mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-21 14:37:57 +00:00
hostapd: backport wolfssl bignum fixes
crypto_bignum_rand() use needless time-consuming filtering
which resulted in SAE no longer connecting within time limits.
Import fixes from hostap upstream to fix that.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 631c437a91
)
This commit is contained in:
parent
ab7e9754df
commit
d8d1956a80
@ -7,7 +7,7 @@
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=hostapd
|
||||
PKG_RELEASE:=3
|
||||
PKG_RELEASE:=4
|
||||
|
||||
PKG_SOURCE_URL:=http://w1.fi/hostap.git
|
||||
PKG_SOURCE_PROTO:=git
|
||||
|
@ -0,0 +1,31 @@
|
||||
From 6a28c4dbc102de3fed9db44637f47a10e7adfb78 Mon Sep 17 00:00:00 2001
|
||||
From: Jouni Malinen <j@w1.fi>
|
||||
Date: Sat, 16 May 2020 21:01:51 +0300
|
||||
Subject: [PATCH 1/3] wolfssl: Fix compiler warnings on size_t printf format
|
||||
use
|
||||
|
||||
Signed-off-by: Jouni Malinen <j@w1.fi>
|
||||
---
|
||||
src/crypto/tls_wolfssl.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
--- a/src/crypto/tls_wolfssl.c
|
||||
+++ b/src/crypto/tls_wolfssl.c
|
||||
@@ -1741,7 +1741,7 @@ struct wpabuf * tls_connection_encrypt(v
|
||||
if (!conn)
|
||||
return NULL;
|
||||
|
||||
- wpa_printf(MSG_DEBUG, "SSL: encrypt: %ld bytes", wpabuf_len(in_data));
|
||||
+ wpa_printf(MSG_DEBUG, "SSL: encrypt: %zu bytes", wpabuf_len(in_data));
|
||||
|
||||
wolfssl_reset_out_data(&conn->output);
|
||||
|
||||
@@ -1792,7 +1792,7 @@ struct wpabuf * tls_connection_decrypt(v
|
||||
}
|
||||
wpabuf_put(buf, res);
|
||||
|
||||
- wpa_printf(MSG_DEBUG, "SSL: decrypt: %ld bytes", wpabuf_len(buf));
|
||||
+ wpa_printf(MSG_DEBUG, "SSL: decrypt: %zu bytes", wpabuf_len(buf));
|
||||
|
||||
return buf;
|
||||
}
|
@ -0,0 +1,49 @@
|
||||
From eb595b3e3ab531645a5bde71cf6385335b7a4b95 Mon Sep 17 00:00:00 2001
|
||||
From: Jouni Malinen <j@w1.fi>
|
||||
Date: Sat, 16 May 2020 21:02:17 +0300
|
||||
Subject: [PATCH 2/3] wolfssl: Fix crypto_bignum_rand() implementation
|
||||
|
||||
The previous implementation used mp_rand_prime() to generate a random
|
||||
value in range 0..m. That is insanely slow way of generating a random
|
||||
value since mp_rand_prime() is for generating a random _prime_ which is
|
||||
not what is needed here. Replace that implementation with generationg of
|
||||
a random value in the requested range without doing any kind of prime
|
||||
number checks or loops to reject values that are not primes.
|
||||
|
||||
This speeds up SAE and EAP-pwd routines by couple of orders of
|
||||
magnitude..
|
||||
|
||||
Signed-off-by: Jouni Malinen <j@w1.fi>
|
||||
---
|
||||
src/crypto/crypto_wolfssl.c | 12 +++++++-----
|
||||
1 file changed, 7 insertions(+), 5 deletions(-)
|
||||
|
||||
--- a/src/crypto/crypto_wolfssl.c
|
||||
+++ b/src/crypto/crypto_wolfssl.c
|
||||
@@ -1084,19 +1084,21 @@ int crypto_bignum_rand(struct crypto_big
|
||||
{
|
||||
int ret = 0;
|
||||
WC_RNG rng;
|
||||
+ size_t len;
|
||||
+ u8 *buf;
|
||||
|
||||
if (TEST_FAIL())
|
||||
return -1;
|
||||
if (wc_InitRng(&rng) != 0)
|
||||
return -1;
|
||||
- if (mp_rand_prime((mp_int *) r,
|
||||
- (mp_count_bits((mp_int *) m) + 7) / 8 * 2,
|
||||
- &rng, NULL) != 0)
|
||||
- ret = -1;
|
||||
- if (ret == 0 &&
|
||||
+ len = (mp_count_bits((mp_int *) m) + 7) / 8;
|
||||
+ buf = os_malloc(len);
|
||||
+ if (!buf || wc_RNG_GenerateBlock(&rng, buf, len) != 0 ||
|
||||
+ mp_read_unsigned_bin((mp_int *) r, buf, len) != MP_OKAY ||
|
||||
mp_mod((mp_int *) r, (mp_int *) m, (mp_int *) r) != 0)
|
||||
ret = -1;
|
||||
wc_FreeRng(&rng);
|
||||
+ bin_clear_free(buf, len);
|
||||
return ret;
|
||||
}
|
||||
|
@ -0,0 +1,26 @@
|
||||
From 79488da576aeeb9400e1742fab7f463eed0fa7a1 Mon Sep 17 00:00:00 2001
|
||||
From: Jouni Malinen <j@w1.fi>
|
||||
Date: Sat, 16 May 2020 21:07:45 +0300
|
||||
Subject: [PATCH 3/3] wolfssl: Do not hardcode include directory in
|
||||
wpa_supplicant build
|
||||
|
||||
This is not really appropriate for any kind of cross compilations and is
|
||||
not really needed in general since system specific values can be set in
|
||||
.config.
|
||||
|
||||
Signed-off-by: Jouni Malinen <j@w1.fi>
|
||||
---
|
||||
wpa_supplicant/Makefile | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
--- a/wpa_supplicant/Makefile
|
||||
+++ b/wpa_supplicant/Makefile
|
||||
@@ -1086,7 +1086,7 @@ endif
|
||||
|
||||
ifeq ($(CONFIG_TLS), wolfssl)
|
||||
ifdef TLS_FUNCS
|
||||
-CFLAGS += -DWOLFSSL_DER_LOAD -I/usr/local/include/wolfssl
|
||||
+CFLAGS += -DWOLFSSL_DER_LOAD
|
||||
OBJS += ../src/crypto/tls_wolfssl.o
|
||||
endif
|
||||
OBJS += ../src/crypto/crypto_wolfssl.o
|
Loading…
Reference in New Issue
Block a user