From: Daniel Golle Date: Sat, 16 May 2020 21:23:41 +0000 (+0200) Subject: hostapd: backport wolfssl bignum fixes X-Git-Tag: v21.02.0-rc1~2800 X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=631c437a91c20df678b25dcc34fe23636116a35a;p=openwrt%2Fopenwrt.git hostapd: backport wolfssl bignum fixes crypto_bignum_rand() use needless time-consuming filtering which resulted in SAE no longer connecting within time limits. Import fixes from hostap upstream to fix that. Signed-off-by: Daniel Golle
---
diff --git a/package/network/services/hostapd/Makefile b/package/network/services/hostapd/Makefile
index aa57d2121a..4fd285390e 100644
--- a/package/network/services/hostapd/Makefile
+++ b/package/network/services/hostapd/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=hostapd
-PKG_RELEASE:=9
+PKG_RELEASE:=10
 PKG_SOURCE_URL:=http://w1.fi/hostap.git
 PKG_SOURCE_PROTO:=git
diff --git a/package/network/services/hostapd/patches/091-0001-wolfssl-Fix-compiler-warnings-on-size_t-printf-forma.patch b/package/network/services/hostapd/patches/091-0001-wolfssl-Fix-compiler-warnings-on-size_t-printf-forma.patch
new file mode 100644
index 0000000000..464bcff0b5
--- /dev/null
+++ b/package/network/services/hostapd/patches/091-0001-wolfssl-Fix-compiler-warnings-on-size_t-printf-forma.patch
@@ -0,0 +1,31 @@
+From 6a28c4dbc102de3fed9db44637f47a10e7adfb78 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen
+Date: Sat, 16 May 2020 21:01:51 +0300
+Subject: [PATCH 1/3] wolfssl: Fix compiler warnings on size_t printf format
+ use
+
+Signed-off-by: Jouni Malinen
+---
+ src/crypto/tls_wolfssl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/src/crypto/tls_wolfssl.c
++++ b/src/crypto/tls_wolfssl.c
+@@ -1741,7 +1741,7 @@ struct wpabuf * tls_connection_encrypt(v
+ if (!conn)
+ return NULL;
+
+- wpa_printf(MSG_DEBUG, "SSL: encrypt: %ld bytes", wpabuf_len(in_data));
++ wpa_printf(MSG_DEBUG, "SSL: encrypt: %zu bytes", wpabuf_len(in_data));
+
+ wolfssl_reset_out_data(&conn->output);
+
+@@ -1792,7 +1792,7 @@ struct wpabuf * tls_connection_decrypt(v
+ }
+ wpabuf_put(buf, res);
+
+- wpa_printf(MSG_DEBUG, "SSL: decrypt: %ld bytes", wpabuf_len(buf));
++ wpa_printf(MSG_DEBUG, "SSL: decrypt: %zu bytes", wpabuf_len(buf));
+
+ return buf;
+ }
diff --git a/package/network/services/hostapd/patches/091-0002-wolfssl-Fix-crypto_bignum_rand-implementation.patch b/package/network/services/hostapd/patches/091-0002-wolfssl-Fix-crypto_bignum_rand-implementation.patch
new file mode 100644
index 0000000000..2464b63489
--- /dev/null
+++ b/package/network/services/hostapd/patches/091-0002-wolfssl-Fix-crypto_bignum_rand-implementation.patch
@@ -0,0 +1,49 @@
+From eb595b3e3ab531645a5bde71cf6385335b7a4b95 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen
+Date: Sat, 16 May 2020 21:02:17 +0300
+Subject: [PATCH 2/3] wolfssl: Fix crypto_bignum_rand() implementation
+
+The previous implementation used mp_rand_prime() to generate a random
+value in range 0..m. That is insanely slow way of generating a random
+value since mp_rand_prime() is for generating a random _prime_ which is
+not what is needed here. Replace that implementation with generationg of
+a random value in the requested range without doing any kind of prime
+number checks or loops to reject values that are not primes.
+
+This speeds up SAE and EAP-pwd routines by couple of orders of
+magnitude..
+
+Signed-off-by: Jouni Malinen
+---
+ src/crypto/crypto_wolfssl.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/src/crypto/crypto_wolfssl.c
++++ b/src/crypto/crypto_wolfssl.c
+@@ -1084,19 +1084,21 @@ int crypto_bignum_rand(struct crypto_big
+ {
+ int ret = 0;
+ WC_RNG rng;
++ size_t len;
++ u8 *buf;
+
+ if (TEST_FAIL())
+ return -1;
+ if (wc_InitRng(&rng) != 0)
+ return -1;
+- if (mp_rand_prime((mp_int *) r,
+- (mp_count_bits((mp_int *) m) + 7) / 8 * 2,
+- &rng, NULL) != 0)
+- ret = -1;
+- if (ret == 0 &&
++ len = (mp_count_bits((mp_int *) m) + 7) / 8;
++ buf = os_malloc(len);
++ if (!buf || wc_RNG_GenerateBlock(&rng, buf, len) != 0 ||
++ mp_read_unsigned_bin((mp_int *) r, buf, len) != MP_OKAY ||
+ mp_mod((mp_int *) r, (mp_int *) m, (mp_int *) r) != 0)
+ ret = -1;
+ wc_FreeRng(&rng);
++ bin_clear_free(buf, len);
+ return ret;
+ }
+
diff --git a/package/network/services/hostapd/patches/091-0003-wolfssl-Do-not-hardcode-include-directory-in-wpa_sup.patch b/package/network/services/hostapd/patches/091-0003-wolfssl-Do-not-hardcode-include-directory-in-wpa_sup.patch
new file mode 100644
index 0000000000..b15dccd7d1
--- /dev/null
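Review bot: The new crypto_bignum_rand() body in the crypto_wolfssl.c hunk draws exactly `len = (bits(m) + 7) / 8` bytes and then reduces with mp_mod(), so the result is not uniform over [0, m): unless m is a power of two, residues below 2^(8*len) mod m come out more often than the rest, and the commit description says this value feeds SAE and EAP-pwd. How much that bias matters depends on the group orders used by the callers, which this hunk does not show, but the standard mitigation is cheap: draw 64 extra bits before reducing, `len = (mp_count_bits((mp_int *) m) + 7) / 8 + 8;`, so the bias drops to about 2^-64, or alternatively reject candidates that are >= m in a short loop. A one-line comment above the reduction stating which of the two the implementation relies on would help the next reader. The function's signature line is outside the hunk (only its name appears in the `@@` context); the body shown is complete.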
+++ b/package/network/services/hostapd/patches/091-0003-wolfssl-Do-not-hardcode-include-directory-in-wpa_sup.patch
@@ -0,0 +1,26 @@
+From 79488da576aeeb9400e1742fab7f463eed0fa7a1 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen
+Date: Sat, 16 May 2020 21:07:45 +0300
+Subject: [PATCH 3/3] wolfssl: Do not hardcode include directory in
+ wpa_supplicant build
+
+This is not really appropriate for any kind of cross compilations and is
+not really needed in general since system specific values can be set in
+.config.
+
+Signed-off-by: Jouni Malinen
+---
+ wpa_supplicant/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -1086,7 +1086,7 @@ endif
+
+ ifeq ($(CONFIG_TLS), wolfssl)
+ ifdef TLS_FUNCS
+-CFLAGS += -DWOLFSSL_DER_LOAD -I/usr/local/include/wolfssl
++CFLAGS += -DWOLFSSL_DER_LOAD
+ OBJS += ../src/crypto/tls_wolfssl.o
+ endif
+ OBJS += ../src/crypto/crypto_wolfssl.o