diff --git a/CODEOWNERS b/CODEOWNERS
index 28be5ff5f161..6936a75e3ece 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -678,8 +678,10 @@
 /subsys/net/lib/azure_* @nrfconnect/ncs-cia
 /subsys/net/lib/aws_* @nrfconnect/ncs-cia
 /subsys/net/lib/ftp_client/ @nrfconnect/ncs-iot-oulu
+/subsys/net/lib/hostap_crypto/ @krish2718 @jukkar @vivekuppunda
 /subsys/net/lib/icalendar_parser/ @lats1980
 /subsys/net/lib/lwm2m_client_utils/ @nrfconnect/ncs-co-networking @nrfconnect/ncs-iot-oulu
+/subsys/net/lib/nrf70_fw_ext/ @krish2718 @sachinthegreen
 /subsys/net/lib/nrf_cloud/ @nrfconnect/ncs-nrf-cloud
 /subsys/net/lib/nrf_provisioning/ @nrfconnect/ncs-iot-oulu
 /subsys/net/lib/zzhc/ @junqingzou
diff --git a/subsys/net/lib/CMakeLists.txt b/subsys/net/lib/CMakeLists.txt
index c58764ef3835..7f91ddd25d50 100644
--- a/subsys/net/lib/CMakeLists.txt
+++ b/subsys/net/lib/CMakeLists.txt
@@ -36,3 +36,4 @@ add_subdirectory_ifdef(CONFIG_MQTT_HELPER mqtt_helper)
 add_subdirectory_ifdef(CONFIG_NRF_PROVISIONING nrf_provisioning)
 add_subdirectory_ifdef(CONFIG_NRF_MCUMGR_SMP_CLIENT mcumgr_smp_client)
 add_subdirectory_ifdef(CONFIG_WIFI_NRF70 nrf70_fw_ext)
+add_subdirectory_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT hostap_crypto)
diff --git a/subsys/net/lib/Kconfig b/subsys/net/lib/Kconfig
index 6a653344a719..fe65e6400022 100644
--- a/subsys/net/lib/Kconfig
+++ b/subsys/net/lib/Kconfig
@@ -48,5 +48,6 @@ rsource "mqtt_helper/Kconfig"
 rsource "nrf_provisioning/Kconfig"
 rsource "mcumgr_smp_client/Kconfig"
 rsource "nrf70_fw_ext/Kconfig"
+rsource "hostap_crypto/Kconfig"
 endmenu
diff --git a/subsys/net/lib/hostap_crypto/CMakeLists.txt b/subsys/net/lib/hostap_crypto/CMakeLists.txt
new file mode 100644
index 000000000000..6450265fca0d
--- /dev/null
+++ b/subsys/net/lib/hostap_crypto/CMakeLists.txt
@@ -0,0 +1,130 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+zephyr_interface_library_named(hostap_crypto)
+
+set(HOSTAP_BASE ${ZEPHYR_HOSTAP_MODULE_DIR})
+set(WIFI_NM_WPA_SUPPLICANT_BASE ${HOSTAP_BASE}/wpa_supplicant)
+set(HOSTAP_SRC_BASE ${HOSTAP_BASE}/src)
+set(WIFI_NM_HOSTAPD_BASE ${HOSTAP_BASE}/hostapd)
+
+set(CMAKE_EXE_LINKER_FLAGS "--specs=nosys.specs -lnosys")
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DMISSING_SYSCALL_NAMES")
+
+# For src/utils includes
+target_link_libraries(hostap_crypto INTERFACE hostap)
+
+if(DEFINED CONFIG_HOSTAP_CRYPTO_LEGACY OR
+ DEFINED CONFIG_HOSTAP_CRYPTO_LEGACY_PSA)
+ zephyr_library_sources(
+ ${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls-bignum.c
+ ${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls-ec.c
+ ${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls.c
+ ${HOSTAP_SRC_BASE}/crypto/aes-internal.c
+ ${HOSTAP_SRC_BASE}/crypto/aes-wrap.c
+ ${HOSTAP_SRC_BASE}/crypto/aes-unwrap.c
+ ${HOSTAP_SRC_BASE}/crypto/rc4.c
+ ${HOSTAP_SRC_BASE}/crypto/sha1-internal.c
+ ${HOSTAP_SRC_BASE}/crypto/sha1-prf.c
+ ${HOSTAP_SRC_BASE}/crypto/sha1-tlsprf.c
+ ${HOSTAP_SRC_BASE}/crypto/sha256-prf.c
+ ${HOSTAP_SRC_BASE}/crypto/sha256-kdf.c
+ ${HOSTAP_SRC_BASE}/crypto/sha384-prf.c
+ ${HOSTAP_SRC_BASE}/crypto/sha384-kdf.c
+ ${HOSTAP_SRC_BASE}/crypto/sha512-internal.c
+ ${HOSTAP_SRC_BASE}/crypto/sha512.c
+ ${HOSTAP_SRC_BASE}/crypto/sha512-prf.c
+ ${HOSTAP_SRC_BASE}/crypto/sha512-kdf.c
+ )
+
+ zephyr_library_sources_ifdef(CONFIG_HOSTAP_WPA3
+ ${HOSTAP_SRC_BASE}/crypto/sha256-kdf.c
+ )
+
+ zephyr_library_sources_ifndef(CONFIG_HOSTAP_CRYPTO_ENTERPRISE
+ ${HOSTAP_SRC_BASE}/crypto/tls_none.c
+ )
+
+ zephyr_library_sources_ifdef(CONFIG_HOSTAP_CRYPTO_ENTERPRISE
+ # common
+ ${HOSTAP_SRC_BASE}/crypto/sha384-tlsprf.c
+ ${HOSTAP_SRC_BASE}/crypto/sha256-tlsprf.c
+ ${HOSTAP_SRC_BASE}/crypto/sha1-tlsprf.c
+ ${HOSTAP_SRC_BASE}/crypto/sha1-tprf.c
+ ${HOSTAP_SRC_BASE}/crypto/ms_funcs.c
+ ${HOSTAP_SRC_BASE}/crypto/aes-eax.c
+ # MD4 removed from MbedTLS
+ ${HOSTAP_SRC_BASE}/crypto/md4-internal.c
+ ${HOSTAP_SRC_BASE}/crypto/aes-encblock.c
+ ${HOSTAP_SRC_BASE}/crypto/tls_mbedtls.c
+ )
+endif()
+
+if(DEFINED CONFIG_HOSTAP_CRYPTO_ALT_LEGACY)
+ zephyr_include_directories(
+ ${HOSTAP_BASE}/port/mbedtls
+ )
+
+ zephyr_library_sources(
+ ${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls_alt.c
+ ${HOSTAP_SRC_BASE}/crypto/rc4.c
+ ${HOSTAP_SRC_BASE}/crypto/aes-wrap.c
+ ${HOSTAP_SRC_BASE}/crypto/aes-unwrap.c
+ ${HOSTAP_SRC_BASE}/crypto/aes-internal-dec.c
+ ${HOSTAP_SRC_BASE}/crypto/aes-internal.c
+ ${HOSTAP_SRC_BASE}/crypto/aes-internal-enc.c
+ )
+
+ zephyr_library_sources_ifdef(CONFIG_HOSTAP_CRYPTO_MBEDTLS_PSA
+ ${HOSTAP_BASE}/port/mbedtls/supp_psa_api.c
+ )
+
+ zephyr_library_sources_ifdef(CONFIG_HOSTAP_CRYPTO_ENTERPRISE
+ ${HOSTAP_SRC_BASE}/crypto/ms_funcs.c
+ ${HOSTAP_SRC_BASE}/crypto/aes-eax.c
+ ${HOSTAP_SRC_BASE}/crypto/md4-internal.c
+ ${HOSTAP_SRC_BASE}/crypto/sha1-internal.c
+ ${HOSTAP_SRC_BASE}/crypto/fips_prf_internal.c
+ ${HOSTAP_SRC_BASE}/crypto/milenage.c
+ ${HOSTAP_SRC_BASE}/crypto/tls_mbedtls_alt.c
+ )
+
+ zephyr_library_sources_ifndef(CONFIG_HOSTAP_CRYPTO_ENTERPRISE
+ ${HOSTAP_SRC_BASE}/crypto/tls_none.c
+ )
+
+
+ zephyr_library_sources_ifdef(CONFIG_HOSTAP_CRYPTO_TEST
+ ${HOSTAP_SRC_BASE}/crypto/crypto_module_tests.c
+ ${HOSTAP_SRC_BASE}/crypto/fips_prf_internal.c
+ ${HOSTAP_SRC_BASE}/crypto/sha1-internal.c
+ ${HOSTAP_SRC_BASE}/crypto/sha1-tlsprf.c
+ )
+endif()
+
+if(DEFINED CONFIG_HOSTAP_CRYPTO_ALT_PSA)
+ # Source code still uses the original symbol
+ zephyr_compile_definitions(
+ CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
+ )
+
+ zephyr_include_directories(
+ ${HOSTAP_BASE}/port/mbedtls
+ )
+
+ zephyr_library_sources(
+ ${HOSTAP_SRC_BASE}/crypto/aes-wrap.c
+ ${HOSTAP_SRC_BASE}/crypto/aes-unwrap.c
+ ${HOSTAP_SRC_BASE}/crypto/aes-internal-dec.c
+ ${HOSTAP_SRC_BASE}/crypto/aes-internal.c
+ ${HOSTAP_SRC_BASE}/crypto/aes-internal-enc.c
+ ${HOSTAP_SRC_BASE}/crypto/rc4.c
+ ${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls_alt.c
+ ${HOSTAP_SRC_BASE}/crypto/sha256-kdf.c
+ ${HOSTAP_BASE}/port/mbedtls/supp_psa_api.c
+ ${HOSTAP_SRC_BASE}/crypto/tls_none.c
+ )
+endif()
diff --git a/subsys/net/lib/hostap_crypto/Kconfig b/subsys/net/lib/hostap_crypto/Kconfig
new file mode 100644
index 000000000000..c262052a3384
--- /dev/null
+++ b/subsys/net/lib/hostap_crypto/Kconfig
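Review bot: In subsys/net/lib/hostap_crypto/CMakeLists.txt the optional source lists are gated on `CONFIG_HOSTAP_CRYPTO_ENTERPRISE`, `CONFIG_HOSTAP_WPA3`, `CONFIG_HOSTAP_CRYPTO_MBEDTLS_PSA` and `CONFIG_HOSTAP_CRYPTO_TEST`, none of which is defined by the Kconfig this commit adds; that file only touches `WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE` and `WIFI_NM_WPA_SUPPLICANT_WPA3`. Unless those symbols are defined elsewhere, every `_ifdef` list is skipped and `tls_none.c` is always built, so an enterprise configuration would presumably end up with the no-TLS stub without any configure-time error; gating on the names the Kconfig does use, e.g. `zephyr_library_sources_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE`, would avoid that. `set(CMAKE_EXE_LINKER_FLAGS "--specs=nosys.specs -lnosys")` replaces the variable instead of appending to it, which would drop any linker flags already set for this scope. `rc4.c` is listed in all three backend branches without explanation; a comment in the style of the existing `# MD4 removed from MbedTLS`, naming the protocol path that still needs it, would let a reader judge whether it can be made conditional.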
@@ -0,0 +1,151 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+if WIFI_NM_WPA_SUPPLICANT
+
+choice WIFI_NM_WPA_SUPPLICANT_CRYPTO_BACKEND
+ default WIFI_NM_WPA_SUPPLICANT_CRYPTO_EXT
+endchoice
+
+choice HOSTAP_CRYPTO_BACKEND
+ prompt "WPA supplicant crypto implementation"
+ default HOSTAP_CRYPTO_ALT_PSA if SOC_SERIES_NRF54HX
+ default HOSTAP_CRYPTO_LEGACY_PSA if SOC_SERIES_NRF54LX || BUILD_WITH_TFM
+ default HOSTAP_CRYPTO_ALT_LEGACY
+ help
+ Select the crypto implementation to use for WPA supplicant.
+ HOSTAP_CRYPTO_ALT supports enterprise mode
+ and DPP.
+
+config HOSTAP_CRYPTO_LEGACY
+ bool "Legacy Crypto support for WiFi using nRF security"
+ select MBEDTLS
+ select NRF_SECURITY
+ select MBEDTLS_CIPHER_MODE_CBC
+ select MBEDTLS_CIPHER_MODE_CTR
+ select MBEDTLS_LEGACY_CRYPTO_C
+ select MBEDTLS_SHA1_C
+ select MBEDTLS_ECP_C
+ select MBEDTLS_CTR_DRBG_C
+ select MBEDTLS_PK_C
+ select MBEDTLS_PKCS5_C
+ select MBEDTLS_PK_PARSE_C
+ select MBEDTLS_CMAC_C
+ select MBEDTLS_CIPHER_PADDING_PKCS7
+ select MBEDTLS_PK_WRITE_C
+ select MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
+ select MBEDTLS_ECP_DP_SECP256R1_ENABLED
+
+config HOSTAP_CRYPTO_LEGACY_PSA
+ bool "PSA Crypto support for WiFi using nRF security"
+ select MBEDTLS
+ select NRF_SECURITY
+ select PSA_WANT_GENERATE_RANDOM
+ # Legacy crypto, still needed
+ select MBEDTLS_SHA1_C
+ select MBEDTLS_LEGACY_CRYPTO_C
+ select MBEDTLS_CMAC_C
+ select MBEDTLS_GCM_C
+ select MBEDTLS_TLS_LIBRARY
+ select MBEDTLS_PK_C
+ select MBEDTLS_PK_WRITE_C
+ select MBEDTLS_X509_LIBRARY
+ select MBEDTLS_X509_CRT_PARSE_C
+ select MBEDTLS_CIPHER_C
+ select MBEDTLS_CIPHER_MODE_CTR
+ select MBEDTLS_CIPHER_MODE_CBC
+ select MBEDTLS_SSL_TLS_C
+ select MBEDTLS_ECP_C
+ select MBEDTLS_CTR_DRBG_C
+ select MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
+ select MBEDTLS_MD_C
+ select MBEDTLS_CIPHER_PADDING_PKCS7
+ select MBEDTLS_PKCS5_C
+ select MBEDTLS_ECP_DP_SECP256R1_ENABLED
+
+config HOSTAP_CRYPTO_ALT_LEGACY
+ bool "Legacy Crypto support for WiFi using nRF security"
+ select MBEDTLS
+ select NRF_SECURITY
+ select MBEDTLS_CIPHER_MODE_CBC
+ select MBEDTLS_CIPHER_MODE_CTR
+ select MBEDTLS_LEGACY_CRYPTO_C
+ select MBEDTLS_ENTROPY_C
+ select MBEDTLS_CIPHER
+ select MBEDTLS_ECP_C
+ select MBEDTLS_CTR_DRBG_C
+ select MBEDTLS_PK_WRITE_C
+ select MBEDTLS_HKDF_C
+ select MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
+ select MBEDTLS_MD_C
+ select MBEDTLS_MD5_C
+ select MBEDTLS_ENTROPY_C
+ select MBEDTLS_CIPHER_PADDING_PKCS7
+ select MBEDTLS_PKCS5_C
+
+config HOSTAP_CRYPTO_ALT_LEGACY_PSA
+ bool "Legacy Crypto support for WiFi using nRF security"
+ select MBEDTLS
+ select NRF_SECURITY
+ select PSA_WANT_GENERATE_RANDOM
+ select MBEDTLS_CIPHER_MODE_CBC
+ select MBEDTLS_CIPHER_MODE_CTR
+ select MBEDTLS_LEGACY_CRYPTO_C
+ select MBEDTLS_SHA1_C
+ select MBEDTLS_ECP_C
+ select MBEDTLS_CTR_DRBG_C
+ select MBEDTLS_PK_C
+ select MBEDTLS_PKCS5_C
+ select MBEDTLS_PK_PARSE_C
+ select MBEDTLS_CMAC_C
+ select MBEDTLS_CIPHER_PADDING_PKCS7
+ select MBEDTLS_PK_WRITE_C
+ select MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
+ select MBEDTLS_ENTROPY_C
+
+config HOSTAP_CRYPTO_ALT_PSA
+ bool "PSA Crypto support for WiFi WPA2 using nRF security"
+ select MBEDTLS
+ select NRF_SECURITY
+ select PSA_WANT_GENERATE_RANDOM
+ select MBEDTLS_PK_C
+ select MBEDTLS_MD_C
+ select MBEDTLS_PK_WRITE_C
+ select MBEDTLS_ENABLE_HEAP
+ select MBEDTLS_PSA_CRYPTO_C
+ select MBEDTLS_USE_PSA_CRYPTO
+ select PSA_WANT_ALG_HMAC
+ select PSA_WANT_ALG_CMAC
+ select PSA_WANT_ALG_ECB_NO_PADDING
+ select PSA_WANT_ALG_CBC_PKCS7
+ select PSA_ACCEL_CBC_MAC_AES_128
+ select PSA_ACCEL_CBC_MAC_AES_192
+ select PSA_ACCEL_CBC_MAC_AES_256
+ select PSA_WANT_ALG_CCM
+ select PSA_WANT_ALG_GCM
+ select PSA_WANT_ALG_CTR
+ select PSA_WANT_ALG_MD5
+ select PSA_ACCEL_MD5
+ select PSA_WANT_ALG_SHA_1
+ select PSA_WANT_ALG_SHA_256
+ select PSA_WANT_ALG_SHA_224
+ select PSA_WANT_ALG_SHA_384
+ select PSA_WANT_ALG_SHA_512
+ select PSA_WANT_ALG_PBKDF2_HMAC
+ select PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
+ select PSA_WANT_KEY_TYPE_AES
+ select PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
+
+endchoice
+
+# PSA crypto is WPA2 only for now
+if HOSTAP_CRYPTO_ALT_PSA
+ config WIFI_NM_WPA_SUPPLICANT_WPA3
+ default n
+ config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+ default n
+endif
+endif
diff --git a/west.yml b/west.yml
index 71a931e50604..90aa67309322 100644
--- a/west.yml
+++ b/west.yml
@@ -69,7 +69,7 @@ manifest:
 # https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/guides/modules.html
 - name: zephyr
 repo-path: sdk-zephyr
- revision: b4762701d5b8d1a2e6924a21cbbe64e8fdebb1eb
+ revision: 53f5e6dae760d95db2dcb5efac83b83023484043
 import:
 # In addition to the zephyr repository itself, NCS also
 # imports the contents of zephyr/west.yml at the above
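Review bot: The closing `if HOSTAP_CRYPTO_ALT_PSA` block in subsys/net/lib/hostap_crypto/Kconfig only sets `default n` on `WIFI_NM_WPA_SUPPLICANT_WPA3` and `WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE`, so "WPA2 only" is a default that a project configuration can still override, not an enforced constraint, while `HOSTAP_CRYPTO_ALT_PSA` is the default backend on `SOC_SERIES_NRF54HX`. A `help` entry on `HOSTAP_CRYPTO_ALT_PSA` along the lines of `WPA2 only for now; WPA3 and enterprise mode are not supported with this backend.` would make the reduced security level visible where the backend is chosen. `HOSTAP_CRYPTO_ALT_LEGACY_PSA` is selectable, but the CMakeLists.txt added in this commit has no branch for it, and it shares the prompt "Legacy Crypto support for WiFi using nRF security" with `HOSTAP_CRYPTO_LEGACY` and `HOSTAP_CRYPTO_ALT_LEGACY`, so the three entries cannot be told apart in menuconfig. `select MBEDTLS_KEY_EXCHANGE_ALL_ENABLED` is pulled in by every legacy backend, including builds that compile `tls_none.c`; a comment saying which key exchanges are actually needed would help keep the enabled TLS surface minimal. `select MBEDTLS_ENTROPY_C` appears twice under `HOSTAP_CRYPTO_ALT_LEGACY`.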