[PATCH] Fix TLS 1.3 and OCSP stapling with wolfSSL
Juliusz Sosinowicz
juliusz at wolfssl.com
Mon Apr 25 07:18:49 PDT 2022
Uses the changes to wolfSSL found in https://github.com/wolfSSL/wolfssl/pull/5078
Signed-off-by: Juliusz Sosinowicz <juliusz at wolfssl.com>
---
src/crypto/tls_wolfssl.c | 18 +++++++++++++-----
tests/hwsim/test_ap_eap.py | 6 +++---
tests/hwsim/test_suite_b.py | 2 ++
3 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c
index fe6a28162c..31f0bd8f3c 100644
--- a/src/crypto/tls_wolfssl.c
+++ b/src/crypto/tls_wolfssl.c
@@ -554,11 +554,13 @@ int tls_connection_shutdown(void *tls_ctx, struct tls_connection *conn)
wolfSSL_set_quiet_shutdown(conn->ssl, 1);
wolfSSL_shutdown(conn->ssl);
- session = wolfSSL_get_session(conn->ssl);
- if (wolfSSL_clear(conn->ssl) != 1)
+ session = wolfSSL_get1_session(conn->ssl);
+ if (wolfSSL_clear(conn->ssl) != 1) {
+ wolfSSL_SESSION_free(session);
return -1;
+ }
wolfSSL_set_session(conn->ssl, session);
-
+ wolfSSL_SESSION_free(session);
return 0;
}
@@ -1495,6 +1497,8 @@ static void tls_set_conn_flags(WOLFSSL *ssl, unsigned int flags)
wolfSSL_set_options(ssl, SSL_OP_NO_TLSv1_1);
if (flags & TLS_CONN_DISABLE_TLSv1_2)
wolfSSL_set_options(ssl, SSL_OP_NO_TLSv1_2);
+ if (flags & TLS_CONN_DISABLE_TLSv1_3)
+ wolfSSL_set_options(ssl, SSL_OP_NO_TLSv1_3);
}
#ifdef ANDROID
@@ -1921,7 +1925,9 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
WOLFSSL_CSR_OCSP_USE_NONCE) !=
SSL_SUCCESS)
return -1;
- wolfSSL_CTX_EnableOCSP(tls_ctx, 0);
+ if (wolfSSL_EnableOCSPStapling(conn->ssl) !=
+ SSL_SUCCESS)
+ return -1;
}
#endif /* HAVE_CERTIFICATE_STATUS_REQUEST */
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
@@ -1930,7 +1936,9 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
WOLFSSL_CSR2_OCSP_MULTI, 0) !=
SSL_SUCCESS)
return -1;
- wolfSSL_CTX_EnableOCSP(tls_ctx, 0);
+ if (wolfSSL_EnableOCSPStapling(conn->ssl) !=
+ SSL_SUCCESS)
+ return -1;
}
#endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
#if !defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \
diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py
index 757cb5399b..55519c28e8 100644
--- a/tests/hwsim/test_ap_eap.py
+++ b/tests/hwsim/test_ap_eap.py
@@ -89,8 +89,8 @@ def check_ocsp_support(dev):
# raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
#if "BoringSSL" in tls:
# raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
- if tls.startswith("wolfSSL"):
- raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
+ #if tls.startswith("wolfSSL"):
+ # raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
def check_pkcs5_v15_support(dev):
tls = dev.request("GET tls_library")
@@ -99,7 +99,7 @@ def check_pkcs5_v15_support(dev):
def check_tls13_support(dev):
tls = dev.request("GET tls_library")
- if "run=OpenSSL 1.1.1" not in tls and "run=OpenSSL 3.0" not in tls:
+ if "run=OpenSSL 1.1.1" not in tls and "run=OpenSSL 3.0" not in tls and "wolfSSL" not in tls:
raise HwsimSkip("TLS v1.3 not supported")
def check_ocsp_multi_support(dev):
diff --git a/tests/hwsim/test_suite_b.py b/tests/hwsim/test_suite_b.py
index 2b3c30fc19..f3b6be50cd 100644
--- a/tests/hwsim/test_suite_b.py
+++ b/tests/hwsim/test_suite_b.py
@@ -24,6 +24,8 @@ def check_suite_b_tls_lib(dev, dhe=False, level128=False):
tls = dev[0].request("GET tls_library")
if tls.startswith("GnuTLS"):
return
+ if tls.startswith("wolfSSL"):
+ return
if not tls.startswith("OpenSSL"):
raise HwsimSkip("TLS library not supported for Suite B: " + tls)
supported = False
--
2.25.1
More information about the Hostap
mailing list