[PATCH 01/12] Print ciphersuites in wolfSSL
Juliusz Sosinowicz
juliusz at wolfssl.com
Thu Apr 4 11:40:04 PDT 2024
Hi Jouni,
it's taken me a while but I was able to fix the failing tests, fixing
bugs and implementing new features. The large patchset I just sent
passes all tests except the following:
- ap_wpa2_eap_tls_ec_and_rsa
- ap_wpa2_eap_tls_rsa_and_ec
  - wolfSSL does not support loading multiple certs into one
    object. This could be implemented by lazily loading the appropriate
    certificate by using wolfSSL_get_ciphersuite_info and
    wolfSSL_get_sigalg_info to determine the ciphersuite and sigalgs, but
    this is still on the roadmap.
- ap_wpa2_eap_ttls_optional_ocsp_unknown
  - wolfSSL does not support recovering from an OCSP error dynamically.
- OCSP tests with sha256
  - wolfSSL only works with sha-1 (although it can be changed to
    sha256 at compile time) signatures in OCSP responses. Being signature
    algorithm agnostic has been in our backlog for a while now.
The wolfSSL dev branch to use for testing is
https://github.com/julek-wolfssl/wolfssl/tree/hostap.
The wolfSSL configuration I used is:
--enable-wpas --enable-wpas-dpp --enable-brainpool
--with-eccminsz=192 --enable-tlsv10 --enable-oldtls
'CPPFLAGS=-DWOLFSSL_STATIC_RSA'
Sincerely
Juliusz
On 04/11/2023 18:01, Jouni Malinen wrote:
> Thanks, applied the full series with some cleanup and fixes. The last
> patches in this series were quite inconvenient to review since there was
> a mix of refactoring and functional changes in the same patch and also
> cases where some FIPS cases were first removed and then re-added in a
> later patch in the same series. I ended up splitting those quite
> differently for the commit to make the real changes easier to
> understand.
>
> This broke the build with wolfSSL 5.2.0 which was the version I used
> when testing the functionality last time. I ended up adding a simple
> wrapper function based on the library version to try to work around that
> for now. I'm not sure whether 5.2.0 is considered supported anymore, so
> it might be fine to remove that wrapper if that is considered obsolete.
>
> In addition, I ran the full hwsim test case set with wolfSSL 5.5.4 on
> the STA side and OpenSSL on the AP and authentication server. The
> following test cases are failing likely due to some missing
> functionality. I did not look at the details, though.
>
> ap_wpa2_eap_fast_binary_pac
> ap_wpa2_eap_fast_binary_pac_errors
> ap_wpa2_eap_fast_cipher_suites
> ap_wpa2_eap_fast_eap_aka
> ap_wpa2_eap_fast_eap_sim
> ap_wpa2_eap_fast_gtc_auth_prov
> ap_wpa2_eap_fast_mschapv2_unauth_prov
> ap_wpa2_eap_fast_pac_file
> ap_wpa2_eap_fast_pac_lifetime
> ap_wpa2_eap_fast_pac_refresh
> ap_wpa2_eap_fast_pac_truncate
> ap_wpa2_eap_fast_prf_oom
> ap_wpa2_eap_fast_prov
> ap_wpa2_eap_fast_server_oom
> ap_wpa2_eap_fast_text_pac_errors
> ap_wpa2_eap_tls_ec_and_rsa
> ap_wpa2_eap_tls_intermediate_ca_ocsp
> ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked
> ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked_sha1
> ap_wpa2_eap_tls_rsa_and_ec
> ap_wpa2_eap_tls_versions
> ap_wpa2_eap_tls_versions_server
> ap_wpa2_eap_ttls_expired_cert
> ap_wpa2_eap_ttls_ignore_expired_cert
> ap_wpa2_eap_ttls_ocsp_revoked
> ap_wpa2_eap_ttls_ocsp_unknown
> ap_wpa2_eap_ttls_optional_ocsp_unknown
> ap_wpa2_eap_ttls_pap_check_cert_subject_neg
> dpp_peer_intro_failures
> dpp_pkex_hostapd_initiator
> eap_fast_proto_phase2
> eap_fast_tlv_nak_oom
> eap_mschapv2_errors
> eap_proto_fast_errors
> eap_teap_tls_cs_sha1
> eap_teap_tls_cs_sha256
> eap_teap_tls_cs_sha384
> fils_sk_pfs_25
> openssl_ecdh_curves
> owe_invalid_assoc_resp
> sae_bignum_failure
> sae_no_ffc_by_default
> sae_password_ffc
> sae_pwe_failure
> sae_pwe_group_14
> sae_pwe_group_15
> sae_pwe_group_16
> sae_pwe_group_23
> sae_pwe_group_24
> sae_pwe_group_25
> sae_pwe_group_5
> sae_reflection_attack_ffc
> sae_reflection_attack_ffc_internal
> sigma_dut_ap_cipher_ccmp_128
> sigma_dut_ap_cipher_ccmp_256
> sigma_dut_ap_cipher_ccmp_gcmp_1
> sigma_dut_ap_cipher_ccmp_gcmp_2
> sigma_dut_ap_cipher_gcmp_128
> sigma_dut_ap_cipher_gcmp_256
> sigma_dut_ap_cipher_gcmp_256_group_ccmp
> sigma_dut_ap_suite_b
> sigma_dut_eap_aka
> sigma_dut_eap_ttls
> sigma_dut_eap_ttls_uosc
> sigma_dut_eap_ttls_uosc_ca_mistrust
> sigma_dut_suite_b
> suite_b
> suite_b_192
> suite_b_192_mic_failure
> suite_b_192_okc
> suite_b_192_pmkid_failure
> suite_b_192_pmksa_caching_roam
> suite_b_192_radius
> suite_b_192_rsa
> suite_b_192_rsa_dhe
> suite_b_192_rsa_ecdhe
> suite_b_192_rsa_insufficient_dh
> suite_b_192_rsa_insufficient_key
> suite_b_192_rsa_radius
> suite_b_192_rsa_tls_13
> suite_b_mic_failure
> suite_b_pmkid_failure
> suite_b_radius
>