Proposed Patch: Support for wolfSSL
sean at wolfssl.com
Mon May 7 16:26:45 PDT 2018
I’ve been able to fix the ECDH problem and the error tests.
The EAP tests listed are not failing for me.
I’m using Ubuntu 14.04.1 in a virtual machine, with the OpenSSL that comes with it, as recommended in example-setup.txt.
What setup are you testing on?
See below for the patch file.
sean at wolfssl.com
From 50827b00c8c8330ec03b09e6b51a9e06ac182162 Mon Sep 17 00:00:00 2001
From: Sean Parkinson <sparki at wolfssl.com>
Date: Tue, 8 May 2018 09:20:44 +1000
Subject: [PATCH] Fixes for wolfSSL
Fix for ECDH set peer to use the index when importing point.
Modified DH initialization to call TEST_FAIL() for error tests.
Signed-off-by: Sean Parkinson <sean at wolfssl.com>
src/crypto/crypto_wolfssl.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/crypto/crypto_wolfssl.c b/src/crypto/crypto_wolfssl.c
index fc9a67b..bc4fd6a 100644
@@ -783,6 +783,9 @@ int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey,
DhKey *dh = NULL;
word32 priv_sz, pub_sz;
+ if (TEST_FAIL())
+ return -1;
dh = os_malloc(sizeof(DhKey));
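Review bot: the TEST_FAIL() check is placed before the os_malloc() of dh, so the forced-failure return leaves nothing to free; that ordering is the right one and should be kept if this function is reworked later. The commit message ("Modified DH initialization to call TEST_FAIL() for error tests") would be more useful if it also stated that the macro compiles to nothing outside testing builds, since the hunk itself does not show its definition and a reader of crypto_wolfssl.c cannot tell from this context that production callers see no behaviour change.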
@@ -1762,7 +1765,7 @@ struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y,
ret = wc_ecc_import_point_der(wpabuf_mhead(pubkey), 1 + 2 * key_len,
- ecdh->ec->key.dp->id, point);
+ ecdh->ec->key.idx, point);
if (ret != MP_OKAY)
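Review bot: the change from `ecdh->ec->key.dp->id` to `ecdh->ec->key.idx` is what the commit message calls "use the index when importing point": wc_ecc_import_point_der() expects the curve index, and the curve id previously passed is not the same value, which is consistent with the intermittent import failures reported in the quoted message. Two follow-ups would help review: name in the commit message which hwsim groups this is expected to fix (the quoted message lists the OWE and FILS PFS cases as failing on this ECDH path), and state whether the shared-secret mismatch against the OpenSSL peer from wc_ecc_shared_secret_ex() is also resolved by this one-line fix or remains open, since the two symptoms are reported together and only the import call is touched here.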
> On 3 May 2018, at 1:00 am, Jouni Malinen <j at w1.fi> wrote:
> On Thu, Mar 29, 2018 at 02:55:55PM +1000, Sean Parkinson wrote:
>> I’ve looked into the failures and made changes as needed.
>> There were changes to wolfSSL as well.
>> To reproduce the setup I tested:
>> - download wolfSSL latest from master (https://github.com/wolfssl/wolfssl)
>> - configure wolfSSL with option -enable-wpas
>> - build wolfSSL
>> - in wpa_supplicant change .config
>>   - CONFIG_TLS=wolfssl
>>   - disable CONFIG_DPP
>> The proposed new patch is below.
> Thanks. I applied this as a number of smaller commits to make it easier to
> review and understand. I did some cleanup and a couple of fixes while
> going through the changes as well.
> There are some remaining issues, but it looks like this is a reasonable
> step forward, so I included all the changes even though it looks like
> there is something wrong with the ECDH wrappers (at least
> crypto_ecdh_set_peerkey() fails to work properly).
> The crypto_ecdh_set_peerkey() version in the patch you sent was broken,
> i.e., it actually ended up causing process termination due to invalid
> wpabuf_put() use that hit the buffer bounds checking routine. I fixed
> that to use wpabuf_mhead() instead of wpabuf_put() since the
> wc_ecc_import_point_der() call was clearly trying to use the already
> generated buffer instead of trying to add something more into the
> buffer. While this removed the process termination part, something is
> still failing. That wc_ecc_import_point_der() call fails every now and
> then and even if it succeeds, the ECDH shared secret from
> wc_ecc_shared_secret_ex() does not match the one that the AP derives
> (i.e., using crypto_openssl.c on the other end of the connection).
> As far as wolfSSL changes for --enable-wpas case are concerned, please
> note that I had to revert the GetName() change in wolfcrypt/src/asn.c
> (i.e., do not add an extra '=' to make the one-line name output look
> like /CN==FI/ instead of /CN=FI/). This was added in wolfssl commit
> b325e0ff916aa5989c523e7619f4dbbbeded74a1 ("Fixes for wpa_supplicant")
> for some reason, but it results in a failure in one of the hwsim test
> cases that verifies the exact contents of the server certificate name.
> As far as remaining failures from wpa_supplicant build using current
> wolfSSL snapshot against hostapd build using OpenSSL are concerned, I'm
> seeing the following issues:
> - quite a few EAP-FAST test cases are failing
> - ap_wpa2_eap_tls_versions is failing since tls_wolfssl.c returns
> "unknown" from tls_get_version() (i.e., wolfSSL_get_version())
> - all OWE test cases are failing (that ECDH issue)
> - all FILS PFS test cases are failing (ECDH)
> - some EAP protocol test case failures
> I haven't looked at these in much detail yet, but this is the list of
> failing test cases from my tests:
> Jouni Malinen PGP id EFC895FA
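The first hunk of the patch above adds a TEST_FAIL() check to crypto_dh_init() so that hostap's error tests can force the DH wrapper to fail. The following is an added example, not code from hostap or wolfSSL, that models that fault-injection pattern in isolation: a one-shot, test-armed trigger, a wrapper that checks it before allocating anything, and a caller whose cleanup path the test exercises. Every name in it (test_fail_arm(), test_fail_hit(), demo_dh_init(), demo_handshake(), struct demo_dh_key) is hypothetical and the key material is a constructed placeholder.

```c
/* Added example (not hostap's or wolfSSL's code): a minimal model of the
 * TEST_FAIL() fault-injection pattern. All names below are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Test-only trigger: the tag of the call site a test has armed, or NULL. */
static const char *armed_fail_tag = NULL;

/* Arm the trigger for one call site; the harness calls this before the
 * operation under test. */
void test_fail_arm(const char *tag) { armed_fail_tag = tag; }

/* Stand-in for TEST_FAIL(): non-zero exactly once after arming, so the
 * forced failure happens at the intended call and later calls succeed. */
static int test_fail_hit(const char *tag)
{
    if (armed_fail_tag && strcmp(armed_fail_tag, tag) == 0) {
        armed_fail_tag = NULL;
        return 1;
    }
    return 0;
}

/* Stand-in for the library key object a crypto wrapper would allocate. */
struct demo_dh_key {
    unsigned char priv[32];
    size_t priv_len;
};

/* Wrapper in the style of crypto_dh_init(): the fault hook sits before any
 * allocation, so the early return has nothing to free. Returns 0 or -1. */
int demo_dh_init(struct demo_dh_key **out)
{
    struct demo_dh_key *key;

    if (test_fail_hit("demo_dh_init"))
        return -1;
    key = calloc(1, sizeof(*key));
    if (!key)
        return -1;
    /* Constructed placeholder private value, not a real key. */
    memset(key->priv, 0x42, sizeof(key->priv));
    key->priv_len = sizeof(key->priv);
    *out = key;
    return 0;
}

/* Caller whose error path the injected failure exercises. Returns 0 on
 * success and -1 when DH initialization fails. */
int demo_handshake(void)
{
    struct demo_dh_key *key = NULL;

    if (demo_dh_init(&key) < 0)
        return -1;
    /* A real caller would derive the shared secret here. */
    free(key);
    return 0;
}

int main(void)
{
    printf("normal run:   %d\n", demo_handshake());   /* 0  */
    test_fail_arm("demo_dh_init");
    printf("injected run: %d\n", demo_handshake());   /* -1 */
    printf("after run:    %d\n", demo_handshake());   /* 0  */
    return 0;
}
```

The point of the one-shot trigger is that the error-path test can target a single call without leaving the wrapper permanently broken; putting the check ahead of the allocation, as the hunk does, keeps the injected failure from introducing a leak that the test would then misattribute to the caller.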