From patchwork Thu Apr 4 18:16:16 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Juliusz Sosinowicz
X-Patchwork-Id: 1919909
From: Juliusz Sosinowicz
To: hostap@lists.infradead.org
Cc: Juliusz Sosinowicz
Subject: [PATCH 10/24] ap_wpa2_eap_tls_rsa_and_ec: use ciphersuites that wolfSSL understands
Date: Thu, 4 Apr 2024 20:16:16 +0200
Message-Id: <20240404181630.2431991-10-juliusz@wolfssl.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240404181630.2431991-1-juliusz@wolfssl.com>
References: <20240404181630.2431991-1-juliusz@wolfssl.com>

Signed-off-by: Juliusz Sosinowicz --- tests/hwsim/test_ap_eap.py | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py index 5fe2cbc711..8f4b846f57 100644 --- a/tests/hwsim/test_ap_eap.py +++ b/tests/hwsim/test_ap_eap.py @@ -6406,7 +6406,12 @@ def test_ap_wpa2_eap_tls_rsa_and_ec(dev, apdev, params): private_key="auth_serv/ec-user.key") dev[0].request("REMOVE_NETWORK all") dev[0].wait_disconnected() - + + tls = dev[1].request("GET tls_library") + if tls.startswith("wolfSSL"): + ciphers = "RSA" + else: + ciphers = "DEFAULT:-aECDH:-aECDSA" # TODO: Make wpa_supplicant automatically filter out cipher suites that # would require ECDH/ECDSA keys when those are not configured in the # selected client certificate. And for no-client-cert case, deprioritize 
@@ -6414,7 +6419,7 @@ def test_ap_wpa2_eap_tls_rsa_and_ec(dev, apdev, params): # likely to work cipher suites are selected by the server. Only do these # when an explicit openssl_ciphers parameter is not set. eap_connect(dev[1], hapd, "TLS", "tls user", - openssl_ciphers="DEFAULT:-aECDH:-aECDSA", + openssl_ciphers=ciphers, ca_cert="auth_serv/ca.pem", client_cert="auth_serv/user.pem", private_key="auth_serv/user.key") @@ -6450,7 +6455,12 @@ def test_ap_wpa2_eap_tls_ec_and_rsa(dev, apdev, params): private_key="auth_serv/ec-user.key") dev[0].request("REMOVE_NETWORK all") dev[0].wait_disconnected() - + + tls = dev[1].request("GET tls_library") + if tls.startswith("wolfSSL"): + ciphers = "RSA" + else: + ciphers = "DEFAULT:-aECDH:-aECDSA" # TODO: Make wpa_supplicant automatically filter out cipher suites that # would require ECDH/ECDSA keys when those are not configured in the # selected client certificate. And for no-client-cert case, deprioritize @@ -6458,7 +6468,7 @@ def test_ap_wpa2_eap_tls_ec_and_rsa(dev, apdev, params): # likely to work cipher suites are selected by the server. Only do these # when an explicit openssl_ciphers parameter is not set. eap_connect(dev[1], hapd, "TLS", "tls user", - openssl_ciphers="DEFAULT:-aECDH:-aECDSA", + openssl_ciphers=ciphers, ca_cert="auth_serv/ca.pem", client_cert="auth_serv/user.pem", private_key="auth_serv/user.key")
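Review bot: The library check added in the first hunk (`tls = dev[1].request("GET tls_library")` followed by the `if tls.startswith("wolfSSL"):` branch) is repeated line for line in the third hunk for test_ap_wpa2_eap_tls_ec_and_rsa. A small helper in the test file that takes the device and returns the cipher string would keep the two tests from drifting apart, and it is the natural place for a comment explaining the wolfSSL case. Both hunks also open with a `-`/`+` pair that swaps one empty line for another, which looks like a whitespace-only change and should be dropped if the added line carries trailing whitespace.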
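Review bot: With `openssl_ciphers=ciphers` in the second and fourth hunks, a wolfSSL build now runs both tests with the bare string "RSA", and nothing in the patch or the commit message (which has only a Signed-off-by line) says why "DEFAULT:-aECDH:-aECDSA" cannot be used there or which suites "RSA" is meant to leave enabled. Please add that to the commit message or as a comment beside `ciphers = "RSA"`, so a reader can confirm that the wolfSSL run still exercises the case the TODO comment describes: an RSA client certificate (auth_serv/user.pem) connecting without the suites that would require ECDH/ECDSA keys. The subject line also names only ap_wpa2_eap_tls_rsa_and_ec, while the diff changes test_ap_wpa2_eap_tls_ec_and_rsa as well.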