gentoo resync : 24.12.2018

8 files changed, 192 insertions, 435 deletions

diff --git a/net-wireless/wpa_supplicant/Manifest b/net-wireless/wpa_supplicant/Manifest
index fe9df8bed0c0..d3ef9de00be4 100644
--- a/net-wireless/wpa_supplicant/Manifest
+++ b/net-wireless/wpa_supplicant/Manifest
@@ -6,17 +6,20 @@ AUX 2017-1/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch 194
 AUX 2017-1/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch 4309 BLAKE2B 6164e0343d7e4bedcaf2be9c3800eeb146a564fffeb339d032706797c04f268ade0674e67c962653c2a124af5a8ff8d28004bbeba0f3e73b166dbed03cd9a355 SHA512 37d050b2e4a3598484912667d8b2705fbe84c5c562267f900d42b0c7b606fb1fed09ddca8b80e2131768baa8f3690aab6ba7a232dee6ff1e66150fdb8816c927
 AUX 2017-1/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch 1649 BLAKE2B a8a486e782b7095c3eeb13706d815cd2f72ddf94c50e5bc8c3a9f36fc68580b1a10150ce405a161f2af2f2e5f2e5ba63d6c54807fcd9c71337956d69cd57b90e SHA512 111e655cfbb3a86e3792040e0ea375490d31c42c9d43cbe911290d54df5f4db437e4c8ad0e937c51729dcefeb0db0989b8ab55b9523398683abd08ebfec18076
 AUX 2017-1/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch 2750 BLAKE2B 059da1df148c8db68c9fa6aa656e46da301ebe7de3e41ecd4675ca579ebf6f1a66395e852cd8b562743ba83a345d4860618ea11bd01304a3386867115867fb9f SHA512 fc84edd8b30305cc42053c872554098f3f077292ec980ed6a442f37884087ff2f055738fd55977ed792bef1887dcc8c4626586465d78dd0258edb83dcd50a65a
+AUX rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch 1999 BLAKE2B d261d3184fcb57f804aeaad487dcbd81f1b74b1145f90285cc226839675b00bc6bf21ac8ec3a891427d3ce01a398d2fe118184ae36effa62df199e8398c1cb24 SHA512 c275cb1a41901d3e5389ca301809baa16a73b40afdcd3a24b63b294e1b9e5eaead148b30742273deecbdd03c6b387a6b3da74de2ae6c49a499b5dd326ff4da9f
 AUX wpa_cli.sh 1284 BLAKE2B 50757aa432bf714923d0ff5e2e8357bf3126c82dcfebbc2c342325ad97e3ca95a15ea138f9a55e5a7b9ac86cb2518c173e7d5186d5feb3e57ac762a71b11ef85 SHA512 250372231eda6f7228fcf76b13fc1b95637d0d9dec96b7bef820bfa1af1496f218909f521daf2ddb2ca81d0ebb3162500f833575b64d8d2b4820c247499e1c56
 AUX wpa_supplicant-2.6-do-not-call-dbus-functions-with-NULL-path.patch 486 BLAKE2B 877e15a45851331a1499cf8bc96fd514d88b6b270f54d52760e46cc7edbcc4b74a48a0271f0c93b546bb659203c56fdfba63b231757c21ca8ee6ade98406ac2e SHA512 dac56bc505a51167042ebe548f0e81a20a5578f753af9bb7ec3335a542d799c6e8739681ef7c8f7747a9bc954f8aa6f1a147250eacba17fd7fff80c4e53638ed
 AUX wpa_supplicant-2.6-libressl-compatibility.patch 3873 BLAKE2B 281029d49bd4267df5913aa87b2e70741def66646f6cfbf5cf163e88522ae5bb933be3ed0df971ff2872a25a36584409feb0d22acf8254f446421201026b1ce8 SHA512 61c4cfeb119a9bc7ab1d4f690c1af5bce2def7836212469011c277ad4d97ab601d2a1efca7dc7bea433d974a8820aed7740e2cf047a0c63734d8a71e3df14e45
 AUX wpa_supplicant-2.6-libressl.patch 3003 BLAKE2B 49781bcb77e84912b8f46ec992da7c6b1b015cc793208e1f8afa6457991bcc1be130810d90671f0e53fa65dcebd4528c6e359f69a2576ee715317b796d31eec2 SHA512 2fb29ec14db2f33f8c011e1c2e98eef4d36b2e9f3b36f6058c390484ae5c64ad5d67aa25f138829503fabfac374bda24172871bdefef2a0566db963a5a362ec8
+AUX wpa_supplicant-2.6-openssl-1.1.patch 1777 BLAKE2B 0c879e05aba224524919a3879cf5995bae9f973c5629079292cb17666151b981748d9e7ab8589da977cc2c04b96c232abba359446ee14b5a69742b865293f746 SHA512 638d1238387382bdd888158f4c97b2af13d16ec12db31e2d409957bf00fa45fbf3a1beb109c56c815b0dc64a861b17cccc4d7cc998110c772dd2d1bfa724efc5
+AUX wpa_supplicant-2.7-fix-undefined-remove-ie.patch 1115 BLAKE2B 207c8265f6819b9d956cd99cd1f1056d6fcdf6f857fc63150a9419ee83263e0173f2e8f00b061a4c48eb516cb1c3c00f5137a9bacb857dbe6d5e6f912d77c574 SHA512 5e790b3ae50f3d29cb38f73cff30f8994798e7bdbecc9f852def910a8150c1724c051bbb52603fa9c6818c950a5fe347bccd21848427f31f54d641ae40621c3f
 AUX wpa_supplicant-conf.d 291 BLAKE2B 348e7d21fe01d2fdd2117adf22444557fa3d401f649489afd1636105cdddc29d58d45659c5368cc177f919ce94a7e2b5a9ed3fe8ddccd1fba3d059d270bae1a8 SHA512 6bbb9d4f6132b3d4e20cd65f27245ccadd60712ef5794261499f882057a930a393297e491d8147e04e30c0a53645af0eb3514332587118c19b5594f23f1d62ad
 AUX wpa_supplicant-init.d 1250 BLAKE2B 159ebbd5a3552cbd8fdd6d48984c3a511e77cf1e140f56fc1d3e6b16454351a270e566dd7fc4717b92251193bdf59a77f57fc3fdd1d53b067f2e5253796c041b SHA512 f7439937a11d7a91eee98ab9e16a4853ce8e27395970007ae60ca9a8b1852fadc4a37ee0bf81d7e4806c545f70b139f26942ed1630db070abe8fe8e5ce752403
 AUX wpa_supplicant.conf 183 BLAKE2B ea25d56f366783548b8d4bc14615d89d1c9cff1e6535992d14fa2f87a095b6c7226fbdf6b2d2ecd5fdcc13fb413fc56d5294f906c840ab3f9386c99ea69139fc SHA512 425a5c955d462ea0d0d3f79c3e1bbf68e15b495df04ad03ed7aee12408b52616af05650dfc147ca5940d69e97360c33995d33733820fef8eb8769b31e58434e8
 DIST wpa_supplicant-2.6.tar.gz 2753524 BLAKE2B 99c61326c402f60b384fa6c9a7381e43d4d021d7e44537a6e05552909270f30997da91b690d8a30aa690f0d1ce0aed7798bd8bb8972fcf6830c282ccc91193ac SHA512 46442cddb6ca043b8b08d143908f149954c238e0f3a57a0df73ca4fab9c1acd91b078f3f26375a1d99cd1d65625986328018c735d8705882c8f91e389cad28a6
-EBUILD wpa_supplicant-2.6-r3.ebuild 11044 BLAKE2B ec092b2d8c8094c19ce1e019642ff074cfcc8ab40045d394e01c219fad6cb306dd0c8e6e33879c33d950d95af5bb5e851a667030aad5cc1fe6c9b5aeb6d9fc7d SHA512 2e2b23824a0a073a44e7c40cf21bc06f797a34d8768ecd645aa0f7216c81e1f0425fb09129824b1d927166f0d6fce0f4cff87afd1f65214db4546d83031c1e62
-EBUILD wpa_supplicant-2.6-r5.ebuild 11782 BLAKE2B b74866e78cc82cb5e3600135052024c11b628371932b52634754fa578c6f31ed0d58f5ba2e980fdd7f1ddf50c92e721e538098af2270a9061c64ee5e902940fe SHA512 afd5fc95a798031f7ac84fb17737a113db720686d9ad304d2abfd56b4c16468fc446926594ff87b17438d2b9c39762865782de794019a780074df87f9479307e
+DIST wpa_supplicant-2.7.tar.gz 3093713 BLAKE2B bbf961b6e13757e9d7bb8b9de1808382a551265cd2d54de14e24bde3567aa5298b48fdcd0df75db79189a051532c54b28eab5519c32fc8fc00459365b57039aa SHA512 8b6eb5b5f30d351c73db63d73c09f24028a18166246539b4a4f89f0d226fb42751afa2ff72296df33317f615150325d285e8e7bda30e0d88abcdc9637ab731d3
+EBUILD wpa_supplicant-2.6-r10.ebuild 12648 BLAKE2B c67a87d8edae237a17d8799fb79c2aad65da5ba6a8c80d2a8ad925542e8fb0494a5f7732a0b9e4915d64f564507c347559c459e29190e10713474b4d00c27afe SHA512 518d7f5ba4f7cd0587151af95024b8d42d7220677ba2fc73a7b29a7e6a5c47b0947e7c353d74f38fe46f17f5fe91dc6c4bd61688a8a4fe2769e55f7e48131a20
 EBUILD wpa_supplicant-2.6-r6.ebuild 11810 BLAKE2B 2c4dccf5392657392567b56598a9cf98ab968b34da44210a7608e1eda9e2eea3fbadcd6c51bbd6cffab841295cf49aa8f17d2602be537fc107b7d08370282955 SHA512 eb1a814b2cb50a5b0752061b3563c514c69c4bd637b83f9ee0e477310510869d05a1f5cbc9e2f3f894886e4309fc60c10d2f77b30adcba9d590bf9c8adde93eb
-EBUILD wpa_supplicant-2.6-r8.ebuild 12421 BLAKE2B 83f93e2381b3108939901b18a5222e0a632fd79913ba6f5c2d454e871bceb65f3d9a87dea0a5eaab2f556866ee1e554d570c7181a6e3aa12fb428a06eab677c6 SHA512 03667d27cc8c82df0b3223649f0c1649a055f3bc52dbd2cdaf6ef44a214033c9d073af41e0c569cd25cc8221db058c1112ece26f14697bc088a5719bc8327622
-EBUILD wpa_supplicant-9999.ebuild 11650 BLAKE2B e9b4ed5aac7d60c348184b07f0b56e7b4cb74f530be90a67fece55916e5065cfc82a66310fa682b6a94763e396a1ad15db967288680e1cb758754453cfacc18e SHA512 a37fbc96d8cd2b64d705fdd9f0d7499cfbf17115b42ab9aeb2d66acc277cdf1e3513a45ff95896ee03b992a2fbcaadb5572a2ff32f48428bc8d50a194f17a598
+EBUILD wpa_supplicant-2.7.ebuild 11704 BLAKE2B ee03f052b3e896025970ae8be65aea336c3c0cee3eed18af4e0f6e8d5a91b1fe1a851954b3114fbdbb8a7cca99b193f9a84509e3ec0ff5cfeff6fa03d6b79d4a SHA512 ad8dedda2a83e5ba230a60b3e32471eba5334ebe7bb80f9e048a09c0701f29652ea4184d29a84736b4708db9325481056301fdff868b085e32f952577507e33b
+EBUILD wpa_supplicant-9999.ebuild 11604 BLAKE2B bba465e8a711a22fda12cfea28378e9cef2b0f634f1c268e55bd8da5a9f630f4ca0001709c54f37160a4aa1dcdd6888f6d20c18fcd53c2b843c7399c00f54b15 SHA512 005f63ab95bdd23156ba9a878fdd06dd119b9a4bf8de2a06a12e48c24851975f8a9d20ace85883184a5ca42289cbb60d578ff8ea1b2aabecde39b79ebf99e2da
 MISC metadata.xml 1387 BLAKE2B d18ad59ec0e7852ed299596a6217d705f3344b1e215875fa5eb4afb9aeb91d17edd77ed35e5cb83b6868b529d3c173574f7d1810f2f145c8398860f72b0792fe SHA512 ab26df54e5dc68ef0db3f654df1dbf144b38d78e63d11d428bd04a4b374c6b704b334e3812a4042b4827bdab887bebe6de24a82c05edb7df7d614d4d4b8925fb
diff --git a/net-wireless/wpa_supplicant/files/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch b/net-wireless/wpa_supplicant/files/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
new file mode 100644
index 000000000000..a62b52c6b9a8
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch
@@ -0,0 +1,44 @@
+From 3e34cfdff6b192fe337c6fb3f487f73e96582961 Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+Date: Sun, 15 Jul 2018 01:25:53 +0200
+Subject: [PATCH] WPA: Ignore unauthenticated encrypted EAPOL-Key data
+
+Ignore unauthenticated encrypted EAPOL-Key data in supplicant
+processing. When using WPA2, these are frames that have the Encrypted
+flag set, but not the MIC flag.
+
+When using WPA2, EAPOL-Key frames that had the Encrypted flag set but
+not the MIC flag, had their data field decrypted without first verifying
+the MIC. In case the data field was encrypted using RC4 (i.e., when
+negotiating TKIP as the pairwise cipher), this meant that
+unauthenticated but decrypted data would then be processed. An adversary
+could abuse this as a decryption oracle to recover sensitive information
+in the data field of EAPOL-Key messages (e.g., the group key).
+(CVE-2018-14526)
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+---
+ src/rsn_supp/wpa.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff -upr wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c wpa_supplicant-2.6/src/rsn_supp/wpa.c
+--- wpa_supplicant-2.6.orig/src/rsn_supp/wpa.c	2016-10-02 21:51:11.000000000 +0300
++++ wpa_supplicant-2.6/src/rsn_supp/wpa.c	2018-08-08 16:55:11.506831029 +0300
+@@ -2016,6 +2016,17 @@ int wpa_sm_rx_eapol(struct wpa_sm *sm, c
+ 
+ 	if ((sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) &&
+ 	    (key_info & WPA_KEY_INFO_ENCR_KEY_DATA)) {
++		/*
++		 * Only decrypt the Key Data field if the frame's authenticity
++		 * was verified. When using AES-SIV (FILS), the MIC flag is not
++		 * set, so this check should only be performed if mic_len != 0
++		 * which is the case in this code branch.
++		 */
++		if (!(key_info & WPA_KEY_INFO_MIC)) {
++			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
++				"WPA: Ignore EAPOL-Key with encrypted but unauthenticated data");
++			goto out;
++		}
+ 		if (wpa_supplicant_decrypt_key_data(sm, key, ver, key_data,
+ 						    &key_data_len))
+ 			goto out;
diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-openssl-1.1.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-openssl-1.1.patch
new file mode 100644
index 000000000000..1e2335f34c06
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.6-openssl-1.1.patch
@@ -0,0 +1,48 @@
+From f665c93e1d28fbab3d9127a8c3985cc32940824f Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Sun, 9 Jul 2017 11:14:10 +0200
+Subject: OpenSSL: Fix private key password handling with OpenSSL >= 1.1.0f
+
+Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the
+callback from the SSL object instead of the one from the CTX, so let's
+set the callback on both SSL and CTX. Note that
+SSL_set_default_passwd_cb*() is available only in 1.1.0.
+
+Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
+---
+ src/crypto/tls_openssl.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index fd94eaf..c790b53 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -2796,6 +2796,15 @@ static int tls_connection_private_key(struct tls_data *data,
+ 	} else
+ 		passwd = NULL;
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++	/*
++	 * In OpenSSL >= 1.1.0f SSL_use_PrivateKey_file() uses the callback
++	 * from the SSL object. See OpenSSL commit d61461a75253.
++	 */
++	SSL_set_default_passwd_cb(conn->ssl, tls_passwd_cb);
++	SSL_set_default_passwd_cb_userdata(conn->ssl, passwd);
++#endif /* >= 1.1.0f && !LibreSSL */
++	/* Keep these for OpenSSL < 1.1.0f */
+ 	SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb);
+ 	SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd);
+ 
+@@ -2886,6 +2895,9 @@ static int tls_connection_private_key(struct tls_data *data,
+ 		return -1;
+ 	}
+ 	ERR_clear_error();
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
++	SSL_set_default_passwd_cb(conn->ssl, NULL);
++#endif /* >= 1.1.0f && !LibreSSL */
+ 	SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
+ 	os_free(passwd);
+ 
+-- 
+cgit v0.12
+
diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.7-fix-undefined-remove-ie.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.7-fix-undefined-remove-ie.patch
new file mode 100644
index 000000000000..97a8cc7f3e12
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.7-fix-undefined-remove-ie.patch
@@ -0,0 +1,38 @@
+From f2973fa39d6109f0f34969e91551a98dc340d537 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Mon, 3 Dec 2018 12:00:26 +0200
+Subject: FT: Fix CONFIG_IEEE80211X=y build without CONFIG_FILS=y
+
+remove_ie() was defined within an ifdef CONFIG_FILS block while it is
+now needed even without CONFIG_FILS=y. Remove the CONFIG_FILS condition
+there.
+
+Fixes 8c41734e5de1 ("FT: Fix Reassociation Request IEs during FT protocol")
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ wpa_supplicant/sme.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
+index 39c8069..f77f751 100644
+--- a/wpa_supplicant/sme.c
++++ b/wpa_supplicant/sme.c
+@@ -1386,7 +1386,6 @@ void sme_event_auth(struct wpa_supplicant *wpa_s, union wpa_event_data *data)
+ }
+ 
+ 
+-#ifdef CONFIG_FILS
+ #ifdef CONFIG_IEEE80211R
+ static void remove_ie(u8 *buf, size_t *len, u8 eid)
+ {
+@@ -1401,7 +1400,6 @@ static void remove_ie(u8 *buf, size_t *len, u8 eid)
+ 	}
+ }
+ #endif /* CONFIG_IEEE80211R */
+-#endif /* CONFIG_FILS */
+ 
+ 
+ void sme_associate(struct wpa_supplicant *wpa_s, enum wpas_mode mode,
+-- 
+cgit v0.12
+
diff --git a/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r8.ebuild b/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r10.ebuild
index 15d823b942f1..aee917dd595b 100644
--- a/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r8.ebuild
+++ b/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r10.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2018 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=6
@@ -11,7 +11,7 @@ SRC_URI="https://w1.fi/releases/${P}.tar.gz"
 LICENSE="|| ( GPL-2 BSD )"
 
 SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd"
+KEYWORDS="~alpha amd64 arm ~arm64 ~ia64 ~mips ppc ppc64 ~sparc x86 ~x86-fbsd"
 IUSE="ap bindist dbus eap-sim eapol_test fasteap gnutls +hs2-0 libressl p2p privsep ps3 qt5 readline selinux smartcard ssl suiteb tdls uncommon-eap-types wimax wps kernel_linux kernel_FreeBSD"
 REQUIRED_USE="smartcard? ( ssl )"
 
@@ -133,6 +133,9 @@ src_prepare() {
 	# bug (596332 & 651314)
 	eapply "${FILESDIR}/${P}-libressl-compatibility.patch"
 
+	# bug (671006)
+	eapply "${FILESDIR}/${P}-openssl-1.1.patch"
+
 	# https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
 	eapply "${FILESDIR}/2017-1/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch"
 	eapply "${FILESDIR}/2017-1/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch"
@@ -143,6 +146,9 @@ src_prepare() {
 	eapply "${FILESDIR}/2017-1/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch"
 	eapply "${FILESDIR}/2017-1/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch"
 
+	# https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
+	eapply "${FILESDIR}/rebased-v2.6-0001-WPA-Ignore-unauthenticated-encrypted-EAPOL-Key-data.patch"
+
 	# bug (640492)
 	sed -i 's#-Werror ##' wpa_supplicant/Makefile || die
 }
diff --git a/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r3.ebuild b/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r3.ebuild
deleted file mode 100644
index 94efb65ea575..000000000000
--- a/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r3.ebuild
+++ /dev/null
@@ -1,401 +0,0 @@
-# Copyright 1999-2017 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-
-inherit eutils qmake-utils systemd toolchain-funcs readme.gentoo-r1
-
-DESCRIPTION="IEEE 802.1X/WPA supplicant for secure wireless transfers"
-HOMEPAGE="https://w1.fi/wpa_supplicant/"
-SRC_URI="https://w1.fi/releases/${P}.tar.gz"
-LICENSE="|| ( GPL-2 BSD )"
-
-SLOT="0"
-KEYWORDS="~alpha amd64 arm ~arm64 ~ia64 ~mips ppc ppc64 ~sparc x86 ~x86-fbsd"
-IUSE="ap dbus gnutls eap-sim fasteap +hs2-0 libressl p2p ps3 qt5 readline selinux smartcard ssl tdls uncommon-eap-types wimax wps kernel_linux kernel_FreeBSD"
-REQUIRED_USE="fasteap? ( !ssl ) smartcard? ( ssl )"
-
-CDEPEND="dbus? ( sys-apps/dbus )
-	kernel_linux? (
-		dev-libs/libnl:3
-		net-wireless/crda
-		eap-sim? ( sys-apps/pcsc-lite )
-	)
-	!kernel_linux? ( net-libs/libpcap )
-	qt5? (
-		dev-qt/qtcore:5
-		dev-qt/qtgui:5
-		dev-qt/qtsvg:5
-		dev-qt/qtwidgets:5
-	)
-	readline? (
-		sys-libs/ncurses:0=
-		sys-libs/readline:0=
-	)
-	ssl? (
-		gnutls? (
-			dev-libs/libgcrypt:0=
-			net-libs/gnutls:=
-		)
-		!gnutls? (
-			!libressl? ( dev-libs/openssl:0= )
-			libressl? ( dev-libs/libressl:0= )
-		)
-	)
-	!ssl? ( dev-libs/libtommath )
-"
-DEPEND="${CDEPEND}
-	virtual/pkgconfig
-"
-RDEPEND="${CDEPEND}
-	selinux? ( sec-policy/selinux-networkmanager )
-"
-
-DOC_CONTENTS="
-	If this is a clean installation of wpa_supplicant, you
-	have to create a configuration file named
-	${EROOT%/}/etc/wpa_supplicant/wpa_supplicant.conf
-	An example configuration file is available for reference in
-	${EROOT%/}/usr/share/doc/${PF}/
-"
-
-S="${WORKDIR}/${P}/${PN}"
-
-Kconfig_style_config() {
-		#param 1 is CONFIG_* item
-		#param 2 is what to set it = to, defaulting in y
-		CONFIG_PARAM="${CONFIG_HEADER:-CONFIG_}$1"
-		setting="${2:-y}"
-
-		if [ ! $setting = n ]; then
-			#first remove any leading "# " if $2 is not n
-			sed -i "/^# *$CONFIG_PARAM=/s/^# *//" .config || echo "Kconfig_style_config error uncommenting $CONFIG_PARAM"
-			#set item = $setting (defaulting to y)
-			sed -i "/^$CONFIG_PARAM/s/=.*/=$setting/" .config || echo "Kconfig_style_config error setting $CONFIG_PARAM=$setting"
-		else
-			#ensure item commented out
-			sed -i "/^$CONFIG_PARAM/s/$CONFIG_PARAM/# $CONFIG_PARAM/" .config || echo "Kconfig_style_config error commenting $CONFIG_PARAM"
-		fi
-}
-
-pkg_setup() {
-	if use ssl ; then
-		if use gnutls && use libressl ; then
-			elog "You have both 'gnutls' and 'libressl' USE flags enabled: defaulting to USE=\"gnutls\""
-		fi
-	else
-		elog "You have 'ssl' USE flag disabled: defaulting to internal TLS implementation"
-	fi
-}
-
-src_prepare() {
-	default
-
-	# net/bpf.h needed for net-libs/libpcap on Gentoo/FreeBSD
-	sed -i \
-		-e "s:\(#include <pcap\.h>\):#include <net/bpf.h>\n\1:" \
-		../src/l2_packet/l2_packet_freebsd.c || die
-
-	# People seem to take the example configuration file too literally (bug #102361)
-	sed -i \
-		-e "s:^\(opensc_engine_path\):#\1:" \
-		-e "s:^\(pkcs11_engine_path\):#\1:" \
-		-e "s:^\(pkcs11_module_path\):#\1:" \
-		wpa_supplicant.conf || die
-
-	# Change configuration to match Gentoo locations (bug #143750)
-	sed -i \
-		-e "s:/usr/lib/opensc:/usr/$(get_libdir):" \
-		-e "s:/usr/lib/pkcs11:/usr/$(get_libdir):" \
-		wpa_supplicant.conf || die
-
-	# systemd entries to D-Bus service files (bug #372877)
-	echo 'SystemdService=wpa_supplicant.service' \
-		| tee -a dbus/*.service >/dev/null || die
-
-	cd "${WORKDIR}/${P}" || die
-
-	if use wimax; then
-		# generate-libeap-peer.patch comes before
-		# fix-undefined-reference-to-random_get_bytes.patch
-		eapply "${FILESDIR}/${P}-generate-libeap-peer.patch"
-
-		# multilib-strict fix (bug #373685)
-		sed -e "s/\/usr\/lib/\/usr\/$(get_libdir)/" -i src/eap_peer/Makefile || die
-	fi
-
-	# bug (320097)
-	eapply "${FILESDIR}/${P}-do-not-call-dbus-functions-with-NULL-path.patch"
-
-	# bug (596332)
-	eapply "${FILESDIR}/${P}-libressl.patch"
-
-	# https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
-	eapply "${FILESDIR}/2017-1/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch"
-	eapply "${FILESDIR}/2017-1/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch"
-	eapply "${FILESDIR}/2017-1/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch"
-	eapply "${FILESDIR}/2017-1/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch"
-	eapply "${FILESDIR}/2017-1/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch"
-	eapply "${FILESDIR}/2017-1/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch"
-	eapply "${FILESDIR}/2017-1/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch"
-	eapply "${FILESDIR}/2017-1/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch"
-}
-
-src_configure() {
-	# Toolchain setup
-	tc-export CC
-
-	cp defconfig .config || die
-
-	# Basic setup
-	Kconfig_style_config CTRL_IFACE
-	Kconfig_style_config MATCH_IFACE
-	Kconfig_style_config BACKEND file
-	Kconfig_style_config IBSS_RSN
-	Kconfig_style_config IEEE80211W
-	Kconfig_style_config IEEE80211R
-
-	# Basic authentication methods
-	# NOTE: we don't set GPSK or SAKE as they conflict
-	# with the below options
-	Kconfig_style_config EAP_GTC
-	Kconfig_style_config EAP_MD5
-	Kconfig_style_config EAP_OTP
-	Kconfig_style_config EAP_PAX
-	Kconfig_style_config EAP_PSK
-	Kconfig_style_config EAP_TLV
-	Kconfig_style_config EAP_EXE
-	Kconfig_style_config IEEE8021X_EAPOL
-	Kconfig_style_config PKCS12
-	Kconfig_style_config PEERKEY
-	Kconfig_style_config EAP_LEAP
-	Kconfig_style_config EAP_MSCHAPV2
-	Kconfig_style_config EAP_PEAP
-	Kconfig_style_config EAP_TLS
-	Kconfig_style_config EAP_TTLS
-
-	# Enabling background scanning.
-	Kconfig_style_config BGSCAN_SIMPLE
-	Kconfig_style_config BGSCAN_LEARN
-
-	# Enabling mesh networks.
-	Kconfig_style_config MESH
-
-	if use dbus ; then
-		Kconfig_style_config CTRL_IFACE_DBUS
-		Kconfig_style_config CTRL_IFACE_DBUS_NEW
-		Kconfig_style_config CTRL_IFACE_DBUS_INTRO
-	fi
-
-	# Enable support for writing debug info to a log file and syslog.
-	Kconfig_style_config DEBUG_FILE
-	Kconfig_style_config DEBUG_SYSLOG
-
-	if use hs2-0 ; then
-		Kconfig_style_config INTERWORKING
-		Kconfig_style_config HS20
-	fi
-
-	if use uncommon-eap-types; then
-		Kconfig_style_config EAP_GPSK
-		Kconfig_style_config EAP_SAKE
-		Kconfig_style_config EAP_GPSK_SHA256
-		Kconfig_style_config EAP_IKEV2
-		Kconfig_style_config EAP_EKE
-	fi
-
-	if use eap-sim ; then
-		# Smart card authentication
-		Kconfig_style_config EAP_SIM
-		Kconfig_style_config EAP_AKA
-		Kconfig_style_config EAP_AKA_PRIME
-		Kconfig_style_config PCSC
-	fi
-
-	if use fasteap ; then
-		Kconfig_style_config EAP_FAST
-	fi
-
-	if use readline ; then
-		# readline/history support for wpa_cli
-		Kconfig_style_config READLINE
-	else
-		#internal line edit mode for wpa_cli
-		Kconfig_style_config WPA_CLI_EDIT
-	fi
-
-	# SSL authentication methods
-	if use ssl ; then
-		if use gnutls ; then
-			Kconfig_style_config TLS gnutls
-			Kconfig_style_config GNUTLS_EXTRA
-		else
-			Kconfig_style_config TLS openssl
-		fi
-	else
-		Kconfig_style_config TLS internal
-	fi
-
-	if use smartcard ; then
-		Kconfig_style_config SMARTCARD
-	fi
-
-	if use tdls ; then
-		Kconfig_style_config TDLS
-	fi
-
-	if use kernel_linux ; then
-		# Linux specific drivers
-		Kconfig_style_config DRIVER_ATMEL
-		Kconfig_style_config DRIVER_HOSTAP
-		Kconfig_style_config DRIVER_IPW
-		Kconfig_style_config DRIVER_NL80211
-		Kconfig_style_config DRIVER_RALINK
-		Kconfig_style_config DRIVER_WEXT
-		Kconfig_style_config DRIVER_WIRED
-
-		if use ps3 ; then
-			Kconfig_style_config DRIVER_PS3
-		fi
-
-	elif use kernel_FreeBSD ; then
-		# FreeBSD specific driver
-		Kconfig_style_config DRIVER_BSD
-	fi
-
-	# Wi-Fi Protected Setup (WPS)
-	if use wps ; then
-		Kconfig_style_config WPS
-		Kconfig_style_config WPS2
-		# USB Flash Drive
-		Kconfig_style_config WPS_UFD
-		# External Registrar
-		Kconfig_style_config WPS_ER
-		# Universal Plug'n'Play
-		Kconfig_style_config WPS_UPNP
-		# Near Field Communication
-		Kconfig_style_config WPS_NFC
-	fi
-
-	# Wi-Fi Direct (WiDi)
-	if use p2p ; then
-		Kconfig_style_config P2P
-		Kconfig_style_config WIFI_DISPLAY
-	fi
-
-	# Access Point Mode
-	if use ap ; then
-		Kconfig_style_config AP
-	fi
-
-	# Enable mitigation against certain attacks against TKIP
-	Kconfig_style_config DELAYED_MIC_ERROR_REPORT
-
-	# If we are using libnl 2.0 and above, enable support for it
-	# Bug 382159
-	# Removed for now, since the 3.2 version is broken, and we don't
-	# support it.
-	if has_version ">=dev-libs/libnl-3.2"; then
-		Kconfig_style_config LIBNL32
-	fi
-
-	if use qt5 ; then
-		pushd "${S}"/wpa_gui-qt4 > /dev/null || die
-		eqmake5 wpa_gui.pro
-		popd > /dev/null || die
-	fi
-}
-
-src_compile() {
-	einfo "Building wpa_supplicant"
-	emake V=1 BINDIR=/usr/sbin
-
-	if use wimax; then
-		emake -C ../src/eap_peer clean
-		emake -C ../src/eap_peer
-	fi
-
-	if use qt5; then
-		einfo "Building wpa_gui"
-		emake -C "${S}"/wpa_gui-qt4
-	fi
-}
-
-src_install() {
-	dosbin wpa_supplicant
-	dobin wpa_cli wpa_passphrase
-
-	# baselayout-1 compat
-	if has_version "<sys-apps/baselayout-2.0.0"; then
-		dodir /sbin
-		dosym ../usr/sbin/wpa_supplicant /sbin/wpa_supplicant
-		dodir /bin
-		dosym ../usr/bin/wpa_cli /bin/wpa_cli
-	fi
-
-	if has_version ">=sys-apps/openrc-0.5.0"; then
-		newinitd "${FILESDIR}/${PN}-init.d" wpa_supplicant
-		newconfd "${FILESDIR}/${PN}-conf.d" wpa_supplicant
-	fi
-
-	exeinto /etc/wpa_supplicant/
-	newexe "${FILESDIR}/wpa_cli.sh" wpa_cli.sh
-
-	readme.gentoo_create_doc
-	dodoc ChangeLog {eap_testing,todo}.txt README{,-WPS} \
-		wpa_supplicant.conf
-
-	newdoc .config build-config
-
-	doman doc/docbook/*.{5,8}
-
-	if use qt5 ; then
-		into /usr
-		dobin wpa_gui-qt4/wpa_gui
-		doicon wpa_gui-qt4/icons/wpa_gui.svg
-		make_desktop_entry wpa_gui "WPA Supplicant Administration GUI" "wpa_gui" "Qt;Network;"
-	fi
-
-	use wimax && emake DESTDIR="${D}" -C ../src/eap_peer install
-
-	if use dbus ; then
-		pushd "${S}"/dbus > /dev/null || die
-		insinto /etc/dbus-1/system.d
-		newins dbus-wpa_supplicant.conf wpa_supplicant.conf
-		insinto /usr/share/dbus-1/system-services
-		doins fi.epitest.hostap.WPASupplicant.service fi.w1.wpa_supplicant1.service
-		popd > /dev/null || die
-
-		# This unit relies on dbus support, bug 538600.
-		systemd_dounit systemd/wpa_supplicant.service
-	fi
-
-	systemd_dounit "systemd/wpa_supplicant@.service"
-	systemd_dounit "systemd/wpa_supplicant-nl80211@.service"
-	systemd_dounit "systemd/wpa_supplicant-wired@.service"
-}
-
-pkg_postinst() {
-	readme.gentoo_print_elog
-
-	if [[ -e "${EROOT%/}"/etc/wpa_supplicant.conf ]] ; then
-		echo
-		ewarn "WARNING: your old configuration file ${EROOT%/}/etc/wpa_supplicant.conf"
-		ewarn "needs to be moved to ${EROOT%/}/etc/wpa_supplicant/wpa_supplicant.conf"
-	fi
-
-	# Mea culpa, feel free to remove that after some time --mgorny.
-	local fn
-	for fn in wpa_supplicant{,@wlan0}.service; do
-		if [[ -e "${EROOT%/}"/etc/systemd/system/network.target.wants/${fn} ]]
-		then
-			ebegin "Moving ${fn} to multi-user.target"
-			mv "${EROOT%/}"/etc/systemd/system/network.target.wants/${fn} \
-				"${EROOT%/}"/etc/systemd/system/multi-user.target.wants/ || die
-			eend ${?} \
-				"Please try to re-enable ${fn}"
-		fi
-	done
-
-	systemd_reenable wpa_supplicant.service
-}
diff --git a/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r5.ebuild b/net-wireless/wpa_supplicant/wpa_supplicant-2.7.ebuild
index db98a23c929a..12a69aa090d4 100644
--- a/net-wireless/wpa_supplicant/wpa_supplicant-2.6-r5.ebuild
+++ b/net-wireless/wpa_supplicant/wpa_supplicant-2.7.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2018 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=6
@@ -7,12 +7,19 @@ inherit eutils qmake-utils systemd toolchain-funcs readme.gentoo-r1
 
 DESCRIPTION="IEEE 802.1X/WPA supplicant for secure wireless transfers"
 HOMEPAGE="https://w1.fi/wpa_supplicant/"
-SRC_URI="https://w1.fi/releases/${P}.tar.gz"
 LICENSE="|| ( GPL-2 BSD )"
 
+if [ "${PV}" = "9999" ]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://w1.fi/hostap.git"
+	KEYWORDS=""
+else
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd"
+	SRC_URI="https://w1.fi/releases/${P}.tar.gz"
+fi
+
 SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd"
-IUSE="ap dbus eap-sim eapol_test fasteap gnutls +hs2-0 libressl p2p privsep ps3 qt5 readline selinux smartcard ssl tdls uncommon-eap-types wimax wps kernel_linux kernel_FreeBSD"
+IUSE="ap bindist dbus eap-sim eapol_test fasteap gnutls +hs2-0 libressl p2p privsep ps3 qt5 readline selinux smartcard ssl suiteb tdls uncommon-eap-types wimax wps kernel_linux kernel_FreeBSD"
 REQUIRED_USE="smartcard? ( ssl )"
 
 CDEPEND="dbus? ( sys-apps/dbus )
@@ -38,7 +45,7 @@ CDEPEND="dbus? ( sys-apps/dbus )
 			net-libs/gnutls:=
 		)
 		!gnutls? (
-			!libressl? ( >=dev-libs/openssl-1.0.2k:0= )
+			!libressl? ( >=dev-libs/openssl-1.0.2k:0=[bindist=] )
 			libressl? ( dev-libs/libressl:0= )
 		)
 	)
@@ -128,20 +135,10 @@ src_prepare() {
 	fi
 
 	# bug (320097)
-	eapply "${FILESDIR}/${P}-do-not-call-dbus-functions-with-NULL-path.patch"
-
-	# bug (596332)
-	eapply "${FILESDIR}/${P}-libressl.patch"
+	eapply "${FILESDIR}/${PN}-2.6-do-not-call-dbus-functions-with-NULL-path.patch"
 
-	# https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
-	eapply "${FILESDIR}/2017-1/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch"
-	eapply "${FILESDIR}/2017-1/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch"
-	eapply "${FILESDIR}/2017-1/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch"
-	eapply "${FILESDIR}/2017-1/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch"
-	eapply "${FILESDIR}/2017-1/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch"
-	eapply "${FILESDIR}/2017-1/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch"
-	eapply "${FILESDIR}/2017-1/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch"
-	eapply "${FILESDIR}/2017-1/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch"
+	# fix undefined reference to remove_ie()
+	eapply "${FILESDIR}/${P}-fix-undefined-remove-ie.patch"
 
 	# bug (640492)
 	sed -i 's#-Werror ##' wpa_supplicant/Makefile || die
@@ -231,17 +228,31 @@ src_configure() {
 		Kconfig_style_config WPA_CLI_EDIT
 	fi
 
+	if use suiteb; then
+		Kconfig_style_config SUITEB
+	fi
+
 	# SSL authentication methods
 	if use ssl ; then
 		if use gnutls ; then
 			Kconfig_style_config TLS gnutls
 			Kconfig_style_config GNUTLS_EXTRA
 		else
+			#this fails for gnutls
+			Kconfig_style_config SUITEB192
 			Kconfig_style_config TLS openssl
-			Kconfig_style_config EAP_PWD
+			if ! use bindist; then
+			  #this fails for gnutls
+			  Kconfig_style_config EAP_PWD
+			  # SAE fails on gnutls and everything below here needs SAE
+			  # Enabling mesh networks.
+			  Kconfig_style_config MESH
+			  #WPA3
+			  Kconfig_style_config OWE
+			  Kconfig_style_config SAE
+			  #we also need to disable FILS, except that isn't enabled yet
+			fi
 
-			# Enabling mesh networks.
-			Kconfig_style_config MESH
 		fi
 	else
 		Kconfig_style_config TLS internal
@@ -376,7 +387,9 @@ src_install() {
 
 	newdoc .config build-config
 
-	doman doc/docbook/*.{5,8}
+	if [ "${PV}" != "9999" ]; then
+		doman doc/docbook/*.{5,8}
+	fi
 
 	if use qt5 ; then
 		into /usr
@@ -419,6 +432,13 @@ pkg_postinst() {
 		ewarn "needs to be moved to ${EROOT%/}/etc/wpa_supplicant/wpa_supplicant.conf"
 	fi
 
+	if use bindist || use gnutls; then
+		if ! use libressl; then
+			ewarn "Using bindist or gnutls use flags presently breaks WPA3 (specifically SAE and OWE)."
+			ewarn "This is incredibly undesirable"
+		fi
+	fi
+
 	# Mea culpa, feel free to remove that after some time --mgorny.
 	local fn
 	for fn in wpa_supplicant{,@wlan0}.service; do
diff --git a/net-wireless/wpa_supplicant/wpa_supplicant-9999.ebuild b/net-wireless/wpa_supplicant/wpa_supplicant-9999.ebuild
index 5c5676770af4..df34e7baa75c 100644
--- a/net-wireless/wpa_supplicant/wpa_supplicant-9999.ebuild
+++ b/net-wireless/wpa_supplicant/wpa_supplicant-9999.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2018 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=6
@@ -135,10 +135,7 @@ src_prepare() {
 	fi
 
 	# bug (320097)
-	#eapply "${FILESDIR}/${P}-do-not-call-dbus-functions-with-NULL-path.patch"
-
-	# bug (596332 & 651314)
-	#eapply "${FILESDIR}/${P}-libressl-compatibility.patch"
+	eapply "${FILESDIR}/${PN}-2.6-do-not-call-dbus-functions-with-NULL-path.patch"
 
 	# bug (640492)
 	sed -i 's#-Werror ##' wpa_supplicant/Makefile || die
@@ -387,7 +384,9 @@ src_install() {
 
 	newdoc .config build-config
 
-	#doman doc/docbook/*.{5,8}
+	if [ "${PV}" != "9999" ]; then
+		doman doc/docbook/*.{5,8}
+	fi
 
 	if use qt5 ; then
 		into /usr