++		data->client_cert_conf = params->client_cert ||
++			params->client_cert_blob ||
++			params->private_key ||
++			params->private_key_blob;
++
+ 	return 0;
+ }
+ 
+--- a/src/eap_peer/eap_tls_common.h
++++ b/src/eap_peer/eap_tls_common.h
+@@ -79,6 +79,11 @@ struct eap_ssl_data {
+ 	 * tls_v13 - Whether TLS v1.3 or newer is used
+ 	 */
+ 	int tls_v13;
++
++	/**
++	 * client_cert_conf: Whether client certificate has been configured
++	 */
++	bool client_cert_conf;
+ };
+ 
+ 
+--- a/wpa_supplicant/wpa_supplicant.conf
++++ b/wpa_supplicant/wpa_supplicant.conf
+@@ -1330,6 +1330,13 @@ fast_reauth=1
+ #	 * 0 = do not use cryptobinding (default)
+ #	 * 1 = use cryptobinding if server supports it
+ #	 * 2 = require cryptobinding
++#	'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
++#	tunnel) behavior for PEAP:
++#	 * 0 = do not require Phase 2 authentication
++#	 * 1 = require Phase 2 authentication when client certificate
++#	   (private_key/client_cert) is no used and TLS session resumption was
++#	   not used (default)
++#	 * 2 = require Phase 2 authentication in all cases
+ #	EAP-WSC (WPS) uses following options: pin=<Device Password> or
+ #	pbc=1.
+ #

SOURCES/wpa_supplicant-config.patch

@@ -0,0 +1,71 @@
+From 72ee1e934e98ea87e4de292958817e724114703e Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Fri, 6 Sep 2019 09:46:00 +0200
+Subject: [PATCH] defconfig: Fedora configuration
+
+---
+ wpa_supplicant/defconfig | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/wpa_supplicant/defconfig
++++ b/wpa_supplicant/defconfig
+@@ -146,7 +146,7 @@ CONFIG_EAP_PAX=y
+ CONFIG_EAP_LEAP=y
+ 
+ # EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
+-#CONFIG_EAP_AKA=y
++CONFIG_EAP_AKA=y
+ 
+ # EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used).
+ # This requires CONFIG_EAP_AKA to be enabled, too.
+@@ -338,6 +338,7 @@ CONFIG_BACKEND=file
+ # Select which ciphers to use by default with OpenSSL if the user does not
+ # specify them.
+ #CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
++CONFIG_TLS_DEFAULT_CIPHERS="PROFILE=SYSTEM:3DES"
+ 
+ # If CONFIG_TLS=internal is used, additional library and include paths are
+ # needed for LibTomMath. Alternatively, an integrated, minimal version of
+@@ -390,7 +391,7 @@ CONFIG_CTRL_IFACE_DBUS_INTRO=y
+ #CONFIG_DYNAMIC_EAP_METHODS=y
+ 
+ # IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
+-CONFIG_IEEE80211R=y
++#CONFIG_IEEE80211R=y
+ 
+ # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
+ CONFIG_DEBUG_FILE=y
+@@ -469,7 +470,7 @@ CONFIG_DEBUG_SYSLOG=y
+ # Should we attempt to use the getrandom(2) call that provides more reliable
+ # yet secure randomness source than /dev/random on Linux 3.17 and newer.
+ # Requires glibc 2.25 to build, falls back to /dev/random if unavailable.
+-#CONFIG_GETRANDOM=y
++CONFIG_GETRANDOM=y
+ 
+ # IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
+ CONFIG_IEEE80211AC=y
+@@ -587,7 +588,7 @@ CONFIG_IBSS_RSN=y
+ #CONFIG_PMKSA_CACHE_EXTERNAL=y
+ 
+ # Mesh Networking (IEEE 802.11s)
+-#CONFIG_MESH=y
++CONFIG_MESH=y
+ 
+ # Background scanning modules
+ # These can be used to request wpa_supplicant to perform background scanning
+@@ -601,7 +602,7 @@ CONFIG_BGSCAN_SIMPLE=y
+ 
+ # Opportunistic Wireless Encryption (OWE)
+ # Experimental implementation of draft-harkins-owe-07.txt
+-#CONFIG_OWE=y
++CONFIG_OWE=y
+ 
+ # Device Provisioning Protocol (DPP) (also known as Wi-Fi Easy Connect)
+ CONFIG_DPP=y
+@@ -633,3 +634,6 @@ CONFIG_DPP2=y
+ # design is still subject to change. As such, this should not yet be enabled in
+ # production use.
+ #CONFIG_PASN=y
++#
++CONFIG_SUITEB192=y
++

SOURCES/wpa_supplicant-macsec_linux-Add-support-for-MACsec-hardware-offload.patch

@@ -0,0 +1,106 @@
+From 40c139664439b2576e1506fbca14a7b79425a9dd Mon Sep 17 00:00:00 2001
+Message-ID: <40c139664439b2576e1506fbca14a7b79425a9dd.1706279171.git.davide.caratti@gmail.com>
+From: Emeel Hakim <ehakim@nvidia.com>
+Date: Tue, 14 Feb 2023 10:26:57 +0200
+Subject: [PATCH] macsec_linux: Add support for MACsec hardware offload
+
+This uses libnl3 to communicate with the macsec module available on
+Linux. A recent enough version of libnl is needed for the hardware
+offload support.
+
+Signed-off-by: Emeel Hakim <ehakim@nvidia.com>
+---
+ src/drivers/driver_macsec_linux.c | 49 +++++++++++++++++++++++++++++++
+ 1 file changed, 49 insertions(+)
+
+diff --git a/src/drivers/driver_macsec_linux.c b/src/drivers/driver_macsec_linux.c
+index b609bbf38..c79e8733a 100644
+--- a/src/drivers/driver_macsec_linux.c
++++ b/src/drivers/driver_macsec_linux.c
+@@ -32,6 +32,10 @@
+ 
+ #define UNUSED_SCI 0xffffffffffffffff
+ 
++#if LIBNL_VER_NUM >= LIBNL_VER(3, 6)
++#define LIBNL_HAS_OFFLOAD
++#endif
++
+ struct cb_arg {
+ 	struct macsec_drv_data *drv;
+ 	u32 *pn;
+@@ -73,6 +77,11 @@ struct macsec_drv_data {
+ 	bool replay_protect;
+ 	bool replay_protect_set;
+ 
++#ifdef LIBNL_HAS_OFFLOAD
++	enum macsec_offload offload;
++	bool offload_set;
++#endif /* LIBNL_HAS_OFFLOAD */
++
+ 	u32 replay_window;
+ 
+ 	u8 encoding_sa;
+@@ -228,6 +237,15 @@ static int try_commit(struct macsec_drv_data *drv)
+ 						    drv->replay_window);
+ 	}
+ 
++#ifdef LIBNL_HAS_OFFLOAD
++	if (drv->offload_set) {
++		wpa_printf(MSG_DEBUG, DRV_PREFIX
++			   "%s: try_commit offload=%d",
++			   drv->ifname, drv->offload);
++		rtnl_link_macsec_set_offload(drv->link, drv->offload);
++	}
++#endif /* LIBNL_HAS_OFFLOAD */
++
+ 	if (drv->encoding_sa_set) {
+ 		wpa_printf(MSG_DEBUG, DRV_PREFIX
+ 			   "%s: try_commit encoding_sa=%d",
+@@ -455,6 +473,36 @@ static int macsec_drv_set_replay_protect(void *priv, bool enabled,
+ }
+ 
+ 
++/**
++ * macsec_drv_set_offload - Set offload status
++ * @priv: Private driver interface data
++ * @offload: 0 = MACSEC_OFFLOAD_OFF
++ *           1 = MACSEC_OFFLOAD_PHY
++ *           2 = MACSEC_OFFLOAD_MAC
++ * Returns: 0 on success, -1 on failure (or if not supported)
++ */
++static int macsec_drv_set_offload(void *priv, u8 offload)
++{
++#ifdef LIBNL_HAS_OFFLOAD
++	struct macsec_drv_data *drv = priv;
++
++	wpa_printf(MSG_DEBUG, "%s -> %02" PRIx8, __func__, offload);
++
++	drv->offload_set = true;
++	drv->offload = offload;
++
++	return try_commit(drv);
++#else /* LIBNL_HAS_OFFLOAD */
++	if (offload == 0)
++		return 0;
++	wpa_printf(MSG_INFO,
++		   "%s: libnl version does not include support for MACsec offload",
++		   __func__);
++	return -1;
++#endif /* LIBNL_HAS_OFFLOAD */
++}
++
++
+ /**
+  * macsec_drv_set_current_cipher_suite - Set current cipher suite
+  * @priv: Private driver interface data
+@@ -1648,6 +1696,7 @@ const struct wpa_driver_ops wpa_driver_macsec_linux_ops = {
+ 	.enable_protect_frames = macsec_drv_enable_protect_frames,
+ 	.enable_encrypt = macsec_drv_enable_encrypt,
+ 	.set_replay_protect = macsec_drv_set_replay_protect,
++	.set_offload = macsec_drv_set_offload,
+ 	.set_current_cipher_suite = macsec_drv_set_current_cipher_suite,
+ 	.enable_controlled_port = macsec_drv_enable_controlled_port,
+ 	.get_receive_lowest_pn = macsec_drv_get_receive_lowest_pn,
+-- 
+2.43.0
+

SOURCES/wpa_supplicant-macsec_linux-Support-cipher-suite-configuration.patch

@@ -0,0 +1,93 @@
+From 7e941e7a1560699a18c5890cb6e1309161bc01af Mon Sep 17 00:00:00 2001
+Message-ID: <7e941e7a1560699a18c5890cb6e1309161bc01af.1706279136.git.davide.caratti@gmail.com>
+From: leiwei <quic_leiwei@quicinc.com>
+Date: Mon, 15 Nov 2021 18:43:33 +0800
+Subject: [PATCH] macsec_linux: Support cipher suite configuration
+
+Set the cipher suite for the link. Unlike the other parameters, this
+needs to be done with the first rtnl_link_add() call (NLM_F_CREATE))
+instead of the update in try_commit() since the kernel is rejecting
+changes to the cipher suite after the link is first added.
+
+Signed-off-by: leiwei <quic_leiwei@quicinc.com>
+---
+ src/drivers/driver_macsec_linux.c | 25 ++++++++++++++++++++++---
+ 1 file changed, 22 insertions(+), 3 deletions(-)
+
+--- a/src/drivers/driver_macsec_linux.c
++++ b/src/drivers/driver_macsec_linux.c
+@@ -77,6 +77,9 @@ struct macsec_drv_data {
+ 
+ 	u8 encoding_sa;
+ 	bool encoding_sa_set;
++
++	u64 cipher_suite;
++	bool cipher_suite_set;
+ };
+ 
+ 
+@@ -460,8 +463,14 @@ static int macsec_drv_set_replay_protect
+  */
+ static int macsec_drv_set_current_cipher_suite(void *priv, u64 cs)
+ {
++	struct macsec_drv_data *drv = priv;
++
+ 	wpa_printf(MSG_DEBUG, "%s -> %016" PRIx64, __func__, cs);
+-	return 0;
++
++	drv->cipher_suite_set = true;
++	drv->cipher_suite = cs;
++
++	return try_commit(drv);
+ }
+ 
+ 
+@@ -1063,7 +1072,8 @@ static int macsec_drv_disable_receive_sa
+ }
+ 
+ 
+-static struct rtnl_link * lookup_sc(struct nl_cache *cache, int parent, u64 sci)
++static struct rtnl_link * lookup_sc(struct nl_cache *cache, int parent, u64 sci,
++				    u64 cs)
+ {
+ 	struct rtnl_link *needle;
+ 	void *match;
+@@ -1074,6 +1084,8 @@ static struct rtnl_link * lookup_sc(stru
+ 
+ 	rtnl_link_set_link(needle, parent);
+ 	rtnl_link_macsec_set_sci(needle, sci);
++	if (cs)
++		rtnl_link_macsec_set_cipher_suite(needle, cs);
+ 
+ 	match = nl_cache_find(cache, (struct nl_object *) needle);
+ 	rtnl_link_put(needle);
+@@ -1098,6 +1110,7 @@ static int macsec_drv_create_transmit_sc
+ 	char *ifname;
+ 	u64 sci;
+ 	int err;
++	u64 cs = 0;
+ 
+ 	wpa_printf(MSG_DEBUG, DRV_PREFIX
+ 		   "%s: create_transmit_sc -> " SCISTR " (conf_offset=%d)",
+@@ -1122,6 +1135,12 @@ static int macsec_drv_create_transmit_sc
+ 
+ 	drv->created_link = true;
+ 
++	if (drv->cipher_suite_set) {
++		cs = drv->cipher_suite;
++		drv->cipher_suite_set = false;
++		rtnl_link_macsec_set_cipher_suite(link, cs);
++	}
++
+ 	err = rtnl_link_add(drv->sk, link, NLM_F_CREATE);
+ 	if (err == -NLE_BUSY) {
+ 		wpa_printf(MSG_INFO,
+@@ -1137,7 +1156,7 @@ static int macsec_drv_create_transmit_sc
+ 	rtnl_link_put(link);
+ 
+ 	nl_cache_refill(drv->sk, drv->link_cache);
+-	link = lookup_sc(drv->link_cache, drv->parent_ifi, sci);
++	link = lookup_sc(drv->link_cache, drv->parent_ifi, sci, cs);
+ 	if (!link) {
+ 		wpa_printf(MSG_ERROR, DRV_PREFIX "couldn't find link");
+ 		return -1;

SOURCES/wpa_supplicant-mka-Allow-configuration-of-MACsec-hardware-offload.patch

@@ -0,0 +1,363 @@
+From 6d24673ab89d9002990ee51e7c87d308ca07cd01 Mon Sep 17 00:00:00 2001
+Message-ID: <6d24673ab89d9002990ee51e7c87d308ca07cd01.1706279162.git.davide.caratti@gmail.com>
+From: Emeel Hakim <ehakim@nvidia.com>
+Date: Tue, 14 Feb 2023 10:26:56 +0200
+Subject: [PATCH] mka: Allow configuration of MACsec hardware offload
+
+Add new configuration parameter macsec_offload to allow user to set up
+MACsec hardware offload feature.
+
+Signed-off-by: Emeel Hakim <ehakim@nvidia.com>
+---
+ hostapd/config_file.c              | 10 ++++++++++
+ hostapd/hostapd.conf               |  8 ++++++++
+ src/ap/ap_config.h                 | 13 +++++++++++++
+ src/ap/wpa_auth_kay.c              |  1 +
+ src/drivers/driver.h               | 10 ++++++++++
+ src/pae/ieee802_1x_cp.c            |  7 +++++++
+ src/pae/ieee802_1x_kay.c           |  7 +++++--
+ src/pae/ieee802_1x_kay.h           |  6 ++++--
+ src/pae/ieee802_1x_secy_ops.c      | 20 ++++++++++++++++++++
+ src/pae/ieee802_1x_secy_ops.h      |  1 +
+ wpa_supplicant/config.c            |  1 +
+ wpa_supplicant/config_file.c       |  1 +
+ wpa_supplicant/config_ssid.h       | 12 ++++++++++++
+ wpa_supplicant/driver_i.h          |  8 ++++++++
+ wpa_supplicant/wpa_cli.c           |  1 +
+ wpa_supplicant/wpa_supplicant.conf |  9 +++++++++
+ wpa_supplicant/wpas_kay.c          | 10 +++++++++-
+ 17 files changed, 120 insertions(+), 5 deletions(-)
+
+--- a/src/ap/ap_config.h
++++ b/src/ap/ap_config.h
+@@ -833,6 +833,19 @@ struct hostapd_bss_config {
+ 	u32 macsec_replay_window;
+ 
+ 	/**
++	 * macsec_offload - Enable MACsec offload
++	 *
++	 * This setting applies only when MACsec is in use, i.e.,
++	 *  - macsec_policy is enabled
++	 *  - the key server has decided to enable MACsec
++	 *
++	 * 0 = MACSEC_OFFLOAD_OFF (default)
++	 * 1 = MACSEC_OFFLOAD_PHY
++	 * 2 = MACSEC_OFFLOAD_MAC
++	 */
++	int macsec_offload;
++
++	/**
+ 	 * macsec_port - MACsec port (in SCI)
+ 	 *
+ 	 * Port component of the SCI.
+--- a/src/ap/wpa_auth_kay.c
++++ b/src/ap/wpa_auth_kay.c
+@@ -328,6 +328,7 @@ int ieee802_1x_alloc_kay_sm_hapd(struct
+ 	res = ieee802_1x_kay_init(kay_ctx, policy,
+ 				  hapd->conf->macsec_replay_protect,
+ 				  hapd->conf->macsec_replay_window,
++				  hapd->conf->macsec_offload,
+ 				  hapd->conf->macsec_port,
+ 				  hapd->conf->mka_priority,
+ 				  hapd->conf->macsec_csindex,
+--- a/src/drivers/driver.h
++++ b/src/drivers/driver.h
+@@ -4168,6 +4168,16 @@ struct wpa_driver_ops {
+ 	int (*set_replay_protect)(void *priv, bool enabled, u32 window);
+ 
+ 	/**
++	 * set_offload - Set MACsec hardware offload
++	 * @priv: Private driver interface data
++	 * @offload: 0 = MACSEC_OFFLOAD_OFF
++	 *           1 = MACSEC_OFFLOAD_PHY
++	 *           2 = MACSEC_OFFLOAD_MAC
++	 * Returns: 0 on success, -1 on failure (or if not supported)
++	 */
++	int (*set_offload)(void *priv, u8 offload);
++
++	/**
+ 	 * set_current_cipher_suite - Set current cipher suite
+ 	 * @priv: Private driver interface data
+ 	 * @cs: EUI64 identifier
+--- a/src/pae/ieee802_1x_cp.c
++++ b/src/pae/ieee802_1x_cp.c
+@@ -84,6 +84,7 @@ struct ieee802_1x_cp_sm {
+ 
+ 	/* not defined IEEE Std 802.1X-2010 */
+ 	struct ieee802_1x_kay *kay;
++	u8 offload;
+ };
+ 
+ static void ieee802_1x_cp_retire_when_timeout(void *eloop_ctx,
+@@ -188,6 +189,7 @@ SM_STATE(CP, AUTHENTICATED)
+ 	sm->protect_frames = false;
+ 	sm->replay_protect = false;
+ 	sm->validate_frames = Checked;
++	sm->offload = sm->kay->macsec_offload;
+ 
+ 	sm->port_valid = false;
+ 	sm->controlled_port_enabled = true;
+@@ -197,6 +199,7 @@ SM_STATE(CP, AUTHENTICATED)
+ 	secy_cp_control_encrypt(sm->kay, sm->kay->macsec_encrypt);
+ 	secy_cp_control_validate_frames(sm->kay, sm->validate_frames);
+ 	secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window);
++	secy_cp_control_offload(sm->kay, sm->offload);
+ }
+ 
+ 
+@@ -208,6 +211,7 @@ SM_STATE(CP, SECURED)
+ 
+ 	sm->protect_frames = sm->kay->macsec_protect;
+ 	sm->replay_protect = sm->kay->macsec_replay_protect;
++	sm->offload = sm->kay->macsec_offload;
+ 	sm->validate_frames = sm->kay->macsec_validate;
+ 
+ 	sm->current_cipher_suite = sm->cipher_suite;
+@@ -223,6 +227,7 @@ SM_STATE(CP, SECURED)
+ 	secy_cp_control_encrypt(sm->kay, sm->kay->macsec_encrypt);
+ 	secy_cp_control_validate_frames(sm->kay, sm->validate_frames);
+ 	secy_cp_control_replay(sm->kay, sm->replay_protect, sm->replay_window);
++	secy_cp_control_offload(sm->kay, sm->offload);
+ }
+ 
+ 
+@@ -462,6 +467,7 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_
+ 	sm->validate_frames = kay->macsec_validate;
+ 	sm->replay_protect = kay->macsec_replay_protect;
+ 	sm->replay_window = kay->macsec_replay_window;
++	sm->offload = kay->macsec_offload;
+ 
+ 	sm->controlled_port_enabled = false;
+ 
+@@ -491,6 +497,7 @@ struct ieee802_1x_cp_sm * ieee802_1x_cp_
+ 	secy_cp_control_confidentiality_offset(sm->kay,
+ 					       sm->confidentiality_offset);
+ 	secy_cp_control_current_cipher_suite(sm->kay, sm->current_cipher_suite);
++	secy_cp_control_offload(sm->kay, sm->offload);
+ 
+ 	SM_STEP_RUN(CP);
+ 
+--- a/src/pae/ieee802_1x_kay.c
++++ b/src/pae/ieee802_1x_kay.c
+@@ -3464,8 +3464,8 @@ static void kay_l2_receive(void *ctx, co
+ struct ieee802_1x_kay *
+ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
+ 		    bool macsec_replay_protect, u32 macsec_replay_window,
+-		    u16 port, u8 priority, u32 macsec_csindex,
+-		    const char *ifname, const u8 *addr)
++		    u8 macsec_offload, u16 port, u8 priority,
++		    u32 macsec_csindex, const char *ifname, const u8 *addr)
+ {
+ 	struct ieee802_1x_kay *kay;
+ 
+@@ -3524,6 +3524,7 @@ ieee802_1x_kay_init(struct ieee802_1x_ka
+ 		kay->macsec_validate = Disabled;
+ 		kay->macsec_replay_protect = false;
+ 		kay->macsec_replay_window = 0;
++		kay->macsec_offload = 0;
+ 		kay->macsec_confidentiality = CONFIDENTIALITY_NONE;
+ 		kay->mka_hello_time = MKA_HELLO_TIME;
+ 	} else {
+@@ -3540,6 +3541,7 @@ ieee802_1x_kay_init(struct ieee802_1x_ka
+ 		kay->macsec_validate = Strict;
+ 		kay->macsec_replay_protect = macsec_replay_protect;
+ 		kay->macsec_replay_window = macsec_replay_window;
++		kay->macsec_offload = macsec_offload;
+ 		kay->mka_hello_time = MKA_HELLO_TIME;
+ 	}
+ 
+@@ -3740,6 +3742,7 @@ ieee802_1x_kay_create_mka(struct ieee802
+ 	secy_cp_control_protect_frames(kay, kay->macsec_protect);
+ 	secy_cp_control_replay(kay, kay->macsec_replay_protect,
+ 			       kay->macsec_replay_window);
++	secy_cp_control_offload(kay, kay->macsec_offload);
+ 	if (secy_create_transmit_sc(kay, participant->txsc))
+ 		goto fail;
+ 
+--- a/src/pae/ieee802_1x_kay.h
++++ b/src/pae/ieee802_1x_kay.h
+@@ -166,6 +166,7 @@ struct ieee802_1x_kay_ctx {
+ 	int (*delete_transmit_sa)(void *ctx, struct transmit_sa *sa);
+ 	int (*enable_transmit_sa)(void *ctx, struct transmit_sa *sa);
+ 	int (*disable_transmit_sa)(void *ctx, struct transmit_sa *sa);
++	int (*set_offload)(void *ctx, u8 offload);
+ };
+ 
+ struct ieee802_1x_kay {
+@@ -206,6 +207,7 @@ struct ieee802_1x_kay {
+ 	bool is_key_server;
+ 	bool is_obliged_key_server;
+ 	char if_name[IFNAMSIZ];
++	u8 macsec_offload;
+ 
+ 	unsigned int macsec_csindex;  /* MACsec cipher suite table index */
+ 	int mka_algindex;  /* MKA alg table index */
+@@ -240,8 +242,8 @@ u64 mka_sci_u64(struct ieee802_1x_mka_sc
+ struct ieee802_1x_kay *
+ ieee802_1x_kay_init(struct ieee802_1x_kay_ctx *ctx, enum macsec_policy policy,
+ 		    bool macsec_replay_protect, u32 macsec_replay_window,
+-		    u16 port, u8 priority, u32 macsec_csindex,
+-		    const char *ifname, const u8 *addr);
++		    u8 macsec_offload, u16 port, u8 priority,
++		    u32 macsec_csindex, const char *ifname, const u8 *addr);
+ void ieee802_1x_kay_deinit(struct ieee802_1x_kay *kay);
+ 
+ struct ieee802_1x_mka_participant *
+--- a/src/pae/ieee802_1x_secy_ops.c
++++ b/src/pae/ieee802_1x_secy_ops.c
+@@ -85,6 +85,26 @@ int secy_cp_control_replay(struct ieee80
+ }
+ 
+ 
++int secy_cp_control_offload(struct ieee802_1x_kay *kay, u8 offload)
++{
++	struct ieee802_1x_kay_ctx *ops;
++
++	if (!kay) {
++		wpa_printf(MSG_ERROR, "KaY: %s params invalid", __func__);
++		return -1;
++	}
++
++	ops = kay->ctx;
++	if (!ops || !ops->set_offload) {
++		wpa_printf(MSG_ERROR,
++			   "KaY: secy set_offload operation not supported");
++		return -1;
++	}
++
++	return ops->set_offload(ops->ctx, offload);
++}
++
++
+ int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs)
+ {
+ 	struct ieee802_1x_kay_ctx *ops;
+--- a/src/pae/ieee802_1x_secy_ops.h
++++ b/src/pae/ieee802_1x_secy_ops.h
+@@ -23,6 +23,7 @@ int secy_cp_control_validate_frames(stru
+ int secy_cp_control_protect_frames(struct ieee802_1x_kay *kay, bool flag);
+ int secy_cp_control_encrypt(struct ieee802_1x_kay *kay, bool enabled);
+ int secy_cp_control_replay(struct ieee802_1x_kay *kay, bool flag, u32 win);
++int secy_cp_control_offload(struct ieee802_1x_kay *kay, u8 offload);
+ int secy_cp_control_current_cipher_suite(struct ieee802_1x_kay *kay, u64 cs);
+ int secy_cp_control_confidentiality_offset(struct ieee802_1x_kay *kay,
+ 					   enum confidentiality_offset co);
+--- a/wpa_supplicant/config.c
++++ b/wpa_supplicant/config.c
+@@ -2610,6 +2610,7 @@ static const struct parse_data ssid_fiel
+ 	{ INT_RANGE(macsec_integ_only, 0, 1) },
+ 	{ INT_RANGE(macsec_replay_protect, 0, 1) },
+ 	{ INT(macsec_replay_window) },
++	{ INT_RANGE(macsec_offload, 0, 2) },
+ 	{ INT_RANGE(macsec_port, 1, 65534) },
+ 	{ INT_RANGE(mka_priority, 0, 255) },
+ 	{ INT_RANGE(macsec_csindex, 0, 1) },
+--- a/wpa_supplicant/config_file.c
++++ b/wpa_supplicant/config_file.c
+@@ -808,6 +808,7 @@ static void wpa_config_write_network(FIL
+ 	INT(macsec_integ_only);
+ 	INT(macsec_replay_protect);
+ 	INT(macsec_replay_window);
++	INT(macsec_offload);
+ 	INT(macsec_port);
+ 	INT_DEF(mka_priority, DEFAULT_PRIO_NOT_KEY_SERVER);
+ 	INT(macsec_csindex);
+--- a/wpa_supplicant/config_ssid.h
++++ b/wpa_supplicant/config_ssid.h
+@@ -896,6 +896,18 @@ struct wpa_ssid {
+ 	u32 macsec_replay_window;
+ 
+ 	/**
++	 * macsec_offload - Enable MACsec hardware offload
++	 *
++	 * This setting applies only when MACsec is in use, i.e.,
++	 *  - the key server has decided to enable MACsec
++	 *
++	 * 0 = MACSEC_OFFLOAD_OFF (default)
++	 * 1 = MACSEC_OFFLOAD_PHY
++	 * 2 = MACSEC_OFFLOAD_MAC
++	 */
++	int macsec_offload;
++
++	/**
+ 	 * macsec_port - MACsec port (in SCI)
+ 	 *
+ 	 * Port component of the SCI.
+--- a/wpa_supplicant/driver_i.h
++++ b/wpa_supplicant/driver_i.h
+@@ -804,6 +804,14 @@ static inline int wpa_drv_set_replay_pro
+ 						 window);
+ }
+ 
++static inline int wpa_drv_set_offload(struct wpa_supplicant *wpa_s, u8 offload)
++{
++	if (!wpa_s->driver->set_offload)
++		return -1;
++	return wpa_s->driver->set_offload(wpa_s->drv_priv, offload);
++
++}
++
+ static inline int wpa_drv_set_current_cipher_suite(struct wpa_supplicant *wpa_s,
+ 						   u64 cs)
+ {
+--- a/wpa_supplicant/wpa_cli.c
++++ b/wpa_supplicant/wpa_cli.c
+@@ -1473,6 +1473,7 @@ static const char *network_fields[] = {
+ 	"macsec_integ_only",
+ 	"macsec_replay_protect",
+ 	"macsec_replay_window",
++	"macsec_offload",
+ 	"macsec_port",
+ 	"mka_priority",
+ #endif /* CONFIG_MACSEC */
+--- a/wpa_supplicant/wpa_supplicant.conf
++++ b/wpa_supplicant/wpa_supplicant.conf
+@@ -1094,6 +1094,15 @@ fast_reauth=1
+ # 0: No replay window, strict check (default)
+ # 1..2^32-1: number of packets that could be misordered
+ #
++# macsec_offload - Enable MACsec hardware offload
++#
++# This setting applies only when MACsec is in use, i.e.,
++#  - the key server has decided to enable MACsec
++#
++# 0 = MACSEC_OFFLOAD_OFF (default)
++# 1 = MACSEC_OFFLOAD_PHY
++# 2 = MACSEC_OFFLOAD_MAC
++#
+ # macsec_port: IEEE 802.1X/MACsec port
+ # Port component of the SCI
+ # Range: 1-65534 (default: 1)
+--- a/wpa_supplicant/wpas_kay.c
++++ b/wpa_supplicant/wpas_kay.c
+@@ -98,6 +98,12 @@ static int wpas_set_receive_lowest_pn(vo
+ }
+ 
+ 
++static int wpas_set_offload(void *wpa_s, u8 offload)
++{
++	return wpa_drv_set_offload(wpa_s, offload);
++}
++
++
+ static unsigned int conf_offset_val(enum confidentiality_offset co)
+ {
+ 	switch (co) {
+@@ -220,6 +226,7 @@ int ieee802_1x_alloc_kay_sm(struct wpa_s
+ 	kay_ctx->enable_protect_frames = wpas_enable_protect_frames;
+ 	kay_ctx->enable_encrypt = wpas_enable_encrypt;
+ 	kay_ctx->set_replay_protect = wpas_set_replay_protect;
++	kay_ctx->set_offload = wpas_set_offload;
+ 	kay_ctx->set_current_cipher_suite = wpas_set_current_cipher_suite;
+ 	kay_ctx->enable_controlled_port = wpas_enable_controlled_port;
+ 	kay_ctx->get_receive_lowest_pn = wpas_get_receive_lowest_pn;
+@@ -240,7 +247,8 @@ int ieee802_1x_alloc_kay_sm(struct wpa_s
+ 	kay_ctx->disable_transmit_sa = wpas_disable_transmit_sa;
+ 
+ 	res = ieee802_1x_kay_init(kay_ctx, policy, ssid->macsec_replay_protect,
+-				  ssid->macsec_replay_window, ssid->macsec_port,
++				  ssid->macsec_replay_window,
++				  ssid->macsec_offload, ssid->macsec_port,
+ 				  ssid->mka_priority, ssid->macsec_csindex,
+ 				  wpa_s->ifname, wpa_s->own_addr);
+ 	/* ieee802_1x_kay_init() frees kay_ctx on failure */

SPECS/wpa_supplicant.spec

@@ -1,39 +1,51 @@
-%define rcver %{nil}
-%define snapshot %{nil}
-
 %global _hardened_build 1
+%if 0%{?fedora}
+%bcond_without gui
+%else
+%bcond_with gui
+%endif
 
 Summary: WPA/WPA2/IEEE 802.1X Supplicant
 Name: wpa_supplicant
 Epoch: 1
 Version: 2.10
-Release: 1%{?dist}
+Release: 5%{?dist}
 License: BSD
-Group: System Environment/Base
-Source0: http://w1.fi/releases/%{name}-%{version}%{rcver}%{snapshot}.tar.gz
-Source1: build-config
-Source2: %{name}.conf
-Source3: %{name}.service
-Source4: %{name}.sysconfig
-Source6: %{name}.logrotate
-
-%define build_gui 0
+Source0: http://w1.fi/releases/%{name}-%{version}.tar.gz
+Source1: wpa_supplicant.conf
+Source2: wpa_supplicant.service
+Source3: wpa_supplicant.sysconfig
+Source4: wpa_supplicant.logrotate
 
 # distro specific customization and not suitable for upstream,
+# Fedora-specific updates to defconfig
+Patch0: wpa_supplicant-config.patch
 # works around busted drivers
-Patch0: wpa_supplicant-assoc-timeout.patch
+Patch1: wpa_supplicant-assoc-timeout.patch
 # ensures that debug output gets flushed immediately to help diagnose driver
 # bugs, not suitable for upstream
-Patch1: wpa_supplicant-flush-debug-output.patch
+Patch2: wpa_supplicant-flush-debug-output.patch
 # quiet an annoying and frequent syslog message
 Patch3: wpa_supplicant-quiet-scan-results-message.patch
 # distro specific customization for Qt4 build tools, not suitable for upstream
-Patch5: rh1542234-remove-wpa_gui.patch
-Patch6: wpa_supplicant-gui-qt4.patch
+Patch4: wpa_supplicant-gui-qt4.patch
+# backport fix for bz2063730
+Patch5: 0001-D-Bus-Add-wep_disabled-capability.patch
+# backport fix for bz2077973
+Patch6: 0001-EAP-peer-Workaround-for-servers-that-do-not-support-.patch
+Patch7: 0001-EAP-peer-status-notification-for-server-not-supporti.patch
+# support macsec HW offload
+Patch8: wpa_supplicant-MACsec-Support-GCM-AES-256-cipher-suite.patch
+Patch9: wpa_supplicant-macsec_linux-Support-cipher-suite-configuration.patch
+Patch10: wpa_supplicant-mka-Allow-configuration-of-MACsec-hardware-offload.patch
+Patch11: wpa_supplicant-macsec_linux-Add-support-for-MACsec-hardware-offload.patch
+
+# fix PEAP client to require successful Phase2 authentication when needed (CVE-2023-52160)
+Patch12: wpa_supplicant-PEAP-client-Update-Phase-2-authentication-requiremen.patch
 
 URL: http://w1.fi/wpa_supplicant/
 
-%if %{build_gui}
+%if %with gui
 BuildRequires: qt-devel >= 4.0
 %endif
 BuildRequires: openssl-devel
@@ -42,6 +54,7 @@ BuildRequires: dbus-devel
 BuildRequires: libnl3-devel
 BuildRequires: systemd-units
 BuildRequires: docbook-utils
+BuildRequires: gcc
 Requires(post): systemd-sysv
 Requires(post): systemd
 Requires(preun): systemd
@@ -61,81 +74,83 @@ component that is used in the client stations. It implements key negotiation
 with a WPA Authenticator and it controls the roaming and IEEE 802.11
 authentication/association of the wlan driver.
 
-%if %{build_gui}
 
+%if %with gui
 %package gui
 Summary: Graphical User Interface for %{name}
-Group: Applications/System
 
 %description gui
 Graphical User Interface for wpa_supplicant written using QT
-
 %endif
 
+
 %prep
-%autosetup -p1 -n %{name}-%{version}%{rcver}%{snapshot}
+%autosetup -p1 -n %{name}-%{version}
+
 
 %build
 pushd wpa_supplicant
-  cp %{SOURCE1} .config
-  CFLAGS="${CFLAGS:-%optflags} -fPIE -DPIE" ; export CFLAGS ;
-  CXXFLAGS="${CXXFLAGS:-%optflags} -fPIE -DPIE" ; export CXXFLAGS ;
-  LDFLAGS="${LDFLAGS:-%optflags} -pie -Wl,-z,now" ; export LDFLAGS ;
+  cp defconfig .config
+  export CFLAGS="${CFLAGS:-%optflags} -fPIE -DPIE"
+  export CXXFLAGS="${CXXFLAGS:-%optflags} -fPIE -DPIE"
+  export LDFLAGS="${LDFLAGS:-%optflags} -pie -Wl,-z,now"
   # yes, BINDIR=_sbindir
-  BINDIR="%{_sbindir}" ; export BINDIR ;
-  LIBDIR="%{_libdir}" ; export LIBDIR ;
-  make %{_smp_mflags}
-%if %{build_gui}
-  QTDIR=%{_libdir}/qt4 make wpa_gui-qt4 %{_smp_mflags} QMAKE='%{qmake_qt4}' LRELEASE='%{_qt4_bindir}/lrelease'
+  export BINDIR="%{_sbindir}"
+  export LIBDIR="%{_libdir}"
+  make %{_smp_mflags} V=1
+%if %with gui
+  make wpa_gui-qt4 %{_smp_mflags} V=1 QTDIR=%{_libdir}/qt4 \
+    QMAKE='%{qmake_qt4}' LRELEASE='%{_qt4_bindir}/lrelease'
+%endif
+  make eapol_test V=1
+  make -C doc/docbook man V=1
+%if !%with gui
+  rm doc/docbook/wpa_gui.8
 %endif
-  make eapol_test
 popd
 
-pushd wpa_supplicant/doc/docbook
-  make man
-popd
 
 %install
-# init scripts
-install -D -m 0644 %{SOURCE3} %{buildroot}/%{_unitdir}/%{name}.service
-install -D -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/sysconfig/%{name}
-install -D -m 0644 %{SOURCE6} %{buildroot}/%{_sysconfdir}/logrotate.d/%{name}
-
 # config
-install -D -m 0600 %{SOURCE2} %{buildroot}/%{_sysconfdir}/%{name}/%{name}.conf
+install -D -m 0600 %{SOURCE1} %{buildroot}/%{_sysconfdir}/wpa_supplicant/wpa_supplicant.conf
+
+# init scripts
+install -D -m 0644 %{SOURCE2} %{buildroot}/%{_unitdir}/wpa_supplicant.service
+install -D -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/sysconfig/wpa_supplicant
+install -D -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/logrotate.d/wpa_supplicant
 
 # binary
 install -d %{buildroot}/%{_sbindir}
-install -m 0755 %{name}/wpa_passphrase %{buildroot}/%{_sbindir}
-install -m 0755 %{name}/wpa_cli %{buildroot}/%{_sbindir}
-install -m 0755 %{name}/wpa_supplicant %{buildroot}/%{_sbindir}
-install -m 0755 %{name}/eapol_test %{buildroot}/%{_sbindir}
-install -D -m 0644 %{name}/dbus/dbus-wpa_supplicant.conf %{buildroot}/%{_sysconfdir}/dbus-1/system.d/wpa_supplicant.conf
-install -D -m 0644 %{name}/dbus/fi.w1.wpa_supplicant1.service %{buildroot}/%{_datadir}/dbus-1/system-services/fi.w1.wpa_supplicant1.service
+install -m 0755 wpa_supplicant/wpa_passphrase %{buildroot}/%{_sbindir}
+install -m 0755 wpa_supplicant/wpa_cli %{buildroot}/%{_sbindir}
+install -m 0755 wpa_supplicant/wpa_supplicant %{buildroot}/%{_sbindir}
+install -m 0755 wpa_supplicant/eapol_test %{buildroot}/%{_sbindir}
+install -D -m 0644 wpa_supplicant/dbus/dbus-wpa_supplicant.conf \
+  %{buildroot}/%{_sysconfdir}/dbus-1/system.d/wpa_supplicant.conf
+install -D -m 0644 wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service \
+  %{buildroot}/%{_datadir}/dbus-1/system-services/fi.w1.wpa_supplicant1.service
 
-%if %{build_gui}
+%if %with gui
 # gui
 install -d %{buildroot}/%{_bindir}
-install -m 0755 %{name}/wpa_gui-qt4/wpa_gui %{buildroot}/%{_bindir}
-%else
-rm -f %{name}/doc/docbook/wpa_gui.8
+install -m 0755 wpa_supplicant/wpa_gui-qt4/wpa_gui %{buildroot}/%{_bindir}
 %endif
 
-rm -f %{name}/doc/docbook/wpa_priv.8
-
 # man pages
 install -d %{buildroot}%{_mandir}/man{5,8}
-install -m 0644 %{name}/doc/docbook/*.8 %{buildroot}%{_mandir}/man8
-install -m 0644 %{name}/doc/docbook/*.5 %{buildroot}%{_mandir}/man5
+install -m 0644 wpa_supplicant/doc/docbook/*.8 %{buildroot}%{_mandir}/man8
+install -m 0644 wpa_supplicant/doc/docbook/*.5 %{buildroot}%{_mandir}/man5
 
 # some cleanup in docs and examples
-rm -f  %{name}/doc/.cvsignore
-rm -rf %{name}/doc/docbook
-chmod -R 0644 %{name}/examples/*.py
+rm -f  wpa_supplicant/doc/.cvsignore
+rm -rf wpa_supplicant/doc/docbook
+chmod -R 0644 wpa_supplicant/examples/*.py
+
 
 %post
 %systemd_post wpa_supplicant.service
 
+
 %preun
 %systemd_preun wpa_supplicant.service
 
@@ -151,78 +166,168 @@ chmod -R 0644 %{name}/examples/*.py
 
 
 %files
-%license COPYING
-%doc %{name}/ChangeLog README %{name}/eap_testing.txt %{name}/todo.txt %{name}/wpa_supplicant.conf %{name}/examples
-%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
-%config(noreplace) %{_sysconfdir}/sysconfig/%{name}
-%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
-%{_unitdir}/%{name}.service
-%{_sysconfdir}/dbus-1/system.d/%{name}.conf
+%config(noreplace) %{_sysconfdir}/wpa_supplicant/wpa_supplicant.conf
+%config(noreplace) %{_sysconfdir}/sysconfig/wpa_supplicant
+%dir %{_sysconfdir}/logrotate.d
+%config(noreplace) %{_sysconfdir}/logrotate.d/wpa_supplicant
+%{_unitdir}/wpa_supplicant.service
+%{_sysconfdir}/dbus-1/system.d/wpa_supplicant.conf
 %{_datadir}/dbus-1/system-services/fi.w1.wpa_supplicant1.service
 %{_sbindir}/wpa_passphrase
 %{_sbindir}/wpa_supplicant
 %{_sbindir}/wpa_cli
 %{_sbindir}/eapol_test
-%dir %{_sysconfdir}/%{name}
-%{_mandir}/man8/*
+%dir %{_sysconfdir}/wpa_supplicant
+%{_mandir}/man8/wpa_supplicant.8.gz
+%{_mandir}/man8/wpa_priv.8.gz
+%{_mandir}/man8/wpa_passphrase.8.gz
+%{_mandir}/man8/wpa_cli.8.gz
+%{_mandir}/man8/wpa_background.8.gz
+%{_mandir}/man8/eapol_test.8.gz
 %{_mandir}/man5/*
+%doc README
+%doc wpa_supplicant/ChangeLog
+%doc wpa_supplicant/eap_testing.txt
+%doc wpa_supplicant/todo.txt
+%doc wpa_supplicant/wpa_supplicant.conf
+%doc wpa_supplicant/examples
+%license COPYING
 
-%if %{build_gui}
+
+%if %with gui
 %files gui
 %{_bindir}/wpa_gui
+%{_mandir}/man8/wpa_gui.8.gz
 %endif
 
+
 %changelog
-* Thu Jan  20 2022 Davide Caratti <dcaratti@redhat.com> - 1:2.10-1
-- Update to version 2.10 (rh #2042104)
+* Thu Feb 22 2024 Davide Caratti <dcaratti@redhat.com> - 1:2.10-5
+- Support macsec HW offload.
+  Resolves: RHEL-22440
+- Backport fix for PEAP client (CVE-2023-52160)
 
-* Thu Dec  9 2021 Davide Caratti <dcaratti@redhat.com> - 1:2.9-6.20211112gitc8b94bc7b347
-- restore WEP functionality (rh #2028839)
+* Fri May 13 2022 Davide Caratti <dcaratti@redhat.com> - 1:2.10-4
+- Explicitly allow/disallow unsafe legacy renegotiation on configuration base.
+  Resolves: rhbz#2077973
 
-* Fri Nov 12 2021 Davide Caratti <dcaratti@redhat.com> - 1:2.9-5.20211112gitc8b94bc7b347
+* Fri Apr 22 2022 Davide Caratti <dcaratti@redhat.com> - 1:2.10-3
+- Expose 'wep_disabled' capability via D-Bus. Resolves: rhbz#2063730
+
+* Fri Feb  4 2022 Davide Caratti <dcaratti@redhat.com> - 1:2.10-2
+- Disable CONFIG_IEEE80211R. Resolves: rhbz#2032539
+
+* Thu Jan 20 2022 Davide Caratti <dcaratti@redhat.com> - 1:2.10-1
+- Update to version 2.10. Resolves: rhbz#2042540
+
+* Mon Nov 22 2021 Davide Caratti <dcaratti@redhat.com> - 1:2.9-17.20211112gitc8b94bc7b347
 - Update to latest upstream tree to include support for H2E
-  Resolves: rhbz#2007333
+  Resolves: rhbz#2007334
 
-* Fri Mar  5 2021 Davide Caratti <dcaratti@redhat.com> - 1:2.9-5
-- P2P: Fix a corner case in peer addition based on PD Request (CVE-2021-27803)
-- Fix buffer overflow when processing P2P group information (CVE-2021-0326)
+* Thu Aug 19 2021 Davide Caratti <dcaratti@redhat.com> - 1:2.9-17
+- Fix NetworkManager-CI failures with OpenSSL 3.0
 
-* Fri Jan 15 2021 Davide Caratti <dcaratti@redhat.com> - 1:2.9-4
-- enable WPA-EAP-SUITE-B-192 (rh #1916394)
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1:2.9-16
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Tue Oct 27 2020 Davide Caratti <dcaratti@redhat.com> - 1:2.9-3
-- fix p2p_listen unexpectedly stopped after 5 seconds (rh #1693684)
-- allow changing 'bridge' via D-Bus (rh #1888050)
-- expose OWE configurability via D-Bus (rh #1888718)
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:2.9-15
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
 
-* Tue Oct 29 2019 Davide Caratti <dcaratti@redhat.com> - 1:2.9-2
-- Fix AP mode PMF disconnection protection bypass (CVE-2019-16275)
-- Fix NULL dereference in d-bus handler when P2P control interface is removed (rh #1752780)
-- enable WIFI_DISPLAY (rh #1755941)
+* Thu Jun  3 2021 Davide Caratti <dcaratti@redhat.com> - 1:2.9-14
+- Disable 'badfuncs' test in rpminspect. Related: rhbz#1967579
 
-* Mon Oct 21 2019 Davide Caratti <dcaratti@redhat.com> - 1:2.9-1
-- Update to 2.9 upstream release
-- Enable OWE, SAE and DPP (rh #1730169)
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:2.9-13
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 
-* Thu Feb 07 2019 Davide Caratti <dcaratti@redhat.com> - 1:2.7-2
-- Enable CI gating (rh #1682340) and add a basic selftest
+* Mon Mar  1 2021 Davide Caratti <dcaratti@redhat.com> - 1:2.9-12
+- Fix a corner case in peer addition based on PD Request (CVE-2021-27803)
 
-* Thu Feb 07 2019 Davide Caratti <dcaratti@redhat.com> - 1:2.7-1
+* Thu Feb  4 2021 Davide Caratti <dcaratti@redhat.com> - 1:2.9-11
+- Fix copying of secondary device types for P2P group client (CVE-2021-0326)
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.9-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Jan 22 2021 Davide Caratti <dcaratti@redhat.com> - 1:2.9-9
+- Expose OWE capability on D-Bus
+- Allow changing interface bridge using D-Bus
+
+* Thu Dec 17 2020 Antonio Cardace <acardace@redhat.com> - 1:2.9-8
+- Enable WPA-EAP-SUITE-B-192 cipher suite
+
+* Thu Dec 17 2020 Davide Caratti <dcaratti@redhat.com> - 1:2.9-7
+- fix build on ELN target (rh #1902609)
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.9-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jun 15 2020 Benjamin Berg <bberg@redhat.com> - 1:2.9-5
+- fix some issues with P2P operation
+
+* Thu Apr 23 2020 Davide Caratti <dcaratti@redhat.com> - 1:2.9-4
+- Enable Tunneled Direct Link Setup (TDLS)
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.9-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Oct 30 2019 Davide Caratti <dcaratti@redhat.com> - 1:2.9-2
+- fix AP mode PMF disconnection protection bypass (CVE-2019-16275, rh #1767026)
+
+* Fri Aug 16 2019 Lubomir Rintel <lkundrak@v3.sk> - 1:2.9-1
+- Update to version 2.9
+
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri May 10 2019 Davide Caratti <dcaratti@redhat.com> - 1:2.8-2
+- fix changelog for version 2.8-1
+
+* Thu May 02 2019 Davide Caratti <dcaratti@redhat.com> - 1:2.8-1
+- Update to 2.8 upstream release, to include latest fix for NULL
+  pointer dereference when EAP-PWD peer receives unexpected EAP
+  fragments (CVE-2019-11555, rh #1701759)
+
+* Fri Apr 12 2019 Davide Caratti <dcaratti@redhat.com> - 1:2.7-5
+- fix SAE and EAP_PWD vulnerabilities:
+  CVE-2019-9494 (cache attack against SAE)
+  CVE-2019-9495 (cache attack against EAP-pwd)
+  CVE-2019-9496 (SAE confirm missing state validation in hostapd/AP)
+  CVE-2019-9497 (EAP-pwd server not checking for reflection attack)
+  CVE-2019-9498 (EAP-pwd server missing commit validation for scalar/element)
+  CVE-2019-9499 (EAP-pwd peer missing commit validation for scalar/element)
+
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.7-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Jan 21 2019 Lubomir Rintel <lkundrak@v3.sk> - 1:2.7-3
+- Enable OWE and DPP
+- Expose SAE support on D-Bus
+
+* Mon Jan 21 2019 Lubomir Rintel <lkundrak@v3.sk> - 1:2.7-2
+- Enable MESH & SAE
+
+* Tue Dec 18 2018 Lubomir Rintel <lkundrak@v3.sk> - 1:2.7-1
 - Update to 2.7 upstream release
 
-* Mon Sep 10 2018 Davide Caratti <dcaratti@redhat.com> - 1:2.6-17
-- Fix duplicate Reassociation Request frame dropping (detected by Covscan)
+* Wed Aug 15 2018 Lubomir Rintel <lkundrak@v3.sk> - 1:2.6-20
+- Expose availability of SHA384 and FT on D-Bus
 
-* Fri Aug 31 2018 Davide Caratti <dcaratti@redhat.com> - 1:2.6-16
+* Wed Aug 15 2018 Lubomir Rintel <lkundrak@v3.sk> - 1:2.6-19
+- Drop the broken Pmf D-Bus property patch
+
+* Wed Aug  8 2018 Davide Caratti <dcaratti@redhat.com> - 1:2.6-18
 - Ignore unauthenticated encrypted EAPOL-Key data (CVE-2018-14526)
 
-* Thu Jul 12 2018 Davide Caratti <dcaratti@redhat.com> - 1:2.6-15
-- Disable build of wpa_gui (rh #1542234)
-- Fix build issue with latest kernel headers (rh #1582604)
-- Disable WEXT (rh #1537143)
-- Fix memory leak when macsec MKA/PSK is used (rh #1582511)
-- Fix authentication failure when the MAC is updated externally (rh #1582508)
-- Let the kernel discard EAPOL if packet type is PACKET_OTHERHOST (rh #1582501)
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.6-17
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Jun 22 2018 Davide Caratti <dcaratti@redhat.com> - 1:2.6-16
+- Fix endoding of NL80211_ATTR_SMPS_MODE (rh#1570903)
+
+* Fri May 11 2018 Davide Caratti <dcaratti@redhat.com> - 1:2.6-15
+- Make PMF configurable using D-Bus (rh#1567474)
 
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:2.6-14
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild