Proposed Patch: Support for wolfSSL

Sean Parkinson sean at wolfssl.com
Mon May 7 16:26:45 PDT 2018


Hi Jouni,

I’ve been able to fix the ECDH problem and the error tests.
The EAP tests listed are not failing for me.
I’m using Ubuntu 14.04.1 in a virtual machine, with the OpenSSL that comes with it, as recommended in example-setup.txt.
What setup are you testing on?

See below for the patch file.

Sean
—
Sean Parkinson
sean at wolfssl.com
wolfSSL Inc



From 50827b00c8c8330ec03b09e6b51a9e06ac182162 Mon Sep 17 00:00:00 2001
From: Sean Parkinson <sparki at wolfssl.com>
Date: Tue, 8 May 2018 09:20:44 +1000
Subject: [PATCH] Fixes for wolfSSL

Fix for ECDH set peer to use the index when importing point.
Modified DH initialization to call TEST_FAIL() for error tests.

Signed-off-by: Sean Parkinson <sean at wolfssl.com>
---
 src/crypto/crypto_wolfssl.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/crypto/crypto_wolfssl.c b/src/crypto/crypto_wolfssl.c
index fc9a67b..bc4fd6a 100644
--- a/src/crypto/crypto_wolfssl.c
+++ b/src/crypto/crypto_wolfssl.c
@@ -783,6 +783,9 @@ int crypto_dh_init(u8 generator, const u8 *prime, size_t prime_len, u8 *privkey,
 	DhKey *dh = NULL;
 	word32 priv_sz, pub_sz;
 
+	if (TEST_FAIL())
+		return -1;
+
 	dh = os_malloc(sizeof(DhKey));
 	if (!dh)
 		return -1;
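Review bot: placing the TEST_FAIL() check ahead of the os_malloc() call is the right spot: the early return happens before anything is allocated or written to the caller's output buffers, so the failure path leaks nothing, and the -1 matches the value the function already returns on allocation failure two lines below. Since the commit message says this is for the error tests, it is worth confirming that the other DH wrappers in crypto_wolfssl.c that those same hwsim error tests exercise carry an equivalent hook; otherwise those test cases will still diverge from the OpenSSL backend.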
@@ -1762,7 +1765,7 @@ struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y,
 		goto fail;
 
 	ret = wc_ecc_import_point_der(wpabuf_mhead(pubkey), 1 + 2 * key_len,
-				      ecdh->ec->key.dp->id, point);
+				      ecdh->ec->key.idx, point);
 	if (ret != MP_OKAY)
 		goto fail;
 
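Review bot: switching the third argument from ecdh->ec->key.dp->id to ecdh->ec->key.idx is the correct fix: wc_ecc_import_point_der() takes a curve index into wolfSSL's internal curve table, which is what ecc_key.idx holds, whereas dp->id is the curve's identifier in a different numbering, so the old call selected whichever table entry the id happened to alias. That explains the intermittent import failures and the shared-secret mismatch reported in the quoted reply. Two follow-ups: a one-line comment at the call site saying the parameter is an index, not an id, would stop this from being reintroduced, and the length 1 + 2 * key_len assumes pubkey holds an uncompressed point with its leading type byte, which is fine as long as the code above this hunk always builds the buffer that way whatever inc_y is.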
-- 
1.9.1



> On 3 May 2018, at 1:00 am, Jouni Malinen <j at w1.fi> wrote:
> 
> On Thu, Mar 29, 2018 at 02:55:55PM +1000, Sean Parkinson wrote:
>> I’ve looked into the failures and made changes as needed.
>> There were changes to wolfSSL as well.
>> 
>> To reproduce the setup I tested:
>> - download wolfSSL latest from master (https://github.com/wolfssl/wolfssl)
> >> - configure wolfSSL with option --enable-wpas
>> - build wolfSSL
>> - in wpa_supplicant change .config
>>   - CONFIG_TLS=wolfssl
>>   - disable CONFIG_DPP
>> 
>> The proposed new patch is below.
> 
> Thanks. I applied this as a number of smaller commits to make it easier to
> review and understand. I did some cleanup and a couple of fixes while
> going through the changes as well.
> 
> There are some remaining issues, but it looks like this is a reasonable
> step forward, so I included all the changes even though it looks like
> there is something wrong with the ECDH wrappers (at least
> crypto_ecdh_set_peerkey() fails to work properly).
> 
> The crypto_ecdh_set_peerkey() version in the patch you sent was broken,
> i.e., it actually ended up causing process termination due to invalid
> wpabuf_put() use that hit the buffer bounds checking routine. I fixed
> that to use wpabuf_mhead() instead of wpabuf_put() since the
> wc_ecc_import_point_der() call was clearly trying to use the already
> generated buffer instead of trying to add something more into the
> buffer. While this removed the process termination part, something is
> still failing. That wc_ecc_import_point_der() call fails every now and
> then and even if it succeeds, the ECDH shared secret from
> wc_ecc_shared_secret_ex() does not match the one that the AP derives
> (i.e., using crypto_openssl.c on the other end of the connection).
> 
> As far as wolfSSL changes for --enable-wpas case are concerned, please
> note that I had to revert the GetName() change in wolfcrypt/src/asn.c
> (i.e., do not add an extra '=' to make the one-line name output look
> like /CN==FI/ instead of /CN=FI/). This was added in wolfssl commit
> b325e0ff916aa5989c523e7619f4dbbbeded74a1 ("Fixes for wpa_supplicant")
> for some reason, but it results in a failure in one of the hwsim test
> cases that verifies the exact contents of the server certificate name.
> 
> As far as remaining failures from wpa_supplicant build using current
> wolfSSL snapshot against hostapd build using OpenSSL are concerned, I'm
> seeing following issues:
> - quite a few EAP-FAST test cases are failing
> - ap_wpa2_eap_tls_versions is failing since tls_wolfssl.c returns
>  "unknown" from tls_get_version() (i.e., wolfSSL_get_version())
> - all OWE test cases are failing (that ECDH issue)
> - all FILS PFS test cases are failing (ECDH)
> - some EAP protocol test case failures
> 
> I haven't looked at these in much detail yet, but this is the list of
> failing test cases from my tests:
> 
> ap_wpa2_eap_fast_binary_pac
> ap_wpa2_eap_fast_binary_pac_errors
> ap_wpa2_eap_fast_mschapv2_unauth_prov
> ap_wpa2_eap_fast_pac_file
> ap_wpa2_eap_fast_pac_refresh
> ap_wpa2_eap_fast_pac_truncate
> ap_wpa2_eap_fast_prov
> ap_wpa2_eap_fast_server_oom
> ap_wpa2_eap_fast_text_pac_errors
> ap_wpa2_eap_ikev2_oom
> ap_wpa2_eap_pwd_groups
> ap_wpa2_eap_tls_versions
> eap_mschapv2_errors
> eap_proto_eke_errors
> eap_proto_fast_errors
> fils_sk_pfs_20
> fils_sk_pfs_21
> fils_sk_pfs_26
> owe
> owe_and_psk
> owe_group_negotiation
> owe_group_negotiation_connect_cmd
> owe_groups
> owe_limited_group_set
> owe_pmksa_caching
> owe_pmksa_caching_connect_cmd
> owe_transition_mode
> owe_transition_mode_connect_cmd
> owe_transition_mode_multi_bss
> sigma_dut_ap_owe
> sigma_dut_ap_owe_ecgroupid
> sigma_dut_ap_owe_transition_mode
> sigma_dut_ap_owe_transition_mode_2
> sigma_dut_owe
> 
> -- 
> Jouni Malinen                                            PGP id EFC895FA



