*/*: Bring back wpa_supplicant29 and hostapd29 as new ports

The current wpa_supplicant and hostapd have an issue with AR9285.
For the time being bring back wpa_supplicant 2.9 as
security/wpa_supplicant29 and hostpd 2.9 as net/hostapd29 for those
cases that have an issue with wpa_supplicant/hostpad2.10 (in base and
in ports)

PR:		264238
(cherry picked from commit 7150a0c9b1014e445a8266c9080d0bf4738dcc9c)

32 files changed, 1661 insertions, 0 deletions

diff --git a/net/Makefile b/net/Makefile
index 501e316e38d6..544d5137d2c8 100644
--- a/net/Makefile
+++ b/net/Makefile
@@ -248,6 +248,7 @@
     SUBDIR += hlmaster
     SUBDIR += honeyd
     SUBDIR += hostapd
+    SUBDIR += hostapd29
     SUBDIR += hostapd-devel
     SUBDIR += hping3
     SUBDIR += hsflowd
diff --git a/net/hostapd29/Makefile b/net/hostapd29/Makefile
new file mode 100644
index 000000000000..a87a8ed33515
--- /dev/null
+++ b/net/hostapd29/Makefile
@@ -0,0 +1,46 @@
+# Created by: Craig Leres <leres@FreeBSD.org>
+
+PORTNAME=	hostapd
+PORTVERSION=	2.9
+PORTREVISION=	4
+CATEGORIES=	net
+MASTER_SITES=	https://w1.fi/releases/
+
+PATCH_SITES=	https://w1.fi/security/2020-1/
+PATCHFILES=	0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch:-p1 \
+		0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch:-p1 \
+		0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch:-p1
+
+MAINTAINER=	cy@FreeBSD.org
+COMMENT=	IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
+
+LICENSE=	BSD3CLAUSE
+
+USES=		cpe gmake ssl
+CPE_VENDOR=	w1.fi
+BUILD_WRKSRC=	${WRKSRC}/hostapd
+CFLAGS+=	-I${OPENSSLINC}
+LDFLAGS+=	-L${OPENSSLLIB}
+
+PLIST_FILES=	sbin/hostapd sbin/hostapd_cli man/man1/hostapd_cli.1.gz \
+		man/man8/hostapd.8.gz
+.if !exists(/etc/rc.d/hostapd)
+USE_RC_SUBR=	hostapd
+.endif
+
+post-patch:
+	@${REINPLACE_CMD} -e 's|@$$(E) "  CC " $$<|@$$(E) "  $$(CC) " $$<|' \
+		${BUILD_WRKSRC}/Makefile
+	@${SED} -e 's|@PREFIX@|${PREFIX}|g' ${FILESDIR}/config \
+		>> ${WRKSRC}/hostapd/.config
+
+do-install:
+	${INSTALL_PROGRAM} ${WRKSRC}/hostapd/hostapd ${STAGEDIR}${PREFIX}/sbin
+	${INSTALL_PROGRAM} ${WRKSRC}/hostapd/hostapd_cli \
+		${STAGEDIR}${PREFIX}/sbin
+	${INSTALL_MAN} ${WRKSRC}/hostapd/hostapd_cli.1 \
+		${STAGEDIR}${MANPREFIX}/man/man1
+	${INSTALL_MAN} ${WRKSRC}/hostapd/hostapd.8 \
+		${STAGEDIR}${MANPREFIX}/man/man8
+
+.include <bsd.port.mk>
diff --git a/net/hostapd29/distinfo b/net/hostapd29/distinfo
new file mode 100644
index 000000000000..c6fd159e26c4
--- /dev/null
+++ b/net/hostapd29/distinfo
@@ -0,0 +1,9 @@
+TIMESTAMP = 1591652140
+SHA256 (hostapd-2.9.tar.gz) = 881d7d6a90b2428479288d64233151448f8990ab4958e0ecaca7eeb3c9db2bd7
+SIZE (hostapd-2.9.tar.gz) = 2244312
+SHA256 (0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch) = 2d9a5b9d616f1b4aa4a22b967cee866e2f69b798b0b46803a7928c8559842bd7
+SIZE (0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch) = 5909
+SHA256 (0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch) = 49feb35a5276279b465f6836d6fa2c6b34d94dc979e8b840d1918865c04260de
+SIZE (0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch) = 2284
+SHA256 (0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch) = a8212a2d89a5bab2824d22b6047e7740553df163114fcec94832bfa9c5c5d78a
+SIZE (0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch) = 1553
diff --git a/net/hostapd29/files/config b/net/hostapd29/files/config
new file mode 100644
index 000000000000..de05f3384a1a
--- /dev/null
+++ b/net/hostapd29/files/config
@@ -0,0 +1,316 @@
+# FreeBSD hostapd build time configuration
+#
+# This file lists the configuration options that are used when building the
+# hostapd binary. All lines starting with # are ignored. Configuration option
+# lines must be commented out complete, if they are not to be included, i.e.,
+# just setting VARIABLE=n is not disabling that variable.
+#
+# This file is included in Makefile, so variables like CFLAGS and LIBS can also
+# be modified from here. In most cass, these lines should use += in order not
+# to override previous values of the variables.
+
+# Driver interface for Host AP driver
+#CONFIG_DRIVER_HOSTAP=y
+
+# Driver interface for wired authenticator
+#CONFIG_DRIVER_WIRED=y
+
+# Driver interface for madwifi driver
+#CONFIG_DRIVER_MADWIFI=y
+#CFLAGS += -I../../madwifi # change to the madwifi source directory
+
+# Driver interface for drivers using the nl80211 kernel interface
+#CONFIG_DRIVER_NL80211=y
+
+# driver_nl80211.c requires libnl. If you are compiling it yourself
+# you may need to point hostapd to your version of libnl.
+#
+#CFLAGS += -I$<path to libnl include files>
+#LIBS += -L$<path to libnl library files>
+
+# Use libnl v2.0 (or 3.0) libraries.
+#CONFIG_LIBNL20=y
+
+# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
+#CONFIG_LIBNL32=y
+
+# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
+CONFIG_DRIVER_BSD=y
+CFLAGS += -I@PREFIX@/include
+LIBS += -L@PREFIX@/lib
+LIBS_p += -L@PREFIX@/lib
+LIBS_c += -L@PREFIX@/lib
+
+# Driver interface for no driver (e.g., RADIUS server only)
+#CONFIG_DRIVER_NONE=y
+
+# IEEE 802.11F/IAPP
+#CONFIG_IAPP=y
+
+# WPA2/IEEE 802.11i RSN pre-authentication
+CONFIG_RSN_PREAUTH=y
+
+# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS)
+#CONFIG_PEERKEY=y
+
+# IEEE 802.11w (management frame protection)
+#CONFIG_IEEE80211W=y
+
+# Integrated EAP server
+CONFIG_EAP=y
+
+# EAP-MD5 for the integrated EAP server
+CONFIG_EAP_MD5=y
+
+# EAP-TLS for the integrated EAP server
+CONFIG_EAP_TLS=y
+
+# EAP-MSCHAPv2 for the integrated EAP server
+CONFIG_EAP_MSCHAPV2=y
+
+# EAP-PEAP for the integrated EAP server
+CONFIG_EAP_PEAP=y
+
+# EAP-GTC for the integrated EAP server
+CONFIG_EAP_GTC=y
+
+# EAP-TTLS for the integrated EAP server
+CONFIG_EAP_TTLS=y
+
+# EAP-SIM for the integrated EAP server
+#CONFIG_EAP_SIM=y
+
+# EAP-AKA for the integrated EAP server
+#CONFIG_EAP_AKA=y
+
+# EAP-AKA' for the integrated EAP server
+# This requires CONFIG_EAP_AKA to be enabled, too.
+#CONFIG_EAP_AKA_PRIME=y
+
+# EAP-PAX for the integrated EAP server
+#CONFIG_EAP_PAX=y
+
+# EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK)
+#CONFIG_EAP_PSK=y
+
+# EAP-pwd for the integrated EAP server (secure authentication with a password)
+#CONFIG_EAP_PWD=y
+
+# EAP-SAKE for the integrated EAP server
+#CONFIG_EAP_SAKE=y
+
+# EAP-GPSK for the integrated EAP server
+#CONFIG_EAP_GPSK=y
+# Include support for optional SHA256 cipher suite in EAP-GPSK
+#CONFIG_EAP_GPSK_SHA256=y
+
+# EAP-FAST for the integrated EAP server
+# Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed
+# for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g.,
+# with openssl-0.9.8x-tls-extensions.patch, to add the needed functions.
+#CONFIG_EAP_FAST=y
+
+# Wi-Fi Protected Setup (WPS)
+#CONFIG_WPS=y
+# Enable UPnP support for external WPS Registrars
+#CONFIG_WPS_UPNP=y
+# Enable WPS support with NFC config method
+#CONFIG_WPS_NFC=y
+
+# EAP-IKEv2
+#CONFIG_EAP_IKEV2=y
+
+# Trusted Network Connect (EAP-TNC)
+#CONFIG_EAP_TNC=y
+
+# EAP-EKE for the integrated EAP server
+#CONFIG_EAP_EKE=y
+
+# PKCS#12 (PFX) support (used to read private key and certificate file from
+# a file that usually has extension .p12 or .pfx)
+CONFIG_PKCS12=y
+
+# RADIUS authentication server. This provides access to the integrated EAP
+# server from external hosts using RADIUS.
+#CONFIG_RADIUS_SERVER=y
+
+# Build IPv6 support for RADIUS operations
+CONFIG_IPV6=y
+
+# IEEE Std 802.11r-2008 (Fast BSS Transition)
+#CONFIG_IEEE80211R=y
+
+# Use the hostapd's IEEE 802.11 authentication (ACL), but without
+# the IEEE 802.11 Management capability (e.g., madwifi or FreeBSD/net80211)
+CONFIG_DRIVER_RADIUS_ACL=y
+
+# IEEE 802.11n (High Throughput) support
+#CONFIG_IEEE80211N=y
+
+# Wireless Network Management (IEEE Std 802.11v-2011)
+# Note: This is experimental and not complete implementation.
+#CONFIG_WNM=y
+
+# IEEE 802.11ac (Very High Throughput) support
+#CONFIG_IEEE80211AC=y
+
+# Remove debugging code that is printing out debug messages to stdout.
+# This can be used to reduce the size of the hostapd considerably if debugging
+# code is not needed.
+#CONFIG_NO_STDOUT_DEBUG=y
+
+# Add support for writing debug log to a file: -f /tmp/hostapd.log
+# Disabled by default.
+#CONFIG_DEBUG_FILE=y
+
+# Add support for sending all debug messages (regardless of debug verbosity)
+# to the Linux kernel tracing facility. This helps debug the entire stack by
+# making it easy to record everything happening from the driver up into the
+# same file, e.g., using trace-cmd.
+#CONFIG_DEBUG_LINUX_TRACING=y
+
+# Remove support for RADIUS accounting
+#CONFIG_NO_ACCOUNTING=y
+
+# Remove support for RADIUS
+#CONFIG_NO_RADIUS=y
+
+# Remove support for VLANs
+#CONFIG_NO_VLAN=y
+
+# Enable support for fully dynamic VLANs. This enables hostapd to
+# automatically create bridge and VLAN interfaces if necessary.
+#CONFIG_FULL_DYNAMIC_VLAN=y
+
+# Use netlink-based kernel API for VLAN operations instead of ioctl()
+# Note: This requires libnl 3.1 or newer.
+#CONFIG_VLAN_NETLINK=y
+
+# Remove support for dumping internal state through control interface commands
+# This can be used to reduce binary size at the cost of disabling a debugging
+# option.
+#CONFIG_NO_DUMP_STATE=y
+
+# Enable tracing code for developer debugging
+# This tracks use of memory allocations and other registrations and reports
+# incorrect use with a backtrace of call (or allocation) location.
+#CONFIG_WPA_TRACE=y
+# For BSD, comment out these.
+#LIBS += -lexecinfo
+#LIBS_p += -lexecinfo
+#LIBS_c += -lexecinfo
+
+# Use libbfd to get more details for developer debugging
+# This enables use of libbfd to get more detailed symbols for the backtraces
+# generated by CONFIG_WPA_TRACE=y.
+#CONFIG_WPA_TRACE_BFD=y
+# For BSD, comment out these.
+#LIBS += -lbfd -liberty -lz
+#LIBS_p += -lbfd -liberty -lz
+#LIBS_c += -lbfd -liberty -lz
+
+# hostapd depends on strong random number generation being available from the
+# operating system. os_get_random() function is used to fetch random data when
+# needed, e.g., for key generation. On Linux and BSD systems, this works by
+# reading /dev/urandom. It should be noted that the OS entropy pool needs to be
+# properly initialized before hostapd is started. This is important especially
+# on embedded devices that do not have a hardware random number generator and
+# may by default start up with minimal entropy available for random number
+# generation.
+#
+# As a safety net, hostapd is by default trying to internally collect
+# additional entropy for generating random data to mix in with the data
+# fetched from the OS. This by itself is not considered to be very strong, but
+# it may help in cases where the system pool is not initialized properly.
+# However, it is very strongly recommended that the system pool is initialized
+# with enough entropy either by using hardware assisted random number
+# generator or by storing state over device reboots.
+#
+# hostapd can be configured to maintain its own entropy store over restarts to
+# enhance random number generation. This is not perfect, but it is much more
+# secure than using the same sequence of random numbers after every reboot.
+# This can be enabled with -e<entropy file> command line option. The specified
+# file needs to be readable and writable by hostapd.
+#
+# If the os_get_random() is known to provide strong random data (e.g., on
+# Linux/BSD, the board in question is known to have reliable source of random
+# data from /dev/urandom), the internal hostapd random pool can be disabled.
+# This will save some in binary size and CPU use. However, this should only be
+# considered for builds that are known to be used on devices that meet the
+# requirements described above.
+#CONFIG_NO_RANDOM_POOL=y
+
+# Select TLS implementation
+# openssl = OpenSSL (default)
+# gnutls = GnuTLS
+# internal = Internal TLSv1 implementation (experimental)
+# none = Empty template
+#CONFIG_TLS=openssl
+
+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
+# can be enabled to get a stronger construction of messages when block ciphers
+# are used.
+#CONFIG_TLSV11=y
+
+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
+# can be enabled to enable use of stronger crypto algorithms.
+#CONFIG_TLSV12=y
+
+# If CONFIG_TLS=internal is used, additional library and include paths are
+# needed for LibTomMath. Alternatively, an integrated, minimal version of
+# LibTomMath can be used. See beginning of libtommath.c for details on benefits
+# and drawbacks of this option.
+#CONFIG_INTERNAL_LIBTOMMATH=y
+#ifndef CONFIG_INTERNAL_LIBTOMMATH
+#LTM_PATH=/usr/src/libtommath-0.39
+#CFLAGS += -I$(LTM_PATH)
+#LIBS += -L$(LTM_PATH)
+#LIBS_p += -L$(LTM_PATH)
+#endif
+# At the cost of about 4 kB of additional binary size, the internal LibTomMath
+# can be configured to include faster routines for exptmod, sqr, and div to
+# speed up DH and RSA calculation considerably
+#CONFIG_INTERNAL_LIBTOMMATH_FAST=y
+
+# Interworking (IEEE 802.11u)
+# This can be used to enable functionality to improve interworking with
+# external networks.
+#CONFIG_INTERWORKING=y
+
+# Hotspot 2.0
+#CONFIG_HS20=y
+
+# Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file
+#CONFIG_SQLITE=y
+
+# Testing options
+# This can be used to enable some testing options (see also the example
+# configuration file) that are really useful only for testing clients that
+# connect to this hostapd. These options allow, for example, to drop a
+# certain percentage of probe requests or auth/(re)assoc frames.
+#
+#CONFIG_TESTING_OPTIONS=y
+
+# Automatic Channel Selection
+# This will allow hostapd to pick the channel automatically when channel is set
+# to "acs_survey" or "0". Eventually, other ACS algorithms can be added in
+# similar way.
+#
+# Automatic selection is currently only done through initialization, later on
+# we hope to do background checks to keep us moving to more ideal channels as
+# time goes by. ACS is currently only supported through the nl80211 driver and
+# your driver must have survey dump capability that is filled by the driver
+# during scanning.
+#
+# You can customize the ACS survey algorithm with the hostapd.conf variable
+# acs_num_scans.
+#
+# Supported ACS drivers:
+# * ath9k
+# * ath5k
+# * ath10k
+#
+# For more details refer to:
+# http://wireless.kernel.org/en/users/Documentation/acs
+#
+#CONFIG_ACS=y
diff --git a/net/hostapd29/files/hostapd.in b/net/hostapd29/files/hostapd.in
new file mode 100644
index 000000000000..b6e717098472
--- /dev/null
+++ b/net/hostapd29/files/hostapd.in
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# PROVIDE: hostapd
+# REQUIRE: mountcritremote
+# KEYWORD: nojail shutdown
+
+. /etc/rc.subr
+
+name="hostapd"
+desc="Authenticator for IEEE 802.11 networks"
+#
+# This portion of this rc.script is different from base.
+case ${command} in
+/usr/sbin/hostapd)	# Assume user does not want base hostapd because
+			# user specified WITHOUT_WIRELESS in make.conf
+			# and /etc/defaults/rc.conf contains this value.
+			unset command;;
+esac
+command=${hostapd_program:-%%PREFIX%%/sbin/hostapd}
+# End of differences from base. The rest of the file should remain the same.
+
+ifn="$2"
+if [ -z "$ifn" ]; then
+	rcvar="hostapd_enable"
+	conf_file="/etc/${name}.conf"
+	pidfile="/var/run/${name}.pid"
+else
+	rcvar=
+	conf_file="/etc/${name}-${ifn}.conf"
+	pidfile="/var/run/${name}-${ifn}.pid"
+fi
+
+command_args="-P ${pidfile} -B ${conf_file}"
+required_files="${conf_file}"
+required_modules="wlan_xauth wlan_wep wlan_tkip wlan_ccmp"
+extra_commands="reload"
+
+load_rc_config ${name}
+run_rc_command "$1"
diff --git a/net/hostapd29/files/patch-src-l2_packet-l2_packet_freebsd.c b/net/hostapd29/files/patch-src-l2_packet-l2_packet_freebsd.c
new file mode 100644
index 000000000000..8b34e0fbdd89
--- /dev/null
+++ b/net/hostapd29/files/patch-src-l2_packet-l2_packet_freebsd.c
@@ -0,0 +1,14 @@
+--- src/l2_packet/l2_packet_freebsd.c.orig	2014-06-04 13:26:14 UTC
++++ src/l2_packet/l2_packet_freebsd.c
+@@ -8,7 +8,10 @@
+  */
+ 
+ #include "includes.h"
+-#if defined(__APPLE__) || defined(__GLIBC__)
++#if defined(__FreeBSD__) \
++ || defined(__DragonFly__) \
++ || defined(__APPLE__) \
++ || defined(__GLIBC__)
+ #include <net/bpf.h>
+ #endif /* __APPLE__ */
+ #include <pcap.h>
diff --git a/net/hostapd29/files/patch-src_common_dhcp.h b/net/hostapd29/files/patch-src_common_dhcp.h
new file mode 100644
index 000000000000..f88d1921a380
--- /dev/null
+++ b/net/hostapd29/files/patch-src_common_dhcp.h
@@ -0,0 +1,25 @@
+--- src/common/dhcp.h.orig	2018-12-02 11:34:59.000000000 -0800
++++ src/common/dhcp.h	2018-12-06 00:01:11.429254000 -0800
+@@ -9,6 +9,22 @@
+ #ifndef DHCP_H
+ #define DHCP_H
+ 
++/*
++ * Translate Linux to FreeBSD
++ */
++#define iphdr		ip
++#define ihl		ip_hl
++#define verson		ip_v
++#define tos		ip_tos
++#define tot_len		ip_len
++#define id		ip_id
++#define frag_off	ip_off
++#define ttl		ip_ttl
++#define protocol	ip_p
++#define check		ip_sum
++#define saddr		ip_src
++#define daddr		ip_dst
++
+ #include <netinet/ip.h>
+ #if __FAVOR_BSD
+ #include <netinet/udp.h>
diff --git a/net/hostapd29/files/patch-src_drivers_driver__bsd.c b/net/hostapd29/files/patch-src_drivers_driver__bsd.c
new file mode 100644
index 000000000000..fe3064586710
--- /dev/null
+++ b/net/hostapd29/files/patch-src_drivers_driver__bsd.c
@@ -0,0 +1,60 @@
+--- src/drivers/driver_bsd.c.orig	2019-08-07 06:25:25.000000000 -0700
++++ src/drivers/driver_bsd.c	2021-06-13 23:10:12.570253000 -0700
+@@ -649,7 +649,7 @@
+ 		len = 2048;
+ 	}
+ 
+-	return len;
++	return (len == 0) ? 2048 : len;
+ }
+ 
+ #ifdef HOSTAPD
+@@ -665,7 +665,11 @@
+ static int bsd_sta_deauth(void *priv, const u8 *own_addr, const u8 *addr,
+ 			  u16 reason_code);
+ 
++#ifdef __DragonFly__
++const char *
++#else
+ static const char *
++#endif
+ ether_sprintf(const u8 *addr)
+ {
+ 	static char buf[sizeof(MACSTR)];
+@@ -1080,7 +1084,14 @@
+ 		mode = 0 /* STA */;
+ 		break;
+ 	case IEEE80211_MODE_IBSS:
++		/*
++		 * Ref bin/203086 - FreeBSD's net80211 currently uses
++		 * IFM_IEEE80211_ADHOC.
++		 */
++#if 0
+ 		mode = IFM_IEEE80211_IBSS;
++#endif
++		mode = IFM_IEEE80211_ADHOC;
+ 		break;
+ 	case IEEE80211_MODE_AP:
+ 		mode = IFM_IEEE80211_HOSTAP;
+@@ -1336,14 +1347,18 @@
+ 		drv = bsd_get_drvindex(global, ifm->ifm_index);
+ 		if (drv == NULL)
+ 			return;
+-		if ((ifm->ifm_flags & IFF_UP) == 0 &&
+-		    (drv->flags & IFF_UP) != 0) {
++		if (((ifm->ifm_flags & IFF_UP) == 0 ||
++		    (ifm->ifm_flags & IFF_RUNNING) == 0) &&
++		    (drv->flags & IFF_UP) != 0 &&
++		    (drv->flags & IFF_RUNNING) != 0) {
+ 			wpa_printf(MSG_DEBUG, "RTM_IFINFO: Interface '%s' DOWN",
+ 				   drv->ifname);
+ 			wpa_supplicant_event(drv->ctx, EVENT_INTERFACE_DISABLED,
+ 					     NULL);
+ 		} else if ((ifm->ifm_flags & IFF_UP) != 0 &&
+-		    (drv->flags & IFF_UP) == 0) {
++		    (ifm->ifm_flags & IFF_RUNNING) != 0 &&
++		    ((drv->flags & IFF_UP) == 0 ||
++		    (drv->flags & IFF_RUNNING)  == 0)) {
+ 			wpa_printf(MSG_DEBUG, "RTM_IFINFO: Interface '%s' UP",
+ 				   drv->ifname);
+ 			wpa_supplicant_event(drv->ctx, EVENT_INTERFACE_ENABLED,
diff --git a/net/hostapd29/files/patch-src_utils_os.h b/net/hostapd29/files/patch-src_utils_os.h
new file mode 100644
index 000000000000..e92661256d5f
--- /dev/null
+++ b/net/hostapd29/files/patch-src_utils_os.h
@@ -0,0 +1,17 @@
+--- src/utils/os.h.orig	2016-09-17 20:36:13 UTC
++++ src/utils/os.h
+@@ -246,12 +246,14 @@ char * os_readfile(const char *name, siz
+  */
+ int os_file_exists(const char *fname);
+ 
++#if !defined __FreeBSD__ && !defined __DragonFly__
+ /**
+  * os_fdatasync - Sync a file's (for a given stream) state with storage device
+  * @stream: the stream to be flushed
+  * Returns: 0 if the operation succeeded or -1 on failure
+  */
+ int os_fdatasync(FILE *stream);
++#endif
+ 
+ /**
+  * os_zalloc - Allocate and zero memory
diff --git a/net/hostapd29/files/patch-src_utils_os__unix.c b/net/hostapd29/files/patch-src_utils_os__unix.c
new file mode 100644
index 000000000000..c56eee136a44
--- /dev/null
+++ b/net/hostapd29/files/patch-src_utils_os__unix.c
@@ -0,0 +1,18 @@
+--- src/utils/os_unix.c.orig	2015-09-27 19:02:05 UTC
++++ src/utils/os_unix.c
+@@ -442,6 +442,7 @@ int os_file_exists(const char *fname)
+ }
+ 
+ 
++#if !defined __FreeBSD__ && !defined __DragonFly__
+ int os_fdatasync(FILE *stream)
+ {
+ 	if (!fflush(stream)) {
+@@ -459,6 +460,7 @@ int os_fdatasync(FILE *stream)
+ 
+ 	return -1;
+ }
++#endif
+ 
+ 
+ #ifndef WPA_TRACE
diff --git a/net/hostapd29/files/patch-src_wps_wps__upnp.c b/net/hostapd29/files/patch-src_wps_wps__upnp.c
new file mode 100644
index 000000000000..1e3651d33162
--- /dev/null
+++ b/net/hostapd29/files/patch-src_wps_wps__upnp.c
@@ -0,0 +1,20 @@
+--- src/wps/wps_upnp.c.orig	2015-03-15 17:30:39 UTC
++++ src/wps/wps_upnp.c
+@@ -837,7 +837,7 @@ fail:
+ }
+ 
+ 
+-#if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
++#if defined(__FreeBSD__) || defined(__FreeBSD_kernel__) || defined(__DragonFly__)
+ #include <sys/sysctl.h>
+ #include <net/route.h>
+ #include <net/if_dl.h>
+@@ -924,7 +924,7 @@ int get_netif_info(const char *net_if, u
+ 		goto fail;
+ 	}
+ 	os_memcpy(mac, req.ifr_addr.sa_data, 6);
+-#elif defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
++#elif defined(__FreeBSD__) || defined(__FreeBSD_kernel__) || defined(__DragonFly__)
+ 	if (eth_get(net_if, mac) < 0) {
+ 		wpa_printf(MSG_ERROR, "WPS UPnP: Failed to get MAC address");
+ 		goto fail;
diff --git a/net/hostapd29/pkg-descr b/net/hostapd29/pkg-descr
new file mode 100644
index 000000000000..a3c019c9df0e
--- /dev/null
+++ b/net/hostapd29/pkg-descr
@@ -0,0 +1,12 @@
+hostapd is a user space daemon for access point and authentication
+servers. It implements IEEE 802.11 access point management, IEEE
+802.1X/WPA/WPA2/EAP Authenticators, RADIUS client, EAP server, and
+RADIUS authentication server. The current version supports Linux
+(Host AP, madwifi, mac80211-based drivers) and FreeBSD (net80211).
+
+Add the following to /etc/rc.conf to use the ports version instead
+of the base version:
+
+    hostapd_program="/usr/local/sbin/hostapd"
+
+WWW: https://w1.fi/hostapd/
diff --git a/net/hostapd29/pkg-message b/net/hostapd29/pkg-message
new file mode 100644
index 000000000000..43d22d9a1e7d
--- /dev/null
+++ b/net/hostapd29/pkg-message
@@ -0,0 +1,10 @@
+[
+{ type: install
+  message: <<EOM
+Add the following to /etc/rc.conf to use the ports version instead
+of the base version:
+
+    hostapd_program="/usr/local/sbin/hostapd"
+EOM
+}
+]
diff --git a/security/Makefile b/security/Makefile
index d8393de07c7f..3f898cfbdebe 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -1258,6 +1258,7 @@
     SUBDIR += wolfssh
     SUBDIR += wolfssl
     SUBDIR += wpa_supplicant
+    SUBDIR += wpa_supplicant29
     SUBDIR += wpa_supplicant-devel
     SUBDIR += xca
     SUBDIR += xinetd
diff --git a/security/wpa_supplicant29/Makefile b/security/wpa_supplicant29/Makefile
new file mode 100644
index 000000000000..7b23c34cd7cb
--- /dev/null
+++ b/security/wpa_supplicant29/Makefile
@@ -0,0 +1,229 @@
+PORTNAME=	wpa_supplicant
+PORTVERSION=	2.9
+PORTREVISION=	11
+CATEGORIES=	security net
+MASTER_SITES=	https://w1.fi/releases/
+
+PATCH_SITES=	https://w1.fi/security/2020-1/ \
+		https://w1.fi/security/2021-1/
+PATCHFILES=	0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch:-p1 \
+		0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch:-p1 \
+		0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch:-p1 \
+		0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch:-p1
+
+MAINTAINER=	cy@FreeBSD.org
+COMMENT=	Supplicant (client) for WPA/802.1x protocols
+
+LICENSE=	BSD3CLAUSE
+LICENSE_FILE=	${WRKSRC}/README
+
+USES=		cpe gmake pkgconfig:build readline ssl
+BUILD_WRKSRC=	${WRKSRC}/wpa_supplicant
+INSTALL_WRKSRC=	${WRKSRC}/src
+CFLAGS+=	${CPPFLAGS} # USES=readline only augments CPPFLAGS and LDFLAGS
+CFLAGS+=	-I${OPENSSLINC}
+LDFLAGS+=	-L${OPENSSLLIB} -lutil
+MAKE_ENV=	V=1
+
+SUB_FILES=	pkg-message
+PORTDOCS=	README ChangeLog
+
+CFG=		${BUILD_WRKSRC}/.config
+
+.if !exists(/etc/rc.d/wpa_supplicant)
+USE_RC_SUBR=	wpa_supplicant
+.endif
+
+OPTIONS_MULTI=		DRV EAP
+OPTIONS_MULTI_DRV=	BSD WIRED NDIS TEST NONE #ROBOSWITCH
+OPTIONS_MULTI_EAP=	TLS PEAP TTLS MD5 MSCHAPV2 GTC LEAP OTP PSK FAST \
+			SIM PWD PAX AKA AKA_PRIME SAKE GPSK TNC IKEV2 EKE
+OPTIONS_DEFINE=		WPS WPS_ER WPS_NOREG WPS_NFC WPS_UPNP PKCS12 SMARTCARD \
+			HT_OVERRIDES VHT_OVERRIDES TLSV12 IEEE80211W \
+			IEEE80211R DEBUG_FILE DEBUG_SYSLOG PRIVSEP \
+			DELAYED_MIC IEEE80211N IEEE80211AC INTERWORKING \
+			IEEE8021X_EAPOL EAPOL_TEST \
+			HS20 NO_ROAMING P2P TDLS DBUS MATCH DOCS \
+                        SIM_SIMULATOR USIM_SIMULATOR
+OPTIONS_DEFAULT=	BSD WIRED \
+			TLS PEAP TTLS MD5 MSCHAPV2 GTC LEAP OTP PSK \
+			WPS PKCS12 SMARTCARD IEEE80211R DEBUG_SYSLOG \
+			INTERWORKING HS20 DBUS MATCH IEEE80211R IEEE80211W \
+			IEEE8021X_EAPOL WPS_ER WPS_NFC WPS_UPNP \
+			FAST PWD PAX SAKE GPSK TNC IKEV2 EKE
+OPTIONS_SUB=
+
+WPS_DESC=		Wi-Fi Protected Setup
+WPS_ER_DESC=		Enable WPS External Registrar
+WPS_NOREG_DESC=		Disable open network credentials when registrar
+WPS_NFC_DESC=		Near Field Communication (NFC) configuration
+WPS_UPNP_DESC=		Universal Plug and Play support
+PKCS12_DESC=		PKCS\#12 (PFS) support
+SMARTCARD_DESC=		Private key on smartcard support
+HT_OVERRIDES_DESC=	Disable HT/HT40, mask MCS rates, etc
+VHT_OVERRIDES_DESC=	Disable VHT, mask MCS rates, etc
+TLSV12_DESC=		Build with TLS v1.2 instead of TLS v1.0
+IEEE80211AC_DESC=	Very High Throughput, AP mode (IEEE 802.11ac)
+IEEE80211N_DESC=	High Throughput, AP mode (IEEE 802.11n)
+IEEE80211R_DESC=	Fast BSS Transition (IEEE 802.11r-2008)
+IEEE80211W_DESC=	Management Frame Protection (IEEE 802.11w)
+IEEE8021X_EAPOL_DESC=	EAP over LAN support
+EAPOL_TEST_DESC=	Development testing
+DEBUG_FILE_DESC=	Support for writing debug log to a file
+DEBUG_SYSLOG_DESC=	Send debug messages to syslog instead of stdout
+PRIVSEP_DESC=		Privilege separation
+DELAYED_MIC_DESC=	Mitigate TKIP attack, random delay on MIC errors
+INTERWORKING_DESC=	Improve ext. network interworking (IEEE 802.11u)
+HS20_DESC=		Hotspot 2.0
+NO_ROAMING_DESC=	Disable roaming
+P2P_DESC=		Peer-to-Peer support
+TDLS_DESC=		Tunneled Direct Link Setup
+MATCH_DESC=		Interface match mode
+
+DRV_DESC=		Driver options
+BSD_DESC=		BSD net80211 interface
+NDIS_DESC=		Windows NDIS interface
+WIRED_DESC=		Wired ethernet interface
+ROBOSWITCH_DESC=	Broadcom Roboswitch interface
+TEST_DESC=		Development testing interface
+NONE_DESC=		The 'no driver' interface, e.g. WPS ER only
+
+EAP_DESC=		Extensible Authentication Protocols
+TLS_DESC=		Transport Layer Security
+PEAP_DESC=		Protected Extensible Authentication Protocol
+TTLS_DESC=		Tunneled Transport Layer Security
+MD5_DESC=		MD5 hash (deprecated, no key generation)
+MSCHAPV2_DESC=		Microsoft CHAP version 2 (RFC 2759)
+GTC_DESC=		Generic Token Card
+LEAP_DESC=		Lightweight Extensible Authentication Protocol
+OTP_DESC=		One-Time Password
+PSK_DESC=		Pre-Shared key
+FAST_DESC=		Flexible Authentication via Secure Tunneling
+AKA_DESC=		Autentication and Key Agreement (UMTS)
+AKA_PRIME_DESC=		AKA Prime variant (RFC 5448)
+EKE_DESC=		Encrypted Key Exchange
+SIM_DESC=		Subscriber Identity Module
+SIM_SIMULATOR_DESC=	SIM simulator (Milenage) for EAP-SIM
+USIM_SIMULATOR_DESC=	SIM simulator (Milenage) for EAP-AKA
+IKEV2_DESC=		Internet Key Exchange version 2
+PWD_DESC=		Shared password (RFC 5931)
+PAX_DESC=		Password Authenticated Exchange
+SAKE_DESC=		Shared-Secret Authentication & Key Establishment
+GPSK_DESC=		Generalized Pre-Shared Key
+TNC_DESC=		Trusted Network Connect
+
+PRIVSEP_PLIST_FILES=	sbin/wpa_priv
+DBUS_PLIST_FILES=	share/dbus-1/system-services/fi.w1.wpa_supplicant1.service \
+			etc/dbus-1/system.d/dbus-wpa_supplicant.conf
+
+.include <bsd.port.pre.mk>
+
+.if ${PORT_OPTIONS:MNDIS} && ${PORT_OPTIONS:MPRIVSEP}
+BROKEN=	Fails to compile with both NDIS and PRIVSEP
+.endif
+
+.if ${PORT_OPTIONS:MIEEE80211AC} && ${PORT_OPTIONS:MIEEE80211N}
+BROKEN=	Fails to compile with both IEEE80211AC and IEEE80211N
+.endif
+
+.if ${PORT_OPTIONS:MSIM} || ${PORT_OPTIONS:MAKA} || ${PORT_OPTIONS:MAKA_PRIME}
+LIB_DEPENDS+=	libpcsclite.so:devel/pcsc-lite
+CFLAGS+=	-I${LOCALBASE}/include/PCSC
+LDFLAGS+=	-L${LOCALBASE}/lib
+.endif
+
+.if ${PORT_OPTIONS:MDBUS}
+LIB_DEPENDS+=	libdbus-1.so:devel/dbus
+.endif
+
+post-patch:
+	@${CP} ${FILESDIR}/Packet32.[ch] ${FILESDIR}/ntddndis.h \
+		${WRKSRC}/src/utils
+	# Set driver(s)
+.for item in BSD NDIS WIRED ROBOSWITCH TEST NONE
+.  if ${PORT_OPTIONS:M${item}}
+	@${ECHO_CMD} CONFIG_DRIVER_${item}=y >> ${CFG}
+.  endif
+.endfor
+	# Set EAP protocol(s)
+.for item in MD5 MSCHAPV2 TLS PEAP TTLS FAST GTC OTP PSK PWD PAX LEAP SIM \
+	AKA AKA_PRIME SAKE GPSK TNC IKEV2 EKE
+.  if ${PORT_OPTIONS:M${item}}
+	@${ECHO_CMD} CONFIG_EAP_${item:tu}=y >> ${CFG}
+.  endif
+.endfor
+.if ${PORT_OPTIONS:MSIM} || ${PORT_OPTIONS:MAKA} || ${PORT_OPTIONS:MAKA_PRIME}
+	@${ECHO_CMD} CONFIG_PCSC=y >> ${CFG}
+.endif
+.for simple in WPS WPS_ER WPS_NFC WPS_UPNP PKCS12 SMARTCARD HT_OVERRIDES \
+	VHT_OVERRIDES TLSV12 IEEE80211AC IEEE80211N IEEE80211R IEEE80211W \
+	IEEE8021X_EAPOL EAPOL_TEST \
+	INTERWORKING DEBUG_FILE DEBUG_SYSLOG HS20 NO_ROAMING PRIVSEP P2P TDLS
+.  if ${PORT_OPTIONS:M${simple}}
+	@${ECHO_CMD} CONFIG_${simple}=y >> ${CFG}
+.  endif
+.endfor
+.for item in READLINE PEERKEY
+	@${ECHO_CMD} CONFIG_${item}=y >> ${CFG}
+.endfor
+.if ${PORT_OPTIONS:MIEEE80211AC} || ${PORT_OPTIONS:MIEEE80211N}
+	@${ECHO_CMD} CONFIG_AP=y >> ${CFG}
+.endif
+.if ${PORT_OPTIONS:MGPSK}
+	# GPSK desired, assume highest SHA desired too
+	@${ECHO_CMD} CONFIG_EAP_GPSK_SHA256=y >> ${CFG}
+.endif
+.if ${PORT_OPTIONS:MWPS_NOREG}
+	@${ECHO_CMD} CONFIG_WPS_REG_DISABLE_OPEN=y >> ${CFG}
+.endif
+.if ${PORT_OPTIONS:MDELAYED_MIC}
+	@${ECHO_CMD} CONFIG_DELAYED_MIC_ERROR_REPORT=y >> ${CFG}
+.endif
+.if ${PORT_OPTIONS:MDBUS}
+	@${ECHO_CMD} CONFIG_CTRL_IFACE_DBUS_NEW=y >> ${CFG}
+	@${ECHO_CMD} CONFIG_CTRL_IFACE_DBUS_INTRO=y >> ${CFG}
+.endif
+.if ${PORT_OPTIONS:MMATCH}
+	@${ECHO_CMD} CONFIG_MATCH_IFACE=y >> ${CFG}
+.endif
+.if ${PORT_OPTIONS:MUSIM_SIMULATOR}
+	@${ECHO_CMD} CONFIG_USIM_SIMULATOR=y >> ${CFG}
+.endif
+.if ${PORT_OPTIONS:MSIM_SIMULATOR}
+	@${ECHO_CMD} CONFIG_SIM_SIMULATOR=y >> ${CFG}
+.endif
+	@${ECHO_CMD} CONFIG_OS=unix >> ${CFG}
+	@${ECHO_CMD} CONFIG_CTRL_IFACE=unix >> ${CFG}
+	@${ECHO_CMD} CONFIG_BACKEND=file >> ${CFG}
+	@${ECHO_CMD} CONFIG_L2_PACKET=freebsd >> ${CFG}
+	@${ECHO_CMD} CONFIG_TLS=openssl >> ${CFG}
+
+post-build-EAPOL_TEST-on:
+	cd ${BUILD_WRKSRC} && ${GMAKE} eapol_test
+
+do-install:
+	(cd ${BUILD_WRKSRC} && ${INSTALL_PROGRAM} wpa_supplicant wpa_cli \
+		wpa_passphrase ${STAGEDIR}${PREFIX}/sbin)
+	${INSTALL_DATA} ${BUILD_WRKSRC}/wpa_supplicant.conf \
+		${STAGEDIR}${PREFIX}/etc/wpa_supplicant.conf.sample
+
+do-install-EAPOL_TEST-on:
+	${INSTALL_PROGRAM} ${BUILD_WRKSRC}/eapol_test ${STAGEDIR}${PREFIX}/sbin
+
+do-install-DOCS-on:
+	@${MKDIR} ${STAGEDIR}${DOCSDIR}
+	(cd ${BUILD_WRKSRC} && \
+		${INSTALL_DATA} ${PORTDOCS} ${STAGEDIR}${DOCSDIR})
+
+do-install-PRIVSEP-on:
+	${INSTALL_PROGRAM} ${BUILD_WRKSRC}/wpa_priv ${STAGEDIR}${PREFIX}/sbin
+
+do-install-DBUS-on:
+	@${MKDIR} ${STAGEDIR}${PREFIX}/share/dbus-1/system-services/
+	@${MKDIR} ${STAGEDIR}${PREFIX}/etc/dbus-1/system.d/
+	${INSTALL_DATA} ${BUILD_WRKSRC}/dbus/fi.w1.wpa_supplicant1.service \
+		${STAGEDIR}${PREFIX}/share/dbus-1/system-services/
+	${INSTALL_DATA} ${BUILD_WRKSRC}/dbus/dbus-wpa_supplicant.conf \
+		${STAGEDIR}${PREFIX}/etc/dbus-1/system.d/
+
+.include <bsd.port.post.mk>
diff --git a/security/wpa_supplicant29/distinfo b/security/wpa_supplicant29/distinfo
new file mode 100644
index 000000000000..ecea4c5cfca6
--- /dev/null
+++ b/security/wpa_supplicant29/distinfo
@@ -0,0 +1,11 @@
+TIMESTAMP = 1615939959
+SHA256 (wpa_supplicant-2.9.tar.gz) = fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17
+SIZE (wpa_supplicant-2.9.tar.gz) = 3231785
+SHA256 (0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch) = 2d9a5b9d616f1b4aa4a22b967cee866e2f69b798b0b46803a7928c8559842bd7
+SIZE (0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch) = 5909
+SHA256 (0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch) = 49feb35a5276279b465f6836d6fa2c6b34d94dc979e8b840d1918865c04260de
+SIZE (0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch) = 2284
+SHA256 (0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch) = a8212a2d89a5bab2824d22b6047e7740553df163114fcec94832bfa9c5c5d78a
+SIZE (0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch) = 1553
+SHA256 (0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch) = 7f40cfec5faf5e927ea9028ab9392cd118685bde7229ad24210caf0a8f6e9611
+SIZE (0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch) = 1751
diff --git a/security/wpa_supplicant29/files/Packet32.c b/security/wpa_supplicant29/files/Packet32.c
new file mode 100644
index 000000000000..95cae8c5c975
--- /dev/null
+++ b/security/wpa_supplicant29/files/Packet32.c
@@ -0,0 +1,366 @@
+/*-
+ * Copyright (c) 2005
+ *      Bill Paul <wpaul@windriver.com>.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Bill Paul.
+ * 4. Neither the name of the author nor the names of any co-contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL Bill Paul OR THE VOICES IN HIS HEAD
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This file implements a small portion of the Winpcap API for the
+ * Windows NDIS interface in wpa_supplicant. It provides just enough
+ * routines to fool wpa_supplicant into thinking it's really running
+ * in a Windows environment.
+ */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <sys/errno.h>
+#include <sys/sysctl.h>
+#include <sys/fcntl.h>
+#include <net/if.h>
+#include <net/if_dl.h>
+#include <net/if_var.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <net/route.h>
+
+#ifdef __FreeBSD__
+#include <net80211/ieee80211_ioctl.h>
+#endif
+#ifdef __DragonFly__
+#include <netproto/802_11/ieee80211_ioctl.h>
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <pcap.h>
+
+#include "Packet32.h"
+
+#define OID_802_11_ADD_KEY      0x0d01011D
+
+typedef ULONGLONG NDIS_802_11_KEY_RSC;
+typedef UCHAR NDIS_802_11_MAC_ADDRESS[6];
+
+typedef struct NDIS_802_11_KEY {
+	ULONG Length;
+	ULONG KeyIndex;
+	ULONG KeyLength;
+	NDIS_802_11_MAC_ADDRESS BSSID;
+	NDIS_802_11_KEY_RSC KeyRSC;
+	UCHAR KeyMaterial[1];
+} NDIS_802_11_KEY;
+
+typedef struct NDIS_802_11_KEY_COMPAT {
+	ULONG Length;
+	ULONG KeyIndex;
+	ULONG KeyLength;
+	NDIS_802_11_MAC_ADDRESS BSSID;
+	UCHAR Pad[6]; /* Make struct layout match Windows. */
+	NDIS_802_11_KEY_RSC KeyRSC;
+#ifdef notdef
+	UCHAR KeyMaterial[1];
+#endif
+} NDIS_802_11_KEY_COMPAT;
+
+#define TRUE 1
+#define FALSE 0
+
+struct adapter {
+	int			socket;
+	char			name[IFNAMSIZ];
+	int			prev_roaming;
+};
+
+PCHAR
+PacketGetVersion(void)
+{
+	return("FreeBSD WinPcap compatibility shim v1.0");
+}
+
+void *
+PacketOpenAdapter(CHAR *iface)
+{
+	struct adapter		*a;
+	int			s;
+	int			ifflags;
+	struct ifreq		ifr;
+	struct ieee80211req	ireq;
+
+	s = socket(PF_INET, SOCK_DGRAM, 0);
+
+	if (s == -1)
+		return(NULL);
+
+	a = malloc(sizeof(struct adapter));
+	if (a == NULL)
+		return(NULL);
+
+	a->socket = s;
+	if (strncmp(iface, "\\Device\\NPF_", 12) == 0)
+		iface += 12;
+	else if (strncmp(iface, "\\DEVICE\\", 8) == 0)
+		iface += 8;
+	snprintf(a->name, IFNAMSIZ, "%s", iface);
+
+	/* Turn off net80211 roaming */
+	bzero((char *)&ireq, sizeof(ireq));
+	strncpy(ireq.i_name, iface, sizeof (ifr.ifr_name));
+	ireq.i_type = IEEE80211_IOC_ROAMING;
+	if (ioctl(a->socket, SIOCG80211, &ireq) == 0) {
+		a->prev_roaming = ireq.i_val;
+		ireq.i_val = IEEE80211_ROAMING_MANUAL;
+		if (ioctl(a->socket, SIOCS80211, &ireq) < 0)
+			fprintf(stderr,
+			    "Could not set IEEE80211_ROAMING_MANUAL\n");
+	}
+
+	bzero((char *)&ifr, sizeof(ifr));
+        strncpy(ifr.ifr_name, iface, sizeof (ifr.ifr_name));
+        if (ioctl(a->socket, SIOCGIFFLAGS, (caddr_t)&ifr) < 0) {
+		free(a);
+		close(s);
+		return(NULL);
+        }
+        ifr.ifr_flags |= IFF_UP;
+        if (ioctl(a->socket, SIOCSIFFLAGS, (caddr_t)&ifr) < 0) {
+		free(a);
+		close(s);
+		return(NULL);
+        }
+
+	return(a);
+}
+
+int
+PacketRequest(void *iface, BOOLEAN set, PACKET_OID_DATA *oid)
+{
+	struct adapter		*a;
+	uint32_t		retval;
+	struct ifreq		ifr;
+	NDIS_802_11_KEY		*old;
+	NDIS_802_11_KEY_COMPAT	*new;
+	PACKET_OID_DATA		*o = NULL;
+
+	if (iface == NULL)
+		return(-1);
+
+	a = iface;
+	bzero((char *)&ifr, sizeof(ifr));
+
+	/*
+	 * This hack is necessary to work around a difference
+	 * betwee the GNU C and Microsoft C compilers. The NDIS_802_11_KEY
+	 * structure has a uint64_t in it, right after an array of
+	 * chars. The Microsoft compiler inserts padding right before
+	 * the 64-bit value to align it on a 64-bit boundary, but
+	 * GCC only aligns it on a 32-bit boundary. Trying to pass
+	 * the GCC-formatted structure to an NDIS binary driver
+	 * fails because some of the fields appear to be at the
+	 * wrong offsets.
+	 *
+	 * To get around this, if we detect someone is trying to do
+	 * a set operation on OID_802_11_ADD_KEY, we shuffle the data
+	 * into a properly padded structure and pass that into the
+	 * driver instead. This allows the driver_ndis.c code supplied
+	 * with wpa_supplicant to work unmodified.
+	 */
+
+	if (set == TRUE && oid->Oid == OID_802_11_ADD_KEY) {
+		old = (NDIS_802_11_KEY *)&oid->Data;
+		o = malloc(sizeof(PACKET_OID_DATA) +
+		    sizeof(NDIS_802_11_KEY_COMPAT) + old->KeyLength);
+		if (o == NULL)
+			return(0);
+		bzero((char *)o, sizeof(PACKET_OID_DATA) +
+		    sizeof(NDIS_802_11_KEY_COMPAT) + old->KeyLength);
+		o->Oid = oid->Oid;
+		o->Length = sizeof(NDIS_802_11_KEY_COMPAT) + old->KeyLength;
+		new = (NDIS_802_11_KEY_COMPAT *)&o->Data;
+		new->KeyRSC = old->KeyRSC;
+		new->Length = o->Length;
+		new->KeyIndex = old->KeyIndex;
+		new->KeyLength = old->KeyLength;
+		bcopy(old->BSSID, new->BSSID, sizeof(NDIS_802_11_MAC_ADDRESS));
+		bcopy(old->KeyMaterial, (char *)new +
+		    sizeof(NDIS_802_11_KEY_COMPAT), new->KeyLength);
+        	ifr.ifr_data = (caddr_t)o;
+	} else
+        	ifr.ifr_data = (caddr_t)oid;
+
+        strlcpy(ifr.ifr_name, a->name, sizeof(ifr.ifr_name));
+
+	if (set == TRUE)
+		retval = ioctl(a->socket, SIOCSDRVSPEC, &ifr);
+	else
+		retval = ioctl(a->socket, SIOCGDRVSPEC, &ifr);
+
+	if (o != NULL)
+		free(o);
+
+	if (retval)
+		return(0);
+
+	return(1);
+}
+
+int
+PacketGetAdapterNames(CHAR *namelist, ULONG *len)
+{
+	int			mib[6];
+	size_t			needed;
+	struct if_msghdr	*ifm;
+	struct sockaddr_dl	*sdl;
+	char			*buf, *lim, *next;
+	char			*plist;
+	int			spc;
+	int			i, ifcnt = 0;
+
+	plist = namelist;
+	spc = 0;
+
+	bzero(plist, *len);
+
+	needed = 0;
+	mib[0] = CTL_NET;
+	mib[1] = PF_ROUTE;
+	mib[2] = 0;             /* protocol */
+	mib[3] = 0;             /* wildcard address family */
+	mib[4] = NET_RT_IFLIST;
+	mib[5] = 0;             /* no flags */
+
+	if (sysctl (mib, 6, NULL, &needed, NULL, 0) < 0)
+		return(FALSE);
+
+	buf = malloc (needed);
+	if (buf == NULL)
+		return(FALSE);
+
+	if (sysctl (mib, 6, buf, &needed, NULL, 0) < 0) {
+		free(buf);
+		return(FALSE);
+	}
+
+	lim = buf + needed;
+
+	/* Generate interface name list. */
+
+	next = buf;
+	while (next < lim) {
+		ifm = (struct if_msghdr *)next;
+		if (ifm->ifm_type == RTM_IFINFO) {
+			sdl = (struct sockaddr_dl *)(ifm + 1);
+			if (strnstr(sdl->sdl_data, "wlan", sdl->sdl_nlen)) {
+				if ((spc + sdl->sdl_nlen) > *len) {
+					free(buf);
+					return(FALSE);
+				}
+				strncpy(plist, sdl->sdl_data, sdl->sdl_nlen);
+				plist += (sdl->sdl_nlen + 1);
+				spc += (sdl->sdl_nlen + 1);
+				ifcnt++;
+			}
+		}
+		next += ifm->ifm_msglen;
+	}
+
+
+	/* Insert an extra "" as a spacer */
+
+	plist++;
+	spc++;
+
+	/*
+	 * Now generate the interface description list. There
+	 * must be a unique description for each interface, and
+	 * they have to match what the ndis_events program will
+	 * feed in later. To keep this simple, we just repeat
+	 * the interface list over again.
+	 */
+
+	next = buf;
+	while (next < lim) {
+		ifm = (struct if_msghdr *)next;
+		if (ifm->ifm_type == RTM_IFINFO) {
+			sdl = (struct sockaddr_dl *)(ifm + 1);
+			if (strnstr(sdl->sdl_data, "wlan", sdl->sdl_nlen)) {
+				if ((spc + sdl->sdl_nlen) > *len) {
+					free(buf);
+					return(FALSE);
+				}
+				strncpy(plist, sdl->sdl_data, sdl->sdl_nlen);
+				plist += (sdl->sdl_nlen + 1);
+				spc += (sdl->sdl_nlen + 1);
+				ifcnt++;
+			}
+		}
+		next += ifm->ifm_msglen;
+	}
+
+	free (buf);
+
+	*len = spc + 1;
+
+	return(TRUE);
+}
+
+void
+PacketCloseAdapter(void *iface)
+{	
+	struct adapter		*a;
+	struct ifreq		ifr;
+	struct ieee80211req	ireq;
+
+	if (iface == NULL)
+		return;
+
+	a = iface;
+
+	/* Reset net80211 roaming */
+	bzero((char *)&ireq, sizeof(ireq));
+	strncpy(ireq.i_name, a->name, sizeof (ifr.ifr_name));
+	ireq.i_type = IEEE80211_IOC_ROAMING;
+	ireq.i_val = a->prev_roaming;
+	ioctl(a->socket, SIOCS80211, &ireq);
+
+	bzero((char *)&ifr, sizeof(ifr));
+        strncpy(ifr.ifr_name, a->name, sizeof (ifr.ifr_name));
+        ioctl(a->socket, SIOCGIFFLAGS, (caddr_t)&ifr);
+        ifr.ifr_flags &= ~IFF_UP;
+        ioctl(a->socket, SIOCSIFFLAGS, (caddr_t)&ifr);
+	close(a->socket);
+	free(a);
+
+	return;
+}
diff --git a/security/wpa_supplicant29/files/Packet32.h b/security/wpa_supplicant29/files/Packet32.h
new file mode 100644
index 000000000000..c75e5f9dfe91
--- /dev/null
+++ b/security/wpa_supplicant29/files/Packet32.h
@@ -0,0 +1,65 @@
+/*-
+ * Copyright (c) 2005
+ *      Bill Paul <wpaul@windriver.com>.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by Bill Paul.
+ * 4. Neither the name of the author nor the names of any co-contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL Bill Paul OR THE VOICES IN HIS HEAD
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _PACKET32_H_
+#define _PACKET32_H_
+
+#include <sys/types.h>
+#include <ntddndis.h>
+
+struct PACKET_OID_DATA {
+	uint32_t		Oid;
+	uint32_t		Length;
+	uint8_t			Data[1];
+};
+
+
+typedef struct PACKET_OID_DATA PACKET_OID_DATA;
+
+extern PCHAR PacketGetVersion(void);
+extern void *PacketOpenAdapter(CHAR *);
+extern int PacketRequest(void *, BOOLEAN, PACKET_OID_DATA *);
+extern int PacketGetAdapterNames(CHAR *, ULONG *);
+extern void PacketCloseAdapter(void *);
+
+/*
+ * This is for backwards compatibility on FreeBSD 5.
+ */
+
+#ifndef SIOCGDRVSPEC
+#define SIOCSDRVSPEC	_IOW('i', 123, struct ifreq)	/* set driver-specific
+								parameters */
+#define SIOCGDRVSPEC	_IOWR('i', 123, struct ifreq)	/* get driver-specific
+								parameters */
+#endif
+
+#endif /* _PACKET32_H_ */
diff --git a/security/wpa_supplicant29/files/ntddndis.h b/security/wpa_supplicant29/files/ntddndis.h
new file mode 100644
index 000000000000..0af0ce858b03
--- /dev/null
+++ b/security/wpa_supplicant29/files/ntddndis.h
@@ -0,0 +1,32 @@
+#ifndef _NTDDNDIS_H_
+#define _NTDDNDIS_H_
+
+/*
+ * Fake up some of the Windows type definitions so that the NDIS
+ * interface module in wpa_supplicant will build.
+ */
+
+#define ULONG uint32_t
+#define USHORT uint16_t
+#define UCHAR uint8_t
+#define LONG int32_t
+#define SHORT int16_t
+#if __FreeBSD__
+#define CHAR char
+#else
+#define CHAR int8_t
+#endif
+#define ULONGLONG uint64_t
+#define LONGLONG int64_t
+#define BOOLEAN uint8_t
+typedef void * LPADAPTER;
+typedef char * PTSTR;
+typedef char * PCHAR;
+
+#define TRUE 1
+#define FALSE 0
+
+#define OID_802_3_CURRENT_ADDRESS               0x01010102
+#define OID_802_3_MULTICAST_LIST                0x01010103
+
+#endif /* _NTDDNDIS_H_ */
diff --git a/security/wpa_supplicant29/files/patch-src_common_dhcp.h b/security/wpa_supplicant29/files/patch-src_common_dhcp.h
new file mode 100644
index 000000000000..f88d1921a380
--- /dev/null
+++ b/security/wpa_supplicant29/files/patch-src_common_dhcp.h
@@ -0,0 +1,25 @@
+--- src/common/dhcp.h.orig	2018-12-02 11:34:59.000000000 -0800
++++ src/common/dhcp.h	2018-12-06 00:01:11.429254000 -0800
+@@ -9,6 +9,22 @@
+ #ifndef DHCP_H
+ #define DHCP_H
+ 
++/*
++ * Translate Linux to FreeBSD
++ */
++#define iphdr		ip
++#define ihl		ip_hl
++#define verson		ip_v
++#define tos		ip_tos
++#define tot_len		ip_len
++#define id		ip_id
++#define frag_off	ip_off
++#define ttl		ip_ttl
++#define protocol	ip_p
++#define check		ip_sum
++#define saddr		ip_src
++#define daddr		ip_dst
++
+ #include <netinet/ip.h>
+ #if __FAVOR_BSD
+ #include <netinet/udp.h>
diff --git a/security/wpa_supplicant29/files/patch-src_drivers_driver__bsd.c b/security/wpa_supplicant29/files/patch-src_drivers_driver__bsd.c
new file mode 100644
index 000000000000..7c452ece7476
--- /dev/null
+++ b/security/wpa_supplicant29/files/patch-src_drivers_driver__bsd.c
@@ -0,0 +1,48 @@
+--- src/drivers/driver_bsd.c.orig	2019-08-07 06:25:25.000000000 -0700
++++ src/drivers/driver_bsd.c	2021-06-13 23:07:14.016849000 -0700
+@@ -649,7 +649,7 @@
+ 		len = 2048;
+ 	}
+ 
+-	return len;
++	return (len == 0) ? 2048 : len;
+ }
+ 
+ #ifdef HOSTAPD
+@@ -1080,7 +1080,14 @@
+ 		mode = 0 /* STA */;
+ 		break;
+ 	case IEEE80211_MODE_IBSS:
++		/*
++		 * Ref bin/203086 - FreeBSD's net80211 currently uses
++		 * IFM_IEEE80211_ADHOC.
++		 */
++#if 0
+ 		mode = IFM_IEEE80211_IBSS;
++#endif
++		mode = IFM_IEEE80211_ADHOC;
+ 		break;
+ 	case IEEE80211_MODE_AP:
+ 		mode = IFM_IEEE80211_HOSTAP;
+@@ -1336,14 +1343,18 @@
+ 		drv = bsd_get_drvindex(global, ifm->ifm_index);
+ 		if (drv == NULL)
+ 			return;
+-		if ((ifm->ifm_flags & IFF_UP) == 0 &&
+-		    (drv->flags & IFF_UP) != 0) {
++		if (((ifm->ifm_flags & IFF_UP) == 0 ||
++		    (ifm->ifm_flags & IFF_RUNNING) == 0) &&
++		    (drv->flags & IFF_UP) != 0 &&
++		    (drv->flags & IFF_RUNNING) != 0) {
+ 			wpa_printf(MSG_DEBUG, "RTM_IFINFO: Interface '%s' DOWN",
+ 				   drv->ifname);
+ 			wpa_supplicant_event(drv->ctx, EVENT_INTERFACE_DISABLED,
+ 					     NULL);
+ 		} else if ((ifm->ifm_flags & IFF_UP) != 0 &&
+-		    (drv->flags & IFF_UP) == 0) {
++		    (ifm->ifm_flags & IFF_RUNNING) != 0 &&
++		    ((drv->flags & IFF_UP) == 0 ||
++		    (drv->flags & IFF_RUNNING)  == 0)) {
+ 			wpa_printf(MSG_DEBUG, "RTM_IFINFO: Interface '%s' UP",
+ 				   drv->ifname);
+ 			wpa_supplicant_event(drv->ctx, EVENT_INTERFACE_ENABLED,
diff --git a/security/wpa_supplicant29/files/patch-src_drivers_driver__ndis.c b/security/wpa_supplicant29/files/patch-src_drivers_driver__ndis.c
new file mode 100644
index 000000000000..5c58337c4b3d
--- /dev/null
+++ b/security/wpa_supplicant29/files/patch-src_drivers_driver__ndis.c
@@ -0,0 +1,89 @@
+--- src/drivers/driver_ndis.c.orig	2019-08-07 13:25:25 UTC
++++ src/drivers/driver_ndis.c
+@@ -504,13 +504,13 @@ static int ndis_get_oid(struct wpa_drive
+ 	o->Length = len;
+ 
+ 	if (!PacketRequest(drv->adapter, FALSE, o)) {
+-		wpa_printf(MSG_DEBUG, "%s: oid=0x%x len (%d) failed",
++		wpa_printf(MSG_DEBUG, "%s: oid=0x%x len (%lu) failed",
+ 			   __func__, oid, len);
+ 		os_free(buf);
+ 		return -1;
+ 	}
+ 	if (o->Length > len) {
+-		wpa_printf(MSG_DEBUG, "%s: oid=0x%x Length (%d) > len (%d)",
++		wpa_printf(MSG_DEBUG, "%s: oid=0x%x Length (%d) > len (%lu)",
+ 			   __func__, oid, (unsigned int) o->Length, len);
+ 		os_free(buf);
+ 		return -1;
+@@ -573,7 +573,7 @@ static int ndis_set_oid(struct wpa_drive
+ 		os_memcpy(o->Data, data, len);
+ 
+ 	if (!PacketRequest(drv->adapter, TRUE, o)) {
+-		wpa_printf(MSG_DEBUG, "%s: oid=0x%x len (%d) failed",
++		wpa_printf(MSG_DEBUG, "%s: oid=0x%x len (%lu) failed",
+ 			   __func__, oid, len);
+ 		os_free(buf);
+ 		return -1;
+@@ -1531,7 +1531,7 @@ static void wpa_driver_ndis_event_auth(s
+ 
+ 	if (data_len < sizeof(*req)) {
+ 		wpa_printf(MSG_DEBUG, "NDIS: Too short Authentication Request "
+-			   "Event (len=%d)", data_len);
++			   "Event (len=%lu)", data_len);
+ 		return;
+ 	}
+ 	req = (NDIS_802_11_AUTHENTICATION_REQUEST *) data;
+@@ -1565,7 +1565,7 @@ static void wpa_driver_ndis_event_pmkid(
+ 
+ 	if (data_len < 8) {
+ 		wpa_printf(MSG_DEBUG, "NDIS: Too short PMKID Candidate List "
+-			   "Event (len=%d)", data_len);
++			   "Event (len=%lu)", data_len);
+ 		return;
+ 	}
+ 	pmkid = (NDIS_802_11_PMKID_CANDIDATE_LIST *) data;
+@@ -1587,7 +1587,7 @@ static void wpa_driver_ndis_event_pmkid(
+ 	os_memset(&event, 0, sizeof(event));
+ 	for (i = 0; i < pmkid->NumCandidates; i++) {
+ 		PMKID_CANDIDATE *p = &pmkid->CandidateList[i];
+-		wpa_printf(MSG_DEBUG, "NDIS: %d: " MACSTR " Flags 0x%x",
++		wpa_printf(MSG_DEBUG, "NDIS: %lu: " MACSTR " Flags 0x%x",
+ 			   i, MAC2STR(p->BSSID), (int) p->Flags);
+ 		os_memcpy(event.pmkid_candidate.bssid, p->BSSID, ETH_ALEN);
+ 		event.pmkid_candidate.index = i;
+@@ -1778,7 +1778,7 @@ static void wpa_driver_ndis_get_capabili
+ 				   "overflow");
+ 			break;
+ 		}
+-		wpa_printf(MSG_MSGDUMP, "NDIS: %d - auth %d encr %d",
++		wpa_printf(MSG_MSGDUMP, "NDIS: %lu - auth %d encr %d",
+ 			   i, (int) ae->AuthModeSupported,
+ 			   (int) ae->EncryptStatusSupported);
+ 		switch (ae->AuthModeSupported) {
+@@ -2106,7 +2106,11 @@ static int wpa_driver_ndis_get_names(str
+ 		dlen = dpos - desc;
+ 	else
+ 		dlen = os_strlen(desc);
+-	drv->adapter_desc = dup_binstr(desc, dlen);
++	drv->adapter_desc = os_malloc(dlen + 1);
++	if (drv->adapter_desc) {
++		os_memcpy(drv->adapter_desc, desc, dlen);
++		drv->adapter_desc[dlen] = '\0';
++	}
+ 	os_free(b);
+ 	if (drv->adapter_desc == NULL)
+ 		return -1;
+@@ -2274,7 +2278,11 @@ static int wpa_driver_ndis_get_names(str
+ 	} else {
+ 		dlen = os_strlen(desc[i]);
+ 	}
+-	drv->adapter_desc = dup_binstr(desc[i], dlen);
++	drv->adapter_desc = os_malloc(dlen + 1);
++	if (drv->adapter_desc) {
++		os_memcpy(drv->adapter_desc, desc[i], dlen);
++		drv->adapter_desc[dlen] = '\0';
++	}
+ 	os_free(names);
+ 	if (drv->adapter_desc == NULL)
+ 		return -1;
diff --git a/security/wpa_supplicant29/files/patch-src_l2__packet_l2__packet__freebsd.c b/security/wpa_supplicant29/files/patch-src_l2__packet_l2__packet__freebsd.c
new file mode 100644
index 000000000000..5bce58b36950
--- /dev/null
+++ b/security/wpa_supplicant29/files/patch-src_l2__packet_l2__packet__freebsd.c
@@ -0,0 +1,12 @@
+--- src/l2_packet/l2_packet_freebsd.c.orig	2018-12-02 11:34:59.000000000 -0800
++++ src/l2_packet/l2_packet_freebsd.c	2018-12-05 23:18:27.612433000 -0800
+@@ -8,7 +8,8 @@
+  */
+ 
+ #include "includes.h"
+-#if defined(__APPLE__) || defined(__GLIBC__)
++#include <sys/param.h>
++#if defined(__APPLE__) || defined(__GLIBC__) || defined(__FreeBSD_version)
+ #include <net/bpf.h>
+ #endif /* __APPLE__ */
+ #include <pcap.h>
diff --git a/security/wpa_supplicant29/files/patch-src_radius_radius__client.c b/security/wpa_supplicant29/files/patch-src_radius_radius__client.c
new file mode 100644
index 000000000000..de86947f57b2
--- /dev/null
+++ b/security/wpa_supplicant29/files/patch-src_radius_radius__client.c
@@ -0,0 +1,12 @@
+--- src/radius/radius_client.c.orig	2019-08-07 06:25:25.000000000 -0700
++++ src/radius/radius_client.c	2021-01-11 08:35:20.860835000 -0800
+@@ -814,6 +814,9 @@
+ {
+ 	struct radius_client_data *radius = eloop_ctx;
+ 	struct hostapd_radius_servers *conf = radius->conf;
++#if defined(__clang_major__) && __clang_major__ >= 11
++#pragma GCC diagnostic ignored "-Wvoid-pointer-to-enum-cast"
++#endif
+ 	RadiusType msg_type = (RadiusType) sock_ctx;
+ 	int len, roundtrip;
+ 	unsigned char buf[3000];
diff --git a/security/wpa_supplicant29/files/patch-src_wps_wps__upnp.c b/security/wpa_supplicant29/files/patch-src_wps_wps__upnp.c
new file mode 100644
index 000000000000..1c7035e9a77d
--- /dev/null
+++ b/security/wpa_supplicant29/files/patch-src_wps_wps__upnp.c
@@ -0,0 +1,34 @@
+--- src/wps/wps_upnp.c.orig	2020-06-08 14:40:50.402529000 -0700
++++ src/wps/wps_upnp.c	2020-06-08 15:48:08.294830000 -0700
+@@ -861,7 +861,8 @@
+ }
+ 
+ 
+-#if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
++#if defined(__FreeBSD__) || defined(__FreeBSD_kernel__) \
++ || defined(__DragonFly__)
+ #include <sys/sysctl.h>
+ #include <net/route.h>
+ #include <net/if_dl.h>
+@@ -950,7 +951,11 @@
+ 				   errno, strerror(errno));
+ 			goto fail;
+ 		}
++#if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
++		addr = (struct sockaddr_in *) &req.ifr_addr;
++#else
+ 		addr = (struct sockaddr_in *) &req.ifr_netmask;
++#endif
+ 		netmask->s_addr = addr->sin_addr.s_addr;
+ 	}
+ 
+@@ -962,7 +967,8 @@
+ 		goto fail;
+ 	}
+ 	os_memcpy(mac, req.ifr_addr.sa_data, 6);
+-#elif defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
++#elif defined(__FreeBSD__) || defined(__FreeBSD_kernel__) \
++   || defined(__DragonFly__)
+ 	if (eth_get(net_if, mac) < 0) {
+ 		wpa_printf(MSG_ERROR, "WPS UPnP: Failed to get MAC address");
+ 		goto fail;
diff --git a/security/wpa_supplicant29/files/patch-wpa__supplicant_Makefile b/security/wpa_supplicant29/files/patch-wpa__supplicant_Makefile
new file mode 100644
index 000000000000..9f1393fb85da
--- /dev/null
+++ b/security/wpa_supplicant29/files/patch-wpa__supplicant_Makefile
@@ -0,0 +1,17 @@
+--- wpa_supplicant/Makefile.orig	2015-03-15 17:30:39 UTC
++++ wpa_supplicant/Makefile
+@@ -99,6 +99,14 @@ OBJS += ../src/utils/os_$(CONFIG_OS).o
+ OBJS_p += ../src/utils/os_$(CONFIG_OS).o
+ OBJS_c += ../src/utils/os_$(CONFIG_OS).o
+ 
++ifdef CONFIG_DRIVER_NDIS
++OBJS += ../src/utils/Packet32.o
++ifdef CONFIG_PRIVSEP
++OBJS += ../src/drivers/driver_ndis.o
++endif
++OBJS_priv += ../src/utils/Packet32.o
++endif
++
+ ifdef CONFIG_WPA_TRACE
+ CFLAGS += -DWPA_TRACE
+ OBJS += ../src/utils/trace.o
diff --git a/security/wpa_supplicant29/files/patch-wpa__supplicant_main.c b/security/wpa_supplicant29/files/patch-wpa__supplicant_main.c
new file mode 100644
index 000000000000..3042768f44d9
--- /dev/null
+++ b/security/wpa_supplicant29/files/patch-wpa__supplicant_main.c
@@ -0,0 +1,33 @@
+--- wpa_supplicant/main.c.orig	2016-11-05 20:56:30 UTC
++++ wpa_supplicant/main.c
+@@ -66,7 +66,7 @@ static void usage(void)
+ 	       "  -c = Configuration file\n"
+ 	       "  -C = ctrl_interface parameter (only used if -c is not)\n"
+ 	       "  -d = increase debugging verbosity (-dd even more)\n"
+-	       "  -D = driver name (can be multiple drivers: nl80211,wext)\n"
++	       "  -D = driver name (can be multiple drivers: bsd,wired)\n"
+ 	       "  -e = entropy file\n"
+ #ifdef CONFIG_DEBUG_FILE
+ 	       "  -f = log output to debug file instead of stdout\n"
+@@ -105,8 +105,7 @@ static void usage(void)
+ 	       "  -W = wait for a control interface monitor before starting\n");
+ 
+ 	printf("example:\n"
+-	       "  wpa_supplicant -D%s -iwlan0 -c/etc/wpa_supplicant.conf\n",
+-	       wpa_drivers[0] ? wpa_drivers[0]->name : "nl80211");
++                "  wpa_supplicant -Dbsd -iwlan0 -c/etc/wpa_supplicant.conf\n");
+ #endif /* CONFIG_NO_STDOUT_DEBUG */
+ }
+ 
+@@ -199,6 +198,11 @@ int main(int argc, char *argv[])
+ 
+ 	wpa_supplicant_fd_workaround(1);
+ 
++#ifdef CONFIG_DRIVER_NDIS
++	void driver_ndis_init_ops(void);
++	driver_ndis_init_ops();
++#endif /* CONFIG_DRIVER_NDIS */
++
+ 	for (;;) {
+ 		c = getopt(argc, argv,
+ 			   "b:Bc:C:D:de:f:g:G:hi:I:KLMm:No:O:p:P:qsTtuvW");
diff --git a/security/wpa_supplicant29/files/patch-wpa__supplicant_wpa__supplicant.c b/security/wpa_supplicant29/files/patch-wpa__supplicant_wpa__supplicant.c
new file mode 100644
index 000000000000..42f150b3595c
--- /dev/null
+++ b/security/wpa_supplicant29/files/patch-wpa__supplicant_wpa__supplicant.c
@@ -0,0 +1,16 @@
+--- wpa_supplicant/wpa_supplicant.c.orig	2019-04-21 03:10:22.000000000 -0400
++++ wpa_supplicant/wpa_supplicant.c	2019-05-15 22:44:44.919859000 -0400
+@@ -6357,13 +6357,6 @@
+ 	if (params == NULL)
+ 		return NULL;
+ 
+-#ifdef CONFIG_DRIVER_NDIS
+-	{
+-		void driver_ndis_init_ops(void);
+-		driver_ndis_init_ops();
+-	}
+-#endif /* CONFIG_DRIVER_NDIS */
+-
+ #ifndef CONFIG_NO_WPA_MSG
+ 	wpa_msg_register_ifname_cb(wpa_supplicant_msg_ifname_cb);
+ #endif /* CONFIG_NO_WPA_MSG */
diff --git a/security/wpa_supplicant29/files/pkg-message.in b/security/wpa_supplicant29/files/pkg-message.in
new file mode 100644
index 000000000000..e7b8d25b652d
--- /dev/null
+++ b/security/wpa_supplicant29/files/pkg-message.in
@@ -0,0 +1,11 @@
+[
+{ type: install
+  message: <<EOM
+To use the ports version of WPA Supplicant instead of the base, add:
+
+    wpa_supplicant_program="%%PREFIX%%/sbin/wpa_supplicant"
+
+to /etc/rc.conf
+EOM
+}
+]
diff --git a/security/wpa_supplicant29/files/wpa_supplicant.in b/security/wpa_supplicant29/files/wpa_supplicant.in
new file mode 100644
index 000000000000..c79c7ee119a9
--- /dev/null
+++ b/security/wpa_supplicant29/files/wpa_supplicant.in
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+# PROVIDE: wpa_supplicant
+# REQUIRE: mountcritremote
+# KEYWORD: nojail nostart
+
+. /etc/rc.subr
+. /etc/network.subr
+
+name="wpa_supplicant"
+desc="WPA/802.11i Supplicant for wireless network devices"
+rcvar=
+
+ifn="$2"
+if [ -z "$ifn" ]; then
+	return 1
+fi
+
+is_ndis_interface()
+{
+	case `sysctl -n net.wlan.${1#wlan}.%parent 2>/dev/null` in
+		ndis*) true ;;
+		*) false ;;
+	esac
+}
+
+if is_wired_interface ${ifn} ; then
+	driver="wired"
+elif is_ndis_interface ${ifn} ; then
+	driver="ndis"
+else
+	driver="bsd"
+fi
+
+load_rc_config $name
+
+#
+# This portion of this rc.script is different from base.
+case ${command} in
+/usr/sbin/wpa_supplicant)      # Assume user does not want base hostapd because
+                        # user specified WITHOUT_WIRELESS in make.conf
+                        # and /etc/defaults/rc.conf contains this value.
+                        unset command;;
+esac
+command=${wpa_supplicant_program:-%%PREFIX%%/sbin/wpa_supplicant}
+# End of differences from base. The rest of the file should remain the same.
+
+conf_file=${wpa_supplicant_conf_file}
+pidfile="/var/run/${name}/${ifn}.pid"
+command_args="-B -i $ifn -c $conf_file -D $driver -P $pidfile"
+required_files=$conf_file
+required_modules="wlan_wep wlan_tkip wlan_ccmp"
+
+run_rc_command "$1"
diff --git a/security/wpa_supplicant29/pkg-descr b/security/wpa_supplicant29/pkg-descr
new file mode 100644
index 000000000000..9eb5f45eea94
--- /dev/null
+++ b/security/wpa_supplicant29/pkg-descr
@@ -0,0 +1,14 @@
+wpa_supplicant is a client (supplicant) with support for WPA and WPA2
+(IEEE 802.11i / RSN). It is suitable for both desktop/laptop computers and
+embedded systems. Supplicant is the IEEE 802.1X/WPA component that is used
+in the client stations. It implements key negotiation with a WPA
+Authenticator and it controls the roaming and IEEE 802.11 authentication/
+association of the wlan driver.
+
+wpa_supplicant is designed to be a "daemon" program that runs in the
+background and acts as the backend component controlling the wireless
+connection. wpa_supplicant supports separate frontend programs and a
+text-based frontend (wpa_cli) and a GUI (wpa_gui) are included with
+wpa_supplicant.
+
+WWW: http://w1.fi/wpa_supplicant/
diff --git a/security/wpa_supplicant29/pkg-plist b/security/wpa_supplicant29/pkg-plist
new file mode 100644
index 000000000000..9c7a743d7dea
--- /dev/null
+++ b/security/wpa_supplicant29/pkg-plist
@@ -0,0 +1,5 @@
+%%EAPOL_TEST%%sbin/eapol_test
+sbin/wpa_supplicant
+sbin/wpa_passphrase
+sbin/wpa_cli
+@sample etc/wpa_supplicant.conf.sample