6 files changed, 581 insertions, 1 deletions
diff --git a/net-wireless/Manifest.gz b/net-wireless/Manifest.gz
index 12e67a5bf5c4..45c8f3a5b303 100644
--- a/net-wireless/Manifest.gz
+++ b/net-wireless/Manifest.gz
diff --git a/net-wireless/wpa_supplicant/Manifest b/net-wireless/wpa_supplicant/Manifest
index 20c6ca112df6..eafb88fe8241 100644
--- a/net-wireless/wpa_supplicant/Manifest
+++ b/net-wireless/wpa_supplicant/Manifest
@@ -1,4 +1,6 @@
 AUX wpa_cli.sh 1284 BLAKE2B 50757aa432bf714923d0ff5e2e8357bf3126c82dcfebbc2c342325ad97e3ca95a15ea138f9a55e5a7b9ac86cb2518c173e7d5186d5feb3e57ac762a71b11ef85 SHA512 250372231eda6f7228fcf76b13fc1b95637d0d9dec96b7bef820bfa1af1496f218909f521daf2ddb2ca81d0ebb3162500f833575b64d8d2b4820c247499e1c56
+AUX wpa_supplicant-2.10-Drop-security-level-to-0-with-OpenSSL-3.0-wh.patch 2386 BLAKE2B cd4db56d476e4bde8d4343c6d2f20bad644d9794184f55313c3d5a9ea04392b0173791335476cadc3bafec8d588e29be971e573b27fd975280a059f0bf22c63c SHA512 d1f7e17dd1f6e9974825f26e549c194a450190191320251e5158432d88795a502ff4d06014af43c75338c9c7b0540f13f1fdf1173bec78ce78e681388bbd04d0
+AUX wpa_supplicant-2.10-allow-legacy-renegotiation.patch 1172 BLAKE2B 90af7a43418babd981d6d092c77852ff515b187ce05a3dce6497710582ddefa5d3103ddbf1f0e2481fa102cfb9d28e775646601f139ad61633f3cfc74554dbdc SHA512 afbb89ef8248b8e32a4f537092f8255f3c17fa6281811c25cfc6dec6bae69a4fda9e65a69dae2034a4d3e8e29ecf67b867604c80fd9726cb8f26a059c3bfe8a0
 AUX wpa_supplicant-2.6-do-not-call-dbus-functions-with-NULL-path.patch 486 BLAKE2B 877e15a45851331a1499cf8bc96fd514d88b6b270f54d52760e46cc7edbcc4b74a48a0271f0c93b546bb659203c56fdfba63b231757c21ca8ee6ade98406ac2e SHA512 dac56bc505a51167042ebe548f0e81a20a5578f753af9bb7ec3335a542d799c6e8739681ef7c8f7747a9bc954f8aa6f1a147250eacba17fd7fff80c4e53638ed
 AUX wpa_supplicant-conf.d 291 BLAKE2B 348e7d21fe01d2fdd2117adf22444557fa3d401f649489afd1636105cdddc29d58d45659c5368cc177f919ce94a7e2b5a9ed3fe8ddccd1fba3d059d270bae1a8 SHA512 6bbb9d4f6132b3d4e20cd65f27245ccadd60712ef5794261499f882057a930a393297e491d8147e04e30c0a53645af0eb3514332587118c19b5594f23f1d62ad
 AUX wpa_supplicant-init.d 1250 BLAKE2B 159ebbd5a3552cbd8fdd6d48984c3a511e77cf1e140f56fc1d3e6b16454351a270e566dd7fc4717b92251193bdf59a77f57fc3fdd1d53b067f2e5253796c041b SHA512 f7439937a11d7a91eee98ab9e16a4853ce8e27395970007ae60ca9a8b1852fadc4a37ee0bf81d7e4806c545f70b139f26942ed1630db070abe8fe8e5ce752403
@@ -6,5 +8,6 @@ AUX wpa_supplicant.conf 183 BLAKE2B ea25d56f366783548b8d4bc14615d89d1c9cff1e6535
 DIST wpa_supplicant-2.10.tar.gz 3511622 BLAKE2B 7f6045e5dcf24f7ccf1ea75c99541f9d68fadaea858a6ca11a95c997de14e33b3aa89138e748664579b5a4ea493d247cf6613da3c5fae49a4dbb5cd58dace752 SHA512 021c2a48f45d39c1dc6557730be5debaee071bc0ff82a271638beee6e32314e353e49d39e2f0dc8dff6e094dcc7008cfe1c32d0c7a34a1a345a12a3f1c1e11a1
 EBUILD wpa_supplicant-2.10-r1.ebuild 13515 BLAKE2B 71a0a18099f6e233e0a73d50266b36839ab4608782712e31aeb326961b01e29f3f5ffddd699ce1cc205ca5bfddf5456f1ce2376fb1c4dc9fc5054607ab9f04bf SHA512 d669c9b3cfa9b2914e54ac70ad068a3959c282b5d64372d72036f2d88afaee4580ed9905bdd89202e072e86e1f7cce1382435496c7b7d1b44c5b5de222169a93
 EBUILD wpa_supplicant-2.10-r2.ebuild 12514 BLAKE2B 43059454cffd29b4ffde61630b5bfd3c93d7c8f83035f9a0e53af65d9082cbb9eb2122884de1f61933ca11c28600639b0c5e2820db60ddd54c1d00fe21dfe67e SHA512 458c449bf9259bbfd0e68070595e817a9b8261680d46c9216f5ab8c7ea19bc1f6834b084e29c6c4de589ea38dc7521aaee45d50404d2350129fb42a82c407de7
-EBUILD wpa_supplicant-9999.ebuild 12514 BLAKE2B 43059454cffd29b4ffde61630b5bfd3c93d7c8f83035f9a0e53af65d9082cbb9eb2122884de1f61933ca11c28600639b0c5e2820db60ddd54c1d00fe21dfe67e SHA512 458c449bf9259bbfd0e68070595e817a9b8261680d46c9216f5ab8c7ea19bc1f6834b084e29c6c4de589ea38dc7521aaee45d50404d2350129fb42a82c407de7
+EBUILD wpa_supplicant-2.10-r3.ebuild 12675 BLAKE2B 8a68ced13efab858cb891cc4c07964bfa51058699dae870773a7a4d6412bce3ad800a819b13bbe241b384a76239aac56b7bef444c59e7ac427e0980079da085c SHA512 463b23a283a232fd6efd4d1d27dab37d6cb2d13a07b2d3859bc5af01370e9bda5deb16ca310f37dd4b3dde56860abe73aea58f4dbecb9a903b9589986cc41082
+EBUILD wpa_supplicant-9999.ebuild 12597 BLAKE2B 83a4c416930a1a302a4bff751135a762eba1c022d9124cb844ab622a8fb79e2864ab6c221aa3a601eb05aeb158d3a4ddbdd7954300061bc812b027c2e4cd44b1 SHA512 d234545752a2179843632fda855b8f55eb2a999ec4c707adb0f01c739e6bf553f86afe37e99a9169ec7371187739edfa518328571a36216fc0bb7cedaba6560e
 MISC metadata.xml 2009 BLAKE2B 1325c2f5c246bd9c4760b31d5a3cd65519aada177f10fb8df4cbb591dce85e69dcf2033cad88be8e96205721d6c0523e061af0dc281afcea3b625815fb1716fe SHA512 91a69ae5aeebcc5dc5f3f121d007ba6efc61d8025023e0dcad030918af83294622ae72e93db70c835da8ae2ab77de3aab29c7e4ad890471243992b1db490376c
diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.10-Drop-security-level-to-0-with-OpenSSL-3.0-wh.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.10-Drop-security-level-to-0-with-OpenSSL-3.0-wh.patch
new file mode 100644
index 000000000000..18f879c9f39f
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.10-Drop-security-level-to-0-with-OpenSSL-3.0-wh.patch
@@ -0,0 +1,57 @@
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 22 May 2022 17:01:35 +0300
+Subject: OpenSSL: Drop security level to 0 with OpenSSL 3.0 when using TLS 1.0/1.1
+
+Commit 9afb68b03976 ("OpenSSL: Allow systemwide secpolicy overrides for
+TLS version") with commit 58bbcfa31b18 ("OpenSSL: Update security level
+drop for TLS 1.0/1.1 with OpenSSL 3.0") allow this workaround to be
+enabled with an explicit network configuration parameter. However, the
+default settings are still allowing TLS 1.0 and 1.1 to be negotiated
+just to see them fail immediately when using OpenSSL 3.0. This is not
+exactly helpful especially when the OpenSSL error message for this
+particular case is "internal error" which does not really say anything
+about the reason for the error.
+
+It is is a bit inconvenient to update the security policy for this
+particular issue based on the negotiated TLS version since that happens
+in the middle of processing for the first message from the server.
+However, this can be done by using the debug callback for printing out
+the received TLS messages during processing.
+
+Drop the OpenSSL security level to 0 if that is the only option to
+continue the TLS negotiation, i.e., when TLS 1.0/1.1 are still allowed
+in wpa_supplicant default configuration and OpenSSL 3.0 with the
+constraint on MD5-SHA1 use.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+Bug-Debian: https://bugs.debian.org/1011121
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1958267
+Origin: upstream, commit:bc99366f9b960150aa2e369048bbc2218c1d414e
+---
+ src/crypto/tls_openssl.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 6602ac64f591..78621d926dab 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -1557,6 +1557,15 @@ static void tls_msg_cb(int write_p, int version, int content_type,
+ 	struct tls_connection *conn = arg;
+ 	const u8 *pos = buf;
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++	if ((SSL_version(ssl) == TLS1_VERSION ||
++	     SSL_version(ssl) == TLS1_1_VERSION) &&
++	    SSL_get_security_level(ssl) > 0) {
++		wpa_printf(MSG_DEBUG,
++			   "OpenSSL: Drop security level to 0 to allow TLS 1.0/1.1 use of MD5-SHA1 signature algorithm");
++		SSL_set_security_level(ssl, 0);
++	}
++#endif /* OpenSSL version >= 3.0 */
+ 	if (write_p == 2) {
+ 		wpa_printf(MSG_DEBUG,
+ 			   "OpenSSL: session ver=0x%x content_type=%d",
+-- 
+2.39.0
+
diff --git a/net-wireless/wpa_supplicant/files/wpa_supplicant-2.10-allow-legacy-renegotiation.patch b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.10-allow-legacy-renegotiation.patch
new file mode 100644
index 000000000000..574973fe6fe5
--- /dev/null
+++ b/net-wireless/wpa_supplicant/files/wpa_supplicant-2.10-allow-legacy-renegotiation.patch
@@ -0,0 +1,30 @@
+From: James Ralston <ralston@pobox.com>
+Date: Sun, 1 May 2022 16:15:23 -0700
+Subject: Allow legacy renegotiation to fix PEAP issues with some servers
+
+Upstream: http://lists.infradead.org/pipermail/hostap/2022-May/040511.html
+---
+ src/crypto/tls_openssl.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
+index 273e5cb..ad3aa1a 100644
+--- a/src/crypto/tls_openssl.c
++++ b/src/crypto/tls_openssl.c
+@@ -1056,6 +1056,16 @@ void * tls_init(const struct tls_config *conf)
+ 	SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv2);
+ 	SSL_CTX_set_options(ssl, SSL_OP_NO_SSLv3);
+ 
++	/* Many enterprise PEAP server implementations (e.g. used in large
++	 corporations and universities) do not support RFC5746 secure
++	 renegotiation, and starting with OpenSSL 3.0,
++	 SSL_OP_LEGACY_SERVER_CONNECT is no longer set as part of SSL_OP_ALL.
++	 So until we implement a way to request SSL_OP_LEGACY_SERVER_CONNECT
++	 only in EAP peer mode, just set SSL_OP_LEGACY_SERVER_CONNECT
++	 globally. */
++
++	SSL_CTX_set_options(ssl, SSL_OP_LEGACY_SERVER_CONNECT);
++
+ 	SSL_CTX_set_mode(ssl, SSL_MODE_AUTO_RETRY);
+ 
+ #ifdef SSL_MODE_NO_AUTO_CHAIN
diff --git a/net-wireless/wpa_supplicant/wpa_supplicant-2.10-r3.ebuild b/net-wireless/wpa_supplicant/wpa_supplicant-2.10-r3.ebuild
new file mode 100644
index 000000000000..d04e2429d769
--- /dev/null
+++ b/net-wireless/wpa_supplicant/wpa_supplicant-2.10-r3.ebuild
@@ -0,0 +1,487 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit desktop linux-info qmake-utils readme.gentoo-r1 systemd toolchain-funcs
+
+DESCRIPTION="IEEE 802.1X/WPA supplicant for secure wireless transfers"
+HOMEPAGE="https://w1.fi/wpa_supplicant/"
+LICENSE="|| ( GPL-2 BSD )"
+
+if [ "${PV}" = "9999" ]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://w1.fi/hostap.git"
+else
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+	SRC_URI="https://w1.fi/releases/${P}.tar.gz"
+fi
+
+SLOT="0"
+IUSE="ap broadcom-sta dbus eap-sim eapol-test fasteap +fils +hs2-0 macsec +mbo +mesh p2p privsep ps3 qt5 readline selinux smartcard tdls tkip uncommon-eap-types wep wimax wps"
+
+# CONFIG_PRIVSEP=y does not have sufficient support for the new driver
+# interface functions used for MACsec, so this combination cannot be used
+# at least for now. bug #684442
+REQUIRED_USE="
+	macsec? ( !privsep )
+	privsep? ( !macsec )
+	broadcom-sta? ( !fils !mesh !mbo )
+"
+
+DEPEND="
+	>=dev-libs/openssl-1.0.2k:=
+	dbus? ( sys-apps/dbus )
+	kernel_linux? (
+		>=dev-libs/libnl-3.2:3
+		eap-sim? ( sys-apps/pcsc-lite )
+	)
+	!kernel_linux? ( net-libs/libpcap )
+	qt5? (
+		dev-qt/qtcore:5
+		dev-qt/qtgui:5
+		dev-qt/qtsvg:5
+		dev-qt/qtwidgets:5
+	)
+	readline? (
+		sys-libs/ncurses:0=
+		sys-libs/readline:0=
+	)
+"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-networkmanager )
+	kernel_linux? (
+		net-wireless/wireless-regdb
+	)
+"
+BDEPEND="virtual/pkgconfig"
+
+DOC_CONTENTS="
+	If this is a clean installation of wpa_supplicant, you
+	have to create a configuration file named
+	${EROOT}/etc/wpa_supplicant/wpa_supplicant.conf
+	An example configuration file is available for reference in
+	${EROOT}/usr/share/doc/${PF}/
+"
+
+S="${WORKDIR}/${P}/${PN}"
+
+Kconfig_style_config() {
+		#param 1 is CONFIG_* item
+		#param 2 is what to set it = to, defaulting in y
+		CONFIG_PARAM="${CONFIG_HEADER:-CONFIG_}$1"
+		setting="${2:-y}"
+
+		if [ ! $setting = n ]; then
+			#first remove any leading "# " if $2 is not n
+			sed -i "/^# *$CONFIG_PARAM=/s/^# *//" .config || echo "Kconfig_style_config error uncommenting $CONFIG_PARAM"
+			#set item = $setting (defaulting to y)
+			if ! sed -i "/^$CONFIG_PARAM\>/s/=.*/=$setting/" .config; then
+				echo "Kconfig_style_config error setting $CONFIG_PARAM=$setting"
+			fi
+			if [ -z "$( grep ^$CONFIG_PARAM= .config )" ] ; then
+				echo "$CONFIG_PARAM=$setting" >>.config
+			fi
+		else
+			#ensure item commented out
+			if ! sed -i "/^$CONFIG_PARAM\>/s/$CONFIG_PARAM/# $CONFIG_PARAM/" .config; then
+				echo "Kconfig_style_config error commenting $CONFIG_PARAM"
+			fi
+		fi
+}
+
+src_prepare() {
+	default
+
+	# net/bpf.h needed for net-libs/libpcap on Gentoo/FreeBSD
+	sed -i \
+		-e "s:\(#include <pcap\.h>\):#include <net/bpf.h>\n\1:" \
+		../src/l2_packet/l2_packet_freebsd.c || die
+
+	# Change configuration to match Gentoo locations (bug #143750)
+	sed -i \
+		-e "s:/usr/lib/opensc:/usr/$(get_libdir):" \
+		-e "s:/usr/lib/pkcs11:/usr/$(get_libdir):" \
+		wpa_supplicant.conf || die
+
+	# systemd entries to D-Bus service files (bug #372877)
+	echo 'SystemdService=wpa_supplicant.service' \
+		| tee -a dbus/*.service >/dev/null || die
+
+	cd "${WORKDIR}/${P}" || die
+
+	if use wimax; then
+		# generate-libeap-peer.patch comes before
+		# fix-undefined-reference-to-random_get_bytes.patch
+		eapply "${FILESDIR}/${P}-generate-libeap-peer.patch"
+
+		# multilib-strict fix (bug #373685)
+		sed -e "s/\/usr\/lib/\/usr\/$(get_libdir)/" -i src/eap_peer/Makefile || die
+	fi
+
+	# bug (320097)
+	eapply "${FILESDIR}/${PN}-2.6-do-not-call-dbus-functions-with-NULL-path.patch"
+
+	# bug (912315)
+	eapply "${FILESDIR}/${PN}-2.10-allow-legacy-renegotiation.patch"
+	eapply "${FILESDIR}/${P}-Drop-security-level-to-0-with-OpenSSL-3.0-wh.patch"
+
+	# bug (640492)
+	sed -i 's#-Werror ##' wpa_supplicant/Makefile || die
+}
+
+src_configure() {
+	# Toolchain setup
+	tc-export CC PKG_CONFIG
+
+	cp defconfig .config || die
+
+	# Basic setup
+	Kconfig_style_config CTRL_IFACE
+	Kconfig_style_config MATCH_IFACE
+	Kconfig_style_config BACKEND file
+	Kconfig_style_config IBSS_RSN
+	Kconfig_style_config IEEE80211W
+	Kconfig_style_config IEEE80211R
+	Kconfig_style_config HT_OVERRIDES
+	Kconfig_style_config VHT_OVERRIDES
+	Kconfig_style_config OCV
+	Kconfig_style_config TLSV11
+	Kconfig_style_config TLSV12
+	Kconfig_style_config GETRANDOM
+
+	# Basic authentication methods
+	# NOTE: we don't set GPSK or SAKE as they conflict
+	# with the below options
+	Kconfig_style_config EAP_GTC
+	Kconfig_style_config EAP_MD5
+	Kconfig_style_config EAP_OTP
+	Kconfig_style_config EAP_PAX
+	Kconfig_style_config EAP_PSK
+	Kconfig_style_config EAP_TLV
+	Kconfig_style_config EAP_EXE
+	Kconfig_style_config IEEE8021X_EAPOL
+	Kconfig_style_config PKCS12
+	Kconfig_style_config PEERKEY
+	Kconfig_style_config EAP_LEAP
+	Kconfig_style_config EAP_MSCHAPV2
+	Kconfig_style_config EAP_PEAP
+	Kconfig_style_config EAP_TEAP
+	Kconfig_style_config EAP_TLS
+	Kconfig_style_config EAP_TTLS
+
+	# Enabling background scanning.
+	Kconfig_style_config BGSCAN_SIMPLE
+	Kconfig_style_config BGSCAN_LEARN
+
+	if use dbus ; then
+		Kconfig_style_config CTRL_IFACE_DBUS
+		Kconfig_style_config CTRL_IFACE_DBUS_NEW
+		Kconfig_style_config CTRL_IFACE_DBUS_INTRO
+	else
+		Kconfig_style_config CTRL_IFACE_DBUS n
+		Kconfig_style_config CTRL_IFACE_DBUS_NEW n
+		Kconfig_style_config CTRL_IFACE_DBUS_INTRO n
+	fi
+
+	if use eapol-test ; then
+		Kconfig_style_config EAPOL_TEST
+	fi
+
+	# Enable support for writing debug info to a log file and syslog.
+	Kconfig_style_config DEBUG_FILE
+	Kconfig_style_config DEBUG_SYSLOG
+
+	if use hs2-0 ; then
+		Kconfig_style_config INTERWORKING
+		Kconfig_style_config HS20
+	fi
+
+	if use mbo ; then
+		Kconfig_style_config MBO
+	else
+		Kconfig_style_config MBO n
+	fi
+
+	if use uncommon-eap-types; then
+		Kconfig_style_config EAP_GPSK
+		Kconfig_style_config EAP_SAKE
+		Kconfig_style_config EAP_GPSK_SHA256
+		Kconfig_style_config EAP_IKEV2
+		Kconfig_style_config EAP_EKE
+	fi
+
+	if use eap-sim ; then
+		# Smart card authentication
+		Kconfig_style_config EAP_SIM
+		Kconfig_style_config EAP_AKA
+		Kconfig_style_config EAP_AKA_PRIME
+		Kconfig_style_config PCSC
+	fi
+
+	if use fasteap ; then
+		Kconfig_style_config EAP_FAST
+	fi
+
+	if use readline ; then
+		# readline/history support for wpa_cli
+		Kconfig_style_config READLINE
+	else
+		#internal line edit mode for wpa_cli
+		Kconfig_style_config WPA_CLI_EDIT
+	fi
+
+	Kconfig_style_config TLS openssl
+	Kconfig_style_config FST
+
+	Kconfig_style_config EAP_PWD
+	if use fils; then
+		Kconfig_style_config FILS
+		Kconfig_style_config FILS_SK_PFS
+	fi
+	if use mesh; then
+		Kconfig_style_config MESH
+	else
+		Kconfig_style_config MESH n
+	fi
+	# WPA3
+	Kconfig_style_config OWE
+	Kconfig_style_config SAE
+	Kconfig_style_config DPP
+	Kconfig_style_config DPP2
+	Kconfig_style_config SUITEB192
+	Kconfig_style_config SUITEB
+
+	if use wep ; then
+		Kconfig_style_config WEP
+	else
+		Kconfig_style_config WEP n
+	fi
+
+	# Watch out, reversed logic
+	if use tkip ; then
+		Kconfig_style_config NO_TKIP n
+	else
+		Kconfig_style_config NO_TKIP
+	fi
+
+	if use smartcard ; then
+		Kconfig_style_config SMARTCARD
+	else
+		Kconfig_style_config SMARTCARD n
+	fi
+
+	if use tdls ; then
+		Kconfig_style_config TDLS
+	fi
+
+	if use kernel_linux ; then
+		# Linux specific drivers
+		Kconfig_style_config DRIVER_ATMEL
+		Kconfig_style_config DRIVER_HOSTAP
+		Kconfig_style_config DRIVER_IPW
+		Kconfig_style_config DRIVER_NL80211
+		Kconfig_style_config DRIVER_RALINK
+		Kconfig_style_config DRIVER_WEXT
+		Kconfig_style_config DRIVER_WIRED
+
+		if use macsec ; then
+			#requires something, no idea what
+			#Kconfig_style_config DRIVER_MACSEC_QCA
+			Kconfig_style_config DRIVER_MACSEC_LINUX
+			Kconfig_style_config MACSEC
+		else
+			# bug #831369 and bug #684442
+			Kconfig_style_config DRIVER_MACSEC_LINUX n
+			Kconfig_style_config MACSEC n
+		fi
+
+		if use ps3 ; then
+			Kconfig_style_config DRIVER_PS3
+		fi
+	fi
+
+	# Wi-Fi Protected Setup (WPS)
+	if use wps ; then
+		Kconfig_style_config WPS
+		Kconfig_style_config WPS2
+		# USB Flash Drive
+		Kconfig_style_config WPS_UFD
+		# External Registrar
+		Kconfig_style_config WPS_ER
+		# Universal Plug'n'Play
+		Kconfig_style_config WPS_UPNP
+		# Near Field Communication
+		Kconfig_style_config WPS_NFC
+	else
+		Kconfig_style_config WPS n
+		Kconfig_style_config WPS2 n
+		Kconfig_style_config WPS_UFD n
+		Kconfig_style_config WPS_ER n
+		Kconfig_style_config WPS_UPNP n
+		Kconfig_style_config WPS_NFC n
+	fi
+
+	# Wi-Fi Direct (WiDi)
+	if use p2p ; then
+		Kconfig_style_config P2P
+		Kconfig_style_config WIFI_DISPLAY
+	else
+		Kconfig_style_config P2P n
+		Kconfig_style_config WIFI_DISPLAY n
+	fi
+
+	# Access Point Mode
+	if use ap ; then
+		Kconfig_style_config AP
+	else
+		Kconfig_style_config AP n
+	fi
+
+	# Enable essentials for AP/P2P
+	if use ap || use p2p ; then
+		# Enabling HT support (802.11n)
+		Kconfig_style_config IEEE80211N
+
+		# Enabling VHT support (802.11ac)
+		Kconfig_style_config IEEE80211AC
+	fi
+
+	# Enable mitigation against certain attacks against TKIP
+	Kconfig_style_config DELAYED_MIC_ERROR_REPORT
+
+	if use privsep ; then
+		Kconfig_style_config PRIVSEP
+	fi
+
+	if use kernel_linux ; then
+		Kconfig_style_config LIBNL32
+	fi
+
+	if use qt5 ; then
+		pushd "${S}"/wpa_gui-qt4 > /dev/null || die
+		eqmake5 wpa_gui.pro
+		popd > /dev/null || die
+	fi
+}
+
+src_compile() {
+	einfo "Building wpa_supplicant"
+	emake V=1 BINDIR=/usr/sbin
+
+	if use wimax; then
+		emake -C ../src/eap_peer clean
+		emake -C ../src/eap_peer
+	fi
+
+	if use qt5; then
+		einfo "Building wpa_gui"
+		emake -C "${S}"/wpa_gui-qt4
+	fi
+
+	if use eapol-test ; then
+		emake eapol_test
+	fi
+}
+
+src_install() {
+	dosbin wpa_supplicant
+	use privsep && dosbin wpa_priv
+	dobin wpa_cli wpa_passphrase
+
+	# baselayout-1 compat
+	if has_version "<sys-apps/baselayout-2.0.0"; then
+		dodir /sbin
+		dosym ../usr/sbin/wpa_supplicant /sbin/wpa_supplicant
+		dodir /bin
+		dosym ../usr/bin/wpa_cli /bin/wpa_cli
+	fi
+
+	if has_version ">=sys-apps/openrc-0.5.0"; then
+		newinitd "${FILESDIR}/${PN}-init.d" wpa_supplicant
+		newconfd "${FILESDIR}/${PN}-conf.d" wpa_supplicant
+	fi
+
+	exeinto /etc/wpa_supplicant/
+	newexe "${FILESDIR}/wpa_cli.sh" wpa_cli.sh
+
+	readme.gentoo_create_doc
+	dodoc ChangeLog {eap_testing,todo}.txt README{,-WPS} \
+		wpa_supplicant.conf
+
+	newdoc .config build-config
+
+	if [ "${PV}" != "9999" ]; then
+		doman doc/docbook/*.{5,8}
+	fi
+
+	if use qt5 ; then
+		into /usr
+		dobin wpa_gui-qt4/wpa_gui
+		doicon wpa_gui-qt4/icons/wpa_gui.svg
+		domenu wpa_gui-qt4/wpa_gui.desktop
+	else
+		rm "${ED}"/usr/share/man/man8/wpa_gui.8
+	fi
+
+	use wimax && emake DESTDIR="${D}" -C ../src/eap_peer install
+
+	if use dbus ; then
+		pushd "${S}"/dbus > /dev/null || die
+		insinto /etc/dbus-1/system.d
+		newins dbus-wpa_supplicant.conf wpa_supplicant.conf
+		insinto /usr/share/dbus-1/system-services
+		doins fi.w1.wpa_supplicant1.service
+		popd > /dev/null || die
+
+		# This unit relies on dbus support, bug 538600.
+		systemd_dounit systemd/wpa_supplicant.service
+	fi
+
+	if use eapol-test ; then
+		dobin eapol_test
+	fi
+
+	systemd_dounit "systemd/wpa_supplicant@.service"
+	systemd_dounit "systemd/wpa_supplicant-nl80211@.service"
+	systemd_dounit "systemd/wpa_supplicant-wired@.service"
+}
+
+pkg_postinst() {
+	readme.gentoo_print_elog
+
+	if [[ -e "${EROOT}"/etc/wpa_supplicant.conf ]] ; then
+		echo
+		ewarn "WARNING: your old configuration file ${EROOT}/etc/wpa_supplicant.conf"
+		ewarn "needs to be moved to ${EROOT}/etc/wpa_supplicant/wpa_supplicant.conf"
+	fi
+	if ! use wep; then
+		einfo "WARNING: You are building with WEP support disabled, which is recommended since"
+		einfo "this protocol is deprecated and insecure.  If you still need to connect to"
+		einfo "WEP-enabled networks, you may turn this flag back on.  With this flag off,"
+		einfo "WEP-enabled networks will not even show up as available."
+		einfo "If your network is missing you may wish to USE=wep"
+	fi
+	if ! use tkip; then
+		ewarn "WARNING: You are building with TKIP support disabled, which is recommended since"
+		ewarn "this protocol is deprecated and insecure.  If you still need to connect to"
+		ewarn "TKIP-enabled networks, you may turn this flag back on.  With this flag off,"
+		ewarn "TKIP-enabled networks, including mixed mode TKIP/AES-CCMP will not even show up"
+		ewarn "as available.  If your network is missing you may wish to USE=tkip"
+	fi
+
+	# Mea culpa, feel free to remove that after some time --mgorny.
+	local fn
+	for fn in wpa_supplicant{,@wlan0}.service; do
+		if [[ -e "${EROOT}"/etc/systemd/system/network.target.wants/${fn} ]]
+		then
+			ebegin "Moving ${fn} to multi-user.target"
+			mv "${EROOT}"/etc/systemd/system/network.target.wants/${fn} \
+				"${EROOT}"/etc/systemd/system/multi-user.target.wants/ || die
+			eend ${?} \
+				"Please try to re-enable ${fn}"
+		fi
+	done
+
+	systemd_reenable wpa_supplicant.service
+}
diff --git a/net-wireless/wpa_supplicant/wpa_supplicant-9999.ebuild b/net-wireless/wpa_supplicant/wpa_supplicant-9999.ebuild
index 656297bfa793..8c93c31c2554 100644
--- a/net-wireless/wpa_supplicant/wpa_supplicant-9999.ebuild
+++ b/net-wireless/wpa_supplicant/wpa_supplicant-9999.ebuild
@@ -122,6 +122,9 @@ src_prepare() {
 	# bug (320097)
 	eapply "${FILESDIR}/${PN}-2.6-do-not-call-dbus-functions-with-NULL-path.patch"
 
+	# bug (912315)
+	eapply "${FILESDIR}/${PN}-2.10-allow-legacy-renegotiation.patch"
+
 	# bug (640492)
 	sed -i 's#-Werror ##' wpa_supplicant/Makefile || die
 }