wpa-supplicant: enable OWE support

Enable Opportunistic Wireless Encryption (OWE) in wpa_supplicant for
easier testing and examples by setting CONFIG_OWE=y in defconfig.

OWE is standardized in IEEE Std 802.11-2024 and specified by RFC
8110 (updated by RFC 9672).

Disable OWE when PACKAGECONFIG selects gnutls to prevent build
failures.

Signed-off-by: Miaoqing Pan <miaoqing.pan@oss.qualcomm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-defconfig-Update-Opportunistic-Wireless-Encryption-O.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-defconfig-Update-Opportunistic-Wireless-Encryption-O.patch
new file mode 100644 (file)
index 0000000..7311b76
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-defconfig-Update-Opportunistic-Wireless-Encryption-O.patch
@@ -0,0 +1,39 @@
+From fb043a27324ba81502b8986a31222f38aa414bbf Mon Sep 17 00:00:00 2001
+From: Miaoqing Pan <miaoqing.pan@oss.qualcomm.com>
+Date: Thu, 18 Dec 2025 09:46:03 +0800
+Subject: [PATCH 1/3] defconfig: Update Opportunistic Wireless Encryption (OWE)
+ state
+
+OWE enhances privacy in public and enterprise environments where open
+networks are prevalent. Enabling OWE aligns with modern security best
+practices and supports the testing and development of OWE-capable
+devices.
+
+OWE is now standardized in IEEE Std 802.11-2024 while it was originally
+specified in IETF RFC 8110 (updated by RFC 9672). It is not experimental
+anymore, i.e., there has been significant interoperability testing and
+there are deployed cases.
+
+Signed-off-by: Miaoqing Pan <miaoqing.pan@oss.qualcomm.com>
+Upstream-Status: Backport [https://git.w1.fi/cgit/hostap/commit/?id=39db92dcf301793ce45a8ebf85c425f67c670058]
+---
+ wpa_supplicant/defconfig | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/wpa_supplicant/defconfig b/wpa_supplicant/defconfig
+index 52befd8..044604a 100644
+--- a/wpa_supplicant/defconfig
++++ b/wpa_supplicant/defconfig
+@@ -638,8 +638,7 @@ CONFIG_BGSCAN_SIMPLE=y
+ #CONFIG_BGSCAN_LEARN=y
+ 
+ # Opportunistic Wireless Encryption (OWE)
+-# Experimental implementation of draft-harkins-owe-07.txt
+-#CONFIG_OWE=y
++CONFIG_OWE=y
+ 
+ # Device Provisioning Protocol (DPP) (also known as Wi-Fi Easy Connect)
+ CONFIG_DPP=y
+-- 
+2.34.1
+

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
index 6ba10a8ca95fa87cef19fa6eddb0488bde6dc0c8..50f16e935d547193cb4390f9a100c677a2fe165d 100644 (file)
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
            file://wpa_supplicant.conf-sane \
            file://99_wpa_supplicant \
            file://0001-macsec_linux-Hardware-offload-requires-Linux-headers.patch \
+           file://0002-defconfig-Update-Opportunistic-Wireless-Encryption-O.patch \
            file://CVE-2025-24912-01.patch \
            file://CVE-2025-24912-02.patch \
            "
@@ -45,7 +46,8 @@ do_configure () {
                echo 'CONFIG_TLS=gnutls' >>wpa_supplicant/.config
                sed -i -e 's/\(^CONFIG_DPP=\)/#\1/' \
                    -e 's/\(^CONFIG_EAP_PWD=\)/#\1/' \
-                   -e 's/\(^CONFIG_SAE=\)/#\1/' wpa_supplicant/.config
+                   -e 's/\(^CONFIG_SAE=\)/#\1/' \
+                   -e 's/\(^CONFIG_OWE=\)/#\1/' wpa_supplicant/.config
        fi
 
        # For rebuild