forked from openwrt/openwrt
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
hostapd: backport wolfssl bignum fixes
crypto_bignum_rand() use needless time-consuming filtering which resulted in SAE no longer connecting within time limits. Import fixes from hostap upstream to fix that. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
- Loading branch information
Showing
4 changed files
with
107 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
31 changes: 31 additions & 0 deletions
31
...vices/hostapd/patches/091-0001-wolfssl-Fix-compiler-warnings-on-size_t-printf-forma.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
From 6a28c4dbc102de3fed9db44637f47a10e7adfb78 Mon Sep 17 00:00:00 2001 | ||
From: Jouni Malinen <j@w1.fi> | ||
Date: Sat, 16 May 2020 21:01:51 +0300 | ||
Subject: [PATCH 1/3] wolfssl: Fix compiler warnings on size_t printf format | ||
use | ||
|
||
Signed-off-by: Jouni Malinen <j@w1.fi> | ||
--- | ||
src/crypto/tls_wolfssl.c | 4 ++-- | ||
1 file changed, 2 insertions(+), 2 deletions(-) | ||
|
||
--- a/src/crypto/tls_wolfssl.c | ||
+++ b/src/crypto/tls_wolfssl.c | ||
@@ -1741,7 +1741,7 @@ struct wpabuf * tls_connection_encrypt(v | ||
if (!conn) | ||
return NULL; | ||
|
||
- wpa_printf(MSG_DEBUG, "SSL: encrypt: %ld bytes", wpabuf_len(in_data)); | ||
+ wpa_printf(MSG_DEBUG, "SSL: encrypt: %zu bytes", wpabuf_len(in_data)); | ||
|
||
wolfssl_reset_out_data(&conn->output); | ||
|
||
@@ -1792,7 +1792,7 @@ struct wpabuf * tls_connection_decrypt(v | ||
} | ||
wpabuf_put(buf, res); | ||
|
||
- wpa_printf(MSG_DEBUG, "SSL: decrypt: %ld bytes", wpabuf_len(buf)); | ||
+ wpa_printf(MSG_DEBUG, "SSL: decrypt: %zu bytes", wpabuf_len(buf)); | ||
|
||
return buf; | ||
} |
49 changes: 49 additions & 0 deletions
49
...ork/services/hostapd/patches/091-0002-wolfssl-Fix-crypto_bignum_rand-implementation.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
From eb595b3e3ab531645a5bde71cf6385335b7a4b95 Mon Sep 17 00:00:00 2001 | ||
From: Jouni Malinen <j@w1.fi> | ||
Date: Sat, 16 May 2020 21:02:17 +0300 | ||
Subject: [PATCH 2/3] wolfssl: Fix crypto_bignum_rand() implementation | ||
|
||
The previous implementation used mp_rand_prime() to generate a random | ||
value in range 0..m. That is insanely slow way of generating a random | ||
value since mp_rand_prime() is for generating a random _prime_ which is | ||
not what is needed here. Replace that implementation with generationg of | ||
a random value in the requested range without doing any kind of prime | ||
number checks or loops to reject values that are not primes. | ||
|
||
This speeds up SAE and EAP-pwd routines by couple of orders of | ||
magnitude.. | ||
|
||
Signed-off-by: Jouni Malinen <j@w1.fi> | ||
--- | ||
src/crypto/crypto_wolfssl.c | 12 +++++++----- | ||
1 file changed, 7 insertions(+), 5 deletions(-) | ||
|
||
--- a/src/crypto/crypto_wolfssl.c | ||
+++ b/src/crypto/crypto_wolfssl.c | ||
@@ -1084,19 +1084,21 @@ int crypto_bignum_rand(struct crypto_big | ||
{ | ||
int ret = 0; | ||
WC_RNG rng; | ||
+ size_t len; | ||
+ u8 *buf; | ||
|
||
if (TEST_FAIL()) | ||
return -1; | ||
if (wc_InitRng(&rng) != 0) | ||
return -1; | ||
- if (mp_rand_prime((mp_int *) r, | ||
- (mp_count_bits((mp_int *) m) + 7) / 8 * 2, | ||
- &rng, NULL) != 0) | ||
- ret = -1; | ||
- if (ret == 0 && | ||
+ len = (mp_count_bits((mp_int *) m) + 7) / 8; | ||
+ buf = os_malloc(len); | ||
+ if (!buf || wc_RNG_GenerateBlock(&rng, buf, len) != 0 || | ||
+ mp_read_unsigned_bin((mp_int *) r, buf, len) != MP_OKAY || | ||
mp_mod((mp_int *) r, (mp_int *) m, (mp_int *) r) != 0) | ||
ret = -1; | ||
wc_FreeRng(&rng); | ||
+ bin_clear_free(buf, len); | ||
return ret; | ||
} | ||
|
26 changes: 26 additions & 0 deletions
26
...vices/hostapd/patches/091-0003-wolfssl-Do-not-hardcode-include-directory-in-wpa_sup.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
From 79488da576aeeb9400e1742fab7f463eed0fa7a1 Mon Sep 17 00:00:00 2001 | ||
From: Jouni Malinen <j@w1.fi> | ||
Date: Sat, 16 May 2020 21:07:45 +0300 | ||
Subject: [PATCH 3/3] wolfssl: Do not hardcode include directory in | ||
wpa_supplicant build | ||
|
||
This is not really appropriate for any kind of cross compilations and is | ||
not really needed in general since system specific values can be set in | ||
.config. | ||
|
||
Signed-off-by: Jouni Malinen <j@w1.fi> | ||
--- | ||
wpa_supplicant/Makefile | 2 +- | ||
1 file changed, 1 insertion(+), 1 deletion(-) | ||
|
||
--- a/wpa_supplicant/Makefile | ||
+++ b/wpa_supplicant/Makefile | ||
@@ -1086,7 +1086,7 @@ endif | ||
|
||
ifeq ($(CONFIG_TLS), wolfssl) | ||
ifdef TLS_FUNCS | ||
-CFLAGS += -DWOLFSSL_DER_LOAD -I/usr/local/include/wolfssl | ||
+CFLAGS += -DWOLFSSL_DER_LOAD | ||
OBJS += ../src/crypto/tls_wolfssl.o | ||
endif | ||
OBJS += ../src/crypto/crypto_wolfssl.o |