hostap option to use mbedtls (under development)

krishna t krish271828 at gmail.com
Thu Sep 22 12:21:25 PDT 2022


On Fri, Sep 23, 2022 at 12:47 AM krishna t <krish271828 at gmail.com> wrote:
>
> On Thu, Sep 15, 2022 at 2:48 AM <gs-lists-hostap at gluelogic.com> wrote:
> >
> > Greetings!
> >
> > I am a lighttpd developer who has written TLS modules for lighttpd
> > to support OpenSSL, mbed TLS, GnuTLS, WolfSSL, and NSS TLS libraries.
> >
> > I am in the process of porting hostap to have the option to use mbedtls
> > in support of https://github.com/openwrt/openwrt/issues/10303
> >
> > development branch:
> >   https://github.com/gstrauss/hostap/tree/mbedtls  (work in progress)
> >
> > My branch builds with mbedtls 2.27.0 or later, and also with mbedtls 3.x
> >
> > Please note: my effort here is independent from
> >   https://www.spinics.net/lists/hostap/msg09799.html
> >
> >
> > My development branch (work in progress) passes most tests/hwsim
> > tests at the lower layers, though support is limited or incomplete
> > for SAE, DPP, and OWE.  Also, not all src/crypto/tls.h features are
> > implemented.  TLS session ticket and master secret handling is not yet
> > implemented in tls_mbedtls.c for EAP-FAST and EAP-TEAP.
> >
> > Of note, mbedtls_ecp_mul() validates ecp point and bignum params.
> > This leads to some test failures after calls to crypto_ec_point_mul():
> > e.g. 18 of 39 sae tests which fail are due to mbedtls_ecp_mul()
> > rejecting the point param as not being on the curve.  sae_tests() in
> > common_module_tests() fails due to the hard-coded mask in the test not
> > passing mbedtls validation.
> >
> > More testing is needed, as is augmenting existing automated tests.
> >
> >
> > Running tests/hwsim with mbedtls requires following tests/hwsim/README
> > and modifying wpa_supplicant/.config and hostapd/.config to set
> > CONFIG_TLS=mbedtls and to comment out CONFIG_TLS=openssl, or to override
> > the value on the make command line with 'make CONFIG_TLS=mbedtls ...'
> >
> >
> > My development branch also adds the ability for run-tests to test using
> > different crypto libraries (assuming the crypto libraries are installed)
> >   cd tests
> >   for crypto_lib in mbedtls openssl gnutls wolfssl internal; do
> >     make -j 4 CONFIG_TLS=$crypto_lib clean
> >     make -j 4 CONFIG_TLS=$crypto_lib run-tests
> >     make -j 4 CONFIG_TLS=$crypto_lib clean
> >   done
> >
> >
> > Before I post a patch -- which is a work in progress -- containing 6400+
> > lines changed, please let me know if there is a better way to continue
> > development of these patches and to obtain feedback.  (PRs are welcome
> > at https://github.com/gstrauss/hostap to the 'mbedtls' branch)
> Hi Glenn,
>
> I have already submitted a patch which is still under review here
> https://www.spinics.net/lists/hostap/msg09799.html. I am awaiting
> Jouni's response for my comment before submitting the next version.
>
> Please have a look, BTW, it's good to see another user of MbedTLS.
Adding community mail address.
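The quoted message notes that mbedtls_ecp_mul() rejects a point that is not on the curve and a scalar that fails validation, which is what breaks some of the SAE tests and the hard-coded mask in sae_tests(). In mbedtls, mbedtls_ecp_mul() runs mbedtls_ecp_check_privkey() on the scalar (1 <= d < n for short Weierstrass curves) and mbedtls_ecp_check_pubkey() on the point before multiplying, and returns MBEDTLS_ERR_ECP_INVALID_KEY if either fails. The following is an added, self-contained example (not hostap's tls_mbedtls.c and not mbedtls code) that reproduces those two checks in front of a scalar multiplication on a constructed toy curve, y^2 = x^3 + 7 over GF(17), whose group has 18 points. The curve, the point names, the function names and the return codes -1/-2 are all assumptions made for this example; a real integration would call the library and map its error code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy curve for illustration only: y^2 = x^3 + A*x + B over GF(P).
 * With P=17, A=0, B=7 the group has 18 points (including infinity), so N=18. */
#define P 17
#define A 0
#define B 7
#define N 18

typedef struct { int64_t x, y; bool inf; } point;

/* reduce into [0, P) even for negative intermediate values */
static int64_t md(int64_t v) { v %= P; return v < 0 ? v + P : v; }

/* modular inverse by Fermat's little theorem: a^(P-2) mod P (P is prime) */
static int64_t inv(int64_t a) {
    int64_t r = 1, e = P - 2;
    a = md(a);
    while (e) { if (e & 1) r = md(r * a); a = md(a * a); e >>= 1; }
    return r;
}

/* Equivalent of the "pubkey" check: coordinates in range and the point
 * satisfies the curve equation (or is the point at infinity). */
bool ec_check_point(const point *q) {
    if (q->inf) return true;
    if (q->x < 0 || q->x >= P || q->y < 0 || q->y >= P) return false;
    return md(q->y * q->y) == md(q->x * q->x * q->x + A * q->x + B);
}

/* Equivalent of the "privkey" check on a scalar (or SAE mask): 1 <= d < N. */
bool ec_check_scalar(int64_t d) { return d >= 1 && d < N; }

/* affine point addition, including doubling and the P + (-P) = O case */
static point ec_add(point p1, point p2) {
    point inf = { 0, 0, true };
    if (p1.inf) return p2;
    if (p2.inf) return p1;
    int64_t lam;
    if (p1.x == p2.x) {
        if (md(p1.y + p2.y) == 0) return inf;
        lam = md(md(3 * p1.x * p1.x + A) * inv(md(2 * p1.y)));
    } else {
        lam = md(md(p2.y - p1.y) * inv(md(p2.x - p1.x)));
    }
    point r = { 0, 0, false };
    r.x = md(lam * lam - p1.x - p2.x);
    r.y = md(lam * (p1.x - r.x) - p1.y);
    return r;
}

/* Guarded scalar multiplication: refuse to operate on an out-of-range scalar
 * (-1) or an off-curve point (-2), as mbedtls_ecp_mul() does with a single
 * error code; on success (0) *out = d * q via double-and-add. */
int ec_mul(int64_t d, const point *q, point *out) {
    if (!ec_check_scalar(d)) return -1;
    if (!ec_check_point(q)) return -2;
    point r = { 0, 0, true };
    point base = *q;
    for (int64_t k = d; k > 0; k >>= 1) {
        if (k & 1) r = ec_add(r, base);
        base = ec_add(base, base);
    }
    *out = r;
    return 0;
}

int main(void) {
    point g = { 15, 13, false };   /* on the toy curve: 13^2 = 16 = 15^3 + 7 mod 17 */
    point bad = { 1, 1, false };   /* not on the curve: 1 != 1 + 7 mod 17 */
    point r;
    printf("2*G  -> rc=%d (%lld,%lld)\n", ec_mul(2, &g, &r), (long long)r.x, (long long)r.y);
    printf("17*G -> rc=%d (%lld,%lld)\n", ec_mul(17, &g, &r), (long long)r.x, (long long)r.y);
    printf("0*G  -> rc=%d\n", ec_mul(0, &g, &r));
    printf("3*bad -> rc=%d\n", ec_mul(3, &bad, &r));
    return 0;
}
```

The rejected cases are the ones that matter for a port: a caller that previously relied on crypto_ec_point_mul() accepting an arbitrary point or mask now gets an error instead of a result, so test vectors built around unvalidated inputs (such as the hard-coded mask in sae_tests()) have to be replaced with values that pass the same checks a real peer's input would be held to.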