1From f24933dc175e0faf44a3cce3330c256a59649ca6 Mon Sep 17 00:00:00 2001
2From: Glenn Strauss <gstrauss@gluelogic.com>
3Date: Tue, 19 Jul 2022 23:01:17 -0400
4Subject: [PATCH 4/7] tests/Makefile make run-tests with CONFIG_TLS=...
5
6add test-crypto_module.c to run crypto_module_tests()
7
8adjust some tests/hwsim/*.py for mbed TLS (work in progress)
9
10option to build and run-tests with CONFIG_TLS=internal # (default)
11$ cd tests; make clean
12$ make run-tests
13
14option to build and run-tests with CONFIG_TLS=gnutls
15$ cd tests; make clean CONFIG_TLS=gnutls
16$ make run-tests CONFIG_TLS=gnutls
17
18option to build and run-tests with CONFIG_TLS=mbedtls
19$ cd tests; make clean CONFIG_TLS=mbedtls
20$ make run-tests CONFIG_TLS=mbedtls
21
22option to build and run-tests with CONFIG_TLS=openssl
23$ cd tests; make clean CONFIG_TLS=openssl
24$ make run-tests CONFIG_TLS=openssl
25
26option to build and run-tests with CONFIG_TLS=wolfssl
27$ cd tests; make clean CONFIG_TLS=wolfssl
28$ make run-tests CONFIG_TLS=wolfssl
29
30RFE: Makefile logic for crypto objects should be centralized
31 instead of being duplicated in hostapd/Makefile,
32 wpa_supplicant/Makefile, src/crypto/Makefile,
33 tests/Makefile, ...
34
35Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
36---
37 hostapd/Makefile | 6 +
38 src/crypto/Makefile | 129 ++++++++++++++++++++-
39 src/crypto/crypto_module_tests.c | 134 ++++++++++++++++++++++
40 src/tls/Makefile | 11 ++
41 tests/Makefile | 75 +++++++++---
42 tests/hwsim/example-hostapd.config | 11 +-
43 tests/hwsim/example-wpa_supplicant.config | 12 +-
44 tests/hwsim/test_ap_eap.py | 114 +++++++++++++-----
45 tests/hwsim/test_ap_ft.py | 4 +-
46 tests/hwsim/test_authsrv.py | 9 +-
47 tests/hwsim/test_dpp.py | 19 ++-
48 tests/hwsim/test_erp.py | 16 +--
49 tests/hwsim/test_fils.py | 5 +-
50 tests/hwsim/test_pmksa_cache.py | 4 +-
51 tests/hwsim/test_sae.py | 7 ++
52 tests/hwsim/test_suite_b.py | 3 +
53 tests/hwsim/test_wpas_ctrl.py | 2 +-
54 tests/hwsim/utils.py | 8 +-
55 tests/test-crypto_module.c | 16 +++
56 tests/test-https.c | 12 +-
57 tests/test-https_server.c | 12 +-
58 wpa_supplicant/Makefile | 6 +
59 22 files changed, 524 insertions(+), 91 deletions(-)
60 create mode 100644 tests/test-crypto_module.c
61
62--- a/hostapd/Makefile
63+++ b/hostapd/Makefile
64@@ -696,6 +696,7 @@ CFLAGS += -DCONFIG_TLSV12
65 endif
66
67 ifeq ($(CONFIG_TLS), wolfssl)
68+CFLAGS += -DCONFIG_TLS_WOLFSSL
69 CONFIG_CRYPTO=wolfssl
70 ifdef TLS_FUNCS
71 OBJS += ../src/crypto/tls_wolfssl.o
72@@ -716,6 +717,7 @@ endif
73 endif
74
75 ifeq ($(CONFIG_TLS), openssl)
76+CFLAGS += -DCONFIG_TLS_OPENSSL
77 CFLAGS += -DCRYPTO_RSA_OAEP_SHA256
78 CONFIG_CRYPTO=openssl
79 ifdef TLS_FUNCS
80@@ -746,6 +748,7 @@ CFLAGS += -DTLS_DEFAULT_CIPHERS=\"$(CONF
81 endif
82
83 ifeq ($(CONFIG_TLS), mbedtls)
84+CFLAGS += -DCONFIG_TLS_MBEDTLS
85 ifndef CONFIG_CRYPTO
86 CONFIG_CRYPTO=mbedtls
87 endif
88@@ -776,6 +779,7 @@ endif
89 endif
90
91 ifeq ($(CONFIG_TLS), gnutls)
92+CFLAGS += -DCONFIG_TLS_GNUTLS
93 ifndef CONFIG_CRYPTO
94 # default to libgcrypt
95 CONFIG_CRYPTO=gnutls
96@@ -806,6 +810,7 @@ endif
97 endif
98
99 ifeq ($(CONFIG_TLS), internal)
100+CFLAGS += -DCONFIG_TLS_INTERNAL
101 ifndef CONFIG_CRYPTO
102 CONFIG_CRYPTO=internal
103 endif
104@@ -884,6 +889,7 @@ endif
105 endif
106
107 ifeq ($(CONFIG_TLS), linux)
108+CFLAGS += -DCONFIG_TLS_INTERNAL
109 OBJS += ../src/crypto/crypto_linux.o
110 ifdef TLS_FUNCS
111 OBJS += ../src/crypto/crypto_internal-rsa.o
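Review bot: The `linux` branch defines `CONFIG_TLS_INTERNAL` instead of a macro of its own, and nothing in the hunk says why. `test_ecc()`, added in this same commit, is compiled out under `CONFIG_TLS_INTERNAL`, so the choice has a visible effect. A one-line comment would record the intent, for example `# CONFIG_TLS=linux reuses the internal TLS code; only the crypto primitives come from the kernel`. That wording is inferred from the `crypto_linux.o` and `crypto_internal-rsa.o` objects and should be confirmed.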
112--- a/src/crypto/Makefile
113+++ b/src/crypto/Makefile
114@@ -1,10 +1,121 @@
115-CFLAGS += -DCONFIG_CRYPTO_INTERNAL
116-CFLAGS += -DCONFIG_TLS_INTERNAL_CLIENT
117-CFLAGS += -DCONFIG_TLS_INTERNAL_SERVER
118 #CFLAGS += -DALL_DH_GROUPS
119 CFLAGS += -DCONFIG_SHA256
120 CFLAGS += -DCONFIG_SHA384
121+CFLAGS += -DCONFIG_HMAC_SHA256_KDF
122 CFLAGS += -DCONFIG_HMAC_SHA384_KDF
123+
124+# crypto_module_tests.c
125+CFLAGS += -DCONFIG_MODULE_TESTS
126+CFLAGS += -DCONFIG_DPP
127+#CFLAGS += -DCONFIG_DPP2
128+#CFLAGS += -DCONFIG_DPP3
129+CFLAGS += -DCONFIG_ECC
130+CFLAGS += -DCONFIG_MESH
131+CFLAGS += -DEAP_PSK
132+CFLAGS += -DEAP_FAST
133+
134+ifeq ($(CONFIG_TLS),mbedtls)
135+
136+# (enable features for 'cd tests; make run-tests CONFIG_TLS=mbedtls')
137+CFLAGS += -DCRYPTO_RSA_OAEP_SHA256
138+CFLAGS += -DCONFIG_DES
139+CFLAGS += -DEAP_IKEV2
140+CFLAGS += -DEAP_MSCHAPv2
141+CFLAGS += -DEAP_SIM
142+
143+LIB_OBJS = tls_mbedtls.o crypto_mbedtls.o
144+LIB_OBJS+= \
145+ aes-eax.o \
146+ aes-siv.o \
147+ dh_groups.o \
148+ milenage.o \
149+ ms_funcs.o
150+
151+else
152+ifeq ($(CONFIG_TLS),openssl)
153+
154+# (enable features for 'cd tests; make run-tests CONFIG_TLS=openssl')
155+ifndef CONFIG_TLS_DEFAULT_CIPHERS
156+CONFIG_TLS_DEFAULT_CIPHERS = "DEFAULT:!EXP:!LOW"
157+endif
158+CFLAGS += -DTLS_DEFAULT_CIPHERS=\"$(CONFIG_TLS_DEFAULT_CIPHERS)\"
159+CFLAGS += -DCRYPTO_RSA_OAEP_SHA256
160+CFLAGS += -DEAP_TLS_OPENSSL
161+
162+LIB_OBJS = tls_openssl.o fips_prf_openssl.o crypto_openssl.o
163+LIB_OBJS+= \
164+ aes-ctr.o \
165+ aes-eax.o \
166+ aes-encblock.o \
167+ aes-siv.o \
168+ dh_groups.o \
169+ milenage.o \
170+ ms_funcs.o \
171+ sha1-prf.o \
172+ sha1-tlsprf.o \
173+ sha1-tprf.o \
174+ sha256-kdf.o \
175+ sha256-prf.o \
176+ sha256-tlsprf.o
177+
178+else
179+ifeq ($(CONFIG_TLS),wolfssl)
180+
181+# (wolfssl libraries must be built with ./configure --enable-wpas)
182+# (enable features for 'cd tests; make run-tests CONFIG_TLS=wolfssl')
183+CFLAGS += -DWOLFSSL_DER_LOAD
184+CFLAGS += -DCONFIG_DES
185+
186+LIB_OBJS = tls_wolfssl.o fips_prf_wolfssl.o crypto_wolfssl.o
187+LIB_OBJS+= \
188+ aes-ctr.o \
189+ aes-eax.o \
190+ aes-encblock.o \
191+ aes-siv.o \
192+ dh_groups.o \
193+ milenage.o \
194+ ms_funcs.o \
195+ sha1-prf.o \
196+ sha1-tlsprf.o \
197+ sha1-tprf.o \
198+ sha256-kdf.o \
199+ sha256-prf.o \
200+ sha256-tlsprf.o
201+
202+else
203+ifeq ($(CONFIG_TLS),gnutls)
204+
205+# (enable features for 'cd tests; make run-tests CONFIG_TLS=gnutls')
206+LIB_OBJS = tls_gnutls.o crypto_gnutls.o
207+LIB_OBJS+= \
208+ aes-cbc.o \
209+ aes-ctr.o \
210+ aes-eax.o \
211+ aes-encblock.o \
212+ aes-omac1.o \
213+ aes-siv.o \
214+ aes-unwrap.o \
215+ aes-wrap.o \
216+ dh_group5.o \
217+ dh_groups.o \
218+ milenage.o \
219+ ms_funcs.o \
220+ rc4.o \
221+ sha1-pbkdf2.o \
222+ sha1-prf.o \
223+ fips_prf_internal.o \
224+ sha1-internal.o \
225+ sha1-tlsprf.o \
226+ sha1-tprf.o \
227+ sha256-kdf.o \
228+ sha256-prf.o \
229+ sha256-tlsprf.o
230+
231+else
232+
233+CFLAGS += -DCONFIG_CRYPTO_INTERNAL
234+CFLAGS += -DCONFIG_TLS_INTERNAL_CLIENT
235+CFLAGS += -DCONFIG_TLS_INTERNAL_SERVER
236 CFLAGS += -DCONFIG_INTERNAL_SHA384
237
238 LIB_OBJS= \
239@@ -13,7 +124,6 @@ LIB_OBJS= \
240 aes-ctr.o \
241 aes-eax.o \
242 aes-encblock.o \
243- aes-gcm.o \
244 aes-internal.o \
245 aes-internal-dec.o \
246 aes-internal-enc.o \
247@@ -37,6 +147,7 @@ LIB_OBJS= \
248 sha1-tlsprf.o \
249 sha1-tprf.o \
250 sha256.o \
251+ sha256-kdf.o \
252 sha256-prf.o \
253 sha256-tlsprf.o \
254 sha256-internal.o \
255@@ -53,6 +164,16 @@ LIB_OBJS += crypto_internal-modexp.o
256 LIB_OBJS += crypto_internal-rsa.o
257 LIB_OBJS += tls_internal.o
258 LIB_OBJS += fips_prf_internal.o
259+
260+endif
261+endif
262+endif
263+endif
264+
265+
266+# (used by wlantest/{bip,gcmp,rx_mgmt}.c and tests/test-aes.c)
267+LIB_OBJS += aes-gcm.o
268+
269 ifndef TEST_FUZZ
270 LIB_OBJS += random.o
271 endif
272--- a/src/crypto/crypto_module_tests.c
273+++ b/src/crypto/crypto_module_tests.c
274@@ -2469,6 +2469,139 @@ static int test_hpke(void)
275 }
276
277
278+static int test_ecc(void)
279+{
280+#ifdef CONFIG_ECC
281+#ifndef CONFIG_TLS_INTERNAL
282+#ifndef CONFIG_TLS_GNUTLS
283+#if defined(CONFIG_TLS_MBEDTLS) \
284+ || defined(CONFIG_TLS_OPENSSL) \
285+ || defined(CONFIG_TLS_WOLFSSL)
286+ wpa_printf(MSG_INFO, "Testing ECC");
287+ /* Note: some tests below are valid on supported Short Weierstrass
288+ * curves, but not on Montgomery curves (e.g. IKE groups 31 and 32)
289+ * (e.g. deriving and comparing y^2 test below not valid on Montgomery)
290+ */
291+#ifdef CONFIG_TLS_MBEDTLS
292+ const int grps[] = {19, 20, 21, 25, 26, 28};
293+#endif
294+#ifdef CONFIG_TLS_OPENSSL
295+ const int grps[] = {19, 20, 21, 26};
296+#endif
297+#ifdef CONFIG_TLS_WOLFSSL
298+ const int grps[] = {19, 20, 21, 26};
299+#endif
300+ uint32_t i;
301+ struct crypto_ec *e = NULL;
302+ struct crypto_ec_point *p = NULL, *q = NULL;
303+ struct crypto_bignum *x = NULL, *y = NULL;
304+#ifdef CONFIG_DPP
305+ u8 bin[4096];
306+#endif
307+ for (i = 0; i < ARRAY_SIZE(grps); ++i) {
308+ e = crypto_ec_init(grps[i]);
309+ if (e == NULL
310+ || crypto_ec_prime_len(e) == 0
311+ || crypto_ec_prime_len_bits(e) == 0
312+ || crypto_ec_order_len(e) == 0
313+ || crypto_ec_get_prime(e) == NULL
314+ || crypto_ec_get_order(e) == NULL
315+ || crypto_ec_get_a(e) == NULL
316+ || crypto_ec_get_b(e) == NULL
317+ || crypto_ec_get_generator(e) == NULL) {
318+ break;
319+ }
320+#ifdef CONFIG_DPP
321+ struct crypto_ec_key *key = crypto_ec_key_gen(grps[i]);
322+ if (key == NULL)
323+ break;
324+ p = crypto_ec_key_get_public_key(key);
325+ q = crypto_ec_key_get_public_key(key);
326+ crypto_ec_key_deinit(key);
327+ if (p == NULL || q == NULL)
328+ break;
329+ if (!crypto_ec_point_is_on_curve(e, p))
330+ break;
331+
332+ /* inverted point should not match original;
333+ * double-invert should match */
334+ if (crypto_ec_point_invert(e, q) != 0
335+ || crypto_ec_point_cmp(e, p, q) == 0
336+ || crypto_ec_point_invert(e, q) != 0
337+ || crypto_ec_point_cmp(e, p, q) != 0) {
338+ break;
339+ }
340+
341+ /* crypto_ec_point_to_bin() and crypto_ec_point_from_bin()
342+ * imbalanced interfaces? */
343+ size_t prime_len = crypto_ec_prime_len(e);
344+ if (prime_len * 2 > sizeof(bin))
345+ break;
346+ if (crypto_ec_point_to_bin(e, p, bin, bin+prime_len) != 0)
347+ break;
348+ struct crypto_ec_point *tmp = crypto_ec_point_from_bin(e, bin);
349+ if (tmp == NULL)
350+ break;
351+ if (crypto_ec_point_cmp(e, p, tmp) != 0) {
352+ crypto_ec_point_deinit(tmp, 0);
353+ break;
354+ }
355+ crypto_ec_point_deinit(tmp, 0);
356+
357+ x = crypto_bignum_init();
358+ y = crypto_bignum_init_set(bin+prime_len, prime_len);
359+ if (x == NULL || y == NULL || crypto_ec_point_x(e, p, x) != 0)
360+ break;
361+ struct crypto_bignum *y2 = crypto_ec_point_compute_y_sqr(e, x);
362+ if (y2 == NULL)
363+ break;
364+ if (crypto_bignum_sqrmod(y, crypto_ec_get_prime(e), y) != 0
365+ || crypto_bignum_cmp(y, y2) != 0) {
366+ crypto_bignum_deinit(y2, 0);
367+ break;
368+ }
369+ crypto_bignum_deinit(y2, 0);
370+ crypto_bignum_deinit(x, 0);
371+ crypto_bignum_deinit(y, 0);
372+ x = NULL;
373+ y = NULL;
374+
375+ x = crypto_bignum_init();
376+ if (x == NULL)
377+ break;
378+ if (crypto_bignum_rand(x, crypto_ec_get_prime(e)) != 0)
379+ break;
380+ crypto_bignum_deinit(x, 0);
381+ x = NULL;
382+
383+ crypto_ec_point_deinit(p, 0);
384+ p = NULL;
385+ crypto_ec_point_deinit(q, 0);
386+ q = NULL;
387+#endif /* CONFIG_DPP */
388+ crypto_ec_deinit(e);
389+ e = NULL;
390+ }
391+ if (i != ARRAY_SIZE(grps)) {
392+ crypto_bignum_deinit(x, 0);
393+ crypto_bignum_deinit(y, 0);
394+ crypto_ec_point_deinit(p, 0);
395+ crypto_ec_point_deinit(q, 0);
396+ crypto_ec_deinit(e);
397+ wpa_printf(MSG_INFO,
398+ "ECC test case failed tls_id:%d", grps[i]);
399+ return -1;
400+ }
401+
402+ wpa_printf(MSG_INFO, "ECC test cases passed");
403+#endif
404+#endif /* !CONFIG_TLS_GNUTLS */
405+#endif /* !CONFIG_TLS_INTERNAL */
406+#endif /* CONFIG_ECC */
407+ return 0;
408+}
409+
410+
411 static int test_ms_funcs(void)
412 {
413 #ifndef CONFIG_FIPS
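Review bot: Every check in `test_ecc()` feeds the backend a valid point, so nothing confirms that `crypto_ec_point_from_bin()` or `crypto_ec_point_is_on_curve()` rejects coordinates that are not on the curve, which is the property that matters when a peer supplies the point. After the round-trip comparison, a negative case can flip one bit of the encoded y coordinate in `bin`, require that the result is either NULL or not on the curve, and then restore the bit because `bin+prime_len` is read again for `y`. The sketch below relies on `crypto_ec_point_deinit()` accepting NULL, which the existing failure path already assumes. Separately, when none of the three backend macros is defined the function returns 0 without logging, so a skipped run looks like a pass; a `wpa_printf(MSG_INFO, "ECC test cases skipped")` for that case would make the result honest.

```c
		crypto_ec_point_deinit(tmp, 0);

		/* Negative case: a corrupted y coordinate must not produce a
		 * point that is accepted as being on the curve. */
		bin[2 * prime_len - 1] ^= 0x01;
		tmp = crypto_ec_point_from_bin(e, bin);
		if (tmp != NULL && crypto_ec_point_is_on_curve(e, tmp)) {
			crypto_ec_point_deinit(tmp, 0);
			break;
		}
		crypto_ec_point_deinit(tmp, 0);
		bin[2 * prime_len - 1] ^= 0x01; /* restore; y is read below */

		/* … unchanged: x / y bignum checks and per-group cleanup … */
```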
414@@ -2590,6 +2723,7 @@ int crypto_module_tests(void)
415 test_fips186_2_prf() ||
416 test_extract_expand_hkdf() ||
417 test_hpke() ||
418+ test_ecc() ||
419 test_ms_funcs())
420 ret = -1;
421
422--- a/src/tls/Makefile
423+++ b/src/tls/Makefile
424@@ -1,3 +1,10 @@
425+LIB_OBJS= asn1.o
426+
427+ifneq ($(CONFIG_TLS),gnutls)
428+ifneq ($(CONFIG_TLS),mbedtls)
429+ifneq ($(CONFIG_TLS),openssl)
430+ifneq ($(CONFIG_TLS),wolfssl)
431+
432 CFLAGS += -DCONFIG_INTERNAL_LIBTOMMATH
433 CFLAGS += -DCONFIG_CRYPTO_INTERNAL
434 CFLAGS += -DCONFIG_TLSV11
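Review bot: The four nested `ifneq` tests can be written as one condition, `ifeq ($(filter gnutls mbedtls openssl wolfssl,$(CONFIG_TLS)),)`, using the same `$(filter ...)` form this commit introduces in the hwsim example configs. That leaves a single `endif` in place of the four added in the next hunk and removes the chance of a mismatched count when another backend is added. The early `LIB_OBJS= asn1.o` is overwritten by the `LIB_OBJS= \` list inside the guarded block, so that list (outside this hunk) presumably still names `asn1.o`; a short comment saying so would help.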
435@@ -21,5 +28,9 @@ LIB_OBJS= \
436 tlsv1_server_read.o \
437 tlsv1_server_write.o \
438 x509v3.o
439+endif
440+endif
441+endif
442+endif
443
444 include ../lib.rules
445--- a/tests/Makefile
446+++ b/tests/Makefile
447@@ -1,8 +1,10 @@
448-ALL=test-base64 test-md4 test-milenage \
449- test-rsa-sig-ver \
450- test-sha1 \
451- test-https test-https_server \
452- test-sha256 test-aes test-x509v3 test-list test-rc4
453+RUN_TESTS= \
454+ test-list \
455+ test-md4 test-rc4 test-sha1 test-sha256 \
456+ test-milenage test-aes \
457+ test-crypto_module
458+
459+ALL=$(RUN_TESTS) test-base64 test-https test-https_server
460
461 include ../src/build.rules
462
463@@ -24,13 +26,27 @@ CFLAGS += -DCONFIG_IEEE80211R_AP
464 CFLAGS += -DCONFIG_IEEE80211R
465 CFLAGS += -DCONFIG_TDLS
466
467+# test-crypto_module
468+CFLAGS += -DCONFIG_MODULE_TESTS
469+CFLAGS += -DCONFIG_DPP
470+#CFLAGS += -DCONFIG_DPP2
471+#CFLAGS += -DCONFIG_DPP3
472+CFLAGS += -DCONFIG_ECC
473+CFLAGS += -DCONFIG_HMAC_SHA256_KDF
474+CFLAGS += -DCONFIG_HMAC_SHA384_KDF
475+CFLAGS += -DCONFIG_MESH
476+CFLAGS += -DCONFIG_SHA256
477+CFLAGS += -DCONFIG_SHA384
478+CFLAGS += -DEAP_PSK
479+CFLAGS += -DEAP_FAST
480+
481 CFLAGS += -I../src
482 CFLAGS += -I../src/utils
483
484 SLIBS = ../src/utils/libutils.a
485
486-DLIBS = ../src/crypto/libcrypto.a \
487- ../src/tls/libtls.a
488+DLIBS = ../src/tls/libtls.a \
489+ ../src/crypto/libcrypto.a
490
491 _OBJS_VAR := LLIBS
492 include ../src/objs.mk
493@@ -42,12 +58,43 @@ include ../src/objs.mk
494 LIBS = $(SLIBS) $(DLIBS)
495 LLIBS = -Wl,--start-group $(DLIBS) -Wl,--end-group $(SLIBS)
496
497+ifeq ($(CONFIG_TLS),mbedtls)
498+CFLAGS += -DCONFIG_TLS_MBEDTLS
499+LLIBS += -lmbedtls -lmbedx509 -lmbedcrypto
500+else
501+ifeq ($(CONFIG_TLS),openssl)
502+CFLAGS += -DCONFIG_TLS_OPENSSL
503+LLIBS += -lssl -lcrypto
504+else
505+ifeq ($(CONFIG_TLS),gnutls)
506+CFLAGS += -DCONFIG_TLS_GNUTLS
507+LLIBS += -lgnutls -lgpg-error -lgcrypt
508+else
509+ifeq ($(CONFIG_TLS),wolfssl)
510+CFLAGS += -DCONFIG_TLS_WOLFSSL
511+LLIBS += -lwolfssl -lm
512+else
513+CFLAGS += -DCONFIG_TLS_INTERNAL
514+CFLAGS += -DCONFIG_TLS_INTERNAL_SERVER
515+ALL += test-rsa-sig-ver
516+ALL += test-x509v3
517+clean-config_tls_internal:
518+ rm -f test_x509v3_nist.out.*
519+ rm -f test_x509v3_nist2.out.*
520+endif
521+endif
522+endif
523+endif
524+
525 # glibc < 2.17 needs -lrt for clock_gettime()
526 LLIBS += -lrt
527
528 test-aes: $(call BUILDOBJ,test-aes.o) $(LIBS)
529 $(LDO) $(LDFLAGS) -o $@ $^ $(LLIBS)
530
531+test-crypto_module: $(call BUILDOBJ,test-crypto_module.o) $(LIBS)
532+ $(LDO) $(LDFLAGS) -o $@ $< $(LLIBS)
533+
534 test-base64: $(call BUILDOBJ,test-base64.o) $(LIBS)
535 $(LDO) $(LDFLAGS) -o $@ $^ $(LLIBS)
536
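Review bot: Any CONFIG_TLS value that is not one of the four named libraries, including a misspelled library name, falls through to the final `else` and builds the internal backend. run-tests then prints `All tests completed successfully.` for a library that was never exercised. A guard ahead of the chain turns that into a build error: `ifneq ($(filter-out internal mbedtls openssl gnutls wolfssl,$(CONFIG_TLS)),)` / `$(error unsupported CONFIG_TLS=$(CONFIG_TLS))` / `endif`. The `ifeq` chain added to src/crypto/Makefile in this commit has the same fall-through. If `CONFIG_TLS=linux` is meant to be accepted here as it is in hostapd/Makefile, add it to the list.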
537@@ -83,17 +130,11 @@ test-x509v3: $(call BUILDOBJ,test-x509v3
538
539
540 run-tests: $(ALL)
541- ./test-aes
542- ./test-list
543- ./test-md4
544- ./test-milenage
545- ./test-rsa-sig-ver
546- ./test-sha1
547- ./test-sha256
548+ @set -ex; for i in $(RUN_TESTS); do ./$$i; done
549 @echo
550 @echo All tests completed successfully.
551
552-clean: common-clean
553+clean: common-clean clean-config_tls_internal
554 rm -f *~
555- rm -f test_x509v3_nist.out.*
556- rm -f test_x509v3_nist2.out.*
557+
558+.PHONY: run-tests clean-config_tls_internal
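Review bot: `./test-rsa-sig-ver` was executed by the old run-tests recipe, but it is not in `RUN_TESTS` and the internal branch only appends it to `ALL`, so it is now built and never run. That drops the RSA signature verification test for the internal implementation from the default test run. In the `else` branch of the CONFIG_TLS chain, `RUN_TESTS += test-rsa-sig-ver` in place of `ALL += test-rsa-sig-ver` restores it, because `ALL` already expands `$(RUN_TESTS)`.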
559--- a/tests/hwsim/example-hostapd.config
560+++ b/tests/hwsim/example-hostapd.config
561@@ -34,15 +34,7 @@ CONFIG_EAP_TNC=y
562 CFLAGS += -DTNC_CONFIG_FILE=\"tnc/tnc_config\"
563 LIBS += -rdynamic
564 CONFIG_EAP_UNAUTH_TLS=y
565-ifeq ($(CONFIG_TLS), openssl)
566-CONFIG_EAP_PWD=y
567-endif
568-ifeq ($(CONFIG_TLS), wolfssl)
569-CONFIG_EAP_PWD=y
570-endif
571-ifeq ($(CONFIG_TLS), mbedtls)
572-CONFIG_EAP_PWD=y
573-endif
574+CONFIG_EAP_PWD=$(if $(filter openssl wolfssl mbedtls,$(CONFIG_TLS)),y,)
575 CONFIG_EAP_EKE=y
576 CONFIG_PKCS12=y
577 CONFIG_RADIUS_SERVER=y
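Review bot: `CONFIG_EAP_PWD=$(if $(filter ...),y,)` is a recursively expanded assignment, and GNU make's `ifdef` tests whether the variable's unexpanded text is non-empty. `ifdef CONFIG_EAP_PWD` is therefore true for every CONFIG_TLS value, including the libraries the removed `ifeq` blocks excluded. If the including Makefile selects EAP-pwd with `ifdef` (it is outside this page), the method is now enabled for gnutls and internal builds as well. Either keep a conditional, `ifneq ($(filter openssl wolfssl mbedtls,$(CONFIG_TLS)),)` / `CONFIG_EAP_PWD=y` / `endif`, or assign with `:=` so the value is evaluated where it is set. The same applies to `CONFIG_SUITEB192` in the next hunk and to both assignments in example-wpa_supplicant.config.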
578@@ -89,6 +81,7 @@ CFLAGS += -DCONFIG_RADIUS_TEST
579 CONFIG_MODULE_TESTS=y
580
581 CONFIG_SUITEB=y
582+CONFIG_SUITEB192=$(if $(filter openssl mbedtls,$(CONFIG_TLS)),y,)
583
584 # AddressSanitizer (ASan) can be enabled by uncommenting the following lines.
585 # This can be used as a more efficient memory error detector than valgrind
586--- a/tests/hwsim/example-wpa_supplicant.config
587+++ b/tests/hwsim/example-wpa_supplicant.config
588@@ -35,16 +35,7 @@ LIBS += -rdynamic
589 CONFIG_EAP_FAST=y
590 CONFIG_EAP_TEAP=y
591 CONFIG_EAP_IKEV2=y
592-
593-ifeq ($(CONFIG_TLS), openssl)
594-CONFIG_EAP_PWD=y
595-endif
596-ifeq ($(CONFIG_TLS), wolfssl)
597-CONFIG_EAP_PWD=y
598-endif
599-ifeq ($(CONFIG_TLS), mbedtls)
600-CONFIG_EAP_PWD=y
601-endif
602+CONFIG_EAP_PWD=$(if $(filter openssl wolfssl mbedtls,$(CONFIG_TLS)),y,)
603
604 CONFIG_USIM_SIMULATOR=y
605 CONFIG_SIM_SIMULATOR=y
606@@ -137,6 +128,7 @@ CONFIG_TESTING_OPTIONS=y
607 CONFIG_MODULE_TESTS=y
608
609 CONFIG_SUITEB=y
610+CONFIG_SUITEB192=$(if $(filter openssl mbedtls,$(CONFIG_TLS)),y,)
611
612 # AddressSanitizer (ASan) can be enabled by uncommenting the following lines.
613 # This can be used as a more efficient memory error detector than valgrind
614--- a/tests/hwsim/test_ap_eap.py
615+++ b/tests/hwsim/test_ap_eap.py
616@@ -42,20 +42,42 @@ def check_eap_capa(dev, method):
617 res = dev.get_capability("eap")
618 if method not in res:
619 raise HwsimSkip("EAP method %s not supported in the build" % method)
620+ if method == "FAST" or method == "TEAP":
621+ tls = dev.request("GET tls_library")
622+ if tls.startswith("mbed TLS"):
623+ raise HwsimSkip("EAP-%s not supported with this TLS library: " % method + tls)
624
625 def check_subject_match_support(dev):
626 tls = dev.request("GET tls_library")
627- if not tls.startswith("OpenSSL") and not tls.startswith("wolfSSL"):
628+ if tls.startswith("OpenSSL"):
629+ return
630+ elif tls.startswith("wolfSSL"):
631+ return
632+ elif tls.startswith("mbed TLS"):
633+ return
634+ else:
635 raise HwsimSkip("subject_match not supported with this TLS library: " + tls)
636
637 def check_check_cert_subject_support(dev):
638 tls = dev.request("GET tls_library")
639- if not tls.startswith("OpenSSL") and not tls.startswith("wolfSSL"):
640+ if tls.startswith("OpenSSL"):
641+ return
642+ elif tls.startswith("wolfSSL"):
643+ return
644+ elif tls.startswith("mbed TLS"):
645+ return
646+ else:
647 raise HwsimSkip("check_cert_subject not supported with this TLS library: " + tls)
648
649 def check_altsubject_match_support(dev):
650 tls = dev.request("GET tls_library")
651- if not tls.startswith("OpenSSL") and not tls.startswith("wolfSSL"):
652+ if tls.startswith("OpenSSL"):
653+ return
654+ elif tls.startswith("wolfSSL"):
655+ return
656+ elif tls.startswith("mbed TLS"):
657+ return
658+ else:
659 raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls)
660
661 def check_domain_match(dev):
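Review bot: The `if`/`elif`/`else` ladders added to `check_subject_match_support`, `check_check_cert_subject_support` and `check_altsubject_match_support` each have three branches that only `return`. `str.startswith` accepts a tuple, so each can stay a single guard, `if not tls.startswith(("OpenSSL", "wolfSSL", "mbed TLS")):`, followed by the existing `raise HwsimSkip(...)`. The same applies to `check_domain_match_full` and `check_ext_cert_check_support` in the next two hunks. A shared module-level tuple would also keep the list of capable libraries in one place.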
662@@ -70,7 +92,13 @@ def check_domain_suffix_match(dev):
663
664 def check_domain_match_full(dev):
665 tls = dev.request("GET tls_library")
666- if not tls.startswith("OpenSSL") and not tls.startswith("wolfSSL"):
667+ if tls.startswith("OpenSSL"):
668+ return
669+ elif tls.startswith("wolfSSL"):
670+ return
671+ elif tls.startswith("mbed TLS"):
672+ return
673+ else:
674 raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls)
675
676 def check_cert_probe_support(dev):
677@@ -79,8 +107,15 @@ def check_cert_probe_support(dev):
678 raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls)
679
680 def check_ext_cert_check_support(dev):
681+ if not openssl_imported:
682+ raise HwsimSkip("OpenSSL python method not available")
683+
684 tls = dev.request("GET tls_library")
685- if not tls.startswith("OpenSSL"):
686+ if tls.startswith("OpenSSL"):
687+ return
688+ elif tls.startswith("mbed TLS"):
689+ return
690+ else:
691 raise HwsimSkip("ext_cert_check not supported with this TLS library: " + tls)
692
693 def check_ocsp_support(dev):
694@@ -91,14 +126,18 @@ def check_ocsp_support(dev):
695 # raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
696 #if tls.startswith("wolfSSL"):
697 # raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
698+ if tls.startswith("mbed TLS"):
699+ raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
700
701 def check_pkcs5_v15_support(dev):
702 tls = dev.request("GET tls_library")
703- if "BoringSSL" in tls or "GnuTLS" in tls:
704+ if "BoringSSL" in tls or "GnuTLS" in tls or "mbed TLS" in tls:
705 raise HwsimSkip("PKCS#5 v1.5 not supported with this TLS library: " + tls)
706
707 def check_tls13_support(dev):
708 tls = dev.request("GET tls_library")
709+ if tls.startswith("mbed TLS"):
710+ raise HwsimSkip("TLS v1.3 not supported")
711 if "run=OpenSSL 1.1.1" not in tls and "run=OpenSSL 3.0" not in tls and "wolfSSL" not in tls:
712 raise HwsimSkip("TLS v1.3 not supported")
713
714@@ -118,11 +157,15 @@ def check_pkcs12_support(dev):
715 # raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)
716 if tls.startswith("wolfSSL"):
717 raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)
718+ if tls.startswith("mbed TLS"):
719+ raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)
720
721 def check_dh_dsa_support(dev):
722 tls = dev.request("GET tls_library")
723 if tls.startswith("internal"):
724 raise HwsimSkip("DH DSA not supported with this TLS library: " + tls)
725+ if tls.startswith("mbed TLS"):
726+ raise HwsimSkip("DH DSA not supported with this TLS library: " + tls)
727
728 def check_ec_support(dev):
729 tls = dev.request("GET tls_library")
730@@ -1625,7 +1668,7 @@ def test_ap_wpa2_eap_ttls_pap_subject_ma
731 eap_connect(dev[0], hapd, "TTLS", "pap user",
732 anonymous_identity="ttls", password="password",
733 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
734- subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
735+ check_cert_subject="/C=FI/O=w1.fi/CN=server.w1.fi",
736 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
737 eap_reauth(dev[0], "TTLS")
738
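Review bot: Replacing `subject_match=` with `check_cert_subject=` changes this test for every TLS library, so the accepting path of `subject_match` is no longer exercised by the test that carries its name. The function name is truncated in the hunk header and its body starts outside the hunk. As far as this page shows, only the negative `subject_match` test remains, and a matcher that rejects every certificate would still pass that one. If mbed TLS cannot match this subject string, select the parameter per library from `GET tls_library`, or add a separate `check_cert_subject` test and leave this one unchanged.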
739@@ -2860,6 +2903,7 @@ def test_ap_wpa2_eap_tls_neg_domain_matc
740
741 def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
742 """WPA2-Enterprise negative test - subject mismatch"""
743+ check_subject_match_support(dev[0])
744 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
745 hostapd.add_ap(apdev[0], params)
746 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
747@@ -2920,6 +2964,7 @@ def test_ap_wpa2_eap_tls_neg_subject_mat
748
749 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
750 """WPA2-Enterprise negative test - altsubject mismatch"""
751+ check_altsubject_match_support(dev[0])
752 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
753 hostapd.add_ap(apdev[0], params)
754
755@@ -3460,7 +3505,7 @@ def test_ap_wpa2_eap_ikev2_oom(dev, apde
756 dev[0].request("REMOVE_NETWORK all")
757
758 tls = dev[0].request("GET tls_library")
759- if not tls.startswith("wolfSSL"):
760+ if not tls.startswith("wolfSSL") and not tls.startswith("mbed TLS"):
761 tests = [(1, "os_get_random;dh_init")]
762 else:
763 tests = [(1, "crypto_dh_init;dh_init")]
764@@ -4774,7 +4819,7 @@ def test_ap_wpa2_eap_tls_intermediate_ca
765 params["private_key"] = "auth_serv/iCA-server/server.key"
766 hostapd.add_ap(apdev[0], params)
767 tls = dev[0].request("GET tls_library")
768- if "GnuTLS" in tls or "wolfSSL" in tls:
769+ if "GnuTLS" in tls or "wolfSSL" in tls or "mbed TLS" in tls:
770 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
771 client_cert = "auth_serv/iCA-user/user_and_ica.pem"
772 else:
773@@ -4840,6 +4885,7 @@ def test_ap_wpa2_eap_tls_intermediate_ca
774 run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, "-sha1")
775
776 def run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev, apdev, params, md):
777+ check_ocsp_support(dev[0])
778 params = int_eap_server_params()
779 params["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
780 params["server_cert"] = "auth_serv/iCA-server/server.pem"
781@@ -4849,7 +4895,7 @@ def run_ap_wpa2_eap_tls_intermediate_ca_
782 try:
783 hostapd.add_ap(apdev[0], params)
784 tls = dev[0].request("GET tls_library")
785- if "GnuTLS" in tls or "wolfSSL" in tls:
786+ if "GnuTLS" in tls or "wolfSSL" in tls or "mbed TLS" in tls:
787 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
788 client_cert = "auth_serv/iCA-user/user_and_ica.pem"
789 else:
790@@ -4885,7 +4931,7 @@ def run_ap_wpa2_eap_tls_intermediate_ca_
791 try:
792 hostapd.add_ap(apdev[0], params)
793 tls = dev[0].request("GET tls_library")
794- if "GnuTLS" in tls or "wolfSSL" in tls:
795+ if "GnuTLS" in tls or "wolfSSL" in tls or "mbed TLS" in tls:
796 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
797 client_cert = "auth_serv/iCA-user/user_and_ica.pem"
798 else:
799@@ -4935,7 +4981,7 @@ def test_ap_wpa2_eap_tls_intermediate_ca
800 try:
801 hostapd.add_ap(apdev[0], params)
802 tls = dev[0].request("GET tls_library")
803- if "GnuTLS" in tls or "wolfSSL" in tls:
804+ if "GnuTLS" in tls or "wolfSSL" in tls or "mbed TLS" in tls:
805 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
806 client_cert = "auth_serv/iCA-user/user_and_ica.pem"
807 else:
808@@ -5002,7 +5048,7 @@ def test_ap_wpa2_eap_tls_intermediate_ca
809
810 hostapd.add_ap(apdev[0], params)
811 tls = dev[0].request("GET tls_library")
812- if "GnuTLS" in tls or "wolfSSL" in tls:
813+ if "GnuTLS" in tls or "wolfSSL" in tls or "mbed TLS" in tls:
814 ca_cert = "auth_serv/iCA-user/ca-and-root.pem"
815 client_cert = "auth_serv/iCA-user/user_and_ica.pem"
816 else:
817@@ -5260,6 +5306,7 @@ def test_ap_wpa2_eap_ttls_server_cert_ek
818
819 def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
820 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
821+ check_pkcs12_support(dev[0])
822 skip_with_fips(dev[0])
823 params = int_eap_server_params()
824 del params["server_cert"]
825@@ -5272,6 +5319,7 @@ def test_ap_wpa2_eap_ttls_server_pkcs12(
826
827 def test_ap_wpa2_eap_ttls_server_pkcs12_extra(dev, apdev):
828 """EAP-TTLS and server PKCS#12 file with extra certs"""
829+ check_pkcs12_support(dev[0])
830 skip_with_fips(dev[0])
831 params = int_eap_server_params()
832 del params["server_cert"]
833@@ -5294,6 +5342,7 @@ def test_ap_wpa2_eap_ttls_dh_params_serv
834
835 def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev, apdev):
836 """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
837+ check_dh_dsa_support(dev[0])
838 params = int_eap_server_params()
839 params["dh_file"] = "auth_serv/dsaparam.pem"
840 hapd = hostapd.add_ap(apdev[0], params)
841@@ -5605,8 +5654,8 @@ def test_ap_wpa2_eap_non_ascii_identity2
842 def test_openssl_cipher_suite_config_wpas(dev, apdev):
843 """OpenSSL cipher suite configuration on wpa_supplicant"""
844 tls = dev[0].request("GET tls_library")
845- if not tls.startswith("OpenSSL"):
846- raise HwsimSkip("TLS library is not OpenSSL: " + tls)
847+ if not tls.startswith("OpenSSL") and not tls.startswith("mbed TLS"):
848+ raise HwsimSkip("TLS library is not OpenSSL or mbed TLS: " + tls)
849 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
850 hapd = hostapd.add_ap(apdev[0], params)
851 eap_connect(dev[0], hapd, "TTLS", "pap user",
852@@ -5632,14 +5681,14 @@ def test_openssl_cipher_suite_config_wpa
853 def test_openssl_cipher_suite_config_hapd(dev, apdev):
854 """OpenSSL cipher suite configuration on hostapd"""
855 tls = dev[0].request("GET tls_library")
856- if not tls.startswith("OpenSSL"):
857- raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls)
858+ if not tls.startswith("OpenSSL") and not tls.startswith("mbed TLS"):
859+ raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL or mbed TLS: " + tls)
860 params = int_eap_server_params()
861 params['openssl_ciphers'] = "AES256"
862 hapd = hostapd.add_ap(apdev[0], params)
863 tls = hapd.request("GET tls_library")
864- if not tls.startswith("OpenSSL"):
865- raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls)
866+ if not tls.startswith("OpenSSL") and not tls.startswith("mbed TLS"):
867+ raise HwsimSkip("hostapd TLS library is not OpenSSL or mbed TLS: " + tls)
868 eap_connect(dev[0], hapd, "TTLS", "pap user",
869 anonymous_identity="ttls", password="password",
870 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
871@@ -6081,13 +6130,17 @@ def test_ap_wpa2_eap_tls_versions(dev, a
872 check_tls_ver(dev[0], hapd,
873 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
874 "TLSv1.2")
875- elif tls.startswith("internal"):
876+ elif tls.startswith("internal") or tls.startswith("mbed TLS"):
877 check_tls_ver(dev[0], hapd,
878 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
879- check_tls_ver(dev[1], hapd,
880- "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=1", "TLSv1.1")
881- check_tls_ver(dev[2], hapd,
882- "tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
883+ if tls.startswith("mbed TLS"):
884+ check_tls_ver(dev[2], hapd,
885+ "tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1.0")
886+ else:
887+ check_tls_ver(dev[1], hapd,
888+ "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=1", "TLSv1.1")
889+ check_tls_ver(dev[2], hapd,
890+ "tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
891 if "run=OpenSSL 1.1.1" in tls or "run=OpenSSL 3.0" in tls:
892 check_tls_ver(dev[0], hapd,
893 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0", "TLSv1.3")
894@@ -6109,6 +6162,11 @@ def test_ap_wpa2_eap_tls_versions_server
895 tests = [("TLSv1", "[ENABLE-TLSv1.0][DISABLE-TLSv1.1][DISABLE-TLSv1.2][DISABLE-TLSv1.3]"),
896 ("TLSv1.1", "[ENABLE-TLSv1.0][ENABLE-TLSv1.1][DISABLE-TLSv1.2][DISABLE-TLSv1.3]"),
897 ("TLSv1.2", "[ENABLE-TLSv1.0][ENABLE-TLSv1.1][ENABLE-TLSv1.2][DISABLE-TLSv1.3]")]
898+ tls = dev[0].request("GET tls_library")
899+ if tls.startswith("mbed TLS"):
900+ tests = [#("TLSv1.0", "[ENABLE-TLSv1.0][DISABLE-TLSv1.1][DISABLE-TLSv1.2][DISABLE-TLSv1.3]"),
901+ #("TLSv1.1", "[ENABLE-TLSv1.0][ENABLE-TLSv1.1][DISABLE-TLSv1.2][DISABLE-TLSv1.3]"),
902+ ("TLSv1.2", "[ENABLE-TLSv1.0][ENABLE-TLSv1.1][ENABLE-TLSv1.2][DISABLE-TLSv1.3]")]
903 for exp, flags in tests:
904 hapd.disable()
905 hapd.set("tls_flags", flags)
906@@ -7145,6 +7203,7 @@ def test_ap_wpa2_eap_assoc_rsn(dev, apde
907 def test_eap_tls_ext_cert_check(dev, apdev):
908 """EAP-TLS and external server certification validation"""
909 # With internal server certificate chain validation
910+ check_ext_cert_check_support(dev[0])
911 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
912 identity="tls user",
913 ca_cert="auth_serv/ca.pem",
914@@ -7157,6 +7216,7 @@ def test_eap_tls_ext_cert_check(dev, apd
915 def test_eap_ttls_ext_cert_check(dev, apdev):
916 """EAP-TTLS and external server certification validation"""
917 # Without internal server certificate chain validation
918+ check_ext_cert_check_support(dev[0])
919 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
920 identity="pap user", anonymous_identity="ttls",
921 password="password", phase2="auth=PAP",
922@@ -7167,6 +7227,7 @@ def test_eap_ttls_ext_cert_check(dev, ap
923 def test_eap_peap_ext_cert_check(dev, apdev):
924 """EAP-PEAP and external server certification validation"""
925 # With internal server certificate chain validation
926+ check_ext_cert_check_support(dev[0])
927 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
928 identity="user", anonymous_identity="peap",
929 ca_cert="auth_serv/ca.pem",
930@@ -7177,6 +7238,7 @@ def test_eap_peap_ext_cert_check(dev, ap
931
932 def test_eap_fast_ext_cert_check(dev, apdev):
933 """EAP-FAST and external server certification validation"""
934+ check_ext_cert_check_support(dev[0])
935 check_eap_capa(dev[0], "FAST")
936 # With internal server certificate chain validation
937 dev[0].request("SET blob fast_pac_auth_ext ")
938@@ -7191,10 +7253,6 @@ def test_eap_fast_ext_cert_check(dev, ap
939 run_ext_cert_check(dev, apdev, id)
940
941 def run_ext_cert_check(dev, apdev, net_id):
942- check_ext_cert_check_support(dev[0])
943- if not openssl_imported:
944- raise HwsimSkip("OpenSSL python method not available")
945-
946 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
947 hapd = hostapd.add_ap(apdev[0], params)
948
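Review bot: The `openssl_imported` guard is removed from `run_ext_cert_check` with no replacement visible in this hunk. The rest of the function lies outside the hunk; if it still relies on the OpenSSL Python module to inspect the server certificate, a host without that module would now hit an error instead of a clean HwsimSkip. Either keep `if not openssl_imported: raise HwsimSkip("OpenSSL python method not available")` at the top of the helper, or move it into the four callers next to `check_ext_cert_check_support(dev[0])`.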
949--- a/tests/hwsim/test_ap_ft.py
950+++ b/tests/hwsim/test_ap_ft.py
951@@ -2347,11 +2347,11 @@ def test_ap_ft_ap_oom5(dev, apdev):
952 # This will fail to roam
953 dev[0].roam(bssid1, check_bssid=False)
954
955- with fail_test(hapd1, 1, "sha256_prf_bits;wpa_pmk_r1_to_ptk;wpa_ft_process_auth_req"):
956+ with fail_test(hapd1, 1, "sha256_prf;wpa_pmk_r1_to_ptk;wpa_ft_process_auth_req"):
957 # This will fail to roam
958 dev[0].roam(bssid1, check_bssid=False)
959
960- with fail_test(hapd1, 3, "wpa_pmk_r1_to_ptk;wpa_ft_process_auth_req"):
961+ with fail_test(hapd1, 2, "wpa_pmk_r1_to_ptk;wpa_ft_process_auth_req"):
962 # This will fail to roam
963 dev[0].roam(bssid1, check_bssid=False)
964
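Review bot: The fail_test trigger is renamed from `sha256_prf_bits` to `sha256_prf` and the second count drops from 3 to 2 for every TLS backend, whereas test_authsrv.py in this same patch branches on `GET tls_library` for a backend-specific difference. If these values follow the mbed TLS call path (an inference; the crypto sources are not part of this hunk), the injected failure may no longer fire where expected on the other backends. Select the trigger by backend, or add a comment such as `# trigger/count are valid for all CONFIG_TLS backends` if the change is meant to be universal. The same question applies to the unconditional count changes in test_erp.py (`range(1, 4)`), test_pmksa_cache.py (`range(1, 10)`) and test_wpas_ctrl.py (`3`).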
965--- a/tests/hwsim/test_authsrv.py
966+++ b/tests/hwsim/test_authsrv.py
967@@ -156,9 +156,12 @@ def test_authsrv_oom(dev, apdev):
968 if "FAIL" not in authsrv.request("ENABLE"):
969 raise Exception("ENABLE succeeded during OOM")
970
971- with alloc_fail(authsrv, 1, "tls_init;authsrv_init"):
972- if "FAIL" not in authsrv.request("ENABLE"):
973- raise Exception("ENABLE succeeded during OOM")
974+ # tls_mbedtls.c:tls_init() does not alloc memory (no alloc fail trigger)
975+ tls = dev[0].request("GET tls_library")
976+ if not tls.startswith("mbed TLS"):
977+ with alloc_fail(authsrv, 1, "tls_init;authsrv_init"):
978+ if "FAIL" not in authsrv.request("ENABLE"):
979+ raise Exception("ENABLE succeeded during OOM")
980
981 for count in range(1, 3):
982 with alloc_fail(authsrv, count, "eap_sim_db_init;authsrv_init"):
983--- a/tests/hwsim/test_dpp.py
984+++ b/tests/hwsim/test_dpp.py
985@@ -39,7 +39,8 @@ def check_dpp_capab(dev, brainpool=False
986 raise HwsimSkip("DPP not supported")
987 if brainpool:
988 tls = dev.request("GET tls_library")
989- if (not tls.startswith("OpenSSL") or "run=BoringSSL" in tls) and not tls.startswith("wolfSSL"):
990+ if (not tls.startswith("OpenSSL") or "run=BoringSSL" in tls) and not tls.startswith("wolfSSL") \
991+ and not tls.startswith("mbed TLS"):
992 raise HwsimSkip("Crypto library does not support Brainpool curves: " + tls)
993 capa = dev.request("GET_CAPABILITY dpp")
994 ver = 1
995@@ -3621,6 +3622,9 @@ def test_dpp_proto_auth_req_no_i_proto_k
996
997 def test_dpp_proto_auth_req_invalid_i_proto_key(dev, apdev):
998 """DPP protocol testing - invalid I-proto key in Auth Req"""
999+ tls = dev[0].request("GET tls_library")
1000+ if tls.startswith("mbed TLS"):
1001+ raise HwsimSkip("mbed TLS crypto_ecdh_set_peerkey() properly detects invalid key; no response")
1002 run_dpp_proto_auth_req_missing(dev, 66, "Invalid Initiator Protocol Key")
1003
1004 def test_dpp_proto_auth_req_no_i_nonce(dev, apdev):
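Review bot: Skipping `test_dpp_proto_auth_req_invalid_i_proto_key` on mbed TLS leaves that backend with no coverage of invalid peer key rejection, which is the behaviour the skip message itself describes as correct. It would be stronger to keep a negative test for mbed TLS that asserts the early rejection (for example, that no Authentication Response follows), much as `test_dpp_proto_auth_resp_invalid_r_proto_key` in the next hunk switches the expected message instead of skipping. The same skip is added twice in the `@@ -4078,11 +4087,17` hunk for the PKEX Commit-Reveal tests. The repeated `tls = dev[0].request("GET tls_library")` / `startswith("mbed TLS")` pair could live in one small helper.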
1005@@ -3716,7 +3720,12 @@ def test_dpp_proto_auth_resp_no_r_proto_
1006
1007 def test_dpp_proto_auth_resp_invalid_r_proto_key(dev, apdev):
1008 """DPP protocol testing - invalid R-Proto Key in Auth Resp"""
1009- run_dpp_proto_auth_resp_missing(dev, 67, "Invalid Responder Protocol Key")
1010+ tls = dev[0].request("GET tls_library")
1011+ if tls.startswith("mbed TLS"):
1012+ # mbed TLS crypto_ecdh_set_peerkey() properly detects invalid key
1013+ run_dpp_proto_auth_resp_missing(dev, 67, "Failed to derive ECDH shared secret")
1014+ else:
1015+ run_dpp_proto_auth_resp_missing(dev, 67, "Invalid Responder Protocol Key")
1016
1017 def test_dpp_proto_auth_resp_no_r_nonce(dev, apdev):
1018 """DPP protocol testing - no R-nonce in Auth Resp"""
1019@@ -4078,11 +4087,17 @@ def test_dpp_proto_pkex_exchange_resp_in
1020
1021 def test_dpp_proto_pkex_cr_req_invalid_bootstrap_key(dev, apdev):
1022 """DPP protocol testing - invalid Bootstrap Key in PKEX Commit-Reveal Request"""
1023+ tls = dev[0].request("GET tls_library")
1024+ if tls.startswith("mbed TLS"):
1025+ raise HwsimSkip("mbed TLS crypto_ecdh_set_peerkey() properly detects invalid key; no response")
1026 run_dpp_proto_pkex_req_missing(dev, 47,
1027 "Peer bootstrapping key is invalid")
1028
1029 def test_dpp_proto_pkex_cr_resp_invalid_bootstrap_key(dev, apdev):
1030 """DPP protocol testing - invalid Bootstrap Key in PKEX Commit-Reveal Response"""
1031+ tls = dev[0].request("GET tls_library")
1032+ if tls.startswith("mbed TLS"):
1033+ raise HwsimSkip("mbed TLS crypto_ecdh_set_peerkey() properly detects invalid key; no response")
1034 run_dpp_proto_pkex_resp_missing(dev, 48,
1035 "Peer bootstrapping key is invalid")
1036
1037--- a/tests/hwsim/test_erp.py
1038+++ b/tests/hwsim/test_erp.py
1039@@ -12,7 +12,7 @@ import time
1040
1041 import hostapd
1042 from utils import *
1043-from test_ap_eap import int_eap_server_params, check_tls13_support
1044+from test_ap_eap import int_eap_server_params, check_tls13_support, check_eap_capa
1045 from test_ap_psk import find_wpas_process, read_process_memory, verify_not_present, get_key_locations
1046
1047 def test_erp_initiate_reauth_start(dev, apdev):
1048@@ -276,6 +276,7 @@ def test_erp_radius_eap_methods(dev, apd
1049 params['erp_domain'] = 'example.com'
1050 params['disable_pmksa_caching'] = '1'
1051 hapd = hostapd.add_ap(apdev[0], params)
1052+ tls = dev[0].request("GET tls_library")
1053
1054 erp_test(dev[0], hapd, eap="AKA", identity="0232010000000000@example.com",
1055 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
1056@@ -289,7 +290,7 @@ def test_erp_radius_eap_methods(dev, apd
1057 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1058 erp_test(dev[0], hapd, eap="EKE", identity="erp-eke@example.com",
1059 password="hello")
1060- if "FAST" in eap_methods:
1061+ if "FAST" in eap_methods and check_eap_capa(dev[0], "FAST"):
1062 erp_test(dev[0], hapd, eap="FAST", identity="erp-fast@example.com",
1063 password="password", ca_cert="auth_serv/ca.pem",
1064 phase2="auth=GTC",
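Review bot: `check_eap_capa(dev[0], "FAST")` is used as a boolean in the changed `if`, but its definition is not in this hunk. If it still reports a missing method by raising HwsimSkip and returns nothing on success, the condition can never be true: the FAST case is silently dropped on every backend, or the whole test is skipped partway through. A check that yields a bool makes the intent explicit, e.g. `if "FAST" in eap_methods and "FAST" in dev[0].get_capability("eap"):`. The same pattern is added for MSCHAPV2 and TEAP in the `@@ -301,13 +302,14` hunk that follows.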
1065@@ -301,13 +302,14 @@ def test_erp_radius_eap_methods(dev, apd
1066 password="password")
1067 erp_test(dev[0], hapd, eap="PAX", identity="erp-pax@example.com",
1068 password_hex="0123456789abcdef0123456789abcdef")
1069- if "MSCHAPV2" in eap_methods:
1070+ if "MSCHAPV2" in eap_methods and check_eap_capa(dev[0], "MSCHAPV2"):
1071 erp_test(dev[0], hapd, eap="PEAP", identity="erp-peap@example.com",
1072 password="password", ca_cert="auth_serv/ca.pem",
1073 phase2="auth=MSCHAPV2")
1074- erp_test(dev[0], hapd, eap="TEAP", identity="erp-teap@example.com",
1075- password="password", ca_cert="auth_serv/ca.pem",
1076- phase2="auth=MSCHAPV2", pac_file="blob://teap_pac")
1077+ if check_eap_capa(dev[0], "TEAP"):
1078+ erp_test(dev[0], hapd, eap="TEAP", identity="erp-teap@example.com",
1079+ password="password", ca_cert="auth_serv/ca.pem",
1080+ phase2="auth=MSCHAPV2", pac_file="blob://teap_pac")
1081 erp_test(dev[0], hapd, eap="PSK", identity="erp-psk@example.com",
1082 password_hex="0123456789abcdef0123456789abcdef")
1083 if "PWD" in eap_methods:
1084@@ -640,7 +642,7 @@ def test_erp_local_errors(dev, apdev):
1085 dev[0].request("REMOVE_NETWORK all")
1086 dev[0].wait_disconnected()
1087
1088- for count in range(1, 6):
1089+ for count in range(1, 4):
1090 dev[0].request("ERP_FLUSH")
1091 with fail_test(dev[0], count, "hmac_sha256_kdf;eap_peer_erp_init"):
1092 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1093--- a/tests/hwsim/test_fils.py
1094+++ b/tests/hwsim/test_fils.py
1095@@ -1422,7 +1422,10 @@ def run_fils_sk_pfs(dev, apdev, group, p
1096 check_erp_capa(dev[0])
1097
1098 tls = dev[0].request("GET tls_library")
1099- if not tls.startswith("wolfSSL"):
1100+ if tls.startswith("mbed TLS"):
1101+ if int(group) == 27:
1102+ raise HwsimSkip("Brainpool EC group 27 not supported by mbed TLS")
1103+ elif not tls.startswith("wolfSSL"):
1104 if int(group) in [25]:
1105 if not (tls.startswith("OpenSSL") and ("build=OpenSSL 1.0.2" in tls or "build=OpenSSL 1.1" in tls or "build=OpenSSL 3.0" in tls) and ("run=OpenSSL 1.0.2" in tls or "run=OpenSSL 1.1" in tls or "run=OpenSSL 3.0" in tls)):
1106 raise HwsimSkip("EC group not supported")
1107--- a/tests/hwsim/test_pmksa_cache.py
1108+++ b/tests/hwsim/test_pmksa_cache.py
1109@@ -954,7 +954,7 @@ def test_pmksa_cache_preauth_wpas_oom(de
1110 eap_connect(dev[0], hapd, "PAX", "pax.user@example.com",
1111 password_hex="0123456789abcdef0123456789abcdef",
1112 bssid=apdev[0]['bssid'])
1113- for i in range(1, 11):
1114+ for i in range(1, 10):
1115 with alloc_fail(dev[0], i, "rsn_preauth_init"):
1116 res = dev[0].request("PREAUTH f2:11:22:33:44:55").strip()
1117 logger.info("Iteration %d - PREAUTH command results: %s" % (i, res))
1118@@ -962,7 +962,7 @@ def test_pmksa_cache_preauth_wpas_oom(de
1119 state = dev[0].request('GET_ALLOC_FAIL')
1120 if state.startswith('0:'):
1121 break
1122- time.sleep(0.05)
1123+ time.sleep(0.10)
1124
1125 def test_pmksa_cache_ctrl(dev, apdev):
1126 """PMKSA cache control interface operations"""
1127--- a/tests/hwsim/test_sae.py
1128+++ b/tests/hwsim/test_sae.py
1129@@ -177,6 +177,11 @@ def test_sae_groups(dev, apdev):
1130 if tls.startswith("OpenSSL") and "run=OpenSSL 1." in tls:
1131 logger.info("Add Brainpool EC groups since OpenSSL is new enough")
1132 sae_groups += [27, 28, 29, 30]
1133+ if tls.startswith("mbed TLS"):
1134+ # secp224k1 and secp224r1 (26) have prime p = 1 mod 4, and mbedtls
1135+ # does not have code to derive y from compressed format for those curves
1136+ sae_groups = [19, 25, 20, 21, 1, 2, 5, 14, 15, 16, 22, 23, 24]
1137+ sae_groups += [27, 28, 29, 30]
1138 heavy_groups = [14, 15, 16]
1139 suitable_groups = [15, 16, 17, 18, 19, 20, 21]
1140 groups = [str(g) for g in sae_groups]
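Review bot: The mbed TLS branch appends group 27 to `sae_groups`, while test_fils.py in this same patch skips with "Brainpool EC group 27 not supported by mbed TLS"; one of the two is likely inaccurate. How the loop treats an unsupported group is outside this hunk, so the effect on the test result cannot be judged from here. If 27 is indeed unavailable, use `sae_groups += [28, 29, 30]`. The comment could also state what the replacement list drops, e.g. `# same as the default list minus group 26`, since the whole list is overwritten rather than filtered.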
1141@@ -2122,6 +2127,8 @@ def run_sae_pwe_group(dev, apdev, group)
1142 logger.info("Add Brainpool EC groups since OpenSSL is new enough")
1143 elif tls.startswith("wolfSSL"):
1144 logger.info("Make sure Brainpool EC groups were enabled when compiling wolfSSL")
1145+ elif tls.startswith("mbed TLS"):
1146+ logger.info("Make sure Brainpool EC groups were enabled when compiling mbed TLS")
1147 else:
1148 raise HwsimSkip("Brainpool curve not supported")
1149 start_sae_pwe_ap(apdev[0], group, 2)
1150--- a/tests/hwsim/test_suite_b.py
1151+++ b/tests/hwsim/test_suite_b.py
1152@@ -26,6 +26,8 @@ def check_suite_b_tls_lib(dev, dhe=False
1153 return
1154 if tls.startswith("wolfSSL"):
1155 return
1156+ if tls.startswith("mbed TLS"):
1157+ return
1158 if not tls.startswith("OpenSSL"):
1159 raise HwsimSkip("TLS library not supported for Suite B: " + tls)
1160 supported = False
1161@@ -499,6 +501,7 @@ def test_suite_b_192_rsa_insufficient_dh
1162
1163 dev[0].connect("test-suite-b", key_mgmt="WPA-EAP-SUITE-B-192",
1164 ieee80211w="2",
1165+ openssl_ciphers="DHE-RSA-AES256-GCM-SHA384",
1166 phase1="tls_suiteb=1",
1167 eap="TLS", identity="tls user",
1168 ca_cert="auth_serv/rsa3072-ca.pem",
1169--- a/tests/hwsim/test_wpas_ctrl.py
1170+++ b/tests/hwsim/test_wpas_ctrl.py
1171@@ -1834,7 +1834,7 @@ def _test_wpas_ctrl_oom(dev):
1172 tls = dev[0].request("GET tls_library")
1173 if not tls.startswith("internal"):
1174 tests.append(('NFC_GET_HANDOVER_SEL NDEF P2P-CR-TAG', 'FAIL',
1175- 4, 'wpas_ctrl_nfc_get_handover_sel_p2p'))
1176+ 3, 'wpas_ctrl_nfc_get_handover_sel_p2p'))
1177 for cmd, exp, count, func in tests:
1178 with alloc_fail(dev[0], count, func):
1179 res = dev[0].request(cmd)
1180--- a/tests/hwsim/utils.py
1181+++ b/tests/hwsim/utils.py
1182@@ -135,7 +135,13 @@ def check_fils_sk_pfs_capa(dev):
1183
1184 def check_tls_tod(dev):
1185 tls = dev.request("GET tls_library")
1186- if not tls.startswith("OpenSSL") and not tls.startswith("internal"):
1187+ if tls.startswith("OpenSSL"):
1188+ return
1189+ elif tls.startswith("internal"):
1190+ return
1191+ elif tls.startswith("mbed TLS"):
1192+ return
1193+ else:
1194 raise HwsimSkip("TLS TOD-TOFU/STRICT not supported with this TLS library: " + tls)
1195
1196 def vht_supported():
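Review bot: The four-way `if`/`elif`/`else` in `check_tls_tod` only decides whether to skip, so the three empty `return` branches can collapse into a single condition. `str.startswith` accepts a tuple: `if not tls.startswith(("OpenSSL", "internal", "mbed TLS")):` followed by the existing `raise HwsimSkip(...)` keeps the supported-library list in one place.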
1197--- /dev/null
1198+++ b/tests/test-crypto_module.c
1199@@ -0,0 +1,16 @@
1200+/*
1201+ * crypto module tests - test program
1202+ * Copyright (c) 2022, Glenn Strauss <gstrauss@gluelogic.com>
1203+ *
1204+ * This software may be distributed under the terms of the BSD license.
1205+ * See README for more details.
1206+ */
1207+
1208+#include "utils/includes.h"
1209+#include "utils/module_tests.h"
1210+#include "crypto/crypto_module_tests.c"
1211+
1212+int main(int argc, char *argv[])
1213+{
1214+ return crypto_module_tests();
1215+}
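Review bot: `main` passes the result of `crypto_module_tests()` straight through as the process exit status, and only the low 8 bits of that value reach the caller. The return convention of `crypto_module_tests()` is not visible in this hunk; normalising with `return crypto_module_tests() ? 1 : 0;` makes `make run-tests` independent of it. `argc` and `argv` are unused, so `int main(void)` would do. A short comment above `#include "crypto/crypto_module_tests.c"` saying why the source file is included rather than linked would help the next reader.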
1216--- a/tests/test-https.c
1217+++ b/tests/test-https.c
1218@@ -75,7 +75,7 @@ static int https_client(int s, const cha
1219 struct tls_connection *conn;
1220 struct wpabuf *in, *out, *appl;
1221 int res = -1;
1222- int need_more_data;
1223+ int need_more_data = 0;
1224
1225 os_memset(&conf, 0, sizeof(conf));
1226 conf.event_cb = https_tls_event_cb;
1227@@ -93,8 +93,12 @@ static int https_client(int s, const cha
1228
1229 for (;;) {
1230 appl = NULL;
1231+#ifdef CONFIG_TLS_INTERNAL_SERVER
1232 out = tls_connection_handshake2(tls, conn, in, &appl,
1233 &need_more_data);
1234+#else
1235+ out = tls_connection_handshake(tls, conn, in, &appl);
1236+#endif
1237 wpabuf_free(in);
1238 in = NULL;
1239 if (out == NULL) {
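Review bot: In the `#else` branch `need_more_data` is never written, so it keeps the initial 0 and a NULL return from `tls_connection_handshake()` cannot be told apart from "record incomplete, read more". How `out == NULL` is handled lies outside this hunk. The same holds for the decrypt loops in the `@@ -152,11 +156,15` hunk here and the `@@ -147,12 +151,16` hunk of test-https_server.c, where the `if (need_more_data)` that follows is dead in non-internal builds. A comment at the `#else` would record the limitation, e.g. `/* no partial-record indication without the *2 API; need_more_data stays 0 */`. It is also worth confirming that `CONFIG_TLS_INTERNAL_SERVER` is the intended guard for this client-side call, given that the patch adds per-backend `CONFIG_TLS_*` defines elsewhere.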
1240@@ -152,11 +156,15 @@ static int https_client(int s, const cha
1241
1242 wpa_printf(MSG_INFO, "Reading HTTP response");
1243 for (;;) {
1244- int need_more_data;
1245+ int need_more_data = 0;
1246 in = https_recv(s);
1247 if (in == NULL)
1248 goto done;
1249+#ifdef CONFIG_TLS_INTERNAL_SERVER
1250 out = tls_connection_decrypt2(tls, conn, in, &need_more_data);
1251+#else
1252+ out = tls_connection_decrypt(tls, conn, in);
1253+#endif
1254 if (need_more_data)
1255 wpa_printf(MSG_DEBUG, "HTTP: Need more data");
1256 wpabuf_free(in);
1257--- a/tests/test-https_server.c
1258+++ b/tests/test-https_server.c
1259@@ -67,10 +67,12 @@ static struct wpabuf * https_recv(int s,
1260 }
1261
1262
1263+#ifdef CONFIG_TLS_INTERNAL_SERVER
1264 static void https_tls_log_cb(void *ctx, const char *msg)
1265 {
1266 wpa_printf(MSG_DEBUG, "TLS: %s", msg);
1267 }
1268+#endif
1269
1270
1271 static int https_server(int s)
1272@@ -79,7 +81,7 @@ static int https_server(int s)
1273 void *tls;
1274 struct tls_connection_params params;
1275 struct tls_connection *conn;
1276- struct wpabuf *in, *out, *appl;
1277+ struct wpabuf *in = NULL, *out = NULL, *appl = NULL;
1278 int res = -1;
1279
1280 os_memset(&conf, 0, sizeof(conf));
1281@@ -106,7 +108,9 @@ static int https_server(int s)
1282 return -1;
1283 }
1284
1285+#ifdef CONFIG_TLS_INTERNAL_SERVER
1286 tls_connection_set_log_cb(conn, https_tls_log_cb, NULL);
1287+#endif
1288
1289 for (;;) {
1290 in = https_recv(s, 5000);
1291@@ -147,12 +151,16 @@ static int https_server(int s)
1292
1293 wpa_printf(MSG_INFO, "Reading HTTP request");
1294 for (;;) {
1295- int need_more_data;
1296+ int need_more_data = 0;
1297
1298 in = https_recv(s, 5000);
1299 if (!in)
1300 goto done;
1301+#ifdef CONFIG_TLS_INTERNAL_SERVER
1302 out = tls_connection_decrypt2(tls, conn, in, &need_more_data);
1303+#else
1304+ out = tls_connection_decrypt(tls, conn, in);
1305+#endif
1306 wpabuf_free(in);
1307 in = NULL;
1308 if (need_more_data) {
1309--- a/wpa_supplicant/Makefile
1310+++ b/wpa_supplicant/Makefile
1311@@ -1108,6 +1108,7 @@ CFLAGS += -DCONFIG_TLSV12
1312 endif
1313
1314 ifeq ($(CONFIG_TLS), wolfssl)
1315+CFLAGS += -DCONFIG_TLS_WOLFSSL
1316 ifdef TLS_FUNCS
1317 CFLAGS += -DWOLFSSL_DER_LOAD
1318 OBJS += ../src/crypto/tls_wolfssl.o
1319@@ -1123,6 +1124,7 @@ LIBS_p += -lwolfssl -lm
1320 endif
1321
1322 ifeq ($(CONFIG_TLS), openssl)
1323+CFLAGS += -DCONFIG_TLS_OPENSSL
1324 CFLAGS += -DCRYPTO_RSA_OAEP_SHA256
1325 ifdef TLS_FUNCS
1326 CFLAGS += -DEAP_TLS_OPENSSL
1327@@ -1150,6 +1152,7 @@ CFLAGS += -DTLS_DEFAULT_CIPHERS=\"$(CONF
1328 endif
1329
1330 ifeq ($(CONFIG_TLS), mbedtls)
1331+CFLAGS += -DCONFIG_TLS_MBEDTLS
1332 ifndef CONFIG_CRYPTO
1333 CONFIG_CRYPTO=mbedtls
1334 endif
1335@@ -1169,6 +1172,7 @@ endif
1336 endif
1337
1338 ifeq ($(CONFIG_TLS), gnutls)
1339+CFLAGS += -DCONFIG_TLS_GNUTLS
1340 ifndef CONFIG_CRYPTO
1341 # default to libgcrypt
1342 CONFIG_CRYPTO=gnutls
1343@@ -1199,6 +1203,7 @@ endif
1344 endif
1345
1346 ifeq ($(CONFIG_TLS), internal)
1347+CFLAGS += -DCONFIG_TLS_INTERNAL
1348 ifndef CONFIG_CRYPTO
1349 CONFIG_CRYPTO=internal
1350 endif
1351@@ -1279,6 +1284,7 @@ endif
1352 endif
1353
1354 ifeq ($(CONFIG_TLS), linux)
1355+CFLAGS += -DCONFIG_TLS_INTERNAL
1356 OBJS += ../src/crypto/crypto_linux.o
1357 OBJS_p += ../src/crypto/crypto_linux.o
1358 ifdef TLS_FUNCS
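Review bot: The `CONFIG_TLS=linux` branch defines `-DCONFIG_TLS_INTERNAL`, the same macro the `internal` branch gets, so code that uses the new `CONFIG_TLS_*` macros cannot tell the two backends apart. If that is intentional because the linux crypto backend reuses the internal TLS implementation (an inference, not shown in this hunk), say so with a comment such as `# linux kernel crypto + internal TLS implementation`. Otherwise a distinct define would avoid selecting internal-only code paths by accident.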