zephyrproject-rtos · nashif · Jun 7, 2024 · May 29, 2024 · May 29, 2024 · May 29, 2024
diff --git a/modules/hostap/CMakeLists.txt b/modules/hostap/CMakeLists.txt
@@ -25,7 +25,6 @@ zephyr_library_compile_definitions(
 	TLS_DEFAULT_CIPHERS=\""DEFAULT:!EXP:!LOW"\"
 	CONFIG_SME
 	CONFIG_NO_CONFIG_WRITE
-	CONFIG_NO_CONFIG_BLOBS
 	CONFIG_CTRL_IFACE
 	CONFIG_NO_RANDOM_POOL
 	CONFIG_SHA256
@@ -76,10 +75,6 @@ zephyr_library_include_directories(
 	${ZEPHYR_BASE}/include/net
 	)
 
-zephyr_library_compile_definitions_ifndef(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO
-	CONFIG_NO_PBKDF2
-)
-
 zephyr_library_compile_definitions_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_NO_DEBUG
 	CONFIG_NO_STDOUT_DEBUG
 )
@@ -225,25 +220,13 @@ zephyr_library_sources_ifndef(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
 	${HOSTAP_SRC_BASE}/rsn_supp/wpa.c
 	${HOSTAP_SRC_BASE}/rsn_supp/preauth.c
 	${HOSTAP_SRC_BASE}/rsn_supp/wpa_ie.c
-	${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls-bignum.c
-	${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls-ec.c
-	${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls.c
-	${HOSTAP_SRC_BASE}/crypto/tls_mbedtls.c
-	${HOSTAP_SRC_BASE}/crypto/aes-wrap.c
-	${HOSTAP_SRC_BASE}/crypto/aes-unwrap.c
-	${HOSTAP_SRC_BASE}/crypto/rc4.c
-	${HOSTAP_SRC_BASE}/crypto/sha1-prf.c
-	${HOSTAP_SRC_BASE}/crypto/sha256-prf.c
-	${HOSTAP_SRC_BASE}/crypto/sha256-prf.c
-	${HOSTAP_SRC_BASE}/crypto/sha384-prf.c
 )
 
 zephyr_library_sources_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_WPA3
 	${HOSTAP_SRC_BASE}/common/sae.c
 	${HOSTAP_SRC_BASE}/common/dragonfly.c
 
 	${HOSTAP_SRC_BASE}/crypto/dh_groups.c
-	${HOSTAP_SRC_BASE}/crypto/sha256-kdf.c
 )
 
 zephyr_library_compile_definitions_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_WPA3
@@ -255,9 +238,6 @@ zephyr_library_include_directories_ifndef(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_N
 	${CMAKE_SOURCE_DIR}
 )
 
-zephyr_library_link_libraries_ifndef(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
-	mbedTLS)
-
 zephyr_library_sources_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_P2P
 	${WIFI_NM_WPA_SUPPLICANT_BASE}/p2p_supplicant.c
 	${WIFI_NM_WPA_SUPPLICANT_BASE}/p2p_supplicant_sd.c
@@ -305,28 +285,10 @@ zephyr_library_compile_definitions_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_WPS
 	EAP_WSC
 )
 
-zephyr_library_sources_ifndef(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
-	${HOSTAP_SRC_BASE}/common/wpa_common.c
-	${HOSTAP_SRC_BASE}/rsn_supp/wpa.c
-	${HOSTAP_SRC_BASE}/rsn_supp/preauth.c
-	${HOSTAP_SRC_BASE}/rsn_supp/wpa_ie.c
-
-	${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls-bignum.c
-	${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls-ec.c
-	${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls.c
-	${HOSTAP_SRC_BASE}/crypto/aes-wrap.c
-	${HOSTAP_SRC_BASE}/crypto/aes-unwrap.c
-	${HOSTAP_SRC_BASE}/crypto/rc4.c
-	${HOSTAP_SRC_BASE}/crypto/sha1-prf.c
-	${HOSTAP_SRC_BASE}/crypto/sha256-prf.c
-	${HOSTAP_SRC_BASE}/crypto/sha256-prf.c
-	${HOSTAP_SRC_BASE}/crypto/sha384-prf.c
-)
-
 zephyr_library_sources_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
-	${HOSTAP_SRC_BASE}/crypto/tls_mbedtls.c
 	${HOSTAP_SRC_BASE}/eap_peer/eap_tls.c
 	${HOSTAP_SRC_BASE}/eap_peer/eap_tls_common.c
+	${HOSTAP_SRC_BASE}/eap_common/eap_common.c
 
 	${HOSTAP_SRC_BASE}/eap_peer/eap_peap.c
 	${HOSTAP_SRC_BASE}/eap_common/eap_peap_common.c
@@ -364,17 +326,10 @@ zephyr_library_sources_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
 	${HOSTAP_SRC_BASE}/eap_common/eap_ikev2_common.c
 	${HOSTAP_SRC_BASE}/eap_common/ikev2_common.c
 
-	# common
-	${HOSTAP_SRC_BASE}/crypto/sha384-tlsprf.c
-	${HOSTAP_SRC_BASE}/crypto/sha256-tlsprf.c
-	${HOSTAP_SRC_BASE}/crypto/sha1-tlsprf.c
-	${HOSTAP_SRC_BASE}/crypto/sha1-tprf.c
-	${HOSTAP_SRC_BASE}/crypto/ms_funcs.c
-	${HOSTAP_SRC_BASE}/crypto/aes-eax.c
-	# MD4 removed from MbedTLS
-	${HOSTAP_SRC_BASE}/crypto/md4-internal
-	${HOSTAP_SRC_BASE}/crypto/aes-encblock.c
+	${HOSTAP_SRC_BASE}/eap_peer/eap_sim.c
+	${HOSTAP_SRC_BASE}/eap_common/eap_sim_common.c
 
+	${HOSTAP_SRC_BASE}/eap_peer/eap_aka.c
 )
 
 zephyr_library_compile_definitions_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
@@ -410,4 +365,101 @@ zephyr_library_compile_definitions_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_EAPOL
 zephyr_library_compile_definitions_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_NW_SEL_RELIABILITY
 	CONFIG_NW_SEL_RELIABILITY
 )
+
+zephyr_library_sources_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_DPP
+	${WIFI_NM_WPA_SUPPLICANT_BASE}/dpp_supplicant.c
+	${WIFI_NM_WPA_SUPPLICANT_BASE}/offchannel.c
+	${WIFI_NM_WPA_SUPPLICANT_BASE}/gas_query.c
+
+	${HOSTAP_SRC_BASE}/ap/dpp_hostapd.c
+	${HOSTAP_SRC_BASE}/ap/gas_query_ap.c
+	${HOSTAP_SRC_BASE}/ap/gas_serv.c
+
+	${HOSTAP_SRC_BASE}/common/dpp_tcp.c
+	${HOSTAP_SRC_BASE}/common/dpp.c
+	${HOSTAP_SRC_BASE}/common/dpp_pkex.c
+	${HOSTAP_SRC_BASE}/common/dpp_crypto.c
+	${HOSTAP_SRC_BASE}/common/dpp_auth.c
+	${HOSTAP_SRC_BASE}/common/dpp_reconfig.c
+	${HOSTAP_SRC_BASE}/common/gas_server.c
+	${HOSTAP_SRC_BASE}/common/gas.c
+	${HOSTAP_SRC_BASE}/common/dpp_backup.c
+
+	${HOSTAP_SRC_BASE}/crypto/aes-siv.c
+
+	${HOSTAP_SRC_BASE}/utils/json.c
+	${HOSTAP_SRC_BASE}/utils/ip_addr.c
+
+	${HOSTAP_SRC_BASE}/tls/asn1.c
+)
+
+# crypto mbedtls related
+if(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO)
+zephyr_library_sources(
+	${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls-bignum.c
+	${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls-ec.c
+	${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls.c
+	${HOSTAP_SRC_BASE}/crypto/tls_mbedtls.c
+	${HOSTAP_SRC_BASE}/crypto/aes-internal.c
+	${HOSTAP_SRC_BASE}/crypto/aes-wrap.c
+	${HOSTAP_SRC_BASE}/crypto/aes-unwrap.c
+	${HOSTAP_SRC_BASE}/crypto/rc4.c
+	${HOSTAP_SRC_BASE}/crypto/sha1-internal.c
+	${HOSTAP_SRC_BASE}/crypto/sha1-prf.c
+	${HOSTAP_SRC_BASE}/crypto/sha1-tlsprf.c
+	${HOSTAP_SRC_BASE}/crypto/sha256-prf.c
+	${HOSTAP_SRC_BASE}/crypto/sha256-kdf.c
+	${HOSTAP_SRC_BASE}/crypto/sha384-prf.c
+	${HOSTAP_SRC_BASE}/crypto/sha384-kdf.c
+	${HOSTAP_SRC_BASE}/crypto/sha512-internal.c
+	${HOSTAP_SRC_BASE}/crypto/sha512.c
+	${HOSTAP_SRC_BASE}/crypto/sha512-prf.c
+	${HOSTAP_SRC_BASE}/crypto/sha512-kdf.c
+)
+
+zephyr_library_sources_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_WPA3
+	${HOSTAP_SRC_BASE}/crypto/sha256-kdf.c
+)
+
+zephyr_library_sources_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+	# common
+	${HOSTAP_SRC_BASE}/crypto/sha384-tlsprf.c
+	${HOSTAP_SRC_BASE}/crypto/sha256-tlsprf.c
+	${HOSTAP_SRC_BASE}/crypto/sha1-tlsprf.c
+	${HOSTAP_SRC_BASE}/crypto/sha1-tprf.c
+	${HOSTAP_SRC_BASE}/crypto/ms_funcs.c
+	${HOSTAP_SRC_BASE}/crypto/aes-eax.c
+	# MD4 removed from MbedTLS
+	${HOSTAP_SRC_BASE}/crypto/md4-internal.c
+	${HOSTAP_SRC_BASE}/crypto/aes-encblock.c
+)
+endif()
+
+if(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT)
+zephyr_include_directories(
+	${HOSTAP_BASE}/port/mbedtls
+)
+
+zephyr_library_sources(
+	${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls_alt.c
+	${HOSTAP_SRC_BASE}/crypto/tls_mbedtls_alt.c
+	${HOSTAP_SRC_BASE}/crypto/rc4.c
+)
+
+zephyr_library_sources_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
+	${HOSTAP_BASE}/port/mbedtls/supp_psa_api.c
+)
+
+zephyr_library_sources_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+	${HOSTAP_SRC_BASE}/crypto/ms_funcs.c
+	${HOSTAP_SRC_BASE}/crypto/aes-eax.c
+	${HOSTAP_SRC_BASE}/crypto/md4-internal.c
+	${HOSTAP_SRC_BASE}/crypto/fips_prf_internal.c
+	${HOSTAP_SRC_BASE}/crypto/milenage.c
+)
+endif()
+
+zephyr_library_link_libraries_ifndef(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
+	mbedTLS)
+
 endif()
diff --git a/modules/hostap/Kconfig b/modules/hostap/Kconfig
@@ -106,6 +106,8 @@ choice WIFI_NM_WPA_SUPPLICANT_CRYPTO_BACKEND
 	default WIFI_NM_WPA_SUPPLICANT_CRYPTO
 	help
 	  Select the crypto implementation to use for WPA supplicant.
+	  WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT support enterprise
+	  and DPP. And use Mbedtls PSA apis for HW acceleration.
 
 config WIFI_NM_WPA_SUPPLICANT_CRYPTO
 	bool "Crypto support for WiFi"
@@ -125,11 +127,37 @@ config WIFI_NM_WPA_SUPPLICANT_CRYPTO
 	select MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
 	select MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
 
+config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT
+	bool "Crypto Mbedtls alt support for WiFi"
+	select MBEDTLS
+	select MBEDTLS_CIPHER_MODE_CTR_ENABLED
+	select MBEDTLS_CIPHER_MODE_CBC_ENABLED
+	select MBEDTLS_ECP_C
+	select MBEDTLS_ECP_ALL_ENABLED
+	select MBEDTLS_CMAC
+	select MBEDTLS_PKCS5_C
+	select MBEDTLS_PK_WRITE_C
+	select MBEDTLS_ECDH_C
+	select MBEDTLS_ECDSA_C
+	select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+	select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+	select MBEDTLS_NIST_KW_C
+	select MBEDTLS_DHM_C
+	select MBEDTLS_HKDF_C
+	select MBEDTLS_SERVER_NAME_INDICATION
+	select MBEDTLS_X509_CRL_PARSE_C
+
 config WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
 	bool "No Crypto support for WiFi"
 
 endchoice
 
+config WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
+	bool "Crypto Platform Secure Architecture support for WiFi"
+	default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT
+	help
+	  Support Mbedtls 3.x to use PSA apis instead of legacy apis.
+
 config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
 	bool "Enterprise Crypto support for WiFi"
 	depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
@@ -174,6 +202,18 @@ config WIFI_NM_WPA_SUPPLICANT_BSS_MAX_IDLE_TIME
 config WIFI_NM_WPA_SUPPLICANT_NO_DEBUG
 	bool "Disable printing of debug messages, saves code size significantly"
 
+
+config WIFI_NM_WPA_SUPPLICANT_DPP
+	bool "WFA Easy Connect DPP"
+	select DPP
+	select DPP2
+	select DPP3
+	select GAS
+	select GAS_SERVER
+	select OFFCHANNEL
+	select MBEDTLS_X509_CSR_WRITE_C
+	select MBEDTLS_X509_CSR_PARSE_C
+
 # Create hidden config options that are used in hostap. This way we do not need
 # to mark them as allowed for CI checks, and also someone else cannot use the
 # same name options.
@@ -188,7 +228,7 @@ config NO_CONFIG_WRITE
 
 config NO_CONFIG_BLOBS
 	bool
-	default y
+	default y if !WIFI_NM_WPA_SUPPLICANT_DPP && !WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
 
 config CTRL_IFACE
 	bool
@@ -211,7 +251,7 @@ config NO_WPA
 
 config NO_PBKDF2
 	bool
-	default y
+	default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
 
 config SAE_PK
 	bool
@@ -254,6 +294,9 @@ config P2P
 config GAS
 	bool
 
+config GAS_SERVER
+	bool
+
 config OFFCHANNEL
 	bool
 
@@ -358,6 +401,15 @@ config RRM
 config WMM_AC
 	bool
 
+config DPP
+	bool
+
+config DPP2
+	bool
+
+config DPP3
+	bool
+
 config NW_SEL_RELIABILITY
 	bool
 	default y

diff --git a/modules/hostap/src/supp_main.c b/modules/hostap/src/supp_main.c
@@ -14,6 +14,9 @@ LOG_MODULE_REGISTER(wifi_supplicant, CONFIG_WIFI_NM_WPA_SUPPLICANT_LOG_LEVEL);
 #if !defined(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE) && !defined(CONFIG_MBEDTLS_ENABLE_HEAP)
 #include <mbedtls/platform.h>
 #endif /* !CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE && !CONFIG_MBEDTLS_ENABLE_HEAP */
+#ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
+#include "supp_psa_api.h"
+#endif
 
 #include <zephyr/net/wifi_mgmt.h>
 #include <zephyr/net/wifi_nm.h>
@@ -523,6 +526,10 @@ static void handler(void)
 	mbedtls_platform_set_calloc_free(calloc, free);
 #endif /* !CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE && !CONFIG_MBEDTLS_ENABLE_HEAP */
 
+#ifdef CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
+	supp_psa_crypto_init();
+#endif
+
 	ctx = get_default_context();
 
 	k_work_queue_init(&ctx->iface_wq);

diff --git a/modules/mbedtls/Kconfig.tls-generic b/modules/mbedtls/Kconfig.tls-generic
@@ -513,4 +513,32 @@ config MBEDTLS_SSL_DTLS_CONNECTION_ID
 	  which allows to identify DTLS connections across changes
 	  in the underlying transport.
 
+
+config MBEDTLS_NIST_KW_C
+	bool "NIST key wrap"
+	depends on MBEDTLS_CIPHER_AES_ENABLED
+	help
+	  Key Wrapping mode for 128-bit block ciphers,
+	  as defined in NIST SP 800-38F.
+
+config MBEDTLS_DHM_C
+	bool "Diffie-Hellman-Merkle mode"
+	help
+	  Used by the following key exchanges,
+	  DHE-RSA, DHE-PSK
+
+config MBEDTLS_X509_CRL_PARSE_C
+	bool "X509 CRL parsing"
+	help
+	  Used by X509 CRL parsing
+
+config MBEDTLS_X509_CSR_WRITE_C
+	bool "X509 Certificate Signing Requests writing"
+	help
+	  For X.509 certificate request writing.
+
+config MBEDTLS_X509_CSR_PARSE_C
+	bool "X509 Certificate Signing Request parsing"
+	help
+	  For reading X.509 certificate request.
 endmenu
diff --git a/modules/mbedtls/configs/config-tls-generic.h b/modules/mbedtls/configs/config-tls-generic.h
@@ -503,6 +503,27 @@
 #define MBEDTLS_SSL_DTLS_CONNECTION_ID
 #endif
 
+#if defined(CONFIG_MBEDTLS_NIST_KW_C)
+#define MBEDTLS_NIST_KW_C
+#endif
+
+#if defined(CONFIG_MBEDTLS_DHM_C)
+#define MBEDTLS_DHM_C
+#endif
+
+#if defined(CONFIG_MBEDTLS_X509_CRL_PARSE_C)
+#define MBEDTLS_X509_CRL_PARSE_C
+#endif
+
+#if defined(CONFIG_MBEDTLS_X509_CSR_WRITE_C)
+#define MBEDTLS_X509_CSR_WRITE_C
+#define MBEDTLS_X509_CREATE_C
+#endif
+
+#if defined(CONFIG_MBEDTLS_X509_CSR_PARSE_C)
+#define MBEDTLS_X509_CSR_PARSE_C
+#endif
+
 #if defined(CONFIG_MBEDTLS_USER_CONFIG_FILE)
 #include CONFIG_MBEDTLS_USER_CONFIG_FILE
 #endif