Proposed Patch: Support for wolfSSL
j at w1.fi
Wed May 2 08:00:35 PDT 2018
On Thu, Mar 29, 2018 at 02:55:55PM +1000, Sean Parkinson wrote:
> I’ve looked into the failures and made changes as needed.
> There were changes to wolfSSL as well.
> To reproduce the setup I tested:
> - download wolfSSL latest from master (https://github.com/wolfssl/wolfssl)
> - configure wolfSSL with option --enable-wpas
> - build wolfSSL
> - in wpa_supplicant change .config
>   - CONFIG_TLS=wolfssl
>   - disable CONFIG_DPP
> The proposed new patch is below.
Thanks. I applied this as a number of smaller commits to make it easier to
review and understand. I did some cleanup and a couple of fixes while
going through the changes as well.
There are some remaining issues, but it looks like this is a reasonable
step forward, so I included all the changes even though it looks like
there is something wrong with the ECDH wrappers (at least
crypto_ecdh_set_peerkey() fails to work properly).
The crypto_ecdh_set_peerkey() version in the patch you sent was broken,
i.e., it actually ended up causing process termination due to invalid
wpabuf_put() use that hit the buffer bounds checking routine. I fixed
that to use wpabuf_mhead() instead of wpabuf_put() since the
wc_ecc_import_point_der() call was clearly trying to use the already
generated buffer instead of trying to add something more into the
buffer. While this removed the process termination part, something is
still failing. That wc_ecc_import_point_der() call fails every now and
then and even if it succeeds, the ECDH shared secret from
wc_ecc_shared_secret_ex() does not match the one that the AP derives
(i.e., using crypto_openssl.c on the other end of the connection).
As far as wolfSSL changes for --enable-wpas case are concerned, please
note that I had to revert the GetName() change in wolfcrypt/src/asn.c
(i.e., do not add an extra '=' to make the one-line name output look
like /CN==FI/ instead of /CN=FI/). This was added in wolfssl commit
b325e0ff916aa5989c523e7619f4dbbbeded74a1 ("Fixes for wpa_supplicant")
for some reason, but it results in a failure in one of the hwsim test
cases that verifies the exact contents of the server certificate name.
As far as remaining failures from wpa_supplicant build using current
wolfSSL snapshot against hostapd build using OpenSSL are concerned, I'm
seeing the following issues:
- quite a few EAP-FAST test cases are failing
- ap_wpa2_eap_tls_versions is failing since tls_wolfssl.c returns
"unknown" from tls_get_version() (i.e., wolfSSL_get_version())
- all OWE test cases are failing (that ECDH issue)
- all FILS PFS test cases are failing (ECDH)
- some EAP protocol test case failures
I haven't looked at these in much detail yet, but this is the list of
failing test cases from my tests:
Jouni Malinen PGP id EFC895FA
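The wpabuf_put() vs. wpabuf_mhead() mistake described above, shown with a
minimal stand-in for the wpabuf API. This is an added example, not code
from hostap, wolfSSL or the submitted patch: the struct wpabuf here is a
simplified model that records the bounds-check failure in a flag where
the real wpabuf_put() calls wpabuf_overflow() and aborts the process,
import_point_stub() only imitates the "reads the DER point it is given"
behaviour of wc_ecc_import_point_der(), and make_peer_point() fills the
buffer with a constructed uncompressed-point encoding.

```c
/* Minimal model of the hostap wpabuf API, written for this example.
 * NOT the hostap code: real wpabuf_put() calls wpabuf_overflow(), which
 * aborts; here the overflow is recorded so both patterns run together. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct wpabuf {
	size_t size;     /* allocated bytes */
	size_t used;     /* bytes holding data so far */
	uint8_t *buf;
	int overflowed;  /* model-only: set where hostap would abort */
};

static struct wpabuf *wpabuf_alloc(size_t len)
{
	struct wpabuf *b = calloc(1, sizeof(*b));
	if (!b)
		return NULL;
	b->buf = calloc(1, len ? len : 1);
	if (!b->buf) {
		free(b);
		return NULL;
	}
	b->size = len;
	return b;
}

static void wpabuf_free(struct wpabuf *b)
{
	if (!b)
		return;
	free(b->buf);
	free(b);
}

static size_t wpabuf_len(const struct wpabuf *b) { return b->used; }

/* Pointer to the data already in the buffer; the length is unchanged. */
static uint8_t *wpabuf_mhead(struct wpabuf *b) { return b->buf; }

/* Reserve len more bytes at the tail. Fails the bounds check (hostap:
 * abort) when the buffer cannot hold them. */
static void *wpabuf_put(struct wpabuf *b, size_t len)
{
	if (b->used + len > b->size) {
		b->overflowed = 1;
		return NULL;
	}
	void *p = b->buf + b->used;
	b->used += len;
	return p;
}

/* Constructed sample: 0x04 || X || Y with placeholder coordinates, exactly
 * filling a buffer of 1 + 2*field_len bytes (as a peer key wpabuf would). */
static struct wpabuf *make_peer_point(size_t field_len)
{
	struct wpabuf *pk = wpabuf_alloc(1 + 2 * field_len);
	if (!pk)
		return NULL;
	uint8_t *p = wpabuf_put(pk, 1);
	if (p)
		*p = 0x04;
	uint8_t *xy = wpabuf_put(pk, 2 * field_len);
	if (xy)
		memset(xy, 0xAB, 2 * field_len);
	return pk;
}

/* Stand-in for the wolfSSL import call: it only reads the point it is
 * given. These checks are an assumption for the example, not wolfSSL's. */
static int import_point_stub(const uint8_t *der, size_t len, size_t field_len)
{
	if (!der || len != 1 + 2 * field_len || der[0] != 0x04)
		return -1;
	return 0;
}

/* Broken pattern: asking wpabuf_put() for wpabuf_len() more bytes on a
 * buffer that is already full. Returns 1 if the bounds check tripped. */
static int peerkey_with_put(size_t field_len)
{
	struct wpabuf *pk = make_peer_point(field_len);
	if (!pk)
		return -1;
	const uint8_t *p = wpabuf_put(pk, wpabuf_len(pk));
	int tripped = pk->overflowed;
	(void)p;  /* without the check, p would point past the data anyway */
	wpabuf_free(pk);
	return tripped;
}

/* Fixed pattern: hand over the data already in the buffer. 0 on success. */
static int peerkey_with_mhead(size_t field_len)
{
	struct wpabuf *pk = make_peer_point(field_len);
	if (!pk)
		return -1;
	int rc = import_point_stub(wpabuf_mhead(pk), wpabuf_len(pk), field_len);
	wpabuf_free(pk);
	return rc;
}

int main(void)
{
	printf("put pattern tripped bounds check: %d\n", peerkey_with_put(32));
	printf("mhead pattern import result: %d\n", peerkey_with_mhead(32));
	return 0;
}
```

The point the model makes is that wpabuf_put() is an append: it moves the
used length forward and returns the new tail, so calling it on a buffer
that already contains the encoded peer point either trips the bounds
check or, if it did not, would hand the import routine a pointer past the
data. wpabuf_mhead() returns the existing contents without touching the
length, which is what a "read this point" call needs.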