Proposed Patch: Support for wolfSSL
Jouni Malinen
j at w1.fi
Sat Mar 3 11:19:07 PST 2018
On Thu, Jan 18, 2018 at 12:26:39PM +1000, Sean Parkinson wrote:
> I’ve prepared a new patch with the changes as asked for by Jouni.
>
> This patch was written to allow hostap to be compiled with the wolfSSL cryptography and TLS library.
Thanks! I'm seeing a number of errors in the hwsim test cases, but it
looks like it is easiest to move ahead with this if I push in the
cleaned up version that I've been testing with some fixes to avoid
breaking non-wolfSSL builds. I'd welcome any incremental changes on top
of the current hostap.git master branch snapshot to address things that
I list below or maybe a recommendation on how to configure the wolfSSL
build properly to avoid the issues. I ran my tests with wolfSSL 3.13.0
and ended up adding various configure options until the build went
through cleanly. This ended up with the following options:
./configure --prefix=/home/jm/wolfssl/3.13.0 --enable-des3 --enable-md4 --enable-harden --enable-pwdbased --enable-tlsv10 --enable-oldtls --enable-cmac --enable-aeskeywrap --enable-keygen --enable-crl --enable-ocsp --enable-ocspstapling --enable-ocspstapling2 --enable-pkcallbacks --enable-tls13 --enable-fortress --enable-wpas --enable-static=yes --enable-shared=no
These are the notes from my hwsim test runs:
SAE:
- SAE: Could not solve y
- SAE: Could not pick PWE
  --> check crypto_ec_point_solve_y_coord() implementation
      (wc_ecc_import_point_der() returns -1)
    sae
    sae_anti_clogging
    sae_anti_clogging_proto
    sae_bignum_failure
    sae_forced_anti_clogging
    sae_group_nego
    sae_groups
    sae_invalid_anti_clogging_token_req
    sae_key_lifetime_in_memory
    sae_mixed
    sae_mixed_mfp
    sae_no_random
    sae_oom_wpas
    sae_password
    sae_password_ecc
    sae_password_long
    sae_password_short
    sae_pmksa_caching
    sae_pmksa_caching_disabled
    sae_proto_confirm_replay
    sae_proto_ecc
    sae_pwe_failure
    ap_ft_sae
    ap_ft_sae_over_ds
    sigma_dut_ap_psk_sae
    sigma_dut_ap_sae
    sigma_dut_ap_sae_group
    sigma_dut_ap_sae_password
    sigma_dut_sae
    sigma_dut_sae_password
    wpas_mesh_password_mismatch
    mesh_forwarding_secure
    ap_mixed_security
TLS interop(?) issue with OpenSSL server:
- OpenSSL server:
  * SSL: SSL3 alert: write (local SSL3 detected an error):fatal:bad record mac
  * SSL: SSL_accept:error in SSLv3 read finished A
  * OpenSSL: openssl_handshake - SSL_connect error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
    ap_hs20_remediation_sql
    eap_tls_no_session_resumption_radius
    authsrv_testing_options
    ap_wpa2_eap_tls_versions

OpenSSL authentication server:
- OpenSSL: openssl_handshake - SSL_connect error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
    ap_wpa2_eap_ttls_dh_params
    ap_wpa2_eap_ttls_dh_params_blob
    ap_wpa2_eap_ttls_dh_params_dsa

OpenSSL authentication server:
- TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0 for '/C=FI/O=w1.fi/CN=user.w1.fi'
- SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
- OpenSSL: openssl_handshake - SSL_connect error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
    ap_wpa2_eap_tls_intermediate_ca
    ap_wpa2_eap_tls_intermediate_ca_ocsp_sha1
    ap_wpa2_eap_tls_intermediate_ca_ocsp
    ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked
    ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked_sha1
TLS: tls_verify_cb - preverify_ok=1 err=0 (unknown error number) ca_cert_verify=1 depth=0 buf='/C=FI/O=w1.fi/CN=server.w1.fi'
TLS: altSubjectName match 'EMAIL:noone at example.com;DNS:server.w1.fi;URI:http://example.com/' not found
wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=6 depth=0 subject='/C=FI/O=w1.fi/CN=server.w1.fi' err='AltSubject mismatch'
    ap_wpa2_eap_ttls_pap_subject_match

TLS: tls_verify_cb - preverify_ok=1 err=0 (unknown error number) ca_cert_verify=1 depth=0 buf='/C=FI/O=w1.fi/CN=server.w1.fi'
TLS: altSubjectName match 'EMAIL:noone at example.com;URI:http://example.com/;DNS:server.w1.fi' not found
wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=6 depth=0 subject='/C=FI/O=w1.fi/CN=server.w1.fi' err='AltSubject mismatch'
    ap_wpa2_eap_ttls_chap_altsubject_match

TLS: Certificate verification failed, error -407 (Invalid OCSP Status Error) depth 2 for '/C=FI/O=w1.fi/CN=server.w1.fi'
    ap_wpa2_eap_ttls_ocsp_revoked
    ap_wpa2_eap_ttls_ocsp_unknown
    ap_wpa2_eap_ttls_optional_ocsp_unknown

Missing altsubject in D-Bus output?!
    dbus_connect_eap

DH: crypto_dh_derive_secret failed
    eap_proto_ikev2

TLS: Certificate verification failed, error -238 (ASN CA path length larger than signer error) depth 2 for '/C=FI/O=w1.fi/CN=sha384.server.w1.fi'
    eap_tls_sha384
    eap_tls_sha512

GET_FAIL/GET_ALLOC_FAIL failure did not trigger:
    radius_mppe_failure
    authsrv_oom
--
Jouni Malinen PGP id EFC895FA
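Added illustration, not part of this thread or of hostap's code, of what the "altSubjectName match ... not found" lines above are checking: the rule modelled here is an assumption about hostap's OpenSSL backend (the certificate is accepted if any one ';'-separated EMAIL:/DNS:/URI: entry equals a SAN of the same type, and a ';' not followed by a type prefix belongs to the current value), run against a constructed SAN list in place of a real certificate.

```c
#include <string.h>
/* Constructed SAN entries standing in for those hostap reads from the
 * server certificate through its TLS backend (EMAIL/DNS/URI types). */
struct san { const char *type; const char *value; };
static const struct san cert_sans[] = {
	{ "DNS", "server.w1.fi" },
	{ "EMAIL", "noone@example.com" },
	{ "URI", "http://example.com/" },
};
#define NUM_SANS (sizeof(cert_sans) / sizeof(cert_sans[0]))

/* Length of an EMAIL:/DNS:/URI: prefix at pos (0 if none); sets *type. */
static size_t entry_prefix(const char *pos, const char **type)
{
	if (strncmp(pos, "EMAIL:", 6) == 0) { *type = "EMAIL"; return 6; }
	if (strncmp(pos, "DNS:", 4) == 0) { *type = "DNS"; return 4; }
	if (strncmp(pos, "URI:", 4) == 0) { *type = "URI"; return 4; }
	return 0;
}

/* 1 if the certificate has a SAN of this type equal to value[0..len). */
static int san_component_match(const char *type, const char *value, size_t len)
{
	for (size_t i = 0; i < NUM_SANS; i++)
		if (strcmp(cert_sans[i].type, type) == 0 &&
		    strlen(cert_sans[i].value) == len &&
		    memcmp(cert_sans[i].value, value, len) == 0)
			return 1;
	return 0;
}

/* altsubject_match semantics (assumed, see lead-in): ';'-separated typed
 * entries, accept if ANY entry matches a SAN. A ';' not followed by a type
 * prefix is part of the current value (URIs may contain ';'), hence the
 * look-ahead. An entry without a known prefix is invalid and rejects. */
int altsubject_match(const char *match)
{
	const char *pos = match, *end, *type, *next;
	size_t plen, len;
	for (;;) {
		plen = entry_prefix(pos, &type);
		if (plen == 0) return 0; /* no EMAIL:/DNS:/URI: type: invalid entry */
		pos += plen;
		end = strchr(pos, ';');
		while (end && entry_prefix(end + 1, &next) == 0)
			end = strchr(end + 1, ';');
		len = end ? (size_t) (end - pos) : strlen(pos);
		if (san_component_match(type, pos, len)) return 1;
		if (!end) return 0; /* last entry checked, nothing matched */
		pos = end + 1;
	}
}
```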