subtree updates
meta-arm: 025f76a14f..aba9250494:
Anusmita Dutta Mazumder (2):
arm-bsp/linux-yocto: Remove EOL Linux yocto kernel 6.1
arm-bsp/n1sdp: update to linux yocto kernel 6.6
Bence Balogh (1):
arm-bsp/trusted-firmware-m: disable libmetal doc generation
Drew Reed (5):
meta-arm: Support firmware building under a multiconfig
bsp,ci: Build Corstone-1000 firmware under multiconfig
bsp: Restore the ability to build firmware only
ci: Add back testing of firmware only builds
ci: Ensure tests are in the Corstone-1000 flash image
meta-raspberrypi: dbf1113a82..95a9103f91:
Khem Raj (1):
python3-sense-hat: Drop PYTHON_PN
Martin Jansa (2):
sdcard_image-rpi.bbclass: include ${IMAGE_NAME_SUFFIX} directly in both ${IMAGE_NAME} and ${IMAGE_LINK_NAME}
sdimage-raspberrypi.wks: increase /boot partition minimal size from 20 to 100
meta-openembedded: 528f273006..9f0e513211:
Andreas Mützel (1):
python3-pynacl: allow -native build
Chen Qi (1):
unixodbc: fix odbc.pc file generation
Daniel Ammann (1):
sdmon: add new package
Derek Straka (9):
python3-trustme: add runtime dependency for tests and re-add to ptest
python3-gunicorn: re-enable working ptests for the package
python-inotify: re-enable working ptests for the package
python3-license-expression: re-enable passing ptests for the package
python3-jdcal: re-add functional ptests
python3-msgpack: re-add functional ptests
python3-parse: re-add functional ptests
python3-typeguard: update ptest dependencies and re-enable functional tests
python3-service-identity: add missing ptest dependencies and re-enable functional tests
Jan Vermaete (1):
netdata: version bump 1.43.2 -> 1.44.3
Joerg Hofrichter (1):
python3-gevent: adding missing dependency to python3-zopeevent
Khawaja Shaheryar (2):
libdaq: add recipe
snort: add snort3 initial recipe
Khem Raj (25):
python3-pocketsphinx: Upgrade to 5.0.3
snort: Do not use llvm libunwind
snort3: Fix contains reference to TMPDIR [buildpaths] warnings
libcamera: Replace VLAs with alloca
dav1d: Inherit missing pkgconfig
webkitgtk3: Fix build on 32bit x86
ptest-packagelists-meta-oe: Remove oprofile for rv32/rv64
python3-jsmin: Fix ptests to run with python 3.12+
python3-ordered-set: Use automake formatter for ptest output
fuse3: Add missing runtime deps for ptests
python3-looseversion: Add recipe
sshfs-fuse: Fix ptest builds with python 3.12
meta-filesystems: Add meta-filesystems-image-ptest
meta-multimedia-image-ptest: Add images to enable BBCLASSEXTEND parallel execution
meta-networking-image-ptest: Add images to enable BBCLASSEXTEND parallel execution
python3-scapy: Add missing rdeps for ptests
ptest-packagelists-meta-oe.inc: Remove oprofile from PTESTS_PROBLEMS_META_OE
ptest-packagelists-meta-networking: firewalld hangs therefore disabled
ptest-packagelists-meta-perl.inc: Move couple of test to PTESTS_FAST_META_PERL
openhpi: Fix ptest run time failures
squid: Add missing bash dependency for ptest package
meta-networking: Express dependency on meta-python
ostree: Remove strace from ptest rdeps
python3-pydantic-core,python3-pydantic: Update to 2.16.3 and 2.6.3 respectively
python3-pydantic-core: Fix build for arches without 64bit atomics
Lei Maohui (1):
Fix install error when enable multilib.
Markus Volk (7):
iwd: update 2.13 -> 2.14
libgedit-gtksourceview: update 299.0.5 -> 299.1.0
gedit: update 46.1 -> 46.2
mutter: update 45.3 -> 45.4
gnome-shell: update 45.3 -> 45.4
gnome-control-center: update 45.2 -> 45.3
dav1d: update 1.3.0 -> 1.4.0
Martin Jansa (5):
python3-httpx: respect libdir in packaging
snort3: drop SRCPV from PV
snort3: fix snort.pc
gattlib: use python3native and depend on python3-packaging-native
networkmanager-fortisslvpn: use python3native and depend on python3-packaging-native
Mingli Yu (1):
mariadb: Upgrade to 10.11.7
Niko Mauno (2):
python3-pybind11: Migrate to python_setuptools_build_meta
python3-pybind11: Restore strip prevention patch
Oleh Matiusha (1):
yasm: improve reproducibility
Peter Marko (1):
dnsmasq: Upgrade 2.89 -> 2.90
Romain Naour (1):
wavemon: add recipe for version 0.9.5
Sascha Hauer (1):
signing.bbclass: fix wrong function name
Tim Orling (16):
python_mesonpy.bbclass: move to oe-core
python3-meson-python: move to oe-core
python3-pyproject-metadata: move to oe-core
meta-python: drop ${PYTHON_PN}
meta-oe: drop ${PYTHON_PN}
meta-filesystems: drop ${PYTHON_PN}
meta-networking: drop ${PYTHON_PN}
meta-gnome: drop ${PYTHON_PN}
python3-pytest-lazy-fixtures: add 1.0.5
python3-prettytable: upgrade 3.9.0 => 3.10.0; fix ptests
python3-pytest-lazy-fixture: drop recipe
meta-oe-image-ptest: add PTESTS_PROBLEMS_META_OE
meta-perl-image-ptest: add PTESTS_PROBLEMS_META_PERL
meta-python-image-ptest: add PTESTS_PROBLEMS_META_PYTHON
libencode-perl: drop recipe
libencode-locale-perl: drop recipe
Wang Mingyu (49):
babl: upgrade 0.1.106 -> 0.1.108
btop: upgrade 1.3.0 -> 1.3.2
gegl: upgrade 0.4.46 -> 0.4.48
gjs: upgrade 1.78.3 -> 1.78.4
gnome-bluetooth: upgrade 42.7 -> 42.8
gnome-keyring: upgrade 42.1 -> 46.1
isomd5sum: upgrade 1.2.3 -> 1.2.4
libei: upgrade 1.2.0 -> 1.2.1
libmanette: upgrade 0.2.6 -> 0.2.7
libmime-types-perl: upgrade 2.24 -> 2.26
logwatch: upgrade 7.9 -> 7.10
mpich: upgrade 4.1.2 -> 4.2.0
ostree: upgrade 2024.1 -> 2024.3
python3-aiohue: upgrade 4.7.0 -> 4.7.1
python3-awesomeversion: upgrade 23.11.0 -> 24.2.0
python3-bidict: upgrade 0.22.1 -> 0.23.0
python3-cantools: upgrade 39.4.3 -> 39.4.4
python3-cmake: upgrade 3.28.1 -> 3.28.3
python3-django: upgrade 5.0.1 -> 5.0.2
python3-dnspython: upgrade 2.5.0 -> 2.6.0
python3-elementpath: upgrade 4.2.0 -> 4.3.0
python3-engineio: upgrade 4.8.2 -> 4.9.0
python3-gevent: upgrade 23.9.1 -> 24.2.1
unbound: upgrade 1.19.0 -> 1.19.1
wireshark: upgrade 4.2.2 -> 4.2.3
protobuf: upgrade 4.25.2 -> 4.25.3
webkitgtk3: upgrade 2.42.4 -> 2.42.5
python3-tqdm: upgrade 4.66.1 -> 4.66.2
python3-google-api-python-client: upgrade 2.116.0 -> 2.118.0
python3-httpcore: upgrade 1.0.2 -> 1.0.3
python3-jsbeautifier: upgrade 1.14.11 -> 1.15.1
python3-langtable: upgrade 0.0.64 -> 0.0.65
python3-polyline: upgrade 2.0.1 -> 2.0.2
python3-protobuf: upgrade 4.25.2 -> 4.25.3
python3-pymisp: upgrade 2.4.184 -> 2.4.185
python3-pymodbus: upgrade 3.6.3 -> 3.6.4
python3-pytest-asyncio: upgrade 0.23.4 -> 0.23.5
python3-tox: upgrade 4.12.1 -> 4.13.0
python3-twine: upgrade 4.0.2 -> 5.0.0
python3-watchdog: upgrade 3.0.0 -> 4.0.0
python3-zopeinterface: upgrade 6.1 -> 6.2
remmina: upgrade 1.4.33 -> 1.4.34
sip: upgrade 6.8.2 -> 6.8.3
python3-google-auth: upgrade 2.27.0 -> 2.28.0
python3-gspread: upgrade 6.0.1 -> 6.0.2
python3-socketio: upgrade 5.11.0 -> 5.11.1
python3-sentry-sdk: upgrade 1.40.0 -> 1.40.4
python3-pydantic-core: upgrade 2.14.6 -> 2.16.1
python3-pydantic: upgrade 2.5.3 -> 2.6.0
William Lyu (1):
e2tools: Add ptest
Yi Zhao (1):
audit: upgrade 3.1.2 -> 4.0
Yoann Congal (2):
influxdb: Fix /etc files owner
influxdb: Add missing group to static id
chenheyun (1):
dropwatch: Use header files from sysroot instead of build host
poky: fc8e5d7c13..25d60ac6f6:
Adrian Freihofer (5):
devtool: ide-sdk python 3.12 escaping
sdk-manual: extensible.rst: cover devtool ide-sdk
devtool: ide-sdk launch.json per recipe only
devtool: ide-sdk prefer sources from workspace
oe-selftest devtool: ide-sdk tests
Alexander Kanavin (1):
dbus: disable assertions and enable only modular tests
Alexis Lothoré (7):
testimage: log exception when failing to retrieve artifacts
lib/oeqa: share get_json_result_dir helper
testimage: create a list of failed test post actions
oeqa/utils/postactions: isolate directory creation in dedicated action
oeqa/utils/postactions: add target disk usage stat as post action
oeqa/utils/postactions: testimage: add host disk usage stat as post action
oeqa/lib/utils/postactions: fix host disk usage stats retrieval
Bruce Ashfield (8):
linux-yocto/6.6: update to v6.6.17
linux-yocto/6.6: update CVE exclusions
linux-yocto/6.6: enable squashfs for selftests
linux-yocto/6.6: config: x86 tidy & consolidation
kern-tools: depend on git-replacement-native
linux-yocto/6.6: genericarm64 configuration/definition
linux-yocto/6.6: update to v6.6.18
linux-yocto/6.6: update CVE exclusions
Christoph Vogtländer (1):
overlayfs: add missing vardeps
Claus Stovgaard (1):
wpa-supplicant: Fix CVE-2023-52160
Eilís 'pidge' Ní Fhlannagáin (2):
creategroup*: Remove coreutils-native as a DEPENDS
selftest-users: Convoluted selftest for USERADD_DEPENDS
Emil Kronborg (1):
bluez5: remove configuration files from install task
Enguerrand de Ribaucourt (4):
devtool: ide: define compilerPath for meson projects
Revert "meson: use absolute cross-compiler paths"
bitbake: bitbake: progressbar: accept value over initial maxval
devtool: ide-sdk source mapping for vscode
Enrico Jörns (1):
wic: 'empty' plugin: fix typo in comment
Joe Slater (1):
qemuboot: predictable network interface names
Jonathan GUILLOT (2):
lib/oe/package: fix LOCALE_PATHS scan to create locale packages
glibc-locale: add an explicit dedicated package for locale.alias file
Jose Quaresma (1):
go: update 1.20.13 -> 1.20.14
Joshua Watt (1):
bitbake: asyncrpc: Add support for server headers
Khem Raj (6):
ncurses: Always pass -D_GNU_SOURCE
linux-yocto: Remove unused patch
ref-manual: variables: remove PYTHON_PN
python3-bcrypt: Fix build break on arches without 64 bit atomics
python3-maturin: Recognise riscv32 architecture
llvm: Update to 18.1.0 RC4
Lee Chee Yang (1):
migration-guide: add release notes for 4.3.3
Lei Maohui (1):
rpm: Fix the following error when run nativesdk-rpm in nativesdk environment.
Martin Jansa (1):
glib-2.0: backport a switch from distutils to packaging in codegen
Michael Halstead (1):
yocto-uninative: Update to 4.4 for glibc 2.39
Michael Opdenacker (5):
ref-manual: system-requirements: update packages to build docs
ref-manual: release-process: grammar fix
manuals: suppress excess use of "following" word
dev-manual: packages: clarify shared PR service constraint
dev-manual: packages: need enough free space
Munehisa Kamata (1):
kernel.bbclass: Set pkg-config variables for building modules
Nick Owens (1):
python3: dont disable readline module for editline
Philip Lorenz (1):
bitbake: fetch2: Ensure that git LFS objects are available
Piotr Łobacz (1):
useradd.bbclass: Fix order of postinst-useradd-*
Richard Purdie (6):
numactl: Upgrade 2.0.17 -> 2.0.18
lttng-ust: Upgrade 2.13.6 -> 2.13.7
oeqa/selftest/rust: Simplify the rust testsuite output gathering/processing
recipetool: Fix errors with meta-poky bbappend
bitbake: runqueue: Add support for BB_LOADFACTOR_MAX
mirrors: Switch llvm to use shallow cloning
Ross Burton (4):
base-files: add usage warning to motd
libexif: remove unused version_underscore
gstreamer1.0: skip a test that is known to be flaky
linux-firmware: split out more firmware pieces
Simone Weiß (6):
patchtest: provide further guidance for failed testcases
patchtest: Skip test for CVE_CHECK_IGNORE for older branches
meta: Remove some not needed CVE_STATUS
meta: Update CVE_STATUS for incorrect cpes
cve-check: Log if CVE_STATUS set but not reported for component
dev-manual: Rephrase spdx creation
Soumya Sambu (1):
bind: Upgrade 9.18.21 -> 9.18.24
Tim Orling (3):
bitbake: layerindexlib: fix missing layer branch backtrace
python3-cryptography{-vectors}: upgrade to 42.0.5
python3-attrs: disable Hypothesis deadline
Tobias Hagelborn (1):
bitbake: hashserv: Re-enable connection pooling with psycopg 3 driver
Trevor Gamblin (1):
python3-git: upgrade 3.1.41 -> 3.1.42
Trevor Woerner (1):
wic: allow imager-specific filename extensions
Ulrich Ölmann (1):
bitbake: taskexp_ncurses: fix execution example in introductory comment
Wang Mingyu (44):
bash-completion: upgrade 2.11 -> 2.12.0
ccache: upgrade 4.9 -> 4.9.1
createrepo-c: upgrade 1.0.3 -> 1.0.4
ed: upgrade 1.20 -> 1.20.1
efivar: upgrade 38 -> 39
gcr: upgrade 4.1.0 -> 4.2.0
git: upgrade 2.43.0 -> 2.44.0
libffi: upgrade 3.4.5 -> 3.4.6
libgpg-error: upgrade 1.47 -> 1.48
libhandy: upgrade 1.8.2 -> 1.8.3
libksba: upgrade 1.6.5 -> 1.6.6
libmicrohttpd: upgrade 0.9.77 -> 1.0.1
libpng: upgrade 1.6.41 -> 1.6.42
libsecret: upgrade 0.21.2 -> 0.21.4
libunistring: upgrade 1.1 -> 1.2
liburi-perl: upgrade 5.25 -> 5.27
libxext: upgrade 1.3.5 -> 1.3.6
libxkbfile: upgrade 1.1.2 -> 1.1.3
libxvmc: upgrade 1.0.13 -> 1.0.14
lighttpd: upgrade 1.4.73 -> 1.4.74
makedepend: upgrade 1.0.8 -> 1.0.9
mpg123: upgrade 1.32.4 -> 1.32.5
ofono: upgrade 2.3 -> 2.4
pango: upgrade 1.51.0 -> 1.52.0
pciutils: upgrade 3.10.0 -> 3.11.1
pkgconf: upgrade 2.1.0 -> 2.1.1
python3-beartype: upgrade 0.17.0 -> 0.17.2
python3-certifi: upgrade 2023.11.17 -> 2024.2.2
python3-dbusmock: upgrade 0.30.2 -> 0.31.1
python3-hypothesis: upgrade 6.97.3 -> 6.98.12
python3-pip: upgrade 23.3.2 -> 24.0
python3-pycairo: upgrade 1.25.1 -> 1.26.0
python3-pytest: upgrade 8.0.0 -> 8.0.2
python3-pytz: upgrade 2023.4 -> 2024.1
python3-setuptools-rust: upgrade 1.8.1 -> 1.9.0
python3-trove-classifiers: upgrade 2024.1.8 -> 2024.2.23
python3-typing-extensions: upgrade 4.9.0 -> 4.10.0
python3: upgrade 3.12.1 -> 3.12.2
python3-urllib3: upgrade 2.1.0 -> 2.2.1
python3-yamllint: upgrade 1.33.0 -> 1.35.1
swig: upgrade 4.2.0 -> 4.2.1
xkbcomp: upgrade 1.4.6 -> 1.4.7
xkeyboard-config: upgrade 2.40 -> 2.41
xprop: upgrade 1.2.6 -> 1.2.7
Xiangyu Chen (2):
systemd-systemctl: fix dead loop when multi services enable each other
libc-locale: fix ASCII compatible warning cause build failure.
Xiaotian Wu (2):
loongarch64: change -march to loongarch64
openssl: Match target name for loongarch64
Yash Shinde (3):
rust: Upgrade 1.74.1 -> 1.75.0
rust: Revert PGO to it's default
rust: reproducibility issue fix with v1.75
Yoann Congal (1):
waf: Improve version parsing to avoid failing on warnings
Change-Id: I6dfb848feb4ec8f5aae56a9ccbff475f4eb1edc6
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
new file mode 100644
index 0000000..620560d
--- /dev/null
+++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch
@@ -0,0 +1,213 @@
+From f6f7cead3661ceeef54b21f7e799c0afc98537ec Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 8 Jul 2023 19:55:32 +0300
+Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements
+
+The previous PEAP client behavior allowed the server to skip Phase 2
+authentication with the expectation that the server was authenticated
+during Phase 1 through TLS server certificate validation. Various PEAP
+specifications are not exactly clear on what the behavior on this front
+is supposed to be and as such, this ended up being more flexible than
+the TTLS/FAST/TEAP cases. However, this is not really ideal when
+unfortunately common misconfiguration of PEAP is used in deployed
+devices where the server trust root (ca_cert) is not configured or the
+user has an easy option for allowing this validation step to be skipped.
+
+Change the default PEAP client behavior to be to require Phase 2
+authentication to be successfully completed for cases where TLS session
+resumption is not used and the client certificate has not been
+configured. Those two exceptions are the main cases where a deployed
+authentication server might skip Phase 2 and as such, where a more
+strict default behavior could result in undesired interoperability
+issues. Requiring Phase 2 authentication will end up disabling TLS
+session resumption automatically to avoid interoperability issues.
+
+Allow Phase 2 authentication behavior to be configured with a new phase1
+configuration parameter option:
+'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
+tunnel) behavior for PEAP:
+ * 0 = do not require Phase 2 authentication
+ * 1 = require Phase 2 authentication when client certificate
+ (private_key/client_cert) is no used and TLS session resumption was
+ not used (default)
+ * 2 = require Phase 2 authentication in all cases
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+CVE: CVE-2023-52160
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c]
+
+Signed-off-by: Claus Stovgaard <claus.stovgaard@gmail.com>
+
+---
+ src/eap_peer/eap_config.h | 8 ++++++
+ src/eap_peer/eap_peap.c | 40 +++++++++++++++++++++++++++---
+ src/eap_peer/eap_tls_common.c | 6 +++++
+ src/eap_peer/eap_tls_common.h | 5 ++++
+ wpa_supplicant/wpa_supplicant.conf | 7 ++++++
+ 5 files changed, 63 insertions(+), 3 deletions(-)
+
+diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
+index 3238f74..047eec2 100644
+--- a/src/eap_peer/eap_config.h
++++ b/src/eap_peer/eap_config.h
+@@ -469,6 +469,14 @@ struct eap_peer_config {
+ * 1 = use cryptobinding if server supports it
+ * 2 = require cryptobinding
+ *
++ * phase2_auth option can be used to control Phase 2 (i.e., within TLS
++ * tunnel) behavior for PEAP:
++ * 0 = do not require Phase 2 authentication
++ * 1 = require Phase 2 authentication when client certificate
++ * (private_key/client_cert) is no used and TLS session resumption was
++ * not used (default)
++ * 2 = require Phase 2 authentication in all cases
++ *
+ * EAP-WSC (WPS) uses following options: pin=Device_Password and
+ * uuid=Device_UUID
+ *
+diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c
+index 12e30df..6080697 100644
+--- a/src/eap_peer/eap_peap.c
++++ b/src/eap_peer/eap_peap.c
+@@ -67,6 +67,7 @@ struct eap_peap_data {
+ u8 cmk[20];
+ int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
+ * is enabled. */
++ enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
+ };
+
+
+@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data,
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding");
+ }
+
++ if (os_strstr(phase1, "phase2_auth=0")) {
++ data->phase2_auth = NO_AUTH;
++ wpa_printf(MSG_DEBUG,
++ "EAP-PEAP: Do not require Phase 2 authentication");
++ } else if (os_strstr(phase1, "phase2_auth=1")) {
++ data->phase2_auth = FOR_INITIAL;
++ wpa_printf(MSG_DEBUG,
++ "EAP-PEAP: Require Phase 2 authentication for initial connection");
++ } else if (os_strstr(phase1, "phase2_auth=2")) {
++ data->phase2_auth = ALWAYS;
++ wpa_printf(MSG_DEBUG,
++ "EAP-PEAP: Require Phase 2 authentication for all cases");
++ }
+ #ifdef EAP_TNC
+ if (os_strstr(phase1, "tnc=soh2")) {
+ data->soh = 2;
+@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm)
+ data->force_peap_version = -1;
+ data->peap_outer_success = 2;
+ data->crypto_binding = OPTIONAL_BINDING;
++ data->phase2_auth = FOR_INITIAL;
+
+ if (config && config->phase1)
+ eap_peap_parse_phase1(data, config->phase1);
+@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm,
+ }
+
+
++static bool peap_phase2_sufficient(struct eap_sm *sm,
++ struct eap_peap_data *data)
++{
++ if ((data->phase2_auth == ALWAYS ||
++ (data->phase2_auth == FOR_INITIAL &&
++ !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) &&
++ !data->ssl.client_cert_conf) ||
++ data->phase2_eap_started) &&
++ !data->phase2_eap_success)
++ return false;
++ return true;
++}
++
++
+ /**
+ * eap_tlv_process - Process a received EAP-TLV message and generate a response
+ * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init()
+@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data,
+ " - force failed Phase 2");
+ resp_status = EAP_TLV_RESULT_FAILURE;
+ ret->decision = DECISION_FAIL;
++ } else if (!peap_phase2_sufficient(sm, data)) {
++ wpa_printf(MSG_INFO,
++ "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed");
++ resp_status = EAP_TLV_RESULT_FAILURE;
++ ret->decision = DECISION_FAIL;
+ } else {
+ resp_status = EAP_TLV_RESULT_SUCCESS;
+ ret->decision = DECISION_UNCOND_SUCC;
+@@ -887,8 +921,7 @@ continue_req:
+ /* EAP-Success within TLS tunnel is used to indicate
+ * shutdown of the TLS channel. The authentication has
+ * been completed. */
+- if (data->phase2_eap_started &&
+- !data->phase2_eap_success) {
++ if (!peap_phase2_sufficient(sm, data)) {
+ wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 "
+ "Success used to indicate success, "
+ "but Phase 2 EAP was not yet "
+@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv,
+ static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv)
+ {
+ struct eap_peap_data *data = priv;
++
+ return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
+- data->phase2_success;
++ data->phase2_success && data->phase2_auth != ALWAYS;
+ }
+
+
+diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
+index c1837db..a53eeb1 100644
+--- a/src/eap_peer/eap_tls_common.c
++++ b/src/eap_peer/eap_tls_common.c
+@@ -239,6 +239,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
+
+ sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK);
+
++ if (!phase2)
++ data->client_cert_conf = params->client_cert ||
++ params->client_cert_blob ||
++ params->private_key ||
++ params->private_key_blob;
++
+ return 0;
+ }
+
+diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h
+index 9ac0012..3348634 100644
+--- a/src/eap_peer/eap_tls_common.h
++++ b/src/eap_peer/eap_tls_common.h
+@@ -79,6 +79,11 @@ struct eap_ssl_data {
+ * tls_v13 - Whether TLS v1.3 or newer is used
+ */
+ int tls_v13;
++
++ /**
++ * client_cert_conf: Whether client certificate has been configured
++ */
++ bool client_cert_conf;
+ };
+
+
+diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
+index 6619d6b..d63f73c 100644
+--- a/wpa_supplicant/wpa_supplicant.conf
++++ b/wpa_supplicant/wpa_supplicant.conf
+@@ -1321,6 +1321,13 @@ fast_reauth=1
+ # * 0 = do not use cryptobinding (default)
+ # * 1 = use cryptobinding if server supports it
+ # * 2 = require cryptobinding
++# 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
++# tunnel) behavior for PEAP:
++# * 0 = do not require Phase 2 authentication
++# * 1 = require Phase 2 authentication when client certificate
++# (private_key/client_cert) is no used and TLS session resumption was
++# not used (default)
++# * 2 = require Phase 2 authentication in all cases
+ # EAP-WSC (WPS) uses following options: pin=<Device Password> or
+ # pbc=1.
+ #
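Review bot: in peap_phase2_sufficient() the FOR_INITIAL default set in eap_peap_init() still accepts a server-indicated success without any Phase 2 exchange when the TLS session was resumed or data->ssl.client_cert_conf is true. Configurations that set a client certificate or rely on session resumption therefore keep the old behaviour unless phase1 carries phase2_auth=2, which is worth stating for integrators alongside the CVE tag. In eap_peap_parse_phase1() the os_strstr() chain has no final else, so a value such as phase2_auth=3 silently keeps the default with no debug line; a log message there would make a misconfiguration visible, though for a backport that change belongs upstream. The "is no used" typo (for "is not used") in the eap_config.h and wpa_supplicant.conf comments is likewise upstream's wording.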
diff --git a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
index 4660404..22028ce 100644
--- a/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
+++ b/poky/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
@@ -18,6 +18,7 @@
file://0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch \
file://0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch \
file://0001-Install-wpa_passphrase-when-not-disabled.patch \
+ file://0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch \
"
SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f"
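Review bot: the added SRC_URI entry is the third file in this list with a 0001- prefix, so the file name indicates neither the apply order nor that this is the CVE-2023-52160 fix. Consider a file name that carries the CVE id, so the security patch is easy to identify when the recipe is next upgraded and local patches are reviewed for removal.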