net: lib: Add a new hostap crypto library

This libray is primarily to maintain NCS build for hostap using nRF
security. It uses external crypto option in the upstream hostap to
overriwde crypto configuration.

Signed-off-by: Chaitanya Tata <[email protected]>

Author: krish2718

CODEOWNERS

@@ -678,6 +678,7 @@
 /subsys/net/lib/azure_*                   @nrfconnect/ncs-cia
 /subsys/net/lib/aws_*                     @nrfconnect/ncs-cia
 /subsys/net/lib/ftp_client/               @nrfconnect/ncs-iot-oulu
+/subsys/net/lib/hostap_crypto/            @krish2718 @jukkar @vivekuppunda
 /subsys/net/lib/icalendar_parser/         @lats1980
 /subsys/net/lib/lwm2m_client_utils/       @nrfconnect/ncs-co-networking @nrfconnect/ncs-iot-oulu
 /subsys/net/lib/nrf_cloud/                @nrfconnect/ncs-nrf-cloud

subsys/net/lib/CMakeLists.txt

@@ -36,3 +36,4 @@ add_subdirectory_ifdef(CONFIG_MQTT_HELPER mqtt_helper)
 add_subdirectory_ifdef(CONFIG_NRF_PROVISIONING nrf_provisioning)
 add_subdirectory_ifdef(CONFIG_NRF_MCUMGR_SMP_CLIENT mcumgr_smp_client)
 add_subdirectory_ifdef(CONFIG_WIFI_NRF70 nrf70_fw_ext)
+add_subdirectory_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT hostap_crypto)

subsys/net/lib/Kconfig

@@ -48,5 +48,6 @@ rsource "mqtt_helper/Kconfig"
 rsource "nrf_provisioning/Kconfig"
 rsource "mcumgr_smp_client/Kconfig"
 rsource "nrf70_fw_ext/Kconfig"
+rsource "hostap_crypto/Kconfig"
 
 endmenu

subsys/net/lib/hostap_crypto/CMakeLists.txt

@@ -0,0 +1,130 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+zephyr_interface_library_named(hostap_crypto)
+
+set(HOSTAP_BASE ${ZEPHYR_HOSTAP_MODULE_DIR})
+set(WIFI_NM_WPA_SUPPLICANT_BASE ${HOSTAP_BASE}/wpa_supplicant)
+set(HOSTAP_SRC_BASE ${HOSTAP_BASE}/src)
+set(WIFI_NM_HOSTAPD_BASE ${HOSTAP_BASE}/hostapd)
+
+set(CMAKE_EXE_LINKER_FLAGS "--specs=nosys.specs -lnosys")
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DMISSING_SYSCALL_NAMES")
+
+# For src/utils includes
+target_link_libraries(hostap_crypto INTERFACE hostap)
+
+if(DEFINED CONFIG_HOSTAP_CRYPTO_LEGACY OR
+   DEFINED CONFIG_HOSTAP_CRYPTO_LEGACY_PSA)
+  zephyr_library_sources(
+    ${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls-bignum.c
+    ${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls-ec.c
+    ${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-internal.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-wrap.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-unwrap.c
+    ${HOSTAP_SRC_BASE}/crypto/rc4.c
+    ${HOSTAP_SRC_BASE}/crypto/sha1-internal.c
+    ${HOSTAP_SRC_BASE}/crypto/sha1-prf.c
+    ${HOSTAP_SRC_BASE}/crypto/sha1-tlsprf.c
+    ${HOSTAP_SRC_BASE}/crypto/sha256-prf.c
+    ${HOSTAP_SRC_BASE}/crypto/sha256-kdf.c
+    ${HOSTAP_SRC_BASE}/crypto/sha384-prf.c
+    ${HOSTAP_SRC_BASE}/crypto/sha384-kdf.c
+    ${HOSTAP_SRC_BASE}/crypto/sha512-internal.c
+    ${HOSTAP_SRC_BASE}/crypto/sha512.c
+    ${HOSTAP_SRC_BASE}/crypto/sha512-prf.c
+    ${HOSTAP_SRC_BASE}/crypto/sha512-kdf.c
+  )
+
+  zephyr_library_sources_ifdef(CONFIG_HOSTAP_WPA3
+    ${HOSTAP_SRC_BASE}/crypto/sha256-kdf.c
+  )
+
+  zephyr_library_sources_ifndef(CONFIG_HOSTAP_CRYPTO_ENTERPRISE
+    ${HOSTAP_SRC_BASE}/crypto/tls_none.c
+  )
+
+  zephyr_library_sources_ifdef(CONFIG_HOSTAP_CRYPTO_ENTERPRISE
+    # common
+    ${HOSTAP_SRC_BASE}/crypto/sha384-tlsprf.c
+    ${HOSTAP_SRC_BASE}/crypto/sha256-tlsprf.c
+    ${HOSTAP_SRC_BASE}/crypto/sha1-tlsprf.c
+    ${HOSTAP_SRC_BASE}/crypto/sha1-tprf.c
+    ${HOSTAP_SRC_BASE}/crypto/ms_funcs.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-eax.c
+    # MD4 removed from MbedTLS
+    ${HOSTAP_SRC_BASE}/crypto/md4-internal.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-encblock.c
+    ${HOSTAP_SRC_BASE}/crypto/tls_mbedtls.c
+  )
+endif()
+
+if(DEFINED CONFIG_HOSTAP_CRYPTO_ALT_LEGACY)
+  zephyr_include_directories(
+    ${HOSTAP_BASE}/port/mbedtls
+  )
+
+  zephyr_library_sources(
+    ${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls_alt.c
+    ${HOSTAP_SRC_BASE}/crypto/rc4.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-wrap.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-unwrap.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-internal-dec.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-internal.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-internal-enc.c
+  )
+
+  zephyr_library_sources_ifdef(CONFIG_HOSTAP_CRYPTO_MBEDTLS_PSA
+    ${HOSTAP_BASE}/port/mbedtls/supp_psa_api.c
+  )
+
+  zephyr_library_sources_ifdef(CONFIG_HOSTAP_CRYPTO_ENTERPRISE
+    ${HOSTAP_SRC_BASE}/crypto/ms_funcs.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-eax.c
+    ${HOSTAP_SRC_BASE}/crypto/md4-internal.c
+    ${HOSTAP_SRC_BASE}/crypto/sha1-internal.c
+    ${HOSTAP_SRC_BASE}/crypto/fips_prf_internal.c
+    ${HOSTAP_SRC_BASE}/crypto/milenage.c
+    ${HOSTAP_SRC_BASE}/crypto/tls_mbedtls_alt.c
+  )
+
+  zephyr_library_sources_ifndef(CONFIG_HOSTAP_CRYPTO_ENTERPRISE
+    ${HOSTAP_SRC_BASE}/crypto/tls_none.c
+  )
+
+
+  zephyr_library_sources_ifdef(CONFIG_HOSTAP_CRYPTO_TEST
+    ${HOSTAP_SRC_BASE}/crypto/crypto_module_tests.c
+    ${HOSTAP_SRC_BASE}/crypto/fips_prf_internal.c
+    ${HOSTAP_SRC_BASE}/crypto/sha1-internal.c
+    ${HOSTAP_SRC_BASE}/crypto/sha1-tlsprf.c
+  )
+endif()
+
+if(DEFINED CONFIG_HOSTAP_CRYPTO_ALT_PSA)
+  # Source code still uses the original symbol
+  zephyr_compile_definitions(
+    CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
+  )
+
+  zephyr_include_directories(
+    ${HOSTAP_BASE}/port/mbedtls
+  )
+
+  zephyr_library_sources(
+    ${HOSTAP_SRC_BASE}/crypto/aes-wrap.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-unwrap.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-internal-dec.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-internal.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-internal-enc.c
+    ${HOSTAP_SRC_BASE}/crypto/rc4.c
+    ${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls_alt.c
+    ${HOSTAP_SRC_BASE}/crypto/sha256-kdf.c
+    ${HOSTAP_BASE}/port/mbedtls/supp_psa_api.c
+    ${HOSTAP_SRC_BASE}/crypto/tls_none.c
+  )
+endif()

subsys/net/lib/hostap_crypto/Kconfig

@@ -0,0 +1,151 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+if WIFI_NM_WPA_SUPPLICANT
+
+choice WIFI_NM_WPA_SUPPLICANT_CRYPTO_BACKEND
+	default WIFI_NM_WPA_SUPPLICANT_CRYPTO_EXT
+endchoice
+
+choice HOSTAP_CRYPTO_BACKEND
+	prompt "WPA supplicant crypto implementation"
+	default HOSTAP_CRYPTO_ALT_PSA if SOC_SERIES_NRF54HX
+	default HOSTAP_CRYPTO_LEGACY_PSA if SOC_SERIES_NRF54LX || BUILD_WITH_TFM
+	default HOSTAP_CRYPTO_ALT_LEGACY
+	help
+	  Select the crypto implementation to use for WPA supplicant.
+	  HOSTAP_CRYPTO_ALT supports enterprise mode
+	  and DPP.
+
+config HOSTAP_CRYPTO_LEGACY
+	bool "Legacy Crypto support for WiFi using nRF security"
+	select MBEDTLS
+	select NRF_SECURITY
+	select MBEDTLS_CIPHER_MODE_CBC
+	select MBEDTLS_CIPHER_MODE_CTR
+	select MBEDTLS_LEGACY_CRYPTO_C
+	select MBEDTLS_SHA1_C
+	select MBEDTLS_ECP_C
+	select MBEDTLS_CTR_DRBG_C
+	select MBEDTLS_PK_C
+	select MBEDTLS_PKCS5_C
+	select MBEDTLS_PK_PARSE_C
+	select MBEDTLS_CMAC_C
+	select MBEDTLS_CIPHER_PADDING_PKCS7
+	select MBEDTLS_PK_WRITE_C
+	select MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
+	select MBEDTLS_ECP_DP_SECP256R1_ENABLED
+
+config HOSTAP_CRYPTO_LEGACY_PSA
+	bool "PSA Crypto support for WiFi using nRF security"
+	select MBEDTLS
+	select NRF_SECURITY
+	select PSA_WANT_GENERATE_RANDOM
+	# Legacy crypto, still needed
+	select MBEDTLS_SHA1_C
+	select MBEDTLS_LEGACY_CRYPTO_C
+	select MBEDTLS_CMAC_C
+	select MBEDTLS_GCM_C
+	select MBEDTLS_TLS_LIBRARY
+	select MBEDTLS_PK_C
+	select MBEDTLS_PK_WRITE_C
+	select MBEDTLS_X509_LIBRARY
+	select MBEDTLS_X509_CRT_PARSE_C
+	select MBEDTLS_CIPHER_C
+	select MBEDTLS_CIPHER_MODE_CTR
+	select MBEDTLS_CIPHER_MODE_CBC
+	select MBEDTLS_SSL_TLS_C
+	select MBEDTLS_ECP_C
+	select MBEDTLS_CTR_DRBG_C
+	select MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
+	select MBEDTLS_MD_C
+	select MBEDTLS_CIPHER_PADDING_PKCS7
+	select MBEDTLS_PKCS5_C
+	select MBEDTLS_ECP_DP_SECP256R1_ENABLED
+
+config HOSTAP_CRYPTO_ALT_LEGACY
+	bool "Legacy Crypto support for WiFi using nRF security"
+	select MBEDTLS
+	select NRF_SECURITY
+	select MBEDTLS_CIPHER_MODE_CBC
+	select MBEDTLS_CIPHER_MODE_CTR
+	select MBEDTLS_LEGACY_CRYPTO_C
+	select MBEDTLS_ENTROPY_C
+	select MBEDTLS_CIPHER
+	select MBEDTLS_ECP_C
+	select MBEDTLS_CTR_DRBG_C
+	select MBEDTLS_PK_WRITE_C
+	select MBEDTLS_HKDF_C
+	select MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
+	select MBEDTLS_MD_C
+	select MBEDTLS_MD5_C
+	select MBEDTLS_ENTROPY_C
+	select MBEDTLS_CIPHER_PADDING_PKCS7
+	select MBEDTLS_PKCS5_C
+
+config HOSTAP_CRYPTO_ALT_LEGACY_PSA
+	bool "Legacy Crypto support for WiFi using nRF security"
+	select MBEDTLS
+	select NRF_SECURITY
+	select PSA_WANT_GENERATE_RANDOM
+	select MBEDTLS_CIPHER_MODE_CBC
+	select MBEDTLS_CIPHER_MODE_CTR
+	select MBEDTLS_LEGACY_CRYPTO_C
+	select MBEDTLS_SHA1_C
+	select MBEDTLS_ECP_C
+	select MBEDTLS_CTR_DRBG_C
+	select MBEDTLS_PK_C
+	select MBEDTLS_PKCS5_C
+	select MBEDTLS_PK_PARSE_C
+	select MBEDTLS_CMAC_C
+	select MBEDTLS_CIPHER_PADDING_PKCS7
+	select MBEDTLS_PK_WRITE_C
+	select MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
+	select MBEDTLS_ENTROPY_C
+
+config HOSTAP_CRYPTO_ALT_PSA
+	bool "PSA Crypto support for WiFi WPA2 using nRF security"
+	select MBEDTLS
+	select NRF_SECURITY
+	select PSA_WANT_GENERATE_RANDOM
+	select MBEDTLS_PK_C
+	select MBEDTLS_MD_C
+	select MBEDTLS_PK_WRITE_C
+	select MBEDTLS_ENABLE_HEAP
+	select MBEDTLS_PSA_CRYPTO_C
+	select MBEDTLS_USE_PSA_CRYPTO
+	select PSA_WANT_ALG_HMAC
+	select PSA_WANT_ALG_CMAC
+	select PSA_WANT_ALG_ECB_NO_PADDING
+	select PSA_WANT_ALG_CBC_PKCS7
+	select PSA_ACCEL_CBC_MAC_AES_128
+	select PSA_ACCEL_CBC_MAC_AES_192
+	select PSA_ACCEL_CBC_MAC_AES_256
+	select PSA_WANT_ALG_CCM
+	select PSA_WANT_ALG_GCM
+	select PSA_WANT_ALG_CTR
+	select PSA_WANT_ALG_MD5
+	select PSA_ACCEL_MD5
+	select PSA_WANT_ALG_SHA_1
+	select PSA_WANT_ALG_SHA_256
+	select PSA_WANT_ALG_SHA_224
+	select PSA_WANT_ALG_SHA_384
+	select PSA_WANT_ALG_SHA_512
+	select PSA_WANT_ALG_PBKDF2_HMAC
+	select PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
+	select PSA_WANT_KEY_TYPE_AES
+	select PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
+
+endchoice
+
+# PSA crypto is WPA2 only for now
+if HOSTAP_CRYPTO_ALT_PSA
+	config WIFI_NM_WPA_SUPPLICANT_WPA3
+		default n
+	config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+		default n
+endif
+endif