wifi: hostap: Add a module to manage hostap crypto configuration

CODEOWNERS

@@ -678,8 +678,10 @@
 /subsys/net/lib/azure_*                   @nrfconnect/ncs-cia
 /subsys/net/lib/aws_*                     @nrfconnect/ncs-cia
 /subsys/net/lib/ftp_client/               @nrfconnect/ncs-iot-oulu
+/subsys/net/lib/hostap_crypto/            @krish2718 @jukkar @vivekuppunda
 /subsys/net/lib/icalendar_parser/         @lats1980
 /subsys/net/lib/lwm2m_client_utils/       @nrfconnect/ncs-co-networking @nrfconnect/ncs-iot-oulu
+/subsys/net/lib/nrf70_fw_ext/             @krish2718 @sachinthegreen
 /subsys/net/lib/nrf_cloud/                @nrfconnect/ncs-nrf-cloud
 /subsys/net/lib/nrf_provisioning/         @nrfconnect/ncs-iot-oulu
 /subsys/net/lib/zzhc/                     @junqingzou

subsys/net/lib/CMakeLists.txt

@@ -36,3 +36,4 @@ add_subdirectory_ifdef(CONFIG_MQTT_HELPER mqtt_helper)
 add_subdirectory_ifdef(CONFIG_NRF_PROVISIONING nrf_provisioning)
 add_subdirectory_ifdef(CONFIG_NRF_MCUMGR_SMP_CLIENT mcumgr_smp_client)
 add_subdirectory_ifdef(CONFIG_WIFI_NRF70 nrf70_fw_ext)
+add_subdirectory_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT hostap_crypto)

subsys/net/lib/Kconfig

@@ -48,5 +48,6 @@ rsource "mqtt_helper/Kconfig"
 rsource "nrf_provisioning/Kconfig"
 rsource "mcumgr_smp_client/Kconfig"
 rsource "nrf70_fw_ext/Kconfig"
+rsource "hostap_crypto/Kconfig"
 
 endmenu

subsys/net/lib/hostap_crypto/CMakeLists.txt

@@ -0,0 +1,130 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+zephyr_interface_library_named(hostap_crypto)
+
+set(HOSTAP_BASE ${ZEPHYR_HOSTAP_MODULE_DIR})
+set(WIFI_NM_WPA_SUPPLICANT_BASE ${HOSTAP_BASE}/wpa_supplicant)
+set(HOSTAP_SRC_BASE ${HOSTAP_BASE}/src)
+set(WIFI_NM_HOSTAPD_BASE ${HOSTAP_BASE}/hostapd)
+
+set(CMAKE_EXE_LINKER_FLAGS "--specs=nosys.specs -lnosys")
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DMISSING_SYSCALL_NAMES")
+
+# For src/utils includes
+target_link_libraries(hostap_crypto INTERFACE hostap)
+
+if(DEFINED CONFIG_HOSTAP_CRYPTO_LEGACY OR
+   DEFINED CONFIG_HOSTAP_CRYPTO_LEGACY_PSA)
+  zephyr_library_sources(
+    ${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls-bignum.c
+    ${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls-ec.c
+    ${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-internal.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-wrap.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-unwrap.c
+    ${HOSTAP_SRC_BASE}/crypto/rc4.c
+    ${HOSTAP_SRC_BASE}/crypto/sha1-internal.c
+    ${HOSTAP_SRC_BASE}/crypto/sha1-prf.c
+    ${HOSTAP_SRC_BASE}/crypto/sha1-tlsprf.c
+    ${HOSTAP_SRC_BASE}/crypto/sha256-prf.c
+    ${HOSTAP_SRC_BASE}/crypto/sha256-kdf.c
+    ${HOSTAP_SRC_BASE}/crypto/sha384-prf.c
+    ${HOSTAP_SRC_BASE}/crypto/sha384-kdf.c
+    ${HOSTAP_SRC_BASE}/crypto/sha512-internal.c
+    ${HOSTAP_SRC_BASE}/crypto/sha512.c
+    ${HOSTAP_SRC_BASE}/crypto/sha512-prf.c
+    ${HOSTAP_SRC_BASE}/crypto/sha512-kdf.c
+  )
+
+  zephyr_library_sources_ifdef(CONFIG_HOSTAP_WPA3
+    ${HOSTAP_SRC_BASE}/crypto/sha256-kdf.c
+  )
+
+  zephyr_library_sources_ifndef(CONFIG_HOSTAP_CRYPTO_ENTERPRISE
+    ${HOSTAP_SRC_BASE}/crypto/tls_none.c
+  )
+
+  zephyr_library_sources_ifdef(CONFIG_HOSTAP_CRYPTO_ENTERPRISE
+    # common
+    ${HOSTAP_SRC_BASE}/crypto/sha384-tlsprf.c
+    ${HOSTAP_SRC_BASE}/crypto/sha256-tlsprf.c
+    ${HOSTAP_SRC_BASE}/crypto/sha1-tlsprf.c
+    ${HOSTAP_SRC_BASE}/crypto/sha1-tprf.c
+    ${HOSTAP_SRC_BASE}/crypto/ms_funcs.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-eax.c
+    # MD4 removed from MbedTLS
+    ${HOSTAP_SRC_BASE}/crypto/md4-internal.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-encblock.c
+    ${HOSTAP_SRC_BASE}/crypto/tls_mbedtls.c
+  )
+endif()
+
+if(DEFINED CONFIG_HOSTAP_CRYPTO_ALT_LEGACY)
+  zephyr_include_directories(
+    ${HOSTAP_BASE}/port/mbedtls
+  )
+
+  zephyr_library_sources(
+    ${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls_alt.c
+    ${HOSTAP_SRC_BASE}/crypto/rc4.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-wrap.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-unwrap.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-internal-dec.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-internal.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-internal-enc.c
+  )
+
+  zephyr_library_sources_ifdef(CONFIG_HOSTAP_CRYPTO_MBEDTLS_PSA
+    ${HOSTAP_BASE}/port/mbedtls/supp_psa_api.c
+  )
+
+  zephyr_library_sources_ifdef(CONFIG_HOSTAP_CRYPTO_ENTERPRISE
+    ${HOSTAP_SRC_BASE}/crypto/ms_funcs.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-eax.c
+    ${HOSTAP_SRC_BASE}/crypto/md4-internal.c
+    ${HOSTAP_SRC_BASE}/crypto/sha1-internal.c
+    ${HOSTAP_SRC_BASE}/crypto/fips_prf_internal.c
+    ${HOSTAP_SRC_BASE}/crypto/milenage.c
+    ${HOSTAP_SRC_BASE}/crypto/tls_mbedtls_alt.c
+  )
+
+  zephyr_library_sources_ifndef(CONFIG_HOSTAP_CRYPTO_ENTERPRISE
+    ${HOSTAP_SRC_BASE}/crypto/tls_none.c
+  )
+
+
+  zephyr_library_sources_ifdef(CONFIG_HOSTAP_CRYPTO_TEST
+    ${HOSTAP_SRC_BASE}/crypto/crypto_module_tests.c
+    ${HOSTAP_SRC_BASE}/crypto/fips_prf_internal.c
+    ${HOSTAP_SRC_BASE}/crypto/sha1-internal.c
+    ${HOSTAP_SRC_BASE}/crypto/sha1-tlsprf.c
+  )
+endif()
+
+if(DEFINED CONFIG_HOSTAP_CRYPTO_ALT_PSA)
+  # Source code still uses the original symbol
+  zephyr_compile_definitions(
+    CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
+  )
+
+  zephyr_include_directories(
+    ${HOSTAP_BASE}/port/mbedtls
+  )
+
+  zephyr_library_sources(
+    ${HOSTAP_SRC_BASE}/crypto/aes-wrap.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-unwrap.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-internal-dec.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-internal.c
+    ${HOSTAP_SRC_BASE}/crypto/aes-internal-enc.c
+    ${HOSTAP_SRC_BASE}/crypto/rc4.c
+    ${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls_alt.c
+    ${HOSTAP_SRC_BASE}/crypto/sha256-kdf.c
+    ${HOSTAP_BASE}/port/mbedtls/supp_psa_api.c
+    ${HOSTAP_SRC_BASE}/crypto/tls_none.c
+  )
+endif()

subsys/net/lib/hostap_crypto/Kconfig

@@ -0,0 +1,151 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+if WIFI_NM_WPA_SUPPLICANT
+
+choice WIFI_NM_WPA_SUPPLICANT_CRYPTO_BACKEND
+	default WIFI_NM_WPA_SUPPLICANT_CRYPTO_EXT
+endchoice
+
+choice HOSTAP_CRYPTO_BACKEND
+	prompt "WPA supplicant crypto implementation"
+	default HOSTAP_CRYPTO_ALT_PSA if SOC_SERIES_NRF54HX
+	default HOSTAP_CRYPTO_LEGACY_PSA if SOC_SERIES_NRF54LX || BUILD_WITH_TFM
+	default HOSTAP_CRYPTO_ALT_LEGACY
+	help
+	  Select the crypto implementation to use for WPA supplicant.
+	  HOSTAP_CRYPTO_ALT supports enterprise mode
+	  and DPP.
+
+config HOSTAP_CRYPTO_LEGACY
+	bool "Legacy Crypto support for WiFi using nRF security"
+	select MBEDTLS
+	select NRF_SECURITY
+	select MBEDTLS_CIPHER_MODE_CBC
+	select MBEDTLS_CIPHER_MODE_CTR
+	select MBEDTLS_LEGACY_CRYPTO_C
+	select MBEDTLS_SHA1_C
+	select MBEDTLS_ECP_C
+	select MBEDTLS_CTR_DRBG_C
+	select MBEDTLS_PK_C
+	select MBEDTLS_PKCS5_C
+	select MBEDTLS_PK_PARSE_C
+	select MBEDTLS_CMAC_C
+	select MBEDTLS_CIPHER_PADDING_PKCS7
+	select MBEDTLS_PK_WRITE_C
+	select MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
+	select MBEDTLS_ECP_DP_SECP256R1_ENABLED
+
+config HOSTAP_CRYPTO_LEGACY_PSA
+	bool "PSA Crypto support for WiFi using nRF security"
+	select MBEDTLS
+	select NRF_SECURITY
+	select PSA_WANT_GENERATE_RANDOM
+	# Legacy crypto, still needed
+	select MBEDTLS_SHA1_C
+	select MBEDTLS_LEGACY_CRYPTO_C
+	select MBEDTLS_CMAC_C
+	select MBEDTLS_GCM_C
+	select MBEDTLS_TLS_LIBRARY
+	select MBEDTLS_PK_C
+	select MBEDTLS_PK_WRITE_C
+	select MBEDTLS_X509_LIBRARY
+	select MBEDTLS_X509_CRT_PARSE_C
+	select MBEDTLS_CIPHER_C
+	select MBEDTLS_CIPHER_MODE_CTR
+	select MBEDTLS_CIPHER_MODE_CBC
+	select MBEDTLS_SSL_TLS_C
+	select MBEDTLS_ECP_C
+	select MBEDTLS_CTR_DRBG_C
+	select MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
+	select MBEDTLS_MD_C
+	select MBEDTLS_CIPHER_PADDING_PKCS7
+	select MBEDTLS_PKCS5_C
+	select MBEDTLS_ECP_DP_SECP256R1_ENABLED
+
+config HOSTAP_CRYPTO_ALT_LEGACY
+	bool "Legacy Crypto support for WiFi using nRF security"
+	select MBEDTLS
+	select NRF_SECURITY
+	select MBEDTLS_CIPHER_MODE_CBC
+	select MBEDTLS_CIPHER_MODE_CTR
+	select MBEDTLS_LEGACY_CRYPTO_C
+	select MBEDTLS_ENTROPY_C
+	select MBEDTLS_CIPHER
+	select MBEDTLS_ECP_C
+	select MBEDTLS_CTR_DRBG_C
+	select MBEDTLS_PK_WRITE_C
+	select MBEDTLS_HKDF_C
+	select MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
+	select MBEDTLS_MD_C
+	select MBEDTLS_MD5_C
+	select MBEDTLS_ENTROPY_C
+	select MBEDTLS_CIPHER_PADDING_PKCS7
+	select MBEDTLS_PKCS5_C
+
+config HOSTAP_CRYPTO_ALT_LEGACY_PSA
+	bool "Legacy Crypto support for WiFi using nRF security"
+	select MBEDTLS
+	select NRF_SECURITY
+	select PSA_WANT_GENERATE_RANDOM
+	select MBEDTLS_CIPHER_MODE_CBC
+	select MBEDTLS_CIPHER_MODE_CTR
+	select MBEDTLS_LEGACY_CRYPTO_C
+	select MBEDTLS_SHA1_C
+	select MBEDTLS_ECP_C
+	select MBEDTLS_CTR_DRBG_C
+	select MBEDTLS_PK_C
+	select MBEDTLS_PKCS5_C
+	select MBEDTLS_PK_PARSE_C
+	select MBEDTLS_CMAC_C
+	select MBEDTLS_CIPHER_PADDING_PKCS7
+	select MBEDTLS_PK_WRITE_C
+	select MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
+	select MBEDTLS_ENTROPY_C
+
+config HOSTAP_CRYPTO_ALT_PSA
+	bool "PSA Crypto support for WiFi WPA2 using nRF security"
+	select MBEDTLS
+	select NRF_SECURITY
+	select PSA_WANT_GENERATE_RANDOM
+	select MBEDTLS_PK_C
+	select MBEDTLS_MD_C
+	select MBEDTLS_PK_WRITE_C
+	select MBEDTLS_ENABLE_HEAP
+	select MBEDTLS_PSA_CRYPTO_C
+	select MBEDTLS_USE_PSA_CRYPTO
+	select PSA_WANT_ALG_HMAC
+	select PSA_WANT_ALG_CMAC
+	select PSA_WANT_ALG_ECB_NO_PADDING
+	select PSA_WANT_ALG_CBC_PKCS7
+	select PSA_ACCEL_CBC_MAC_AES_128
+	select PSA_ACCEL_CBC_MAC_AES_192
+	select PSA_ACCEL_CBC_MAC_AES_256
+	select PSA_WANT_ALG_CCM
+	select PSA_WANT_ALG_GCM
+	select PSA_WANT_ALG_CTR
+	select PSA_WANT_ALG_MD5
+	select PSA_ACCEL_MD5
+	select PSA_WANT_ALG_SHA_1
+	select PSA_WANT_ALG_SHA_256
+	select PSA_WANT_ALG_SHA_224
+	select PSA_WANT_ALG_SHA_384
+	select PSA_WANT_ALG_SHA_512
+	select PSA_WANT_ALG_PBKDF2_HMAC
+	select PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
+	select PSA_WANT_KEY_TYPE_AES
+	select PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
+
+endchoice
+
+# PSA crypto is WPA2 only for now
+if HOSTAP_CRYPTO_ALT_PSA
+	config WIFI_NM_WPA_SUPPLICANT_WPA3
+		default n
+	config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+		default n
+endif
+endif

west.yml

@@ -69,7 +69,7 @@ manifest:
     # https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/guides/modules.html
     - name: zephyr
       repo-path: sdk-zephyr
-      revision: b4762701d5b8d1a2e6924a21cbbe64e8fdebb1eb
+      revision: 53f5e6dae760d95db2dcb5efac83b83023484043
       import:
         # In addition to the zephyr repository itself, NCS also
         # imports the contents of zephyr/west.yml at the above