[PATCH] wolfssl: Implement EAP-FAST

Juliusz Sosinowicz juliusz at wolfssl.com
Wed May 28 05:15:50 PDT 2025


Would it be possible to apply this patch and the 
"run_ap_wpa2_eap_tls_intermediate_ca_ocsp[_revoked]: fix cert config for 
wolfSSL" patch please?

Sincerely
Juliusz Sosinowicz

On 04/03/2025 14:11, Juliusz Sosinowicz wrote:
> Add tls_session_ticket_ext_cb and use the new wolfSSL_set_session_ticket_ext_cb API.
>
> Signed-off-by: Juliusz Sosinowicz <juliusz at wolfssl.com>
> ---
>   src/crypto/tls_wolfssl.c | 75 ++++++++++++++++++++++++++++++----------
>   1 file changed, 57 insertions(+), 18 deletions(-)
>
> diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c
> index 3bf52d64eb..c6a801a2e5 100644
> --- a/src/crypto/tls_wolfssl.c
> +++ b/src/crypto/tls_wolfssl.c
> @@ -94,7 +94,8 @@ struct tls_connection {
>   #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
>   	tls_session_ticket_cb session_ticket_cb;
>   	void *session_ticket_cb_ctx;
> -	byte session_ticket[SESSION_TICKET_LEN];
> +	u8 *session_ticket;
> +	size_t session_ticket_len;
>   #endif
>   	unsigned int ca_cert_verify:1;
>   	unsigned int cert_probe:1;
> @@ -545,6 +546,7 @@ void tls_connection_deinit(void *tls_ctx, struct tls_connection *conn)
>   	os_free(conn->domain_match);
>   	os_free(conn->peer_subject);
>   	os_free(conn->check_cert_subject);
> +	os_free(conn->session_ticket);
>   
>   	/* self */
>   	os_free(conn);
> @@ -2534,7 +2536,8 @@ int tls_connection_get_eap_fast_key(void *tls_ctx, struct tls_connection *conn,
>   }
>   
>   
> -#if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
> +#if LIBWOLFSSL_VERSION_HEX >= 0x05007002 && \
> +    (defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST))
>   
>   int tls_connection_client_hello_ext(void *ssl_ctx, struct tls_connection *conn,
>   				    int ext_type, const u8 *data,
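Review bot: The new version gate at the `#if` has no explanation, while the matching gate later in the same file is introduced with `/* wolfSSL_set_session_ticket_ext_cb added in wolfSSL 5.7.2 */`; repeating that comment here would tell a reader why `tls_connection_client_hello_ext` and the two callbacks disappear entirely when building against an older wolfSSL. Since the block is compiled out rather than failing the build, it may also be worth a `wpa_printf` or a build-time note that EAP-FAST is unavailable below 5.7.2, as the only runtime symptom is `tls_connection_set_session_ticket_cb` returning -1. The declaration of `tls_connection_client_hello_ext` continues past the end of the hunk.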
> @@ -2559,33 +2562,60 @@ static int tls_sess_sec_cb(WOLFSSL *s, void *secret, int *secret_len, void *arg)
>   	int ret;
>   	unsigned char client_random[RAN_LEN];
>   	unsigned char server_random[RAN_LEN];
> -	word32 ticket_len = sizeof(conn->session_ticket);
>   
>   	if (!conn || !conn->session_ticket_cb)
> -		return 1;
> +		return -1;
> +
> +	wpa_printf(MSG_DEBUG, "wolfSSL: %s", __func__);
>   
>   	if (wolfSSL_get_client_random(s, client_random,
>   				      sizeof(client_random)) == 0 ||
>   	    wolfSSL_get_server_random(s, server_random,
> -				      sizeof(server_random)) == 0 ||
> -	    wolfSSL_get_SessionTicket(s, conn->session_ticket,
> -				      &ticket_len) != 1)
> -		return 1;
> -
> -	if (ticket_len == 0)
> -		return 0;
> +				      sizeof(server_random)) == 0)
> +		return -1;
>   
>   	ret = conn->session_ticket_cb(conn->session_ticket_cb_ctx,
> -				      conn->session_ticket, ticket_len,
> +				      conn->session_ticket, conn->session_ticket_len,
>   				      client_random, server_random, secret);
> +
> +	wpa_printf(MSG_DEBUG, "wolfSSL: %s conn->session_ticket_cb: %d", __func__, ret);
> +
> +	os_free(conn->session_ticket);
> +	conn->session_ticket = NULL;
> +
>   	if (ret <= 0)
> -		return 1;
> +		return -1;
>   
>   	*secret_len = SECRET_LEN;
>   	return 0;
>   }
>   
> -#endif /* EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST */
> +static int tls_session_ticket_ext_cb(SSL *s, const unsigned char *data,
> +				     int len, void *arg)
> +{
> +	struct tls_connection *conn = arg;
> +
> +	if (conn == NULL || conn->session_ticket_cb == NULL)
> +		return 0;
> +
> +	wpa_printf(MSG_DEBUG, "wolfSSL: %s: length=%d", __func__, len);
> +
> +	os_free(conn->session_ticket);
> +	conn->session_ticket = NULL;
> +
> +	wpa_hexdump(MSG_DEBUG, "wolfSSL: ClientHello SessionTicket "
> +		    "extension", data, len);
> +
> +	conn->session_ticket = os_memdup(data, len);
> +	if (conn->session_ticket == NULL)
> +		return 0;
> +
> +	conn->session_ticket_len = len;
> +
> +	return 1;
> +}
> +#endif /* LIBWOLFSSL_VERSION_HEX >= 0x05007002 &&
> + 	 	* (EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST) */
>   
>   
>   int tls_connection_set_session_ticket_cb(void *tls_ctx,
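Review bot: `conn->session_ticket_len` is never reset when the ticket is freed at the two `os_free(conn->session_ticket); conn->session_ticket = NULL;` sites, so a later invocation of tls_sess_sec_cb hands `(NULL, stale_len)` to `conn->session_ticket_cb`; add `conn->session_ticket_len = 0;` after each of those resets. The removed `ticket_len == 0` early return distinguished "no ticket offered" from a callback failure, whereas the new code passes a NULL ticket to the callback and returns -1 when it declines; whether wolfSSL then falls back to a full handshake or aborts with a secret-callback error is not visible here and should be confirmed for the no-PAC provisioning path. In tls_session_ticket_ext_cb the `int len` flows into `os_memdup` and a `size_t` field without a sign check, so a `if (len < 0) return 0;` guard before the hexdump would be cheap. The opening lines of tls_sess_sec_cb lie above the hunk.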
> @@ -2593,23 +2623,32 @@ int tls_connection_set_session_ticket_cb(void *tls_ctx,
>   					 tls_session_ticket_cb cb,
>   					 void *ctx)
>   {
> -#if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
> +	/* wolfSSL_set_session_ticket_ext_cb added in wolfSSL 5.7.2 */
> +#if LIBWOLFSSL_VERSION_HEX >= 0x05007002 && \
> +    (defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST))
>   	conn->session_ticket_cb = cb;
>   	conn->session_ticket_cb_ctx = ctx;
>   
>   	if (cb) {
>   		if (wolfSSL_set_session_secret_cb(conn->ssl, tls_sess_sec_cb,
> -						  conn) != 1)
> +				conn) != 1)
> +			return -1;
> +		if (wolfSSL_set_session_ticket_ext_cb(conn->ssl,
> +				tls_session_ticket_ext_cb, conn) != 1)
>   			return -1;
>   	} else {
>   		if (wolfSSL_set_session_secret_cb(conn->ssl, NULL, NULL) != 1)
>   			return -1;
> +		if (wolfSSL_set_session_ticket_ext_cb(conn->ssl, NULL, NULL) != 1)
> +			return -1;
>   	}
>   
>   	return 0;
> -#else /* EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST */
> +#else /* LIBWOLFSSL_VERSION_HEX >= 0x05007002 &&
> +	   * (EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST) */
>   	return -1;
> -#endif /* EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST */
> +#endif /* LIBWOLFSSL_VERSION_HEX >= 0x05007002 &&
> + 	 	* (EAP_FAST || EAP_FAST_DYNAMIC || EAP_SERVER_FAST) */
>   }
>   
>   
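Review bot: In the `cb` branch a failure of `wolfSSL_set_session_ticket_ext_cb` leaves the secret callback registered and `conn->session_ticket_cb` set, and in the `NULL` branch a failing first clear skips the second, so the two wolfSSL callbacks and the connection state can end up out of step; on the ext-cb failure it would be tidier to call `wolfSSL_set_session_secret_cb(conn->ssl, NULL, NULL)` and clear `conn->session_ticket_cb` before `return -1`. The `conn) != 1)` continuation line is re-indented away from the paren-aligned style the rest of the function keeps, which is churn unrelated to the change. The `#endif` comment continuation also mixes a leading space with tabs before the `*`.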


