* update wpa_supplicant to 2:2.11-2

2024-10-05 01:06:52 +02:00 · 2024-10-05 01:06:52 +02:00 · d981a62a22
commit d981a62a22
parent e312d6a57d
11 changed files with 466 additions and 54 deletions
--- a/wpa_supplicant/.SRCINFO
+++ b/wpa_supplicant/.SRCINFO
@ -0,0 +1,44 @@
+pkgbase = wpa_supplicant
+	pkgdesc = A utility providing key negotiation for WPA wireless networks
+	pkgver = 2.11
+	pkgrel = 2
+	epoch = 2
+	url = https://w1.fi/wpa_supplicant/
+	install = wpa_supplicant.install
+	arch = x86_64
+	arch = powerpc64le
+	arch = powerpc64
+	arch = powerpc
+	arch = riscv64
+	license = BSD-3-Clause
+	makedepends = docbook-sgml
+	makedepends = docbook-utils
+	makedepends = git
+	makedepends = perl-sgmls
+	depends = glibc
+	depends = libdbus
+	depends = libnl
+	depends = openssl
+	depends = pcsclite
+	depends = readline
+	source = git+https://w1.fi/hostap.git?signed#tag=hostap_2_11
+	source = wpa_supplicant_config
+	source = 0001-Enable-TLSv1.0-by-default.patch
+	source = 0002-Disable-Werror-for-eapol_test.patch
+	source = 0003-Allow-legacy-renegotiation-to-fix-PEAP-issues-with-s.patch
+	source = 0004-Tweak-D-Bus-systemd-service-activation-configuration.patch
+	source = 0005-Add-IgnoreOnIsolate-yes-to-keep-wpa-supplicant-runni.patch
+	source = 0006-Add-reload-support-to-the-systemd-unit-files.patch
+	source = 0007-nl80211-add-extra-ies-only-if-allowed-by-driver.patch
+	validpgpkeys = EC4AA0A991A5F2464582D52D2B6EF432EFC895FA
+	b2sums = 163d2e6644902f36b3b5f25e328221fa34495d745801e8d3dce874b05366c81370ef75c8f7e0198e206a3d04c5ea4bb501bf97693fa481e15cf5067d80ab0c1e
+	b2sums = 9785af24e59e3d48dc3ab055cc6b9e5bbf081e801fbbfa70d532c2ad8f7f4e59c2679385c75aa02f856ec387cd5182640ff91d892aed9846c738da57e05574d9
+	b2sums = 96b82aaa5315e931424150d47e52f70186e2eea3928a5c97792473b69e8f92463863e8044e073bf940d597a3620f63381bd6996a594c85977785cdce4038f768
+	b2sums = bd00e0f6c04db9c2dc274763b97dace4d886fb105b0a605bb15877ee84e4a93a7b95ab9a0242b4937c748c8e7991e3dddb795ac4c2b0e99be0f5e48098041b70
+	b2sums = aaa7604faf1fede451582c8b981579cc86724a66c783d8368d1c122e0c381b75842d83bd85a982c1d4461d65bc74e62d34768762d15b4005a24a17e1392a109a
+	b2sums = 7175e7aab682370aef1b3358eaa839dcb009e12940aa2b9949c8c3254406341433e84af09d09ad670bf41f5201d979af02095c87a368b76465a952b1be9de049
+	b2sums = 6472d571f18c3ee718315888b9c756c4579a4b411e8c6994002f9a79fb0a36fbebe8b3d419af0f9ea881dd1bc439d03dbe3c6d6661e670f16575197c31f0bd7a
+	b2sums = c1ce2e8d6f42cbc8181aeb2bdc19d4a22bff804c18f6e505d8315a294c67c936e90135046812ec37765be3d0f433e31554604deb1d7b160549d7e3284610a22b
+	b2sums = 28bf078147cc2f3395d3f907d6d900c7976dbd9948a9513f1d7ef32a40b89fee55e243c9302d24eda62dc1f813857fa09ae79e6faf52881e463a163acb437380
+
+pkgname = wpa_supplicant
--- a/wpa_supplicant/.nvchecker.toml
+++ b/wpa_supplicant/.nvchecker.toml
@ -0,0 +1,8 @@
+[wpa_supplicant]
+source = "git"
+git = "https://w1.fi/hostap.git"
+include_regex = 'hostap(_\d+)+'
+prefix = "hostap_"
+from_pattern = "_"
+to_pattern = "."
+use_max_tag = true
--- a/wpa_supplicant/0001-Enable-TLSv1.0-by-default.patch
+++ b/wpa_supplicant/0001-Enable-TLSv1.0-by-default.patch
@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Andrej Shadura <andrewsh@debian.org>
+Date: Sat, 15 Dec 2018 14:19:22 +0100
+Subject: [PATCH] Enable TLSv1.0 by default
+
+OpenSSL 1.1.1 disables TLSv1.0 by default and sets the security level to 2.
+Some older networks may support for TLSv1.0 and less secure cyphers.
+---
+ src/crypto/tls_openssl.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 17283f99817a..b27c238ec864 100644
+--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
+@@ -1098,6 +1098,13 @@ void * tls_init(const struct tls_config *conf)
+ 		os_free(data);
+ 		return NULL;
+ 	}
+
+#ifndef EAP_SERVER_TLS
+	/* Enable TLSv1.0 by default to allow connecting to legacy
+	 * networks since Debian OpenSSL is set to minimum TLSv1.2 and SECLEVEL=2. */
+	SSL_CTX_set_min_proto_version(ssl, TLS1_VERSION);
+#endif
+
+ 	data->ssl = ssl;
+ 	if (conf) {
+ 		data->tls_session_lifetime = conf->tls_session_lifetime;
--- a/wpa_supplicant/0002-Disable-Werror-for-eapol_test.patch
+++ b/wpa_supplicant/0002-Disable-Werror-for-eapol_test.patch
@ -0,0 +1,26 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Andrej Shadura <andrew.shadura@collabora.co.uk>
+Date: Fri, 12 Feb 2021 14:28:19 +0100
+Subject: [PATCH] Disable -Werror for eapol_test
+
+This may make sense for the upstream, but we just want to build
+the tool to be useful to our users; dealing with build errors due
+to issues normally manifesting themselves as warnings is burdening
+for Debian and its downstreams.
+---
+ wpa_supplicant/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
+index 743c8acd683f..04f6dd78b580 100644
+--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
+@@ -187,7 +187,7 @@ CFLAGS += -DCONFIG_ELOOP_KQUEUE
+ endif
+ 
+ ifdef CONFIG_EAPOL_TEST
+-CFLAGS += -Werror -DEAPOL_TEST
+CFLAGS += -DEAPOL_TEST
+ endif
+ 
+ ifdef CONFIG_CODE_COVERAGE
--- a/wpa_supplicant/0003-Allow-legacy-renegotiation-to-fix-PEAP-issues-with-s.patch
+++ b/wpa_supplicant/0003-Allow-legacy-renegotiation-to-fix-PEAP-issues-with-s.patch
@ -0,0 +1,32 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: James Ralston <ralston@pobox.com>
+Date: Sun, 1 May 2022 16:15:23 -0700
+Subject: [PATCH] Allow legacy renegotiation to fix PEAP issues with some
+ servers
+
+Upstream: http://lists.infradead.org/pipermail/hostap/2022-May/040511.html
+---
+ src/crypto/tls_openssl.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index b27c238ec864..59a1b0d9b9c7 100644
+--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
+@@ -1114,6 +1114,16 @@ void * tls_init(const struct tls_config *conf)
+ 	SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
+ 	SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
+ 
+	/* Many enterprise PEAP server implementations (e.g. used in large
+	 corporations and universities) do not support RFC5746 secure
+	 renegotiation, and starting with OpenSSL 3.0,
+	 SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL.
+	 So until we implement a way to request SSL_OP_LEGACY_SERVER_CONNECT
+	 only in EAP peer mode, just set SSL_OP_LEGACY_SERVER_CONNECT
+	 globally. */
+
+	SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
+
+ 	SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);
+ 
+ #ifdef SSL_MODE_NO_AUTO_CHAIN
--- a/wpa_supplicant/0004-Tweak-D-Bus-systemd-service-activation-configuration.patch
+++ b/wpa_supplicant/0004-Tweak-D-Bus-systemd-service-activation-configuration.patch
@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kel Modderman <kel@otaku42.de>
+Date: Sat, 21 Apr 2012 15:59:32 +1000
+Subject: [PATCH] Tweak D-Bus/systemd service activation configuration files:
+
+ * log wpa_supplicant messages to syslog
+ * activate control socket interface so that wpa_cli can be used by D-Bus
+   activated wpa_supplicant daemon
+---
+ wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in | 2 +-
+ wpa_supplicant/systemd/wpa_supplicant.service.in     | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in b/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in
+index d97ff392175d..3b0af67afde0 100644
+--- a/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in
+++ b/wpa_supplicant/dbus/fi.w1.wpa_supplicant1.service.in
+@@ -1,5 +1,5 @@
+ [D-BUS Service]
+ Name=fi.w1.wpa_supplicant1
+-Exec=@BINDIR@/wpa_supplicant -u
+Exec=@BINDIR@/wpa_supplicant -u -s -O /run/wpa_supplicant
+ User=root
+ SystemdService=wpa_supplicant.service
+diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.in b/wpa_supplicant/systemd/wpa_supplicant.service.in
+index 58a622887cd9..bc0688a800d3 100644
+--- a/wpa_supplicant/systemd/wpa_supplicant.service.in
+++ b/wpa_supplicant/systemd/wpa_supplicant.service.in
+@@ -7,7 +7,7 @@ Wants=network.target
+ [Service]
+ Type=dbus
+ BusName=fi.w1.wpa_supplicant1
+-ExecStart=@BINDIR@/wpa_supplicant -u
+ExecStart=@BINDIR@/wpa_supplicant -u -s -O /run/wpa_supplicant
+ 
+ [Install]
+ WantedBy=multi-user.target
--- a/wpa_supplicant/0005-Add-IgnoreOnIsolate-yes-to-keep-wpa-supplicant-runni.patch
+++ b/wpa_supplicant/0005-Add-IgnoreOnIsolate-yes-to-keep-wpa-supplicant-runni.patch
@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>
+Date: Mon, 13 Mar 2017 13:46:12 -0400
+Subject: [PATCH] Add IgnoreOnIsolate=yes to keep wpa-supplicant running while
+ systemctl isolate
+
+> Add IgnoreOnIsolate=yes so that when switching "runlevels" in
+> oem-config will not kill off wpa and cause wireless to be
+> unavailable on first boot. (LP: #1576024)
+
+Also happens when running systemctl isolate default.target:
+
+> NM should be detecting that wpasupplicant is not running and start
+> it -- this should already have been working by way of wpasupplicant
+> being dbus-activated.
+[...]
+> It seems to me like IgnoreOnIsolate for wpasupplicant would be the
+> right thing to do, or to figure out why it isn't being properly
+> started when NM tries to use it.
+
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1576024
+---
+ wpa_supplicant/systemd/wpa_supplicant.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.in b/wpa_supplicant/systemd/wpa_supplicant.service.in
+index bc0688a800d3..561ae8f827ab 100644
+--- a/wpa_supplicant/systemd/wpa_supplicant.service.in
+++ b/wpa_supplicant/systemd/wpa_supplicant.service.in
+@@ -3,6 +3,7 @@ Description=WPA supplicant
+ Before=network.target
+ After=dbus.service
+ Wants=network.target
+IgnoreOnIsolate=true
+ 
+ [Service]
+ Type=dbus
--- a/wpa_supplicant/0006-Add-reload-support-to-the-systemd-unit-files.patch
+++ b/wpa_supplicant/0006-Add-reload-support-to-the-systemd-unit-files.patch
@ -0,0 +1,68 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Ryutaroh Matsumoto <ryutaroh.matsumoto@nagoya-u.jp>
+Date: Mon, 8 Jul 2019 00:25:48 +0900
+Subject: [PATCH] Add reload support to the systemd unit files
+
+When wifi password is written in /etc/wpa_supplicant/wpa_supplicant-if.conf,
+wpa_supplicant@if.service is started by systemd.
+When one adds a new pair of SSID and its password in the above config
+file, wpa_supplicant has to reload the changed config file.
+But "systemctl reload" was not accepted because "ExecReload" was missing
+from wpa_supplicant@.service.
+
+Bug-Debian: https://bugs.debian.org/931554
+---
+ wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in | 1 +
+ wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in   | 1 +
+ wpa_supplicant/systemd/wpa_supplicant.service.arg.in         | 1 +
+ wpa_supplicant/systemd/wpa_supplicant.service.in             | 1 +
+ 4 files changed, 4 insertions(+)
+
+diff --git a/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in
+index 4eab33526bba..577e550477f0 100644
+--- a/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in
+++ b/wpa_supplicant/systemd/wpa_supplicant-nl80211.service.arg.in
+@@ -10,6 +10,7 @@ Wants=network.target
+ [Service]
+ Type=simple
+ ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-nl80211-%I.conf -Dnl80211 -i%I
+ExecReload=/bin/kill -HUP $MAINPID
+ 
+ [Install]
+ WantedBy=multi-user.target
+diff --git a/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in
+index ca3054bc6d55..c0855babd4d1 100644
+--- a/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in
+++ b/wpa_supplicant/systemd/wpa_supplicant-wired.service.arg.in
+@@ -10,6 +10,7 @@ Wants=network.target
+ [Service]
+ Type=simple
+ ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-wired-%I.conf -Dwired -i%I
+ExecReload=/bin/kill -HUP $MAINPID
+ 
+ [Install]
+ WantedBy=multi-user.target
+diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.arg.in b/wpa_supplicant/systemd/wpa_supplicant.service.arg.in
+index b0d610fa8efb..57f6f51ce4cf 100644
+--- a/wpa_supplicant/systemd/wpa_supplicant.service.arg.in
+++ b/wpa_supplicant/systemd/wpa_supplicant.service.arg.in
+@@ -10,6 +10,7 @@ Wants=network.target
+ [Service]
+ Type=simple
+ ExecStart=@BINDIR@/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant-%I.conf -i%I
+ExecReload=/bin/kill -HUP $MAINPID
+ 
+ [Install]
+ WantedBy=multi-user.target
+diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.in b/wpa_supplicant/systemd/wpa_supplicant.service.in
+index 561ae8f827ab..18cbc1108597 100644
+--- a/wpa_supplicant/systemd/wpa_supplicant.service.in
+++ b/wpa_supplicant/systemd/wpa_supplicant.service.in
+@@ -9,6 +9,7 @@ IgnoreOnIsolate=true
+ Type=dbus
+ BusName=fi.w1.wpa_supplicant1
+ ExecStart=@BINDIR@/wpa_supplicant -u -s -O /run/wpa_supplicant
+ExecReload=/bin/kill -HUP $MAINPID
+ 
+ [Install]
+ WantedBy=multi-user.target
--- a/wpa_supplicant/0007-nl80211-add-extra-ies-only-if-allowed-by-driver.patch
+++ b/wpa_supplicant/0007-nl80211-add-extra-ies-only-if-allowed-by-driver.patch
@ -0,0 +1,73 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: David Bauer <mail@david-bauer.net>
+Date: Sun, 30 Jan 2022 20:22:00 +0100
+Subject: [PATCH] nl80211: add extra-ies only if allowed by driver
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upgrading wpa_supplicant from 2.9 to 2.10 breaks broadcom-wl
+based adapters. The reason for it is hostapd tries to install additional
+IEs for scanning while the driver does not support this.
+
+The kernel indicates the maximum number of bytes for additional scan IEs
+using the NL80211_ATTR_MAX_SCAN_IE_LEN attribute. Save this value and
+only add additional scan IEs in case the driver can accommodate these
+additional IEs.
+
+Reported-by: Étienne Morice <neon.emorice@mail.com>
+Tested-by: Étienne Morice <neon.emorice@mail.com>
+Signed-off-by: David Bauer <mail@david-bauer.net>
+
+Bug: http://lists.infradead.org/pipermail/hostap/2022-January/040178.html
+Bug-ArchLinux: https://bugs.archlinux.org/task/73495
+Bug-Debian: https://bugs.debian.org/1004524
+Origin: http://lists.infradead.org/pipermail/hostap/2022-January/040185.html
+---
+ src/drivers/driver.h              | 3 +++
+ src/drivers/driver_nl80211_capa.c | 4 ++++
+ src/drivers/driver_nl80211_scan.c | 2 +-
+ 3 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/drivers/driver.h b/src/drivers/driver.h
+index 4331782d897a..243e9b5cc4d8 100644
+--- a/src/drivers/driver.h
+++ b/src/drivers/driver.h
+@@ -2357,6 +2357,9 @@ struct wpa_driver_capa {
+ 	/** Maximum number of iterations in a single scan plan */
+ 	u32 max_sched_scan_plan_iterations;
+ 
+	/** Maximum number of extra IE bytes for scans */
+	u16 max_scan_ie_len;
+
+ 	/** Whether sched_scan (offloaded scanning) is supported */
+ 	int sched_scan_supported;
+ 
+diff --git a/src/drivers/driver_nl80211_capa.c b/src/drivers/driver_nl80211_capa.c
+index 26c1f41406d2..d5ba66b1073e 100644
+--- a/src/drivers/driver_nl80211_capa.c
+++ b/src/drivers/driver_nl80211_capa.c
+@@ -976,6 +976,10 @@ static int wiphy_info_handler(struct nl_msg *msg, void *arg)
+ 			nla_get_u32(tb[NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS]);
+ 	}
+ 
+	if (tb[NL80211_ATTR_MAX_SCAN_IE_LEN])
+		capa->max_scan_ie_len =
+			nla_get_u16(tb[NL80211_ATTR_MAX_SCAN_IE_LEN]);
+
+ 	if (tb[NL80211_ATTR_MAX_MATCH_SETS])
+ 		capa->max_match_sets =
+ 			nla_get_u8(tb[NL80211_ATTR_MAX_MATCH_SETS]);
+diff --git a/src/drivers/driver_nl80211_scan.c b/src/drivers/driver_nl80211_scan.c
+index b055e684a9f8..a8ea8f2cf1d7 100644
+--- a/src/drivers/driver_nl80211_scan.c
+++ b/src/drivers/driver_nl80211_scan.c
+@@ -221,7 +221,7 @@ nl80211_scan_common(struct i802_bss *bss, u8 cmd,
+ 		wpa_printf(MSG_DEBUG, "nl80211: Passive scan requested");
+ 	}
+ 
+-	if (params->extra_ies) {
+	if (params->extra_ies && drv->capa.max_scan_ie_len >= params->extra_ies_len) {
+ 		wpa_hexdump(MSG_MSGDUMP, "nl80211: Scan extra IEs",
+ 			    params->extra_ies, params->extra_ies_len);
+ 		if (nla_put(msg, NL80211_ATTR_IE, params->extra_ies_len,
--- a/wpa_supplicant/PKGBUILD
+++ b/wpa_supplicant/PKGBUILD
@ -5,82 +5,100 @@
 # Contributor: loqs

 pkgname=wpa_supplicant
-pkgver=2.10
-pkgrel=8
+pkgver=2.11
+pkgrel=2
 epoch=2
 pkgdesc='A utility providing key negotiation for WPA wireless networks'
 url='https://w1.fi/wpa_supplicant/'
 arch=(x86_64 powerpc64le powerpc64 powerpc riscv64)
-license=(GPL)
-depends=(openssl libdbus readline libnl pcsclite)
+license=(BSD-3-Clause)
+depends=(
+  glibc
+  libdbus
+  libnl
+  openssl
+  pcsclite
+  readline
+)
+makedepends=(
+  docbook-sgml
+  docbook-utils
+  git
+  perl-sgmls
+)
 install=wpa_supplicant.install
 source=(
-  https://w1.fi/releases/${pkgname}-${pkgver}.tar.gz{,.asc}
+  "git+https://w1.fi/hostap.git?signed#tag=hostap_${pkgver//./_}"
  wpa_supplicant_config
-  wpa_supplicant_tls.patch
-  wpa_supplicant_dbus_service_syslog.patch
-  wpa_supplicant_service_ignore-on-isolate.patch
-  wpa_supplicant-legacy-server-connect.patch
-  lower_security_level_for_tls_1.patch
-  disable-eapol-werror.patch
-  0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch
-  0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch
-)
-validpgpkeys=('EC4AA0A991A5F2464582D52D2B6EF432EFC895FA') # Jouni Malinen
-sha256sums=('20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f'
-            'SKIP'
-            '1e32af4a1a147ee75358fd0b5636fb41332a7b91ec7a904292178256f735e9d2'
-            '08915b040d03a3e07cdc8ea6c76b497e00059e01ce85b67413dfe41d4fc68992'
-            '60f6a1cf2e124813dfce1da78ee1818e2ff5236aafa4113c7ae3b3f2a0b84006'
-            'd42bdbf3d4980b9f0a819612df0c39843c7e96c8afcb103aa656c824f93790b0'
-            '8fba11e4a5056d9e710707ded93341f61fdfef6c64ced992e3936cbd2d41a011'
-            'c3c0fb363f734c1512d24fd749b3ff7515f961b27bfadd04c128434b5c9f4a93'
-            '9aca193cc26682765467cf9131240e5de71f9b49a765a934284da5e308ea904e'
-            '7901d42eda48f82106901cbeb5e7be39025c878d5085a0a0d54ccbe36c3ecef4'
-            '24e844b0a08fe3fede1676cedfe29643375ae56ab1a5fe4f5783765a7b759c15')
-
-prepare() {
-  cd $pkgname-$pkgver

  # More permissive TLS fallback
-  patch -Np1 -i ../wpa_supplicant_tls.patch
-
-  # Unit improvements from Ubuntu
-  patch -Np1 -i ../wpa_supplicant_dbus_service_syslog.patch
-
-  # More unit improvements from Ubuntu
-  patch -Np1 -i ../wpa_supplicant_service_ignore-on-isolate.patch
-
-  # https://bugzilla.redhat.com/show_bug.cgi?id=2072070#c24
-  patch -Np1 -i ../wpa_supplicant-legacy-server-connect.patch
-
-  # http://lists.infradead.org/pipermail/hostap/2022-May/040571.html
-  # https://bugs.archlinux.org/task/76474
-  patch -Np1 -i ../lower_security_level_for_tls_1.patch
+  0001-Enable-TLSv1.0-by-default.patch

  # https://salsa.debian.org/debian/wpa/-/commit/13e1d28e4f987a220c546df94df86bb9b2371874
-  patch -Np1 -i ../disable-eapol-werror.patch
+  0002-Disable-Werror-for-eapol_test.patch

-  # http://lists.infradead.org/pipermail/hostap/2022-January/040178.html
-  patch -Np1 -i ../0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch
+  # https://lists.infradead.org/pipermail/hostap/2022-May/040511.html
+  # https://bugs.archlinux.org/task/76474
+  0003-Allow-legacy-renegotiation-to-fix-PEAP-issues-with-s.patch

-  # https://lists.infradead.org/pipermail/hostap/2022-April/040352.html
-  patch -Np1 -i ../0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch
+  # Unit improvements from Ubuntu
+  0004-Tweak-D-Bus-systemd-service-activation-configuration.patch
+  0005-Add-IgnoreOnIsolate-yes-to-keep-wpa-supplicant-runni.patch
+
+  # More unit improvements from Debian
+  0006-Add-reload-support-to-the-systemd-unit-files.patch
+
+  # https://lists.infradead.org/pipermail/hostap/2022-January/040178.html
+  0007-nl80211-add-extra-ies-only-if-allowed-by-driver.patch
+)
+b2sums=('163d2e6644902f36b3b5f25e328221fa34495d745801e8d3dce874b05366c81370ef75c8f7e0198e206a3d04c5ea4bb501bf97693fa481e15cf5067d80ab0c1e'
+        '9785af24e59e3d48dc3ab055cc6b9e5bbf081e801fbbfa70d532c2ad8f7f4e59c2679385c75aa02f856ec387cd5182640ff91d892aed9846c738da57e05574d9'
+        '96b82aaa5315e931424150d47e52f70186e2eea3928a5c97792473b69e8f92463863e8044e073bf940d597a3620f63381bd6996a594c85977785cdce4038f768'
+        'bd00e0f6c04db9c2dc274763b97dace4d886fb105b0a605bb15877ee84e4a93a7b95ab9a0242b4937c748c8e7991e3dddb795ac4c2b0e99be0f5e48098041b70'
+        'aaa7604faf1fede451582c8b981579cc86724a66c783d8368d1c122e0c381b75842d83bd85a982c1d4461d65bc74e62d34768762d15b4005a24a17e1392a109a'
+        '7175e7aab682370aef1b3358eaa839dcb009e12940aa2b9949c8c3254406341433e84af09d09ad670bf41f5201d979af02095c87a368b76465a952b1be9de049'
+        '6472d571f18c3ee718315888b9c756c4579a4b411e8c6994002f9a79fb0a36fbebe8b3d419af0f9ea881dd1bc439d03dbe3c6d6661e670f16575197c31f0bd7a'
+        'c1ce2e8d6f42cbc8181aeb2bdc19d4a22bff804c18f6e505d8315a294c67c936e90135046812ec37765be3d0f433e31554604deb1d7b160549d7e3284610a22b'
+        '28bf078147cc2f3395d3f907d6d900c7976dbd9948a9513f1d7ef32a40b89fee55e243c9302d24eda62dc1f813857fa09ae79e6faf52881e463a163acb437380')
+validpgpkeys=(
+  EC4AA0A991A5F2464582D52D2B6EF432EFC895FA # Jouni Malinen <j@w1.fi>
+)
+
+prepare() {
+  cd hostap
+
+  local src
+  for src in "${source[@]}"; do
+    [[ $src = *.patch ]] || continue
+    echo "Applying patch $src..."
+    patch -Np1 < "../$src"
+  done

  cp ../wpa_supplicant_config $pkgname/.config
 }

-build() {
-  cd $pkgname-$pkgver/$pkgname
+_make() {
+  local make_options=(
+    BINDIR=/usr/bin
+    LIBDIR=/usr/lib
+    "$@"
+  )

-  make LIBDIR=/usr/lib BINDIR=/usr/bin
-  make LIBDIR=/usr/lib BINDIR=/usr/bin eapol_test
+  make "${make_options[@]}"
+}
+
+build() {
+  cd hostap/$pkgname
+
+  _make
+  _make eapol_test
+  _make -C doc/docbook man
 }

 package() {
-  cd $pkgname-$pkgver/$pkgname
+  cd hostap/$pkgname

-  make LIBDIR=/usr/lib BINDIR=/usr/bin DESTDIR="$pkgdir" install
+  _make DESTDIR="$pkgdir" install

  install -Dm755 eapol_test "$pkgdir/usr/bin/eapol_test"

@ -98,4 +116,8 @@ package() {
  rm "$pkgdir"/usr/share/man/man8/wpa_{priv,gui}.8

  install -Dm644 systemd/*.service -t "$pkgdir/usr/lib/systemd/system"
+
+  install -Dm644 ../README "$pkgdir/usr/share/licenses/$pkgname/LICENSE"
 }
+
+# vim:set sw=2 sts=-1 et:
--- a/wpa_supplicant/keys/pgp/EC4AA0A991A5F2464582D52D2B6EF432EFC895FA.asc
+++ b/wpa_supplicant/keys/pgp/EC4AA0A991A5F2464582D52D2B6EF432EFC895FA.asc
@ -0,0 +1,36 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGiBDoydw4RBAC9vfqCsU+dgrxUSdGf70zrEAIBxcjeqHusovztR65XOWE0ccjm
+QS2TVgJM+OzYg9FJG7DuLQZDwhR10BZKJfG97fNyZVBCoO90bEcTufn96oceJlz/
+MHmy99+i6wYdIKYzvmaxcC1QPhENr1scgin9nMiW1MTPJ7sSgjDqd0QPVwCgmaZU
+pzhKRusR5E/MmgI2kz73Ui0D/03lVNypkQTbuBp1q71YqT9qjO8+5kXU5QXJhel0
+qUgJHcu3rdnIVaiANw1qauMM0DtnRKOtcaZntn03sFNnaJRx0JlmLa/cMP0nm1kP
+nR6Q3Cruz7InJnJZDXGsGH/ku4OcYLUJ8UgqzaO0J5o66j7pxQQDo1UAs4PQaoYq
+/ECbA/9B6b3TzuHdqUgS/g2AYTc5MU+i92ydrBv2g9SPuH78m/X4YicGR1HF7yNi
+J/hiVa/axBUHpXE4vW0Bndj1bN4sctFeGGezGRaLiiggZkBBNnL8nF5eZebLvPrv
+4kr8Cchz+lGF5UFNVyLWwi/I5CSUqUtSXOD1Q9WcXoqJcrE2brQXSm91bmkgTWFs
+aW5lbiA8akB3MS5maT6IYgQTEQIAIgIbIwYLCQgHAwIEFQIIAwMWAgECHgECF4AF
+AkZbB/QCGQEACgkQK270Mu/IlfpuGACfd0WargWDeja0VW+R9TSKjRIfO1cAn1A8
+nkiso1bg/CvU56wSvpU4MpF6tBlKb3VuaSBNYWxpbmVuIDxqbUBraXIubnU+iF8E
+ExECAB8FAkZbB5sCGyMGCwkIBwMCBBUCCAMDFgIBAh4BAheAAAoJECtu9DLvyJX6
+BmAAnRSeK5z2ClLwuV5i1CtP9w2v85TkAJ9XLkaqrNqX4yDxoHqbEpHkHZ6d17Qi
+Sm91bmkgTWFsaW5lbiA8amttYWxpbmVAY2MuaHV0LmZpPohXBBMRAgAXBQI6Mn1J
+BQsHCgMEAxUDAgMWAgECF4AACgkQK270Mu/IlfqZmQCeN9xC1eqSD3xiUa/z+SMA
+2Gd5NvkAnRuwbogLyTyBb8HqC1LxISWkTSBvtCBKb3VuaSBNYWxpbmVuIDxqbUBq
+bS5lcGl0ZXN0LmZpPohXBBMRAgAXBQI6MncOBQsHCgMEAxUDAgMWAgECF4AACgkQ
+K270Mu/IlfqNLwCeLGNO35p6s0fHzCio7tYYapCHXlgAniIgNRdn+9BmfLUUb97D
+MT+t1RWauQINBDoyd1sQCAC8qbv50m22q9hhs54GMD+Xemg0dHiHuuTtVPYugJqT
+SlhSS8QJBdulR8hYYDGHbTzjB/ksiQFOcISZZ+zQRIGqLbNldf6taGUTIhZkIh09
+0RYLXCYoMFB8XLBOaLVRy7SMwsPXdbIRkT9v9CzMjZcTUVjwObQKRpTie0JZhc//
+CUmY76scpRY5ifDXT9NOr5uMA3W5FI1AFc3d856BYhdnhcuJn+QQS+Xsj3r2vpVz
+YHoS+nT0nQ9iwmqPtRHep+t1cudqEouaWT8tpXkSB0Y0MjOPyGnNDkg9om3gj5QK
+zMDcQCxCVTHjqVUrmW6Bs2Rm2YVMBu/TIG4E9hEK8Ma/AAMFB/4pOot8lGbAJcov
+gtSEvna6WyOnFtmC8UCXJyf1MnzzLAO6Fvf8cz16ig2o+7bgKiQeWxwd7LJEicv2
+kD33fZl3OqSZbNdfsOxB9g+jtWC+vOXGKzr6Pi7fIBXgkhxF/eWbhFg7Kj4rd+jB
+I9F7uK/wPyY8JivH8vy2w6Boipc3S7qcUn5Gk58w0EuZrAHSGKt9QWd/p7ppIfgg
+mbc77YFWzM/z9fiMWp4+YIJkEH6unz3+91qQXUC4JGL6QMnsIoieqoAk/6rHMCTf
+hFSvQxuhxpLUI+PT9sAvIBZLZta6hvIiYVpSTzZxiVmuioVHUhPVQdcpO5Mrr1VH
+DwC+ZH8miEYEGBECAAYFAjoyd1sACgkQK270Mu/IlfrRCACfWEtm3et85knJeUK2
+ApdQ54Evxn4AoIYi35jctzD/SfJzPiE15zTRS8NN
+=fN+f
+-----END PGP PUBLIC KEY BLOCK-----