[PATCH 0/3] Support TLS/SSL and WPA3-Personal/SAE by default
Petr Štetiar
ynezz at true.cz
Fri Jul 24 10:29:37 EDT 2020
Hi,
it has been discussed several times and some of the core developers would like to
include SSL/TLS and WPA3-Personal/SAE support in the next release as we've
dropped support for 4/32M devices officially with 19.07 and it's time to move
on and improve the default security features in official images.
wolfSSL and mbed TLS were pre-selected as possible crypto libraries due to the
size. mbed TLS currently lacks support in hostapd so I went with wolfSSL for
the start.
In order to keep the size as small as possible I've created a
`wpad-basic-wolfssl` variant of the currently shipped `wpad-basic` package which
just adds support for SAE.
I've tested the patchset on my Rambutan board with `sae` and `sae-mixed`
encryption settings against my Android 10 phone and installed a random package
with opkg over HTTPS.
Size comparison of openwrt-ath79-nand-8dev_rambutan-squashfs-factory.bin:
5373952 bytes for wolfSSL enabled image
5111808 bytes for current image as of r13926-f94b09867d
-------
262144 bytes is the difference
I think that those numbers are not that bad if you consider that the
following patchset adds ca-certificates, libustream-wolfssl, libwolfssl and
wpad-basic-wolfssl into default packages.
Cheers,
Petr
Petr Štetiar (3):
hostapd: add wpad-basic-wolfssl variant
treewide: use wpad-basic-wolfssl as default
treewide: switch to HTTPS by default
README | 2 +-
include/target.mk | 8 +-
include/version.mk | 2 +-
package/network/services/hostapd/Config.in | 2 +
package/network/services/hostapd/Makefile | 20 +++
target/linux/apm821xx/image/sata.mk | 2 +-
target/linux/apm821xx/nand/target.mk | 2 +-
.../apm821xx/sata/profiles/00-default.mk | 2 +-
target/linux/ar71xx/generic/target.mk | 2 +-
target/linux/ar71xx/image/generic.mk | 4 +-
target/linux/ar71xx/mikrotik/target.mk | 2 +-
target/linux/ar71xx/nand/target.mk | 2 +-
.../arc770/generic/profiles/00-default.mk | 2 +-
.../archs38/generic/profiles/00-default.mk | 2 +-
target/linux/ath79/generic/target.mk | 2 +-
target/linux/ath79/image/generic.mk | 2 +-
target/linux/ath79/mikrotik/target.mk | 2 +-
target/linux/ath79/nand/target.mk | 2 +-
target/linux/bcm27xx/image/Makefile | 8 +-
.../generic/profiles/101-Broadcom-wl.mk | 2 +-
.../generic/profiles/105-Broadcom-none.mk | 2 +-
.../generic/profiles/201-Broadcom-b44-wl.mk | 2 +-
.../generic/profiles/205-Broadcom-b44-none.mk | 2 +-
.../generic/profiles/211-Broadcom-tg3-wl.mk | 2 +-
.../generic/profiles/215-Broadcom-tg3-none.mk | 2 +-
.../generic/profiles/221-Broadcom-bgmac-wl.mk | 2 +-
.../profiles/225-Broadcom-bgmac-none.mk | 2 +-
.../bcm47xx/generic/profiles/PS-1208MFG.mk | 2 +-
target/linux/bcm47xx/generic/target.mk | 2 +-
.../mips74k/profiles/102-Broadcom-wl.mk | 2 +-
.../mips74k/profiles/103-Broadcom-none.mk | 2 +-
target/linux/bcm47xx/mips74k/target.mk | 2 +-
target/linux/bcm53xx/image/Makefile | 2 +-
target/linux/bcm63xx/image/Makefile | 10 +-
target/linux/bcm63xx/profiles/default.mk | 2 +-
target/linux/cns3xxx/Makefile | 2 +-
target/linux/ipq40xx/Makefile | 2 +-
target/linux/ipq806x/Makefile | 2 +-
target/linux/kirkwood/image/Makefile | 6 +-
target/linux/kirkwood/profiles/00-default.mk | 2 +-
target/linux/lantiq/image/ar9.mk | 18 +--
target/linux/lantiq/image/danube.mk | 24 ++--
target/linux/lantiq/image/tp-link.mk | 8 +-
target/linux/lantiq/image/vr9.mk | 30 ++---
target/linux/lantiq/image/xway_legacy.mk | 2 +-
target/linux/malta/Makefile | 2 +-
target/linux/mediatek/mt7622/target.mk | 2 +-
target/linux/mpc85xx/Makefile | 2 +-
target/linux/mvebu/image/cortexa9.mk | 4 +-
target/linux/omap/profiles/00-default.mk | 2 +-
target/linux/oxnas/image/ox820.mk | 2 +-
target/linux/ramips/image/mt7620.mk | 2 +-
target/linux/ramips/image/mt7621.mk | 124 +++++++++---------
target/linux/ramips/mt7620/target.mk | 2 +-
target/linux/ramips/mt76x8/target.mk | 2 +-
target/linux/rb532/Makefile | 2 +-
target/linux/sunxi/image/cortexa7.mk | 8 +-
target/linux/sunxi/profiles/00-default.mk | 2 +-
target/linux/uml/Makefile | 2 +-
59 files changed, 195 insertions(+), 169 deletions(-)