mirror
/
openwrt
mirror of https://git.openwrt.org/openwrt/openwrt.git
1
0
Fork 0
Code Releases Activity

hostapd: add mbedtls variant 

This adds the current WIP mbedtls patches for hostapd. The motivation
here is to reduce size.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
This commit is contained in:
Rosen Penev 2022-09-15 00:48:45 -07:00 committed by Daniel Golle
parent 17c6fb1054
commit 6d1df35747
11 changed files with 10188 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
package/network/services/hostapd/Config.in
View File

@ -4,20 +4,25 @@ config WPA_RFKILL_SUPPORT
depends on PACKAGE_wpa-supplicant || \
PACKAGE_wpa-supplicant-openssl || \
PACKAGE_wpa-supplicant-wolfssl || \
PACKAGE_wpa-supplicant-mbedtls || \
PACKAGE_wpa-supplicant-mesh-openssl || \
PACKAGE_wpa-supplicant-mesh-wolfssl || \
PACKAGE_wpa-supplicant-mesh-mbedtls || \
PACKAGE_wpa-supplicant-basic || \
PACKAGE_wpa-supplicant-mini || \
PACKAGE_wpa-supplicant-p2p || \
PACKAGE_wpad || \
PACKAGE_wpad-openssl || \
PACKAGE_wpad-wolfssl || \
PACKAGE_wpad-mbedtls || \
PACKAGE_wpad-basic || \
PACKAGE_wpad-basic-openssl || \
PACKAGE_wpad-basic-wolfssl || \
PACKAGE_wpad-basic-mbedtls || \
PACKAGE_wpad-mini || \
PACKAGE_wpad-mesh-openssl || \
PACKAGE_wpad-mesh-wolfssl
PACKAGE_wpad-mesh-wolfssl || \
PACKAGE_wpad-mesh-mbedtls
default n
config WPA_MSG_MIN_PRIORITY
@ -25,20 +30,25 @@ config WPA_MSG_MIN_PRIORITY
depends on PACKAGE_wpa-supplicant || \
PACKAGE_wpa-supplicant-openssl || \
PACKAGE_wpa-supplicant-wolfssl || \
PACKAGE_wpa-supplicant-mbedtls || \
PACKAGE_wpa-supplicant-mesh-openssl || \
PACKAGE_wpa-supplicant-mesh-wolfssl || \
PACKAGE_wpa-supplicant-mesh-mbedtls || \
PACKAGE_wpa-supplicant-basic || \
PACKAGE_wpa-supplicant-mini || \
PACKAGE_wpa-supplicant-p2p || \
PACKAGE_wpad || \
PACKAGE_wpad-openssl || \
PACKAGE_wpad-wolfssl || \
PACKAGE_wpad-mbedtls || \
PACKAGE_wpad-basic || \
PACKAGE_wpad-basic-openssl || \
PACKAGE_wpad-basic-wolfssl || \
PACKAGE_wpad-basic-mbedtls || \
PACKAGE_wpad-mini || \
PACKAGE_wpad-mesh-openssl || \
PACKAGE_wpad-mesh-wolfssl
PACKAGE_wpad-mesh-wolfssl || \
PACKAGE_wpad-mesh-mbedtls
default 3
help
Useful values are:
@ -91,9 +101,11 @@ config WPA_MBO_SUPPORT
default PACKAGE_wpa-supplicant || \
PACKAGE_wpa-supplicant-openssl || \
PACKAGE_wpa-supplicant-wolfssl || \
PACKAGE_wpa-supplicant-mbedtls || \
PACKAGE_wpad || \
PACKAGE_wpad-openssl || \
PACKAGE_wpad-wolfssl
PACKAGE_wpad-wolfssl || \
PACKAGE_wpad-mbedtls
help
Multi Band Operation aka (Agile Multiband) enables features
that facilitate efficient use of multiple frequency bands.

121
package/network/services/hostapd/Makefile
View File

@ -52,14 +52,16 @@ LOCAL_AND_LIB_VARIANT=$(patsubst hostapd-%,%,\
LOCAL_VARIANT=$(patsubst %-internal,%,\
$(patsubst %-openssl,%,\
$(patsubst %-wolfssl,%,\
$(patsubst %-mbedtls,%,\
$(LOCAL_AND_LIB_VARIANT)\
)))
))))
SSL_VARIANT=$(strip \
$(if $(findstring openssl,$(LOCAL_AND_LIB_VARIANT)),openssl,\
$(if $(findstring wolfssl,$(LOCAL_AND_LIB_VARIANT)),wolfssl,\
$(if $(findstring mbedtls,$(LOCAL_AND_LIB_VARIANT)),mbedtls,\
internal\
)))
))))
CONFIG_VARIANT:=$(LOCAL_VARIANT)
ifeq ($(LOCAL_VARIANT),mesh)
@ -116,6 +118,21 @@ ifeq ($(SSL_VARIANT),wolfssl)
endif
endif
ifeq ($(SSL_VARIANT),mbedtls)
DRIVER_MAKEOPTS += CONFIG_TLS=mbedtls CONFIG_SAE=y
TARGET_LDFLAGS += -lmbedcrypto -lmbedx509 -lmbedtls
ifeq ($(LOCAL_VARIANT),basic)
DRIVER_MAKEOPTS += CONFIG_OWE=y
endif
ifeq ($(LOCAL_VARIANT),mesh)
DRIVER_MAKEOPTS += CONFIG_AP=y CONFIG_MESH=y CONFIG_WPS_NFC=1
endif
ifeq ($(LOCAL_VARIANT),full)
DRIVER_MAKEOPTS += CONFIG_OWE=y CONFIG_SUITEB192=y CONFIG_AP=y CONFIG_MESH=y CONFIG_WPS_NFC=1
endif
endif
ifneq ($(LOCAL_TYPE),hostapd)
ifdef CONFIG_WPA_RFKILL_SUPPORT
DRIVER_MAKEOPTS += NEED_RFKILL=y
@ -173,6 +190,15 @@ endef
Package/hostapd-wolfssl/description = $(Package/hostapd/description)
define Package/hostapd-mbedtls
$(call Package/hostapd/Default,$(1))
TITLE+= (mbedTLS full)
VARIANT:=full-mbedtls
DEPENDS+=+PACKAGE_hostapd-mbedtls:libmbedtls
endef
Package/hostapd-mbedtls/description = $(Package/hostapd/description)
define Package/hostapd-basic
$(call Package/hostapd/Default,$(1))
TITLE+= (WPA-PSK, 11r, 11w)
@ -205,6 +231,17 @@ define Package/hostapd-basic-wolfssl/description
This package contains a basic IEEE 802.1x/WPA Authenticator with WPA-PSK, 802.11r and 802.11w support.
endef
define Package/hostapd-basic-mbedtls
$(call Package/hostapd/Default,$(1))
TITLE+= (WPA-PSK, 11r and 11w)
VARIANT:=basic-mbedtls
DEPENDS+=+PACKAGE_hostapd-basic-mbedtls:libmbedtls
endef
define Package/hostapd-basic-mbedtls/description
This package contains a basic IEEE 802.1x/WPA Authenticator with WPA-PSK, 802.11r and 802.11w support.
endef
define Package/hostapd-mini
$(call Package/hostapd/Default,$(1))
TITLE+= (WPA-PSK only)
@ -260,6 +297,15 @@ endef
Package/wpad-wolfssl/description = $(Package/wpad/description)
define Package/wpad-mbedtls
$(call Package/wpad/Default,$(1))
TITLE+= (mbedTLS full)
VARIANT:=wpad-full-mbedtls
DEPENDS+=+PACKAGE_wpad-mbedtls:libmbedtls
endef
Package/wpad-mbedtls/description = $(Package/wpad/description)
define Package/wpad-basic
$(call Package/wpad/Default,$(1))
TITLE+= (WPA-PSK, 11r, 11w)
@ -292,6 +338,17 @@ define Package/wpad-basic-wolfssl/description
This package contains a basic IEEE 802.1x/WPA Authenticator and Supplicant with WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w support.
endef
define Package/wpad-basic-mbedtls
$(call Package/wpad/Default,$(1))
TITLE+= (mbedTLS, 11r, 11w)
VARIANT:=wpad-basic-mbedtls
DEPENDS+=+PACKAGE_wpad-basic-mbedtls:libmbedtls
endef
define Package/wpad-basic-mbedtls/description
This package contains a basic IEEE 802.1x/WPA Authenticator and Supplicant with WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w support.
endef
define Package/wpad-mini
$(call Package/wpad/Default,$(1))
TITLE+= (WPA-PSK only)
@ -330,6 +387,15 @@ endef
Package/wpad-mesh-wolfssl/description = $(Package/wpad-mesh/description)
define Package/wpad-mesh-mbedtls
$(call Package/wpad-mesh,$(1))
TITLE+= (mbedTLS, 11s, SAE)
DEPENDS+=+PACKAGE_wpad-mesh-mbedtls:libmbedtls
VARIANT:=wpad-mesh-mbedtls
endef
Package/wpad-mesh-mbedtls/description = $(Package/wpad-mesh/description)
define Package/wpa-supplicant/Default
SECTION:=net
@ -365,6 +431,13 @@ $(call Package/wpa-supplicant/Default,$(1))
DEPENDS+=+PACKAGE_wpa-supplicant-wolfssl:libwolfssl
endef
define Package/wpa-supplicant-mbedtls
$(call Package/wpa-supplicant/Default,$(1))
TITLE+= (mbedTLS full)
VARIANT:=supplicant-full-mbedtls
DEPENDS+=+PACKAGE_wpa-supplicant-mbedtls:libmbedtls
endef
define Package/wpa-supplicant/config
source "$(SOURCE)/Config.in"
endef
@ -396,6 +469,13 @@ $(call Package/wpa-supplicant-mesh/Default,$(1))
DEPENDS+=+PACKAGE_wpa-supplicant-mesh-wolfssl:libwolfssl
endef
define Package/wpa-supplicant-mesh-mbedtls
$(call Package/wpa-supplicant-mesh/Default,$(1))
TITLE+= (mbedTLS, 11s, SAE)
VARIANT:=supplicant-mesh-mbedtls
DEPENDS+=+PACKAGE_wpa-supplicant-mesh-mbedtls:libmbedtls
endef
define Package/wpa-supplicant-basic
$(call Package/wpa-supplicant/Default,$(1))
TITLE+= (11r, 11w)
@ -472,6 +552,15 @@ define Package/eapol-test-wolfssl
PROVIDES:=eapol-test
endef
define Package/eapol-test-mbedtls
$(call Package/eapol-test/Default,$(1))
TITLE+= (mbedTLS full)
VARIANT:=supplicant-full-mbedtls
CONFLICTS:=$(filter-out eapol-test-openssl ,$(filter-out eapol-test-mbedtls ,$(EAPOL_TEST_PROVIDERS)))
DEPENDS+=+PACKAGE_eapol-test-mbedtls:libmbedtls
PROVIDES:=eapol-test
endef
ifneq ($(wildcard $(PKG_BUILD_DIR)/.config_*),$(subst .configured_,.config_,$(STAMP_CONFIGURED)))
define Build/Configure/rebuild
@ -580,6 +669,12 @@ define Build/Compile/supplicant-full-wolfssl
)
endef
define Build/Compile/supplicant-full-mbedtls
+$(call Build/RunMake,wpa_supplicant, \
eapol_test \
)
endef
define Build/Compile
$(Build/Compile/$(LOCAL_TYPE))
$(Build/Compile/$(BUILD_VARIANT))
@ -610,9 +705,11 @@ endef
Package/hostapd-basic/install = $(Package/hostapd/install)
Package/hostapd-basic-openssl/install = $(Package/hostapd/install)
Package/hostapd-basic-wolfssl/install = $(Package/hostapd/install)
Package/hostapd-basic-mbedtls/install = $(Package/hostapd/install)
Package/hostapd-mini/install = $(Package/hostapd/install)
Package/hostapd-openssl/install = $(Package/hostapd/install)
Package/hostapd-wolfssl/install = $(Package/hostapd/install)
Package/hostapd-mbedtls/install = $(Package/hostapd/install)
ifneq ($(LOCAL_TYPE),supplicant)
define Package/hostapd-utils/install
@ -631,11 +728,14 @@ endef
Package/wpad-basic/install = $(Package/wpad/install)
Package/wpad-basic-openssl/install = $(Package/wpad/install)
Package/wpad-basic-wolfssl/install = $(Package/wpad/install)
Package/wpad-basic-mbedtls/install = $(Package/wpad/install)
Package/wpad-mini/install = $(Package/wpad/install)
Package/wpad-openssl/install = $(Package/wpad/install)
Package/wpad-wolfssl/install = $(Package/wpad/install)
Package/wpad-mbedtls/install = $(Package/wpad/install)
Package/wpad-mesh-openssl/install = $(Package/wpad/install)
Package/wpad-mesh-wolfssl/install = $(Package/wpad/install)
Package/wpad-mesh-mbedtls/install = $(Package/wpad/install)
define Package/wpa-supplicant/install
$(call Install/supplicant,$(1))
@ -646,8 +746,10 @@ Package/wpa-supplicant-mini/install = $(Package/wpa-supplicant/install)
Package/wpa-supplicant-p2p/install = $(Package/wpa-supplicant/install)
Package/wpa-supplicant-openssl/install = $(Package/wpa-supplicant/install)
Package/wpa-supplicant-wolfssl/install = $(Package/wpa-supplicant/install)
Package/wpa-supplicant-mbedtls/install = $(Package/wpa-supplicant/install)
Package/wpa-supplicant-mesh-openssl/install = $(Package/wpa-supplicant/install)
Package/wpa-supplicant-mesh-wolfssl/install = $(Package/wpa-supplicant/install)
Package/wpa-supplicant-mesh-mbedtls/install = $(Package/wpa-supplicant/install)
ifneq ($(LOCAL_TYPE),hostapd)
define Package/wpa-cli/install
@ -677,6 +779,13 @@ ifeq ($(BUILD_VARIANT),supplicant-full-wolfssl)
endef
endif
ifeq ($(BUILD_VARIANT),supplicant-full-mbedtls)
define Package/eapol-test-mbedtls/install
$(INSTALL_DIR) $(1)/usr/sbin
$(CP) $(PKG_BUILD_DIR)/wpa_supplicant/eapol_test $(1)/usr/sbin/
endef
endif
# Build hostapd-common before its dependents, to avoid
# spurious rebuilds when building multiple variants.
$(eval $(call BuildPackage,hostapd-common))
@ -684,28 +793,36 @@ $(eval $(call BuildPackage,hostapd))
$(eval $(call BuildPackage,hostapd-basic))
$(eval $(call BuildPackage,hostapd-basic-openssl))
$(eval $(call BuildPackage,hostapd-basic-wolfssl))
$(eval $(call BuildPackage,hostapd-basic-mbedtls))
$(eval $(call BuildPackage,hostapd-mini))
$(eval $(call BuildPackage,hostapd-openssl))
$(eval $(call BuildPackage,hostapd-wolfssl))
$(eval $(call BuildPackage,hostapd-mbedtls))
$(eval $(call BuildPackage,wpad))
$(eval $(call BuildPackage,wpad-mesh-openssl))
$(eval $(call BuildPackage,wpad-mesh-wolfssl))
$(eval $(call BuildPackage,wpad-mesh-mbedtls))
$(eval $(call BuildPackage,wpad-basic))
$(eval $(call BuildPackage,wpad-basic-openssl))
$(eval $(call BuildPackage,wpad-basic-wolfssl))
$(eval $(call BuildPackage,wpad-basic-mbedtls))
$(eval $(call BuildPackage,wpad-mini))
$(eval $(call BuildPackage,wpad-openssl))
$(eval $(call BuildPackage,wpad-wolfssl))
$(eval $(call BuildPackage,wpad-mbedtls))
$(eval $(call BuildPackage,wpa-supplicant))
$(eval $(call BuildPackage,wpa-supplicant-mesh-openssl))
$(eval $(call BuildPackage,wpa-supplicant-mesh-wolfssl))
$(eval $(call BuildPackage,wpa-supplicant-mesh-mbedtls))
$(eval $(call BuildPackage,wpa-supplicant-basic))
$(eval $(call BuildPackage,wpa-supplicant-mini))
$(eval $(call BuildPackage,wpa-supplicant-p2p))
$(eval $(call BuildPackage,wpa-supplicant-openssl))
$(eval $(call BuildPackage,wpa-supplicant-wolfssl))
$(eval $(call BuildPackage,wpa-supplicant-mbedtls))
$(eval $(call BuildPackage,wpa-cli))
$(eval $(call BuildPackage,hostapd-utils))
$(eval $(call BuildPackage,eapol-test))
$(eval $(call BuildPackage,eapol-test-openssl))
$(eval $(call BuildPackage,eapol-test-wolfssl))
$(eval $(call BuildPackage,eapol-test-mbedtls))

8051
package/network/services/hostapd/patches/110-mbedtls-TLS-crypto-option-initial-port.patch Normal file
View File

File diff suppressed because it is too large Load Diff

114
package/network/services/hostapd/patches/120-mbedtls-fips186_2_prf.patch Normal file
View File

@ -0,0 +1,114 @@
From c8dba4bd750269bcc80fed3d546e2077cb4cdf0e Mon Sep 17 00:00:00 2001
From: Glenn Strauss <gstrauss@gluelogic.com>
Date: Tue, 19 Jul 2022 20:02:21 -0400
Subject: [PATCH 2/7] mbedtls: fips186_2_prf()
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
---
hostapd/Makefile | 4 ---
src/crypto/crypto_mbedtls.c | 60 +++++++++++++++++++++++++++++++++++++
wpa_supplicant/Makefile | 4 ---
3 files changed, 60 insertions(+), 8 deletions(-)
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@@ -759,10 +759,6 @@ endif
OBJS += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
HOBJS += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
SOBJS += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
-ifdef NEED_FIPS186_2_PRF
-OBJS += ../src/crypto/fips_prf_internal.o
-SHA1OBJS += ../src/crypto/sha1-internal.o
-endif
ifeq ($(CONFIG_CRYPTO), mbedtls)
ifdef CONFIG_DPP
LIBS += -lmbedx509
--- a/src/crypto/crypto_mbedtls.c
+++ b/src/crypto/crypto_mbedtls.c
@@ -132,6 +132,12 @@
#define CRYPTO_MBEDTLS_HMAC_KDF_SHA512
#endif
+#if defined(EAP_SIM) || defined(EAP_SIM_DYNAMIC) || defined(EAP_SERVER_SIM) \
+ || defined(EAP_AKA) || defined(EAP_AKA_DYNAMIC) || defined(EAP_SERVER_AKA)
+/* EAP_SIM=y EAP_AKA=y */
+#define CRYPTO_MBEDTLS_FIPS186_2_PRF
+#endif
+
#if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST) \
|| defined(EAP_TEAP) || defined(EAP_TEAP_DYNAMIC) || defined(EAP_SERVER_FAST)
#define CRYPTO_MBEDTLS_SHA1_T_PRF
@@ -813,6 +819,60 @@ int sha1_t_prf(const u8 *key, size_t key
#endif /* CRYPTO_MBEDTLS_SHA1_T_PRF */
+#ifdef CRYPTO_MBEDTLS_FIPS186_2_PRF
+
+/* fips_prf_internal.c sha1-internal.c */
+
+/* used only by src/eap_common/eap_sim_common.c:eap_sim_prf()
+ * for eap_sim_derive_keys() and eap_sim_derive_keys_reauth()
+ * where xlen is 160 */
+
+int fips186_2_prf(const u8 *seed, size_t seed_len, u8 *x, size_t xlen)
+{
+ /* FIPS 186-2 + change notice 1 */
+
+ mbedtls_sha1_context ctx;
+ u8 * const xkey = ctx.MBEDTLS_PRIVATE(buffer);
+ u32 * const xstate = ctx.MBEDTLS_PRIVATE(state);
+ const u32 xstate_init[] =
+ { 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0 };
+
+ mbedtls_sha1_init(&ctx);
+ os_memcpy(xkey, seed, seed_len < 64 ? seed_len : 64);
+
+ /* note: does not fill extra bytes if (xlen % 20) (SHA1_MAC_LEN) */
+ for (; xlen >= 20; xlen -= 20) {
+ /* XSEED_j = 0 */
+ /* XVAL = (XKEY + XSEED_j) mod 2^b */
+
+ /* w_i = G(t, XVAL) */
+ os_memcpy(xstate, xstate_init, sizeof(xstate_init));
+ mbedtls_internal_sha1_process(&ctx, xkey);
+
+ #if __BYTE_ORDER == __LITTLE_ENDIAN
+ xstate[0] = host_to_be32(xstate[0]);
+ xstate[1] = host_to_be32(xstate[1]);
+ xstate[2] = host_to_be32(xstate[2]);
+ xstate[3] = host_to_be32(xstate[3]);
+ xstate[4] = host_to_be32(xstate[4]);
+ #endif
+ os_memcpy(x, xstate, 20);
+ if (xlen == 20) /*(done; skip prep for next loop)*/
+ break;
+
+ /* XKEY = (1 + XKEY + w_i) mod 2^b */
+ for (u32 carry = 1, k = 20; k-- > 0; carry >>= 8)
+ xkey[k] = (carry += xkey[k] + x[k]) & 0xff;
+ x += 20;
+ /* x_j = w_0|w_1 (each pair of iterations through loop)*/
+ }
+
+ mbedtls_sha1_free(&ctx);
+ return 0;
+}
+
+#endif /* CRYPTO_MBEDTLS_FIPS186_2_PRF */
+
#endif /* MBEDTLS_SHA1_C */
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -1160,10 +1160,6 @@ endif
OBJS += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
OBJS_p += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
OBJS_priv += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
-ifdef NEED_FIPS186_2_PRF
-OBJS += ../src/crypto/fips_prf_internal.o
-SHA1OBJS += ../src/crypto/sha1-internal.o
-endif
ifeq ($(CONFIG_CRYPTO), mbedtls)
LIBS += -lmbedcrypto
LIBS_p += -lmbedcrypto

421
package/network/services/hostapd/patches/130-mbedtls-annotate-with-TEST_FAIL-for-hwsim-tests.patch Normal file
View File

@ -0,0 +1,421 @@
From 31bd19e0e0254b910cccfd3ddc6a6a9222bbcfc0 Mon Sep 17 00:00:00 2001
From: Glenn Strauss <gstrauss@gluelogic.com>
Date: Sun, 9 Oct 2022 05:12:17 -0400
Subject: [PATCH 3/7] mbedtls: annotate with TEST_FAIL() for hwsim tests
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
---
src/crypto/crypto_mbedtls.c | 124 ++++++++++++++++++++++++++++++++++++
1 file changed, 124 insertions(+)
--- a/src/crypto/crypto_mbedtls.c
+++ b/src/crypto/crypto_mbedtls.c
@@ -280,6 +280,9 @@ __attribute_noinline__
static int md_vector(size_t num_elem, const u8 *addr[], const size_t *len,
u8 *mac, mbedtls_md_type_t md_type)
{
+ if (TEST_FAIL())
+ return -1;
+
mbedtls_md_context_t ctx;
mbedtls_md_init(&ctx);
if (mbedtls_md_setup(&ctx, mbedtls_md_info_from_type(md_type), 0) != 0){
@@ -343,6 +346,9 @@ __attribute_noinline__
static int sha384_512_vector(size_t num_elem, const u8 *addr[],
const size_t *len, u8 *mac, int is384)
{
+ if (TEST_FAIL())
+ return -1;
+
struct mbedtls_sha512_context ctx;
mbedtls_sha512_init(&ctx);
#if MBEDTLS_VERSION_MAJOR >= 3
@@ -375,6 +381,9 @@ int sha384_vector(size_t num_elem, const
#include <mbedtls/sha256.h>
int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
{
+ if (TEST_FAIL())
+ return -1;
+
struct mbedtls_sha256_context ctx;
mbedtls_sha256_init(&ctx);
#if MBEDTLS_VERSION_MAJOR >= 3
@@ -397,6 +406,9 @@ int sha256_vector(size_t num_elem, const
#include <mbedtls/sha1.h>
int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
{
+ if (TEST_FAIL())
+ return -1;
+
struct mbedtls_sha1_context ctx;
mbedtls_sha1_init(&ctx);
#if MBEDTLS_VERSION_MAJOR >= 3
@@ -419,6 +431,9 @@ int sha1_vector(size_t num_elem, const u
#include <mbedtls/md5.h>
int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
{
+ if (TEST_FAIL())
+ return -1;
+
struct mbedtls_md5_context ctx;
mbedtls_md5_init(&ctx);
#if MBEDTLS_VERSION_MAJOR >= 3
@@ -441,6 +456,9 @@ int md5_vector(size_t num_elem, const u8
#include <mbedtls/md4.h>
int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
{
+ if (TEST_FAIL())
+ return -1;
+
struct mbedtls_md4_context ctx;
mbedtls_md4_init(&ctx);
mbedtls_md4_starts_ret(&ctx);
@@ -460,6 +478,9 @@ static int hmac_vector(const u8 *key, si
const u8 *addr[], const size_t *len, u8 *mac,
mbedtls_md_type_t md_type)
{
+ if (TEST_FAIL())
+ return -1;
+
mbedtls_md_context_t ctx;
mbedtls_md_init(&ctx);
if (mbedtls_md_setup(&ctx, mbedtls_md_info_from_type(md_type), 1) != 0){
@@ -571,6 +592,9 @@ static int hmac_kdf_expand(const u8 *prk
const char *label, const u8 *info, size_t info_len,
u8 *okm, size_t okm_len, mbedtls_md_type_t md_type)
{
+ if (TEST_FAIL())
+ return -1;
+
const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_type);
#ifdef MBEDTLS_HKDF_C
if (label == NULL) /* RFC 5869 HKDF-Expand when (label == NULL) */
@@ -663,6 +687,9 @@ static int hmac_prf_bits(const u8 *key,
const u8 *data, size_t data_len, u8 *buf,
size_t buf_len_bits, mbedtls_md_type_t md_type)
{
+ if (TEST_FAIL())
+ return -1;
+
mbedtls_md_context_t ctx;
mbedtls_md_init(&ctx);
const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_type);
@@ -938,6 +965,9 @@ int pbkdf2_sha1(const char *passphrase,
static void *aes_crypt_init_mode(const u8 *key, size_t len, int mode)
{
+ if (TEST_FAIL())
+ return NULL;
+
mbedtls_aes_context *aes = os_malloc(sizeof(*aes));
if (!aes)
return NULL;
@@ -996,6 +1026,9 @@ void aes_decrypt_deinit(void *ctx)
/* aes-wrap.c */
int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher)
{
+ if (TEST_FAIL())
+ return -1;
+
mbedtls_nist_kw_context ctx;
mbedtls_nist_kw_init(&ctx);
size_t olen;
@@ -1010,6 +1043,9 @@ int aes_wrap(const u8 *kek, size_t kek_l
/* aes-unwrap.c */
int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher, u8 *plain)
{
+ if (TEST_FAIL())
+ return -1;
+
mbedtls_nist_kw_context ctx;
mbedtls_nist_kw_init(&ctx);
size_t olen;
@@ -1041,6 +1077,9 @@ int omac1_aes_vector(
const u8 *key, size_t key_len, size_t num_elem, const u8 *addr[],
const size_t *len, u8 *mac)
{
+ if (TEST_FAIL())
+ return -1;
+
mbedtls_cipher_type_t cipher_type;
switch (key_len) {
case 16: cipher_type = MBEDTLS_CIPHER_AES_128_ECB; break;
@@ -1103,6 +1142,9 @@ int omac1_aes_256(const u8 *key, const u
/* aes-encblock.c */
int aes_128_encrypt_block(const u8 *key, const u8 *in, u8 *out)
{
+ if (TEST_FAIL())
+ return -1;
+
mbedtls_aes_context aes;
mbedtls_aes_init(&aes);
int ret = mbedtls_aes_setkey_enc(&aes, key, 128)
@@ -1118,6 +1160,9 @@ int aes_128_encrypt_block(const u8 *key,
int aes_ctr_encrypt(const u8 *key, size_t key_len, const u8 *nonce,
u8 *data, size_t data_len)
{
+ if (TEST_FAIL())
+ return -1;
+
unsigned char counter[MBEDTLS_AES_BLOCK_SIZE];
unsigned char stream_block[MBEDTLS_AES_BLOCK_SIZE];
os_memcpy(counter, nonce, MBEDTLS_AES_BLOCK_SIZE);/*(must be writable)*/
@@ -1160,11 +1205,17 @@ static int aes_128_cbc_oper(const u8 *ke
int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
{
+ if (TEST_FAIL())
+ return -1;
+
return aes_128_cbc_oper(key, iv, data, data_len, MBEDTLS_AES_ENCRYPT);
}
int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
{
+ if (TEST_FAIL())
+ return -1;
+
return aes_128_cbc_oper(key, iv, data, data_len, MBEDTLS_AES_DECRYPT);
}
@@ -1407,6 +1458,10 @@ int crypto_hash_finish(struct crypto_has
}
mbedtls_md_free(mctx);
os_free(mctx);
+
+ if (TEST_FAIL())
+ return -1;
+
return 0;
}
@@ -1421,6 +1476,9 @@ int crypto_hash_finish(struct crypto_has
struct crypto_bignum *crypto_bignum_init(void)
{
+ if (TEST_FAIL())
+ return NULL;
+
mbedtls_mpi *bn = os_malloc(sizeof(*bn));
if (bn)
mbedtls_mpi_init(bn);
@@ -1429,6 +1487,9 @@ struct crypto_bignum *crypto_bignum_init
struct crypto_bignum *crypto_bignum_init_set(const u8 *buf, size_t len)
{
+ if (TEST_FAIL())
+ return NULL;
+
mbedtls_mpi *bn = os_malloc(sizeof(*bn));
if (bn) {
mbedtls_mpi_init(bn);
@@ -1442,6 +1503,9 @@ struct crypto_bignum *crypto_bignum_init
struct crypto_bignum *crypto_bignum_init_uint(unsigned int val)
{
+ if (TEST_FAIL())
+ return NULL;
+
#if 0 /*(hostap use of this interface passes int, not uint)*/
val = host_to_be32(val);
return crypto_bignum_init_set((const u8 *)&val, sizeof(val));
@@ -1467,6 +1531,9 @@ void crypto_bignum_deinit(struct crypto_
int crypto_bignum_to_bin(const struct crypto_bignum *a,
u8 *buf, size_t buflen, size_t padlen)
{
+ if (TEST_FAIL())
+ return -1;
+
size_t n = mbedtls_mpi_size((mbedtls_mpi *)a);
if (n < padlen)
n = padlen;
@@ -1477,6 +1544,9 @@ int crypto_bignum_to_bin(const struct cr
int crypto_bignum_rand(struct crypto_bignum *r, const struct crypto_bignum *m)
{
+ if (TEST_FAIL())
+ return -1;
+
/*assert(r != m);*//* r must not be same as m for mbedtls_mpi_random()*/
#if MBEDTLS_VERSION_NUMBER >= 0x021B0000 /* mbedtls 2.27.0 */
return mbedtls_mpi_random((mbedtls_mpi *)r, 0, (mbedtls_mpi *)m,
@@ -1513,6 +1583,9 @@ int crypto_bignum_exptmod(const struct c
const struct crypto_bignum *c,
struct crypto_bignum *d)
{
+ if (TEST_FAIL())
+ return -1;
+
/* (check if input params match d; d is the result) */
/* (a == d) is ok in current mbedtls implementation */
if (b == d || c == d) { /*(not ok; store result in intermediate)*/
@@ -1540,6 +1613,9 @@ int crypto_bignum_inverse(const struct c
const struct crypto_bignum *b,
struct crypto_bignum *c)
{
+ if (TEST_FAIL())
+ return -1;
+
return mbedtls_mpi_inv_mod((mbedtls_mpi *)c,
(const mbedtls_mpi *)a,
(const mbedtls_mpi *)b) ? -1 : 0;
@@ -1549,6 +1625,9 @@ int crypto_bignum_sub(const struct crypt
const struct crypto_bignum *b,
struct crypto_bignum *c)
{
+ if (TEST_FAIL())
+ return -1;
+
return mbedtls_mpi_sub_mpi((mbedtls_mpi *)c,
(const mbedtls_mpi *)a,
(const mbedtls_mpi *)b) ? -1 : 0;
@@ -1558,6 +1637,9 @@ int crypto_bignum_div(const struct crypt
const struct crypto_bignum *b,
struct crypto_bignum *c)
{
+ if (TEST_FAIL())
+ return -1;
+
/*(most current use of this crypto.h interface has a == c (result),
* so store result in an intermediate to avoid overwritten input)*/
mbedtls_mpi R;
@@ -1575,6 +1657,9 @@ int crypto_bignum_addmod(const struct cr
const struct crypto_bignum *c,
struct crypto_bignum *d)
{
+ if (TEST_FAIL())
+ return -1;
+
return mbedtls_mpi_add_mpi((mbedtls_mpi *)d,
(const mbedtls_mpi *)a,
(const mbedtls_mpi *)b)
@@ -1588,6 +1673,9 @@ int crypto_bignum_mulmod(const struct cr
const struct crypto_bignum *c,
struct crypto_bignum *d)
{
+ if (TEST_FAIL())
+ return -1;
+
return mbedtls_mpi_mul_mpi((mbedtls_mpi *)d,
(const mbedtls_mpi *)a,
(const mbedtls_mpi *)b)
@@ -1600,6 +1688,9 @@ int crypto_bignum_sqrmod(const struct cr
const struct crypto_bignum *b,
struct crypto_bignum *c)
{
+ if (TEST_FAIL())
+ return -1;
+
#if 1
return crypto_bignum_mulmod(a, a, b, c);
#else
@@ -1650,6 +1741,9 @@ int crypto_bignum_is_odd(const struct cr
int crypto_bignum_legendre(const struct crypto_bignum *a,
const struct crypto_bignum *p)
{
+ if (TEST_FAIL())
+ return -2;
+
/* Security Note:
* mbedtls_mpi_exp_mod() is not documented to run in constant time,
* though mbedtls/library/bignum.c uses constant_time_internal.h funcs.
@@ -1702,6 +1796,9 @@ int crypto_mod_exp(const u8 *base, size_
const u8 *modulus, size_t modulus_len,
u8 *result, size_t *result_len)
{
+ if (TEST_FAIL())
+ return -1;
+
mbedtls_mpi bn_base, bn_exp, bn_modulus, bn_result;
mbedtls_mpi_init(&bn_base);
mbedtls_mpi_init(&bn_exp);
@@ -1769,6 +1866,9 @@ static int crypto_mbedtls_dh_init_public
int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey,
u8 *pubkey)
{
+ if (TEST_FAIL())
+ return -1;
+
#if 0 /*(crypto_dh_init() duplicated (and identical) in crypto_*.c modules)*/
size_t pubkey_len, pad;
@@ -1810,6 +1910,9 @@ int crypto_dh_derive_secret(u8 generator
const u8 *pubkey, size_t pubkey_len,
u8 *secret, size_t *len)
{
+ if (TEST_FAIL())
+ return -1;
+
#if 0
if (pubkey_len > prime_len ||
(pubkey_len == prime_len &&
@@ -2512,6 +2615,9 @@ const struct crypto_ec_point * crypto_ec
struct crypto_ec_point *crypto_ec_point_init(struct crypto_ec *e)
{
+ if (TEST_FAIL())
+ return NULL;
+
mbedtls_ecp_point *p = os_malloc(sizeof(*p));
if (p != NULL)
mbedtls_ecp_point_init(p);
@@ -2536,6 +2642,9 @@ int crypto_ec_point_x(struct crypto_ec *
int crypto_ec_point_to_bin(struct crypto_ec *e,
const struct crypto_ec_point *point, u8 *x, u8 *y)
{
+ if (TEST_FAIL())
+ return -1;
+
/* crypto.h documents crypto_ec_point_to_bin() output is big-endian */
size_t len = CRYPTO_EC_plen(e);
if (x) {
@@ -2563,6 +2672,9 @@ int crypto_ec_point_to_bin(struct crypto
struct crypto_ec_point * crypto_ec_point_from_bin(struct crypto_ec *e,
const u8 *val)
{
+ if (TEST_FAIL())
+ return NULL;
+
size_t len = CRYPTO_EC_plen(e);
mbedtls_ecp_point *p = os_malloc(sizeof(*p));
u8 buf[1+MBEDTLS_MPI_MAX_SIZE*2];
@@ -2615,6 +2727,9 @@ int crypto_ec_point_add(struct crypto_ec
const struct crypto_ec_point *b,
struct crypto_ec_point *c)
{
+ if (TEST_FAIL())
+ return -1;
+
/* mbedtls does not provide an mbedtls_ecp_point add function */
mbedtls_mpi one;
mbedtls_mpi_init(&one);
@@ -2631,6 +2746,9 @@ int crypto_ec_point_mul(struct crypto_ec
const struct crypto_bignum *b,
struct crypto_ec_point *res)
{
+ if (TEST_FAIL())
+ return -1;
+
return mbedtls_ecp_mul(
(mbedtls_ecp_group *)e, (mbedtls_ecp_point *)res,
(const mbedtls_mpi *)b, (const mbedtls_ecp_point *)p,
@@ -2639,6 +2757,9 @@ int crypto_ec_point_mul(struct crypto_ec
int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p)
{
+ if (TEST_FAIL())
+ return -1;
+
if (mbedtls_ecp_get_type((mbedtls_ecp_group *)e)
== MBEDTLS_ECP_TYPE_MONTGOMERY) {
/* e.g. MBEDTLS_ECP_DP_CURVE25519 and MBEDTLS_ECP_DP_CURVE448 */
@@ -2751,6 +2872,9 @@ struct crypto_bignum *
crypto_ec_point_compute_y_sqr(struct crypto_ec *e,
const struct crypto_bignum *x)
{
+ if (TEST_FAIL())
+ return NULL;
+
mbedtls_mpi *y2 = os_malloc(sizeof(*y2));
if (y2 == NULL)
return NULL;

1358
package/network/services/hostapd/patches/140-tests-Makefile-make-run-tests-with-CONFIG_TLS.patch Normal file
View File

File diff suppressed because it is too large Load Diff

45
package/network/services/hostapd/patches/150-add-NULL-checks-encountered-during-tests-hwsim.patch Normal file
View File

@ -0,0 +1,45 @@
From 33afce36c54b0cad38643629ded10ff5d727f077 Mon Sep 17 00:00:00 2001
From: Glenn Strauss <gstrauss@gluelogic.com>
Date: Fri, 12 Aug 2022 05:34:47 -0400
Subject: [PATCH 5/7] add NULL checks (encountered during tests/hwsim)
sae_derive_commit_element_ecc NULL pwe_ecc check
dpp_gen_keypair() NULL curve check
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
---
src/common/dpp_crypto.c | 6 ++++++
src/common/sae.c | 7 +++++++
2 files changed, 13 insertions(+)
--- a/src/common/dpp_crypto.c
+++ b/src/common/dpp_crypto.c
@@ -248,6 +248,12 @@ struct crypto_ec_key * dpp_set_pubkey_po
struct crypto_ec_key * dpp_gen_keypair(const struct dpp_curve_params *curve)
{
+ if (curve == NULL) {
+ wpa_printf(MSG_DEBUG,
+ "DPP: %s curve must be initialized", __func__);
+ return NULL;
+ }
+
struct crypto_ec_key *key;
wpa_printf(MSG_DEBUG, "DPP: Generating a keypair");
--- a/src/common/sae.c
+++ b/src/common/sae.c
@@ -1278,6 +1278,13 @@ void sae_deinit_pt(struct sae_pt *pt)
static int sae_derive_commit_element_ecc(struct sae_data *sae,
struct crypto_bignum *mask)
{
+ if (sae->tmp->pwe_ecc == NULL) {
+ wpa_printf(MSG_DEBUG,
+ "SAE: %s sae->tmp->pwe_ecc must be initialized",
+ __func__);
+ return -1;
+ }
+
/* COMMIT-ELEMENT = inverse(scalar-op(mask, PWE)) */
if (!sae->tmp->own_commit_element_ecc) {
sae->tmp->own_commit_element_ecc =

26
package/network/services/hostapd/patches/160-dpp_pkex-EC-point-mul-w-value-prime.patch Normal file
View File

@ -0,0 +1,26 @@
From 54211caa2e0e5163aefef390daf88a971367a702 Mon Sep 17 00:00:00 2001
From: Glenn Strauss <gstrauss@gluelogic.com>
Date: Tue, 4 Oct 2022 17:09:24 -0400
Subject: [PATCH 6/7] dpp_pkex: EC point mul w/ value < prime
crypto_ec_point_mul() with mbedtls requires point
be multiplied by a multiplicand with value < prime
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
---
src/common/dpp_crypto.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/src/common/dpp_crypto.c
+++ b/src/common/dpp_crypto.c
@@ -1567,7 +1567,9 @@ dpp_pkex_derive_Qr(const struct dpp_curv
Pr = crypto_ec_key_get_public_key(Pr_key);
Qr = crypto_ec_point_init(ec);
hash_bn = crypto_bignum_init_set(hash, curve->hash_len);
- if (!Pr || !Qr || !hash_bn || crypto_ec_point_mul(ec, Pr, hash_bn, Qr))
+ if (!Pr || !Qr || !hash_bn ||
+ crypto_bignum_mod(hash_bn, crypto_ec_get_prime(ec), hash_bn) ||
+ crypto_ec_point_mul(ec, Pr, hash_bn, Qr))
goto fail;
if (crypto_ec_point_is_at_infinity(ec, Qr)) {

32
package/network/services/hostapd/patches/170-DPP-fix-memleak-of-intro.peer_key.patch Normal file
View File

@ -0,0 +1,32 @@
From 639bb1bb912029ec4ff110c3ed807b62f583d6bf Mon Sep 17 00:00:00 2001
From: Glenn Strauss <gstrauss@gluelogic.com>
Date: Sun, 9 Oct 2022 04:02:44 -0400
Subject: [PATCH 7/7] DPP: fix memleak of intro.peer_key
fix memleak of intro.peer_key in wpas_dpp_rx_peer_disc_resp()
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
---
wpa_supplicant/dpp_supplicant.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/wpa_supplicant/dpp_supplicant.c
+++ b/wpa_supplicant/dpp_supplicant.c
@@ -2610,6 +2610,8 @@ static void wpas_dpp_rx_peer_disc_resp(s
return;
}
+ os_memset(&intro, 0, sizeof(intro));
+
trans_id = dpp_get_attr(buf, len, DPP_ATTR_TRANSACTION_ID,
&trans_id_len);
if (!trans_id || trans_id_len != 1) {
@@ -2720,7 +2722,7 @@ static void wpas_dpp_rx_peer_disc_resp(s
wpa_supplicant_req_scan(wpa_s, 0, 0);
}
fail:
- os_memset(&intro, 0, sizeof(intro));
+ dpp_peer_intro_deinit(&intro);
}

8
package/network/services/hostapd/patches/200-multicall.patch
View File

@ -36,7 +36,7 @@
LIBS += $(DRV_AP_LIBS)
ifdef CONFIG_L2_PACKET
@@ -1291,6 +1297,12 @@ install: $(addprefix $(DESTDIR)$(BINDIR)
@@ -1378,6 +1384,12 @@ install: $(addprefix $(DESTDIR)$(BINDIR)
_OBJS_VAR := OBJS
include ../src/objs.mk
@ -49,7 +49,7 @@
hostapd: $(OBJS)
$(Q)$(CC) $(LDFLAGS) -o hostapd $(OBJS) $(LIBS)
@$(E) " LD " $@
@@ -1365,6 +1377,12 @@ include ../src/objs.mk
@@ -1458,6 +1470,12 @@ include ../src/objs.mk
_OBJS_VAR := SOBJS
include ../src/objs.mk
@ -128,7 +128,7 @@
NEED_AES_WRAP=y
OBJS += ../src/ap/wpa_auth.o
OBJS += ../src/ap/wpa_auth_ie.o
@@ -1920,6 +1937,12 @@ wpa_priv: $(BCHECK) $(OBJS_priv)
@@ -1996,6 +2013,12 @@ wpa_priv: $(BCHECK) $(OBJS_priv)
_OBJS_VAR := OBJS
include ../src/objs.mk
@ -141,7 +141,7 @@
wpa_supplicant: $(BCHECK) $(OBJS) $(EXTRA_progs)
$(Q)$(LDO) $(LDFLAGS) -o wpa_supplicant $(OBJS) $(LIBS) $(EXTRALIBS)
@$(E) " LD " $@
@@ -2052,6 +2075,12 @@ eap_gpsk.so: $(SRC_EAP_GPSK)
@@ -2128,6 +2151,12 @@ eap_gpsk.so: $(SRC_EAP_GPSK)
$(Q)sed -e 's|\@BINDIR\@|$(BINDIR)|g' $< >$@
@$(E) " sed" $<

6
package/network/services/hostapd/patches/500-lto-jobserver-support.patch
View File

@ -1,6 +1,6 @@
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@@ -1307,7 +1307,7 @@ hostapd_multi.a: $(BCHECK) $(OBJS)
@@ -1394,7 +1394,7 @@ hostapd_multi.a: $(BCHECK) $(OBJS)
@$(AR) cr $@ hostapd_multi.o $(OBJS)
hostapd: $(OBJS)
@ -9,7 +9,7 @@
@$(E) " LD " $@
ifdef CONFIG_WPA_TRACE
@@ -1318,7 +1318,7 @@ _OBJS_VAR := OBJS_c
@@ -1405,7 +1405,7 @@ _OBJS_VAR := OBJS_c
include ../src/objs.mk
hostapd_cli: $(OBJS_c)
@ -20,7 +20,7 @@
NOBJS = nt_password_hash.o ../src/crypto/ms_funcs.o $(SHA1OBJS)
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -1949,31 +1949,31 @@ wpa_supplicant_multi.a: .config $(BCHECK
@@ -2025,31 +2025,31 @@ wpa_supplicant_multi.a: .config $(BCHECK
@$(AR) cr $@ wpa_supplicant_multi.o $(OBJS)
wpa_supplicant: $(BCHECK) $(OBJS) $(EXTRA_progs)