Add patches: - 170-wpa_supplicant-fix-compiling-without-IEEE8021X_EAPOL.patch Remove upstreamed: - 170-DPP-fix-memleak-of-intro.peer_key.patch - 461-driver_nl80211-use-new-parameters-during-ibss-join.patch - 800-acs-don-t-select-indoor-channel-on-outdoor-operation.patch - 992-openssl-include-rsa.patch Automatically refreshed: - 011-mesh-use-deterministic-channel-on-channel-switch.patch - 021-fix-sta-add-after-previous-connection.patch - 022-hostapd-fix-use-of-uninitialized-stack-variables.patch - 030-driver_nl80211-rewrite-neigh-code-to-not-depend-on-l.patch - 040-mesh-allow-processing-authentication-frames-in-block.patch - 050-build_fix.patch - 110-mbedtls-TLS-crypto-option-initial-port.patch - 120-mbedtls-fips186_2_prf.patch - 140-tests-Makefile-make-run-tests-with-CONFIG_TLS.patch - 150-add-NULL-checks-encountered-during-tests-hwsim.patch - 160-dpp_pkex-EC-point-mul-w-value-prime.patch - 200-multicall.patch - 300-noscan.patch - 310-rescan_immediately.patch - 330-nl80211_fix_set_freq.patch - 341-mesh-ctrl-iface-channel-switch.patch - 360-ctrl_iface_reload.patch - 381-hostapd_cli_UNKNOWN-COMMAND.patch - 390-wpa_ie_cap_workaround.patch - 410-limit_debug_messages.patch - 420-indicate-features.patch - 430-hostapd_cli_ifdef.patch - 450-scan_wait.patch - 460-wpa_supplicant-add-new-config-params-to-be-used-with.patch - 463-add-mcast_rate-to-11s.patch - 465-hostapd-config-support-random-BSS-color.patch - 500-lto-jobserver-support.patch - 590-rrm-wnm-statistics.patch - 710-vlan_no_bridge.patch - 720-iface_max_num_sta.patch - 730-ft_iface.patch - 750-qos_map_set_without_interworking.patch - 751-qos_map_ignore_when_unsupported.patch - 760-dynamic_own_ip.patch - 761-shared_das_port.patch - 990-ctrl-make-WNM_AP-functions-dependant-on-CONFIG_AP.patch Manually refresh: - 010-mesh-Allow-DFS-channels-to-be-selected-if-dfs-is-ena.patch - 301-mesh-noscan.patch - 340-reload_freq_change.patch - 350-nl80211_del_beacon_bss.patch - 370-ap_sta_support.patch - 
380-disable_ctrl_iface_mib.patch - 464-fix-mesh-obss-check.patch - 470-survey_data_fallback.patch - 600-ubus_support.patch - 700-wifi-reload.patch - 711-wds_bridge_force.patch - 740-snoop_iface.patch Tested-by: Packet Please <pktpls@systemli.org> [Fritzbox 4040 (ipq40xx), EAP225-Outdoor (ath79); 802.11s, WPA3 OWE, and WPA3 PSK] Tested-by: Andrew Sim <andrewsimz@gmail.com> [mediatek/filogic] Signed-off-by: Nick Hainke <vincent@systemli.org>
From c8dba4bd750269bcc80fed3d546e2077cb4cdf0e Mon Sep 17 00:00:00 2001
From: Glenn Strauss <gstrauss@gluelogic.com>
Date: Tue, 19 Jul 2022 20:02:21 -0400
Subject: [PATCH 2/7] mbedtls: fips186_2_prf()
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
---
hostapd/Makefile | 4 ---
src/crypto/crypto_mbedtls.c | 60 +++++++++++++++++++++++++++++++++++++
wpa_supplicant/Makefile | 4 ---
3 files changed, 60 insertions(+), 8 deletions(-)
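--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@@ -759,10 +759,6 @@ endif
 OBJS += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
 HOBJS += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
 SOBJS += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
-ifdef NEED_FIPS186_2_PRF
-OBJS += ../src/crypto/fips_prf_internal.o
-SHA1OBJS += ../src/crypto/sha1-internal.o
-endif
 ifeq ($(CONFIG_CRYPTO), mbedtls)
 ifdef CONFIG_DPP
 LIBS += -lmbedx509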
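--- a/src/crypto/crypto_mbedtls.c
+++ b/src/crypto/crypto_mbedtls.c
@@ -132,6 +132,12 @@
 #define CRYPTO_MBEDTLS_HMAC_KDF_SHA512
 #endif
 
+#if defined(EAP_SIM) || defined(EAP_SIM_DYNAMIC) || defined(EAP_SERVER_SIM) \
+ || defined(EAP_AKA) || defined(EAP_AKA_DYNAMIC) || defined(EAP_SERVER_AKA)
+/* EAP_SIM=y EAP_AKA=y */
+#define CRYPTO_MBEDTLS_FIPS186_2_PRF
+#endif
+
 #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST) \
 || defined(EAP_TEAP) || defined(EAP_TEAP_DYNAMIC) || defined(EAP_SERVER_FAST)
 #define CRYPTO_MBEDTLS_SHA1_T_PRF
@@ -813,6 +819,60 @@ int sha1_t_prf(const u8 *key, size_t key
 
 #endif /* CRYPTO_MBEDTLS_SHA1_T_PRF */
 
+#ifdef CRYPTO_MBEDTLS_FIPS186_2_PRF
+
+/* fips_prf_internal.c sha1-internal.c */
+
+/* used only by src/eap_common/eap_sim_common.c:eap_sim_prf()
+ * for eap_sim_derive_keys() and eap_sim_derive_keys_reauth()
+ * where xlen is 160 */
+
+int fips186_2_prf(const u8 *seed, size_t seed_len, u8 *x, size_t xlen)
+{
+ /* FIPS 186-2 + change notice 1 */
+
+ mbedtls_sha1_context ctx;
+ u8 * const xkey = ctx.MBEDTLS_PRIVATE(buffer);
+ u32 * const xstate = ctx.MBEDTLS_PRIVATE(state);
+ const u32 xstate_init[] =
+ { 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0 };
+
+ mbedtls_sha1_init(&ctx);
+ os_memcpy(xkey, seed, seed_len < 64 ? seed_len : 64);
+
+ /* note: does not fill extra bytes if (xlen % 20) (SHA1_MAC_LEN) */
+ for (; xlen >= 20; xlen -= 20) {
+ /* XSEED_j = 0 */
+ /* XVAL = (XKEY + XSEED_j) mod 2^b */
+
+ /* w_i = G(t, XVAL) */
+ os_memcpy(xstate, xstate_init, sizeof(xstate_init));
+ mbedtls_internal_sha1_process(&ctx, xkey);
+
+ #if __BYTE_ORDER == __LITTLE_ENDIAN
+ xstate[0] = host_to_be32(xstate[0]);
+ xstate[1] = host_to_be32(xstate[1]);
+ xstate[2] = host_to_be32(xstate[2]);
+ xstate[3] = host_to_be32(xstate[3]);
+ xstate[4] = host_to_be32(xstate[4]);
+ #endif
+ os_memcpy(x, xstate, 20);
+ if (xlen == 20) /*(done; skip prep for next loop)*/
+ break;
+
+ /* XKEY = (1 + XKEY + w_i) mod 2^b */
+ for (u32 carry = 1, k = 20; k-- > 0; carry >>= 8)
+ xkey[k] = (carry += xkey[k] + x[k]) & 0xff;
+ x += 20;
+ /* x_j = w_0|w_1 (each pair of iterations through loop)*/
+ }
+
+ mbedtls_sha1_free(&ctx);
+ return 0;
+}
+
+#endif /* CRYPTO_MBEDTLS_FIPS186_2_PRF */
+
 #endif /* MBEDTLS_SHA1_C */
 
 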
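Review bot: fips186_2_prf() returns 0 unconditionally: the result of `mbedtls_internal_sha1_process(&ctx, xkey)` is discarded, and, as the in-code note admits, trailing bytes of `x` stay unwritten when `xlen` is not a multiple of 20. Because the header comment says this output feeds eap_sim_derive_keys() and eap_sim_derive_keys_reauth(), a failing compression step (plausible with an alternative SHA-1 backend in Mbed TLS; to be confirmed for the targeted builds) or an unexpected `xlen` would leave stale buffer contents in key material while the caller sees success. Consider `if (mbedtls_internal_sha1_process(&ctx, xkey) != 0) { mbedtls_sha1_free(&ctx); return -1; }` and rejecting `xlen % 20 != 0` up front, or at least stating that contract in the function comment. Seeds longer than 64 bytes are also silently truncated by `seed_len < 64 ? seed_len : 64`; returning -1 there would make misuse visible. The code additionally relies on mbedtls_sha1_init() zero-filling the context buffer and on the default context layout behind `MBEDTLS_PRIVATE`, which deserves a one-line comment next to the `xkey`/`xstate` declarations.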
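--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -1174,10 +1174,6 @@ endif
 OBJS += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
 OBJS_p += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
 OBJS_priv += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
-ifdef NEED_FIPS186_2_PRF
-OBJS += ../src/crypto/fips_prf_internal.o
-SHA1OBJS += ../src/crypto/sha1-internal.o
-endif
 ifeq ($(CONFIG_CRYPTO), mbedtls)
 LIBS += -lmbedcrypto
 LIBS_p += -lmbedcrypto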