hostap option to use mbedtls (under development)

Greetings!

I am a lighttpd developer who has written TLS modules for lighttpd
to support OpenSSL, mbed TLS, GnuTLS, WolfSSL, and NSS TLS libraries.

I am in the process of porting hostap to have the option to use mbedtls
in support of https://github.com/openwrt/openwrt/issues/10303

development branch:
  https://github.com/gstrauss/hostap/tree/mbedtls  (work in progress)

My branch builds with mbedtls 2.27.0 or later, and also with mbedtls 3.x.

Please note: my effort here is independent from
  https://www.spinics.net/lists/hostap/msg09799.html


My development branch (work in progress) passes most tests/hwsim
tests at the lower layers, though support is limited or incomplete
for SAE, DPP, and OWE.  Also, not all src/crypto/tls.h features are
implemented.  TLS session ticket and master secret handling is not yet
implemented in tls_mbedtls.c for EAP-FAST and EAP-TEAP.

Of note, mbedtls_ecp_mul() validates ecp point and bignum params.
This leads to some test failures after calls to crypto_ec_point_mul():
e.g. 18 of 39 sae tests which fail are due to mbedtls_ecp_mul()
rejecting the point param as not being on the curve.  sae_tests() in
common_module_tests() fails due to the hard-coded mask in the test not
passing mbedtls validation.

More testing is needed, as is augmenting existing automated tests.


Running tests/hwsim with mbedtls requires following tests/hwsim/README
and modifying wpa_supplicant/.config and hostapd/.config to set
CONFIG_TLS=mbedtls and to comment out CONFIG_TLS=openssl, or to override
the value on the make command line with 'make CONFIG_TLS=mbedtls ...'.


My development branch also adds the ability for run-tests to test using
different crypto libraries (assuming the crypto libraries are installed):
  cd tests
  for crypto_lib in mbedtls openssl gnutls wolfssl internal; do
    make -j 4 CONFIG_TLS=$crypto_lib clean
    make -j 4 CONFIG_TLS=$crypto_lib run-tests
    make -j 4 CONFIG_TLS=$crypto_lib clean
  done


Before I post a patch -- which is a work in progress -- containing 6400+
lines changed, please let me know if there is a better way to continue
development of these patches and to obtain feedback.  (PRs are welcome
at https://github.com/gstrauss/hostap to the 'mbedtls' branch)

Thank you.  Glenn

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap


