[PATCH] Implement new functions for EAP:

Juliusz Sosinowicz juliusz at wolfssl.com
Fri May 6 03:25:07 PDT 2022

Hi Jouni,

I believe that we have a proposed fix for the memory leak you found. The 
issue happens to be in our library. You can find it and test it here: 


On 20/04/2022 11:01, Juliusz Sosinowicz wrote:
> Hi Jouni,
> thank you for your feedback. We are aware of the issue with TLS 1.3 in 
> wpa_supplicant with wolfSSL. We have put in work to fix this and I am 
> preparing another patch that will add TLS 1.3 support along with a few 
> other new features when using wolfSSL as the crypto/TLS backend.
> This memory leak hasn't been reported before. I will fix it and 
> include it in the upcoming patch.
> Sincerely
> Juliusz Sosinowicz
> On 18/04/2022 16:09, Jouni Malinen wrote:
>> On Thu, Aug 26, 2021 at 11:25:34AM +0200, Juliusz Sosinowicz wrote:
>>> - `tls_get_tls_unique`
>>> - `tls_connection_get_cipher_suite`
>>> - `tls_connection_get_peer_subject`
>>> - `tls_connection_get_own_cert_used`
>>> The necessary wolfSSL changes are located in 
>>> https://github.com/wolfSSL/wolfssl/pull/4205 .
>> Thanks, applied with some cleanup in a number of separate commits.
>> While testing these with various wolfSSL versions, I noticed that there
>> were some regressions or old issues being revealed by additional
>> functionality getting enabled. I fixed some of these, but it looks like
>> there is still something wrong going on whenever TLS 1.3 is enabled and
>> the wpa_supplicant mechanism of disabling that by default not working
>> with wolfSSL. I ended up doing most of the testing with --disable-tls13
>> build of wolfSSL to verify previously working functionality.
>> As far as the now enabled TLS session resumption and caching is
>> concerned, it looks looks like there might be a memory leak in the
>> WOLFSSL_SESSION ex_data handling. tls_connection_set_success_data() adds
>> a heap allocated memory pointer with wolfSSL_SESSION_set_ex_data() and
>> that buffer is not always cleared. It looks like remove_session_cb() is
>> supposed to do that, but there is no mechanism to force that to happen
>> when exiting the process. It looks like there is
>> wolfSSL_flush_sessions(), but that is not called and even it it were,
>> the current implementation of it does not really do anything. I'm not
>> sure whether this is a real memory leak in the sense of each session
>> leaking one instance or whether this just shows up since the session
>> entry has not timed out and it would have been freed when processing the
>> eventual timeout.

More information about the Hostap mailing list