hostapd: add mbedtls variant

This adds the current WIP mbedtls patches for hostapd. The motivation
here is to reduce size.

Signed-off-by: Rosen Penev <rosenp@gmail.com>

package/network/services/hostapd/Config.in

@@ -4,20 +4,25 @@ config WPA_RFKILL_SUPPORT
 	depends on PACKAGE_wpa-supplicant || \
 		   PACKAGE_wpa-supplicant-openssl || \
 		   PACKAGE_wpa-supplicant-wolfssl || \
+		   PACKAGE_wpa-supplicant-mbedtls || \
 		   PACKAGE_wpa-supplicant-mesh-openssl || \
 		   PACKAGE_wpa-supplicant-mesh-wolfssl || \
+		   PACKAGE_wpa-supplicant-mesh-mbedtls || \
 		   PACKAGE_wpa-supplicant-basic || \
 		   PACKAGE_wpa-supplicant-mini || \
 		   PACKAGE_wpa-supplicant-p2p || \
 		   PACKAGE_wpad || \
 		   PACKAGE_wpad-openssl || \
 		   PACKAGE_wpad-wolfssl || \
+		   PACKAGE_wpad-mbedtls || \
 		   PACKAGE_wpad-basic || \
 		   PACKAGE_wpad-basic-openssl || \
 		   PACKAGE_wpad-basic-wolfssl || \
+		   PACKAGE_wpad-basic-mbedtls || \
 		   PACKAGE_wpad-mini || \
 		   PACKAGE_wpad-mesh-openssl || \
-		   PACKAGE_wpad-mesh-wolfssl
+		   PACKAGE_wpad-mesh-wolfssl || \
+		   PACKAGE_wpad-mesh-mbedtls
 	default n
 
 config WPA_MSG_MIN_PRIORITY
@@ -25,20 +30,25 @@ config WPA_MSG_MIN_PRIORITY
 	depends on PACKAGE_wpa-supplicant || \
 		   PACKAGE_wpa-supplicant-openssl || \
 		   PACKAGE_wpa-supplicant-wolfssl || \
+		   PACKAGE_wpa-supplicant-mbedtls || \
 		   PACKAGE_wpa-supplicant-mesh-openssl || \
 		   PACKAGE_wpa-supplicant-mesh-wolfssl || \
+		   PACKAGE_wpa-supplicant-mesh-mbedtls || \
 		   PACKAGE_wpa-supplicant-basic || \
 		   PACKAGE_wpa-supplicant-mini || \
 		   PACKAGE_wpa-supplicant-p2p || \
 		   PACKAGE_wpad || \
 		   PACKAGE_wpad-openssl || \
 		   PACKAGE_wpad-wolfssl || \
+		   PACKAGE_wpad-mbedtls || \
 		   PACKAGE_wpad-basic || \
 		   PACKAGE_wpad-basic-openssl || \
 		   PACKAGE_wpad-basic-wolfssl || \
+		   PACKAGE_wpad-basic-mbedtls || \
 		   PACKAGE_wpad-mini || \
 		   PACKAGE_wpad-mesh-openssl || \
-		   PACKAGE_wpad-mesh-wolfssl
+		   PACKAGE_wpad-mesh-wolfssl || \
+		   PACKAGE_wpad-mesh-mbedtls
 	default 3
 	help
 	  Useful values are:
@@ -91,9 +101,11 @@ config WPA_MBO_SUPPORT
 	default PACKAGE_wpa-supplicant || \
 		PACKAGE_wpa-supplicant-openssl || \
 		PACKAGE_wpa-supplicant-wolfssl || \
+		PACKAGE_wpa-supplicant-mbedtls || \
 		PACKAGE_wpad || \
 		PACKAGE_wpad-openssl || \
-		PACKAGE_wpad-wolfssl
+		PACKAGE_wpad-wolfssl || \
+		PACKAGE_wpad-mbedtls
 	help
 	  Multi Band Operation aka (Agile Multiband) enables features
 	  that facilitate efficient use of multiple frequency bands.

package/network/services/hostapd/Makefile

@@ -52,14 +52,16 @@ LOCAL_AND_LIB_VARIANT=$(patsubst hostapd-%,%,\
 LOCAL_VARIANT=$(patsubst %-internal,%,\
 	      $(patsubst %-openssl,%,\
 	      $(patsubst %-wolfssl,%,\
+	      $(patsubst %-mbedtls,%,\
 	      $(LOCAL_AND_LIB_VARIANT)\
-	      )))
+	      ))))
 
 SSL_VARIANT=$(strip \
 		$(if $(findstring openssl,$(LOCAL_AND_LIB_VARIANT)),openssl,\
 		$(if $(findstring wolfssl,$(LOCAL_AND_LIB_VARIANT)),wolfssl,\
+		$(if $(findstring mbedtls,$(LOCAL_AND_LIB_VARIANT)),mbedtls,\
 		internal\
-		)))
+		))))
 
 CONFIG_VARIANT:=$(LOCAL_VARIANT)
 ifeq ($(LOCAL_VARIANT),mesh)
@@ -116,6 +118,21 @@ ifeq ($(SSL_VARIANT),wolfssl)
   endif
 endif
 
+ifeq ($(SSL_VARIANT),mbedtls)
+  DRIVER_MAKEOPTS += CONFIG_TLS=mbedtls CONFIG_SAE=y
+  TARGET_LDFLAGS += -lmbedcrypto -lmbedx509 -lmbedtls
+
+  ifeq ($(LOCAL_VARIANT),basic)
+    DRIVER_MAKEOPTS += CONFIG_OWE=y
+  endif
+  ifeq ($(LOCAL_VARIANT),mesh)
+    DRIVER_MAKEOPTS += CONFIG_AP=y CONFIG_MESH=y CONFIG_WPS_NFC=1
+  endif
+  ifeq ($(LOCAL_VARIANT),full)
+    DRIVER_MAKEOPTS += CONFIG_OWE=y CONFIG_SUITEB192=y CONFIG_AP=y CONFIG_MESH=y CONFIG_WPS_NFC=1
+  endif
+endif
+
 ifneq ($(LOCAL_TYPE),hostapd)
   ifdef CONFIG_WPA_RFKILL_SUPPORT
     DRIVER_MAKEOPTS += NEED_RFKILL=y
@@ -173,6 +190,15 @@ endef
 
 Package/hostapd-wolfssl/description = $(Package/hostapd/description)
 
+define Package/hostapd-mbedtls
+$(call Package/hostapd/Default,$(1))
+  TITLE+= (mbedTLS full)
+  VARIANT:=full-mbedtls
+  DEPENDS+=+PACKAGE_hostapd-mbedtls:libmbedtls
+endef
+
+Package/hostapd-mbedtls/description = $(Package/hostapd/description)
+
 define Package/hostapd-basic
 $(call Package/hostapd/Default,$(1))
   TITLE+= (WPA-PSK, 11r, 11w)
@@ -205,6 +231,17 @@ define Package/hostapd-basic-wolfssl/description
  This package contains a basic IEEE 802.1x/WPA Authenticator with WPA-PSK, 802.11r and 802.11w support.
 endef
 
+define Package/hostapd-basic-mbedtls
+$(call Package/hostapd/Default,$(1))
+  TITLE+= (WPA-PSK, 11r and 11w)
+  VARIANT:=basic-mbedtls
+  DEPENDS+=+PACKAGE_hostapd-basic-mbedtls:libmbedtls
+endef
+
+define Package/hostapd-basic-mbedtls/description
+ This package contains a basic IEEE 802.1x/WPA Authenticator with WPA-PSK, 802.11r and 802.11w support.
+endef
+
 define Package/hostapd-mini
 $(call Package/hostapd/Default,$(1))
   TITLE+= (WPA-PSK only)
@@ -260,6 +297,15 @@ endef
 
 Package/wpad-wolfssl/description = $(Package/wpad/description)
 
+define Package/wpad-mbedtls
+$(call Package/wpad/Default,$(1))
+  TITLE+= (mbedTLS full)
+  VARIANT:=wpad-full-mbedtls
+  DEPENDS+=+PACKAGE_wpad-mbedtls:libmbedtls
+endef
+
+Package/wpad-mbedtls/description = $(Package/wpad/description)
+
 define Package/wpad-basic
 $(call Package/wpad/Default,$(1))
   TITLE+= (WPA-PSK, 11r, 11w)
@@ -292,6 +338,17 @@ define Package/wpad-basic-wolfssl/description
  This package contains a basic IEEE 802.1x/WPA Authenticator and Supplicant with WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w support.
 endef
 
+define Package/wpad-basic-mbedtls
+$(call Package/wpad/Default,$(1))
+  TITLE+= (mbedTLS, 11r, 11w)
+  VARIANT:=wpad-basic-mbedtls
+  DEPENDS+=+PACKAGE_wpad-basic-mbedtls:libmbedtls
+endef
+
+define Package/wpad-basic-mbedtls/description
+ This package contains a basic IEEE 802.1x/WPA Authenticator and Supplicant with WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w support.
+endef
+
 define Package/wpad-mini
 $(call Package/wpad/Default,$(1))
   TITLE+= (WPA-PSK only)
@@ -330,6 +387,15 @@ endef
 
 Package/wpad-mesh-wolfssl/description = $(Package/wpad-mesh/description)
 
+define Package/wpad-mesh-mbedtls
+$(call Package/wpad-mesh,$(1))
+  TITLE+= (mbedTLS, 11s, SAE)
+  DEPENDS+=+PACKAGE_wpad-mesh-mbedtls:libmbedtls
+  VARIANT:=wpad-mesh-mbedtls
+endef
+
+Package/wpad-mesh-mbedtls/description = $(Package/wpad-mesh/description)
+
 
 define Package/wpa-supplicant/Default
   SECTION:=net
@@ -365,6 +431,13 @@ $(call Package/wpa-supplicant/Default,$(1))
   DEPENDS+=+PACKAGE_wpa-supplicant-wolfssl:libwolfssl
 endef
 
+define Package/wpa-supplicant-mbedtls
+$(call Package/wpa-supplicant/Default,$(1))
+  TITLE+= (mbedTLS full)
+  VARIANT:=supplicant-full-mbedtls
+  DEPENDS+=+PACKAGE_wpa-supplicant-mbedtls:libmbedtls
+endef
+
 define Package/wpa-supplicant/config
 	source "$(SOURCE)/Config.in"
 endef
@@ -396,6 +469,13 @@ $(call Package/wpa-supplicant-mesh/Default,$(1))
   DEPENDS+=+PACKAGE_wpa-supplicant-mesh-wolfssl:libwolfssl
 endef
 
+define Package/wpa-supplicant-mesh-mbedtls
+$(call Package/wpa-supplicant-mesh/Default,$(1))
+  TITLE+= (mbedTLS, 11s, SAE)
+  VARIANT:=supplicant-mesh-mbedtls
+  DEPENDS+=+PACKAGE_wpa-supplicant-mesh-mbedtls:libmbedtls
+endef
+
 define Package/wpa-supplicant-basic
 $(call Package/wpa-supplicant/Default,$(1))
   TITLE+= (11r, 11w)
@@ -472,6 +552,15 @@ define Package/eapol-test-wolfssl
   PROVIDES:=eapol-test
 endef
 
+define Package/eapol-test-mbedtls
+  $(call Package/eapol-test/Default,$(1))
+  TITLE+= (mbedTLS full)
+  VARIANT:=supplicant-full-mbedtls
+  CONFLICTS:=$(filter-out eapol-test-openssl ,$(filter-out eapol-test-mbedtls ,$(EAPOL_TEST_PROVIDERS)))
+  DEPENDS+=+PACKAGE_eapol-test-mbedtls:libmbedtls
+  PROVIDES:=eapol-test
+endef
+
 
 ifneq ($(wildcard $(PKG_BUILD_DIR)/.config_*),$(subst .configured_,.config_,$(STAMP_CONFIGURED)))
   define Build/Configure/rebuild
@@ -580,6 +669,12 @@ define Build/Compile/supplicant-full-wolfssl
 	)
 endef
 
+define Build/Compile/supplicant-full-mbedtls
+	+$(call Build/RunMake,wpa_supplicant, \
+		eapol_test \
+	)
+endef
+
 define Build/Compile
 	$(Build/Compile/$(LOCAL_TYPE))
 	$(Build/Compile/$(BUILD_VARIANT))
@@ -610,9 +705,11 @@ endef
 Package/hostapd-basic/install = $(Package/hostapd/install)
 Package/hostapd-basic-openssl/install = $(Package/hostapd/install)
 Package/hostapd-basic-wolfssl/install = $(Package/hostapd/install)
+Package/hostapd-basic-mbedtls/install = $(Package/hostapd/install)
 Package/hostapd-mini/install = $(Package/hostapd/install)
 Package/hostapd-openssl/install = $(Package/hostapd/install)
 Package/hostapd-wolfssl/install = $(Package/hostapd/install)
+Package/hostapd-mbedtls/install = $(Package/hostapd/install)
 
 ifneq ($(LOCAL_TYPE),supplicant)
   define Package/hostapd-utils/install
@@ -631,11 +728,14 @@ endef
 Package/wpad-basic/install = $(Package/wpad/install)
 Package/wpad-basic-openssl/install = $(Package/wpad/install)
 Package/wpad-basic-wolfssl/install = $(Package/wpad/install)
+Package/wpad-basic-mbedtls/install = $(Package/wpad/install)
 Package/wpad-mini/install = $(Package/wpad/install)
 Package/wpad-openssl/install = $(Package/wpad/install)
 Package/wpad-wolfssl/install = $(Package/wpad/install)
+Package/wpad-mbedtls/install = $(Package/wpad/install)
 Package/wpad-mesh-openssl/install = $(Package/wpad/install)
 Package/wpad-mesh-wolfssl/install = $(Package/wpad/install)
+Package/wpad-mesh-mbedtls/install = $(Package/wpad/install)
 
 define Package/wpa-supplicant/install
 	$(call Install/supplicant,$(1))
@@ -646,8 +746,10 @@ Package/wpa-supplicant-mini/install = $(Package/wpa-supplicant/install)
 Package/wpa-supplicant-p2p/install = $(Package/wpa-supplicant/install)
 Package/wpa-supplicant-openssl/install = $(Package/wpa-supplicant/install)
 Package/wpa-supplicant-wolfssl/install = $(Package/wpa-supplicant/install)
+Package/wpa-supplicant-mbedtls/install = $(Package/wpa-supplicant/install)
 Package/wpa-supplicant-mesh-openssl/install = $(Package/wpa-supplicant/install)
 Package/wpa-supplicant-mesh-wolfssl/install = $(Package/wpa-supplicant/install)
+Package/wpa-supplicant-mesh-mbedtls/install = $(Package/wpa-supplicant/install)
 
 ifneq ($(LOCAL_TYPE),hostapd)
   define Package/wpa-cli/install
@@ -677,6 +779,13 @@ ifeq ($(BUILD_VARIANT),supplicant-full-wolfssl)
   endef
 endif
 
+ifeq ($(BUILD_VARIANT),supplicant-full-mbedtls)
+  define Package/eapol-test-mbedtls/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(CP) $(PKG_BUILD_DIR)/wpa_supplicant/eapol_test $(1)/usr/sbin/
+  endef
+endif
+
 # Build hostapd-common before its dependents, to avoid
 # spurious rebuilds when building multiple variants.
 $(eval $(call BuildPackage,hostapd-common))
@@ -684,28 +793,36 @@ $(eval $(call BuildPackage,hostapd))
 $(eval $(call BuildPackage,hostapd-basic))
 $(eval $(call BuildPackage,hostapd-basic-openssl))
 $(eval $(call BuildPackage,hostapd-basic-wolfssl))
+$(eval $(call BuildPackage,hostapd-basic-mbedtls))
 $(eval $(call BuildPackage,hostapd-mini))
 $(eval $(call BuildPackage,hostapd-openssl))
 $(eval $(call BuildPackage,hostapd-wolfssl))
+$(eval $(call BuildPackage,hostapd-mbedtls))
 $(eval $(call BuildPackage,wpad))
 $(eval $(call BuildPackage,wpad-mesh-openssl))
 $(eval $(call BuildPackage,wpad-mesh-wolfssl))
+$(eval $(call BuildPackage,wpad-mesh-mbedtls))
 $(eval $(call BuildPackage,wpad-basic))
 $(eval $(call BuildPackage,wpad-basic-openssl))
 $(eval $(call BuildPackage,wpad-basic-wolfssl))
+$(eval $(call BuildPackage,wpad-basic-mbedtls))
 $(eval $(call BuildPackage,wpad-mini))
 $(eval $(call BuildPackage,wpad-openssl))
 $(eval $(call BuildPackage,wpad-wolfssl))
+$(eval $(call BuildPackage,wpad-mbedtls))
 $(eval $(call BuildPackage,wpa-supplicant))
 $(eval $(call BuildPackage,wpa-supplicant-mesh-openssl))
 $(eval $(call BuildPackage,wpa-supplicant-mesh-wolfssl))
+$(eval $(call BuildPackage,wpa-supplicant-mesh-mbedtls))
 $(eval $(call BuildPackage,wpa-supplicant-basic))
 $(eval $(call BuildPackage,wpa-supplicant-mini))
 $(eval $(call BuildPackage,wpa-supplicant-p2p))
 $(eval $(call BuildPackage,wpa-supplicant-openssl))
 $(eval $(call BuildPackage,wpa-supplicant-wolfssl))
+$(eval $(call BuildPackage,wpa-supplicant-mbedtls))
 $(eval $(call BuildPackage,wpa-cli))
 $(eval $(call BuildPackage,hostapd-utils))
 $(eval $(call BuildPackage,eapol-test))
 $(eval $(call BuildPackage,eapol-test-openssl))
 $(eval $(call BuildPackage,eapol-test-wolfssl))
+$(eval $(call BuildPackage,eapol-test-mbedtls))

package/network/services/hostapd/patches/120-mbedtls-fips186_2_prf.patch

@@ -0,0 +1,114 @@
+From c8dba4bd750269bcc80fed3d546e2077cb4cdf0e Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Tue, 19 Jul 2022 20:02:21 -0400
+Subject: [PATCH 2/7] mbedtls: fips186_2_prf()
+
+Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
+---
+ hostapd/Makefile            |  4 ---
+ src/crypto/crypto_mbedtls.c | 60 +++++++++++++++++++++++++++++++++++++
+ wpa_supplicant/Makefile     |  4 ---
+ 3 files changed, 60 insertions(+), 8 deletions(-)
+
+--- a/hostapd/Makefile
++++ b/hostapd/Makefile
+@@ -759,10 +759,6 @@ endif
+ OBJS += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
+ HOBJS += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
+ SOBJS += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
+-ifdef NEED_FIPS186_2_PRF
+-OBJS += ../src/crypto/fips_prf_internal.o
+-SHA1OBJS += ../src/crypto/sha1-internal.o
+-endif
+ ifeq ($(CONFIG_CRYPTO), mbedtls)
+ ifdef CONFIG_DPP
+ LIBS += -lmbedx509
+--- a/src/crypto/crypto_mbedtls.c
++++ b/src/crypto/crypto_mbedtls.c
+@@ -132,6 +132,12 @@
+ #define CRYPTO_MBEDTLS_HMAC_KDF_SHA512
+ #endif
+ 
++#if defined(EAP_SIM) || defined(EAP_SIM_DYNAMIC) || defined(EAP_SERVER_SIM) \
++ || defined(EAP_AKA) || defined(EAP_AKA_DYNAMIC) || defined(EAP_SERVER_AKA)
++/* EAP_SIM=y EAP_AKA=y */
++#define CRYPTO_MBEDTLS_FIPS186_2_PRF
++#endif
++
+ #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST) \
+  || defined(EAP_TEAP) || defined(EAP_TEAP_DYNAMIC) || defined(EAP_SERVER_FAST)
+ #define CRYPTO_MBEDTLS_SHA1_T_PRF
+@@ -813,6 +819,60 @@ int sha1_t_prf(const u8 *key, size_t key
+ 
+ #endif /* CRYPTO_MBEDTLS_SHA1_T_PRF */
+ 
++#ifdef CRYPTO_MBEDTLS_FIPS186_2_PRF
++
++/* fips_prf_internal.c sha1-internal.c */
++
++/* used only by src/eap_common/eap_sim_common.c:eap_sim_prf()
++ * for eap_sim_derive_keys() and eap_sim_derive_keys_reauth()
++ * where xlen is 160 */
++
++int fips186_2_prf(const u8 *seed, size_t seed_len, u8 *x, size_t xlen)
++{
++	/* FIPS 186-2 + change notice 1 */
++
++	mbedtls_sha1_context ctx;
++	u8 * const xkey = ctx.MBEDTLS_PRIVATE(buffer);
++	u32 * const xstate = ctx.MBEDTLS_PRIVATE(state);
++	const u32 xstate_init[] =
++	  { 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0 };
++
++	mbedtls_sha1_init(&ctx);
++	os_memcpy(xkey, seed, seed_len < 64 ? seed_len : 64);
++
++	/* note: does not fill extra bytes if (xlen % 20) (SHA1_MAC_LEN) */
++	for (; xlen >= 20; xlen -= 20) {
++		/* XSEED_j = 0 */
++		/* XVAL = (XKEY + XSEED_j) mod 2^b */
++
++		/* w_i = G(t, XVAL) */
++		os_memcpy(xstate, xstate_init, sizeof(xstate_init));
++		mbedtls_internal_sha1_process(&ctx, xkey);
++
++	  #if __BYTE_ORDER == __LITTLE_ENDIAN
++		xstate[0] = host_to_be32(xstate[0]);
++		xstate[1] = host_to_be32(xstate[1]);
++		xstate[2] = host_to_be32(xstate[2]);
++		xstate[3] = host_to_be32(xstate[3]);
++		xstate[4] = host_to_be32(xstate[4]);
++	  #endif
++		os_memcpy(x, xstate, 20);
++		if (xlen == 20) /*(done; skip prep for next loop)*/
++			break;
++
++		/* XKEY = (1 + XKEY + w_i) mod 2^b */
++		for (u32 carry = 1, k = 20; k-- > 0; carry >>= 8)
++			xkey[k] = (carry += xkey[k] + x[k]) & 0xff;
++		x += 20;
++		/* x_j = w_0|w_1 (each pair of iterations through loop)*/
++	}
++
++	mbedtls_sha1_free(&ctx);
++	return 0;
++}
++
++#endif /* CRYPTO_MBEDTLS_FIPS186_2_PRF */
++
+ #endif /* MBEDTLS_SHA1_C */
+ 
+ 
+--- a/wpa_supplicant/Makefile
++++ b/wpa_supplicant/Makefile
+@@ -1160,10 +1160,6 @@ endif
+ OBJS += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
+ OBJS_p += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
+ OBJS_priv += ../src/crypto/crypto_$(CONFIG_CRYPTO).o
+-ifdef NEED_FIPS186_2_PRF
+-OBJS += ../src/crypto/fips_prf_internal.o
+-SHA1OBJS += ../src/crypto/sha1-internal.o
+-endif
+ ifeq ($(CONFIG_CRYPTO), mbedtls)
+ LIBS += -lmbedcrypto
+ LIBS_p += -lmbedcrypto

package/network/services/hostapd/patches/130-mbedtls-annotate-with-TEST_FAIL-for-hwsim-tests.patch

@@ -0,0 +1,421 @@
+From 31bd19e0e0254b910cccfd3ddc6a6a9222bbcfc0 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Sun, 9 Oct 2022 05:12:17 -0400
+Subject: [PATCH 3/7] mbedtls: annotate with TEST_FAIL() for hwsim tests
+
+Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
+---
+ src/crypto/crypto_mbedtls.c | 124 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 124 insertions(+)
+
+--- a/src/crypto/crypto_mbedtls.c
++++ b/src/crypto/crypto_mbedtls.c
+@@ -280,6 +280,9 @@ __attribute_noinline__
+ static int md_vector(size_t num_elem, const u8 *addr[], const size_t *len,
+                      u8 *mac, mbedtls_md_type_t md_type)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	mbedtls_md_context_t ctx;
+ 	mbedtls_md_init(&ctx);
+ 	if (mbedtls_md_setup(&ctx, mbedtls_md_info_from_type(md_type), 0) != 0){
+@@ -343,6 +346,9 @@ __attribute_noinline__
+ static int sha384_512_vector(size_t num_elem, const u8 *addr[],
+                              const size_t *len, u8 *mac, int is384)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	struct mbedtls_sha512_context ctx;
+ 	mbedtls_sha512_init(&ctx);
+   #if MBEDTLS_VERSION_MAJOR >= 3
+@@ -375,6 +381,9 @@ int sha384_vector(size_t num_elem, const
+ #include <mbedtls/sha256.h>
+ int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	struct mbedtls_sha256_context ctx;
+ 	mbedtls_sha256_init(&ctx);
+   #if MBEDTLS_VERSION_MAJOR >= 3
+@@ -397,6 +406,9 @@ int sha256_vector(size_t num_elem, const
+ #include <mbedtls/sha1.h>
+ int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	struct mbedtls_sha1_context ctx;
+ 	mbedtls_sha1_init(&ctx);
+   #if MBEDTLS_VERSION_MAJOR >= 3
+@@ -419,6 +431,9 @@ int sha1_vector(size_t num_elem, const u
+ #include <mbedtls/md5.h>
+ int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	struct mbedtls_md5_context ctx;
+ 	mbedtls_md5_init(&ctx);
+   #if MBEDTLS_VERSION_MAJOR >= 3
+@@ -441,6 +456,9 @@ int md5_vector(size_t num_elem, const u8
+ #include <mbedtls/md4.h>
+ int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	struct mbedtls_md4_context ctx;
+ 	mbedtls_md4_init(&ctx);
+ 	mbedtls_md4_starts_ret(&ctx);
+@@ -460,6 +478,9 @@ static int hmac_vector(const u8 *key, si
+                        const u8 *addr[], const size_t *len, u8 *mac,
+                        mbedtls_md_type_t md_type)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	mbedtls_md_context_t ctx;
+ 	mbedtls_md_init(&ctx);
+ 	if (mbedtls_md_setup(&ctx, mbedtls_md_info_from_type(md_type), 1) != 0){
+@@ -571,6 +592,9 @@ static int hmac_kdf_expand(const u8 *prk
+                            const char *label, const u8 *info, size_t info_len,
+                            u8 *okm, size_t okm_len, mbedtls_md_type_t md_type)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_type);
+   #ifdef MBEDTLS_HKDF_C
+ 	if (label == NULL)  /* RFC 5869 HKDF-Expand when (label == NULL) */
+@@ -663,6 +687,9 @@ static int hmac_prf_bits(const u8 *key,
+                          const u8 *data, size_t data_len, u8 *buf,
+                          size_t buf_len_bits, mbedtls_md_type_t md_type)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	mbedtls_md_context_t ctx;
+ 	mbedtls_md_init(&ctx);
+ 	const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_type);
+@@ -938,6 +965,9 @@ int pbkdf2_sha1(const char *passphrase,
+ 
+ static void *aes_crypt_init_mode(const u8 *key, size_t len, int mode)
+ {
++	if (TEST_FAIL())
++		return NULL;
++
+ 	mbedtls_aes_context *aes = os_malloc(sizeof(*aes));
+ 	if (!aes)
+ 		return NULL;
+@@ -996,6 +1026,9 @@ void aes_decrypt_deinit(void *ctx)
+ /* aes-wrap.c */
+ int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	mbedtls_nist_kw_context ctx;
+ 	mbedtls_nist_kw_init(&ctx);
+ 	size_t olen;
+@@ -1010,6 +1043,9 @@ int aes_wrap(const u8 *kek, size_t kek_l
+ /* aes-unwrap.c */
+ int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher, u8 *plain)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	mbedtls_nist_kw_context ctx;
+ 	mbedtls_nist_kw_init(&ctx);
+ 	size_t olen;
+@@ -1041,6 +1077,9 @@ int omac1_aes_vector(
+     const u8 *key, size_t key_len, size_t num_elem, const u8 *addr[],
+     const size_t *len, u8 *mac)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	mbedtls_cipher_type_t cipher_type;
+ 	switch (key_len) {
+ 	case 16: cipher_type = MBEDTLS_CIPHER_AES_128_ECB; break;
+@@ -1103,6 +1142,9 @@ int omac1_aes_256(const u8 *key, const u
+ /* aes-encblock.c */
+ int aes_128_encrypt_block(const u8 *key, const u8 *in, u8 *out)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	mbedtls_aes_context aes;
+ 	mbedtls_aes_init(&aes);
+ 	int ret = mbedtls_aes_setkey_enc(&aes, key, 128)
+@@ -1118,6 +1160,9 @@ int aes_128_encrypt_block(const u8 *key,
+ int aes_ctr_encrypt(const u8 *key, size_t key_len, const u8 *nonce,
+ 		    u8 *data, size_t data_len)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	unsigned char counter[MBEDTLS_AES_BLOCK_SIZE];
+ 	unsigned char stream_block[MBEDTLS_AES_BLOCK_SIZE];
+ 	os_memcpy(counter, nonce, MBEDTLS_AES_BLOCK_SIZE);/*(must be writable)*/
+@@ -1160,11 +1205,17 @@ static int aes_128_cbc_oper(const u8 *ke
+ 
+ int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	return aes_128_cbc_oper(key, iv, data, data_len, MBEDTLS_AES_ENCRYPT);
+ }
+ 
+ int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	return aes_128_cbc_oper(key, iv, data, data_len, MBEDTLS_AES_DECRYPT);
+ }
+ 
+@@ -1407,6 +1458,10 @@ int crypto_hash_finish(struct crypto_has
+ 	}
+ 	mbedtls_md_free(mctx);
+ 	os_free(mctx);
++
++	if (TEST_FAIL())
++		return -1;
++
+ 	return 0;
+ }
+ 
+@@ -1421,6 +1476,9 @@ int crypto_hash_finish(struct crypto_has
+ 
+ struct crypto_bignum *crypto_bignum_init(void)
+ {
++	if (TEST_FAIL())
++		return NULL;
++
+ 	mbedtls_mpi *bn = os_malloc(sizeof(*bn));
+ 	if (bn)
+ 		mbedtls_mpi_init(bn);
+@@ -1429,6 +1487,9 @@ struct crypto_bignum *crypto_bignum_init
+ 
+ struct crypto_bignum *crypto_bignum_init_set(const u8 *buf, size_t len)
+ {
++	if (TEST_FAIL())
++		return NULL;
++
+ 	mbedtls_mpi *bn = os_malloc(sizeof(*bn));
+ 	if (bn) {
+ 		mbedtls_mpi_init(bn);
+@@ -1442,6 +1503,9 @@ struct crypto_bignum *crypto_bignum_init
+ 
+ struct crypto_bignum *crypto_bignum_init_uint(unsigned int val)
+ {
++	if (TEST_FAIL())
++		return NULL;
++
+   #if 0 /*(hostap use of this interface passes int, not uint)*/
+ 	val = host_to_be32(val);
+ 	return crypto_bignum_init_set((const u8 *)&val, sizeof(val));
+@@ -1467,6 +1531,9 @@ void crypto_bignum_deinit(struct crypto_
+ int crypto_bignum_to_bin(const struct crypto_bignum *a,
+ 			 u8 *buf, size_t buflen, size_t padlen)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	size_t n = mbedtls_mpi_size((mbedtls_mpi *)a);
+ 	if (n < padlen)
+ 		n = padlen;
+@@ -1477,6 +1544,9 @@ int crypto_bignum_to_bin(const struct cr
+ 
+ int crypto_bignum_rand(struct crypto_bignum *r, const struct crypto_bignum *m)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	/*assert(r != m);*//* r must not be same as m for mbedtls_mpi_random()*/
+   #if MBEDTLS_VERSION_NUMBER >= 0x021B0000 /* mbedtls 2.27.0 */
+ 	return mbedtls_mpi_random((mbedtls_mpi *)r, 0, (mbedtls_mpi *)m,
+@@ -1513,6 +1583,9 @@ int crypto_bignum_exptmod(const struct c
+ 			  const struct crypto_bignum *c,
+ 			  struct crypto_bignum *d)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	/* (check if input params match d; d is the result) */
+ 	/* (a == d) is ok in current mbedtls implementation */
+ 	if (b == d || c == d) { /*(not ok; store result in intermediate)*/
+@@ -1540,6 +1613,9 @@ int crypto_bignum_inverse(const struct c
+ 			  const struct crypto_bignum *b,
+ 			  struct crypto_bignum *c)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	return mbedtls_mpi_inv_mod((mbedtls_mpi *)c,
+ 				   (const mbedtls_mpi *)a,
+ 				   (const mbedtls_mpi *)b) ? -1 : 0;
+@@ -1549,6 +1625,9 @@ int crypto_bignum_sub(const struct crypt
+ 		      const struct crypto_bignum *b,
+ 		      struct crypto_bignum *c)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	return mbedtls_mpi_sub_mpi((mbedtls_mpi *)c,
+ 				   (const mbedtls_mpi *)a,
+ 				   (const mbedtls_mpi *)b) ? -1 : 0;
+@@ -1558,6 +1637,9 @@ int crypto_bignum_div(const struct crypt
+ 		      const struct crypto_bignum *b,
+ 		      struct crypto_bignum *c)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	/*(most current use of this crypto.h interface has a == c (result),
+ 	 * so store result in an intermediate to avoid overwritten input)*/
+ 	mbedtls_mpi R;
+@@ -1575,6 +1657,9 @@ int crypto_bignum_addmod(const struct cr
+ 			 const struct crypto_bignum *c,
+ 			 struct crypto_bignum *d)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	return mbedtls_mpi_add_mpi((mbedtls_mpi *)d,
+ 				   (const mbedtls_mpi *)a,
+ 				   (const mbedtls_mpi *)b)
+@@ -1588,6 +1673,9 @@ int crypto_bignum_mulmod(const struct cr
+ 			 const struct crypto_bignum *c,
+ 			 struct crypto_bignum *d)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	return mbedtls_mpi_mul_mpi((mbedtls_mpi *)d,
+ 				   (const mbedtls_mpi *)a,
+ 				   (const mbedtls_mpi *)b)
+@@ -1600,6 +1688,9 @@ int crypto_bignum_sqrmod(const struct cr
+ 			 const struct crypto_bignum *b,
+ 			 struct crypto_bignum *c)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+   #if 1
+ 	return crypto_bignum_mulmod(a, a, b, c);
+   #else
+@@ -1650,6 +1741,9 @@ int crypto_bignum_is_odd(const struct cr
+ int crypto_bignum_legendre(const struct crypto_bignum *a,
+ 			   const struct crypto_bignum *p)
+ {
++	if (TEST_FAIL())
++		return -2;
++
+ 	/* Security Note:
+ 	 * mbedtls_mpi_exp_mod() is not documented to run in constant time,
+ 	 * though mbedtls/library/bignum.c uses constant_time_internal.h funcs.
+@@ -1702,6 +1796,9 @@ int crypto_mod_exp(const u8 *base, size_
+ 		   const u8 *modulus, size_t modulus_len,
+ 		   u8 *result, size_t *result_len)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	mbedtls_mpi bn_base, bn_exp, bn_modulus, bn_result;
+ 	mbedtls_mpi_init(&bn_base);
+ 	mbedtls_mpi_init(&bn_exp);
+@@ -1769,6 +1866,9 @@ static int crypto_mbedtls_dh_init_public
+ int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey,
+ 		   u8 *pubkey)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+   #if 0 /*(crypto_dh_init() duplicated (and identical) in crypto_*.c modules)*/
+ 	size_t pubkey_len, pad;
+ 
+@@ -1810,6 +1910,9 @@ int crypto_dh_derive_secret(u8 generator
+ 			    const u8 *pubkey, size_t pubkey_len,
+ 			    u8 *secret, size_t *len)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+   #if 0
+ 	if (pubkey_len > prime_len ||
+ 	    (pubkey_len == prime_len &&
+@@ -2512,6 +2615,9 @@ const struct crypto_ec_point * crypto_ec
+ 
+ struct crypto_ec_point *crypto_ec_point_init(struct crypto_ec *e)
+ {
++	if (TEST_FAIL())
++		return NULL;
++
+ 	mbedtls_ecp_point *p = os_malloc(sizeof(*p));
+ 	if (p != NULL)
+ 		mbedtls_ecp_point_init(p);
+@@ -2536,6 +2642,9 @@ int crypto_ec_point_x(struct crypto_ec *
+ int crypto_ec_point_to_bin(struct crypto_ec *e,
+ 			   const struct crypto_ec_point *point, u8 *x, u8 *y)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	/* crypto.h documents crypto_ec_point_to_bin() output is big-endian */
+ 	size_t len = CRYPTO_EC_plen(e);
+ 	if (x) {
+@@ -2563,6 +2672,9 @@ int crypto_ec_point_to_bin(struct crypto
+ struct crypto_ec_point * crypto_ec_point_from_bin(struct crypto_ec *e,
+ 						  const u8 *val)
+ {
++	if (TEST_FAIL())
++		return NULL;
++
+ 	size_t len = CRYPTO_EC_plen(e);
+ 	mbedtls_ecp_point *p = os_malloc(sizeof(*p));
+ 	u8 buf[1+MBEDTLS_MPI_MAX_SIZE*2];
+@@ -2615,6 +2727,9 @@ int crypto_ec_point_add(struct crypto_ec
+ 			const struct crypto_ec_point *b,
+ 			struct crypto_ec_point *c)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	/* mbedtls does not provide an mbedtls_ecp_point add function */
+ 	mbedtls_mpi one;
+ 	mbedtls_mpi_init(&one);
+@@ -2631,6 +2746,9 @@ int crypto_ec_point_mul(struct crypto_ec
+ 			const struct crypto_bignum *b,
+ 			struct crypto_ec_point *res)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	return mbedtls_ecp_mul(
+ 		(mbedtls_ecp_group *)e, (mbedtls_ecp_point *)res,
+ 		(const mbedtls_mpi *)b, (const mbedtls_ecp_point *)p,
+@@ -2639,6 +2757,9 @@ int crypto_ec_point_mul(struct crypto_ec
+ 
+ int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p)
+ {
++	if (TEST_FAIL())
++		return -1;
++
+ 	if (mbedtls_ecp_get_type((mbedtls_ecp_group *)e)
+ 	    == MBEDTLS_ECP_TYPE_MONTGOMERY) {
+ 		/* e.g. MBEDTLS_ECP_DP_CURVE25519 and MBEDTLS_ECP_DP_CURVE448 */
+@@ -2751,6 +2872,9 @@ struct crypto_bignum *
+ crypto_ec_point_compute_y_sqr(struct crypto_ec *e,
+ 			      const struct crypto_bignum *x)
+ {
++	if (TEST_FAIL())
++		return NULL;
++
+ 	mbedtls_mpi *y2 = os_malloc(sizeof(*y2));
+ 	if (y2 == NULL)
+ 		return NULL;

package/network/services/hostapd/patches/150-add-NULL-checks-encountered-during-tests-hwsim.patch

@@ -0,0 +1,45 @@
+From 33afce36c54b0cad38643629ded10ff5d727f077 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Fri, 12 Aug 2022 05:34:47 -0400
+Subject: [PATCH 5/7] add NULL checks (encountered during tests/hwsim)
+
+sae_derive_commit_element_ecc NULL pwe_ecc check
+dpp_gen_keypair() NULL curve check
+
+Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
+---
+ src/common/dpp_crypto.c | 6 ++++++
+ src/common/sae.c        | 7 +++++++
+ 2 files changed, 13 insertions(+)
+
+--- a/src/common/dpp_crypto.c
++++ b/src/common/dpp_crypto.c
+@@ -248,6 +248,12 @@ struct crypto_ec_key * dpp_set_pubkey_po
+ 
+ struct crypto_ec_key * dpp_gen_keypair(const struct dpp_curve_params *curve)
+ {
++	if (curve == NULL) {
++		wpa_printf(MSG_DEBUG,
++		           "DPP: %s curve must be initialized", __func__);
++		return NULL;
++	}
++
+ 	struct crypto_ec_key *key;
+ 
+ 	wpa_printf(MSG_DEBUG, "DPP: Generating a keypair");
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -1278,6 +1278,13 @@ void sae_deinit_pt(struct sae_pt *pt)
+ static int sae_derive_commit_element_ecc(struct sae_data *sae,
+ 					 struct crypto_bignum *mask)
+ {
++	if (sae->tmp->pwe_ecc == NULL) {
++		wpa_printf(MSG_DEBUG,
++		           "SAE: %s sae->tmp->pwe_ecc must be initialized",
++		           __func__);
++		return -1;
++	}
++
+ 	/* COMMIT-ELEMENT = inverse(scalar-op(mask, PWE)) */
+ 	if (!sae->tmp->own_commit_element_ecc) {
+ 		sae->tmp->own_commit_element_ecc =

package/network/services/hostapd/patches/160-dpp_pkex-EC-point-mul-w-value-prime.patch

@@ -0,0 +1,26 @@
+From 54211caa2e0e5163aefef390daf88a971367a702 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Tue, 4 Oct 2022 17:09:24 -0400
+Subject: [PATCH 6/7] dpp_pkex: EC point mul w/ value < prime
+
+crypto_ec_point_mul() with mbedtls requires point
+be multiplied by a multiplicand with value < prime
+
+Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
+---
+ src/common/dpp_crypto.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/src/common/dpp_crypto.c
++++ b/src/common/dpp_crypto.c
+@@ -1567,7 +1567,9 @@ dpp_pkex_derive_Qr(const struct dpp_curv
+ 	Pr = crypto_ec_key_get_public_key(Pr_key);
+ 	Qr = crypto_ec_point_init(ec);
+ 	hash_bn = crypto_bignum_init_set(hash, curve->hash_len);
+-	if (!Pr || !Qr || !hash_bn || crypto_ec_point_mul(ec, Pr, hash_bn, Qr))
++	if (!Pr || !Qr || !hash_bn ||
++	    crypto_bignum_mod(hash_bn, crypto_ec_get_prime(ec), hash_bn) ||
++	    crypto_ec_point_mul(ec, Pr, hash_bn, Qr))
+ 		goto fail;
+ 
+ 	if (crypto_ec_point_is_at_infinity(ec, Qr)) {

package/network/services/hostapd/patches/170-DPP-fix-memleak-of-intro.peer_key.patch

@@ -0,0 +1,32 @@
+From 639bb1bb912029ec4ff110c3ed807b62f583d6bf Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Sun, 9 Oct 2022 04:02:44 -0400
+Subject: [PATCH 7/7] DPP: fix memleak of intro.peer_key
+
+fix memleak of intro.peer_key in wpas_dpp_rx_peer_disc_resp()
+
+Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
+---
+ wpa_supplicant/dpp_supplicant.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/wpa_supplicant/dpp_supplicant.c
++++ b/wpa_supplicant/dpp_supplicant.c
+@@ -2610,6 +2610,8 @@ static void wpas_dpp_rx_peer_disc_resp(s
+ 		return;
+ 	}
+ 
++	os_memset(&intro, 0, sizeof(intro));
++
+ 	trans_id = dpp_get_attr(buf, len, DPP_ATTR_TRANSACTION_ID,
+ 			       &trans_id_len);
+ 	if (!trans_id || trans_id_len != 1) {
+@@ -2720,7 +2722,7 @@ static void wpas_dpp_rx_peer_disc_resp(s
+ 		wpa_supplicant_req_scan(wpa_s, 0, 0);
+ 	}
+ fail:
+-	os_memset(&intro, 0, sizeof(intro));
++	dpp_peer_intro_deinit(&intro);
+ }
+ 
+ 

package/network/services/hostapd/patches/200-multicall.patch

@@ -36,7 +36,7 @@
  LIBS += $(DRV_AP_LIBS)
  
  ifdef CONFIG_L2_PACKET
-@@ -1291,6 +1297,12 @@ install: $(addprefix $(DESTDIR)$(BINDIR)
+@@ -1378,6 +1384,12 @@ install: $(addprefix $(DESTDIR)$(BINDIR)
  _OBJS_VAR := OBJS
  include ../src/objs.mk
  
@@ -49,7 +49,7 @@
  hostapd: $(OBJS)
  	$(Q)$(CC) $(LDFLAGS) -o hostapd $(OBJS) $(LIBS)
  	@$(E) "  LD " $@
-@@ -1365,6 +1377,12 @@ include ../src/objs.mk
+@@ -1458,6 +1470,12 @@ include ../src/objs.mk
  _OBJS_VAR := SOBJS
  include ../src/objs.mk
  
@@ -128,7 +128,7 @@
  NEED_AES_WRAP=y
  OBJS += ../src/ap/wpa_auth.o
  OBJS += ../src/ap/wpa_auth_ie.o
-@@ -1920,6 +1937,12 @@ wpa_priv: $(BCHECK) $(OBJS_priv)
+@@ -1996,6 +2013,12 @@ wpa_priv: $(BCHECK) $(OBJS_priv)
  
  _OBJS_VAR := OBJS
  include ../src/objs.mk
@@ -141,7 +141,7 @@
  wpa_supplicant: $(BCHECK) $(OBJS) $(EXTRA_progs)
  	$(Q)$(LDO) $(LDFLAGS) -o wpa_supplicant $(OBJS) $(LIBS) $(EXTRALIBS)
  	@$(E) "  LD " $@
-@@ -2052,6 +2075,12 @@ eap_gpsk.so: $(SRC_EAP_GPSK)
+@@ -2128,6 +2151,12 @@ eap_gpsk.so: $(SRC_EAP_GPSK)
  	$(Q)sed -e 's|\@BINDIR\@|$(BINDIR)|g' $< >$@
  	@$(E) "  sed" $<
  

package/network/services/hostapd/patches/500-lto-jobserver-support.patch

@@ -1,6 +1,6 @@
 --- a/hostapd/Makefile
 +++ b/hostapd/Makefile
-@@ -1307,7 +1307,7 @@ hostapd_multi.a: $(BCHECK) $(OBJS)
+@@ -1394,7 +1394,7 @@ hostapd_multi.a: $(BCHECK) $(OBJS)
  	@$(AR) cr $@ hostapd_multi.o $(OBJS)
  
  hostapd: $(OBJS)
@@ -9,7 +9,7 @@
  	@$(E) "  LD " $@
  
  ifdef CONFIG_WPA_TRACE
-@@ -1318,7 +1318,7 @@ _OBJS_VAR := OBJS_c
+@@ -1405,7 +1405,7 @@ _OBJS_VAR := OBJS_c
  include ../src/objs.mk
  
  hostapd_cli: $(OBJS_c)
@@ -20,7 +20,7 @@
  NOBJS = nt_password_hash.o ../src/crypto/ms_funcs.o $(SHA1OBJS)
 --- a/wpa_supplicant/Makefile
 +++ b/wpa_supplicant/Makefile
-@@ -1949,31 +1949,31 @@ wpa_supplicant_multi.a: .config $(BCHECK
+@@ -2025,31 +2025,31 @@ wpa_supplicant_multi.a: .config $(BCHECK
  	@$(AR) cr $@ wpa_supplicant_multi.o $(OBJS)
  
  wpa_supplicant: $(BCHECK) $(OBJS) $(EXTRA_progs)