[PATCH] Fix TLS 1.3 and OCSP stapling with wolfSSL

Juliusz Sosinowicz juliusz at wolfssl.com
Mon Apr 25 07:09:13 PDT 2022


---
 src/crypto/tls_wolfssl.c    | 18 +++++++++++++-----
 tests/hwsim/test_ap_eap.py  |  6 +++---
 tests/hwsim/test_suite_b.py |  2 ++
 3 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c
index fe6a28162c..31f0bd8f3c 100644
--- a/src/crypto/tls_wolfssl.c
+++ b/src/crypto/tls_wolfssl.c
@@ -554,11 +554,13 @@ int tls_connection_shutdown(void *tls_ctx, struct tls_connection *conn)
 	wolfSSL_set_quiet_shutdown(conn->ssl, 1);
 	wolfSSL_shutdown(conn->ssl);
 
-	session = wolfSSL_get_session(conn->ssl);
-	if (wolfSSL_clear(conn->ssl) != 1)
+	session = wolfSSL_get1_session(conn->ssl);
+	if (wolfSSL_clear(conn->ssl) != 1) {
+		wolfSSL_SESSION_free(session);
 		return -1;
+	}
 	wolfSSL_set_session(conn->ssl, session);
-
+	wolfSSL_SESSION_free(session);
 	return 0;
 }
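Review bot: `wolfSSL_get1_session()` on the new line can return NULL when no session has been established on this connection, and the result is handed to `wolfSSL_set_session()` unchecked, with that call's return value also ignored; `wolfSSL_SESSION_free(NULL)` is harmless, but a failed `wolfSSL_set_session()` silently leaves the connection without the session the shutdown path is trying to keep for resumption. Since the hunk already treats a failed `wolfSSL_clear()` as an error, the same style would be `if (session && wolfSSL_set_session(conn->ssl, session) != 1) { wolfSSL_SESSION_free(session); return -1; }` before the existing free and `return 0`. The body of tls_connection_shutdown begins outside the hunk.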
 
@@ -1495,6 +1497,8 @@ static void tls_set_conn_flags(WOLFSSL *ssl, unsigned int flags)
 		wolfSSL_set_options(ssl, SSL_OP_NO_TLSv1_1);
 	if (flags & TLS_CONN_DISABLE_TLSv1_2)
 		wolfSSL_set_options(ssl, SSL_OP_NO_TLSv1_2);
+	if (flags & TLS_CONN_DISABLE_TLSv1_3)
+		wolfSSL_set_options(ssl, SSL_OP_NO_TLSv1_3);
 }
 
 #ifdef ANDROID
@@ -1921,7 +1925,9 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 					    WOLFSSL_CSR_OCSP_USE_NONCE) !=
 		    SSL_SUCCESS)
 			return -1;
-		wolfSSL_CTX_EnableOCSP(tls_ctx, 0);
+		if (wolfSSL_EnableOCSPStapling(conn->ssl) !=
+		    SSL_SUCCESS)
+			return -1;
 	}
 #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */
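Review bot: The replacement of `wolfSSL_CTX_EnableOCSP(tls_ctx, 0)` by `wolfSSL_EnableOCSPStapling(conn->ssl)` carries no comment explaining why the context-wide OCSP enable is dropped, and the identical replacement is made in the HAVE_CERTIFICATE_STATUS_REQUEST_V2 block of the next hunk. If the intent is that only the stapled response is processed and no separate responder lookup is attempted for wolfSSL, that is worth recording next to the call, e.g. `/* Process the stapled response only; CTX-wide OCSP is not enabled here */`, so the next reader does not re-add the old call. The two blocks now differ only in the request type and could share one small static helper that calls `wolfSSL_EnableOCSPStapling()` and returns the same `-1` on failure. tls_connection_set_params begins and ends outside these hunks.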
 #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
@@ -1930,7 +1936,9 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 					      WOLFSSL_CSR2_OCSP_MULTI, 0) !=
 		    SSL_SUCCESS)
 			return -1;
-		wolfSSL_CTX_EnableOCSP(tls_ctx, 0);
+		if (wolfSSL_EnableOCSPStapling(conn->ssl) !=
+		    SSL_SUCCESS)
+			return -1;
 	}
 #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
 #if !defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \
diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py
index 757cb5399b..55519c28e8 100644
--- a/tests/hwsim/test_ap_eap.py
+++ b/tests/hwsim/test_ap_eap.py
@@ -89,8 +89,8 @@ def check_ocsp_support(dev):
     #    raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
     #if "BoringSSL" in tls:
     #    raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
-    if tls.startswith("wolfSSL"):
-        raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
+    #if tls.startswith("wolfSSL"):
+    #    raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
 
 def check_pkcs5_v15_support(dev):
     tls = dev.request("GET tls_library")
@@ -99,7 +99,7 @@ def check_pkcs5_v15_support(dev):
 
 def check_tls13_support(dev):
     tls = dev.request("GET tls_library")
-    if "run=OpenSSL 1.1.1" not in tls and "run=OpenSSL 3.0" not in tls:
+    if "run=OpenSSL 1.1.1" not in tls and "run=OpenSSL 3.0" not in tls and "wolfSSL" not in tls:
         raise HwsimSkip("TLS v1.3 not supported")
 
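Review bot: The new `"wolfSSL" not in tls` clause in check_tls13_support treats every wolfSSL build as TLS 1.3-capable, while the OpenSSL conditions on the same line pin specific versions, so a wolfSSL build without TLS 1.3 would now fail these tests instead of being skipped. The previous hunk has the same issue: the wolfSSL OCSP skip is commented out unconditionally, although the C change guards its stapling code with HAVE_CERTIFICATE_STATUS_REQUEST. If `GET tls_library` reports build features for wolfSSL, matching on those would be more precise; otherwise a short comment such as `# wolfSSL builds used by hwsim are assumed to have TLS 1.3 and OCSP stapling enabled` would record the assumption. Leaving the old skip as commented-out lines follows the file's existing pattern but keeps dead code around; deleting it would be cleaner.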
 def check_ocsp_multi_support(dev):
diff --git a/tests/hwsim/test_suite_b.py b/tests/hwsim/test_suite_b.py
index 2b3c30fc19..f3b6be50cd 100644
--- a/tests/hwsim/test_suite_b.py
+++ b/tests/hwsim/test_suite_b.py
@@ -24,6 +24,8 @@ def check_suite_b_tls_lib(dev, dhe=False, level128=False):
     tls = dev[0].request("GET tls_library")
     if tls.startswith("GnuTLS"):
         return
+    if tls.startswith("wolfSSL"):
+        return
     if not tls.startswith("OpenSSL"):
         raise HwsimSkip("TLS library not supported for Suite B: " + tls)
     supported = False
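Review bot: The new early `return` for wolfSSL bypasses the capability checks that follow for OpenSSL (the `supported = False` logic starting on the hunk's last line) and ignores the `dhe` and `level128` parameters, so a wolfSSL build lacking a given Suite B cipher suite would fail the test rather than raise HwsimSkip. This mirrors the existing GnuTLS early return, so it may be intentional, but a comment would make that explicit: `# wolfSSL: Suite B suites assumed available; no per-suite check here`. check_suite_b_tls_lib continues past the hunk.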
-- 
2.25.1



