hostapd: bump to 2024-03-09
[openwrt/staging/stintel.git] / package / network / services / hostapd / patches / 140-tests-Makefile-make-run-tests-with-CONFIG_TLS.patch
1 From f24933dc175e0faf44a3cce3330c256a59649ca6 Mon Sep 17 00:00:00 2001
2 From: Glenn Strauss <gstrauss@gluelogic.com>
3 Date: Tue, 19 Jul 2022 23:01:17 -0400
4 Subject: [PATCH 4/7] tests/Makefile make run-tests with CONFIG_TLS=...
5
6 add test-crypto_module.c to run crypto_module_tests()
7
8 adjust some tests/hwsim/*.py for mbed TLS (work in progress)
9
10 option to build and run-tests with CONFIG_TLS=internal # (default)
11 $ cd tests; make clean
12 $ make run-tests
13
14 option to build and run-tests with CONFIG_TLS=gnutls
15 $ cd tests; make clean CONFIG_TLS=gnutls
16 $ make run-tests CONFIG_TLS=gnutls
17
18 option to build and run-tests with CONFIG_TLS=mbedtls
19 $ cd tests; make clean CONFIG_TLS=mbedtls
20 $ make run-tests CONFIG_TLS=mbedtls
21
22 option to build and run-tests with CONFIG_TLS=openssl
23 $ cd tests; make clean CONFIG_TLS=openssl
24 $ make run-tests CONFIG_TLS=openssl
25
26 option to build and run-tests with CONFIG_TLS=wolfssl
27 $ cd tests; make clean CONFIG_TLS=wolfssl
28 $ make run-tests CONFIG_TLS=wolfssl
29
30 RFE: Makefile logic for crypto objects should be centralized
31 instead of being duplicated in hostapd/Makefile,
32 wpa_supplicant/Makefile, src/crypto/Makefile,
33 tests/Makefile, ...
34
35 Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
36 ---
37 hostapd/Makefile | 6 +
38 src/crypto/Makefile | 129 ++++++++++++++++++++-
39 src/crypto/crypto_module_tests.c | 134 ++++++++++++++++++++++
40 src/tls/Makefile | 11 ++
41 tests/Makefile | 76 +++++++++---
42 tests/hwsim/example-hostapd.config | 10 +-
43 tests/hwsim/example-wpa_supplicant.config | 11 +-
44 tests/hwsim/test_ap_eap.py | 114 +++++++++++++-----
45 tests/hwsim/test_ap_ft.py | 4 +-
46 tests/hwsim/test_authsrv.py | 9 +-
47 tests/hwsim/test_dpp.py | 19 ++-
48 tests/hwsim/test_erp.py | 16 +--
49 tests/hwsim/test_fils.py | 4 +
50 tests/hwsim/test_pmksa_cache.py | 4 +-
51 tests/hwsim/test_sae.py | 7 ++
52 tests/hwsim/test_suite_b.py | 3 +
53 tests/hwsim/test_wpas_ctrl.py | 2 +-
54 tests/hwsim/utils.py | 8 +-
55 tests/test-crypto_module.c | 16 +++
56 tests/test-https.c | 12 +-
57 tests/test-https_server.c | 12 +-
58 wpa_supplicant/Makefile | 6 +
59 22 files changed, 522 insertions(+), 91 deletions(-)
60 create mode 100644 tests/test-crypto_module.c
61
62 --- a/hostapd/Makefile
63 +++ b/hostapd/Makefile
64 @@ -709,6 +709,7 @@ CFLAGS += -DCONFIG_TLSV12
65 endif
66
67 ifeq ($(CONFIG_TLS), wolfssl)
68 +CFLAGS += -DCONFIG_TLS_WOLFSSL
69 CONFIG_CRYPTO=wolfssl
70 ifdef TLS_FUNCS
71 OBJS += ../src/crypto/tls_wolfssl.o
72 @@ -729,6 +730,7 @@ endif
73 endif
74
75 ifeq ($(CONFIG_TLS), openssl)
76 +CFLAGS += -DCONFIG_TLS_OPENSSL
77 CFLAGS += -DCRYPTO_RSA_OAEP_SHA256
78 CONFIG_CRYPTO=openssl
79 ifdef TLS_FUNCS
80 @@ -759,6 +761,7 @@ CFLAGS += -DTLS_DEFAULT_CIPHERS=\"$(CONF
81 endif
82
83 ifeq ($(CONFIG_TLS), mbedtls)
84 +CFLAGS += -DCONFIG_TLS_MBEDTLS
85 ifndef CONFIG_CRYPTO
86 CONFIG_CRYPTO=mbedtls
87 endif
88 @@ -789,6 +792,7 @@ endif
89 endif
90
91 ifeq ($(CONFIG_TLS), gnutls)
92 +CFLAGS += -DCONFIG_TLS_GNUTLS
93 ifndef CONFIG_CRYPTO
94 # default to libgcrypt
95 CONFIG_CRYPTO=gnutls
96 @@ -819,6 +823,7 @@ endif
97 endif
98
99 ifeq ($(CONFIG_TLS), internal)
100 +CFLAGS += -DCONFIG_TLS_INTERNAL
101 ifndef CONFIG_CRYPTO
102 CONFIG_CRYPTO=internal
103 endif
104 @@ -897,6 +902,7 @@ endif
105 endif
106
107 ifeq ($(CONFIG_TLS), linux)
108 +CFLAGS += -DCONFIG_TLS_INTERNAL
109 OBJS += ../src/crypto/crypto_linux.o
110 ifdef TLS_FUNCS
111 OBJS += ../src/crypto/crypto_internal-rsa.o
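Review bot: The `linux` branch adds `-DCONFIG_TLS_INTERNAL`, whereas every other branch touched in this file gets a macro named after its own backend, and nothing in the hunk says whether that is deliberate. The choice has a visible effect: the new test_ecc() in src/crypto/crypto_module_tests.c is compiled out by `#ifndef CONFIG_TLS_INTERNAL`, so a linux build skips the ECC module tests. If the reuse is intended, a one-line comment above the added line, for example `# CONFIG_TLS=linux shares the CONFIG_TLS_INTERNAL code paths on purpose`, would stop it being read as a copy-paste slip. The `ifdef TLS_FUNCS` block continues outside the hunk.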
112 --- a/src/crypto/Makefile
113 +++ b/src/crypto/Makefile
114 @@ -1,10 +1,121 @@
115 -CFLAGS += -DCONFIG_CRYPTO_INTERNAL
116 -CFLAGS += -DCONFIG_TLS_INTERNAL_CLIENT
117 -CFLAGS += -DCONFIG_TLS_INTERNAL_SERVER
118 #CFLAGS += -DALL_DH_GROUPS
119 CFLAGS += -DCONFIG_SHA256
120 CFLAGS += -DCONFIG_SHA384
121 +CFLAGS += -DCONFIG_HMAC_SHA256_KDF
122 CFLAGS += -DCONFIG_HMAC_SHA384_KDF
123 +
124 +# crypto_module_tests.c
125 +CFLAGS += -DCONFIG_MODULE_TESTS
126 +CFLAGS += -DCONFIG_DPP
127 +#CFLAGS += -DCONFIG_DPP2
128 +#CFLAGS += -DCONFIG_DPP3
129 +CFLAGS += -DCONFIG_ECC
130 +CFLAGS += -DCONFIG_MESH
131 +CFLAGS += -DEAP_PSK
132 +CFLAGS += -DEAP_FAST
133 +
134 +ifeq ($(CONFIG_TLS),mbedtls)
135 +
136 +# (enable features for 'cd tests; make run-tests CONFIG_TLS=mbedtls')
137 +CFLAGS += -DCRYPTO_RSA_OAEP_SHA256
138 +CFLAGS += -DCONFIG_DES
139 +CFLAGS += -DEAP_IKEV2
140 +CFLAGS += -DEAP_MSCHAPv2
141 +CFLAGS += -DEAP_SIM
142 +
143 +LIB_OBJS = tls_mbedtls.o crypto_mbedtls.o
144 +LIB_OBJS+= \
145 + aes-eax.o \
146 + aes-siv.o \
147 + dh_groups.o \
148 + milenage.o \
149 + ms_funcs.o
150 +
151 +else
152 +ifeq ($(CONFIG_TLS),openssl)
153 +
154 +# (enable features for 'cd tests; make run-tests CONFIG_TLS=openssl')
155 +ifndef CONFIG_TLS_DEFAULT_CIPHERS
156 +CONFIG_TLS_DEFAULT_CIPHERS = "DEFAULT:!EXP:!LOW"
157 +endif
158 +CFLAGS += -DTLS_DEFAULT_CIPHERS=\"$(CONFIG_TLS_DEFAULT_CIPHERS)\"
159 +CFLAGS += -DCRYPTO_RSA_OAEP_SHA256
160 +CFLAGS += -DEAP_TLS_OPENSSL
161 +
162 +LIB_OBJS = tls_openssl.o fips_prf_openssl.o crypto_openssl.o
163 +LIB_OBJS+= \
164 + aes-ctr.o \
165 + aes-eax.o \
166 + aes-encblock.o \
167 + aes-siv.o \
168 + dh_groups.o \
169 + milenage.o \
170 + ms_funcs.o \
171 + sha1-prf.o \
172 + sha1-tlsprf.o \
173 + sha1-tprf.o \
174 + sha256-kdf.o \
175 + sha256-prf.o \
176 + sha256-tlsprf.o
177 +
178 +else
179 +ifeq ($(CONFIG_TLS),wolfssl)
180 +
181 +# (wolfssl libraries must be built with ./configure --enable-wpas)
182 +# (enable features for 'cd tests; make run-tests CONFIG_TLS=wolfssl')
183 +CFLAGS += -DWOLFSSL_DER_LOAD
184 +CFLAGS += -DCONFIG_DES
185 +
186 +LIB_OBJS = tls_wolfssl.o fips_prf_wolfssl.o crypto_wolfssl.o
187 +LIB_OBJS+= \
188 + aes-ctr.o \
189 + aes-eax.o \
190 + aes-encblock.o \
191 + aes-siv.o \
192 + dh_groups.o \
193 + milenage.o \
194 + ms_funcs.o \
195 + sha1-prf.o \
196 + sha1-tlsprf.o \
197 + sha1-tprf.o \
198 + sha256-kdf.o \
199 + sha256-prf.o \
200 + sha256-tlsprf.o
201 +
202 +else
203 +ifeq ($(CONFIG_TLS),gnutls)
204 +
205 +# (enable features for 'cd tests; make run-tests CONFIG_TLS=gnutls')
206 +LIB_OBJS = tls_gnutls.o crypto_gnutls.o
207 +LIB_OBJS+= \
208 + aes-cbc.o \
209 + aes-ctr.o \
210 + aes-eax.o \
211 + aes-encblock.o \
212 + aes-omac1.o \
213 + aes-siv.o \
214 + aes-unwrap.o \
215 + aes-wrap.o \
216 + dh_group5.o \
217 + dh_groups.o \
218 + milenage.o \
219 + ms_funcs.o \
220 + rc4.o \
221 + sha1-pbkdf2.o \
222 + sha1-prf.o \
223 + fips_prf_internal.o \
224 + sha1-internal.o \
225 + sha1-tlsprf.o \
226 + sha1-tprf.o \
227 + sha256-kdf.o \
228 + sha256-prf.o \
229 + sha256-tlsprf.o
230 +
231 +else
232 +
233 +CFLAGS += -DCONFIG_CRYPTO_INTERNAL
234 +CFLAGS += -DCONFIG_TLS_INTERNAL_CLIENT
235 +CFLAGS += -DCONFIG_TLS_INTERNAL_SERVER
236 CFLAGS += -DCONFIG_INTERNAL_SHA384
237
238 LIB_OBJS= \
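Review bot: The `openssl` and `wolfssl` branches carry the same thirteen-entry `LIB_OBJS+=` list (aes-ctr.o through sha256-tlsprf.o), and the `gnutls` list repeats most of it, so an object added for one backend can easily be missed in another. Defining the shared entries once before the `ifeq` chain and writing `LIB_OBJS += $(CRYPTO_SHARED_OBJS)` in each branch would keep them in step (the variable name is only a suggestion). The four-deep `else`/`ifeq` nesting is closed by four bare `endif` lines; a trailing comment on each naming the backend it closes would make the structure easier to follow. The internal branch's `LIB_OBJS= \` list continues outside the hunk.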
239 @@ -13,7 +124,6 @@ LIB_OBJS= \
240 aes-ctr.o \
241 aes-eax.o \
242 aes-encblock.o \
243 - aes-gcm.o \
244 aes-internal.o \
245 aes-internal-dec.o \
246 aes-internal-enc.o \
247 @@ -37,6 +147,7 @@ LIB_OBJS= \
248 sha1-tlsprf.o \
249 sha1-tprf.o \
250 sha256.o \
251 + sha256-kdf.o \
252 sha256-prf.o \
253 sha256-tlsprf.o \
254 sha256-internal.o \
255 @@ -53,6 +164,16 @@ LIB_OBJS += crypto_internal-modexp.o
256 LIB_OBJS += crypto_internal-rsa.o
257 LIB_OBJS += tls_internal.o
258 LIB_OBJS += fips_prf_internal.o
259 +
260 +endif
261 +endif
262 +endif
263 +endif
264 +
265 +
266 +# (used by wlantest/{bip,gcmp,rx_mgmt}.c and tests/test-aes.c)
267 +LIB_OBJS += aes-gcm.o
268 +
269 ifndef TEST_FUZZ
270 LIB_OBJS += random.o
271 endif
272 --- a/src/crypto/crypto_module_tests.c
273 +++ b/src/crypto/crypto_module_tests.c
274 @@ -2470,6 +2470,139 @@ static int test_hpke(void)
275 }
276
277
278 +static int test_ecc(void)
279 +{
280 +#ifdef CONFIG_ECC
281 +#ifndef CONFIG_TLS_INTERNAL
282 +#ifndef CONFIG_TLS_GNUTLS
283 +#if defined(CONFIG_TLS_MBEDTLS) \
284 + || defined(CONFIG_TLS_OPENSSL) \
285 + || defined(CONFIG_TLS_WOLFSSL)
286 + wpa_printf(MSG_INFO, "Testing ECC");
287 + /* Note: some tests below are valid on supported Short Weierstrass
288 + * curves, but not on Montgomery curves (e.g. IKE groups 31 and 32)
289 + * (e.g. deriving and comparing y^2 test below not valid on Montgomery)
290 + */
291 +#ifdef CONFIG_TLS_MBEDTLS
292 + const int grps[] = {19, 20, 21, 25, 26, 28};
293 +#endif
294 +#ifdef CONFIG_TLS_OPENSSL
295 + const int grps[] = {19, 20, 21, 26};
296 +#endif
297 +#ifdef CONFIG_TLS_WOLFSSL
298 + const int grps[] = {19, 20, 21, 26};
299 +#endif
300 + uint32_t i;
301 + struct crypto_ec *e = NULL;
302 + struct crypto_ec_point *p = NULL, *q = NULL;
303 + struct crypto_bignum *x = NULL, *y = NULL;
304 +#ifdef CONFIG_DPP
305 + u8 bin[4096];
306 +#endif
307 + for (i = 0; i < ARRAY_SIZE(grps); ++i) {
308 + e = crypto_ec_init(grps[i]);
309 + if (e == NULL
310 + || crypto_ec_prime_len(e) == 0
311 + || crypto_ec_prime_len_bits(e) == 0
312 + || crypto_ec_order_len(e) == 0
313 + || crypto_ec_get_prime(e) == NULL
314 + || crypto_ec_get_order(e) == NULL
315 + || crypto_ec_get_a(e) == NULL
316 + || crypto_ec_get_b(e) == NULL
317 + || crypto_ec_get_generator(e) == NULL) {
318 + break;
319 + }
320 +#ifdef CONFIG_DPP
321 + struct crypto_ec_key *key = crypto_ec_key_gen(grps[i]);
322 + if (key == NULL)
323 + break;
324 + p = crypto_ec_key_get_public_key(key);
325 + q = crypto_ec_key_get_public_key(key);
326 + crypto_ec_key_deinit(key);
327 + if (p == NULL || q == NULL)
328 + break;
329 + if (!crypto_ec_point_is_on_curve(e, p))
330 + break;
331 +
332 + /* inverted point should not match original;
333 + * double-invert should match */
334 + if (crypto_ec_point_invert(e, q) != 0
335 + || crypto_ec_point_cmp(e, p, q) == 0
336 + || crypto_ec_point_invert(e, q) != 0
337 + || crypto_ec_point_cmp(e, p, q) != 0) {
338 + break;
339 + }
340 +
341 + /* crypto_ec_point_to_bin() and crypto_ec_point_from_bin()
342 + * imbalanced interfaces? */
343 + size_t prime_len = crypto_ec_prime_len(e);
344 + if (prime_len * 2 > sizeof(bin))
345 + break;
346 + if (crypto_ec_point_to_bin(e, p, bin, bin+prime_len) != 0)
347 + break;
348 + struct crypto_ec_point *tmp = crypto_ec_point_from_bin(e, bin);
349 + if (tmp == NULL)
350 + break;
351 + if (crypto_ec_point_cmp(e, p, tmp) != 0) {
352 + crypto_ec_point_deinit(tmp, 0);
353 + break;
354 + }
355 + crypto_ec_point_deinit(tmp, 0);
356 +
357 + x = crypto_bignum_init();
358 + y = crypto_bignum_init_set(bin+prime_len, prime_len);
359 + if (x == NULL || y == NULL || crypto_ec_point_x(e, p, x) != 0)
360 + break;
361 + struct crypto_bignum *y2 = crypto_ec_point_compute_y_sqr(e, x);
362 + if (y2 == NULL)
363 + break;
364 + if (crypto_bignum_sqrmod(y, crypto_ec_get_prime(e), y) != 0
365 + || crypto_bignum_cmp(y, y2) != 0) {
366 + crypto_bignum_deinit(y2, 0);
367 + break;
368 + }
369 + crypto_bignum_deinit(y2, 0);
370 + crypto_bignum_deinit(x, 0);
371 + crypto_bignum_deinit(y, 0);
372 + x = NULL;
373 + y = NULL;
374 +
375 + x = crypto_bignum_init();
376 + if (x == NULL)
377 + break;
378 + if (crypto_bignum_rand(x, crypto_ec_get_prime(e)) != 0)
379 + break;
380 + crypto_bignum_deinit(x, 0);
381 + x = NULL;
382 +
383 + crypto_ec_point_deinit(p, 0);
384 + p = NULL;
385 + crypto_ec_point_deinit(q, 0);
386 + q = NULL;
387 +#endif /* CONFIG_DPP */
388 + crypto_ec_deinit(e);
389 + e = NULL;
390 + }
391 + if (i != ARRAY_SIZE(grps)) {
392 + crypto_bignum_deinit(x, 0);
393 + crypto_bignum_deinit(y, 0);
394 + crypto_ec_point_deinit(p, 0);
395 + crypto_ec_point_deinit(q, 0);
396 + crypto_ec_deinit(e);
397 + wpa_printf(MSG_INFO,
398 + "ECC test case failed tls_id:%d", grps[i]);
399 + return -1;
400 + }
401 +
402 + wpa_printf(MSG_INFO, "ECC test cases passed");
403 +#endif
404 +#endif /* !CONFIG_TLS_GNUTLS */
405 +#endif /* !CONFIG_TLS_INTERNAL */
406 +#endif /* CONFIG_ECC */
407 + return 0;
408 +}
409 +
410 +
411 static int test_ms_funcs(void)
412 {
413 #ifndef CONFIG_FIPS
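Review bot: test_ecc() returns 0 without logging anything when the build defines `CONFIG_TLS_INTERNAL` or `CONFIG_TLS_GNUTLS`, or leaves `CONFIG_ECC` undefined, so crypto_module_tests() reports success for ECC code that was never exercised. An `#else` arm on the backend check that logs the skip, `wpa_printf(MSG_INFO, "ECC test cases skipped (backend not covered)");`, would make that visible in the test output. Inside the loop, the `crypto_bignum_rand(x, crypto_ec_get_prime(e))` step checks only the return code; also requiring `crypto_bignum_cmp(x, crypto_ec_get_prime(e)) < 0` would test the range of the result and not just that the call succeeded. test_ms_funcs() begins at the end of this hunk and continues outside it.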
414 @@ -2591,6 +2724,7 @@ int crypto_module_tests(void)
415 test_fips186_2_prf() ||
416 test_extract_expand_hkdf() ||
417 test_hpke() ||
418 + test_ecc() ||
419 test_ms_funcs())
420 ret = -1;
421
422 --- a/src/tls/Makefile
423 +++ b/src/tls/Makefile
424 @@ -1,3 +1,10 @@
425 +LIB_OBJS= asn1.o
426 +
427 +ifneq ($(CONFIG_TLS),gnutls)
428 +ifneq ($(CONFIG_TLS),mbedtls)
429 +ifneq ($(CONFIG_TLS),openssl)
430 +ifneq ($(CONFIG_TLS),wolfssl)
431 +
432 CFLAGS += -DCONFIG_INTERNAL_LIBTOMMATH
433 CFLAGS += -DCONFIG_CRYPTO_INTERNAL
434 CFLAGS += -DCONFIG_TLSV11
435 @@ -21,5 +28,9 @@ LIB_OBJS= \
436 tlsv1_server_read.o \
437 tlsv1_server_write.o \
438 x509v3.o
439 +endif
440 +endif
441 +endif
442 +endif
443
444 include ../lib.rules
445 --- a/tests/Makefile
446 +++ b/tests/Makefile
447 @@ -1,10 +1,12 @@
448 -ALL=test-base64 test-md4 test-milenage \
449 - test-rsa-sig-ver \
450 - test-sha1 \
451 - test-https test-https_server \
452 - test-sha256 test-aes test-x509v3 test-list test-rc4 \
453 +RUN_TESTS= \
454 + test-list \
455 + test-md4 test-rc4 test-sha1 test-sha256 \
456 + test-milenage test-aes \
457 + test-crypto_module \
458 test-bss
459
460 +ALL=$(RUN_TESTS) test-base64 test-https test-https_server
461 +
462 include ../src/build.rules
463
464 ifdef LIBFUZZER
465 @@ -25,13 +27,27 @@ CFLAGS += -DCONFIG_IEEE80211R_AP
466 CFLAGS += -DCONFIG_IEEE80211R
467 CFLAGS += -DCONFIG_TDLS
468
469 +# test-crypto_module
470 +CFLAGS += -DCONFIG_MODULE_TESTS
471 +CFLAGS += -DCONFIG_DPP
472 +#CFLAGS += -DCONFIG_DPP2
473 +#CFLAGS += -DCONFIG_DPP3
474 +CFLAGS += -DCONFIG_ECC
475 +CFLAGS += -DCONFIG_HMAC_SHA256_KDF
476 +CFLAGS += -DCONFIG_HMAC_SHA384_KDF
477 +CFLAGS += -DCONFIG_MESH
478 +CFLAGS += -DCONFIG_SHA256
479 +CFLAGS += -DCONFIG_SHA384
480 +CFLAGS += -DEAP_PSK
481 +CFLAGS += -DEAP_FAST
482 +
483 CFLAGS += -I../src
484 CFLAGS += -I../src/utils
485
486 SLIBS = ../src/utils/libutils.a
487
488 -DLIBS = ../src/crypto/libcrypto.a \
489 - ../src/tls/libtls.a
490 +DLIBS = ../src/tls/libtls.a \
491 + ../src/crypto/libcrypto.a
492
493 _OBJS_VAR := LLIBS
494 include ../src/objs.mk
495 @@ -43,12 +59,43 @@ include ../src/objs.mk
496 LIBS = $(SLIBS) $(DLIBS)
497 LLIBS = -Wl,--start-group $(DLIBS) -Wl,--end-group $(SLIBS)
498
499 +ifeq ($(CONFIG_TLS),mbedtls)
500 +CFLAGS += -DCONFIG_TLS_MBEDTLS
501 +LLIBS += -lmbedtls -lmbedx509 -lmbedcrypto
502 +else
503 +ifeq ($(CONFIG_TLS),openssl)
504 +CFLAGS += -DCONFIG_TLS_OPENSSL
505 +LLIBS += -lssl -lcrypto
506 +else
507 +ifeq ($(CONFIG_TLS),gnutls)
508 +CFLAGS += -DCONFIG_TLS_GNUTLS
509 +LLIBS += -lgnutls -lgpg-error -lgcrypt
510 +else
511 +ifeq ($(CONFIG_TLS),wolfssl)
512 +CFLAGS += -DCONFIG_TLS_WOLFSSL
513 +LLIBS += -lwolfssl -lm
514 +else
515 +CFLAGS += -DCONFIG_TLS_INTERNAL
516 +CFLAGS += -DCONFIG_TLS_INTERNAL_SERVER
517 +ALL += test-rsa-sig-ver
518 +ALL += test-x509v3
519 +clean-config_tls_internal:
520 + rm -f test_x509v3_nist.out.*
521 + rm -f test_x509v3_nist2.out.*
522 +endif
523 +endif
524 +endif
525 +endif
526 +
527 # glibc < 2.17 needs -lrt for clock_gettime()
528 LLIBS += -lrt
529
530 test-aes: $(call BUILDOBJ,test-aes.o) $(LIBS)
531 $(LDO) $(LDFLAGS) -o $@ $^ $(LLIBS)
532
533 +test-crypto_module: $(call BUILDOBJ,test-crypto_module.o) $(LIBS)
534 + $(LDO) $(LDFLAGS) -o $@ $< $(LLIBS)
535 +
536 test-base64: $(call BUILDOBJ,test-base64.o) $(LIBS)
537 $(LDO) $(LDFLAGS) -o $@ $^ $(LLIBS)
538
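Review bot: `test-rsa-sig-ver` is appended only to `ALL` in the internal branch, not to `RUN_TESTS`, so `make run-tests` now builds it but no longer executes it; the next hunk removes the explicit `./test-rsa-sig-ver` line and loops over `$(RUN_TESTS)` alone. Unless dropping the RSA signature-verification run is intended, use `RUN_TESTS += test-rsa-sig-ver` here; `ALL` is defined with `=`, so it picks up the addition. Separately, `clean-config_tls_internal` has a recipe only in this branch, so `make clean CONFIG_TLS=openssl` after an internal build leaves the `test_x509v3_nist*.out.*` files behind.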
539 @@ -141,18 +188,11 @@ test-bss: $(call BUILDOBJ,test-bss.o) $(
540 $(LDO) $(LDFLAGS) -o $@ $< $(LLIBS) $(WPA_CFLAGS) $(WPA_OBJS) $(LIBS)
541
542 run-tests: $(ALL)
543 - ./test-aes
544 - ./test-list
545 - ./test-md4
546 - ./test-milenage
547 - ./test-rsa-sig-ver
548 - ./test-sha1
549 - ./test-sha256
550 - ./test-bss
551 + @set -ex; for i in $(RUN_TESTS); do ./$$i; done
552 @echo
553 @echo All tests completed successfully.
554
555 -clean: common-clean
556 +clean: common-clean clean-config_tls_internal
557 rm -f *~
558 - rm -f test_x509v3_nist.out.*
559 - rm -f test_x509v3_nist2.out.*
560 +
561 +.PHONY: run-tests clean-config_tls_internal
562 --- a/tests/hwsim/example-hostapd.config
563 +++ b/tests/hwsim/example-hostapd.config
564 @@ -34,15 +34,7 @@ CONFIG_EAP_TNC=y
565 CFLAGS += -DTNC_CONFIG_FILE=\"tnc/tnc_config\"
566 LIBS += -rdynamic
567 CONFIG_EAP_UNAUTH_TLS=y
568 -ifeq ($(CONFIG_TLS), openssl)
569 -CONFIG_EAP_PWD=y
570 -endif
571 -ifeq ($(CONFIG_TLS), wolfssl)
572 -CONFIG_EAP_PWD=y
573 -endif
574 -ifeq ($(CONFIG_TLS), mbedtls)
575 -CONFIG_EAP_PWD=y
576 -endif
577 +CONFIG_EAP_PWD=$(if $(filter openssl wolfssl mbedtls,$(CONFIG_TLS)),y,)
578 CONFIG_EAP_EKE=y
579 CONFIG_PKCS12=y
580 CONFIG_RADIUS_SERVER=y
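Review bot: `CONFIG_EAP_PWD=$(if ...)` is a recursively expanded assignment, and GNU make's `ifdef` tests the unexpanded text. Any `ifdef CONFIG_EAP_PWD` in the consuming Makefile would therefore be true for every CONFIG_TLS value, including the backends the removed `ifeq` blocks excluded. The Makefile that reads this config is not part of the hunk, so this needs confirming there, but a simple assignment avoids the question: `CONFIG_EAP_PWD:=$(if $(filter openssl wolfssl mbedtls,$(CONFIG_TLS)),y,)`. The identical line added to tests/hwsim/example-wpa_supplicant.config has the same issue.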
581 --- a/tests/hwsim/example-wpa_supplicant.config
582 +++ b/tests/hwsim/example-wpa_supplicant.config
583 @@ -35,16 +35,7 @@ LIBS += -rdynamic
584 CONFIG_EAP_FAST=y
585 CONFIG_EAP_TEAP=y
586 CONFIG_EAP_IKEV2=y
587 -
588 -ifeq ($(CONFIG_TLS), openssl)
589 -CONFIG_EAP_PWD=y
590 -endif
591 -ifeq ($(CONFIG_TLS), wolfssl)
592 -CONFIG_EAP_PWD=y
593 -endif
594 -ifeq ($(CONFIG_TLS), mbedtls)
595 -CONFIG_EAP_PWD=y
596 -endif
597 +CONFIG_EAP_PWD=$(if $(filter openssl wolfssl mbedtls,$(CONFIG_TLS)),y,)
598
599 CONFIG_USIM_SIMULATOR=y
600 CONFIG_SIM_SIMULATOR=y
601 --- a/tests/hwsim/test_ap_eap.py
602 +++ b/tests/hwsim/test_ap_eap.py
603 @@ -42,20 +42,42 @@ def check_eap_capa(dev, method):
604 res = dev.get_capability("eap")
605 if method not in res:
606 raise HwsimSkip("EAP method %s not supported in the build" % method)
607 + if method == "FAST" or method == "TEAP":
608 + tls = dev.request("GET tls_library")
609 + if tls.startswith("mbed TLS"):
610 + raise HwsimSkip("EAP-%s not supported with this TLS library: " % method + tls)
611
612 def check_subject_match_support(dev):
613 tls = dev.request("GET tls_library")
614 - if not tls.startswith("OpenSSL") and not tls.startswith("wolfSSL"):
615 + if tls.startswith("OpenSSL"):
616 + return
617 + elif tls.startswith("wolfSSL"):
618 + return
619 + elif tls.startswith("mbed TLS"):
620 + return
621 + else:
622 raise HwsimSkip("subject_match not supported with this TLS library: " + tls)
623
624 def check_check_cert_subject_support(dev):
625 tls = dev.request("GET tls_library")
626 - if not tls.startswith("OpenSSL") and not tls.startswith("wolfSSL"):
627 + if tls.startswith("OpenSSL"):
628 + return
629 + elif tls.startswith("wolfSSL"):
630 + return
631 + elif tls.startswith("mbed TLS"):
632 + return
633 + else:
634 raise HwsimSkip("check_cert_subject not supported with this TLS library: " + tls)
635
636 def check_altsubject_match_support(dev):
637 tls = dev.request("GET tls_library")
638 - if not tls.startswith("OpenSSL") and not tls.startswith("wolfSSL"):
639 + if tls.startswith("OpenSSL"):
640 + return
641 + elif tls.startswith("wolfSSL"):
642 + return
643 + elif tls.startswith("mbed TLS"):
644 + return
645 + else:
646 raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls)
647
648 def check_domain_match(dev):
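Review bot: The three rewritten helpers here (check_subject_match_support, check_check_cert_subject_support, check_altsubject_match_support) each spell out an `if`/`elif`/`elif`/`else` chain whose first three arms only `return`. check_domain_match_full and check_ext_cert_check_support in the next hunks follow the same pattern. `str.startswith` accepts a tuple, so each reduces to `if not tls.startswith(("OpenSSL", "wolfSSL", "mbed TLS")):` followed by the existing `raise HwsimSkip(...)`, which keeps the supported-library list on one line. check_domain_match() at the end of the hunk continues outside it.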
649 @@ -70,7 +92,13 @@ def check_domain_suffix_match(dev):
650
651 def check_domain_match_full(dev):
652 tls = dev.request("GET tls_library")
653 - if not tls.startswith("OpenSSL") and not tls.startswith("wolfSSL"):
654 + if tls.startswith("OpenSSL"):
655 + return
656 + elif tls.startswith("wolfSSL"):
657 + return
658 + elif tls.startswith("mbed TLS"):
659 + return
660 + else:
661 raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls)
662
663 def check_cert_probe_support(dev):
664 @@ -79,8 +107,15 @@ def check_cert_probe_support(dev):
665 raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls)
666
667 def check_ext_cert_check_support(dev):
668 + if not openssl_imported:
669 + raise HwsimSkip("OpenSSL python method not available")
670 +
671 tls = dev.request("GET tls_library")
672 - if not tls.startswith("OpenSSL"):
673 + if tls.startswith("OpenSSL"):
674 + return
675 + elif tls.startswith("mbed TLS"):
676 + return
677 + else:
678 raise HwsimSkip("ext_cert_check not supported with this TLS library: " + tls)
679
680 def check_ocsp_support(dev):
681 @@ -91,14 +126,18 @@ def check_ocsp_support(dev):
682 # raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
683 #if tls.startswith("wolfSSL"):
684 # raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
685 + if tls.startswith("mbed TLS"):
686 + raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
687
688 def check_pkcs5_v15_support(dev):
689 tls = dev.request("GET tls_library")
690 - if "BoringSSL" in tls or "GnuTLS" in tls:
691 + if "BoringSSL" in tls or "GnuTLS" in tls or "mbed TLS" in tls:
692 raise HwsimSkip("PKCS#5 v1.5 not supported with this TLS library: " + tls)
693
694 def check_tls13_support(dev):
695 tls = dev.request("GET tls_library")
696 + if tls.startswith("mbed TLS"):
697 + raise HwsimSkip("TLS v1.3 not supported")
698 ok = ['run=OpenSSL 1.1.1', 'run=OpenSSL 3.0', 'run=OpenSSL 3.1',
699 'run=OpenSSL 3.2', 'wolfSSL']
700 for s in ok:
701 @@ -122,11 +161,15 @@ def check_pkcs12_support(dev):
702 # raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)
703 if tls.startswith("wolfSSL"):
704 raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)
705 + if tls.startswith("mbed TLS"):
706 + raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)
707
708 def check_dh_dsa_support(dev):
709 tls = dev.request("GET tls_library")
710 if tls.startswith("internal"):
711 raise HwsimSkip("DH DSA not supported with this TLS library: " + tls)
712 + if tls.startswith("mbed TLS"):
713 + raise HwsimSkip("DH DSA not supported with this TLS library: " + tls)
714
715 def check_ec_support(dev):
716 tls = dev.request("GET tls_library")
717 @@ -1741,7 +1784,7 @@ def test_ap_wpa2_eap_ttls_pap_subject_ma
718 eap_connect(dev[0], hapd, "TTLS", "pap user",
719 anonymous_identity="ttls", password="password",
720 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
721 - subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
722 + check_cert_subject="/C=FI/O=w1.fi/CN=server.w1.fi",
723 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
724 eap_reauth(dev[0], "TTLS")
725
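Review bot: Replacing `subject_match=` with `check_cert_subject=` changes what this test covers for every TLS library, not only mbed TLS. Going by the name in the hunk header (test_ap_wpa2_eap_ttls_pap_subject_ma…), this was the positive subject_match case, and after the change nothing in this `eap_connect` call exercises that option. If mbed TLS cannot handle this subject_match string, leaving this test on `subject_match="/C=FI/O=w1.fi/CN=server.w1.fi"` and covering `check_cert_subject` in a separate test would preserve the OpenSSL/wolfSSL coverage. The function starts outside the hunk, so what it checks before this call is not visible here.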
726 @@ -2976,6 +3019,7 @@ def test_ap_wpa2_eap_tls_neg_domain_matc
727
728 def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
729 """WPA2-Enterprise negative test - subject mismatch"""
730 + check_subject_match_support(dev[0])
731 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
732 hostapd.add_ap(apdev[0], params)
733 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
734 @@ -3036,6 +3080,7 @@ def test_ap_wpa2_eap_tls_neg_subject_mat
735
736 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
737 """WPA2-Enterprise negative test - altsubject mismatch"""
738 + check_altsubject_match_support(dev[0])
739 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
740 hostapd.add_ap(apdev[0], params)
741
742 @@ -3582,7 +3627,7 @@ def test_ap_wpa2_eap_ikev2_oom(dev, apde
743 dev[0].request("REMOVE_NETWORK all")
744
745 tls = dev[0].request("GET tls_library")
746 - if not tls.startswith("wolfSSL"):
747 + if not tls.startswith("wolfSSL") and not tls.startswith("mbed TLS"):
748 tests = [(1, "os_get_random;dh_init")]
749 else:
750 tests = [(1, "crypto_dh_init;dh_init")]
751 @@ -4896,7 +4941,7 @@ def test_ap_wpa2_eap_tls_intermediate_ca
752 params["private_key"] = "auth_serv/iCA-server/server.key"
753 hostapd.add_ap(apdev[0], params)
754 tls = dev[0].request("GET tls_library")
755 - if "GnuTLS" in tls or "wolfSSL" in tls:
756 + if "GnuTLS" in tls or "wolfSSL" in tls or "mbed TLS" in tls:
757 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
758 client_cert = "auth_serv/iCA-user/user_and_ica.pem"
759 else:
760 @@ -4962,6 +5007,7 @@ def test_ap_wpa2_eap_tls_intermediate_ca
761 run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, "-sha1")
762
763 def run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, md):
764 + check_ocsp_support(dev[0])
765 params = int_eap_server_params()
766 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
767 params["server_cert"] = "auth_serv/iCA-server/server.pem"
768 @@ -4971,7 +5017,7 @@ def run_ap_wpa2_eap_tls_intermediate_ca_
769 try:
770 hostapd.add_ap(apdev[0], params)
771 tls = dev[0].request("GET tls_library")
772 - if "GnuTLS" in tls or "wolfSSL" in tls:
773 + if "GnuTLS" in tls or "wolfSSL" in tls or "mbed TLS" in tls:
774 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
775 client_cert = "auth_serv/iCA-user/user_and_ica.pem"
776 else:
777 @@ -5007,7 +5053,7 @@ def run_ap_wpa2_eap_tls_intermediate_ca_
778 try:
779 hostapd.add_ap(apdev[0], params)
780 tls = dev[0].request("GET tls_library")
781 - if "GnuTLS" in tls or "wolfSSL" in tls:
782 + if "GnuTLS" in tls or "wolfSSL" in tls or "mbed TLS" in tls:
783 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
784 client_cert = "auth_serv/iCA-user/user_and_ica.pem"
785 else:
786 @@ -5057,7 +5103,7 @@ def test_ap_wpa2_eap_tls_intermediate_ca
787 try:
788 hostapd.add_ap(apdev[0], params)
789 tls = dev[0].request("GET tls_library")
790 - if "GnuTLS" in tls or "wolfSSL" in tls:
791 + if "GnuTLS" in tls or "wolfSSL" in tls or "mbed TLS" in tls:
792 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
793 client_cert = "auth_serv/iCA-user/user_and_ica.pem"
794 else:
795 @@ -5124,7 +5170,7 @@ def test_ap_wpa2_eap_tls_intermediate_ca
796
797 hostapd.add_ap(apdev[0], params)
798 tls = dev[0].request("GET tls_library")
799 - if "GnuTLS" in tls or "wolfSSL" in tls:
800 + if "GnuTLS" in tls or "wolfSSL" in tls or "mbed TLS" in tls:
801 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
802 client_cert = "auth_serv/iCA-user/user_and_ica.pem"
803 else:
804 @@ -5382,6 +5428,7 @@ def test_ap_wpa2_eap_ttls_server_cert_ek
805
806 def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
807 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
808 + check_pkcs12_support(dev[0])
809 skip_with_fips(dev[0])
810 params = int_eap_server_params()
811 del params["server_cert"]
812 @@ -5394,6 +5441,7 @@ def test_ap_wpa2_eap_ttls_server_pkcs12(
813
814 def test_ap_wpa2_eap_ttls_server_pkcs12_extra(dev, apdev):
815 """EAP-TTLS and server PKCS#12 file with extra certs"""
816 + check_pkcs12_support(dev[0])
817 skip_with_fips(dev[0])
818 params = int_eap_server_params()
819 del params["server_cert"]
820 @@ -5416,6 +5464,7 @@ def test_ap_wpa2_eap_ttls_dh_params_serv
821
822 def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
823 """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
824 + check_dh_dsa_support(dev[0])
825 params = int_eap_server_params()
826 params["dh_file"] = "auth_serv/dsaparam.pem"
827 hapd = hostapd.add_ap(apdev[0], params)
828 @@ -5727,8 +5776,8 @@ def test_ap_wpa2_eap_non_ascii_identity2
829 def test_openssl_cipher_suite_config_wpas(dev, apdev):
830 """OpenSSL cipher suite configuration on wpa_supplicant"""
831 tls = dev[0].request("GET tls_library")
832 - if not tls.startswith("OpenSSL"):
833 - raise HwsimSkip("TLS library is not OpenSSL: " + tls)
834 + if not tls.startswith("OpenSSL") and not tls.startswith("mbed TLS"):
835 + raise HwsimSkip("TLS library is not OpenSSL or mbed TLS: " + tls)
836 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
837 hapd = hostapd.add_ap(apdev[0], params)
838 eap_connect(dev[0], hapd, "TTLS", "pap user",
839 @@ -5754,14 +5803,14 @@ def test_openssl_cipher_suite_config_wpa
840 def test_openssl_cipher_suite_config_hapd(dev, apdev):
841 """OpenSSL cipher suite configuration on hostapd"""
842 tls = dev[0].request("GET tls_library")
843 - if not tls.startswith("OpenSSL"):
844 - raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls)
845 + if not tls.startswith("OpenSSL") and not tls.startswith("mbed TLS"):
846 + raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL or mbed TLS: " + tls)
847 params = int_eap_server_params()
848 params['openssl_ciphers'] = "AES256"
849 hapd = hostapd.add_ap(apdev[0], params)
850 tls = hapd.request("GET tls_library")
851 - if not tls.startswith("OpenSSL"):
852 - raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)
853 + if not tls.startswith("OpenSSL") and not tls.startswith("mbed TLS"):
854 + raise HwsimSkip("hostapd TLS library is not OpenSSL or mbed TLS: " + tls)
855 eap_connect(dev[0], hapd, "TTLS", "pap user",
856 anonymous_identity="ttls", password="password",
857 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
858 @@ -6207,13 +6256,17 @@ def test_ap_wpa2_eap_tls_versions(dev, a
859 check_tls_ver(dev[0], hapd,
860 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
861 "TLSv1.2")
862 - elif tls.startswith("internal"):
863 + elif tls.startswith("internal") or tls.startswith("mbed TLS"):
864 check_tls_ver(dev[0], hapd,
865 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
866 - check_tls_ver(dev[1], hapd,
867 - "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=1", "TLSv1.1")
868 - check_tls_ver(dev[2], hapd,
869 - "tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
870 + if tls.startswith("mbed TLS"):
871 + check_tls_ver(dev[2], hapd,
872 + "tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1.0")
873 + else:
874 + check_tls_ver(dev[1], hapd,
875 + "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=1", "TLSv1.1")
876 + check_tls_ver(dev[2], hapd,
877 + "tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
878 if "run=OpenSSL 1.1.1" in tls or "run=OpenSSL 3." in tls:
879 check_tls_ver(dev[0], hapd,
880 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0", "TLSv1.3")
881 @@ -6235,6 +6288,11 @@ def test_ap_wpa2_eap_tls_versions_server
882 tests = [("TLSv1", "[ENABLE-TLSv1.0][DISABLE-TLSv1.1][DISABLE-TLSv1.2][DISABLE-TLSv1.3]"),
883 ("TLSv1.1", "[ENABLE-TLSv1.0][ENABLE-TLSv1.1][DISABLE-TLSv1.2][DISABLE-TLSv1.3]"),
884 ("TLSv1.2", "[ENABLE-TLSv1.0][ENABLE-TLSv1.1][ENABLE-TLSv1.2][DISABLE-TLSv1.3]")]
885 + tls = dev[0].request("GET tls_library")
886 + if tls.startswith("mbed TLS"):
887 + tests = [#("TLSv1.0", "[ENABLE-TLSv1.0][DISABLE-TLSv1.1][DISABLE-TLSv1.2][DISABLE-TLSv1.3]"),
888 + #("TLSv1.1", "[ENABLE-TLSv1.0][ENABLE-TLSv1.1][DISABLE-TLSv1.2][DISABLE-TLSv1.3]"),
889 + ("TLSv1.2", "[ENABLE-TLSv1.0][ENABLE-TLSv1.1][ENABLE-TLSv1.2][DISABLE-TLSv1.3]")]
890 for exp, flags in tests:
891 hapd.disable()
892 hapd.set("tls_flags", flags)
893 @@ -7305,6 +7363,7 @@ def test_ap_wpa2_eap_assoc_rsn(dev, apde
894 def test_eap_tls_ext_cert_check(dev, apdev):
895 """EAP-TLS and external server certification validation"""
896 # With internal server certificate chain validation
897 + check_ext_cert_check_support(dev[0])
898 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
899 identity="tls user",
900 ca_cert="auth_serv/ca.pem",
901 @@ -7317,6 +7376,7 @@ def test_eap_tls_ext_cert_check(dev, apd
902 def test_eap_ttls_ext_cert_check(dev, apdev):
903 """EAP-TTLS and external server certification validation"""
904 # Without internal server certificate chain validation
905 + check_ext_cert_check_support(dev[0])
906 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
907 identity="pap user", anonymous_identity="ttls",
908 password="password", phase2="auth=PAP",
909 @@ -7327,6 +7387,7 @@ def test_eap_ttls_ext_cert_check(dev, ap
910 def test_eap_peap_ext_cert_check(dev, apdev):
911 """EAP-PEAP and external server certification validation"""
912 # With internal server certificate chain validation
913 + check_ext_cert_check_support(dev[0])
914 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
915 identity="user", anonymous_identity="peap",
916 ca_cert="auth_serv/ca.pem",
917 @@ -7337,6 +7398,7 @@ def test_eap_peap_ext_cert_check(dev, ap
918
919 def test_eap_fast_ext_cert_check(dev, apdev):
920 """EAP-FAST and external server certification validation"""
921 + check_ext_cert_check_support(dev[0])
922 check_eap_capa(dev[0], "FAST")
923 # With internal server certificate chain validation
924 dev[0].request("SET blob fast_pac_auth_ext ")
925 @@ -7351,10 +7413,6 @@ def test_eap_fast_ext_cert_check(dev, ap
926 run_ext_cert_check(dev, apdev, id)
927
928 def run_ext_cert_check(dev, apdev, net_id):
929 - check_ext_cert_check_support(dev[0])
930 - if not openssl_imported:
931 - raise HwsimSkip("OpenSSL python method not available")
932 -
933 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
934 hapd = hostapd.add_ap(apdev[0], params)
935
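Review bot: The `openssl_imported` skip removed from `run_ext_cert_check` is not restored in any of the four callers, which gain only `check_ext_cert_check_support(dev[0])`. That helper is defined outside the visible hunks, so unless it already covers a missing Python OpenSSL module, a host without it would fail these tests instead of skipping them. Keeping `if not openssl_imported: raise HwsimSkip("OpenSSL python method not available")` next to the moved call, or folding it into the helper, preserves the old behaviour. `run_ext_cert_check` continues past the end of the hunk.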
936 --- a/tests/hwsim/test_ap_ft.py
937 +++ b/tests/hwsim/test_ap_ft.py
938 @@ -2486,11 +2486,11 @@ def test_ap_ft_ap_oom5(dev, apdev):
939 # This will fail to roam
940 dev[0].roam(bssid1, check_bssid=False)
941
942 - with fail_test(hapd1, 1, "sha256_prf_bits;wpa_pmk_r1_to_ptk;wpa_ft_process_auth_req"):
943 + with fail_test(hapd1, 1, "sha256_prf;wpa_pmk_r1_to_ptk;wpa_ft_process_auth_req"):
944 # This will fail to roam
945 dev[0].roam(bssid1, check_bssid=False)
946
947 - with fail_test(hapd1, 3, "wpa_pmk_r1_to_ptk;wpa_ft_process_auth_req"):
948 + with fail_test(hapd1, 2, "wpa_pmk_r1_to_ptk;wpa_ft_process_auth_req"):
949 # This will fail to roam
950 dev[0].roam(bssid1, check_bssid=False)
951
952 --- a/tests/hwsim/test_authsrv.py
953 +++ b/tests/hwsim/test_authsrv.py
954 @@ -156,9 +156,12 @@ def test_authsrv_oom(dev, apdev):
955 if "FAIL" not in authsrv.request("ENABLE"):
956 raise Exception("ENABLE succeeded during OOM")
957
958 - with alloc_fail(authsrv, 1, "tls_init;authsrv_init"):
959 - if "FAIL" not in authsrv.request("ENABLE"):
960 - raise Exception("ENABLE succeeded during OOM")
961 + # tls_mbedtls.c:tls_init() does not alloc memory (no alloc fail trigger)
962 + tls = dev[0].request("GET tls_library")
963 + if not tls.startswith("mbed TLS"):
964 + with alloc_fail(authsrv, 1, "tls_init;authsrv_init"):
965 + if "FAIL" not in authsrv.request("ENABLE"):
966 + raise Exception("ENABLE succeeded during OOM")
967
968 for count in range(1, 3):
969 with alloc_fail(authsrv, count, "eap_sim_db_init;authsrv_init"):
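Review bot: The backend check reads `GET tls_library` from `dev[0]`, but the allocation failure it gates is injected into `authsrv`, so the skip is decided by the station's TLS build rather than the server's. If the two binaries can be built against different libraries, the `tls_init;authsrv_init` case would be skipped or run for the wrong reason. Querying the instance under test, `tls = authsrv.request("GET tls_library")`, ties the condition to the code being exercised, assuming that control interface answers the same query. `test_authsrv_oom` starts and ends outside the hunk.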
970 --- a/tests/hwsim/test_dpp.py
971 +++ b/tests/hwsim/test_dpp.py
972 @@ -39,7 +39,8 @@ def check_dpp_capab(dev, brainpool=False
973 raise HwsimSkip("DPP not supported")
974 if brainpool:
975 tls = dev.request("GET tls_library")
976 - if (not tls.startswith("OpenSSL") or "run=BoringSSL" in tls) and not tls.startswith("wolfSSL"):
977 + if (not tls.startswith("OpenSSL") or "run=BoringSSL" in tls) and not tls.startswith("wolfSSL") \
978 + and not tls.startswith("mbed TLS"):
979 raise HwsimSkip("Crypto library does not support Brainpool curves: " + tls)
980 capa = dev.request("GET_CAPABILITY dpp")
981 ver = 1
982 @@ -3902,6 +3903,9 @@ def test_dpp_proto_auth_req_no_i_proto_k
983
984 def test_dpp_proto_auth_req_invalid_i_proto_key(dev, apdev):
985 """DPP protocol testing - invalid I-proto key in Auth Req"""
986 + tls = dev[0].request("GET tls_library")
987 + if tls.startswith("mbed TLS"):
988 + raise HwsimSkip("mbed TLS crypto_ecdh_set_peerkey() properly detects invalid key; no response")
989 run_dpp_proto_auth_req_missing(dev, 66, "Invalid Initiator Protocol Key")
990
991 def test_dpp_proto_auth_req_no_i_nonce(dev, apdev):
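Review bot: Skipping `test_dpp_proto_auth_req_invalid_i_proto_key` on mbed TLS leaves the invalid-key rejection path without any assertion on that backend, even though the skip message itself says the key is detected. The next hunk handles the same situation in `test_dpp_proto_auth_resp_invalid_r_proto_key` by expecting a different failure string, and that shape would fit here too: keep the test running and assert that no response is produced. The same applies to the two PKEX Commit-Reveal tests skipped further down in this file. The repeated `GET tls_library` / `startswith("mbed TLS")` pair could also live in one small helper.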
992 @@ -3997,7 +4001,12 @@ def test_dpp_proto_auth_resp_no_r_proto_
993
994 def test_dpp_proto_auth_resp_invalid_r_proto_key(dev, apdev):
995 """DPP protocol testing - invalid R-Proto Key in Auth Resp"""
996 - run_dpp_proto_auth_resp_missing(dev, 67, "Invalid Responder Protocol Key")
997 + tls = dev[0].request("GET tls_library")
998 + if tls.startswith("mbed TLS"):
999 + # mbed TLS crypto_ecdh_set_peerkey() properly detects invalid key
1000 + run_dpp_proto_auth_resp_missing(dev, 67, "Failed to derive ECDH shared secret")
1001 + else:
1002 + run_dpp_proto_auth_resp_missing(dev, 67, "Invalid Responder Protocol Key")
1003
1004 def test_dpp_proto_auth_resp_no_r_nonce(dev, apdev):
1005 """DPP protocol testing - no R-nonce in Auth Resp"""
1006 @@ -4359,11 +4368,17 @@ def test_dpp_proto_pkex_exchange_resp_in
1007
1008 def test_dpp_proto_pkex_cr_req_invalid_bootstrap_key(dev, apdev):
1009 """DPP protocol testing - invalid Bootstrap Key in PKEX Commit-Reveal Request"""
1010 + tls = dev[0].request("GET tls_library")
1011 + if tls.startswith("mbed TLS"):
1012 + raise HwsimSkip("mbed TLS crypto_ecdh_set_peerkey() properly detects invalid key; no response")
1013 run_dpp_proto_pkex_req_missing(dev, 47,
1014 "Peer bootstrapping key is invalid")
1015
1016 def test_dpp_proto_pkex_cr_resp_invalid_bootstrap_key(dev, apdev):
1017 """DPP protocol testing - invalid Bootstrap Key in PKEX Commit-Reveal Response"""
1018 + tls = dev[0].request("GET tls_library")
1019 + if tls.startswith("mbed TLS"):
1020 + raise HwsimSkip("mbed TLS crypto_ecdh_set_peerkey() properly detects invalid key; no response")
1021 run_dpp_proto_pkex_resp_missing(dev, 48,
1022 "Peer bootstrapping key is invalid")
1023
1024 --- a/tests/hwsim/test_erp.py
1025 +++ b/tests/hwsim/test_erp.py
1026 @@ -12,7 +12,7 @@ import time
1027
1028 import hostapd
1029 from utils import *
1030 -from test_ap_eap import int_eap_server_params, check_tls13_support
1031 +from test_ap_eap import int_eap_server_params, check_tls13_support, check_eap_capa
1032 from test_ap_psk import find_wpas_process, read_process_memory, verify_not_present, get_key_locations
1033
1034 def test_erp_initiate_reauth_start(dev, apdev):
1035 @@ -276,6 +276,7 @@ def test_erp_radius_eap_methods(dev, apd
1036 params['erp_domain'] = 'example.com'
1037 params['disable_pmksa_caching'] = '1'
1038 hapd = hostapd.add_ap(apdev[0], params)
1039 + tls = dev[0].request("GET tls_library")
1040
1041 erp_test(dev[0], hapd, eap="AKA", identity="0232010000000000@example.com",
1042 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
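Review bot: `tls`, assigned right after `hostapd.add_ap(apdev[0], params)`, is not read by any added line in this file's hunks, so it looks like a leftover. Either drop `tls = dev[0].request("GET tls_library")` or use it where a backend-specific decision is intended. `test_erp_radius_eap_methods` extends beyond the hunk, but unchanged code could not reference a name this patch introduces.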
1043 @@ -289,7 +290,7 @@ def test_erp_radius_eap_methods(dev, apd
1044 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1045 erp_test(dev[0], hapd, eap="EKE", identity="erp-eke@example.com",
1046 password="hello")
1047 - if "FAST" in eap_methods:
1048 + if "FAST" in eap_methods and check_eap_capa(dev[0], "FAST"):
1049 erp_test(dev[0], hapd, eap="FAST", identity="erp-fast@example.com",
1050 password="password", ca_cert="auth_serv/ca.pem",
1051 phase2="auth=GTC",
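Review bot: `check_eap_capa(dev[0], "FAST")` is used as a boolean in `if "FAST" in eap_methods and check_eap_capa(dev[0], "FAST"):`, which only works if the helper returns a truthy value when the method is available. It is imported from `test_ap_eap` and not shown here; if it reports an unsupported method by raising `HwsimSkip` and otherwise returns nothing, the FAST branch never runs on any backend and a missing method skips the whole test rather than one sub-case. The `MSCHAPV2` and `TEAP` conditions in the next hunk have the same shape. A predicate that returns `True`/`False`, or a `try`/`except HwsimSkip` around each sub-case, would make the intent explicit.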
1052 @@ -301,13 +302,14 @@ def test_erp_radius_eap_methods(dev, apd
1053 password="password")
1054 erp_test(dev[0], hapd, eap="PAX", identity="erp-pax@example.com",
1055 password_hex="0123456789abcdef0123456789abcdef")
1056 - if "MSCHAPV2" in eap_methods:
1057 + if "MSCHAPV2" in eap_methods and check_eap_capa(dev[0], "MSCHAPV2"):
1058 erp_test(dev[0], hapd, eap="PEAP", identity="erp-peap@example.com",
1059 password="password", ca_cert="auth_serv/ca.pem",
1060 phase2="auth=MSCHAPV2")
1061 - erp_test(dev[0], hapd, eap="TEAP", identity="erp-teap@example.com",
1062 - password="password", ca_cert="auth_serv/ca.pem",
1063 - phase2="auth=MSCHAPV2", pac_file="blob://teap_pac")
1064 + if check_eap_capa(dev[0], "TEAP"):
1065 + erp_test(dev[0], hapd, eap="TEAP", identity="erp-teap@example.com",
1066 + password="password", ca_cert="auth_serv/ca.pem",
1067 + phase2="auth=MSCHAPV2", pac_file="blob://teap_pac")
1068 erp_test(dev[0], hapd, eap="PSK", identity="erp-psk@example.com",
1069 password_hex="0123456789abcdef0123456789abcdef")
1070 if "PWD" in eap_methods:
1071 @@ -640,7 +642,7 @@ def test_erp_local_errors(dev, apdev):
1072 dev[0].request("REMOVE_NETWORK all")
1073 dev[0].wait_disconnected()
1074
1075 - for count in range(1, 6):
1076 + for count in range(1, 4):
1077 dev[0].request("ERP_FLUSH")
1078 with fail_test(dev[0], count, "hmac_sha256_kdf;eap_peer_erp_init"):
1079 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1080 --- a/tests/hwsim/test_fils.py
1081 +++ b/tests/hwsim/test_fils.py
1082 @@ -1472,6 +1472,10 @@ def check_ec_group(dev, group):
1083 tls = dev.request("GET tls_library")
1084 if tls.startswith("wolfSSL"):
1085 return
1086 + elif tls.startswith("mbed TLS"):
1087 + if int(group) == 27:
1088 + raise HwsimSkip("Brainpool EC group 27 not supported by mbed TLS")
1089 + return
1090 if int(group) in [25]:
1091 if not (tls.startswith("OpenSSL") and ("build=OpenSSL 1.0.2" in tls or "build=OpenSSL 1.1" in tls or "build=OpenSSL 3." in tls) and ("run=OpenSSL 1.0.2" in tls or "run=OpenSSL 1.1" in tls or "run=OpenSSL 3." in tls)):
1092 raise HwsimSkip("EC group not supported")
1093 --- a/tests/hwsim/test_pmksa_cache.py
1094 +++ b/tests/hwsim/test_pmksa_cache.py
1095 @@ -958,7 +958,7 @@ def test_pmksa_cache_preauth_wpas_oom(de
1096 eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
1097 password_hex="0123456789abcdef0123456789abcdef",
1098 bssid=apdev[0]['bssid'])
1099 - for i in range(1, 11):
1100 + for i in range(1, 10):
1101 with alloc_fail(dev[0], i, "rsn_preauth_init"):
1102 res = dev[0].request("PREAUTH f2:11:22:33:44:55").strip()
1103 logger.info("Iteration %d - PREAUTH command results: %s" % (i, res))
1104 @@ -966,7 +966,7 @@ def test_pmksa_cache_preauth_wpas_oom(de
1105 state = dev[0].request('GET_ALLOC_FAIL')
1106 if state.startswith('0:'):
1107 break
1108 - time.sleep(0.05)
1109 + time.sleep(0.10)
1110
1111 def test_pmksa_cache_ctrl(dev, apdev):
1112 """PMKSA cache control interface operations"""
1113 --- a/tests/hwsim/test_sae.py
1114 +++ b/tests/hwsim/test_sae.py
1115 @@ -178,6 +178,11 @@ def test_sae_groups(dev, apdev):
1116 if tls.startswith("OpenSSL") and "run=OpenSSL 1." in tls:
1117 logger.info("Add Brainpool EC groups since OpenSSL is new enough")
1118 sae_groups += [27, 28, 29, 30]
1119 + if tls.startswith("mbed TLS"):
1120 + # secp224k1 and secp224r1 (26) have prime p = 1 mod 4, and mbedtls
1121 + # does not have code to derive y from compressed format for those curves
1122 + sae_groups = [19, 25, 20, 21, 1, 2, 5, 14, 15, 16, 22, 23, 24]
1123 + sae_groups += [27, 28, 29, 30]
1124 heavy_groups = [14, 15, 16]
1125 suitable_groups = [15, 16, 17, 18, 19, 20, 21]
1126 groups = [str(g) for g in sae_groups]
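Review bot: The mbed TLS branch appends group 27 through `sae_groups += [27, 28, 29, 30]`, while `check_ec_group` in `tests/hwsim/test_fils.py` (same patch) skips with "Brainpool EC group 27 not supported by mbed TLS". If `test_sae_groups` tolerates unsupported groups later in the function, which is outside the hunk, a comment should say so; otherwise `sae_groups += [28, 29, 30]` matches the FILS check.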
1127 @@ -2194,6 +2199,8 @@ def run_sae_pwe_group(dev, apdev, group)
1128 logger.info("Add Brainpool EC groups since OpenSSL is new enough")
1129 elif tls.startswith("wolfSSL"):
1130 logger.info("Make sure Brainpool EC groups were enabled when compiling wolfSSL")
1131 + elif tls.startswith("mbed TLS"):
1132 + logger.info("Make sure Brainpool EC groups were enabled when compiling mbed TLS")
1133 else:
1134 raise HwsimSkip("Brainpool curve not supported")
1135 start_sae_pwe_ap(apdev[0], group, 2)
1136 --- a/tests/hwsim/test_suite_b.py
1137 +++ b/tests/hwsim/test_suite_b.py
1138 @@ -27,6 +27,8 @@ def check_suite_b_tls_lib(dev, dhe=False
1139 return
1140 if tls.startswith("wolfSSL"):
1141 return
1142 + if tls.startswith("mbed TLS"):
1143 + return
1144 if not tls.startswith("OpenSSL"):
1145 raise HwsimSkip("TLS library not supported for Suite B: " + tls)
1146 supported = False
1147 @@ -520,6 +522,7 @@ def test_suite_b_192_rsa_insufficient_dh
1148
1149 dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
1150 ieee80211w="2",
1151 + openssl_ciphers="DHE-RSA-AES256-GCM-SHA384",
1152 phase1="tls_suiteb=1",
1153 eap="TLS", identity="tls user",
1154 ca_cert="auth_serv/rsa3072-ca.pem",
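Review bot: `openssl_ciphers="DHE-RSA-AES256-GCM-SHA384"` is added to the connect call for every TLS backend with no comment explaining it, and the parameter name suggests an OpenSSL-style cipher string. A short comment would help, for example `# pin a DHE suite so the server's DH parameter size is what gets checked` if that is the intent, together with a note on whether non-OpenSSL builds interpret the string. The test body starts and ends outside the hunk.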
1155 --- a/tests/hwsim/test_wpas_ctrl.py
1156 +++ b/tests/hwsim/test_wpas_ctrl.py
1157 @@ -1842,7 +1842,7 @@ def _test_wpas_ctrl_oom(dev):
1158 tls = dev[0].request("GET tls_library")
1159 if not tls.startswith("internal"):
1160 tests.append(('NFC_GET_HANDOVER_SEL NDEF P2P-CR-TAG', 'FAIL',
1161 - 4, 'wpas_ctrl_nfc_get_handover_sel_p2p'))
1162 + 3, 'wpas_ctrl_nfc_get_handover_sel_p2p'))
1163 for cmd, exp, count, func in tests:
1164 with alloc_fail(dev[0], count, func):
1165 res = dev[0].request(cmd)
1166 --- a/tests/hwsim/utils.py
1167 +++ b/tests/hwsim/utils.py
1168 @@ -145,7 +145,13 @@ def check_imsi_privacy_support(dev):
1169
1170 def check_tls_tod(dev):
1171 tls = dev.request("GET tls_library")
1172 - if not tls.startswith("OpenSSL") and not tls.startswith("internal"):
1173 + if tls.startswith("OpenSSL"):
1174 + return
1175 + elif tls.startswith("internal"):
1176 + return
1177 + elif tls.startswith("mbed TLS"):
1178 + return
1179 + else:
1180 raise HwsimSkip("TLS TOD-TOFU/STRICT not supported with this TLS library: " + tls)
1181
1182 def vht_supported():
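Review bot: The `if`/`elif`/`else` chain in `check_tls_tod` returns from three branches that differ only in the prefix, which `str.startswith` accepts as a tuple. `if not tls.startswith(("OpenSSL", "internal", "mbed TLS")):` followed by the existing `raise HwsimSkip(...)` keeps the original one-condition shape and makes adding a backend a one-word change.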
1183 --- /dev/null
1184 +++ b/tests/test-crypto_module.c
1185 @@ -0,0 +1,16 @@
1186 +/*
1187 + * crypto module tests - test program
1188 + * Copyright (c) 2022, Glenn Strauss <gstrauss@gluelogic.com>
1189 + *
1190 + * This software may be distributed under the terms of the BSD license.
1191 + * See README for more details.
1192 + */
1193 +
1194 +#include "utils/includes.h"
1195 +#include "utils/module_tests.h"
1196 +#include "crypto/crypto_module_tests.c"
1197 +
1198 +int main(int argc, char *argv[])
1199 +{
1200 + return crypto_module_tests();
1201 +}
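Review bot: `#include "crypto/crypto_module_tests.c"` pulls a source file into this translation unit without saying why, and `main` declares `argc`/`argv` that it never uses. A one-line comment such as `/* included directly so the test program carries its own copy of the module tests */` (if that is the reason) and `int main(void)` would address both. The process exit status is whatever `crypto_module_tests()` returns, so a negative return appears as a non-zero status truncated to eight bits.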
1202 --- a/tests/test-https.c
1203 +++ b/tests/test-https.c
1204 @@ -75,7 +75,7 @@ static int https_client(int s, const cha
1205 struct tls_connection *conn;
1206 struct wpabuf *in, *out, *appl;
1207 int res = -1;
1208 - int need_more_data;
1209 + int need_more_data = 0;
1210
1211 os_memset(&conf, 0, sizeof(conf));
1212 conf.event_cb = https_tls_event_cb;
1213 @@ -93,8 +93,12 @@ static int https_client(int s, const cha
1214
1215 for (;;) {
1216 appl = NULL;
1217 +#ifdef CONFIG_TLS_INTERNAL_SERVER
1218 out = tls_connection_handshake2(tls, conn, in, &appl,
1219 &need_more_data);
1220 +#else
1221 + out = tls_connection_handshake(tls, conn, in, &appl);
1222 +#endif
1223 wpabuf_free(in);
1224 in = NULL;
1225 if (out == NULL) {
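Review bot: The client in `https_client` selects `tls_connection_handshake2()` with `#ifdef CONFIG_TLS_INTERNAL_SERVER`, a macro named for the server side, and the read loop in the following hunk does the same for `tls_connection_decrypt2()`. Where that macro is defined is not visible here; if a build can enable the internal TLS client without it, this test silently takes the generic path and `need_more_data` stays 0. Consider keying on the macro that actually guards the `*2` functions, or add a comment stating why the server macro is the right one. `https_client` starts and ends outside the hunk.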
1226 @@ -152,11 +156,15 @@ static int https_client(int s, const cha
1227
1228 wpa_printf(MSG_INFO, "Reading HTTP response");
1229 for (;;) {
1230 - int need_more_data;
1231 + int need_more_data = 0;
1232 in = https_recv(s);
1233 if (in == NULL)
1234 goto done;
1235 +#ifdef CONFIG_TLS_INTERNAL_SERVER
1236 out = tls_connection_decrypt2(tls, conn, in, &need_more_data);
1237 +#else
1238 + out = tls_connection_decrypt(tls, conn, in);
1239 +#endif
1240 if (need_more_data)
1241 wpa_printf(MSG_DEBUG, "HTTP: Need more data");
1242 wpabuf_free(in);
1243 --- a/tests/test-https_server.c
1244 +++ b/tests/test-https_server.c
1245 @@ -67,10 +67,12 @@ static struct wpabuf * https_recv(int s,
1246 }
1247
1248
1249 +#ifdef CONFIG_TLS_INTERNAL_SERVER
1250 static void https_tls_log_cb(void *ctx, const char *msg)
1251 {
1252 wpa_printf(MSG_DEBUG, "TLS: %s", msg);
1253 }
1254 +#endif
1255
1256
1257 static int https_server(int s)
1258 @@ -79,7 +81,7 @@ static int https_server(int s)
1259 void *tls;
1260 struct tls_connection_params params;
1261 struct tls_connection *conn;
1262 - struct wpabuf *in, *out, *appl;
1263 + struct wpabuf *in = NULL, *out = NULL, *appl = NULL;
1264 int res = -1;
1265
1266 os_memset(&conf, 0, sizeof(conf));
1267 @@ -106,7 +108,9 @@ static int https_server(int s)
1268 return -1;
1269 }
1270
1271 +#ifdef CONFIG_TLS_INTERNAL_SERVER
1272 tls_connection_set_log_cb(conn, https_tls_log_cb, NULL);
1273 +#endif
1274
1275 for (;;) {
1276 in = https_recv(s, 5000);
1277 @@ -147,12 +151,16 @@ static int https_server(int s)
1278
1279 wpa_printf(MSG_INFO, "Reading HTTP request");
1280 for (;;) {
1281 - int need_more_data;
1282 + int need_more_data = 0;
1283
1284 in = https_recv(s, 5000);
1285 if (!in)
1286 goto done;
1287 +#ifdef CONFIG_TLS_INTERNAL_SERVER
1288 out = tls_connection_decrypt2(tls, conn, in, &need_more_data);
1289 +#else
1290 + out = tls_connection_decrypt(tls, conn, in);
1291 +#endif
1292 wpabuf_free(in);
1293 in = NULL;
1294 if (need_more_data) {
1295 --- a/wpa_supplicant/Makefile
1296 +++ b/wpa_supplicant/Makefile
1297 @@ -1189,6 +1189,7 @@ TLS_FUNCS=y
1298 endif
1299
1300 ifeq ($(CONFIG_TLS), wolfssl)
1301 +CFLAGS += -DCONFIG_TLS_WOLFSSL
1302 ifdef TLS_FUNCS
1303 CFLAGS += -DWOLFSSL_DER_LOAD
1304 OBJS += ../src/crypto/tls_wolfssl.o
1305 @@ -1204,6 +1205,7 @@ LIBS_p += -lwolfssl -lm
1306 endif
1307
1308 ifeq ($(CONFIG_TLS), openssl)
1309 +CFLAGS += -DCONFIG_TLS_OPENSSL
1310 CFLAGS += -DCRYPTO_RSA_OAEP_SHA256
1311 ifdef TLS_FUNCS
1312 CFLAGS += -DEAP_TLS_OPENSSL
1313 @@ -1231,6 +1233,7 @@ CFLAGS += -DTLS_DEFAULT_CIPHERS=\"$(CONF
1314 endif
1315
1316 ifeq ($(CONFIG_TLS), mbedtls)
1317 +CFLAGS += -DCONFIG_TLS_MBEDTLS
1318 ifndef CONFIG_CRYPTO
1319 CONFIG_CRYPTO=mbedtls
1320 endif
1321 @@ -1250,6 +1253,7 @@ endif
1322 endif
1323
1324 ifeq ($(CONFIG_TLS), gnutls)
1325 +CFLAGS += -DCONFIG_TLS_GNUTLS
1326 ifndef CONFIG_CRYPTO
1327 # default to libgcrypt
1328 CONFIG_CRYPTO=gnutls
1329 @@ -1280,6 +1284,7 @@ endif
1330 endif
1331
1332 ifeq ($(CONFIG_TLS), internal)
1333 +CFLAGS += -DCONFIG_TLS_INTERNAL
1334 ifndef CONFIG_CRYPTO
1335 CONFIG_CRYPTO=internal
1336 endif
1337 @@ -1360,6 +1365,7 @@ endif
1338 endif
1339
1340 ifeq ($(CONFIG_TLS), linux)
1341 +CFLAGS += -DCONFIG_TLS_INTERNAL
1342 OBJS += ../src/crypto/crypto_linux.o
1343 OBJS_p += ../src/crypto/crypto_linux.o
1344 ifdef TLS_FUNCS
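Review bot: The `linux` branch defines `-DCONFIG_TLS_INTERNAL`, whereas every other branch in this file's hunks defines a macro named after its own `CONFIG_TLS` value. If that is deliberate because this configuration uses the internal TLS code with kernel crypto, a comment such as `# linux crypto backend uses the internal TLS implementation` would stop it reading as a copy-paste slip. The `ifeq` block continues past the hunk.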