Proposed Patch: Support for wolfSSL

Jouni Malinen j at w1.fi
Wed May 2 08:00:35 PDT 2018 

On Thu, Mar 29, 2018 at 02:55:55PM +1000, Sean Parkinson wrote:
> I’ve looked into the failures and made changes as needed.
> There were changes to wolfSSL as well.
> 
> To reproduce the setup I tested:
>  - download wolfSSL latest from master (https://github.com/wolfssl/wolfssl)
>  - configure wolfSSL with option -enable-wpas
>  - build wolfSSL
>  - in wpa_supplicant change .config
>    - CONFIG_TLS=wolfssl
>    - disable CONFIG_DPP
> 
> The proposed new patch is below.

Thanks. I applied this as number of smaller commits to make it easier to
review and understand. I did some cleanup and couple of fixes while
going through the changes as well.

There are some remaining issues, but it looks like this is a reasonable
step forward, so I included or the changes even though it looks like
there is something wrong with the ECDH wrappers (at least
crypto_ecdh_set_peerkey() fails to work properly).

The crypto_ecdh_set_peerkey() version in the patch you sent was broken,
i.e., it actually ended up causing process termination due to invalid
wpabuf_put() use that hit the buffer bounds checking routine. I fixed
that to use wpabuf_mhead() instead of wpabuf_put() since the
wc_ecc_import_point_der() call was clearly trying to use the already
generated buffer instead of trying to add something more into the
buffer. While this removed the process termination part, something is
still failing.. That wc_ecc_import_point_der() call fails every now and
then and even if it succeeds, the ECDH shared secret from
wc_ecc_shared_secret_ex() does not match the one that the AP derives
(i.e., using crypto_openssl.c on the other end of the connection).

As far as wolfSSL changes for --enable-wpas case are concerned, please
note that I had to revert the GetName() change in wolfcrypt/src/asn.c
(i.e., do not add an extra '=' to make the one-line name output look
like /CN==FI/ instead of /CN=FI/). This was added in wolfssl commit
b325e0ff916aa5989c523e7619f4dbbbeded74a1 ("Fixes for wpa_supplicant")
for some reason, but it results in a failure in one of the hwsim test
cases that verifies the exact contents of the server certificate name.

As far as remaining failures from wpa_supplicant build using current
wolfSSL snapshot against hostapd build using OpenSSL are concerned, I'm
seeing following issues:
- quite a few EAP-FAST test cases are failing
- ap_wpa2_eap_tls_versions is failing since tls_wolfssl.c returns
  "unknown" from tls_get_version() (i.e., wolfSSL_get_version())
- all OWE test cases are failing (that ECDH issue)
- all FILS PFS test cases are failing (ECDH)
- some EAP protocol test case failures

I haven't looked at these in much detail yet, but this is the list of
failing test cases from my tests:

ap_wpa2_eap_fast_binary_pac
ap_wpa2_eap_fast_binary_pac_errors
ap_wpa2_eap_fast_mschapv2_unauth_prov
ap_wpa2_eap_fast_pac_file
ap_wpa2_eap_fast_pac_refresh
ap_wpa2_eap_fast_pac_truncate
ap_wpa2_eap_fast_prov
ap_wpa2_eap_fast_server_oom
ap_wpa2_eap_fast_text_pac_errors
ap_wpa2_eap_ikev2_oom
ap_wpa2_eap_pwd_groups
ap_wpa2_eap_tls_versions
eap_mschapv2_errors
eap_proto_eke_errors
eap_proto_fast_errors
fils_sk_pfs_20
fils_sk_pfs_21
fils_sk_pfs_26
owe
owe_and_psk
owe_group_negotiation
owe_group_negotiation_connect_cmd
owe_groups
owe_limited_group_set
owe_pmksa_caching
owe_pmksa_caching_connect_cmd
owe_transition_mode
owe_transition_mode_connect_cmd
owe_transition_mode_multi_bss
sigma_dut_ap_owe
sigma_dut_ap_owe_ecgroupid
sigma_dut_ap_owe_transition_mode
sigma_dut_ap_owe_transition_mode_2
sigma_dut_owe

-- 
Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list