hostapd: backport wolfssl bignum fixes
crypto_bignum_rand() use needless time-consuming filtering which resulted in SAE no longer connecting within time limits. Import fixes from hostap upstream to fix that. Signed-off-by: Daniel Golle <daniel@makrotopia.org>master
parent
2ea481193c
commit
631c437a91
@ -0,0 +1,31 @@
|
|||||||
|
From 6a28c4dbc102de3fed9db44637f47a10e7adfb78 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jouni Malinen <j@w1.fi>
|
||||||
|
Date: Sat, 16 May 2020 21:01:51 +0300
|
||||||
|
Subject: [PATCH 1/3] wolfssl: Fix compiler warnings on size_t printf format
|
||||||
|
use
|
||||||
|
|
||||||
|
Signed-off-by: Jouni Malinen <j@w1.fi>
|
||||||
|
---
|
||||||
|
src/crypto/tls_wolfssl.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
--- a/src/crypto/tls_wolfssl.c
|
||||||
|
+++ b/src/crypto/tls_wolfssl.c
|
||||||
|
@@ -1741,7 +1741,7 @@ struct wpabuf * tls_connection_encrypt(v
|
||||||
|
if (!conn)
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
- wpa_printf(MSG_DEBUG, "SSL: encrypt: %ld bytes", wpabuf_len(in_data));
|
||||||
|
+ wpa_printf(MSG_DEBUG, "SSL: encrypt: %zu bytes", wpabuf_len(in_data));
|
||||||
|
|
||||||
|
wolfssl_reset_out_data(&conn->output);
|
||||||
|
|
||||||
|
@@ -1792,7 +1792,7 @@ struct wpabuf * tls_connection_decrypt(v
|
||||||
|
}
|
||||||
|
wpabuf_put(buf, res);
|
||||||
|
|
||||||
|
- wpa_printf(MSG_DEBUG, "SSL: decrypt: %ld bytes", wpabuf_len(buf));
|
||||||
|
+ wpa_printf(MSG_DEBUG, "SSL: decrypt: %zu bytes", wpabuf_len(buf));
|
||||||
|
|
||||||
|
return buf;
|
||||||
|
}
|
@ -0,0 +1,49 @@
|
|||||||
|
From eb595b3e3ab531645a5bde71cf6385335b7a4b95 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jouni Malinen <j@w1.fi>
|
||||||
|
Date: Sat, 16 May 2020 21:02:17 +0300
|
||||||
|
Subject: [PATCH 2/3] wolfssl: Fix crypto_bignum_rand() implementation
|
||||||
|
|
||||||
|
The previous implementation used mp_rand_prime() to generate a random
|
||||||
|
value in range 0..m. That is insanely slow way of generating a random
|
||||||
|
value since mp_rand_prime() is for generating a random _prime_ which is
|
||||||
|
not what is needed here. Replace that implementation with generationg of
|
||||||
|
a random value in the requested range without doing any kind of prime
|
||||||
|
number checks or loops to reject values that are not primes.
|
||||||
|
|
||||||
|
This speeds up SAE and EAP-pwd routines by couple of orders of
|
||||||
|
magnitude..
|
||||||
|
|
||||||
|
Signed-off-by: Jouni Malinen <j@w1.fi>
|
||||||
|
---
|
||||||
|
src/crypto/crypto_wolfssl.c | 12 +++++++-----
|
||||||
|
1 file changed, 7 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
--- a/src/crypto/crypto_wolfssl.c
|
||||||
|
+++ b/src/crypto/crypto_wolfssl.c
|
||||||
|
@@ -1084,19 +1084,21 @@ int crypto_bignum_rand(struct crypto_big
|
||||||
|
{
|
||||||
|
int ret = 0;
|
||||||
|
WC_RNG rng;
|
||||||
|
+ size_t len;
|
||||||
|
+ u8 *buf;
|
||||||
|
|
||||||
|
if (TEST_FAIL())
|
||||||
|
return -1;
|
||||||
|
if (wc_InitRng(&rng) != 0)
|
||||||
|
return -1;
|
||||||
|
- if (mp_rand_prime((mp_int *) r,
|
||||||
|
- (mp_count_bits((mp_int *) m) + 7) / 8 * 2,
|
||||||
|
- &rng, NULL) != 0)
|
||||||
|
- ret = -1;
|
||||||
|
- if (ret == 0 &&
|
||||||
|
+ len = (mp_count_bits((mp_int *) m) + 7) / 8;
|
||||||
|
+ buf = os_malloc(len);
|
||||||
|
+ if (!buf || wc_RNG_GenerateBlock(&rng, buf, len) != 0 ||
|
||||||
|
+ mp_read_unsigned_bin((mp_int *) r, buf, len) != MP_OKAY ||
|
||||||
|
mp_mod((mp_int *) r, (mp_int *) m, (mp_int *) r) != 0)
|
||||||
|
ret = -1;
|
||||||
|
wc_FreeRng(&rng);
|
||||||
|
+ bin_clear_free(buf, len);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
@ -0,0 +1,26 @@
|
|||||||
|
From 79488da576aeeb9400e1742fab7f463eed0fa7a1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jouni Malinen <j@w1.fi>
|
||||||
|
Date: Sat, 16 May 2020 21:07:45 +0300
|
||||||
|
Subject: [PATCH 3/3] wolfssl: Do not hardcode include directory in
|
||||||
|
wpa_supplicant build
|
||||||
|
|
||||||
|
This is not really appropriate for any kind of cross compilations and is
|
||||||
|
not really needed in general since system specific values can be set in
|
||||||
|
.config.
|
||||||
|
|
||||||
|
Signed-off-by: Jouni Malinen <j@w1.fi>
|
||||||
|
---
|
||||||
|
wpa_supplicant/Makefile | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
--- a/wpa_supplicant/Makefile
|
||||||
|
+++ b/wpa_supplicant/Makefile
|
||||||
|
@@ -1086,7 +1086,7 @@ endif
|
||||||
|
|
||||||
|
ifeq ($(CONFIG_TLS), wolfssl)
|
||||||
|
ifdef TLS_FUNCS
|
||||||
|
-CFLAGS += -DWOLFSSL_DER_LOAD -I/usr/local/include/wolfssl
|
||||||
|
+CFLAGS += -DWOLFSSL_DER_LOAD
|
||||||
|
OBJS += ../src/crypto/tls_wolfssl.o
|
||||||
|
endif
|
||||||
|
OBJS += ../src/crypto/crypto_wolfssl.o
|
Loading…
Reference in New Issue